risc-v 函数hook理解

unsigned int inject_test( u8 *in_buff );

u8 g_test_str[64] = {'1', '2', '3'};

/*
 * Entry point of the hook demo.
 *
 * Calls inject_test with the fixed global string and logs the value that comes
 * back. Because inject_test redirects its own return into hook_test, the value
 * logged here is hook_test's result (0x888 in the recorded trace on this page),
 * not the 0x00 that inject_test returns in source.
 *
 * @return the value received from the inject_test call.
 */
unsigned int make_asm_test( void )
{
    /* the initial value is never observed; the call below overwrites it */
    int rc = 0x123;

    /* scratch write kept from the original experiment */
    g_debug_buff[0x10] = 0x78;

    rc = inject_test(g_test_str);
    at_uart_log_string( "current sp666 = %#x\n", rc );

    return rc;
}

/*
 * Demonstration of a stack-frame overwrite on RISC-V.
 *
 * Copies 32 bytes of in_buff into a 32-byte stack buffer and then deliberately
 * stores five words *past the end of that buffer*. In C this is undefined
 * behaviour; the demo relies on the compiler's frame layout (sketched at the
 * end of this page: canary, reserve, s1, s0, ra above buff) so that the stores
 * land on the saved registers and the saved return address.
 *
 * Observed effect (log trace on this page): this function's own `return 0x00`
 * never reaches the caller -- execution continues in hook_test, and the value
 * the caller logs is hook_test's 0x888.
 *
 * This is the fault class a stack protector exists to catch: the store to
 * pxx[0] replaces the guard word, so the epilogue check presumably only passes
 * because that constant equals the live __stack_chk_guard of this build; with a
 * randomised per-boot guard the check would fail instead of returning.
 * NOTE(review): assumed, confirm against the build's guard handling.
 *
 * @param in_buff  source of the 32 bytes copied into buff; at least 32 bytes
 *                 must be readable (memcpy does not stop at a NUL).
 * @return 0x00 in source; see above for what the caller actually observes.
 */
unsigned int inject_test( u8 *in_buff )

{

/* the 32-byte target buffer; everything the demo corrupts sits above it */
u8 buff[32];

/* word pointer used to address the frame slots above buff */
u32 *pxx;

memset( buff, 0x00, sizeof(buff) );

/* copies exactly 32 bytes regardless of content; the NUL needed by the later
 * "%s" print must already be within those bytes (g_test_str's trailing zeros) */
memcpy( buff, in_buff, 32 );

/* one past the end of buff: every pxx[i] store below is out of bounds (UB);
 * which slots are hit is decided by the compiler's frame layout, per the
 * layout sketch at the end of the page */
pxx = (u32 *)&buff[32];

/* slot directly above buff: the stack-protector guard word (see header) */
pxx[0] = 0xd00a0dff; //__stack_chk_guard canary

pxx[1] = 0x12345678; //reserve

pxx[2] = 0x12345678; //s1 alias x9

pxx[3] = 0x12345678; //s0 alias x8

at_uart_log_string( "hook_test gp4 = %#x\n", get_gp() );

/* per the layout sketch, 60(sp) is the saved return address (new sp = old sp
 * - 64, ra at the top of the frame). Loading it into gp parks the pre-hook
 * return address in the global pointer for hook_test to put back. No clobber
 * list is declared, so the compiler is not told that gp changes and may move
 * the plain pxx[] stores across this statement -- verify in the disassembly.
 * NOTE(review): the trace shows the same gp value before and after this load,
 * so what get_gp() actually reads cannot be determined from this page. */
asm volatile("lw gp, 60(sp)"); //save the pre-hook return address into the gp register

/* saved-ra slot: this function's return is redirected into hook_test, whose
 * address is given as 0x00f02434 further down the page */
pxx[4] = 0x00f02434; //ra alias x1 ->hook_test

at_uart_log_string( "inject_test = %s\n", buff );

asm volatile("nop");

asm volatile("nop");

/* never what the caller observes: the return lands in hook_test, whose 0x888
 * is what make_asm_test logs */
return 0x00;

}

//0x00f02434

/*
 * Landing point for the frame overwrite performed in inject_test.
 *
 * inject_test writes this function's address (0x00f02434, see the comment
 * above) over its own saved return address, so inject_test's `ret` arrives
 * here instead of back in make_asm_test. The gp register, which inject_test
 * loaded with the pre-hook return address, is stored back into the stack at
 * 0x0c(sp) -- presumably this function's own saved-ra slot in the frame the
 * compiler built for it, so that `return ret` below goes back to the original
 * caller. NOTE(review): that offset is compiler- and frame-dependent; confirm
 * against the disassembly of this build.
 *
 * EXT_SECTION_RAM_TEXT is a placement macro defined elsewhere (not shown here).
 *
 * @return 0x888, which the original caller then reports as its own result
 *         ("current sp666 = 0x888" in the trace on this page).
 */
EXT_SECTION_RAM_TEXT unsigned int hook_test( void )

{

int ret;

ret = 0x888;

at_uart_log_string( "hook_test gp = %#x\n", get_gp() );

/* write gp (the pre-hook return address) into the return-address slot of this
 * frame so the function returns to where inject_test was called from */
asm volatile("sw gp, 0x0c(sp)"); //restore the original (pre-hook) return flow

return ret;

}

输出日志:

//hook_test gp4 = 0x102ef18

//inject_test = 123

//hook_test gp = 0x102ef18

//current sp666 = 0x888

//return value = 0x888.

堆栈结构:

old sp->ra

s0

s1

reserve

canary __stack_chk_guard

32 bytes buff[32]

12 bytes reserve

new sp->old sp - 64