metasm 1.0.1 → 1.0.2

data/{lib/metasm → metasm}/dynldr.rb

@@ -52,15 +52,17 @@ extern VALUE *rb_cObject __attribute__((import));
 extern VALUE *rb_eRuntimeError __attribute__((import));
 extern VALUE *rb_eArgError __attribute__((import));
 
-#define Qfalse ((VALUE)0)
-#define Qtrue  ((VALUE)2)
-#define Qnil   ((VALUE)4)
-
 // allows generating a ruby1.9 dynldr.so from ruby1.8
 #ifndef DYNLDR_RUBY_19
 #define DYNLDR_RUBY_19 #{RUBY_VERSION >= '1.9' ? 1 : 0}
 #endif
 
+#if #{RUBY_VERSION >= '2.0' ? 1 : 0}
+// flonums. WHY?
+// also breaks Qtrue/Qnil
+#define rb_float_new rb_float_new_in_heap
+#endif
+
 #if DYNLDR_RUBY_19
  #define T_STRING 0x05
  #define T_ARRAY  0x07
@@ -90,7 +92,8 @@ VALUE rb_ull2inum(unsigned long long);
 VALUE rb_num2ulong(VALUE);
 unsigned long long rb_num2ull(VALUE);
 VALUE rb_str_new(const char* ptr, long len);	// alloc + memcpy + 0term
-VALUE rb_ary_new2(int len);
+VALUE rb_ary_new();
+VALUE rb_ary_push(VALUE, VALUE);
 VALUE rb_float_new(double);
 
 VALUE rb_intern(char *);
@@ -163,7 +166,7 @@ static VALUE memory_write(VALUE self, VALUE addr, VALUE val)
 static VALUE memory_write_int(VALUE self, VALUE addr, VALUE val)
 {
 	*(uintptr_t *)VAL2INT(addr) = VAL2INT(val);
-	return Qtrue;
+	return 1;
 }
 
 static VALUE str_ptr(VALUE self, VALUE str)
@@ -200,7 +203,7 @@ static VALUE sym_addr(VALUE self, VALUE lib, VALUE func)
 
 	if (TYPE(func) != T_STRING && TYPE(func) != T_FIXNUM)
 		rb_raise(*rb_eArgError, "Invalid func");
-	
+
 	if (TYPE(func) == T_FIXNUM)
 		p = os_load_sym_ord(h, VAL2INT(func));
 	else
@@ -224,7 +227,7 @@ static VALUE invoke(VALUE self, VALUE ptr, VALUE args, VALUE flags)
 {
 	if (TYPE(args) != T_ARRAY || ARY_LEN(args) > 64)
 		rb_raise(*rb_eArgError, "bad args");
-	
+
 	uintptr_t flags_v = VAL2INT(flags);
 	uintptr_t ptr_v = VAL2INT(ptr);
 	unsigned i, argsz;
@@ -241,7 +244,7 @@ static VALUE invoke(VALUE self, VALUE ptr, VALUE args, VALUE flags)
 		ret = do_invoke_stdcall(ptr_v, argsz, args_c);
 	else
 		ret = do_invoke(ptr_v, argsz, args_c);
-	
+
 	if (flags_v & 4)
 		return rb_ull2inum((unsigned __int64)ret);
 	else if (flags_v & 8)
@@ -257,23 +260,27 @@ static VALUE invoke(VALUE self, VALUE ptr, VALUE args, VALUE flags)
 // callback generated by callback_alloc
 // heavy stack magick at work here !
 // TODO float args / float retval / ret __int64
-uintptr_t do_callback_handler(uintptr_t ori_retaddr, uintptr_t caller_id, uintptr_t arg0)
+uintptr_t do_callback_handler(uintptr_t ori_retaddr, uintptr_t caller_id, uintptr_t arg0, uintptr_t arg_ecx __attribute__((register(ecx))), uintptr_t arg_edx __attribute__((register(edx))))
 {
 	uintptr_t *addr = &arg0;
 	unsigned i, ret;
-	VALUE args = rb_ary_new2(8);
+	VALUE args = rb_ary_new();
+
+	// __fastcall callback args
+
+	rb_ary_push(args, INT2VAL(arg_ecx));
+	rb_ary_push(args, INT2VAL(arg_edx));
 
 	// copy our args to a ruby-accessible buffer
-	for (i=0U ; i<8U ; ++i)
-		ARY_PTR(args)[i] = INT2VAL(*addr++);
-	RArray(args)->len = 8U;	// len == 8, no need to ARY_LEN/EMBED stuff
+	for (i=2U ; i<10U ; ++i)
+		rb_ary_push(args, INT2VAL(*addr++));
 
 	ret = rb_funcall(dynldr, rb_intern("callback_run"), 2, INT2VAL(caller_id), args);
 
 	// dynldr.callback will give us the arity (in bytes) of the callback in args[0]
 	// we just put the stack lifting offset in caller_id for the asm stub to use
 	caller_id = VAL2INT(ARY_PTR(args)[0]);
-	
+
 	return VAL2INT(ret);
 }
 
@@ -290,7 +297,7 @@ static VALUE invoke(VALUE self, VALUE ptr, VALUE args, VALUE flags)
 {
 	if (TYPE(args) != T_ARRAY || ARY_LEN(args) > 16)
 		rb_raise(*rb_eArgError, "bad args");
-	
+
 	uintptr_t flags_v = VAL2INT(flags);
 	uintptr_t ptr_v = VAL2INT(ptr);
 	int i, argsz;
@@ -312,7 +319,7 @@ static VALUE invoke(VALUE self, VALUE ptr, VALUE args, VALUE flags)
 			    args_c[4],  args_c[5],  args_c[6],  args_c[7],
 			    args_c[8],  args_c[9],  args_c[10], args_c[11],
 			    args_c[12], args_c[13], args_c[14], args_c[15]);
-	
+
 	if (flags_v & 8)
 		return rb_float_new(fake_float());
 
@@ -324,18 +331,16 @@ uintptr_t do_callback_handler(uintptr_t cb_id __attribute__((register(rax))),
 		uintptr_t arg4, uintptr_t arg5, uintptr_t arg6, uintptr_t arg7)
 {
 	uintptr_t ret;
-	VALUE args = rb_ary_new2(8);
-	VALUE *ptr = ARY_PTR(args);
-
-	RArray(args)->len = 8;
-	ptr[0] = INT2VAL(arg0);
-	ptr[1] = INT2VAL(arg1);
-	ptr[2] = INT2VAL(arg2);
-	ptr[3] = INT2VAL(arg3);
-	ptr[4] = INT2VAL(arg4);
-	ptr[5] = INT2VAL(arg5);
-	ptr[6] = INT2VAL(arg6);
-	ptr[7] = INT2VAL(arg7);
+	VALUE args = rb_ary_new();
+
+	rb_ary_push(args, INT2VAL(arg0));
+	rb_ary_push(args, INT2VAL(arg1));
+	rb_ary_push(args, INT2VAL(arg2));
+	rb_ary_push(args, INT2VAL(arg3));
+	rb_ary_push(args, INT2VAL(arg4));
+	rb_ary_push(args, INT2VAL(arg5));
+	rb_ary_push(args, INT2VAL(arg6));
+	rb_ary_push(args, INT2VAL(arg7));
 
 	ret = rb_funcall(dynldr, rb_intern("callback_run"), 2, INT2VAL(cb_id), args);
 
@@ -379,8 +384,7 @@ static void *wstrcaseruby(short *s1, int len)
 {
 	int i = 0;
 	int match = 0;
-
-	static char *want = "ruby";	// cant contain the same letter twice
+	char *want = "ruby";	// cant contain the same letter twice
 
 	while (i < len) {
 		if (want[match] == (s1[i] | 0x20)) {	// downcase cmp
@@ -474,11 +478,11 @@ int load_ruby_imports(uintptr_t rbaddr)
 	if (rbaddr)
 		ruby_module = find_ruby_module_mem(rbaddr);
 	else
-	 	ruby_module = find_ruby_module_peb();
+		ruby_module = find_ruby_module_peb();
 
 	if (!ruby_module)
 		return 0;
-	
+
 	ptr = &ruby_import_table;
 	table = (char*)ptr;
 
@@ -494,7 +498,7 @@ int load_ruby_imports(uintptr_t rbaddr)
 
 #ifdef __x86_64__
 #define DLL_PROCESS_ATTACH 1
-__stdcall int DllMain(void *handle, int reason, void *res)
+int DllMain(void *handle, int reason, void *res)
 {
 	if (reason == DLL_PROCESS_ATTACH)
 		return load_ruby_imports(0);
@@ -509,7 +513,7 @@ EOS
 do_invoke_fastcall:
 	push ebp
 	mov ebp, esp
-	
+
 	// load ecx/edx, fix arg/argcount
 	mov eax, [ebp+16]
 	mov ecx, [eax]
@@ -627,7 +631,7 @@ EOS
 		# save the shared library
 		bin.encode_file(modulename, :lib)
 	end
-	
+
 	def self.compile_binary_module_hack(bin)
 		# this is a hack
 		# we need the module to use ruby symbols
@@ -720,8 +724,7 @@ EOS
 	# find the path of the binary module
 	# if none exists, create a path writeable by the current user
 	def self.find_bin_path
-		fname = ['dynldr', host_arch, host_cpu.shortname,
-			 ('19' if RUBY_VERSION >= '1.9')].compact.join('-') + '.so'
+		fname = ['dynldr', host_arch, host_cpu.shortname, RUBY_VERSION.gsub('.', '')].join('-') + '.so'
 		dir = File.dirname(__FILE__)
 		binmodule = File.join(dir, fname)
 		if not File.exists? binmodule or File.stat(binmodule).mtime < File.stat(__FILE__).mtime
@@ -765,7 +768,7 @@ EOS
 		else raise LoadError, "Unsupported host platform #{RUBY_PLATFORM}"
 		end
 	end
-	
+
 	# returns whether we run on linux or windows
 	def self.host_arch
 		case RUBY_PLATFORM
@@ -788,16 +791,73 @@ EOS
 		cp.parse(src)
 	end
 
-	# compile a C fragment into a Shellcode, honors the host ABI
+	# compile a C fragment into a Shellcode_RWX, honors the host ABI
 	def self.compile_c(src)
 		# XXX could we reuse self.cp ? (for its macros etc)
 		cp = C::Parser.new(host_exe.new(host_cpu))
 		cp.parse(src)
-		sc = Shellcode.new(host_cpu)
+		sc = Shellcode_RWX.new(host_cpu)
 		asm = host_cpu.new_ccompiler(cp, sc).compile
 		sc.assemble(asm)
 	end
 
+	# maps a Shellcode_RWX in memory, fixup stdlib relocations
+	# returns the Shellcode_RWX, with the base_r/w/x initialized to the allocated memory
+	def self.sc_map_resolve(sc)
+		sc_map_resolve_addthunks(sc)
+
+		sc.base_r = memory_alloc(sc.encoded_r.length) if sc.encoded_r.length > 0
+		sc.base_w = memory_alloc(sc.encoded_w.length) if sc.encoded_w.length > 0
+		sc.base_x = memory_alloc(sc.encoded_x.length) if sc.encoded_x.length > 0
+
+		locals = sc.encoded_r.export.keys | sc.encoded_w.export.keys | sc.encoded_x.export.keys
+		exts = sc.encoded_r.reloc_externals(locals) | sc.encoded_w.reloc_externals(locals) | sc.encoded_x.reloc_externals(locals)
+		bd = {}
+		exts.uniq.each { |ext| bd[ext] = sym_addr(lib_from_sym(ext), ext) or raise rescue raise "unknown symbol #{ext.inspect}" }
+		sc.fixup_check(bd)
+
+		memory_write sc.base_r, sc.encoded_r.data if sc.encoded_r.length > 0
+		memory_write sc.base_w, sc.encoded_w.data if sc.encoded_w.length > 0
+		memory_write sc.base_x, sc.encoded_x.data if sc.encoded_x.length > 0
+
+		memory_perm sc.base_r, sc.encoded_r.length, 'r'  if sc.encoded_r.length > 0
+		memory_perm sc.base_w, sc.encoded_w.length, 'rw' if sc.encoded_w.length > 0
+		memory_perm sc.base_x, sc.encoded_x.length, 'rx' if sc.encoded_x.length > 0
+
+		sc
+	end
+
+	def self.sc_map_resolve_addthunks(sc)
+		case host_cpu.shortname
+		when 'x64'
+			# patch 'call moo' into 'call thunk; thunk: jmp qword [moo_ptr]'
+			# this is similar to ELF PLT section, allowing code to call
+			# into a library mapped more than 4G away
+			# XXX handles only 'call extern', not 'lea reg, extern' or anything else
+			# in this case, the linker will still raise an 'immediate overflow'
+			# during fixup_check in sc_map_resolve
+			[sc.encoded_r, sc.encoded_w, sc.encoded_x].each { |edata|
+				edata.reloc.dup.each { |off, rel|
+					# target only call extern / jmp.i32 extern
+					next if rel.type != :i32
+					next if rel.target.op != :-
+					next if edata.export[rel.target.rexpr] != off+4
+					next if edata.export[rel.target.lexpr]
+					opc = edata.data[off-1, 1].unpack('C')[0]
+					next if opc != 0xe8 and opc != 0xe9
+
+					thunk_sc = Shellcode.new(host_cpu).share_namespace(sc)
+					thunk = thunk_sc.assemble(<<EOS).encoded
+1: jmp qword [rip]
+dq #{rel.target.lexpr}
+EOS
+					edata << thunk
+					rel.target.lexpr = thunk.inv_export[0]
+				}
+			}
+		end
+	end
+
 	# retrieve the library where a symbol is to be found (uses AutoImport)
 	def self.lib_from_sym(symname)
 		case host_arch
@@ -821,7 +881,7 @@ EOS
 			cp.toplevel.symbol.delete v.name
 			lib = fromlib || lib_from_sym(v.name)
 			addr = sym_addr(lib, v.name)
-		       	if addr == 0 or addr == -1 or addr == 0xffff_ffff or addr == 0xffffffff_ffffffff
+			if addr == 0 or addr == -1 or addr == 0xffff_ffff or addr == 0xffffffff_ffffffff
 				api_not_found(lib, v)
 				next
 			end
@@ -912,11 +972,11 @@ EOS
 		flags |= 4 if proto.type.type.integral? and cp.sizeof(nil, proto.type.type) == 8
 		flags |= 8 if proto.type.type.float?
 		class << self ; self ; end.send(:define_method, name) { |*a|
-			raise ArgumentError, "bad arg count for #{name}: #{a.length} for #{proto.type.args.length}" if a.length != proto.type.args.length and not proto.type.varargs
+			raise ArgumentError, "bad arg count for #{name}: #{a.length} for #{proto.type.args.to_a.length}" if a.length != proto.type.args.to_a.length and not proto.type.varargs
 
 			# convert the arglist suitably for raw_invoke
 			auto_cb = []	# list of automatic C callbacks generated from lambdas
-			a = a.zip(proto.type.args).map { |ra, fa|
+			a = a.zip(proto.type.args.to_a).map { |ra, fa|
 				aa = convert_rb2c(fa, ra, :cb_list => auto_cb)
 				if fa and fa.type.integral? and cp.sizeof(fa) == 8 and host_cpu.size == 32
 					aa = [aa & 0xffff_ffff, (aa >> 32) & 0xffff_ffff]
@@ -965,6 +1025,10 @@ EOS
 		raise "invalid callback #{'%x' % id} not in #{@@callback_table.keys.map { |c| c.to_s(16) }}" if not cb
 
 		rawargs = args.dup
+		if host_cpu.shortname == 'ia32' and (not cb[:proto_ori] or not cb[:proto_ori].has_attribute('fastcall'))
+			rawargs.shift
+			rawargs.shift
+		end
 		ra = cb[:proto] ? cb[:proto].args.map { |fa| convert_cbargs_c2rb(fa, rawargs) } : []
 
 		# run it
@@ -995,6 +1059,7 @@ EOS
 	# XXX val is an integer, how to decode Floats etc ? raw binary ptr ?
 	def self.convert_c2rb(formal, val)
 		formal = formal.type if formal.kind_of? C::Variable
+		val &= (1 << 8*cp.sizeof(formal))-1 if formal.integral?
 		val = Expression.make_signed(val, 8*cp.sizeof(formal)) if formal.integral? and formal.signed?
 		val = nil if formal.pointer? and val == 0
 		val
@@ -1019,13 +1084,8 @@ EOS
 		if (v and v.initializer) or cp.toplevel.statements.find { |st| st.kind_of? C::Asm }
 			cp.toplevel.statements.delete_if { |st| st.kind_of? C::Asm }
 			cp.toplevel.symbol.delete v.name if v
-			sc = compile_c(proto)
-			ptr = memory_alloc(sc.encoded.length)
-			sc.base_addr = ptr
-			# TODO fixup external calls
-			memory_write ptr, sc.encode_string
-			memory_perm ptr, sc.encoded.length, 'rwx'
-			ptr
+			sc = sc_map_resolve(compile_c(proto))
+			sc.base_x
 		elsif not v
 			raise 'empty prototype'
 		else
@@ -1044,6 +1104,7 @@ EOS
 		cb[:id] = id
 		cb[:proc] = b
 		cb[:proto] = proto
+		cb[:proto_ori] = ori
 		cb[:abi_stackfix] = proto.args.inject(0) { |s, a| s + [cp.sizeof(a), cp.typesize[:ptr]].max } if ori and ori.has_attribute('stdcall')
 		cb[:abi_stackfix] = proto.args[2..-1].to_a.inject(0) { |s, a| s + [cp.sizeof(a), cp.typesize[:ptr]].max } if ori and ori.has_attribute('fastcall')	# supercedes stdcall
 		@@callback_table[id] = cb
@@ -1058,29 +1119,34 @@ EOS
 	# finds a free callback id, allocates a new page if needed
 	def self.callback_find_id
 		if not id = @@callback_addrs.find { |a| not @@callback_table[a] }
-			cb_page = memory_alloc(4096)
+			page_size = 4096
+			cb_page = memory_alloc(page_size)
 			sc = Shellcode.new(host_cpu, cb_page)
 			case sc.cpu.shortname
 			when 'ia32'
-				addr = cb_page
-				nrcb = 128	# TODO should be 4096/5, but the parser/compiler is really too slow
-				nrcb.times {
-					@@callback_addrs << addr
-					sc.parse "call #{CALLBACK_TARGET}"
-					addr += 5
-				}
+				asm = "call #{CALLBACK_TARGET}"
 			when 'x64'
-				addr = cb_page
-				nrcb = 128	# same remark
-				nrcb.times {
-					@@callback_addrs << addr
-					sc.parse "1: lea rax, [rip-$_+1b] jmp #{CALLBACK_TARGET}"
-					addr += 12	# XXX approximative..
-				}
+				if (cb_page - CALLBACK_TARGET).abs >= 0x7fff_f000
+					# cannot directly 'jmp CB_T'
+					asm = "1: mov rax, #{CALLBACK_TARGET}  push rax  lea rax, [rip-$_+1b]  ret"
+				else
+					asm = "1: lea rax, [rip-$_+1b]  jmp #{CALLBACK_TARGET}"
+				end
+			else
+				raise 'Who are you?'
+			end
+
+			# fill the page with valid callbacks
+			loop do
+				off = sc.encoded.length
+				sc.assemble asm
+				break if sc.encoded.length > page_size
+				@@callback_addrs << (cb_page + off)
 			end
-			sc.assemble
-			memory_write cb_page, sc.encode_string
-			memory_perm cb_page, 4096, 'rx'
+
+			memory_write cb_page, sc.encode_string[0, page_size]
+			memory_perm cb_page, page_size, 'rx'
+
 			raise 'callback_alloc bouh' if not id = @@callback_addrs.find { |a| not @@callback_table[a] }
 		end
 		id
@@ -1090,23 +1156,17 @@ EOS
 	# returns the raw pointer to the code page
 	# if given a block, run the block and then undefine all the C functions & free memory
 	def self.new_func_c(src)
-		sc = compile_c(src)
-		ptr = memory_alloc(sc.encoded.length)
-		sc.base_addr = ptr
-		bd = sc.encoded.binding(ptr)
-		sc.encoded.reloc_externals.uniq.each { |ext| bd[ext] = sym_addr(lib_from_sym(ext), ext) or raise "unknown symbol #{ext}" }
-		sc.encoded.fixup(bd)
-		memory_write ptr, sc.encode_string
-		memory_perm ptr, sc.encoded.length, 'rwx'
+		sc = sc_map_resolve(compile_c(src))
+
 		parse_c(src)	# XXX the Shellcode parser may have defined stuff / interpreted C another way...
 		defs = []
 		cp.toplevel.symbol.dup.each_value { |v|
 			next if not v.kind_of? C::Variable
 			cp.toplevel.symbol.delete v.name
 			next if not v.type.kind_of? C::Function or not v.initializer
-			next if not off = sc.encoded.export[v.name]
+			next if not off = sc.encoded_x.export[v.name]
 			rbname = c_func_name_to_rb(v.name)
-			new_caller_for(v, rbname, ptr+off)
+			new_caller_for(v, rbname, sc.base_x+off)
 			defs << rbname
 		}
 		if block_given?
@@ -1114,16 +1174,20 @@ EOS
 				yield
 			ensure
 				defs.each { |d| class << self ; self ; end.send(:remove_method, d) }
-				memory_free ptr
+				memory_free sc.base_r if sc.base_r
+				memory_free sc.base_w if sc.base_w
+				memory_free sc.base_x if sc.base_x
 			end
 		else
-			ptr
+			sc.base_x
 		end
 	end
 
 	# compile an asm sequence, callable with the ABI of the C prototype given
 	# function name comes from the prototype
-	def self.new_func_asm(proto, asm)
+	# the shellcode is mapped in read-only memory unless selfmodifyingcode is true
+	# note that you can use a .data section for simple writable non-executable memory
+	def self.new_func_asm(proto, asm, selfmodifyingcode=false)
 		proto += "\n;"
 		old = cp.toplevel.symbol.keys
 		parse_c(proto)
@@ -1133,24 +1197,24 @@ EOS
 		raise "invalid func proto #{proto}" if not f.name or not f.type.kind_of? C::Function or f.initializer
 		cp.toplevel.symbol.delete f.name
 
-		sc = Shellcode.assemble(host_cpu, asm)
-		ptr = memory_alloc(sc.encoded.length)
-		bd = sc.encoded.binding(ptr)
-		sc.encoded.reloc_externals.uniq.each { |ext| bd[ext] = sym_addr(lib_from_sym(ext), ext) or raise "unknown symbol #{ext}" }
-		sc.encoded.fixup(bd)
-		memory_write ptr, sc.encode_string
-		memory_perm ptr, sc.encoded.length, 'rwx'
+		sc = Shellcode_RWX.assemble(host_cpu, asm)
+		sc = sc_map_resolve(sc)
+		if selfmodifyingcode
+			memory_perm sc.base_x, sc.encoded_x.length, 'rwx'
+		end
 		rbname = c_func_name_to_rb(f.name)
-		new_caller_for(f, rbname, ptr)
+		new_caller_for(f, rbname, sc.base_x)
 		if block_given?
 			begin
 				yield
 			ensure
 				class << self ; self ; end.send(:remove_method, rbname)
-				memory_free ptr
+				memory_free sc.base_r if sc.base_r
+				memory_free sc.base_w if sc.base_w
+				memory_free sc.base_x
 			end
 		else
-			ptr
+			sc.base_x
 		end
 	end
 
@@ -1234,69 +1298,70 @@ EOS
 	when :windows
 
 		new_api_c <<EOS, 'kernel32'
-#define PAGE_NOACCESS          0x01     
-#define PAGE_READONLY          0x02     
-#define PAGE_READWRITE         0x04     
-#define PAGE_WRITECOPY         0x08     
-#define PAGE_EXECUTE           0x10     
-#define PAGE_EXECUTE_READ      0x20     
-#define PAGE_EXECUTE_READWRITE 0x40     
-#define PAGE_EXECUTE_WRITECOPY 0x80     
-#define PAGE_GUARD            0x100     
-#define PAGE_NOCACHE          0x200     
-#define PAGE_WRITECOMBINE     0x400     
-
-#define MEM_COMMIT           0x1000     
-#define MEM_RESERVE          0x2000     
-#define MEM_DECOMMIT         0x4000     
-#define MEM_RELEASE          0x8000     
-#define MEM_FREE            0x10000     
-#define MEM_PRIVATE         0x20000     
-#define MEM_MAPPED          0x40000     
-#define MEM_RESET           0x80000     
-#define MEM_TOP_DOWN       0x100000     
-#define MEM_WRITE_WATCH    0x200000     
-#define MEM_PHYSICAL       0x400000     
-#define MEM_LARGE_PAGES  0x20000000     
-#define MEM_4MB_PAGES    0x80000000     
+#define PAGE_NOACCESS          0x01
+#define PAGE_READONLY          0x02
+#define PAGE_READWRITE         0x04
+#define PAGE_WRITECOPY         0x08
+#define PAGE_EXECUTE           0x10
+#define PAGE_EXECUTE_READ      0x20
+#define PAGE_EXECUTE_READWRITE 0x40
+#define PAGE_EXECUTE_WRITECOPY 0x80
+#define PAGE_GUARD            0x100
+#define PAGE_NOCACHE          0x200
+#define PAGE_WRITECOMBINE     0x400
+
+#define MEM_COMMIT           0x1000
+#define MEM_RESERVE          0x2000
+#define MEM_DECOMMIT         0x4000
+#define MEM_RELEASE          0x8000
+#define MEM_FREE            0x10000
+#define MEM_PRIVATE         0x20000
+#define MEM_MAPPED          0x40000
+#define MEM_RESET           0x80000
+#define MEM_TOP_DOWN       0x100000
+#define MEM_WRITE_WATCH    0x200000
+#define MEM_PHYSICAL       0x400000
+#define MEM_LARGE_PAGES  0x20000000
+#define MEM_4MB_PAGES    0x80000000
 
 __stdcall uintptr_t VirtualAlloc(uintptr_t addr, uintptr_t size, int type, int prot);
 __stdcall uintptr_t VirtualFree(uintptr_t addr, uintptr_t size, int freetype);
 __stdcall uintptr_t VirtualProtect(uintptr_t addr, uintptr_t size, int prot, int *oldprot);
 EOS
-		
+
 		# allocate some memory suitable for code allocation (ie VirtualAlloc)
 		def self.memory_alloc(sz)
 			virtualalloc(nil, sz, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE)
 		end
-	
+
 		# free memory allocated through memory_alloc
 		def self.memory_free(addr)
 			virtualfree(addr, 0, MEM_RELEASE)
 		end
-	
+
 		# change memory permissions - perm in [r rw rx rwx]
 		def self.memory_perm(addr, len, perm)
 			perm = { 'r' => PAGE_READONLY, 'rw' => PAGE_READWRITE, 'rx' => PAGE_EXECUTE_READ,
 				'rwx' => PAGE_EXECUTE_READWRITE }[perm.to_s.downcase]
 			virtualprotect(addr, len, perm, str_ptr([0].pack('C')*8))
 		end
-	
+
 	when :linux
-		
+
 		new_api_c <<EOS
-#define PROT_READ 0x1
+#define PROT_READ  0x1
 #define PROT_WRITE 0x2
-#define PROT_EXEC 0x4
+#define PROT_EXEC  0x4
 
-#define MAP_PRIVATE 0x2
+#define MAP_PRIVATE   0x2
+#define MAP_FIXED     0x10
 #define MAP_ANONYMOUS 0x20
 
 uintptr_t mmap(uintptr_t addr, uintptr_t length, int prot, int flags, uintptr_t fd, uintptr_t offset);
 uintptr_t munmap(uintptr_t addr, uintptr_t length);
 uintptr_t mprotect(uintptr_t addr, uintptr_t len, int prot);
 EOS
-		
+
 		# allocate some memory suitable for code allocation (ie mmap)
 		def self.memory_alloc(sz)
 			@mmaps ||= {}	# save size for mem_free
@@ -1304,26 +1369,48 @@ EOS
 			@mmaps[a] = sz
 			a
 		end
-	
+
 		# free memory allocated through memory_alloc
 		def self.memory_free(addr)
 			munmap(addr, @mmaps[addr])
 		end
-	
+
 		# change memory permissions - perm 'rwx'
 		# on PaX-enabled systems, this may need a non-mprotect-restricted ruby interpreter
+		# if a mapping 'rx' is denied, will try to create a file and mmap() it rx in place
 		def self.memory_perm(addr, len, perm)
 			perm = perm.to_s.downcase
 			len += (addr & 0xfff) + 0xfff
 			len &= ~0xfff
 			addr &= ~0xfff
+
 			p = 0
-			p |= PROT_READ if perm.include? 'r'
-			p |= PROT_WRITE if perm.include? 'w'
-			p |= PROT_EXEC if perm.include? 'x'
-			mprotect(addr, len, p)
+			p |= PROT_READ  if perm.include?('r')
+			p |= PROT_WRITE if perm.include?('w')
+			p |= PROT_EXEC  if perm.include?('x')
+
+			ret = mprotect(addr, len, p)
+
+			if ret != 0 and perm.include?('x') and not perm.include?('w') and len > 0 and @memory_perm_wd ||= find_write_dir
+				# We are on a PaX-mprotected system. Try to use a file mapping to work aroud.
+				Dir.chdir(@memory_perm_wd) {
+					fname = 'tmp_mprot_%d_%x' % [Process.pid, addr]
+					data = memory_read(addr, len)
+					begin
+						File.open(fname, 'w') { |fd| fd.write data }
+						# reopen to ensure filesystem flush
+						rret = File.open(fname, 'r') { |fd| mmap(addr, len, p, MAP_FIXED|MAP_PRIVATE, fd.fileno, 0) }
+						raise 'hax' if data != memory_read(addr, len)
+						ret = 0 if rret == addr
+					ensure
+						File.unlink(fname) rescue nil
+					end
+				}
+			end
+
+			ret
 		end
-	
+
 	end
 end
 end