/*
 * Reads five values from hard-coded addresses in the 0xBA08xxxx range and
 * shows them in a message box titled "HardwareRevision for SE X1".
 *
 * The reads are done with kernel mode enabled and the full permission mask
 * set; both are put back to their previous values as soon as the last read
 * has completed, so the elevated window covers only the five loads.
 *
 * NOTE(review): the addresses are fixed constants, presumably valid only on
 * the device named in the caption. Nothing guards the loads, so on other
 * hardware they may fault or return unrelated data - confirm before reuse.
 *
 * Always returns 0.
 */
int _tmain(int argc, _TCHAR* argv[])
{
	// Elevate; each call hands back the previous setting, kept for the restore below.
	const BOOL prevKernelMode = SetKMode(TRUE);
	const DWORD prevPermissions = SetProcPermissions(0xFFFFFFFF);

	// Same read order as the report lines: P1, P2, board, engineer, project.
	const DWORD microP1 = *(DWORD*)(0xBA081C2C);
	const DWORD microP2 = *(DWORD*)(0xBA081C30);
	const BYTE boardRev = *(BYTE*)(0xBA081030);
	const DWORD engineer = *(DWORD*)(0xBA081C88);
	const DWORD project = *(DWORD*)(0xBA081C8C);

	// Drop the elevation before formatting or showing any UI.
	SetKMode(prevKernelMode);
	SetProcPermissions(prevPermissions);

	wchar_t report[500];
	swprintf(report,
			 L"microP1Version = %X\nmicroP2Version = %X\nboard = %X\nengineerID = %X\nprojectID = %X\n",
			 microP1, microP2, boardRev, engineer, project);

	MessageBox(NULL, report, L"HardwareRevision for SE X1", 0);
	return 0;
}
Exemplo n.º 2
// Loads \Windows\FingerSuiteDll.dll into the process that serves the SH_WMGR
// API set and then calls the DLL's StartHookOnServer export inside that
// process. Both steps go through PerformCallBack4 while the calling thread
// has kernel mode and a full permission mask enabled.
//
// Only the first call does any work; later calls return TRUE immediately.
// bResult is set to FALSE when a structured exception is caught.
//
// The listing ends before the function's closing brace and return statement.
//
// NOTE(review): the net effect is that a DLL at a fixed path under \Windows
// runs inside another process, so the integrity of that file is part of the
// trust boundary of the target process.
BOOL InstallHook()
{
    // Call counter; the visible code never decrements it, so a first attempt
    // that failed still makes every later call take the early return below.
    static long s_lCount = 0;
    if (InterlockedIncrement(&s_lCount) > 1)
    {
		// no need to install again
		return TRUE;
	}

	BOOL bResult = TRUE;

	// m_hDestProcess is defined outside this listing; the body runs only while it is NULL.
	if (m_hDestProcess == NULL)
	{
		int iAPISetId = SH_WMGR; 
		DWORD dwOldPermissions = 0;
		// Elevate. The previous kernel-mode flag returned by SetKMode is discarded
		// here; the previous permission mask is kept for the restore at the end.
		SetKMode(TRUE);
		dwOldPermissions = SetProcPermissions(-1);    
		__try
		{
			// Read the API-set table from UserKInfo and take the process handle of
			// the server registered for SH_WMGR. Neither the table entry nor
			// m_pProcessServer is checked for NULL; a fault here is left to __except.
			CINFO ** pSystemAPISets = (CINFO**)(UserKInfo[KINX_APISETS]);
			m_hDestProcess = pSystemAPISets[iAPISetId]->m_pProcessServer->hProc;

			// Callback 1: run COREDLL's LoadLibraryW in the destination process,
			// passing the DLL path string mapped from the current process.
			CALLBACKINFO cbi;
			ZeroMemory(&cbi, sizeof(CALLBACKINFO));
			cbi.m_hDestinationProcessHandle = m_hDestProcess;
			cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"LoadLibraryW"), m_hDestProcess);
			cbi.m_pFirstArgument = (LPVOID)MapPtrToProcess(L"\\Windows\\FingerSuiteDll.dll", GetCurrentProcess());
			m_hDllInst = (HINSTANCE)PerformCallBack4(&cbi, 0,0,0); //returns the HINSTANCE from LoadLibraryW

			// Fixed one-second wait; the code uses no event or handle to confirm
			// that the load has finished.
			Sleep(1000);

			// Callback 2: run the DLL's StartHookOnServer export in the destination
			// process with a NULL argument.
			// NOTE(review): m_hDllInst is not checked before GetProcAddress, so a
			// failed load is not reported through bResult unless it raises an exception.
			ZeroMemory(&cbi, sizeof(CALLBACKINFO));
			cbi.m_hDestinationProcessHandle = m_hDestProcess;
			cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(m_hDllInst, L"StartHookOnServer"), m_hDestProcess);
			cbi.m_pFirstArgument = NULL; 
			// dw is never read in the visible code, so the callee's status is ignored.
			DWORD dw = PerformCallBack4(&cbi, 0,0,0); //returns 1 if correctly executed		

			Sleep(1000);
		}
		__except(FilterException(GetExceptionInformation()))
		{
			// FilterException is defined outside this listing and decides which
			// exceptions end up here.
			bResult = FALSE;
		}
		// The permission mask is restored only when the saved value is non-zero.
		if(dwOldPermissions)
		{
			SetProcPermissions(dwOldPermissions);
		}
		// NOTE(review): kernel mode is forced off instead of being restored to the
		// value SetKMode(TRUE) returned, so a caller that was already in kernel
		// mode leaves this function in a different mode than it entered.
		SetKMode(FALSE);
	}
Exemplo n.º 3
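/*
 * Demonstration program: dumps the system API-set table through DEBUGMSG,
 * then loads TestApiSetHookDll.dll into the server process of the API set
 * decoded from FIRST_METHOD and runs the DLL's PerformHook export there.
 *
 * The work is done with kernel mode and a full permission mask enabled
 * (presumably required to read KData.aInfo and to call into another
 * process). The previous mode and mask are restored on every exit path,
 * before the confirmation dialog is shown, so the elevated window is no
 * longer than the code that needs it.
 *
 * Always returns 0; progress and failures are reported through DEBUGMSG only.
 */
int _tmain(int argc, _TCHAR* argv[])
{
	// Both calls return the previous setting; saved so it can be put back below.
	BOOL bMode = SetKMode(TRUE);
	DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

	HMODULE Hm=0;
	BOOL bHooked=FALSE;

	// One-pass block: "break" is the common failure exit, so the restore and
	// cleanup code after the block runs no matter where the sequence stops.
	do
	{
		CINFO **SystemAPISets= (CINFO **)KData.aInfo[KINX_APISETS];
		for(int i=0; i<NUM_SYSTEM_SETS; i++)
		{
			DEBUGMSG(1, (L"SystemAPISets[%d]:\n",i));
			DEBUGMSG(1, (L"API set: %s\n", getApiName(i)));
			if(SystemAPISets[i]==0)
			{
				DEBUGMSG(1, (L"  NULL\n"));
				continue;
			}
			DEBUGMSG(1, (L"  acName:      %S\n",SystemAPISets[i]->acName));	//use %S (capital S) as acName is char*
			DEBUGMSG(1, (L"  cMethods:    %d\n",SystemAPISets[i]->cMethods));
			DEBUGMSG(1, (L"  handle type: %i\n",SystemAPISets[i]->type));
			DEBUGMSG(1, (L"  disp type:   %s\n",getDispType(SystemAPISets[i]->disp)));

			DEBUGMSG(1, (L"\n"));
		}

		// Decode the API-set index and the method index from FIRST_METHOD.
		DWORD Tmp= (FIRST_METHOD-FAULT_ADDR)/APICALL_SCALE;
		DWORD ApiSet=(Tmp>>HANDLE_SHIFT)&HANDLE_MASK;
		DWORD Method=Tmp&METHOD_MASK;

		// validate
		// Valid indices are 0..NUM_SYSTEM_SETS-1 (the dump loop above uses the
		// same bound), so an index equal to NUM_SYSTEM_SETS must be rejected
		// too; otherwise the next check reads one entry past the table.
		if(ApiSet>=NUM_SYSTEM_SETS)
		{
			DEBUGMSG(1, (L"Invalid ApiSet\n"));
			break;
		}
		if(SystemAPISets[ApiSet]==0)
		{
			DEBUGMSG(1, (L"Invalid ApiSet\n"));
			break;
		}
		if(SystemAPISets[ApiSet]->cMethods<=Method)
		{
			DEBUGMSG(1, (L"Invalid method number\n"));
			break;
		}

		// Only filesystem and similar hooks that are processed inside filesys.exe are supported
		if(SystemAPISets[ApiSet]->pServer==0)
		{
			DEBUGMSG(1, (L"Calls with pServer==0 are not supported\n"));
			break;
		}

		// get server process and inject DLL there
		HANDLE Proc=SystemAPISets[ApiSet]->pServer->hProc;

		void *Ptr=MapPtrToProcess(L"TestApiSetHookDll.dll",GetCurrentProcess());
		CALLBACKINFO ci;
		ci.hProc=Proc;
		void *t=GetProcAddress(GetModuleHandle(L"coredll.dll"),L"LoadLibraryW");
		ci.pfn=(FARPROC)MapPtrToProcess(t,Proc);
		ci.pvArg0=Ptr;
		PerformCallBack4(&ci);
		Sleep(1000);	// allow PerformCallBack4 to finish before exit. Better enum loaded DLLs or use events

		// bug in VS2005b1 causes DllMain not to be called in DLLs
		Hm=LoadLibrary(L"TestApiSetHookDll.dll");
		// Look the export up only when the load succeeded, instead of passing a
		// null module handle to GetProcAddress.
		void *Fn=0;
		if(Hm!=0)
		{
			Fn=GetProcAddress(Hm,L"PerformHook");
		}
		if(Hm==0 || Fn==0)
		{
			DEBUGMSG(1, (L"Unable to load library\n"));
			break;
		}
		ci.hProc=Proc;
		ci.pfn=(FARPROC)MapPtrToProcess(Fn,Proc);
		ci.pvArg0=Proc;			// pass the hooked process ID as parameter to be sure that we are called from the context of hooked process
		PerformCallBack4(&ci);	// so we call function ourselves, fortunately DLLs are loaded at the same address in all processes
		Sleep(3000);

		bHooked=TRUE;
	} while(0);

	// Drop the elevation in reverse order of acquisition; nothing below needs it.
	SetProcPermissions(dwPerm);
	SetKMode(bMode);

	if(bHooked)
	{
		DEBUGMSG(1, (L"exit\n"));
		MessageBox(GetForegroundWindow(),L"CreateFileW hooked!",L"Done",0);
	}
	// Release the local module reference on the failure path as well.
	if(Hm!=0)
	{
		FreeLibrary(Hm);
	}
	return 0;
}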
Exemplo n.º 4
 // Ends the elevated section: hands the values held in dwPerm and bMode back
 // to SetProcPermissions and SetKMode, permissions first and mode second.
 // The elevation therefore lasts as long as the object does, so its scope
 // should be kept as narrow as the privileged code requires.
 // NOTE(review): the class definition is not visible here; if the type is
 // copyable, each copy would run this restore again - confirm.
 ~get_permissions_t(void)
 {
   (void)SetProcPermissions(dwPerm);   // return value intentionally unused
   (void)SetKMode(bMode);              // return value intentionally unused
 }
Exemplo n.º 5
 // Starts the elevated section: switches to kernel mode, then sets access
 // rights to the whole system. What each call returns is stored in bMode and
 // dwPerm; presumably these are the previous settings, kept so they can be
 // restored later (the restore code is not part of this block).
 get_permissions_t(void)
 {
   const BOOL previousMode = SetKMode(TRUE);
   const DWORD previousPerm = SetProcPermissions(0xFFFFFFFF);

   bMode = previousMode;
   dwPerm = previousPerm;
 }
Exemplo n.º 6
DWORD ThreadForTx(PSPI_PUBLIC_CONTEXT pSpiPublic)
{
	volatile S3C2450_HSSPI_REG 	*pSPIregs   	= pSpiPublic->pHSSPIregs;	// for HS-SPI
	volatile S3C2450_INTR_REG 	*pINTRregs 	= pSpiPublic->pINTRregs;
	volatile S3C2450_DMA_REG 	*pDMAregs   	= pSpiPublic->pDMAregs;
	PSPI_PRIVATE_CONTEXT 	pSpiPrivate;
	DWORD 	dwTxCount;
	PBYTE 	pTxBuffer;
	DWORD 	dwOldPerm;

	PBYTE 	pTestBuffer;
	DWORD 	dwTestCount;

	
	do
	{
		WaitForSingleObject(pSpiPublic->hTxEvent, INFINITE);
		
		
		pSpiPrivate 	= (PSPI_PRIVATE_CONTEXT) pSpiPublic->pSpiPrivate;
		dwTestCount 	= dwTxCount = pSpiPrivate->dwTxCount;
		dwOldPerm 	= SetProcPermissions((DWORD)-1);
		pTestBuffer 	= pTxBuffer = (PBYTE) MapPtrToProcess(pSpiPrivate->pTxBuffer, (HANDLE) GetCurrentProcessId());

		RETAILMSG(1,(TEXT("pTxBuffer : 0x%X, dwTxCount : %d \r\n"), pTxBuffer, dwTxCount));

		//Reset
		pSPIregs->CH_CFG |= SW_RST;
		RETAILMSG(1,(TEXT("\n HS SPI reset\n")));
		pSPIregs->CH_CFG &= ~SW_RST;	



		if(pSpiPrivate->bUseTxIntr)
		// INT  + TX
		{
			RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : USE INT \r\n")));
			pSpiPrivate->State = STATE_TXINTR;
/*
			if(pSpiPrivate->dwMode == SPI_MASTER_MODE) {
				pSPIregs->CH_CFG 	= 0x0;
				pSPIregs->CLK_CFG  	= pSpiPrivate->TxSPIregs.CLK_CFG;	
				pSPIregs->MODE_CFG	= (TX_TRIG_LEVEL<<5);
			} else {
				pSPIregs->CH_CFG 	= (0x1<<4);
				pSPIregs->CLK_CFG  	= pSpiPrivate->TxSPIregs.CLK_CFG;
				pSPIregs->MODE_CFG	= (TX_TRIG_LEVEL<<5);
			}	


			pSPIregs->SP_INT_EN			=	(1<<0);
			pSPIregs->PENDING_CLR_REG	=	(0x1f);
			pSPIregs->CH_CFG			= 	(1<<0);

			if(pSpiPrivate->dwMode == SPI_MASTER_MODE) {
				RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : MASTER MODE \r\n")));
				pSPIregs->SLAVE_SELECTION_REG = 0;
			} 
			else{ 
				RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : SLAVE MODE \r\n")));
			}

			WaitForSingleObject(pSpiPublic->hTxIntrDoneEvent, INFINITE);

			while(((pSPIregs ->SPI_STATUS>>6) & 0x7f));
			while(!((pSPIregs ->SPI_STATUS>>21) & 0x1));
*/
		}
		else if(pSpiPrivate->bUseTxDMA)
		// DMA + TX
		{
			DWORD dwDmaLen			= dwTxCount & 0xFFFFF ;

			RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : USE DMA (TxCount : %d) \r\n"),dwDmaLen));
			
			pSpiPrivate->State = STATE_TXDMA;
			VirtualCopy((PVOID)pSpiPrivate->pTxBuffer, (PVOID)((ULONG) pSpiPrivate->pTxDMABuffer>>8), sizeof(dwTxCount), PAGE_READWRITE | PAGE_NOCACHE | PAGE_PHYSICAL);

			if(pSpiPrivate->dwMode == SPI_MASTER_MODE) 
			{
				pSPIregs->CH_CFG 	= pSpiPrivate->TxSPIregs.CH_CFG;
				pSPIregs->CLK_CFG  	= pSpiPrivate->TxSPIregs.CLK_CFG;
				pSPIregs->MODE_CFG  = pSpiPrivate->TxSPIregs.MODE_CFG;
			}else {
				pSPIregs->CH_CFG 	= pSpiPrivate->TxSPIregs.CH_CFG;
				pSPIregs->CLK_CFG  	= pSpiPrivate->TxSPIregs.CLK_CFG;
				pSPIregs->MODE_CFG  = pSpiPrivate->TxSPIregs.MODE_CFG;
			}	

		
			if(dwDmaLen > 0)
			{

				pSPIregs->MODE_CFG		|=	TX_DMA_ON|DMA_SINGLE;
				pSPIregs->CH_CFG 		|=	TX_CH_ON;
				
				pDMAregs->DISRC4      	= (UINT)pSpiPrivate->pTxDMABuffer;
				pDMAregs->DISRCC4     	= ~(DESTINATION_PERIPHERAL_BUS | FIXED_DESTINATION_ADDRESS); 
				pDMAregs->DIDST4      	= (UINT)SPI_TX_DATA_PHY_ADDR;
				pDMAregs->DIDSTC4     	= (SOURCE_PERIPHERAL_BUS | FIXED_SOURCE_ADDRESS); 
//				pDMAregs->DCON4  		= HANDSHAKE_MODE |GENERATE_INTERRUPT |PADDRFIX |NO_DMA_AUTO_RELOAD | dwDmaLen;
				pDMAregs->DCON4  		= HANDSHAKE_MODE |GENERATE_INTERRUPT |NO_DMA_AUTO_RELOAD | dwDmaLen;
				pDMAregs->DMAREQSEL4 	= ( DMAREQSEL_SPI_0TX | DMA_TRIGGERED_BY_HARDWARE );


				if(pSpiPrivate->dwMode == SPI_MASTER_MODE) 
				{
					RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : MASTER MODE \r\n")));
					MASTER_CS_ENABLE;
				} 
				else
				{ 
					RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : SLAVE MODE \r\n")));
				}

				pDMAregs->DMASKTRIG4 	= ENABLE_DMA_CHANNEL; 	
				
				WaitForSingleObject(pSpiPublic->hTxDmaDoneDoneEvent, INFINITE);
				

				pSpiPrivate->dwTxCount -= dwDmaLen;
				pSpiPrivate->pTxBuffer = (((PUINT) pSpiPrivate->pTxBuffer) + dwDmaLen);
			}
			VirtualFree((PVOID)pTxBuffer, 0, MEM_RELEASE);

			while(((pSPIregs ->SPI_STATUS>>6) & 0x7f));
			while(!(pSPIregs ->SPI_STATUS & TX_DONE));

		}
		else		
		// POLLING + TX
		{
			RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : USE Polling (TxCount : %d) \r\n"), dwTxCount));

			if(pSpiPrivate->dwMode == SPI_MASTER_MODE) {
				pSPIregs->CH_CFG 	= pSpiPrivate->TxSPIregs.CH_CFG;
				pSPIregs->CLK_CFG 	= pSpiPrivate->TxSPIregs.CLK_CFG;
				pSPIregs->MODE_CFG  = pSpiPrivate->TxSPIregs.MODE_CFG;
			} else{
				pSPIregs->CH_CFG 	= pSpiPrivate->TxSPIregs.CH_CFG;
				pSPIregs->CLK_CFG 	= pSpiPrivate->TxSPIregs.CLK_CFG;
				pSPIregs->MODE_CFG  = pSpiPrivate->TxSPIregs.MODE_CFG;
			}
			pSPIregs->CH_CFG 		|=	TX_CH_ON;

			if(pSpiPrivate->dwMode == SPI_MASTER_MODE) 
			{
				RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : MASTER MODE \r\n")));
				MASTER_CS_ENABLE;
			}
			else
			{
				RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : SLAVE MODE \r\n")));
			}
			
			do
			{
				while(((pSPIregs ->SPI_STATUS>>6) & 0x7f)==FIFO_FULL);
				pSPIregs->SPI_TX_DATA = *(PBYTE)pSpiPrivate->pTxBuffer;
			} while(--pSpiPrivate->dwTxCount > 0 && ++(PBYTE)pSpiPrivate->pTxBuffer);

			while(((pSPIregs ->SPI_STATUS>>6) & 0x7f));
			while(!(pSPIregs ->SPI_STATUS & TX_DONE));

		}


		pSpiPrivate->dwTxCount = dwTestCount - pSpiPrivate->dwTxCount;
		
#ifdef TEST_MODE
		do
		{
			RETAILMSG(1,(TEXT("WRITE BYTE : %02X(dwTxCount : %d)\n"), *pTestBuffer, dwTestCount));
		} while( (--dwTestCount > 0) && ++pTestBuffer);
#endif

		RETAILMSG(FALSE,(TEXT("[HSPI DD] TX_CH_OFF \n")));
		pSPIregs->CH_CFG 	&= ~TX_CH_ON;	

		if(pSpiPrivate->dwMode == SPI_MASTER_MODE)	
			MASTER_CS_DISABLE;
		
		UnMapPtr(pTxBuffer);
		SetProcPermissions(dwOldPerm);
		
		SetEvent(pSpiPublic->hTxDoneEvent);
		
	} while(TRUE);