Exemple #1
0
int main(int argc, char **argv)
{
        LPSTR executable = "C:\\Windows\\System32\\calc.exe";
        LPSTR injectDll = "inject.dll";

        STARTUPINFO SI = {0};
        PROCESS_INFORMATION PI = {0};
        HANDLE hProcess;
        DWORD pid;
        DWORD threadID;
        LPVOID injectAddr;
        DWORD lpNumOfWritten;
        HMODULE hKernel32;
        FARPROC hLoadLibrary;

        SI.dwFlags = 1;
        SI.wShowWindow = 0;
        SI.cb = sizeof(SI);

        if(CreateProcess(executable, NULL, NULL, NULL, NULL, CREATE_NEW_CONSOLE, NULL, NULL, &SI, &PI)) {
                printf("[OK] CreateProcess %s\n", executable);
        } else
                FAULT();

        pid = PI.dwProcessId;
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

        injectAddr = VirtualAllocEx(hProcess, NULL, strlen(injectDll), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);

        if(injectAddr == NULL)
                FAULT();

        printf("[OK] VirtualAllocEx to 0x%08X\n", (int *)injectAddr);

        if(WriteProcessMemory(hProcess, injectAddr, injectDll, strlen(injectDll), &lpNumOfWritten) == 0)
                FAULT();

        printf("[OK] WriteProcessMememory to 0x%08X :: \"%s\",%d\n", (int *)injectAddr, injectDll, strlen(injectDll));

        hKernel32 = GetModuleHandle("kernel32.dll");
        hLoadLibrary = (FARPROC)GetProcAddress(hKernel32, "LoadLibraryA");

        Sleep(2000);

        if(CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)hLoadLibrary, injectAddr, NULL, &threadID) == NULL)
                FAULT();

        printf("[OK] CreateRemoteThread at 0x%08X :: LoadLibrary(\"%s\")\n", (int *)injectAddr, injectDll);

        getchar();
        return 0;
}
Exemple #2
0
TInt DArmPlatProcess::GetNewChunk(DMemModelChunk*& aChunk, SChunkCreateInfo& aInfo)
	{
	aChunk=NULL;
	DArmPlatChunk* pC=new DArmPlatChunk;
	if (!pC)
		return KErrNoMemory;
	aChunk=pC;
	pC->iChunkType=aInfo.iType;
	switch(pC->iChunkType)
		{
		case EKernelData:
		case EKernelStack:
		case EKernelCode:
		case EKernelMessage:
			pC->iAttributes |= DMemModelChunk::EFixedAccess;
			break;
		case ERamDrive:
			pC->iDomain=3;
			pC->iAttributes |= DMemModelChunk::EFixedAccess;
			break;
		case EUserCode:
		case EUserSelfModCode:
			pC->iAttributes |= DMemModelChunk::EFixedAddress;
			if (iDomain>=0)
				{
				__KTRACE_OPT(KMMU,Kern::Printf("DArmPlatChunk create code chunk, owning process domain %d",iDomain));
				pC->iDomain=iDomain;
				pC->iAttributes |= DMemModelChunk::EFixedAccess;
				}
			break;
		case EDll:
			break;
		case EUserData:
		case EDllData:
			if (aInfo.iGlobal && (iAttributes & DMemModelProcess::EFixedAddress || aInfo.iForceFixed))
				{
				TInt domain=ArmMmu::AllocDomain();
				if (domain>=0)
					{
					__KTRACE_OPT(KMMU,Kern::Printf("DArmPlatChunk create global chunk, Domain %d allocated",domain));
					pC->iDomain=domain;
					pC->iAttributes |= DMemModelChunk::EFixedAccess;
					}
				}
			else if (!aInfo.iGlobal && iDomain>=0)
				{
				__KTRACE_OPT(KMMU,Kern::Printf("DArmPlatChunk create local chunk, owning process domain %d",iDomain));
				pC->iDomain=iDomain;
				pC->iAttributes |= DMemModelChunk::EFixedAccess;
				}
			break;
		case ESharedKernelSingle:
		case ESharedKernelMultiple:
		case ESharedIo:
			break;
		default:
			FAULT();
		}
	return KErrNone;
	}
Exemple #3
0
void NThread_Default_State_Handler(NThread* __DEBUG_ONLY(aThread), TInt __DEBUG_ONLY(aOperation), TInt __DEBUG_ONLY(aParameter))
	{
//	__KTRACE_OPT(KPANIC,DEBUGPRINT("Unknown NState %d: thread %T op %08x par %08x",aThread,aThread->iNState,aOperation,aParameter));
#ifdef _DEBUG
	DEBUGPRINT("UnknownState: thread %T op %08x par %08x",aThread,aOperation,aParameter);
#endif
	FAULT();
	}
Exemple #4
0
static void I486OP(group0F01_32)(i386_state *cpustate)		// Opcode 0x0f 01
{
	UINT8 modrm = FETCH(cpustate);
	UINT32 address, ea;

	switch( (modrm >> 3) & 0x7 )
	{
		case 0:			/* SGDT */
			{
				if( modrm >= 0xc0 ) {
					address = LOAD_RM32(modrm);
					ea = i386_translate( cpustate, CS, address, 1 );
				} else {
					ea = GetEA(cpustate,modrm,1);
				}
				WRITE16(cpustate,ea, cpustate->gdtr.limit);
				WRITE32(cpustate,ea + 2, cpustate->gdtr.base);
				CYCLES(cpustate,CYCLES_SGDT);
				break;
			}
		case 1:			/* SIDT */
			{
				if (modrm >= 0xc0)
				{
					address = LOAD_RM32(modrm);
					ea = i386_translate( cpustate, CS, address, 1 );
				}
				else
				{
					ea = GetEA(cpustate,modrm,1);
				}
				WRITE16(cpustate,ea, cpustate->idtr.limit);
				WRITE32(cpustate,ea + 2, cpustate->idtr.base);
				CYCLES(cpustate,CYCLES_SIDT);
				break;
			}
		case 2:			/* LGDT */
			{
				if(PROTECTED_MODE && cpustate->CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					address = LOAD_RM32(modrm);
					ea = i386_translate( cpustate, CS, address, 0 );
				} else {
					ea = GetEA(cpustate,modrm,0);
				}
				cpustate->gdtr.limit = READ16(cpustate,ea);
				cpustate->gdtr.base = READ32(cpustate,ea + 2);
				CYCLES(cpustate,CYCLES_LGDT);
				break;
			}
		case 3:			/* LIDT */
			{
				if(PROTECTED_MODE && cpustate->CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					address = LOAD_RM32(modrm);
					ea = i386_translate( cpustate, CS, address, 0 );
				} else {
					ea = GetEA(cpustate,modrm,0);
				}
				cpustate->idtr.limit = READ16(cpustate,ea);
				cpustate->idtr.base = READ32(cpustate,ea + 2);
				CYCLES(cpustate,CYCLES_LIDT);
				break;
			}
		case 4:			/* SMSW */
			{
				if( modrm >= 0xc0 ) {
					STORE_RM32(modrm, cpustate->cr[0] & 0xffff);
					CYCLES(cpustate,CYCLES_SMSW_REG);
				} else {
					/* always 16-bit memory operand */
					ea = GetEA(cpustate,modrm,1);
					WRITE16(cpustate,ea, cpustate->cr[0]);
					CYCLES(cpustate,CYCLES_SMSW_MEM);
				}
				break;
			}
		case 7:			/* INVLPG */
			{
				// Nothing to do ?
				break;
			}
		default:
			fatalerror("i486: unimplemented opcode 0x0f 01 /%d at %08X", (modrm >> 3) & 0x7, cpustate->eip - 2);
			break;
	}
}
Exemple #5
0
OS_Return OS_CreateProcess(
	OS_Process_t *process,
	const INT8 *process_name,
	UINT16 attributes,
	void (*process_entry_function)(void *pdata),
	void *pdata)
{
	OS_Process *pcb;
	
	if(!process)
	{
	    FAULT("Invalid process");
		return INVALID_ARG;
	}

	if(!process_entry_function || !process_name)
	{
	    FAULT("OS_CreateProcess: invalid arguments");
		return INVALID_ARG;
	}
	
	// Now get a free PCB resource from the pool
	*process = (OS_Process_t) GetFreeResIndex(g_process_usage_mask, MAX_PROCESS_COUNT);
	if(*process < 0) 
	{
		FAULT("OS_CreateProcess failed for '%s': Exhausted all resources\n", g_current_process->name);
		return RESOURCE_EXHAUSTED;	
	}
	
	KlogStr(KLOG_GENERAL_INFO, "Creating process - ", process_name);

	// Get a pointer to actual PCB
	pcb = &g_process_pool[*process];
	
	// Clear the process structure
	memset(pcb, 0, sizeof(OS_Process));
	
	// Copy process name
	strncpy(pcb->name, process_name, OS_PROCESS_NAME_SIZE - 1);
	pcb->name[OS_PROCESS_NAME_SIZE - 1] = '\0';
		
	pcb->id = *process;	// Assign a unique process id
	pcb->attributes = attributes;
	pcb->process_entry_function = process_entry_function;
	pcb->pdata = pdata;
	pcb->next = NULL;

#if ENABLE_MMU
	pcb->ptable = _MMU_allocate_l1_page_table();
	if(!pcb->ptable)
	{
		FAULT("OS_CreateProcess failed for '%s': No space in page table area\n", g_current_process->name);
		return RESOURCE_EXHAUSTED;	
	}

	// Now create a memory map for the task for the kernel space. Every process is going to have map for 
	// the whole kernel process. This makes it more efficient during system calls and interrupts
	// by eliminating the need to change the page table.
	// Note that this does not compromise the security as the user mode cannot read/write
	// anything in the kernel memory map
	_OS_create_kernel_memory_map(pcb->ptable);
#endif	

	// Block the process resource
	SetResourceStatus(g_process_usage_mask, *process, FALSE);
	
	// Add to the process list
	if(g_process_list_tail)
	{
		g_process_list_tail->next = pcb;
		g_process_list_tail = pcb;
	}
	else
	{
		g_process_list_head = g_process_list_tail = pcb;
	}
	
	return SUCCESS; 
}
Exemple #6
0
OS_Return OS_CreateProcessFromFile(
		OS_Process_t *process,
		const INT8 * process_name,
		UINT16 attributes,
		const INT8 * exec_path,
		void *pdata
	)
{		
	// Validate inputs
	if(!exec_path)
	{
		FAULT("OS_CreateProcessFromFile: invalid file path");
		return INVALID_ARG;
	}
	
	// First read the elf file
	INT32 fd = ramdisk_open(exec_path, O_RDONLY);
	if(fd < 0)
	{
		FAULT("OS_CreateProcessFromFile: could not open '%s'", exec_path);
		return FILE_ERROR;
	}
	
	void * program = ramdisk_GetDataPtr(fd, NULL);
	if(!program)
	{
		FAULT("OS_CreateProcessFromFile: could not read '%s'", exec_path);
		return FILE_ERROR;		
	}

	// First read the section attributes from the ELF file so that we can create memory maps
	// before we load the sections into memory
	Elf_SectionAttribute sections[MAX_LOADABLE_SECTIONS];
	UINT32 scount = MAX_LOADABLE_SECTIONS;
	void * start_address = NULL;

	// Read the section attributes
	if(elf_get_sections(program, &start_address, sections, &scount) == SUCCESS)
	{
		if(scount > MAX_LOADABLE_SECTIONS) 
		{	
			// Not all sections were loaded. Generate an error
			return EXCEEDED_MAX_SECTIONS;
		}
	}
	
	// All sections can be loaded. 
	OS_Return status = OS_CreateProcess(process, process_name, attributes, start_address, pdata);
	if(status == SUCCESS)
	{
		// Get a pointer to actual PCB
		OS_Process *pcb = &g_process_pool[*process];
	
#if ENABLE_MMU
		// Create Memory Map for all sections in this program.
		// The kernel space has already been mapped to this process
		UINT32 i;
		for(i = 0; i < scount; i++)
		{
			_MMU_PTE_AccessPermission ap;
			switch(sections[i].flags)
			{
				case (PF_R):
					ap = KERNEL_RW_USER_RO;
					break;
				
				case (PF_X):
				case (PF_R | PF_X):
					ap = KERNEL_RW_USER_EX;
					break;
											
				case (PF_R | PF_W):
					ap = KERNEL_RW_USER_RW;
					break;
								
				default:
					ap = KERNEL_NA_USER_NA;
					break;				
			}

#if USER_PAGE_SIZE==4

			// Create a map in the user process
			_MMU_add_l2_small_page_va_to_pa_map(pcb->ptable,
									sections[i].vaddr, sections[i].vaddr,
									sections[i].size, ap, 
									TRUE, TRUE);
									
			// Also map this place in the kernel process
			_MMU_add_l2_small_page_va_to_pa_map(g_kernel_process->ptable,
									sections[i].vaddr, sections[i].vaddr,
									sections[i].size, KERNEL_RW_USER_NA,
									TRUE, TRUE);
#elif USER_PAGE_SIZE==64

			// Create a map in the user process
			_MMU_add_l2_large_page_va_to_pa_map(pcb->ptable,
									sections[i].vaddr, sections[i].vaddr,
									sections[i].size, ap, 
									TRUE, TRUE);

			// Also map this place in the kernel process
			_MMU_add_l2_large_page_va_to_pa_map(g_kernel_process->ptable,
									sections[i].vaddr, sections[i].vaddr,
									sections[i].size, KERNEL_RW_USER_NA, 
									TRUE, TRUE);
#else
	#error "Supported values for USER_PAGE_SIZE is either 4 or 64"
#endif
		}
#endif // ENABLE_MMU

		// Now we are ready to actually load the program into memory
		status = elf_load(program);
	}
	
	return status;	
}
Exemple #7
0
void i386_device::i486_group0F01_16()      // Opcode 0x0f 01
{
	UINT8 modrm = FETCH();
	UINT16 address;
	UINT32 ea;

	switch( (modrm >> 3) & 0x7 )
	{
		case 0:         /* SGDT */
			{
				if( modrm >= 0xc0 ) {
					address = LOAD_RM16(modrm);
					ea = i386_translate( CS, address, 1 );
				} else {
					ea = GetEA(modrm,1);
				}
				WRITE16(ea, m_gdtr.limit);
				WRITE32(ea + 2, m_gdtr.base & 0xffffff);
				CYCLES(CYCLES_SGDT);
				break;
			}
		case 1:         /* SIDT */
			{
				if (modrm >= 0xc0)
				{
					address = LOAD_RM16(modrm);
					ea = i386_translate( CS, address, 1 );
				}
				else
				{
					ea = GetEA(modrm,1);
				}
				WRITE16(ea, m_idtr.limit);
				WRITE32(ea + 2, m_idtr.base & 0xffffff);
				CYCLES(CYCLES_SIDT);
				break;
			}
		case 2:         /* LGDT */
			{
				if(PROTECTED_MODE && m_CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					address = LOAD_RM16(modrm);
					ea = i386_translate( CS, address, 0 );
				} else {
					ea = GetEA(modrm,0);
				}
				m_gdtr.limit = READ16(ea);
				m_gdtr.base = READ32(ea + 2) & 0xffffff;
				CYCLES(CYCLES_LGDT);
				break;
			}
		case 3:         /* LIDT */
			{
				if(PROTECTED_MODE && m_CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					address = LOAD_RM16(modrm);
					ea = i386_translate( CS, address, 0 );
				} else {
					ea = GetEA(modrm,0);
				}
				m_idtr.limit = READ16(ea);
				m_idtr.base = READ32(ea + 2) & 0xffffff;
				CYCLES(CYCLES_LIDT);
				break;
			}
		case 4:         /* SMSW */
			{
				if( modrm >= 0xc0 ) {
					STORE_RM16(modrm, m_cr[0]);
					CYCLES(CYCLES_SMSW_REG);
				} else {
					ea = GetEA(modrm,1);
					WRITE16(ea, m_cr[0]);
					CYCLES(CYCLES_SMSW_MEM);
				}
				break;
			}
		case 6:         /* LMSW */
			{
				UINT16 b;
				if(PROTECTED_MODE && m_CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					b = LOAD_RM16(modrm);
					CYCLES(CYCLES_LMSW_REG);
				} else {
					ea = GetEA(modrm,0);
					CYCLES(CYCLES_LMSW_MEM);
					b = READ16(ea);
				}
				if(PROTECTED_MODE)
					b |= 0x0001;  // cannot return to real mode using this instruction.
				m_cr[0] &= ~0x0000000f;
				m_cr[0] |= b & 0x0000000f;
				break;
			}
		case 7:         /* INVLPG */
			{
				if(PROTECTED_MODE && m_CPL)
					FAULT(FAULT_GP,0)
				if(modrm >= 0xc0)
				{
					logerror("i486: invlpg with modrm %02X\n", modrm);
					FAULT(FAULT_UD,0)
				}
				ea = GetEA(modrm,-1);
				CYCLES(25); // TODO: add to cycles.h
				vtlb_flush_address(m_vtlb, ea);
				break;
			}
		default:
			report_invalid_modrm("group0F01_16", modrm);
			break;
	}
Exemple #8
0
extern "C" void PanicFastSemaphoreWait()
	{
	FAULT();
	}
Exemple #9
0
static void I486OP(group0F01_16)(i386_state *cpustate)		// Opcode 0x0f 01
{
	UINT8 modrm = FETCH(cpustate);
	UINT16 address;
	UINT32 ea;

	switch( (modrm >> 3) & 0x7 )
	{
		case 0:			/* SGDT */
			{
				if( modrm >= 0xc0 ) {
					address = LOAD_RM16(modrm);
					ea = i386_translate( cpustate, CS, address, 1 );
				} else {
					ea = GetEA(cpustate,modrm,1);
				}
				WRITE16(cpustate,ea, cpustate->gdtr.limit);
				WRITE32(cpustate,ea + 2, cpustate->gdtr.base & 0xffffff);
				CYCLES(cpustate,CYCLES_SGDT);
				break;
			}
		case 1:			/* SIDT */
			{
				if (modrm >= 0xc0)
				{
					address = LOAD_RM16(modrm);
					ea = i386_translate( cpustate, CS, address, 1 );
				}
				else
				{
					ea = GetEA(cpustate,modrm,1);
				}
				WRITE16(cpustate,ea, cpustate->idtr.limit);
				WRITE32(cpustate,ea + 2, cpustate->idtr.base & 0xffffff);
				CYCLES(cpustate,CYCLES_SIDT);
				break;
			}
		case 2:			/* LGDT */
			{
				if(PROTECTED_MODE && cpustate->CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					address = LOAD_RM16(modrm);
					ea = i386_translate( cpustate, CS, address, 0 );
				} else {
					ea = GetEA(cpustate,modrm,0);
				}
				cpustate->gdtr.limit = READ16(cpustate,ea);
				cpustate->gdtr.base = READ32(cpustate,ea + 2) & 0xffffff;
				CYCLES(cpustate,CYCLES_LGDT);
				break;
			}
		case 3:			/* LIDT */
			{
				if(PROTECTED_MODE && cpustate->CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					address = LOAD_RM16(modrm);
					ea = i386_translate( cpustate, CS, address, 0 );
				} else {
					ea = GetEA(cpustate,modrm,0);
				}
				cpustate->idtr.limit = READ16(cpustate,ea);
				cpustate->idtr.base = READ32(cpustate,ea + 2) & 0xffffff;
				CYCLES(cpustate,CYCLES_LIDT);
				break;
			}
		case 4:			/* SMSW */
			{
				if( modrm >= 0xc0 ) {
					STORE_RM16(modrm, cpustate->cr[0]);
					CYCLES(cpustate,CYCLES_SMSW_REG);
				} else {
					ea = GetEA(cpustate,modrm,1);
					WRITE16(cpustate,ea, cpustate->cr[0]);
					CYCLES(cpustate,CYCLES_SMSW_MEM);
				}
				break;
			}
		case 6:			/* LMSW */
			{
				UINT16 b;
				if(PROTECTED_MODE && cpustate->CPL)
					FAULT(FAULT_GP,0)
				if( modrm >= 0xc0 ) {
					b = LOAD_RM16(modrm);
					CYCLES(cpustate,CYCLES_LMSW_REG);
				} else {
					ea = GetEA(cpustate,modrm,0);
					CYCLES(cpustate,CYCLES_LMSW_MEM);
					b = READ16(cpustate,ea);
				}
				if(PROTECTED_MODE)
					b |= 0x0001;  // cannot return to real mode using this instruction.
				cpustate->cr[0] &= ~0x0000000f;
				cpustate->cr[0] |= b & 0x0000000f;
				break;
			}
		case 7:			/* INVLPG */
			{
				// Nothing to do ?
				break;
			}
		default:
			fatalerror("i486: unimplemented opcode 0x0f 01 /%d at %08X", (modrm >> 3) & 0x7, cpustate->eip - 2);
			break;
	}
}
Exemple #10
0
/******************************************************************************
 * Thread
 ******************************************************************************/
void InvalidExec()
	{
	FAULT();
	}