OpenRCE_EliCZ
March 6th, 2008, 14:20
The AM bit of CR0 is set on Windows x64, so it is possible to generate AC faults -> it is possible to test 64-bit (why only 64-bit?) apps for unaligned memory access. Even MS code sometimes does mov [rxx], ryx; where rxx = x*4 (should be x*8). An AC fault results in exception 0x80000002 that silently (w/o error box) terminates the process (like touching the stack page before the guarded one, but an AC fault is caught by the debugger). SetErrorMode(SEM_NOALIGNMENTFAULTEXCEPT) has no effect.
https://www.openrce.org/blog/view/359/Alignment_check
Code:
/////EnableAC.bat file
;@GOTO -)
.CODE
; Returns 1 in AL if RFLAGS.AC was turned on, 0 if CR0.AM is clear (AC has no effect then).
EnableAC PROC C
    SMSW EAX                    ; low word of CR0; only the low 16 bits are architecturally
                                ; defined, the test of bit 18 relies on the CPU copying the rest
    TEST EAX, 40000h            ; CR0.AM (bit 18) set?
    JE NotEnabled
    PUSHFQ
    OR BYTE PTR [RSP+2], 4      ; set RFLAGS.AC (bit 18 = bit 2 of the third byte)
    POPFQ
    MOV AL, 1
    RET
NotEnabled:
    MOV AL, 0
    RET
EnableAC ENDP
DisableAC PROC C
    PUSHFQ
    AND BYTE PTR [RSP+2], NOT 4 ; clear RFLAGS.AC
    POPFQ
    RET
DisableAC ENDP
END
:-)
@ECHO OFF
ML64.EXE /nologo /c EnableAC.bat
PAUSE
CLS
/////Test.c file
#include <stdio.h>
char EnableAC(void);    /* from EnableAC.bat: 1 if RFLAGS.AC is now set */
void DisableAC(void);
int main(void) {
    char c[16];
    printf(EnableAC() ? "AC enabled.\n" : "AC not enabled.\n");
    __try {
        /* 2-byte store at an odd address: raises #AC while AC is set;
           volatile keeps the optimizer from dropping the dead store */
        *(volatile short int *)(c+1) = 0x1234;
    }
    __except(1) {       /* 1 == EXCEPTION_EXECUTE_HANDLER */
        printf("Exception.\n");
    }
    DisableAC();
    return(printf("End.\n"));
}
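Added example, not part of EliCZ's post: the same probe written for Linux/x86-64 with GCC or Clang, where the kernel also sets CR0.AM and delivers an AC fault to user mode as SIGBUS. It wraps a single store in set/clear of RFLAGS.AC and catches the fault with sigaction plus siglongjmp; probe_unaligned_store, set_ac, clear_ac and on_sigbus are names chosen here, and the buffer is a constructed target.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) && defined(__linux__)
/* Flip RFLAGS.AC (bit 18) with PUSHFQ/POPFQ like the MASM above. RSP is first
   moved below the 128-byte red zone so the push cannot clobber compiler data. */
static void set_ac(void) {
    __asm__ volatile("lea -128(%%rsp),%%rsp; pushfq; orq $0x40000,(%%rsp); popfq; lea 128(%%rsp),%%rsp" ::: "memory", "cc");
}
static void clear_ac(void) {
    __asm__ volatile("lea -128(%%rsp),%%rsp; pushfq; andq $~0x40000,(%%rsp); popfq; lea 128(%%rsp),%%rsp" ::: "memory", "cc");
}
static sigjmp_buf trap;
static volatile sig_atomic_t fault_code;
/* Linux delivers #AC as SIGBUS/BUS_ADRALN and enters the handler with AC still
   set, so clear it before running anything else (libc included). */
static void on_sigbus(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    clear_ac();
    fault_code = si->si_code;
    siglongjmp(trap, 1);
}
/* 1 = the 16-bit store at buf+offset raised a trapped alignment fault,
   0 = it completed silently, -1 = this build target cannot run the probe. */
int probe_unaligned_store(int offset) {
    static char buf[16] __attribute__((aligned(16)));   /* constructed target buffer */
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigbus; sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old);
    fault_code = 0;
    if (sigsetjmp(trap, 1) == 0) {
        volatile unsigned short *p = (volatile unsigned short *)(buf + offset);
        set_ac();      /* only the store below executes with AC enabled */
        *p = 0x1234;   /* misaligned for odd offsets, like c+1 in Test.c */
        clear_ac();
    }
    sigaction(SIGBUS, &old, NULL);
    return fault_code == BUS_ADRALN;
}
#else
int probe_unaligned_store(int offset) { (void)offset; return -1; }
#endif
int main(void) {
    printf("aligned: %d  unaligned: %d\n", probe_unaligned_store(0), probe_unaligned_store(1));
    return 0;
}
```

The AC window is kept to the one store on purpose: libc and compiler-generated code in between would fault on their own unaligned accesses, which is exactly why the post's DisableAC() runs before the final printf.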