Chameleon

Chameleon Commit Details

Date:2010-08-10 07:56:26 (3 years 8 months ago)
Author:Evan Lojewski
Commit:341
Parents: 340
Message:Updates module code, dependencies now work correctly. Added KernelPatcher module (currently doesn't hook in anywhere). I need to fix the module loader so that the kernel patcher module loads / starts correctly.
Changes:
A/branches/meklort/i386/modules/KernelPatcher/kernel_patcher.c
A/branches/meklort/i386/modules/KernelPatcher/kernel_patcher.h
A/branches/meklort/i386/modules/KernelPatcher/Makefile
A/branches/meklort/i386/modules/KernelPatcher
M/branches/meklort/i386/boot2/boot.c
M/branches/meklort/i386/boot2/modules.c
M/branches/meklort/i386/modules/HelloWorld/HelloWorld.c
M/branches/meklort/i386/boot2/Makefile
M/branches/meklort/i386/boot2/modules.h
M/branches/meklort/i386/boot2/drivers.c

File differences

branches/meklort/i386/boot2/drivers.c
3838
3939
4040
41
4241
4342
4443
......
832831
833832
834833
835
834
836835
837836
838837
#include "bootstruct.h"
#include "xml.h"
#include "ramdisk.h"
#include "kernel_patcher.h"
extern char gMacOSVersion;
extern intrecoveryMode;
ret = ThinFatFile(&binary, &len);
}
patch_kernel(binary);
//patch_kernel(binary);
ret = DecodeMachO(binary, rentry, raddr, rsize);
branches/meklort/i386/boot2/Makefile
4242
4343
4444
45
45
4646
4747
4848
# The ordering is important;
# boot2.o must be first.
OBJS = boot2.o boot.o graphics.o drivers.o prompt.o options.o lzss.o mboot.o \
ramdisk.o picopng.o resume.o bmdecompress.o graphic_utils.o gui.o modules.o kernel_patcher.o
ramdisk.o picopng.o resume.o bmdecompress.o graphic_utils.o gui.o modules.o
# button.o browser.o scrollbar.o == NOTYET
UTILDIR = ../util
branches/meklort/i386/boot2/boot.c
287287
288288
289289
290
290
291291
292
293
294
292295
293296
294297
// Intialize module system
load_module(SYMBOLS_MODULE);
load_module("HelloWorld");
lookup_symbol = (void*)lookup_all_symbols("_lookup_symbol");
// Load a module
load_module("KernelPatcher");
// Disable rescan option by default
gEnableCDROMRescan = false;
branches/meklort/i386/boot2/modules.c
1717
1818
1919
20
21
22
23
2024
2125
2226
2327
2428
25
2629
2730
2831
......
177180
178181
179182
180
181
182
183
184
185
183
184
185
186
187
188
189
186190
187191
188192
......
243247
244248
245249
246
247250
248251
249252
......
728731
729732
730733
731
732
734
733735
734
735
736
737
738
739736
740737
741738
......
838835
839836
840837
841
838
842839
843840
844841
845
842
846843
847844
848845
void rebase_macho(void* base, char* rebase_stream, UInt32 size);
void bind_macho(void* base, char* bind_stream, UInt32 size);
/*
* Load a module file in /Extra/modules
* TODO: verify version number of module
*/
int load_module(const char* module)
{
// Check to see if the module has already been loaded
if(is_module_laoded(module))
{
printf("Module %s already loaded\n");
return 1;
}
break;
case LC_LOAD_DYLIB:
case LC_LOAD_WEAK_DYLIB:
{
// TODO: do this before
struct dylib_command* weakLoad = binary + binaryIndex;
load_module((char*)((UInt32)*((UInt32*)&weakLoad->dylib.name)));
}
case LC_LOAD_WEAK_DYLIB ^ LC_REQ_DYLD:
dylibCommand = binary + binaryIndex;
char* module = binary + binaryIndex + ((UInt32)*((UInt32*)&dylibCommand->dylib.name));
// =dylibCommand->dylib.current_version;
// =dylibCommand->dylib.compatibility_version;
load_module(module);
break;
case LC_ID_DYLIB:
// To satisfy cicular deps, the module_loaded command shoudl be run before the module init();
module_loaded(moduleName, moduleVersion, moduleCompat);
getc();
return module_start;
{
//printf("Adding symbol %s at 0x%X\n", symbol, addr);
//hack
if(strcmp(symbol, "_lookup_symbol") == 0)
if(!moduleSymbols)
{
//printf("Initializing lookup symbol function\n");
lookup_symbol = addr;
}
else if(!moduleSymbols)
{
moduleSymbols = malloc(sizeof(symbolList_t));
moduleSymbols->next = NULL;
moduleSymbols->addr = (unsigned int)addr;
return addr;
}
}
else
/*else
{
printf("Symbol.dylib not loaded. Module loader not setup.\n");
return 0xFFFFFFFF;
}
}*/
branches/meklort/i386/boot2/modules.h
77
88
99
10
11
1012
13
1114
1215
1316
......
2124
2225
2326
24
25
2627
2728
2829
......
4647
4748
4849
50
51
4952
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
#ifndef __BOOT_MODULES_H
#define __BOOT_MODULES_H
typedef struct symbolList_t{
char* symbol;
unsigned int addr;
struct moduleList_t* next;
} moduleList_t;
#ifndef __BOOT_MODULES_H
#define __BOOT_MODULES_H
#define SYMBOLS_MODULE "Symbols"
unsigned int lookup_all_symbols(const char* name);
extern unsigned int (*lookup_symbol)(const char*);
#endif /* __BOOT_MODULES_H */
branches/meklort/i386/modules/KernelPatcher/kernel_patcher.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
/*
* Copyright (c) 2009 Evan Lojewski. All rights reserved.
*
*/
#include "libsaio.h"
#include "kernel_patcher.h"
#include "platform.h"
//extern PlatformInfo_t Platform;
#define SYMBOL_CPUID_SET_INFO0
#define SYMBOL_PANIC1
#define SYMBOL_PMCPUEXITHALTTOOFF2
#define SYMBOL_LAPIC_INIT3
#define SYMBOL_COMMPAGE_STUFF_ROUTINE4
#define NUM_SYMBOLS5
#define SYMBOL_CPUID_SET_INFO_STRING"_cpuid_set_info"
#define SYMBOL_PANIC_STRING"_panic"
#define SYMBOL_PMCPUEXITHALTTOOFF_STRING"_pmCPUExitHaltToOff"
#define SYMBOL_LAPIC_INIT_STRING"_lapic_init"
#define SYMBOL_COMMPAGE_STUFF_ROUTINE_STRING"_commpage_stuff_routine"
char* kernelSymbols[NUM_SYMBOLS] = {
SYMBOL_CPUID_SET_INFO_STRING,
SYMBOL_PANIC_STRING,
SYMBOL_PMCPUEXITHALTTOOFF_STRING,
SYMBOL_LAPIC_INIT_STRING,
SYMBOL_COMMPAGE_STUFF_ROUTINE_STRING
};
UInt32 kernelSymbolAddresses[NUM_SYMBOLS] = {
0,
0,
0,
0,
0
};
UInt32 textSection = 0;
UInt32 textAddress = 0;
void HelloWorld_start();
void KernelPatcher_start()
{
printf("KernelPatcher(), about to call HelloWorld_start()\n");
//getc();
//HelloWorld_start();
}
void patch_kernel(void* kernelData)
{
switch (locate_symbols((void*)kernelData)) {
case KERNEL_32:
patch_kernel_32((void*)kernelData);
break;
case KERNEL_64:
default:
patch_kernel_64((void*)kernelData);
break;
}
}
// patches a 64bit kernel.
void patch_kernel_64(void* kernelData)
{
// At the moment, the kernel patching code fails when used
// in 64bit mode, so we don't patch it. This is due to 32bit vs 64bit
// pointers as well as changes in structure sizes
printf("Unable to patch 64bit kernel. Please use arch=i386.\n");
}
/**
** patch_kernel_32
**patches kernel based on cpu info determined earlier in the boot process.
**It the machine is vmware, remove the artificial lapic panic
**If the CPU is not supported, remove the cpuid_set_info panic
**If the CPU is and Intel Atom, inject the penryn cpuid info.
**/
void patch_kernel_32(void* kernelData)
{
// Remove panic in commpage
patch_commpage_stuff_routine(kernelData);
//patch_pmCPUExitHaltToOff(kernelData);// Not working as intended, disabled for now
//if(vmware_detected)
{
patch_lapic_init(kernelData);
}
switch(13)//Platform.CPU.Model)
{
// Known good CPU's, no reason to patch kernel
case 13:
case CPUID_MODEL_YONAH:
case CPUID_MODEL_MEROM:
case CPUID_MODEL_PENRYN:
case CPUID_MODEL_NEHALEM:
case CPUID_MODEL_FIELDS:
case CPUID_MODEL_DALES:
case CPUID_MODEL_NEHALEM_EX:
break;
// Known unsuported CPU's
case CPUID_MODEL_ATOM:
// TODO: Impersonate CPU based on user selection
patch_cpuid_set_info(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN);// Impersonate Penryn CPU
break;
// Unknown CPU's
default:
// TODO: Impersonate CPU based on user selection
patch_cpuid_set_info(kernelData, 0, 0);// Remove Panic Call
break;
}
}
/**
**This functions located the kernelSymbols[i] symbols in the mach-o header.
**as well as determines the start of the __TEXT segment and __TEXT,__text sections
**/
int locate_symbols(void* kernelData)
{
UInt16 symbolIndexes[NUM_SYMBOLS];
struct load_command *loadCommand;
struct symtab_command *symtableData;
struct nlist *symbolEntry;
char* symbolString;
UInt32 kernelIndex = 0;
kernelIndex += sizeof(struct mach_header);
if(((struct mach_header*)kernelData)->magic != MH_MAGIC) return KERNEL_64;
//printf("%d load commands beginning at 0x%X\n", (unsigned int)header->ncmds, (unsigned int)kernelIndex);
//printf("Commands take up %d bytes\n", header->sizeofcmds);
int cmd = 0;
while(cmd < ((struct mach_header*)kernelData)->ncmds)// TODO: for loop instead
{
cmd++;
loadCommand = kernelData + kernelIndex;
UInt cmdSize = loadCommand->cmdsize;
// Locate start of _panic and _cpuid_set_info in the symbol tabe.
// Load commands should be anded with 0x7FFFFFFF to ignore theLC_REQ_DYLD flag
if((loadCommand->cmd & 0x7FFFFFFF) == LC_SYMTAB)// We only care about the symtab segment
{
//printf("Located symtable, length is 0x%X, 0x%X\n", (unsigned int)loadCommand->cmdsize, (unsigned int)sizeof(symtableData));
symtableData = kernelData + kernelIndex;
kernelIndex += sizeof(struct symtab_command);
cmdSize -= sizeof(struct symtab_command);
// Loop through symbol table untill all of the symbols have been found
symbolString = kernelData + symtableData->stroff;
UInt16 symbolIndex = 0;
UInt8 numSymbolsFound = 0;
while(symbolIndex < symtableData->nsyms && numSymbolsFound < NUM_SYMBOLS)// TODO: for loop
{
int i = 0;
while(i < NUM_SYMBOLS)
{
if(strcmp(symbolString, kernelSymbols[i]) == 0)
{
symbolIndexes[i] = symbolIndex;
numSymbolsFound++;
}
i++;
}
symbolString += strlen(symbolString) + 1;
symbolIndex++;
}
// loop again
symbolIndex = 0;
numSymbolsFound = 0;
while(symbolIndex < symtableData->nsyms && numSymbolsFound < NUM_SYMBOLS)// TODO: for loop
{
symbolEntry = kernelData + symtableData->symoff + (symbolIndex * sizeof(struct nlist));
int i = 0;
while(i < NUM_SYMBOLS)
{
if(symbolIndex == (symbolIndexes[i] - 4))
{
kernelSymbolAddresses[i] = (UInt32)symbolEntry->n_value;
numSymbolsFound++;
}
i++;
}
symbolIndex ++;
}
// Load commands should be anded with 0x7FFFFFFF to ignore theLC_REQ_DYLD flag
} else if((loadCommand->cmd & 0x7FFFFFFF) == LC_SEGMENT)// We only care about the __TEXT segment, any other load command can be ignored
{
struct segment_command *segCommand;
segCommand = kernelData + kernelIndex;
//printf("Segment name is %s\n", segCommand->segname);
if(strcmp("__TEXT", segCommand->segname) == 0)
{
UInt32 sectionIndex;
sectionIndex = sizeof(struct segment_command);
struct section *sect;
while(sectionIndex < segCommand->cmdsize)
{
sect = kernelData + kernelIndex + sectionIndex;
sectionIndex += sizeof(struct section);
if(strcmp("__text", sect->sectname) == 0)
{
// __TEXT,__text found, save the offset and address for when looking for the calls.
textSection = sect->offset;
textAddress = sect->addr;
break;
}
}
}
kernelIndex += cmdSize;
} else {
kernelIndex += cmdSize;
}
}
return KERNEL_32;
}
/**
** Locate the fisrt instance of _panic inside of _cpuid_set_info, and either remove it
** Or replace it so that the cpuid is set to a valid value.
**/
void patch_cpuid_set_info(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)
{
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = (kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);
UInt32 jumpLocation = 0;
UInt32 panicAddr = kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;
if(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] == 0)
{
printf("Unable to locate _cpuid_set_info\n");
return;
}
if(kernelSymbolAddresses[SYMBOL_PANIC] == 0)
{
printf("Unable to locate _panic\n");
return;
}
//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)
while(
(bytes[patchLocation -1] != 0xE8) ||
( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 |
bytes[patchLocation + 1] << 8 |
bytes[patchLocation + 2] << 16 |
bytes[patchLocation + 3] << 24)))
)
{
patchLocation++;
}
patchLocation--;
// Remove panic call, just in case the following patch routines fail
bytes[patchLocation + 0] = 0x90;
bytes[patchLocation + 1] = 0x90;
bytes[patchLocation + 2] = 0x90;
bytes[patchLocation + 3] = 0x90;
bytes[patchLocation + 4] = 0x90;
// Locate the jump call, so that 10 bytes can be reclamed.
// NOTE: This will *NOT* be located on pre 10.6.2 kernels
jumpLocation = patchLocation - 15;
while((bytes[jumpLocation - 1] != 0x77 ||
bytes[jumpLocation] != (patchLocation - jumpLocation - -8)) &&
(patchLocation - jumpLocation) < 0xF0)
{
jumpLocation--;
}
// If found... AND we want to impersonate a specific cpumodel / family...
if(impersonateFamily &&
impersonateModel &&
((patchLocation - jumpLocation) < 0xF0))
{
bytes[jumpLocation] -= 10;// sizeof(movl$0x6b5a4cd2,0x00872eb4) = 10bytes
/*
* Inpersonate the specified CPU FAMILY and CPU Model
*/
// bytes[patchLocation - 17] = 0xC7;// already here... not needed to be done
// bytes[patchLocation - 16] = 0x05;// see above
UInt32 cpuid_cpufamily_addr =bytes[patchLocation - 15] << 0 |
bytes[patchLocation - 14] << 8 |
bytes[patchLocation - 13] << 16 |
bytes[patchLocation - 12] << 24;
// NOTE: may change, determined based on cpuid_info struct
UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299;
// cpufamily = CPUFAMILY_INTEL_PENRYN
bytes[patchLocation - 11] = (impersonateFamily & 0x000000FF) >> 0;
bytes[patchLocation - 10] = (impersonateFamily & 0x0000FF00) >> 8;
bytes[patchLocation - 9] = (impersonateFamily & 0x00FF0000) >> 16;
bytes[patchLocation - 8] = (impersonateFamily & 0xFF000000) >> 24;
// NOPS, just in case if the jmp call wasn't patched, we'll jump to a
// nop and continue with the rest of the patch
// Yay two free bytes :), 10 more can be reclamed if needed, as well as a few
// from the above code (only cpuid_model needs to be set.
bytes[patchLocation - 7] = 0x90;
bytes[patchLocation - 6] = 0x90;
bytes[patchLocation - 5] = 0xC7;
bytes[patchLocation - 4] = 0x05;
bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;
bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;
bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;
bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;
// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes
// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.
bytes[patchLocation + 1] = impersonateModel;// cpuid_model
bytes[patchLocation + 2] = 0x01;// cpuid_extmodel
bytes[patchLocation + 3] = 0x00;// cpuid_extfamily
bytes[patchLocation + 4] = 0x02;// cpuid_stepping
}
else if(impersonateFamily && impersonateModel)
{
// pre 10.6.2 kernel
// Locate the jump to directly *after* the panic call,
jumpLocation = patchLocation - 4;
while((bytes[jumpLocation - 1] != 0x77 ||
bytes[jumpLocation] != (patchLocation - jumpLocation + 4)) &&
(patchLocation - jumpLocation) < 0x20)
{
jumpLocation--;
}
// NOTE above isn't needed (I was going to use it, but I'm not, so instead,
// I'll just leave it to verify the binary stucture.
// NOTE: the cpumodel_familt data is not set in _cpuid_set_info
// so we don't need to set it here, I'll get set later based on the model
// we set now.
if((patchLocation - jumpLocation) < 0x20)
{
UInt32 cpuid_model_addr =(bytes[patchLocation - 14] << 0 |
bytes[patchLocation - 13] << 8 |
bytes[patchLocation - 12] << 16 |
bytes[patchLocation - 11] << 24);
// Remove jump
bytes[patchLocation - 9] = 0x90;/// Was a jump if supported cpu
bytes[patchLocation - 8] = 0x90;// jumped past the panic call, we want to override the panic
bytes[patchLocation - 7] = 0x90;
bytes[patchLocation - 6] = 0x90;
bytes[patchLocation - 5] = 0xC7;
bytes[patchLocation - 4] = 0x05;
bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;
bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;
bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;
bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;
// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes
// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.
bytes[patchLocation + 1] = impersonateModel;// cpuid_model
bytes[patchLocation + 2] = 0x01;// cpuid_extmodel
bytes[patchLocation + 3] = 0x00;// cpuid_extfamily
bytes[patchLocation + 4] = 0x02;// cpuid_stepping
patchLocation = jumpLocation;
// We now have 14 bytes available for a patch
}
else
{
// Patching failed, using NOP replacement done initialy
}
}
else
{
// Either We were unable to change the jump call due to the function's sctructure
// changing, or the user did not request a patch. As such, resort to just
// removing the panic call (using NOP replacement above). Note that the
// IntelCPUPM kext may still panic due to the cpu's Model ID not being patched
}
}
/**
** SleepEnabler.kext replacement (for those that need it)
** Located the KERN_INVALID_ARGUMENT return and replace it with KERN_SUCCESS
**/
void patch_pmCPUExitHaltToOff(void* kernelData)
{
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = (kernelSymbolAddresses[SYMBOL_PMCPUEXITHALTTOOFF] - textAddress + textSection);
if(kernelSymbolAddresses[SYMBOL_PMCPUEXITHALTTOOFF] == 0)
{
printf("Unable to locate _pmCPUExitHaltToOff\n");
return;
}
while(bytes[patchLocation - 1]!= 0xB8 ||
bytes[patchLocation]!= 0x04 ||// KERN_INVALID_ARGUMENT (0x00000004)
bytes[patchLocation + 1]!= 0x00 ||// KERN_INVALID_ARGUMENT
bytes[patchLocation + 2]!= 0x00 ||// KERN_INVALID_ARGUMENT
bytes[patchLocation + 3]!= 0x00)// KERN_INVALID_ARGUMENT
{
patchLocation++;
}
bytes[patchLocation] = 0x00;// KERN_SUCCESS;
}
void patch_lapic_init(void* kernelData)
{
UInt8 panicIndex = 0;
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = (kernelSymbolAddresses[SYMBOL_LAPIC_INIT] - textAddress + textSection);
UInt32 panicAddr = kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;
if(kernelSymbolAddresses[SYMBOL_LAPIC_INIT] == 0)
{
printf("Unable to locate %s\n", SYMBOL_LAPIC_INIT_STRING);
return;
}
if(kernelSymbolAddresses[SYMBOL_PANIC] == 0)
{
printf("Unable to locate %s\n", SYMBOL_PANIC_STRING);
return;
}
// Locate the (panicIndex + 1) panic call
while(panicIndex < 3)// Find the third panic call
{
while(
(bytes[patchLocation -1] != 0xE8) ||
( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 |
bytes[patchLocation + 1] << 8 |
bytes[patchLocation + 2] << 16 |
bytes[patchLocation + 3] << 24)))
)
{
patchLocation++;
}
patchLocation++;
panicIndex++;
}
patchLocation--;// Remove extra increment from the < 3 while loop
bytes[--patchLocation] = 0x90;
bytes[++patchLocation] = 0x90;
bytes[++patchLocation] = 0x90;
bytes[++patchLocation] = 0x90;
bytes[++patchLocation] = 0x90;
}
void patch_commpage_stuff_routine(void* kernelData)
{
UInt8* bytes = (UInt8*)kernelData;
UInt32 patchLocation = (kernelSymbolAddresses[SYMBOL_COMMPAGE_STUFF_ROUTINE] - textAddress + textSection);
UInt32 panicAddr = kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;
if(kernelSymbolAddresses[SYMBOL_COMMPAGE_STUFF_ROUTINE] == 0)
{
printf("Unable to locate %s\n", SYMBOL_COMMPAGE_STUFF_ROUTINE_STRING);
return;
}
if(kernelSymbolAddresses[SYMBOL_PANIC] == 0)
{
printf("Unable to locate %s\n", SYMBOL_PANIC_STRING);
return;
}
while(
(bytes[patchLocation -1] != 0xE8) ||
( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 |
bytes[patchLocation + 1] << 8 |
bytes[patchLocation + 2] << 16 |
bytes[patchLocation + 3] << 24)))
)
{
patchLocation++;
}
patchLocation--;
// Remove panic call, just in case the following patch routines fail
bytes[patchLocation + 0] = 0x90;
bytes[patchLocation + 1] = 0x90;
bytes[patchLocation + 2] = 0x90;
bytes[patchLocation + 3] = 0x90;
bytes[patchLocation + 4] = 0x90;
}
branches/meklort/i386/modules/KernelPatcher/kernel_patcher.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
/*
* Copyright (c) 2009 Evan Lojewski. All rights reserved.
*
*/
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
#ifndef __BOOT2_KERNEL_PATCHER_H
#define __BOOT2_KERNEL_PATCHER_H
#define CPUID_MODEL_YONAH14
#define CPUID_MODEL_MEROM15
#define CPUID_MODEL_PENRYN23
#define CPUID_MODEL_NEHALEM26
#define CPUID_MODEL_ATOM28
#define CPUID_MODEL_FIELDS30/* Lynnfield, Clarksfield, Jasper */
#define CPUID_MODEL_DALES31/* Havendale, Auburndale */
#define CPUID_MODEL_NEHALEM_EX46
void patch_kernel(void* kernelData);
#define KERNEL_641
#define KERNEL_322
int locate_symbols(void* kernelData);
void patch_kernel_32(void* kernelData);
void patch_kernel_64(void* kernelData);
void patch_cpuid_set_info(void* kernelData, UInt32 impersonateFamily, UInt8 inpersonateModel);
void patch_pmCPUExitHaltToOff(void* kernelData);
void patch_lapic_init(void* kernelData);
void patch_commpage_stuff_routine(void* kernelData);
#endif /* !__BOOT2_KERNEL_PATCHER_H */
branches/meklort/i386/modules/KernelPatcher/Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
MODULE_NAME = KernelPatcher
MODULE_VERSION = "1.0.0"
MODULE_COMPAT_VERSION = "1.0.0"
MODULE_START = _$(MODULE_NAME)_start
MODULE_DEPENDENCIES =
DIR = HelloWorld
include ../../MakePaths.dir
OBJROOT=../../../obj/i386/modules/$(DIR)
SYMROOT=../../../sym/i386/modules/
DSTROOT=../../../dst/i386/modules/
UTILDIR = ../../util
LIBSADIR = ../../libsa
LIBSAIODIR = ../../libsaio
BOOT2DIR = ../../boot2
INSTALLDIR = $(DSTROOT)/System/Library/Frameworks/System.framework/Versions/B/PrivateHeaders/standalone
OPTIM = -Os -Oz
DEBUG = -DNOTHING
#DEBUG = -DDEBUG_HELLO_WORLD=1
CFLAGS= $(RC_CFLAGS) $(OPTIM) $(MORECPP) -arch i386 -g -Wmost \
-D__ARCHITECTURE__=\"i386\" -DSAIO_INTERNAL_USER \
-DRCZ_COMPRESSED_FILE_SUPPORT $(DEBUG) \
-fno-builtin $(OMIT_FRAME_POINTER_CFLAG) \
-mpreferred-stack-boundary=2 -fno-align-functions -fno-stack-protector \
-march=pentium4 -msse2 -mfpmath=sse -msoft-float -fno-common
DEFINES=
CONFIG = hd
INC = -I. -I.. -I$(SYMROOT) -I$(UTILDIR) -I$(LIBSADIR) -I$(LIBSAIODIR) -I$(BOOT2DIR)
ifneq "" "$(wildcard /bin/mkdirs)"
MKDIRS = /bin/mkdirs
else
MKDIRS = /bin/mkdir -p
endif
AS = as
LD = ld
# LIBS= -lc_static
LIBS=
VPATH = $(OBJROOT):$(SYMROOT)
OBJS = kernel_patcher.o
SFILES =
CFILES =
HFILES =
EXPORTED_HFILES =
INSTALLED_HFILES =
OTHERFILES = Makefile
ALLSRC = $(SFILES) $(CFILES) \
$(HFILES) $(OTHERFILES)
DIRS_NEEDED = $(OBJROOT) $(SYMROOT)
all embedtheme: ${OBJS} dylib
dylib: ${OBJS}
ld -flat_namespace -arch i386 \
-undefined suppress \
-alias $(MODULE_START) start \
-dylib -read_only_relocs suppress \
-S -x -dead_strip_dylibs \
-no_uuid \
-bind_at_load \
-current_version $(MODULE_VERSION) -compatibility_version $(MODULE_COMPAT_VERSION) \
-final_output $(MODULE_NAME) \
-weak_library $(SYMROOT)/Symbols.dylib \
-weak_library $(SYMROOT)/HelloWorld.dylib \
$(OBJROOT)/kernel_patcher.o -o $(SYMROOT)/$(MODULE_NAME).dylib
kernel_patcher.o:
$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFINES) -c "kernel_patcher.c" $(INC) -o "$(OBJROOT)/kernel_patcher.o"
include ../../MakeInc.dir
# dependencies
-include $(OBJROOT)/Makedep
branches/meklort/i386/modules/HelloWorld/HelloWorld.c
55
66
77
8
9
108
119
12
1310
1411
#include "libsaio.h"
void Symbols_start();
void HelloWorld_start()
{
Symbols_start();
printf("Hello World from a module\n");
}

Archive Download the corresponding diff file

Revision: 341