unsigned int inject_test( u8 *in_buff );
/* 64-byte test payload handed to inject_test: the text "123" followed by
 * zero bytes (a string literal initializer zero-fills the remainder exactly
 * like the brace form does). */
u8 g_test_str[64] = "123";
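/*
 * Entry point of the stack-smash demonstration.
 *
 * Hands g_test_str to inject_test, whose own frame is deliberately
 * overrun so that it "returns" into hook_test, then logs and returns
 * whatever value finally comes back (0x888 from hook_test according to
 * the recorded output at the end of this file).
 *
 * Returns the value produced by the hijacked call chain.
 * Side effects: stores 0x78 into g_debug_buff[0x10] (purpose not
 * documented in this file) and logs over the AT UART.
 */
unsigned int make_asm_test( void )
{
/* unsigned: matches the return type and the %#x conversion used below;
 * the original also held a dead store (0x123) that was never observable. */
unsigned int ret;
g_debug_buff[0x10] = 0x78;
ret = inject_test(g_test_str);
at_uart_log_string( "current sp666 = %#x\n", ret );
return ret;
}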
/*
 * Deliberately overruns the 32-byte local buffer to demonstrate how a stack
 * smash redirects control flow: it rewrites the slots that follow buff
 * (canary, reserve, s1, s0, ra) and plants hook_test's address in the
 * saved-ra slot, so the function epilogue "returns" into hook_test.
 *
 * in_buff: source of the 32 bytes copied into buff. It must contain a NUL
 *          within those 32 bytes, because buff is printed with "%s".
 * Returns 0 on the normal path; per the logged output at the end of this
 *          file, the caller actually observes hook_test's 0x888.
 *
 * Every pxx[] store is out of bounds for buff and is undefined behaviour in
 * standard C. The layout it assumes is the one sketched at the end of this
 * file (12-byte reserve, buff[32], canary, reserve, s1, s0, ra inside a
 * 64-byte frame) and is compiler/build specific.
 */
unsigned int inject_test( u8 *in_buff )
{
u8 buff[32];
u32 *pxx;
memset( buff, 0x00, sizeof(buff) ); // redundant: the memcpy below overwrites all 32 bytes
memcpy( buff, in_buff, 32 );
pxx = (u32 *)&buff[32]; // one past the end of buff: the first stack slot after the buffer
pxx[0] = 0xd00a0dff; //__stack_chk_guard canary
// NOTE(review): this store only survives the epilogue's stack-protector check
// because __stack_chk_guard holds a fixed, known value in this build; a guard
// randomised per boot (e.g. seeded from a hardware RNG) would make such an
// overwrite detectable instead of silently accepted.
pxx[1] = 0x12345678; //reserve
pxx[2] = 0x12345678; //s1 alias x9
pxx[3] = 0x12345678; //s0 alias x8
at_uart_log_string( "hook_test gp4 = %#x\n", get_gp() );
__asm__ __volatile__("lw gp, 60(sp)"); // save the pre-hook return address (old ra slot at sp+60) into gp so hook_test can restore it
pxx[4] = 0x00f02434; //ra alias x1 ->hook_test
at_uart_log_string( "inject_test = %s\n", buff ); // relies on a NUL inside in_buff's first 32 bytes
__asm__ __volatile__("nop");
__asm__ __volatile__("nop");
return 0x00;
}
// 0x00f02434: the value inject_test writes into the saved-ra slot (pxx[4]); it is hook_test's address in this build and must be updated whenever hook_test moves.
/*
 * Target of the hijacked return from inject_test.
 *
 * Entered through the overwritten ra slot rather than a call. gp still holds
 * the original return address that inject_test saved with "lw gp, 60(sp)";
 * the inline store below writes it into this frame's ra slot (sp+0x0c) so
 * that the final return continues in make_asm_test.
 *
 * Returns 0x888, which make_asm_test then logs and returns (see the recorded
 * output at the end of this file).
 *
 * The 0x0c(sp) offset is build specific: any change to this function's
 * locals or to compiler flags can move the ra slot. EXT_SECTION_RAM_TEXT
 * presumably places the function in a RAM text section -- confirm against
 * its definition.
 */
EXT_SECTION_RAM_TEXT unsigned int hook_test( void )
{
int ret;
ret = 0x888;
at_uart_log_string( "hook_test gp = %#x\n", get_gp() );
__asm__ __volatile__("sw gp, 0x0c(sp)"); // restore the original (pre-hook) return flow: copy the saved return address from gp into this frame's ra slot
return ret;
}
输出日志 (logged output of make_asm_test):
//hook_test gp4 = 0x102ef18
//inject_test = 123
//hook_test gp = 0x102ef18
//current sp666 = 0x888
//return value = 0x888.
堆栈结构 (stack layout of inject_test's 64-byte frame, high addresses first):
old sp ->  ra                        sp+60  (pxx[4]; read by "lw gp, 60(sp)")
           s0                        sp+56  (pxx[3])
           s1                        sp+52  (pxx[2])
           reserve                   sp+48  (pxx[1])
           canary __stack_chk_guard  sp+44  (pxx[0], i.e. &buff[32])
           32 bytes buff[32]         sp+12 .. sp+43
           12 bytes reserve          sp+0  .. sp+11
new sp ->  old sp - 64