
Date:2011-07-11 22:15:56 (8 years 11 days ago)
Author:armel cadet-petit
Commit:1144
Parents: 1143
Message:updated kernelpatcher with AnV's Patch
Changes:
M/branches/cparm/i386/modules/KernelPatcher/kernel_patcher.c
M/branches/cparm/CHANGES

File differences

branches/cparm/CHANGES
1
12
2
3
3
4
45
56
67
- Applied Andy Vandijck's Nehalem (i5/i9) spoof to kernelpatcher
- Fixed an issue with kernelPatcher, it seems that kernelPatcher is unable to patch the kernelCache
- Applied some fix from the trunk
- Applied many under the hood fix
- Applied some fixes from the trunk
- Applied many under the hood fixes
- Added Andy Vandijck Server spoof
- Added a Patch from Andy Vandijck in SMBiosPatcher and SMBiosGetters
- Added a Patch from Netkas in GraphicEnabler (ati.c)
branches/cparm/i386/modules/KernelPatcher/kernel_patcher.c
1414
1515
1616
17
1817
1918
2019
......
2625
2726
2827
29
3028
3129
3230
......
3735
3836
3937
40
38
4139
4240
4341
4442
45
46
4743
48
49
44
5045
5146
5247
53
5448
5549
5650
......
8983
9084
9185
92
9386
9487
9588
......
9790
9891
9992
100
10193
10294
10395
......
132124
133125
134126
135
127
128
136129
137130
138131
......
165158
166159
167160
168
169161
170162
171163
172164
173165
174166
175
176167
177168
178169
......
187178
188179
189180
190
191181
192182
193183
......
197187
198188
199189
190
200191
201192
202193
......
207198
208199
209200
210
211201
212202
213203
......
233223
234224
235225
236
237226
238227
239228
240229
241230
242231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
243249
244250
245251
246252
247253
248
254
249255
250256
251257
252
253
258
254259
255260
256261
257
262
258263
259264
260265
......
268273
269274
270275
276
271277
272278
273279
......
276282
277283
278284
279
280
281
285
282286
283
284
287
285288
286289
287290
288291
289
290292
291293
292294
......
297299
298300
299301
300
301
302
302
303303
304304
305305
......
312312
313313
314314
315
315
316316
317317
318318
......
320320
321321
322322
323
324
325
323
326324
327325
328326
329
330327
331328
332329
......
334331
335332
336333
337
338
334
339335
340336
341
342
337
343338
344339
345340
......
353348
354349
355350
356
357
351
358352
359353
360354
......
363357
364358
365359
366
367
368
369
360
361
370362
371363
372364
......
385377
386378
387379
388
389380
390381
391382
392383
393384
394
395
396385
397386
398
399
400
401
402387
403388
404389
......
407392
408393
409394
410
411
412395
413
414
415
396
397
416398
417399
418400
419401
420
421402
422403
423404
......
429410
430411
431412
432
433
434413
435414
436415
......
438417
439418
440419
441
420
442421
443422
444423
......
450429
451430
452431
453
454
432
455433
456434
457435
......
483461
484462
485463
486
487
464
488465
489466
490467
......
511488
512489
513490
514
515491
516492
517493
......
557533
558534
559535
560
561
562
536
563537
564538
565
566539
567540
568541
......
578551
579552
580553
581
582554
583555
584556
......
597569
598570
599571
600
601
602
572
603573
604574
605575
......
614584
615585
616586
617
618587
619588
620589
......
624593
625594
626595
627
628596
629597
630598
......
638606
639607
640608
641
642
643
644609
645610
646611
......
650615
651616
652617
653
618
654619
655620
656621
......
664629
665630
666631
667
668
669632
670633
671
672634
673635
674636
......
683645
684646
685647
686
687648
688649
689650
......
701662
702663
703664
704
665
705666
706667
707668
......
713674
714675
715676
716
717
718677
719678
720679
721680
722681
723682
724
683
725684
726685
727686
728687
729688
730
731689
732
690
733691
734
735
692
736693
737694
738695
......
762719
763720
764721
765
766
767722
768723
769
770724
771725
772726
......
791745
792746
793747
794
795748
796749
797750
......
803756
804757
805758
806
807759
808760
809761
......
818770
819771
820772
821
773
822774
823775
824776
......
858810
859811
860812
861
813
862814
863815
864816
......
936888
937889
938890
939
940891
941892
942893
void kernel_patcher_ignore_cache(void* arg1, void* arg2, void* arg3, void *arg4, void* arg5, void* arg6){}
void KernelPatcher_start()
{
register_kernel_patch(patch_cpuid_set_info_all, KERNEL_ANY, CPUID_MODEL_UNKNOWN);
// NOTE: following is currently 32bit only
register_kernel_patch(patch_lapic_configure, KERNEL_32, CPUID_MODEL_ANY);
register_kernel_symbol(KERNEL_ANY, "_panic");
register_kernel_symbol(KERNEL_ANY, "_cpuid_set_info");
register_kernel_symbol(KERNEL_ANY, "_pmCPUExitHaltToOff");
register_kernel_symbol(KERNEL_ANY, "_lapic_configure");
register_kernel_symbol(KERNEL_ANY, "_lapic_start");
register_kernel_symbol(KERNEL_ANY, "_lapic_interrupt_base");
// lapic_interrup symbols
//register_kernel_patch(patch_lapic_interrupt, KERNEL_ANY, CPUID_MODEL_ANY);
//register_kernel_symbol(KERNEL_ANY, "_lapic_interrupt");
// TODO: register needed symbols
register_hook_callback("ExecKernel", &patch_kernel);
replace_function("_getKernelCachePath", &kernel_patcher_ignore_cache);
}
/*
// CPU not in supported list, so we are going to add
// The patch will be applied
break;
}
}
else
// Invalid cpuid for current cpu. Ignoring patch
return;
}
}
}
kernelSymbols->symbol = (char*)name;
kernelSymbols->addr = 0;
}
else {
else
{
kernSymbols_t *symbol = kernelSymbols;
while(symbol->next != NULL)
{
{
return symbol;
}
}
void patch_kernel(void* kernelData, void* arg2, void* arg3, void *arg4, void* arg5, void* arg6)
{
patchRoutine_t* entry = patches;
int arch = determineKernelArchitecture(kernelData);
locate_symbols(kernelData);
}
entry = entry->next;
}
}
}
{
return KERNEL_32;
}
if(((struct mach_header*)kernelData)->magic == MH_MAGIC_64)
{
return KERNEL_64;
}
}
/**
**This functions located the requested symbols in the mach-o file.
**as well as determines the start of the __TEXT segment and __TEXT,__text sections
return 0xFFFFFFFF; // fixme
}
/**
** Locate the fisrt instance of _panic inside of _cpuid_set_info, and either remove it
** Or replace it so that the cpuid is set to a valid value.
**/
void patch_cpuid_set_info_all(void* kernelData)
{
// AnV: Extra cpuid fix for spoofing Nehalem CPU for i5/i9
switch(Platform->CPU.Family)
{
case 0x1E: /* Intel i5 */
case 0x2C: /* Intel i9 */
if(determineKernelArchitecture(kernelData) == KERNEL_32)
{
patch_cpuid_set_info_32(kernelData, CPUFAMILY_INTEL_NEHALEM, CPUID_MODEL_NEHALEM);
}
else
{
patch_cpuid_set_info_64(kernelData, CPUFAMILY_INTEL_NEHALEM, CPUID_MODEL_NEHALEM);
}
break;
}
switch(Platform->CPU.Model)
{
case CPUID_MODEL_ATOM:
if(determineKernelArchitecture(kernelData) == KERNEL_32)
{
patch_cpuid_set_info_32(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN);
patch_cpuid_set_info_32(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN);
}
else
{
patch_cpuid_set_info_64(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN);
patch_cpuid_set_info_64(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN);
}
break;
default:
if(determineKernelArchitecture(kernelData) == KERNEL_32)
{
break;
}
}
void patch_cpuid_set_info_64(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)
{
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);
patchLocation -= (UInt32)kernelData;// Remove offset
//UInt32 jumpLocation = 0;
if(symbol == 0 || symbol->addr == 0)
{
verbose("Unable to locate _cpuid_set_info\n");
return;
}
symbol = lookup_kernel_symbol("_panic");
return;
}
panicAddr -= (UInt32)kernelData;
//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)
while(
(bytes[patchLocation -1] != 0xE8) ||
patchLocation++;
}
patchLocation--;
// Remove panic just in ca se
// The panic instruction is exactly 5 bytes long.
bytes[patchLocation + 0] = 0x90;
bytes[patchLocation + 2] = 0x90;
bytes[patchLocation + 3] = 0x90;
bytes[patchLocation + 4] = 0x90;
// Check for a 10.2.0+ kernel
if(bytes[patchLocation - 19] == 0xC7 && bytes[patchLocation - 18] == 0x05)
{
UInt32 cpuid_cpufamily_addr =bytes[patchLocation - 17] << 0 |
bytes[patchLocation - 16] << 8 |
bytes[patchLocation - 15] << 16 |
// NOTE: may change, determined based on cpuid_info struct
UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 310;
//ffffff8000228b3b -> 0x00490e8b
//ffffff8000228c28 -> -237 -> 0x490D9E -> -310
// The mov is 10 bytes
/*
bytes[patchLocation - 19] = 0x90;// c7
bytes[patchLocation - 12] = (impersonateFamily & 0x0000FF00) >> 8;
bytes[patchLocation - 11] = (impersonateFamily & 0x00FF0000) >> 16;
bytes[patchLocation - 10] = (impersonateFamily & 0xFF000000) >> 24;
// The lea (%rip),%rip is 7 bytes
bytes[patchLocation - 9] = 0xC7;
bytes[patchLocation - 8] = 0x05;
bytes[patchLocation - 5] = ((cpuid_model_addr -10) & 0x00FF0000) >> 16;
bytes[patchLocation - 4] = ((cpuid_model_addr -10) & 0xFF000000) >> 24;
bytes[patchLocation - 3] = impersonateModel;// cpuid_model
// The xor eax eax is 2 bytes
// The xor eax eax is 2 bytes
bytes[patchLocation - 2] = 0x01;// cpuid_extmodel
bytes[patchLocation - 1] = 0x00;// cpuid_extfamily
// Total: 24 bytes
printf("Running on a 10.2.0+ kernel\n");
getc();
}
else {
printf("Running on a 10.0.0 kernel, patch unsupported\n");
getc();
}
}
void patch_cpuid_set_info_32(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)
{
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);
patchLocation -= (UInt32)kernelData;// Remove offset
UInt32 jumpLocation = 0;
UInt32 jumpLocation = 0;
if(symbol == 0 || symbol->addr == 0)
{
verbose("Unable to locate _cpuid_set_info\n");
return;
}
symbol = lookup_kernel_symbol("_panic");
}
panicAddr -= (UInt32)kernelData;
//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)
while(
(bytes[patchLocation -1] != 0xE8) ||
bytes[patchLocation + 1] << 8 |
bytes[patchLocation + 2] << 16 |
bytes[patchLocation + 3] << 24)))
)
)
{
patchLocation++;
}
bytes[patchLocation + 2] = 0x90;
bytes[patchLocation + 3] = 0x90;
bytes[patchLocation + 4] = 0x90;
// Locate the jump call, so that 10 bytes can be reclamed.
// NOTE: This will *NOT* be located on pre 10.6.2 kernels
jumpLocation = patchLocation - 15;
// NOTE: may change, determined based on cpuid_info struct
UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299;
// cpufamily
bytes[patchLocation - 11] = (impersonateFamily & 0x000000FF) >> 0;
bytes[patchLocation - 10] = (impersonateFamily & 0x0000FF00) >> 8;
bytes[patchLocation + 2] = 0x01;// cpuid_extmodel
bytes[patchLocation + 3] = 0x00;// cpuid_extfamily
bytes[patchLocation + 4] = 0x02;// cpuid_stepping
}
else if(impersonateFamily && impersonateModel)
{
bytes[patchLocation + 2] = 0x01;// cpuid_extmodel
bytes[patchLocation + 3] = 0x00;// cpuid_extfamily
bytes[patchLocation + 4] = 0x02;// cpuid_stepping
patchLocation = jumpLocation;
// We now have 14 bytes available for a patch
}
else
{
}
}
/**
** SleepEnabler.kext replacement (for those that need it)
** Located the KERN_INVALID_ARGUMENT return and replace it with KERN_SUCCESS
}
patchLocation -= (UInt32)kernelData;// Remove offset
while(bytes[patchLocation - 1]!= 0xB8 ||
bytes[patchLocation]!= 0x04 ||// KERN_INVALID_ARGUMENT (0x00000004)
bytes[patchLocation + 1]!= 0x00 ||// KERN_INVALID_ARGUMENT
void patch_lapic_init(void* kernelData)
{
UInt8 panicIndex = 0;
UInt8* bytes = (UInt8*)kernelData;
{
printf("Unable to locate %s\n", "_lapic_init");
return;
}
symbol = lookup_kernel_symbol("_panic");
patchLocation -= (UInt32)kernelData;// Remove offset
panicAddr -= (UInt32)kernelData;// Remove offset
// Locate the (panicIndex + 1) panic call
while(panicIndex < 3)// Find the third panic call
{
bytes[patchLocation + 1] << 8 |
bytes[patchLocation + 2] << 16 |
bytes[patchLocation + 3] << 24)))
)
)
{
patchLocation++;
}
bytes[++patchLocation] = 0x90;
bytes[++patchLocation] = 0x90;
bytes[++patchLocation] = 0x90;
}
void patch_commpage_stuff_routine(void* kernelData)
{
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = symbol->addr - textAddress + textSection;
symbol = lookup_kernel_symbol("_panic");
if(symbol == 0 || symbol->addr == 0)
{
bytes[patchLocation + 1] << 8 |
bytes[patchLocation + 2] << 16 |
bytes[patchLocation + 3] << 24)))
)
)
{
patchLocation++;
}
bytes[patchLocation + 2] = 0x90;
bytes[patchLocation + 3] = 0x90;
bytes[patchLocation + 4] = 0x90;
}
void patch_lapic_interrupt(void* kernelData)
{
// NOTE: this is a hack untill I finish patch_lapic_configure
UInt8* bytes = (UInt8*)kernelData;
kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_interrupt");
if(symbol == 0 || symbol->addr == 0)
{
printf("Unable to locate %s\n", "_lapic_interrupt");
return;
}
UInt32 patchLocation = symbol->addr - textAddress + textSection;
symbol = lookup_kernel_symbol("_panic");
if(symbol == 0 || symbol->addr == 0)
{
bytes[patchLocation + 2] = 0x90;
bytes[patchLocation + 3] = 0x90;
bytes[patchLocation + 4] = 0x90;
}
void patch_lapic_configure(void* kernelData)
{
UInt8* bytes = (UInt8*)kernelData;
}
lapicStart = symbol->addr;
symbol = lookup_kernel_symbol("_lapic_interrupt_base");
if(symbol == 0 || symbol->addr == 0)
{
lapicStart -= (UInt32)kernelData;
lapicInterruptBase -= (UInt32)kernelData;
// Looking for the following:
//movl _lapic_start,%e_x
//addl $0x00000320,%e_x
bytes[patchLocation + 3] << 24
)
)
) ||
) ||
(bytes[patchLocation + 4 ] != 0x81) ||
//(bytes[patchLocation + 5 ] != 0Cx2) ||// register
(bytes[patchLocation + 6 ] != 0x20) ||
bytes[patchLocation++];// = 0x00;
bytes[patchLocation++];// = 0x00;
*/
patchLocation += 3;
patchLocation += 3;
// c7 02 00 04 00 00 -> movl $0x00000400,(%edx)
bytes[patchLocation++] = 0xC7;
// Replace remaining with nops
bytes[patchLocation++] = 0x90;
bytes[patchLocation++] = 0x90;
bytes[patchLocation++] = 0x90;
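Review bot: The new Nehalem spoof in patch_cpuid_set_info_all switches on `Platform->CPU.Family` but its cases `0x1E` and `0x2C` (commented "Intel i5"/"Intel i9") are CPUID model numbers, not family values; the Core i5/i7/i9 parts those comments describe all report family 6, so unless this tree stores something other than the CPUID family in that field, the new block never matches and the spoof is dead code. The rest of the function already dispatches on `Platform->CPU.Model` (the `CPUID_MODEL_ATOM` case), so the minimal fix is `switch(Platform->CPU.Model)` for the new block as well, ideally with the tree's `CPUID_MODEL_*` constants in place of the bare literals. Once it does match, it is worth confirming that the second switch does not patch the same `_cpuid_set_info` bytes a second time for those models; its default branch is cut off by the rendering, as is the tail of patch_cpuid_set_info_all. Separately, `kernel_patcher_ignore_cache` is an empty stub installed over `_getKernelCachePath`; if that function returns a value to its caller, the stub should return an explicit value (presumably NULL) rather than fall off the end, and a one-line comment stating that the cache is deliberately bypassed so the on-disk kernel gets patched would document the intent recorded in CHANGES.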
