Fix detours ability to identify OS applied patches. #318
This change allows for interoperability between OS applied patches and detours (x64/arm64/x86). When a detour is active and an attempt is made to apply an OS patch, the attempt will fail since it's not safe/secure to patch code amidst an unexpected code stream. However, it is safe for the detours library to insert a detour into a function that has already been patched by the OS. In the event a binary/process is already detoured and a patch needs to be applied, the process can simply be restarted to get the patch applied prior to the detour initialization.
Amd64:
Prior to this change, when a patched binary has a detour applied to it, the detour application will incorrectly redirect to the detour at the point of the HPAT code page jump. This results in failure to insert the detour code, since the detours library cannot modify the HPAT region. Now, the detours library first verifies that it has encountered an OS applied patch function, and if so, it redirects execution to the detour at the point of the 6-byte function padding leading up to the patched function.
Arm64:
Similar to the amd64 issue, the detour code was interpreting the patch function jump as an end-of-function instruction, resulting in failure to apply the detour. The detour library now verifies that the code encountered is an OS patch and modifies the bytes at the start of the patched function.
x86:
Same as amd64, with a slight deviation in expected code stream for OS applied patches.
One other minor change was needed in uimports.cpp where the NT header checksum field was being zeroed, leading to patch applicability failing (since the OS uses file checksum/timestamp fields to identify a patch).
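Added example, not code from this PR or from the Detours project: a small check for the uimports.cpp point above. It reads the two PE header fields the description says the OS uses to match a patch to its base image (FileHeader.TimeDateStamp and OptionalHeader.CheckSum) and confirms they survived an import-table rewrite; the header offsets are standard PE layout, and the sample image is a constructed header-only buffer, not a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PE layout used here (identical for PE32 and PE32+): the DOS header stores
   e_lfanew at 0x3C; within IMAGE_NT_HEADERS, FileHeader.TimeDateStamp sits at
   +8 and OptionalHeader.CheckSum at +24 (FileHeader) + 64 = +88. */
#define PE_E_LFANEW      0x3C
#define PE_TIMESTAMP_OFF 8
#define PE_CHECKSUM_OFF  88

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Extract the patch-identity fields. Returns 0 for a malformed or truncated
   image so a bad buffer can never be reported as "preserved". */
int pe_patch_identity(const uint8_t *img, size_t len, uint32_t *ts, uint32_t *cksum) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + PE_E_LFANEW);
    if (nt > len || len - nt < PE_CHECKSUM_OFF + 4) return 0;
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    *ts = rd32(img + nt + PE_TIMESTAMP_OFF);
    *cksum = rd32(img + nt + PE_CHECKSUM_OFF);
    return 1;
}

/* 1 if both identity fields are unchanged between the original image and the
   rewritten one; a zeroed CheckSum (the bug described above) reports 0. */
int pe_patch_identity_preserved(const uint8_t *before, size_t blen,
                                const uint8_t *after, size_t alen) {
    uint32_t t0, c0, t1, c1;
    if (!pe_patch_identity(before, blen, &t0, &c0)) return 0;
    if (!pe_patch_identity(after, alen, &t1, &c1)) return 0;
    return t0 == t1 && c0 == c1;
}

/* Constructed sample: a header-only image with the given identity fields. */
#define NT_OFF  0x80
#define IMG_LEN (NT_OFF + 0x100)
void build_sample(uint8_t *img, uint32_t ts, uint32_t cksum) {
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + PE_E_LFANEW, NT_OFF);
    memcpy(img + NT_OFF, "PE\0\0", 4);
    wr32(img + NT_OFF + PE_TIMESTAMP_OFF, ts);
    wr32(img + NT_OFF + PE_CHECKSUM_OFF, cksum);
}
```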