int main(int argc, char **argv) { LPSTR executable = "C:\\Windows\\System32\\calc.exe"; LPSTR injectDll = "inject.dll"; STARTUPINFO SI = {0}; PROCESS_INFORMATION PI = {0}; HANDLE hProcess; DWORD pid; DWORD threadID; LPVOID injectAddr; DWORD lpNumOfWritten; HMODULE hKernel32; FARPROC hLoadLibrary; SI.dwFlags = 1; SI.wShowWindow = 0; SI.cb = sizeof(SI); if(CreateProcess(executable, NULL, NULL, NULL, NULL, CREATE_NEW_CONSOLE, NULL, NULL, &SI, &PI)) { printf("[OK] CreateProcess %s\n", executable); } else FAULT(); pid = PI.dwProcessId; hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); injectAddr = VirtualAllocEx(hProcess, NULL, strlen(injectDll), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); if(injectAddr == NULL) FAULT(); printf("[OK] VirtualAllocEx to 0x%08X\n", (int *)injectAddr); if(WriteProcessMemory(hProcess, injectAddr, injectDll, strlen(injectDll), &lpNumOfWritten) == 0) FAULT(); printf("[OK] WriteProcessMememory to 0x%08X :: \"%s\",%d\n", (int *)injectAddr, injectDll, strlen(injectDll)); hKernel32 = GetModuleHandle("kernel32.dll"); hLoadLibrary = (FARPROC)GetProcAddress(hKernel32, "LoadLibraryA"); Sleep(2000); if(CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)hLoadLibrary, injectAddr, NULL, &threadID) == NULL) FAULT(); printf("[OK] CreateRemoteThread at 0x%08X :: LoadLibrary(\"%s\")\n", (int *)injectAddr, injectDll); getchar(); return 0; }
TInt DArmPlatProcess::GetNewChunk(DMemModelChunk*& aChunk, SChunkCreateInfo& aInfo) { aChunk=NULL; DArmPlatChunk* pC=new DArmPlatChunk; if (!pC) return KErrNoMemory; aChunk=pC; pC->iChunkType=aInfo.iType; switch(pC->iChunkType) { case EKernelData: case EKernelStack: case EKernelCode: case EKernelMessage: pC->iAttributes |= DMemModelChunk::EFixedAccess; break; case ERamDrive: pC->iDomain=3; pC->iAttributes |= DMemModelChunk::EFixedAccess; break; case EUserCode: case EUserSelfModCode: pC->iAttributes |= DMemModelChunk::EFixedAddress; if (iDomain>=0) { __KTRACE_OPT(KMMU,Kern::Printf("DArmPlatChunk create code chunk, owning process domain %d",iDomain)); pC->iDomain=iDomain; pC->iAttributes |= DMemModelChunk::EFixedAccess; } break; case EDll: break; case EUserData: case EDllData: if (aInfo.iGlobal && (iAttributes & DMemModelProcess::EFixedAddress || aInfo.iForceFixed)) { TInt domain=ArmMmu::AllocDomain(); if (domain>=0) { __KTRACE_OPT(KMMU,Kern::Printf("DArmPlatChunk create global chunk, Domain %d allocated",domain)); pC->iDomain=domain; pC->iAttributes |= DMemModelChunk::EFixedAccess; } } else if (!aInfo.iGlobal && iDomain>=0) { __KTRACE_OPT(KMMU,Kern::Printf("DArmPlatChunk create local chunk, owning process domain %d",iDomain)); pC->iDomain=iDomain; pC->iAttributes |= DMemModelChunk::EFixedAccess; } break; case ESharedKernelSingle: case ESharedKernelMultiple: case ESharedIo: break; default: FAULT(); } return KErrNone; }
void NThread_Default_State_Handler(NThread* __DEBUG_ONLY(aThread), TInt __DEBUG_ONLY(aOperation), TInt __DEBUG_ONLY(aParameter)) { // __KTRACE_OPT(KPANIC,DEBUGPRINT("Unknown NState %d: thread %T op %08x par %08x",aThread,aThread->iNState,aOperation,aParameter)); #ifdef _DEBUG DEBUGPRINT("UnknownState: thread %T op %08x par %08x",aThread,aOperation,aParameter); #endif FAULT(); }
static void I486OP(group0F01_32)(i386_state *cpustate) // Opcode 0x0f 01 { UINT8 modrm = FETCH(cpustate); UINT32 address, ea; switch( (modrm >> 3) & 0x7 ) { case 0: /* SGDT */ { if( modrm >= 0xc0 ) { address = LOAD_RM32(modrm); ea = i386_translate( cpustate, CS, address, 1 ); } else { ea = GetEA(cpustate,modrm,1); } WRITE16(cpustate,ea, cpustate->gdtr.limit); WRITE32(cpustate,ea + 2, cpustate->gdtr.base); CYCLES(cpustate,CYCLES_SGDT); break; } case 1: /* SIDT */ { if (modrm >= 0xc0) { address = LOAD_RM32(modrm); ea = i386_translate( cpustate, CS, address, 1 ); } else { ea = GetEA(cpustate,modrm,1); } WRITE16(cpustate,ea, cpustate->idtr.limit); WRITE32(cpustate,ea + 2, cpustate->idtr.base); CYCLES(cpustate,CYCLES_SIDT); break; } case 2: /* LGDT */ { if(PROTECTED_MODE && cpustate->CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { address = LOAD_RM32(modrm); ea = i386_translate( cpustate, CS, address, 0 ); } else { ea = GetEA(cpustate,modrm,0); } cpustate->gdtr.limit = READ16(cpustate,ea); cpustate->gdtr.base = READ32(cpustate,ea + 2); CYCLES(cpustate,CYCLES_LGDT); break; } case 3: /* LIDT */ { if(PROTECTED_MODE && cpustate->CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { address = LOAD_RM32(modrm); ea = i386_translate( cpustate, CS, address, 0 ); } else { ea = GetEA(cpustate,modrm,0); } cpustate->idtr.limit = READ16(cpustate,ea); cpustate->idtr.base = READ32(cpustate,ea + 2); CYCLES(cpustate,CYCLES_LIDT); break; } case 4: /* SMSW */ { if( modrm >= 0xc0 ) { STORE_RM32(modrm, cpustate->cr[0] & 0xffff); CYCLES(cpustate,CYCLES_SMSW_REG); } else { /* always 16-bit memory operand */ ea = GetEA(cpustate,modrm,1); WRITE16(cpustate,ea, cpustate->cr[0]); CYCLES(cpustate,CYCLES_SMSW_MEM); } break; } case 7: /* INVLPG */ { // Nothing to do ? break; } default: fatalerror("i486: unimplemented opcode 0x0f 01 /%d at %08X", (modrm >> 3) & 0x7, cpustate->eip - 2); break; } }
OS_Return OS_CreateProcess( OS_Process_t *process, const INT8 *process_name, UINT16 attributes, void (*process_entry_function)(void *pdata), void *pdata) { OS_Process *pcb; if(!process) { FAULT("Invalid process"); return INVALID_ARG; } if(!process_entry_function || !process_name) { FAULT("OS_CreateProcess: invalid arguments"); return INVALID_ARG; } // Now get a free PCB resource from the pool *process = (OS_Process_t) GetFreeResIndex(g_process_usage_mask, MAX_PROCESS_COUNT); if(*process < 0) { FAULT("OS_CreateProcess failed for '%s': Exhausted all resources\n", g_current_process->name); return RESOURCE_EXHAUSTED; } KlogStr(KLOG_GENERAL_INFO, "Creating process - ", process_name); // Get a pointer to actual PCB pcb = &g_process_pool[*process]; // Clear the process structure memset(pcb, 0, sizeof(OS_Process)); // Copy process name strncpy(pcb->name, process_name, OS_PROCESS_NAME_SIZE - 1); pcb->name[OS_PROCESS_NAME_SIZE - 1] = '\0'; pcb->id = *process; // Assign a unique process id pcb->attributes = attributes; pcb->process_entry_function = process_entry_function; pcb->pdata = pdata; pcb->next = NULL; #if ENABLE_MMU pcb->ptable = _MMU_allocate_l1_page_table(); if(!pcb->ptable) { FAULT("OS_CreateProcess failed for '%s': No space in page table area\n", g_current_process->name); return RESOURCE_EXHAUSTED; } // Now create a memory map for the task for the kernel space. Every process is going to have map for // the whole kernel process. This makes it more efficient during system calls and interrupts // by eliminating the need to change the page table. // Note that this does not compromise the security as the user mode cannot read/write // anything in the kernel memory map _OS_create_kernel_memory_map(pcb->ptable); #endif // Block the process resource SetResourceStatus(g_process_usage_mask, *process, FALSE); // Add to the process list if(g_process_list_tail) { g_process_list_tail->next = pcb; g_process_list_tail = pcb; } else { g_process_list_head = g_process_list_tail = pcb; } return SUCCESS; }
OS_Return OS_CreateProcessFromFile( OS_Process_t *process, const INT8 * process_name, UINT16 attributes, const INT8 * exec_path, void *pdata ) { // Validate inputs if(!exec_path) { FAULT("OS_CreateProcessFromFile: invalid file path"); return INVALID_ARG; } // First read the elf file INT32 fd = ramdisk_open(exec_path, O_RDONLY); if(fd < 0) { FAULT("OS_CreateProcessFromFile: could not open '%s'", exec_path); return FILE_ERROR; } void * program = ramdisk_GetDataPtr(fd, NULL); if(!program) { FAULT("OS_CreateProcessFromFile: could not read '%s'", exec_path); return FILE_ERROR; } // First read the section attributes from the ELF file so that we can create memory maps // before we load the sections into memory Elf_SectionAttribute sections[MAX_LOADABLE_SECTIONS]; UINT32 scount = MAX_LOADABLE_SECTIONS; void * start_address = NULL; // Read the section attributes if(elf_get_sections(program, &start_address, sections, &scount) == SUCCESS) { if(scount > MAX_LOADABLE_SECTIONS) { // Not all sections were loaded. Generate an error return EXCEEDED_MAX_SECTIONS; } } // All sections can be loaded. OS_Return status = OS_CreateProcess(process, process_name, attributes, start_address, pdata); if(status == SUCCESS) { // Get a pointer to actual PCB OS_Process *pcb = &g_process_pool[*process]; #if ENABLE_MMU // Create Memory Map for all sections in this program. // The kernel space has already been mapped to this process UINT32 i; for(i = 0; i < scount; i++) { _MMU_PTE_AccessPermission ap; switch(sections[i].flags) { case (PF_R): ap = KERNEL_RW_USER_RO; break; case (PF_X): case (PF_R | PF_X): ap = KERNEL_RW_USER_EX; break; case (PF_R | PF_W): ap = KERNEL_RW_USER_RW; break; default: ap = KERNEL_NA_USER_NA; break; } #if USER_PAGE_SIZE==4 // Create a map in the user process _MMU_add_l2_small_page_va_to_pa_map(pcb->ptable, sections[i].vaddr, sections[i].vaddr, sections[i].size, ap, TRUE, TRUE); // Also map this place in the kernel process _MMU_add_l2_small_page_va_to_pa_map(g_kernel_process->ptable, sections[i].vaddr, sections[i].vaddr, sections[i].size, KERNEL_RW_USER_NA, TRUE, TRUE); #elif USER_PAGE_SIZE==64 // Create a map in the user process _MMU_add_l2_large_page_va_to_pa_map(pcb->ptable, sections[i].vaddr, sections[i].vaddr, sections[i].size, ap, TRUE, TRUE); // Also map this place in the kernel process _MMU_add_l2_large_page_va_to_pa_map(g_kernel_process->ptable, sections[i].vaddr, sections[i].vaddr, sections[i].size, KERNEL_RW_USER_NA, TRUE, TRUE); #else #error "Supported values for USER_PAGE_SIZE is either 4 or 64" #endif } #endif // ENABLE_MMU // Now we are ready to actually load the program into memory status = elf_load(program); } return status; }
void i386_device::i486_group0F01_16() // Opcode 0x0f 01 { UINT8 modrm = FETCH(); UINT16 address; UINT32 ea; switch( (modrm >> 3) & 0x7 ) { case 0: /* SGDT */ { if( modrm >= 0xc0 ) { address = LOAD_RM16(modrm); ea = i386_translate( CS, address, 1 ); } else { ea = GetEA(modrm,1); } WRITE16(ea, m_gdtr.limit); WRITE32(ea + 2, m_gdtr.base & 0xffffff); CYCLES(CYCLES_SGDT); break; } case 1: /* SIDT */ { if (modrm >= 0xc0) { address = LOAD_RM16(modrm); ea = i386_translate( CS, address, 1 ); } else { ea = GetEA(modrm,1); } WRITE16(ea, m_idtr.limit); WRITE32(ea + 2, m_idtr.base & 0xffffff); CYCLES(CYCLES_SIDT); break; } case 2: /* LGDT */ { if(PROTECTED_MODE && m_CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { address = LOAD_RM16(modrm); ea = i386_translate( CS, address, 0 ); } else { ea = GetEA(modrm,0); } m_gdtr.limit = READ16(ea); m_gdtr.base = READ32(ea + 2) & 0xffffff; CYCLES(CYCLES_LGDT); break; } case 3: /* LIDT */ { if(PROTECTED_MODE && m_CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { address = LOAD_RM16(modrm); ea = i386_translate( CS, address, 0 ); } else { ea = GetEA(modrm,0); } m_idtr.limit = READ16(ea); m_idtr.base = READ32(ea + 2) & 0xffffff; CYCLES(CYCLES_LIDT); break; } case 4: /* SMSW */ { if( modrm >= 0xc0 ) { STORE_RM16(modrm, m_cr[0]); CYCLES(CYCLES_SMSW_REG); } else { ea = GetEA(modrm,1); WRITE16(ea, m_cr[0]); CYCLES(CYCLES_SMSW_MEM); } break; } case 6: /* LMSW */ { UINT16 b; if(PROTECTED_MODE && m_CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { b = LOAD_RM16(modrm); CYCLES(CYCLES_LMSW_REG); } else { ea = GetEA(modrm,0); CYCLES(CYCLES_LMSW_MEM); b = READ16(ea); } if(PROTECTED_MODE) b |= 0x0001; // cannot return to real mode using this instruction. m_cr[0] &= ~0x0000000f; m_cr[0] |= b & 0x0000000f; break; } case 7: /* INVLPG */ { if(PROTECTED_MODE && m_CPL) FAULT(FAULT_GP,0) if(modrm >= 0xc0) { logerror("i486: invlpg with modrm %02X\n", modrm); FAULT(FAULT_UD,0) } ea = GetEA(modrm,-1); CYCLES(25); // TODO: add to cycles.h vtlb_flush_address(m_vtlb, ea); break; } default: report_invalid_modrm("group0F01_16", modrm); break; }
extern "C" void PanicFastSemaphoreWait() { FAULT(); }
static void I486OP(group0F01_16)(i386_state *cpustate) // Opcode 0x0f 01 { UINT8 modrm = FETCH(cpustate); UINT16 address; UINT32 ea; switch( (modrm >> 3) & 0x7 ) { case 0: /* SGDT */ { if( modrm >= 0xc0 ) { address = LOAD_RM16(modrm); ea = i386_translate( cpustate, CS, address, 1 ); } else { ea = GetEA(cpustate,modrm,1); } WRITE16(cpustate,ea, cpustate->gdtr.limit); WRITE32(cpustate,ea + 2, cpustate->gdtr.base & 0xffffff); CYCLES(cpustate,CYCLES_SGDT); break; } case 1: /* SIDT */ { if (modrm >= 0xc0) { address = LOAD_RM16(modrm); ea = i386_translate( cpustate, CS, address, 1 ); } else { ea = GetEA(cpustate,modrm,1); } WRITE16(cpustate,ea, cpustate->idtr.limit); WRITE32(cpustate,ea + 2, cpustate->idtr.base & 0xffffff); CYCLES(cpustate,CYCLES_SIDT); break; } case 2: /* LGDT */ { if(PROTECTED_MODE && cpustate->CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { address = LOAD_RM16(modrm); ea = i386_translate( cpustate, CS, address, 0 ); } else { ea = GetEA(cpustate,modrm,0); } cpustate->gdtr.limit = READ16(cpustate,ea); cpustate->gdtr.base = READ32(cpustate,ea + 2) & 0xffffff; CYCLES(cpustate,CYCLES_LGDT); break; } case 3: /* LIDT */ { if(PROTECTED_MODE && cpustate->CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { address = LOAD_RM16(modrm); ea = i386_translate( cpustate, CS, address, 0 ); } else { ea = GetEA(cpustate,modrm,0); } cpustate->idtr.limit = READ16(cpustate,ea); cpustate->idtr.base = READ32(cpustate,ea + 2) & 0xffffff; CYCLES(cpustate,CYCLES_LIDT); break; } case 4: /* SMSW */ { if( modrm >= 0xc0 ) { STORE_RM16(modrm, cpustate->cr[0]); CYCLES(cpustate,CYCLES_SMSW_REG); } else { ea = GetEA(cpustate,modrm,1); WRITE16(cpustate,ea, cpustate->cr[0]); CYCLES(cpustate,CYCLES_SMSW_MEM); } break; } case 6: /* LMSW */ { UINT16 b; if(PROTECTED_MODE && cpustate->CPL) FAULT(FAULT_GP,0) if( modrm >= 0xc0 ) { b = LOAD_RM16(modrm); CYCLES(cpustate,CYCLES_LMSW_REG); } else { ea = GetEA(cpustate,modrm,0); CYCLES(cpustate,CYCLES_LMSW_MEM); b = READ16(cpustate,ea); } if(PROTECTED_MODE) b |= 0x0001; // cannot return to real mode using this instruction. cpustate->cr[0] &= ~0x0000000f; cpustate->cr[0] |= b & 0x0000000f; break; } case 7: /* INVLPG */ { // Nothing to do ? break; } default: fatalerror("i486: unimplemented opcode 0x0f 01 /%d at %08X", (modrm >> 3) & 0x7, cpustate->eip - 2); break; } }
/****************************************************************************** * Thread ******************************************************************************/ void InvalidExec() { FAULT(); }