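/*
 * Parse a strictly positive int from a command-line string.
 * Returns -1 for NULL, non-numeric input, trailing garbage, a
 * non-positive value or one that does not fit in an int, so the
 * caller can reject bad input instead of sizing buffers from whatever
 * atoi() happened to return.
 */
static int parse_positive_int(const char *s)
{
	char *end = NULL;
	long v;

	if (s == NULL) {
		return -1;
	}
	v = strtol(s, &end, 10);
	if (end == s || *end != '\0' || v <= 0 || v != (long)(int)v) {
		return -1;
	}
	return (int)v;
}

int main(int argc, char **argv) {
	/*
	 * Timing harness for libvmi physical-memory reads.
	 *
	 *   usage: <prog> <vm-name> <buf_size> <loops> <mode>
	 *   mode 1: one vmi_read_pa() of buf_size bytes per iteration
	 *   mode 2: buf_size/4 separate vmi_read_32_pa() calls per iteration
	 *
	 * Every iteration is bracketed with gettimeofday(); print_measurement()
	 * and avg_measurement() (defined elsewhere in this program) report the
	 * per-iteration and averaged deltas. Reads start at the physical
	 * address of the kernel symbol PsInitialSystemProcess.
	 *
	 * Returns 0 on success, 1 on bad arguments, allocation failure, or a
	 * failed VMI setup / symbol lookup.
	 */
	vmi_instance_t vmi;
	addr_t start_address = 0;
	struct timeval ktv_start;
	struct timeval ktv_end;
	unsigned char *buf = NULL;
	long int *data = NULL;
	long int diff = 0;
	uint32_t value = 0;
	int vmi_ready = 0;
	int ret = 1;
	int i, j;

	if (argc < 5) {
		printf("usage: %s <vm-name> <buf_size> <loops> <mode>\n", argv[0]);
		return 1;
	}

	char *vm = argv[1];
	int buf_size = parse_positive_int(argv[2]);
	int loops = parse_positive_int(argv[3]);
	int mode = parse_positive_int(argv[4]);

	/* Reject sizes atoi() would have silently turned into 0 or negatives. */
	if (buf_size < 0 || loops < 0) {
		printf("buf_size and loops must be positive integers\n");
		return 1;
	}
	if (mode != 1 && mode != 2) {
		printf("invalid mode\n");
		return 1;
	}

	buf = malloc(buf_size);
	data = calloc(loops, sizeof *data);
	if (buf == NULL || data == NULL) {
		printf("out of memory\n");
		goto out;
	}

	/* initialize the xen access library */
	if (VMI_FAILURE == vmi_init(&vmi, VMI_AUTO | VMI_INIT_COMPLETE, vm)) {
		printf("failed to init LibVMI library\n");
		goto out;
	}
	vmi_ready = 1;

	/*
	 * find address to work from: kernel VA of PsInitialSystemProcess,
	 * then its PA. Both translations are assumed to yield 0 on failure
	 * (as the kv2p callers elsewhere in libvmi treat it) — reading from
	 * PA 0 would silently benchmark the wrong thing.
	 */
	start_address = vmi_translate_ksym2v(vmi, "PsInitialSystemProcess");
	if (start_address) {
		start_address = vmi_translate_kv2p(vmi, start_address);
	}
	if (!start_address) {
		printf("failed to resolve PsInitialSystemProcess\n");
		goto out;
	}

	for (i = 0; i < loops; ++i) {
		/*
		 * NOTE(review): read results are deliberately not checked — this
		 * is a timing harness and vmi_read_pa's return convention may
		 * differ between libvmi versions; a failed read is still timed.
		 */
		if (mode == 1) {
			gettimeofday(&ktv_start, 0);
			vmi_read_pa(vmi, start_address, buf, buf_size);
			gettimeofday(&ktv_end, 0);
		} else {
			gettimeofday(&ktv_start, 0);
			for (j = 0; j < buf_size / 4; ++j) {
				vmi_read_32_pa(vmi, start_address + j * 4, &value);
			}
			gettimeofday(&ktv_end, 0);
		}

		print_measurement(ktv_start, ktv_end, &diff);
		data[i] = diff;
		memset(buf, 0, buf_size);
		sleep(1);
	}

	avg_measurement(data, loops);
	ret = 0;

out:
	if (vmi_ready) {
		vmi_destroy(vmi);
	}
	free(data);
	free(buf);
	return ret;
}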
/*
 * 2nd Level Page Table Descriptor (Fine Pages)
 *
 * Computes the physical location of the fine second-level descriptor for
 * vaddr (table base = bits 12..31 of the first-level descriptor, plus the
 * 4-byte-scaled entry index) into info->arm_aarch32.sld_location, then
 * reads the 32-bit descriptor into info->arm_aarch32.sld_value.
 * If the physical read fails, sld_value is left untouched.
 */
static inline
void get_fine_second_level_descriptor(vmi_instance_t vmi, uint32_t vaddr, page_info_t *info)
{
    uint32_t table_base = info->arm_aarch32.fld_value & VMI_BIT_MASK(12,31);
    uint32_t entry_offset = fine_second_level_table_index(vaddr) << 2;
    uint32_t descriptor = 0;

    info->arm_aarch32.sld_location = table_base | entry_offset;

    if (vmi_read_32_pa(vmi, info->arm_aarch32.sld_location, &descriptor) != VMI_SUCCESS) {
        return;
    }
    info->arm_aarch32.sld_value = descriptor;
}
/*
 * Locate the (non-PAE) page-directory entry for vaddr and read it.
 *
 * *pgd_entry receives the physical address of the entry. Returns the
 * 32-bit entry value, or 0 when the physical read fails — note that a
 * caller cannot distinguish a failed read from a genuinely zero
 * (not-present) entry.
 */
static inline
uint32_t get_pgd_nopae (vmi_instance_t instance,
    uint32_t vaddr,
    uint32_t pdpe,
    addr_t *pgd_entry)
{
    uint32_t entry = 0;

    *pgd_entry = pdba_base_nopae(pdpe) + pgd_index_nopae(vaddr);
    dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: pgd_entry = 0x%.8"PRIx64"\n", *pgd_entry);

    if (vmi_read_32_pa(instance, *pgd_entry, &entry) != VMI_FAILURE) {
        return entry;
    }
    return 0;
}
/*
 * Read a pointer-sized value from physical address paddr.
 *
 * Under IA-32e paging this is a 64-bit read whose status is returned
 * directly. Otherwise a 32-bit read is performed and zero-extended into
 * *value; in that case *value is always written (from a temporary that
 * starts at 0) even when the read reports failure.
 */
status_t
vmi_read_addr_pa(
    vmi_instance_t vmi,
    addr_t paddr,
    addr_t *value)
{
    uint32_t narrow = 0;
    status_t rc;

    if (vmi->page_mode == VMI_PM_IA32E) {
        return vmi_read_64_pa(vmi, paddr, value);
    }

    rc = vmi_read_32_pa(vmi, paddr, &narrow);
    *value = (uint64_t) narrow;
    return rc;
}
/*
 * Locate the (non-PAE) page-directory entry for vaddr and read it.
 *
 * *pgd_entry receives the entry's physical address and *pgd_value the
 * 32-bit entry (zero-extended). *pgd_value is 0 on failure.
 * Returns VMI_SUCCESS when the physical read succeeded, else VMI_FAILURE.
 */
static inline
status_t get_pgd_nopae (vmi_instance_t instance,
    uint32_t vaddr,
    uint32_t pdpe,
    addr_t *pgd_entry,
    addr_t *pgd_value)
{
    uint32_t raw = 0;

    *pgd_value = 0;
    *pgd_entry = pdba_base_nopae(pdpe) + pgd_index_nopae(vaddr);

    if (vmi_read_32_pa(instance, *pgd_entry, &raw) != VMI_FAILURE) {
        *pgd_value = raw;
        dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: pgd_entry = 0x%.8"PRIx64", pgd_value = 0x%.8"PRIx64"\n",
                *pgd_entry, *pgd_value);
        return VMI_SUCCESS;
    }

    dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: failed to read pgd_entry at = 0x%.8"PRIx64"\n", *pgd_entry);
    return VMI_FAILURE;
}
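/*
 * Locate the Windows kernel (ntoskrnl) base — physical and virtual — and
 * the _KPROCESS/_EPROCESS member offsets the Windows OS driver needs,
 * using a Rekall profile as the symbol source.
 *
 *  1. On a live VM (not VMI_FILE) with no caller-supplied kernel base:
 *     derive ntoskrnl_va from vCPU0's KPCR register (GS_BASE on IA-32e,
 *     FS_BASE on legacy/PAE) minus the KiInitialPCR RVA (Win 7+), or on
 *     XP/Vista — where the KPCR sits at the fixed VA 0xffdff000 — via
 *     _KPCR.KdVersionBlock -> _DBGKD_GET_VERSION64.KernBase.
 *  2. If no physical base was found (file mode, XP, or a CR3 that is not
 *     usable yet) scan for the kernel image with get_ntoskrnl_base() and
 *     read KernBase out of KdVersionBlock.
 *  3. Sanity-check NtBuildNumber and load the required offsets; offsets
 *     already present on `windows` (e.g. from the config) are kept.
 *
 * Returns VMI_SUCCESS when every required value was found, VMI_FAILURE
 * otherwise.
 */
static status_t
init_from_rekall_profile(vmi_instance_t vmi)
{

    status_t ret = VMI_FAILURE;
    windows_instance_t windows = vmi->os_data;
    dbprint(VMI_DEBUG_MISC, "**Trying to init from Rekall profile\n");

    reg_t kpcr = 0;
    addr_t kpcr_rva = 0;

    // try to find the kernel if we are not connecting to a file and the kernel pa/va were not already specified.
    if(vmi->mode != VMI_FILE && ! ( windows->ntoskrnl && windows->ntoskrnl_va ) ) {

        switch ( vmi->page_mode ) {
            case VMI_PM_IA32E:
                if (VMI_FAILURE == driver_get_vcpureg(vmi, &kpcr, GS_BASE, 0))
                    goto done;
                break;
            case VMI_PM_LEGACY: /* Fall-through */
            case VMI_PM_PAE:
                if (VMI_FAILURE == driver_get_vcpureg(vmi, &kpcr, FS_BASE, 0))
                    goto done;
                break;
            default:
                goto done;
        };

        if (VMI_SUCCESS == rekall_profile_symbol_to_rva(windows->rekall_profile, "KiInitialPCR", NULL, &kpcr_rva)) {
            /*
             * kpcr - kpcr_rva must not underflow, and on IA-32e a kernel
             * KPCR has to be in the upper canonical half; anything else
             * means vCPU0 is not currently running with KiInitialPCR mapped
             * (e.g. user mode, or early boot).
             */
            if ( kpcr <= kpcr_rva ||
                 (vmi->page_mode == VMI_PM_IA32E && kpcr < 0xffff800000000000) ) {
                dbprint(VMI_DEBUG_MISC, "**vCPU0 doesn't seem to have KiInitialPCR mapped, can't init from Rekall profile.\n");
                goto done;
            }

            // If the Rekall profile has KiInitialPCR we have Win 7+
            windows->ntoskrnl_va = kpcr - kpcr_rva;
            windows->ntoskrnl = vmi_translate_kv2p(vmi, windows->ntoskrnl_va);
        } else if(kpcr == 0x00000000ffdff000) {
            // If we are in live mode without KiInitialPCR, the KPCR has to be
            // at this VA (XP/Vista) and the KPCR trick [1] is still valid.
            // [1] http://moyix.blogspot.de/2008/04/finding-kernel-global-variables-in.html
            addr_t kdvb = 0, kdvb_offset = 0, kernbase_offset = 0, kernbase_va = 0;

            /*
             * Every step is checked: with an unchecked lookup a missing
             * symbol leaves the offset at 0 and the chain dereferences
             * kpcr+0 / kdvb+0, producing a bogus kernel base. On failure
             * the kernel base is left as it was so the scan below runs.
             */
            if (VMI_SUCCESS == rekall_profile_symbol_to_rva(windows->rekall_profile, "_KPCR", "KdVersionBlock", &kdvb_offset) &&
                VMI_SUCCESS == rekall_profile_symbol_to_rva(windows->rekall_profile, "_DBGKD_GET_VERSION64", "KernBase", &kernbase_offset) &&
                VMI_SUCCESS == vmi_read_addr_va(vmi, kpcr+kdvb_offset, 0, &kdvb) &&
                VMI_SUCCESS == vmi_read_addr_va(vmi, kdvb+kernbase_offset, 0, &kernbase_va)) {
                windows->ntoskrnl_va = kernbase_va;
                windows->ntoskrnl = vmi_translate_kv2p(vmi, windows->ntoskrnl_va);
            } else {
                dbprint(VMI_DEBUG_MISC, "**KPCR trick failed, falling back to scanning for the kernel\n");
            }
        } else {
            goto done;
        }

        dbprint(VMI_DEBUG_MISC, "**KernBase PA=0x%"PRIx64"\n", windows->ntoskrnl);

        /*
         * If the CR3 value points to a pagetable that hasn't been setup yet
         * we need to resort to finding a valid pagetable the old fashioned way.
         */
        if (windows->ntoskrnl_va && !windows->ntoskrnl)
        {
            windows_find_cr3(vmi);
            windows->ntoskrnl = vmi_translate_kv2p(vmi, windows->ntoskrnl_va);
        }
    }

    // This could happen if we are in file mode or for Win XP
    if (!windows->ntoskrnl) {

        windows->ntoskrnl = get_ntoskrnl_base(vmi, vmi->kpgd);

        // get KdVersionBlock/"_DBGKD_GET_VERSION64"->KernBase
        addr_t kdvb = 0, kernbase_offset = 0;
        rekall_profile_symbol_to_rva(windows->rekall_profile, "KdVersionBlock", NULL, &kdvb);
        rekall_profile_symbol_to_rva(windows->rekall_profile, "_DBGKD_GET_VERSION64", "KernBase", &kernbase_offset);

        /* addr_t is 64-bit: %lx is only 64 bits on LP64 hosts, so use PRIx64 like the rest of this function. */
        dbprint(VMI_DEBUG_MISC, "**KdVersionBlock RVA 0x%"PRIx64". KernBase RVA: 0x%"PRIx64"\n", kdvb, kernbase_offset);
        dbprint(VMI_DEBUG_MISC, "**KernBase PA=0x%"PRIx64"\n", windows->ntoskrnl);

        if (windows->ntoskrnl && kdvb && kernbase_offset) {
            vmi_read_addr_pa(vmi, windows->ntoskrnl + kdvb + kernbase_offset, &windows->ntoskrnl_va);

            if(!windows->ntoskrnl_va) {
                /*
                 * Retry as a plain 32-bit read into a temporary rather than
                 * writing through a uint32_t* into the 64-bit field (which
                 * only worked by relying on little-endian layout).
                 * Assumed: the pointer-sized read can come back 0 where only
                 * a 32-bit KernBase is populated — TODO confirm.
                 */
                uint32_t kernbase32 = 0;
                if (VMI_SUCCESS == vmi_read_32_pa(vmi, windows->ntoskrnl + kdvb + kernbase_offset, &kernbase32)) {
                    windows->ntoskrnl_va = kernbase32;
                }
            }

            if(!windows->ntoskrnl_va) {
                dbprint(VMI_DEBUG_MISC, "**failed to find Windows kernel VA via KdVersionBlock\n");
                goto done;
            }
        } else {
            dbprint(VMI_DEBUG_MISC, "**Failed to find required offsets and/or kernel base PA\n");
            goto done;
        }
    }

    dbprint(VMI_DEBUG_MISC, "**KernBase VA=0x%"PRIx64"\n", windows->ntoskrnl_va);

    addr_t ntbuildnumber_rva;
    uint16_t ntbuildnumber = 0;

    // Let's do some sanity checking
    if (VMI_FAILURE == rekall_profile_symbol_to_rva(windows->rekall_profile, "NtBuildNumber", NULL, &ntbuildnumber_rva)) {
        goto done;
    }
    if (VMI_FAILURE == vmi_read_16_pa(vmi, windows->ntoskrnl + ntbuildnumber_rva, &ntbuildnumber)) {
        goto done;
    }

    // An unknown build is only logged here (unlike the sysmap path): the profile may simply be newer than this library.
    if (ntbuild2version(ntbuildnumber) == VMI_OS_WINDOWS_UNKNOWN) {
        dbprint(VMI_DEBUG_MISC, "Unknown Windows NtBuildNumber: %u, the Rekall Profile may be incorrect for this Windows!\n", ntbuildnumber);
    }

    // The system map seems to be good, lets grab all the required offsets
    if(!windows->pdbase_offset) {
        if (VMI_FAILURE == rekall_profile_symbol_to_rva(windows->rekall_profile, "_KPROCESS", "DirectoryTableBase", &windows->pdbase_offset)) {
            goto done;
        }
    }
    if(!windows->tasks_offset) {
        if (VMI_FAILURE == rekall_profile_symbol_to_rva(windows->rekall_profile, "_EPROCESS", "ActiveProcessLinks", &windows->tasks_offset)) {
            goto done;
        }
    }
    if(!windows->pid_offset) {
        if (VMI_FAILURE == rekall_profile_symbol_to_rva(windows->rekall_profile, "_EPROCESS", "UniqueProcessId", &windows->pid_offset)) {
            goto done;
        }
    }
    if(!windows->pname_offset) {
        if (VMI_FAILURE == rekall_profile_symbol_to_rva(windows->rekall_profile, "_EPROCESS", "ImageFileName", &windows->pname_offset)) {
            goto done;
        }
    }

    ret = VMI_SUCCESS;
    dbprint(VMI_DEBUG_MISC, "**init from Rekall profile success\n");

    done: return ret;

}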
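/*
 * Locate the Windows kernel (ntoskrnl) base — physical and virtual — and
 * the _KPROCESS/_EPROCESS member offsets the Windows OS driver needs,
 * using a System Map as the symbol source. Mirrors init_from_rekall_profile.
 *
 *  1. On a live VM (not VMI_FILE): derive ntoskrnl_va from vCPU0's KPCR
 *     register (GS_BASE on IA-32e, FS_BASE on legacy/PAE) minus the
 *     KiInitialPCR RVA (Win 7+), or on XP/Vista — where the KPCR sits at
 *     the fixed VA 0xffdff000 — via _KPCR.KdVersionBlock ->
 *     _DBGKD_GET_VERSION64.KernBase.
 *  2. If no physical base was found (file mode or XP) scan for the kernel
 *     image with get_ntoskrnl_base() and read KernBase out of KdVersionBlock.
 *  3. Sanity-check NtBuildNumber (an unknown build is a failure here) and
 *     load the required offsets; offsets already present on `windows`
 *     (e.g. from the config) are kept.
 *
 * Returns VMI_SUCCESS when every required value was found, VMI_FAILURE
 * otherwise.
 */
static status_t
init_from_sysmap(vmi_instance_t vmi)
{

    status_t ret = VMI_FAILURE;
    windows_instance_t windows = vmi->os_data;
    dbprint(VMI_DEBUG_MISC, "**Trying to init from sysmap\n");

    reg_t kpcr = 0;
    addr_t kpcr_rva = 0;

    if(vmi->mode != VMI_FILE) {

        if (vmi->page_mode == VMI_PM_IA32E) {
            if (VMI_FAILURE == driver_get_vcpureg(vmi, &kpcr, GS_BASE, 0)) {
                goto done;
            }
        } else if (vmi->page_mode == VMI_PM_LEGACY || vmi->page_mode == VMI_PM_PAE) {
            if (VMI_FAILURE == driver_get_vcpureg(vmi, &kpcr, FS_BASE, 0)) {
                goto done;
            }
        } else {
            /* Unknown paging mode: kpcr would stay 0 and the subtraction below would wrap. Same policy as the Rekall path. */
            goto done;
        }

        if (VMI_SUCCESS == windows_system_map_symbol_to_address(vmi, "KiInitialPCR", NULL, &kpcr_rva)) {
            /*
             * kpcr - kpcr_rva must not underflow, and on IA-32e a kernel
             * KPCR has to be in the upper canonical half; anything else
             * means vCPU0 is not currently running with KiInitialPCR mapped.
             * (Same check as init_from_rekall_profile.)
             */
            if ( kpcr <= kpcr_rva ||
                 (vmi->page_mode == VMI_PM_IA32E && kpcr < 0xffff800000000000) ) {
                dbprint(VMI_DEBUG_MISC, "**vCPU0 doesn't seem to have KiInitialPCR mapped, can't init from sysmap.\n");
                goto done;
            }

            // If the sysmap has KiInitialPCR we have Win 7+
            windows->ntoskrnl_va = kpcr - kpcr_rva;
            windows->ntoskrnl = vmi_translate_kv2p(vmi, windows->ntoskrnl_va);
        } else if(kpcr == 0x00000000ffdff000) {
            // If we are in live mode without KiInitialPCR, the KPCR has to be
            // at this VA (XP/Vista) and the KPCR trick [1] is still valid.
            // [1] http://moyix.blogspot.de/2008/04/finding-kernel-global-variables-in.html
            addr_t kdvb = 0, kdvb_offset = 0, kernbase_offset = 0, kernbase_va = 0;

            /*
             * Every step is checked: with an unchecked lookup a missing
             * symbol leaves the offset at 0 and the chain dereferences
             * kpcr+0 / kdvb+0, producing a bogus kernel base. On failure
             * the kernel base is left as it was so the scan below runs.
             */
            if (VMI_SUCCESS == windows_system_map_symbol_to_address(vmi, "_KPCR", "KdVersionBlock", &kdvb_offset) &&
                VMI_SUCCESS == windows_system_map_symbol_to_address(vmi, "_DBGKD_GET_VERSION64", "KernBase", &kernbase_offset) &&
                VMI_SUCCESS == vmi_read_addr_va(vmi, kpcr+kdvb_offset, 0, &kdvb) &&
                VMI_SUCCESS == vmi_read_addr_va(vmi, kdvb+kernbase_offset, 0, &kernbase_va)) {
                windows->ntoskrnl_va = kernbase_va;
                windows->ntoskrnl = vmi_translate_kv2p(vmi, windows->ntoskrnl_va);
            } else {
                dbprint(VMI_DEBUG_MISC, "**KPCR trick failed, falling back to scanning for the kernel\n");
            }
        } else {
            goto done;
        }

        dbprint(VMI_DEBUG_MISC, "**KernBase PA=0x%"PRIx64"\n", windows->ntoskrnl);

    }

    // This could happen if we are in file mode or for Win XP
    if (!windows->ntoskrnl) {

        windows->ntoskrnl = get_ntoskrnl_base(vmi, vmi->kpgd);

        // get KdVersionBlock/"_DBGKD_GET_VERSION64"->KernBase
        addr_t kdvb = 0, kernbase_offset = 0;
        windows_system_map_symbol_to_address(vmi, "KdVersionBlock", NULL, &kdvb);
        windows_system_map_symbol_to_address(vmi, "_DBGKD_GET_VERSION64", "KernBase", &kernbase_offset);

        /* addr_t is 64-bit: %lx is only 64 bits on LP64 hosts, so use PRIx64 like the rest of this function. */
        dbprint(VMI_DEBUG_MISC, "**KdVersionBlock RVA 0x%"PRIx64". KernBase RVA: 0x%"PRIx64"\n", kdvb, kernbase_offset);
        dbprint(VMI_DEBUG_MISC, "**KernBase PA=0x%"PRIx64"\n", windows->ntoskrnl);

        if (windows->ntoskrnl && kdvb && kernbase_offset) {
            vmi_read_addr_pa(vmi, windows->ntoskrnl + kdvb + kernbase_offset, &windows->ntoskrnl_va);

            if(!windows->ntoskrnl_va) {
                /*
                 * Retry as a plain 32-bit read into a temporary rather than
                 * writing through a uint32_t* into the 64-bit field (which
                 * only worked by relying on little-endian layout).
                 * Assumed: the pointer-sized read can come back 0 where only
                 * a 32-bit KernBase is populated — TODO confirm.
                 */
                uint32_t kernbase32 = 0;
                if (VMI_SUCCESS == vmi_read_32_pa(vmi, windows->ntoskrnl + kdvb + kernbase_offset, &kernbase32)) {
                    windows->ntoskrnl_va = kernbase32;
                }
            }

            if(!windows->ntoskrnl_va) {
                dbprint(VMI_DEBUG_MISC, "**failed to find Windows kernel VA via KdVersionBlock\n");
                goto done;
            }
        } else {
            dbprint(VMI_DEBUG_MISC, "**Failed to find required offsets and/or kernel base PA\n");
            goto done;
        }
    }

    dbprint(VMI_DEBUG_MISC, "**KernBase VA=0x%"PRIx64"\n", windows->ntoskrnl_va);

    addr_t ntbuildnumber_rva;
    uint16_t ntbuildnumber = 0;

    // Let's do some sanity checking
    if (VMI_FAILURE == windows_system_map_symbol_to_address(vmi, "NtBuildNumber", NULL, &ntbuildnumber_rva)) {
        goto done;
    }
    if (VMI_FAILURE == vmi_read_16_pa(vmi, windows->ntoskrnl + ntbuildnumber_rva, &ntbuildnumber)) {
        goto done;
    }

    // Unlike the Rekall path an unknown build is fatal here; the message used to blame a "Rekall Profile" by copy/paste.
    if (ntbuild2version(ntbuildnumber) == VMI_OS_WINDOWS_UNKNOWN) {
        dbprint(VMI_DEBUG_MISC, "Unknown Windows NtBuildNumber: %u. The System Map may be incorrect for this Windows!\n", ntbuildnumber);
        goto done;
    }

    // The system map seems to be good, lets grab all the required offsets
    if(!windows->pdbase_offset) {
        if (VMI_FAILURE == windows_system_map_symbol_to_address(vmi, "_KPROCESS", "DirectoryTableBase", &windows->pdbase_offset)) {
            goto done;
        }
    }
    if(!windows->tasks_offset) {
        if (VMI_FAILURE == windows_system_map_symbol_to_address(vmi, "_EPROCESS", "ActiveProcessLinks", &windows->tasks_offset)) {
            goto done;
        }
    }
    if(!windows->pid_offset) {
        if (VMI_FAILURE == windows_system_map_symbol_to_address(vmi, "_EPROCESS", "UniqueProcessId", &windows->pid_offset)) {
            goto done;
        }
    }
    if(!windows->pname_offset) {
        if (VMI_FAILURE == windows_system_map_symbol_to_address(vmi, "_EPROCESS", "ImageFileName", &windows->pname_offset)) {
            goto done;
        }
    }

    ret = VMI_SUCCESS;
    dbprint(VMI_DEBUG_MISC, "**init from sysmap success\n");

    done: return ret;

}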