Bug 1659398 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Win8's `KERNELBASE!DuplicateHandle` has jump instructions whose destination is within the region where we move instructions to a trampoline. In the example below, the address ``000007fe`0618271c`` is a destination of the `JMP` instructions, but when we detour `KERNELBASE!DuplicateHandle`, we move the original instructions to a trampoline, and that address will point to an invalid instruction. A proposed fix is to detour `KERNEL32!DuplicateHandle` without resolving redirection, which is the behavior before bug 1642626.

```
KERNELBASE!DuplicateHandle:
000007fe`06182710 4883ec48            sub     rsp,48h
000007fe`06182714 4c8bd1              mov     r10,rcx
000007fe`06182717 83faf4              cmp     edx,0FFFFFFF4h
000007fe`0618271a 733b                jae     KERNELBASE!DuplicateHandle+0x43 (000007fe`06182757)
000007fe`0618271c 8b842480000000      mov     eax,dword ptr [rsp+80h]
...
000007fe`0623f0de 65488b042560000000  mov     rax,qword ptr gs:[60h]
000007fe`0623f0e7 488b5020            mov     rdx,qword ptr [rax+20h]
000007fe`0623f0eb 488b5220            mov     rdx,qword ptr [rdx+20h]
000007fe`0623f0ef e92836f4ff          jmp     KERNELBASE!DuplicateHandle+0xc (000007fe`0618271c)
000007fe`0623f0f4 65488b042560000000  mov     rax,qword ptr gs:[60h]
000007fe`0623f0fd 488b5020            mov     rdx,qword ptr [rax+20h]
000007fe`0623f101 488b5228            mov     rdx,qword ptr [rdx+28h]
000007fe`0623f105 e91236f4ff          jmp     KERNELBASE!DuplicateHandle+0xc (000007fe`0618271c)
000007fe`0623f10a 65488b042560000000  mov     rax,qword ptr gs:[60h]
000007fe`0623f113 488b5020            mov     rdx,qword ptr [rax+20h]
000007fe`0623f117 488b5230            mov     rdx,qword ptr [rdx+30h]
000007fe`0623f11b e9fc35f4ff          jmp     KERNELBASE!DuplicateHandle+0xc (000007fe`0618271c)
...
```
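The following is an added example, not code from the bug or from the interceptor it discusses. It takes the instruction boundaries and the three `jmp rel32` sites from the disassembly above and shows mechanically why the detour breaks: a detour patch overwrites the first N bytes of the function, so whole instructions covering at least N bytes must be relocated to the trampoline, and any other code path that jumps strictly inside that relocated range (here `+0xc`) ends up executing the patch's immediate bytes. The 14-byte patch size is an assumption for illustration; the example also shows that a short 5-byte patch would not have reached `+0xc`, which is why the size of the stub matters for this class of bug.

```c
/* Added example (not from the bug or the Firefox interceptor): given the
 * instruction lengths of KERNELBASE!DuplicateHandle's prologue and the
 * `jmp rel32` sites from the disassembly, decide whether a detour patch of a
 * given size would relocate bytes that another code path jumps into. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Function start and prologue instruction lengths taken from the listing:
 * sub rsp,48h (4) / mov r10,rcx (3) / cmp edx,.. (3) / jae (2) /
 * mov eax,[rsp+80h] (7). */
#define FUNC_ADDR 0x000007fe06182710ULL
static const uint8_t kPrologueLens[] = { 4, 3, 3, 2, 7 };
static const size_t kPrologueCount = sizeof kPrologueLens;

/* ASSUMPTION: a 14-byte `jmp qword ptr [rip+0]; dq target` patch. */
#define ASSUMED_PATCH_LEN 14

/* Bytes that must be moved to the trampoline: whole instructions until at
 * least patch_len bytes are covered. Returns 0 if the listing is too short. */
size_t relocated_length(size_t patch_len)
{
    size_t moved = 0;
    for (size_t i = 0; i < kPrologueCount; i++) {
        moved += kPrologueLens[i];
        if (moved >= patch_len)
            return moved;
    }
    return 0;
}

/* Decode `e9 rel32` at insn_addr: target = address of next insn + rel32.
 * rel32 is little-endian and sign-extended. Returns 0 if not an e9 jmp. */
uint64_t jmp_rel32_target(uint64_t insn_addr, const uint8_t *bytes)
{
    if (bytes[0] != 0xe9)
        return 0;
    int32_t rel;
    memcpy(&rel, bytes + 1, sizeof rel);
    return (uint64_t)((int64_t)(insn_addr + 5) + rel);
}

/* A branch is unsafe when it lands strictly inside the relocated region.
 * A branch to func_addr itself just hits the detour jump, which is fine. */
bool branch_into_relocated_region(uint64_t target, uint64_t func_addr, size_t moved)
{
    return target > func_addr && target < func_addr + moved;
}

struct jmp_site { uint64_t addr; uint8_t bytes[5]; };

/* The three `jmp KERNELBASE!DuplicateHandle+0xc` sites from the listing. */
static const struct jmp_site kSites[] = {
    { 0x000007fe0623f0efULL, { 0xe9, 0x28, 0x36, 0xf4, 0xff } },
    { 0x000007fe0623f105ULL, { 0xe9, 0x12, 0x36, 0xf4, 0xff } },
    { 0x000007fe0623f11bULL, { 0xe9, 0xfc, 0x35, 0xf4, 0xff } },
};
#define NSITES (sizeof kSites / sizeof kSites[0])

/* How many of the listed jmp sites would break under a patch of patch_len. */
int count_unsafe_sites(size_t patch_len)
{
    size_t moved = relocated_length(patch_len);
    int unsafe = 0;
    for (size_t i = 0; i < NSITES; i++) {
        uint64_t t = jmp_rel32_target(kSites[i].addr, kSites[i].bytes);
        if (branch_into_relocated_region(t, FUNC_ADDR, moved))
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    size_t moved = relocated_length(ASSUMED_PATCH_LEN);
    printf("patch %d bytes -> relocate %zu bytes [%#llx, %#llx)\n",
           ASSUMED_PATCH_LEN, moved, (unsigned long long)FUNC_ADDR,
           (unsigned long long)(FUNC_ADDR + moved));
    for (size_t i = 0; i < NSITES; i++) {
        uint64_t t = jmp_rel32_target(kSites[i].addr, kSites[i].bytes);
        printf("jmp at %#llx -> %#llx: %s\n",
               (unsigned long long)kSites[i].addr, (unsigned long long)t,
               branch_into_relocated_region(t, FUNC_ADDR, moved)
                   ? "inside relocated region (unsafe)" : "ok");
    }
    printf("unsafe with 5-byte patch: %d\n", count_unsafe_sites(5));
    return 0;
}
```

With the assumed 14-byte patch the first five instructions (19 bytes, through `+0x13`) are relocated and all three jumps to `+0xc` land inside that range; a 5-byte patch would relocate only the first two instructions (7 bytes) and leave `+0xc` untouched. A real detour library should run this kind of target scan over the module's branch sites, or at least refuse to relocate past a known incoming branch target, before patching.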