[cherry-pick] Cygwin: Adjust CWD magic to accommodate for the latest Windows previews #265
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reportedly a very recent internal build of Windows 11 once again changed the current working directory logic a bit, and Cygwin's "magic" (or: "technologically sufficiently advanced") code needs to be adjusted accordingly. In particular, the following assembly code can be seen: ntdll!RtlpReferenceCurrentDirectory 598 00000001`800c6925 488d0db4cd0f00 lea rcx,[ntdll!FastPebLock (00000001`801c36e0)] 583 00000001`800c692c 4c897810 mov qword ptr [rax+10h],r15 588 00000001`800c6930 0f1140c8 movups xmmword ptr [rax-38h],xmm0 598 00000001`800c6934 e82774f4ff call ntdll!RtlEnterCriticalSection The change necessarily looks a bit different than 4840a56 (Cygwin: Adjust CWD magic to accommodate for the latest Windows previews, 2023-05-22): The needle `\x48\x8d\x0d` is already present, as the first version of the hack after Windows 8.1 was released. In that code, though, the `call` to `RtlEnterCriticalSection` followed the `lea` instruction immediately, but now there are two more instructions separating them. Note: In the long run, we may very well want to follow the insightful suggestion by a helpful Windows kernel engineer who pointed out that it may be less fragile to implement kind of a disassembler that has a better chance to adapt to the ever-changing code of `ntdll!RtlpReferenceCurrentDirectory` by skipping uninteresting instructions such as `mov %rsp,%rax`, `mov %rbx,0x20(%rax)`, `push %rsi` `sub $0x70,%rsp`, etc, and focuses on finding the `lea`, `call ntdll!RtlEnterCriticalSection` and `mov ..., rbx` instructions, much like it was prototyped out for ARM64 at https://gist.github.com/jeremyd2019/aa167df0a0ae422fa6ebaea5b60c80c9 Signed-off-by: Johannes Schindelin <[email protected]>
lazka
changed the title
Member
Author
Collaborator
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reportedly a very recent internal build of Windows 11 once again changed the current working directory logic a bit, and Cygwin's "magic" (or: "technologically sufficiently advanced") code needs to be adjusted accordingly.
In particular, the following assembly code can be seen:
ntdll!RtlpReferenceCurrentDirectory
598 00000001
800c6925 488d0db4cd0f00 lea rcx,[ntdll!FastPebLock (00000001801c36e0)]583 00000001
800c692c 4c897810 mov qword ptr [rax+10h],r15 588 00000001800c6930 0f1140c8 movups xmmword ptr [rax-38h],xmm0598 00000001`800c6934 e82774f4ff call ntdll!RtlEnterCriticalSection
The change necessarily looks a bit different than 4840a56 (Cygwin: Adjust CWD magic to accommodate for the latest Windows previews, 2023-05-22): The needle
\x48\x8d\x0dis already present, as the first version of the hack after Windows 8.1 was released. In that code, though, thecalltoRtlEnterCriticalSectionfollowed theleainstruction immediately, but now there are two more instructions separating them.Note: In the long run, we may very well want to follow the insightful suggestion by a helpful Windows kernel engineer who pointed out that it may be less fragile to implement kind of a disassembler that has a better chance to adapt to the ever-changing code of
ntdll!RtlpReferenceCurrentDirectoryby skipping uninteresting instructions such asmov %rsp,%rax,mov %rbx,0x20(%rax),push %rsisub $0x70,%rsp, etc, and focuses on finding thelea,call ntdll!RtlEnterCriticalSectionandmov ..., rbxinstructions, much like it was prototyped out for ARM64 athttps://gist.github.com/jeremyd2019/aa167df0a0ae422fa6ebaea5b60c80c9