*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
- stream.refs=(UINT *)ExAllocatePoolWithTag(NonPagedPool, (nins + 1)*sizeof(UINT), '0JWA');
+#define NPF_TAG_REFTABLE TAG('0', 'J', 'W', 'A')
+ stream.refs=(UINT *)ExAllocatePoolWithTag(NonPagedPool, (nins + 1)*sizeof(UINT), NPF_TAG_REFTABLE);
- if(stream.refs==NULL)
- {
- return NULL;
- }
-
- // Reset the reference table
- for(i=0; i< nins + 1; i++)
- stream.refs[i]=0;
-
- stream.cur_ip=0;
- stream.bpf_pc=0;
-
- // the first pass will emit the lengths of the instructions
- // to create the reference table
- emitm=emit_lenght;
-
- for(pass=0;;){
-
- ins = prog;
-
- /* create the procedure header */
- PUSH(EBP)
- MOVrd(EBP,ESP)
- PUSH(EBX)
- PUSH(ECX)
- PUSH(EDX)
- PUSH(ESI)
- PUSH(EDI)
- MOVodd(EBX, EBP, 8)
-
- for(i=0;i<nins;i++){
-
- stream.bpf_pc++;
-
- switch (ins->code) {
-
- default:
-
- return NULL;
-
- case BPF_RET|BPF_K:
-
- MOVid(EAX,ins->k)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- RET()
-
- break;
-
-
- case BPF_RET|BPF_A:
-
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- RET()
-
- break;
-
-
- case BPF_LD|BPF_W|BPF_ABS:
-
- MOVid(ECX,ins->k)
- MOVrd(ESI,ECX)
- ADDib(ECX,sizeof(INT))
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0) //this can be optimized with xor eax,eax
- RET()
- MOVobd(EAX, EBX, ESI)
- BSWAP(EAX)
-
- break;
-
- case BPF_LD|BPF_H|BPF_ABS:
-
- MOVid(ECX,ins->k)
- MOVrd(ESI,ECX)
- ADDib(ECX,sizeof(SHORT))
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0)
- RET()
- MOVid(EAX,0)
- MOVobw(AX, EBX, ESI)
- SWAP_AX()
-
- break;
-
- case BPF_LD|BPF_B|BPF_ABS:
-
- MOVid(ECX,ins->k)
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0)
- RET()
- MOVid(EAX,0)
- MOVobb(AL,EBX,ECX)
-
- break;
-
- case BPF_LD|BPF_W|BPF_LEN:
-
- MOVodd(EAX, EBP, 0xc)
-
- break;
-
- case BPF_LDX|BPF_W|BPF_LEN:
-
- MOVodd(EDX, EBP, 0xc)
-
- break;
-
- case BPF_LD|BPF_W|BPF_IND:
-
- MOVid(ECX,ins->k)
- ADDrd(ECX,EDX)
- MOVrd(ESI,ECX)
- ADDib(ECX,sizeof(INT))
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0)
- RET()
- MOVobd(EAX, EBX, ESI)
- BSWAP(EAX)
-
- break;
-
- case BPF_LD|BPF_H|BPF_IND:
-
- MOVid(ECX,ins->k)
- ADDrd(ECX,EDX)
- MOVrd(ESI,ECX)
- ADDib(ECX,sizeof(SHORT))
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0)
- RET()
- MOVid(EAX,0)
- MOVobw(AX, EBX, ESI)
- SWAP_AX()
-
- break;
-
- case BPF_LD|BPF_B|BPF_IND:
-
- MOVid(ECX,ins->k)
- ADDrd(ECX,EDX)
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0)
- RET()
- MOVid(EAX,0)
- MOVobb(AL,EBX,ECX)
-
- break;
-
- case BPF_LDX|BPF_MSH|BPF_B:
-
- MOVid(ECX,ins->k)
- CMPodd(ECX, EBP, 0x10)
- JLEb(12)
- POP(EDI)
- POP(ESI)
- POP(EDX)
- POP(ECX)
- POP(EBX)
- POP(EBP)
- MOVid(EAX,0)
- RET()
- MOVid(EDX,0)
- MOVobb(DL,EBX,ECX)
- ANDib(DL, 0xf)
- SHLib(EDX, 2)
-
- break;
+ if(stream.refs==NULL)
+ {
+ return NULL;
+ }
+
+ // Reset the reference table
+ for(i=0; i< nins + 1; i++)
+ stream.refs[i]=0;
+
+ stream.cur_ip=0;
+ stream.bpf_pc=0;
+
+ // the first pass will emit the lengths of the instructions
+ // to create the reference table
+ emitm=emit_lenght;
+
+ for(pass=0;;){
+
+ ins = prog;
+
+ /* create the procedure header */
+ PUSH(EBP)
+ MOVrd(EBP,ESP)
+ PUSH(EBX)
+ PUSH(ECX)
+ PUSH(EDX)
+ PUSH(ESI)
+ PUSH(EDI)
+ MOVodd(EBX, EBP, 8)
+
+ for(i=0;i<nins;i++){
+
+ stream.bpf_pc++;
+
+ switch (ins->code) {
+
+ default:
+
+ return NULL;
+
+ case BPF_RET|BPF_K:
+
+ MOVid(EAX,ins->k)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ RET()
+
+ break;
+
+
+ case BPF_RET|BPF_A:
+
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ RET()
+
+ break;
+
+
+ case BPF_LD|BPF_W|BPF_ABS:
+
+ MOVid(ECX,ins->k)
+ MOVrd(ESI,ECX)
+ ADDib(ECX,sizeof(INT))
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0) //this can be optimized with xor eax,eax
+ RET()
+ MOVobd(EAX, EBX, ESI)
+ BSWAP(EAX)
+
+ break;
+
+ case BPF_LD|BPF_H|BPF_ABS:
+
+ MOVid(ECX,ins->k)
+ MOVrd(ESI,ECX)
+ ADDib(ECX,sizeof(SHORT))
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0)
+ RET()
+ MOVid(EAX,0)
+ MOVobw(AX, EBX, ESI)
+ SWAP_AX()
+
+ break;
+
+ case BPF_LD|BPF_B|BPF_ABS:
+
+ MOVid(ECX,ins->k)
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0)
+ RET()
+ MOVid(EAX,0)
+ MOVobb(AL,EBX,ECX)
+
+ break;
+
+ case BPF_LD|BPF_W|BPF_LEN:
+
+ MOVodd(EAX, EBP, 0xc)
+
+ break;
+
+ case BPF_LDX|BPF_W|BPF_LEN:
+
+ MOVodd(EDX, EBP, 0xc)
+
+ break;
+
+ case BPF_LD|BPF_W|BPF_IND:
+
+ MOVid(ECX,ins->k)
+ ADDrd(ECX,EDX)
+ MOVrd(ESI,ECX)
+ ADDib(ECX,sizeof(INT))
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0)
+ RET()
+ MOVobd(EAX, EBX, ESI)
+ BSWAP(EAX)
+
+ break;
+
+ case BPF_LD|BPF_H|BPF_IND:
+
+ MOVid(ECX,ins->k)
+ ADDrd(ECX,EDX)
+ MOVrd(ESI,ECX)
+ ADDib(ECX,sizeof(SHORT))
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0)
+ RET()
+ MOVid(EAX,0)
+ MOVobw(AX, EBX, ESI)
+ SWAP_AX()
+
+ break;
+
+ case BPF_LD|BPF_B|BPF_IND:
+
+ MOVid(ECX,ins->k)
+ ADDrd(ECX,EDX)
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0)
+ RET()
+ MOVid(EAX,0)
+ MOVobb(AL,EBX,ECX)
+
+ break;
+
+ case BPF_LDX|BPF_MSH|BPF_B:
+
+ MOVid(ECX,ins->k)
+ CMPodd(ECX, EBP, 0x10)
+ JLEb(12)
+ POP(EDI)
+ POP(ESI)
+ POP(EDX)
+ POP(ECX)
+ POP(EBX)
+ POP(EBP)
+ MOVid(EAX,0)
+ RET()
+ MOVid(EDX,0)
+ MOVobb(DL,EBX,ECX)
+ ANDib(DL, 0xf)
+ SHLib(EDX, 2)
+
+ break;
- // XXX: this command and the following could be optimized if the previous
- // instruction was already of this type
- MOVid(ECX,(INT)mem)
- MOVid(ESI,ins->k*4)
- MOVomd(ECX, ESI, EAX)
+ // XXX: this command and the following could be optimized if the previous
+ // instruction was already of this type
+ MOVid(ECX,(INT)mem)
+ MOVid(ESI,ins->k*4)
+ MOVomd(ECX, ESI, EAX)
- CMPid(EAX, ins->k)
- JG(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5) // 5 is the size of the following JMP
- JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
- break;
+ CMPid(EAX, ins->k)
+ JG(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5) // 5 is the size of the following JMP
+ JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
+ break;
- CMPid(EAX, ins->k)
- JGE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
+ CMPid(EAX, ins->k)
+ JGE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
- CMPid(EAX, ins->k)
- JE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
+ CMPid(EAX, ins->k)
+ JE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
- MOVrd(ECX,EAX)
- ANDid(ECX,ins->k)
- JE(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc])
+ MOVrd(ECX,EAX)
+ ANDid(ECX,ins->k)
+ JE(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc])
- CMPrd(EAX, EDX)
- JA(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
- break;
+ CMPrd(EAX, EDX)
+ JA(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
+ break;
- CMPrd(EAX, EDX)
- JAE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
+ CMPrd(EAX, EDX)
+ JAE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
- CMPrd(EAX, EDX)
- JE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
+ CMPrd(EAX, EDX)
+ JE(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc])
- MOVrd(ECX,EAX)
- ANDrd(ECX,EDX)
- JE(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc]+5)
- JMP(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc])
-
- break;
+ MOVrd(ECX,EAX)
+ ANDrd(ECX,EDX)
+ JE(stream.refs[stream.bpf_pc+ins->jf]-stream.refs[stream.bpf_pc]+5)
+ JMP(stream.refs[stream.bpf_pc+ins->jt]-stream.refs[stream.bpf_pc])
+
+ break;
- stream.ibuf=(CHAR*)ExAllocatePoolWithTag(NonPagedPool, stream.cur_ip, '1JWA');
+#define NPF_TAG_STREAMBUF TAG('1', 'J', 'W', 'A')
+ stream.ibuf=(CHAR*)ExAllocatePoolWithTag(NonPagedPool, stream.cur_ip, NPF_TAG_STREAMBUF);
- return NULL;
- }
-
- // modify the reference table to contain the offsets and not the lengths of the instructions
- for(i=1; i< nins + 1; i++)
- stream.refs[i]+=stream.refs[i-1];
-
- // Reset the counters
- stream.cur_ip=0;
- stream.bpf_pc=0;
- // the second pass creates the actual code
- emitm=emit_code;
-
- }
-
- // the reference table is needed only during compilation, now we can free it
+ return NULL;
+ }
+
+ // modify the reference table to contain the offsets and not the lengths of the instructions
+ for(i=1; i< nins + 1; i++)
+ stream.refs[i]+=stream.refs[i-1];
+
+ // Reset the counters
+ stream.cur_ip=0;
+ stream.bpf_pc=0;
+ // the second pass creates the actual code
+ emitm=emit_code;
+
+ }
+
+ // the reference table is needed only during compilation, now we can free it
- Filter=(struct JIT_BPF_Filter*)ExAllocatePoolWithTag(NonPagedPool, sizeof(struct JIT_BPF_Filter), '2JWA');
+#define NPF_TAG_FILTSTRUCT TAG('2', 'J', 'W', 'A')
+ Filter=(struct JIT_BPF_Filter*)ExAllocatePoolWithTag(NonPagedPool, sizeof(struct JIT_BPF_Filter), NPF_TAG_FILTSTRUCT);
- Filter->mem=(INT*)ExAllocatePoolWithTag(NonPagedPool, BPF_MEMWORDS*sizeof(INT), '3JWA');
+#define NPF_TAG_FILTMEM TAG('3', 'J', 'W', 'A')
+ Filter->mem=(INT*)ExAllocatePoolWithTag(NonPagedPool, BPF_MEMWORDS*sizeof(INT), NPF_TAG_FILTMEM);
}
//////////////////////////////////////////////////////////////
void BPF_Destroy_JIT_Filter(JIT_BPF_Filter *Filter){
}
//////////////////////////////////////////////////////////////
void BPF_Destroy_JIT_Filter(JIT_BPF_Filter *Filter){