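/*
 * Read one KD packet from hPipe into *pktBuffer.
 *
 * The stream is first resynchronised by discarding bytes until one of the
 * recognised first bytes appears: 0x69 or 0x30 open a packet leader, 0x62 is
 * the fast-break marker.
 *
 * Returns:
 *   FASTBREAK_PKT  - a 0x62 fast-break byte was seen (nothing else is read).
 *   KD_PKT         - a packet with leader 0x69696969 or 0x30303030 was read;
 *                    its header and `length` payload bytes are in *pktBuffer.
 *   ERR_PKT        - the leader was not recognised (it and the following
 *                    16-bit type are printed), or the payload read failed /
 *                    hit end of stream. In the latter case *pktBuffer holds a
 *                    complete header but only a partial payload.
 *
 * The header fields are stored exactly as received; the checksum is not
 * recomputed or verified here.
 */
int ReadKDPipe(HANDLE hPipe, kd_packet_t *pktBuffer){
    UINT8 firstCMD = 0x00;

    /* Resynchronise on a leader byte or the fast-break marker. */
    do{
        firstCMD = Get8Pipe(hPipe);
    } while (firstCMD != 0x69 && firstCMD != 0x30 && firstCMD != 0x62);

    if (firstCMD == 0x62){
        //Fast-Break !!!
        return FASTBREAK_PKT;
    }

    /* Remaining three leader bytes: a 16-bit read followed by an 8-bit read. */
    UINT32 leader = (firstCMD << 24) | (Get16Pipe(hPipe) << 8) | Get8Pipe(hPipe);

    if (leader != 0x69696969 && leader != 0x30303030){
        UINT16 type = Get16Pipe(hPipe);
        printf("Unknown Leader %08x\n", leader);
        printf("type: %04x\n", type);
        return ERR_PKT;
    }

    UINT16 type = Get16Pipe(hPipe);
    UINT16 length = Get16Pipe(hPipe);
    UINT32 id = Get32Pipe(hPipe);
    UINT32 checksum = Get32Pipe(hPipe);

    pktBuffer->leader = leader;
    pktBuffer->type = type;
    pktBuffer->length = length;
    pktBuffer->id = id;
    pktBuffer->checksum = checksum;

    /*
     * NOTE(review): `length` comes straight off the pipe and is used as the
     * copy bound into pktBuffer->data. kd_packet_t is not visible here, so
     * confirm that data can hold 65535 bytes, or reject lengths above its
     * capacity before this loop.
     */
    UINT16 bytesToRead = length;
    UINT16 bytesAlreadyRead = 0;
    while (bytesToRead > 0){
        DWORD numBytesRead = 0;
        BOOL result = ReadFile(hPipe, pktBuffer->data + bytesAlreadyRead, bytesToRead, &numBytesRead, NULL);
        /*
         * A failed read or a zero-byte read (closed pipe) never advances the
         * counters; without this check the loop would spin forever.
         */
        if (!result || numBytesRead == 0){
            return ERR_PKT;
        }
        /* numBytesRead <= bytesToRead <= 65535, so the narrowing is exact. */
        bytesToRead = (UINT16)(bytesToRead - numBytesRead);
        bytesAlreadyRead = (UINT16)(bytesAlreadyRead + numBytesRead);
    }

    //END_OF_DATA
    if (length > 0){
        char endOfData;
        DWORD trailerRead = 0;
        /*
         * Consume the trailing byte. ReadFile requires a non-NULL byte count
         * when lpOverlapped is NULL; the result is deliberately best-effort,
         * since the packet itself is already complete and the resync loop
         * above tolerates stray bytes on the next call.
         */
        ReadFile(hPipe, &endOfData, 1, &trailerRead, NULL);
    }
    return KD_PKT;
}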
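/*
 * Ask the VM side to clear breakpoint `breakPointId`.
 *
 * Builds a CLEAR_BP request, writes it byte-for-byte to toVMPipe, flushes the
 * pipe and reads one status byte back.
 *
 * Returns true iff the status byte is 1.
 *
 * The request struct is zeroed first: PutPipe sends sizeof(tmpReq) raw bytes,
 * so any padding inside FDP_clearBP_req would otherwise carry uninitialised
 * stack contents to the peer and make the message non-deterministic.
 */
bool FDP_clearBP(uint8_t breakPointId, HANDLE toVMPipe){
    FDP_clearBP_req tmpReq;
    memset(&tmpReq, 0, sizeof(tmpReq));
    tmpReq.cmdType = CLEAR_BP;
    tmpReq.breakPointId = breakPointId;
    PutPipe(toVMPipe, (uint8_t*)&tmpReq, sizeof(tmpReq));
    FlushFileBuffers(toVMPipe);
    return (Get8Pipe(toVMPipe) == 1);
}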
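/*
 * Ask the VM side to set breakpoint `breakPointId` at guest address
 * `breakAddress`.
 *
 * Builds a SET_BP request, writes it byte-for-byte to toVMPipe, flushes the
 * pipe and reads one status byte back.
 *
 * Returns true iff the status byte is 1.
 *
 * The request struct is zeroed first: it mixes 8-bit and 64-bit fields and is
 * sent raw with PutPipe, so any alignment padding would otherwise leak
 * uninitialised stack bytes to the peer.
 */
bool FDP_setBP(uint8_t breakPointId, uint64_t breakAddress, HANDLE toVMPipe){
    FDP_setBP_req tmpReq;
    memset(&tmpReq, 0, sizeof(tmpReq));
    tmpReq.cmdType = SET_BP;
    tmpReq.breakPointId = breakPointId;
    tmpReq.breakAddress = breakAddress;
    PutPipe(toVMPipe, (uint8_t*)&tmpReq, sizeof(tmpReq));
    FlushFileBuffers(toVMPipe);
    return (Get8Pipe(toVMPipe) == 1);
}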
/*
 * Read one byte of guest physical memory at physicalAddress.
 *
 * In STOCK_VBOX_TYPE mode the byte is requested over context->toVMPipe with a
 * READ_PHYSICAL_8 command followed by the 64-bit address, and the reply byte
 * is returned. In any other mode the read goes through readPhysical() for a
 * one-byte buffer.
 *
 * No error is reported; the caller only ever sees a byte value.
 */
uint8_t readPhysical8(uint64_t physicalAddress, analysisContext_t *context){
    uint8_t value = 0;

    if (context->curMode != STOCK_VBOX_TYPE){
        readPhysical(&value, sizeof(value), physicalAddress, context);
        return value;
    }

    Put8Pipe(context->toVMPipe, READ_PHYSICAL_8);
    Put64Pipe(context->toVMPipe, physicalAddress);
    FlushFileBuffers(context->toVMPipe);
    return Get8Pipe(context->toVMPipe);
}
//TODO: move in FDP.cpp bool readPhysical(uint8_t *dstBuffer, uint64_t size, uint64_t physicalAdress, analysisContext_t *context){ if (context->curMode == STOCK_VBOX_TYPE){ Put8Pipe(context->toVMPipe, READ_PHYSICAL); Put64Pipe(context->toVMPipe, physicalAdress); Put64Pipe(context->toVMPipe, size); FlushFileBuffers(context->toVMPipe); for (int i = 0; i < size; i++){ dstBuffer[i] = Get8Pipe(context->toVMPipe); } }else{ memcpy(dstBuffer, context->physicalMemory + physicalAdress, size); } return true; }
/*
 * Send RESUME_VM over toVMPipe, flush, and return the single status byte the
 * VM side answers with. The meaning of the status value is defined by the
 * peer, not here.
 */
uint8_t FDP_resume(HANDLE toVMPipe){
    Put8Pipe(toVMPipe, RESUME_VM);
    FlushFileBuffers(toVMPipe);
    return Get8Pipe(toVMPipe);
}
/*
 * Send PAUSE_VM over toVMPipe, flush, and return the single status byte the
 * VM side answers with. The meaning of the status value is defined by the
 * peer, not here.
 */
uint8_t FDP_pause(HANDLE toVMPipe){
    Put8Pipe(toVMPipe, PAUSE_VM);
    FlushFileBuffers(toVMPipe);
    return Get8Pipe(toVMPipe);
}