uint32 peChecksumExecSections(uint8 *peBaseAddr,
void *realBase,
PEPROCESS proc,
PKAPC_STATE apc,
PHYSICAL_ADDRESS *physArr)
{
uint16 numExecSections = peGetNumExecSections(peBaseAddr);
uint32 checksum = 0, k, i, j,
numRelocs = peGetNumberOfRelocs(peBaseAddr, realBase, proc, apc),
relocDelta = peCalculateRelocDiff(peBaseAddr, realBase);
uint8 *dataPtr = NULL;
PHYSICAL_ADDRESS phys = {0};
SectionData *execSections = (SectionData *) MmAllocateNonCachedMemory(
numExecSections * sizeof(SectionData));
peGetExecSections(peBaseAddr, execSections);
//DbgPrint("Found %d relocations, delta of: %x\r\n", numRelocs, relocDelta);
for (i = 0; i < numExecSections; i++)
{
uint32 numpages = execSections[i].Size / 0x1000, size = execSections[i].Size;
if (numpages * 0x1000 < execSections[i].Size)
numpages++;
for (k = 0; k < numpages; k++)
{
KeStackAttachProcess(proc, apc);
dataPtr = (uint8 *) MmMapIoSpace(MmGetPhysicalAddress((void *)(((uint32) realBase) +
execSections[i].VirtualAddress + (0x1000 * k))),
0x1000, 0);
phys = MmGetPhysicalAddress((void *) dataPtr);
for (j = 0; j < min(size, 0x1000); j++)
{
checksum += dataPtr[j];
}
MmUnmapIoSpace((void *) dataPtr, 0x1000);
size -= 0x1000;
KeUnstackDetachProcess(apc);
}
}
// Subtract the relocations from the checksum
// TODO Fix incase of lower load address
checksum += numRelocs * (relocDelta & 0x000000FF);
checksum += numRelocs * ((relocDelta & 0x0000FF00) >> 8);
checksum += numRelocs * ((relocDelta & 0x00FF0000) >> 16);
checksum += numRelocs * ((relocDelta & 0xFF000000) >> 24);
MmFreeNonCachedMemory((void *) execSections, numExecSections * sizeof(SectionData));
return checksum;
}
void
GetGuestState()
{
PHYSICAL_ADDRESS HighestAcceptableAddress;
HighestAcceptableAddress.QuadPart = 0xFFFFFFFF00000000;
g_GuestState.CR0 = __readcr0();
g_GuestState.CR3 = __readcr3();
g_GuestState.CR4 = __readcr4() | CR4_VMXE;
g_GuestState.RFLAGS = __readeflags();
g_GuestState.Cs = __readcs();
g_GuestState.Ds = __readds();
g_GuestState.Es = __reades();
g_GuestState.Ss = __readss();
g_GuestState.Fs = __readfs();
g_GuestState.Gs = __readgs();
g_GuestState.Ldtr = __sldt();
g_GuestState.Tr = __str();
__sgdt(&(g_GuestState.Gdtr));
__sidt(&(g_GuestState.Idtr));
g_GuestState.S_CS = __readmsr(IA32_SYSENTER_CS);
g_GuestState.SEIP = __readmsr(IA64_SYSENTER_EIP);
g_GuestState.SESP = __readmsr(IA32_SYSENTER_ESP);
g_GuestState.VMXON = MmAllocateNonCachedMemory(PAGE_SIZE);
RtlZeroMemory(g_GuestState.VMXON, PAGE_SIZE);
g_GuestState.VMCS = MmAllocateNonCachedMemory(PAGE_SIZE);
RtlZeroMemory(g_GuestState.VMCS, PAGE_SIZE);
g_GuestState.hvStack = // 分配的是非页面内存, 且保证在物理内存中是连续的, MmFreeContiguousMemory
MmAllocateContiguousMemory(PAGE_SIZE * 2, HighestAcceptableAddress);
RtlZeroMemory(g_GuestState.hvStack, PAGE_SIZE * 2);
}
KERNELAPI BOOL PsCreateIntThread(OUT PHANDLE ThreadHandle, IN HANDLE ProcessHandle, IN PKSTART_ROUTINE StartRoutine,
IN PVOID StartContext, IN DWORD StackSize)
{
PTHREAD_CONTROL_BLOCK pThread;
int *pStack;
pThread = MmAllocateNonCachedMemory(sizeof(THREAD_CONTROL_BLOCK));
if(pThread == NULL) return FALSE;
pStack = MmAllocateNonCachedMemory(StackSize);
if(pStack == NULL) return FALSE;
pThread->parent_process_handle = ProcessHandle;
pThread->thread_id = PspGetNextThreadID(ProcessHandle);
pThread->thread_handle = (HANDLE)pThread;
pThread->thread_status = THREAD_STATUS_STOP;
pThread->auto_delete = FALSE;
pThread->pt_next_thread = NULL;
pThread->start_routine = StartRoutine;
pThread->start_context = StartContext;
pThread->pt_stack_base_address = pStack;
pThread->stack_size = StackSize;
if(!PspAddNewThread(ProcessHandle, (HANDLE)pThread)) return FALSE;
HalSetupTSS(&pThread->thread_tss32, TRUE, (int)StartRoutine, pStack, StackSize);
*ThreadHandle = pThread;
return TRUE;
}
//쓰레드 생성 함수
KERNELAPI BOOL PsCreateThread(OUT PHANDLE ThreadHandle, IN HANDLE ProcessHandle, IN PKSTART_ROUTINE StartRoutine, IN PVOID StartContext, IN DWORD StackSize, IN BOOL AutoDelete)
{
PTHREAD_CONTROL_BLOCK pThread;
int *pStack;
//메모리할당
pThread = MmAllocateNonCachedMemory(sizeof(THREAD_CONTROL_BLOCK));
if(pThread == NULL) return FALSE;
//쓰레드에서 사용할 스택 할당
pStack = MmAllocateNonCachedMemory(StackSize);
if(pStack == NULL) return FALSE;
//부모 프로세스의 핸들 설정
pThread->parent_process_handle = ProcessHandle;
//Thread id 및 handle 할당
pThread->thread_id = PspGetNextThreadID(ProcessHandle);
pThread->thread_handle = (HANDLE)pThread;
pThread->thread_status = THREAD_STATUS_STOP; //Thread 상태를 STOP으로 설정
pThread->auto_delete = AutoDelete;
pThread->pt_next_thread = NULL;
//쓰레드가 실행해야 하는 함수(StartRoutine), 함수에 넘어가는 인자(StartContext), 스택 사이즈 설정
pThread->start_routine = StartRoutine;
pThread->start_context = StartContext;
pThread->pt_stack_base_address = pStack;
pThread->stack_size = StackSize;
//PspAddNewThread 함수를 통해 Process에 생성된 쓰레드를 추가
if(!PspAddNewThread(ProcessHandle, (HANDLE)pThread)) return FALSE;
HalSetupTSS(&pThread->thread_tss32, TRUE, (int)PspTaskEntryPoint, pStack, StackSize);
*ThreadHandle = pThread;
return TRUE;
}
//유제 쓰레드 생성하는 함수
KERNELAPI BOOL PsCreateUserThread(OUT PHANDLE ThreadHandle, IN HANDLE ProcessHandle, IN PVOID StartContext)
{
#define USER_APP_ENTRY_POINT 0x00101000 //유저 프로그램의 진입점의 주소
#define USER_APP_STACK_PTR 0x001f0000 //유저 프로그램의 스택 주소
#define USER_APP_STACK_SIZE (1024*64) //유저 프로그램의 스택의 크디
PTHREAD_CONTROL_BLOCK pThread;
pThread = MmAllocateNonCachedMemory(sizeof(THREAD_CONTROL_BLOCK));
if(pThread == NULL) return FALSE;
pThread->parent_process_handle = ProcessHandle;
pThread->thread_id = PspGetNextThreadID(ProcessHandle);
pThread->thread_handle = (HANDLE)pThread;
pThread->thread_status = THREAD_STATUS_STOP;
pThread->auto_delete = FALSE;
pThread->pt_next_thread = NULL;
pThread->start_routine = (PKSTART_ROUTINE)USER_APP_ENTRY_POINT;
pThread->start_context = StartContext;
pThread->pt_stack_base_address = (int *)USER_APP_STACK_PTR;
pThread->stack_size = USER_APP_STACK_SIZE;
if(!PspAddNewThread(ProcessHandle, (HANDLE)pThread)) return FALSE;
HalSetupTSS(&pThread->thread_tss32, TRUE, USER_APP_ENTRY_POINT, (int *)USER_APP_STACK_PTR, USER_APP_STACK_SIZE);
*ThreadHandle = pThread;
return TRUE;
}
NTSTATUS HelloDDKDeviceIOControl(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
NTSTATUS status = STATUS_SUCCESS;
KdPrint(("Enter HelloDDKDeviceIOControl\n"));
//得到当前堆栈
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
//得到输入缓冲区大小
ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
//得到输出缓冲区大小
ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
//得到IOCTL码
ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
ULONG info = 0;
switch (code)
{ // process request
case IOCTL_ENABLEDIRECTIO:
{
KdPrint(("IOCTL_ENABLEDIRECTIO\n"));
pIOPM = (UCHAR*)MmAllocateNonCachedMemory(IOPM_SIZE);
if (pIOPM)
{
RtlZeroMemory(pIOPM, IOPM_SIZE);
Ke386IoSetAccessProcess(PsGetCurrentProcess(), 1);
Ke386SetIoAccessMap(1, pIOPM);
}
else
pIrp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
}
case IOCTL_DISABLEDIRECTIO:
{
KdPrint(("IOCTL_DISABLEDIRECTIO\n"));
if (pIOPM)
{
Ke386IoSetAccessProcess(PsGetCurrentProcess(), 0);
Ke386SetIoAccessMap(1, pIOPM);
MmFreeNonCachedMemory(pIOPM, IOPM_SIZE);
pIOPM = NULL;
}
}
default:
status = STATUS_INVALID_VARIANT;
}
// 完成IRP
pIrp->IoStatus.Status = status;
pIrp->IoStatus.Information = info; // bytes xfered
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
KdPrint(("Leave HelloDDKDeviceIOControl\n"));
return status;
}
/**********************************************************************************************************
* GLOBAL FUNTIONS *
**********************************************************************************************************/
BOOL SysInitializeSyscall(VOID)
{
if(!SyspSetupSysCallgate()) {
DbgPrint("SyspSetupSysCallgate() returned an error.\r\n");
return FALSE;
}
/* setup stack for syscall */
m_pSyscallStack = MmAllocateNonCachedMemory(DEFAULT_STACK_SIZE);
if(m_pSyscallStack == NULL) return FALSE;
return TRUE;
}
// Standard entry point for the device driver. Initialize ourselves
// and create the proper links to ourselves...
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT driverObject,
IN PUNICODE_STRING registryPath)
{
NTSTATUS result = STATUS_INSUFFICIENT_RESOURCES;
PDEVICE_OBJECT deviceObject;
UNICODE_STRING deviceName, dosName;
ioMap = MmAllocateNonCachedMemory(sizeof(IOPM));
if(ioMap)
{
// this will allow access to all ports. if we want to
// allow limited access we could set only ports we want
// to access to 0.
RtlZeroMemory(ioMap, sizeof(IOPM));
// create unicode string for device name;
//wcscpy(foo, L"\\Device\\portio");
RtlInitUnicodeString(&deviceName, devicePath);
// create the actual device
result = IoCreateDevice(driverObject,
0,
&deviceName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&deviceObject);
if(NT_SUCCESS(result))
{
// create symbolic link to driver
RtlInitUnicodeString(&dosName, dosDevicePath);
result = IoCreateSymbolicLink (&dosName, &deviceName);
if(NT_SUCCESS(result))
{
// finally register the entry points for the driver functions
driverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreateDispatch;
driverObject->DriverUnload = DriverUnload;
result = STATUS_SUCCESS;
}
}
}
return result;
}
/*********************************************************************
Driver Entry routine.
This routine is called only once after the driver is initially
loaded into memory. It allocates everything necessary for the
driver's operation. In our case, it allocates memory for our IOPM
array, and creates a device which user mode applications can open.
It also creates a symbolic link to the device driver. This allows
a user mode application to access our driver using the \\.\giveio
notation.
*********************************************************************/
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
PDEVICE_OBJECT deviceObject;
NTSTATUS status;
WCHAR NameBuffer[] = L"\\Device\\" DEVICE_NAME_STRING;
WCHAR DOSNameBuffer[] = L"\\DosDevices\\" DEVICE_NAME_STRING;
UNICODE_STRING uniNameString, uniDOSString;
//
// Allocate a buffer for the local IOPM and zero it.
//
IOPM_local = MmAllocateNonCachedMemory(sizeof(IOPM));
if(IOPM_local == 0)
return STATUS_INSUFFICIENT_RESOURCES;
RtlZeroMemory(IOPM_local, sizeof(IOPM));
//
// Set up device driver name and device object.
//
RtlInitUnicodeString(&uniNameString, NameBuffer);
RtlInitUnicodeString(&uniDOSString, DOSNameBuffer);
status = IoCreateDevice(DriverObject, 0,
&uniNameString,
FILE_DEVICE_UNKNOWN,
0, FALSE, &deviceObject);
if(!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink (&uniDOSString, &uniNameString);
if (!NT_SUCCESS(status))
return status;
//
// Initialize the Driver Object with driver's entry points.
// All we require are the Create and Unload operations.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = GiveioCreateDispatch;
DriverObject->DriverUnload = GiveioUnload;
return STATUS_SUCCESS;
}
void *co_os_alloc_pages(unsigned int pages)
{
void *ret;
if (pages == 0)
KeBugCheck(0x11117777);
ret = MmAllocateNonCachedMemory(pages * CO_ARCH_PAGE_SIZE);
#ifdef DEBUG_CO_OS_ALLOC
if (ret) {
allocs++;
co_debug_allocations("PAGE ALLOC %d(%u) - %p", allocs, pages, ret);
}
#endif
return ret;
}
/**********************************************************************************************************
* EXPORTED FUNTIONS *
**********************************************************************************************************/
KERNELAPI BOOL PsCreateProcess(OUT PHANDLE ProcessHandle)
{
PPROCESS_CONTROL_BLOCK pProcess;
pProcess = MmAllocateNonCachedMemory(sizeof(PROCESS_CONTROL_BLOCK));
if(pProcess == NULL) return FALSE;
pProcess->process_id = PspGetNextProcessID();
pProcess->process_handle = (HANDLE)pProcess;
pProcess->pt_next_process = NULL;
pProcess->thread_count = 0;
pProcess->next_thread_id = 0;
pProcess->pt_head_thread = NULL;
if(!PspAddNewProcess((HANDLE)pProcess)) return FALSE;
*ProcessHandle = pProcess;
return TRUE;
}
NTSTATUS WinIoDispatch(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
PIO_STACK_LOCATION IrpStack;
ULONG dwInputBufferLength;
ULONG dwOutputBufferLength;
ULONG dwIoControlCode;
PVOID pvIOBuffer;
NTSTATUS ntStatus;
struct tagPhys32Struct Phys32Struct;
OutputDebugString ("Entering WinIoDispatch");
// Init to default settings
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation(Irp);
// Get the pointer to the input/output buffer and it's length
pvIOBuffer = Irp->AssociatedIrp.SystemBuffer;
dwInputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
dwOutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch (IrpStack->MajorFunction)
{
case IRP_MJ_CREATE:
OutputDebugString("IRP_MJ_CREATE");
break;
case IRP_MJ_CLOSE:
OutputDebugString("IRP_MJ_CLOSE");
break;
case IRP_MJ_DEVICE_CONTROL:
OutputDebugString("IRP_MJ_DEVICE_CONTROL");
dwIoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch (dwIoControlCode)
{
case IOCTL_WINIO_ENABLEDIRECTIO:
OutputDebugString("IOCTL_WINIO_ENABLEDIRECTIO");
pIOPM = MmAllocateNonCachedMemory(sizeof(IOPM));
if (pIOPM)
{
RtlZeroMemory(pIOPM, sizeof(IOPM));
Ke386IoSetAccessProcess(PsGetCurrentProcess(), 1);
Ke386SetIoAccessMap(1, pIOPM);
}
else
Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
break;
case IOCTL_WINIO_DISABLEDIRECTIO:
OutputDebugString("IOCTL_WINIO_DISABLEDIRECTIO");
if (pIOPM)
{
Ke386IoSetAccessProcess(PsGetCurrentProcess(), 0);
Ke386SetIoAccessMap(1, pIOPM);
MmFreeNonCachedMemory(pIOPM, sizeof(IOPM));
pIOPM = NULL;
}
break;
case IOCTL_WINIO_MAPPHYSTOLIN:
OutputDebugString("IOCTL_WINIO_MAPPHYSTOLIN");
if (dwInputBufferLength)
{
memcpy (&Phys32Struct, pvIOBuffer, dwInputBufferLength);
ntStatus = MapPhysicalMemoryToLinearSpace(Phys32Struct.pvPhysAddress,
Phys32Struct.dwPhysMemSizeInBytes,
&Phys32Struct.pvPhysMemLin,
&Phys32Struct.PhysicalMemoryHandle);
if (NT_SUCCESS(ntStatus))
{
memcpy (pvIOBuffer, &Phys32Struct, dwInputBufferLength);
Irp->IoStatus.Information = dwInputBufferLength;
}
Irp->IoStatus.Status = ntStatus;
}
else
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
break;
case IOCTL_WINIO_UNMAPPHYSADDR:
OutputDebugString("IOCTL_WINIO_UNMAPPHYSADDR");
if (dwInputBufferLength)
{
memcpy (&Phys32Struct, pvIOBuffer, dwInputBufferLength);
ntStatus = UnmapPhysicalMemory(Phys32Struct.PhysicalMemoryHandle, Phys32Struct.pvPhysMemLin);
Irp->IoStatus.Status = ntStatus;
}
else
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
break;
default:
OutputDebugString("ERROR: Unknown IRP_MJ_DEVICE_CONTROL");
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
break;
}
break;
}
// DON'T get cute and try to use the status field of the irp in the
// return status. That IRP IS GONE as soon as you call IoCompleteRequest.
ntStatus = Irp->IoStatus.Status;
IoCompleteRequest (Irp, IO_NO_INCREMENT);
// We never have pending operation so always return the status code.
OutputDebugString("Leaving WinIoDispatch");
return ntStatus;
}
static STDCALL NTSTATUS MapPhysicalMemoryToLinearSpace(PVOID pPhysAddress,ULONG PhysMemSizeInBytes,PVOID *PhysMemLin){
alloc_priv* alloclisttmp;
PMDL Mdl=NULL;
PVOID SystemVirtualAddress=NULL;
PVOID UserVirtualAddress=NULL;
PHYSICAL_ADDRESS pStartPhysAddress;
OutputDebugString ("dhahelper: entering MapPhysicalMemoryToLinearSpace");
#ifdef _WIN64
pStartPhysAddress.QuadPart = (ULONGLONG)pPhysAddress;
#else
pStartPhysAddress.QuadPart = (ULONGLONG)(ULONG)pPhysAddress;
#endif
#ifndef NO_SEH
__try {
#endif
SystemVirtualAddress=MmMapIoSpace(pStartPhysAddress,PhysMemSizeInBytes, /*MmWriteCombined*/MmNonCached);
if(!SystemVirtualAddress){
OutputDebugString("dhahelper: MmMapIoSpace failed");
return STATUS_INVALID_PARAMETER;
}
OutputDebugString("dhahelper: SystemVirtualAddress 0x%x",SystemVirtualAddress);
Mdl=IoAllocateMdl(SystemVirtualAddress, PhysMemSizeInBytes, FALSE, FALSE,NULL);
if(!Mdl){
OutputDebugString("dhahelper: IoAllocateMdl failed");
return STATUS_INSUFFICIENT_RESOURCES;
}
OutputDebugString("dhahelper: Mdl 0x%x",Mdl);
MmBuildMdlForNonPagedPool(Mdl);
#ifdef _WIN64
UserVirtualAddress = (PVOID)(((ULONGLONG)PAGE_ALIGN(MmMapLockedPages(Mdl,UserMode))) + MmGetMdlByteOffset(Mdl));
#else
UserVirtualAddress = (PVOID)(((ULONG)PAGE_ALIGN(MmMapLockedPages(Mdl,UserMode))) + MmGetMdlByteOffset(Mdl));
#endif
if(!UserVirtualAddress){
OutputDebugString("dhahelper: MmMapLockedPages failed");
return STATUS_INSUFFICIENT_RESOURCES;
}
OutputDebugString("dhahelper: UserVirtualAddress 0x%x",UserVirtualAddress);
#ifndef NO_SEH
}__except(EXCEPTION_EXECUTE_HANDLER){
NTSTATUS ntStatus;
ntStatus = GetExceptionCode();
OutputDebugString("dhahelper: MapPhysicalMemoryToLinearSpace failed due to exception 0x%0x\n", ntStatus);
return ntStatus;
}
#endif
OutputDebugString("dhahelper: adding data to internal allocation list");
alloclisttmp=MmAllocateNonCachedMemory((alloccount+1)*sizeof(alloc_priv));
if(!alloclisttmp){
OutputDebugString("dhahelper: not enough memory to create temporary allocation list");
MmUnmapLockedPages(UserVirtualAddress, Mdl);
IoFreeMdl(Mdl);
return STATUS_INSUFFICIENT_RESOURCES;
}
if(alloccount){
memcpy(alloclisttmp,alloclist,alloccount * sizeof(alloc_priv));
MmFreeNonCachedMemory(alloclist,alloccount*sizeof(alloc_priv));
}
alloclist=alloclisttmp;
alloclist[alloccount].Mdl=Mdl;
alloclist[alloccount].SystemVirtualAddress=SystemVirtualAddress;
alloclist[alloccount].UserVirtualAddress=UserVirtualAddress;
alloclist[alloccount].PhysMemSizeInBytes=PhysMemSizeInBytes;
++alloccount;
*PhysMemLin=UserVirtualAddress;
OutputDebugString("dhahelper: leaving MapPhysicalMemoryToLinearSpace");
return STATUS_SUCCESS;
}
