branches/meklort/i386/modules/KernelPatcher/kernel_patcher.c - Chameleon Svn Source Tree - Chameleon open source boot loader project.

Root/branches/meklort/i386/modules/KernelPatcher/kernel_patcher.c

Source at commit 482 created 13 years 7 months ago. By meklort, Modified macho parser to handle 64bit files properly (untested). Modified module hooks to be a sorted linked list for now, I may convert to a faster search later on. I should now be able to add 64bit support to the kernel patcher.
1	␉/*␊
2	* Copyright (c) 2009-2010 Evan Lojewski. All rights reserved.␊
3	*␊
4	*/␊
5	␊
6	#include "libsaio.h"␊
7	#include "kernel_patcher.h"␊
8	#include "platform.h"␊
9	#include "modules.h"␊
10	extern PlatformInfo_t Platform;␊
11	␊
12	patchRoutine_t* patches = NULL;␊
13	kernSymbols_t* kernelSymbols = NULL;␊
14	␊
15	␊
16	UInt32 textSection = 0;␊
17	UInt32 textAddress = 0;␊
18	␊
19	␊
20	void KernelPatcher_start()␊
21	{␊
22	␉//register_kernel_patch(patch_cpuid_set_info, KERNEL_32, CPUID_MODEL_ATOM);␉␉// TODO: CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN␊
23	␉//register_kernel_patch(patch_cpuid_set_info, KERNEL_32, CPUID_MODEL_UNKNOWN);␉// 0, 0 ␊
24	␉register_kernel_patch(patch_cpuid_set_info_all, KERNEL_32, CPUID_MODEL_UNKNOWN); ␊
25	␊
26	␉register_kernel_patch(patch_commpage_stuff_routine, KERNEL_32, CPUID_MODEL_ANY);␊
27	␉␊
28	␉register_kernel_patch(patch_lapic_init, KERNEL_32, CPUID_MODEL_ANY);␊
29	␊
30	␉register_kernel_patch(patch_lapic_configure, KERNEL_32, CPUID_MODEL_ANY);␊
31	␉//register_kernel_patch(patch_lapic_interrupt, KERNEL_32, CPUID_MODEL_ANY);␊
32	␊
33	␉␊
34	␉register_kernel_symbol(KERNEL_32, "_panic");␊
35	␉register_kernel_symbol(KERNEL_32, "_cpuid_set_info");␊
36	␉register_kernel_symbol(KERNEL_32, "_pmCPUExitHaltToOff");␊
37	␉register_kernel_symbol(KERNEL_32, "_lapic_init");␊
38	␉register_kernel_symbol(KERNEL_32, "_commpage_stuff_routine");␊
39	␊
40	␉// LAPIC configure symbols␊
41	␉register_kernel_symbol(KERNEL_32, "_lapic_configure");␊
42	␉register_kernel_symbol(KERNEL_32, "_lapic_interrupt");␊
43	␊
44	␉register_kernel_symbol(KERNEL_32, "_lapic_start");␊
45	␉register_kernel_symbol(KERNEL_32, "_lapic_interrupt_base");␊
46	␊
47	␉␊
48	␉// TODO: register needed symbols␊
49	␉␊
50	␉␊
51	␉register_hook_callback("ExecKernel", &patch_kernel); ␊
52	}␊
53	␊
54	/*␊
55	* Register a kerenl patch␊
56	*/␊
57	void register_kernel_patch(void* patch, int arch, int cpus)␊
58	{␊
59	␉// TODO: only insert valid patches based on current cpuid and architecture␊
60	␉// AKA, don't at 64bit patches if it's a 32bit only machine␊
61	␉patchRoutine_t* entry;␊
62	␉␊
63	␉// TODO: verify Platform.CPU.Model is populated this early in bootup␊
64	␉// Check to ensure that the patch is valid on this machine␊
65	␉// If it is not, exit early form this function␊
66	␉if(cpus != Platform.CPU.Model)␊
67	␉{␊
68	␉␉if(cpus != CPUID_MODEL_ANY)␊
69	␉␉{␊
70	␉␉␉if(cpus == CPUID_MODEL_UNKNOWN)␊
71	␉␉␉{␊
72	␉␉␉␉switch(Platform.CPU.Model)␊
73	␉␉␉␉{␊
74	␉␉␉␉␉case 13:␊
75	␉␉␉␉␉case CPUID_MODEL_YONAH:␊
76	␉␉␉␉␉case CPUID_MODEL_MEROM:␊
77	␉␉␉␉␉case CPUID_MODEL_PENRYN:␊
78	␉␉␉␉␉case CPUID_MODEL_NEHALEM:␊
79	␉␉␉␉␉case CPUID_MODEL_FIELDS:␊
80	␉␉␉␉␉case CPUID_MODEL_DALES:␊
81	␉␉␉␉␉case CPUID_MODEL_NEHALEM_EX:␊
82	␉␉␉␉␉␉// Known cpu's we don't want to add the patch␊
83	␉␉␉␉␉␉return;␊
84	␉␉␉␉␉␉break;␊
85	␊
86	␉␉␉␉␉default:␊
87	␉␉␉␉␉␉// CPU not in supported list, so we are going to add␊
88	␉␉␉␉␉␉// The patch will be applied␊
89	␉␉␉␉␉␉break;␊
90	␉␉␉␉␉␉␊
91	␉␉␉␉}␊
92	␉␉␉}␊
93	␉␉␉else␊
94	␉␉␉{␊
95	␉␉␉␉// Invalid cpuid for current cpu. Ignoring patch␊
96	␉␉␉␉return;␊
97	␉␉␉}␊
98	␊
99	␉␉}␊
100	␉}␊
101	␉␉␊
102	␉if(patches == NULL)␊
103	␉{␊
104	␉␉patches = entry = malloc(sizeof(patchRoutine_t));␊
105	␉}␊
106	␉else␊
107	␉{␊
108	␉␉entry = patches;␊
109	␉␉while(entry->next)␊
110	␉␉{␊
111	␉␉␉entry = entry->next;␊
112	␉␉}␊
113	␉␉␊
114	␉␉entry->next = malloc(sizeof(patchRoutine_t));␊
115	␉␉entry = entry->next;␊
116	␉}␊
117	␉␊
118	␉entry->next = NULL;␊
119	␉entry->patchRoutine = patch;␊
120	␉entry->validArchs = arch;␊
121	␉entry->validCpu = cpus;␊
122	}␊
123	␊
124	void register_kernel_symbol(int kernelType, const char* name)␊
125	{␊
126	␉if(kernelSymbols == NULL)␊
127	␉{␊
128	␉␉kernelSymbols = malloc(sizeof(kernSymbols_t));␊
129	␉␉kernelSymbols->next = NULL;␊
130	␉␉kernelSymbols->symbol = (char*)name;␊
131	␉␉kernelSymbols->addr = 0;␊
132	␉}␊
133	␉else {␊
134	␉␉kernSymbols_t *symbol = kernelSymbols;␊
135	␉␉while(symbol->next != NULL)␊
136	␉␉{␊
137	␉␉␉symbol = symbol->next;␊
138	␉␉}␊
139	␉␉␊
140	␉␉symbol->next = malloc(sizeof(kernSymbols_t));␊
141	␉␉symbol = symbol->next;␊
142	␊
143	␉␉symbol->next = NULL;␊
144	␉␉symbol->symbol = (char*)name;␊
145	␉␉symbol->addr = 0;␊
146	␉}␊
147	}␊
148	␊
149	kernSymbols_t* lookup_kernel_symbol(const char* name)␊
150	{␊
151	␉kernSymbols_t *symbol = kernelSymbols;␊
152	␊
153	␉while(symbol && strcmp(symbol->symbol, name) !=0)␊
154	␉{␊
155	␉␉symbol = symbol->next;␊
156	␉}␊
157	␉␊
158	␉if(!symbol)␊
159	␉{␊
160	␉␉return NULL;␊
161	␉}␊
162	␉else␊
163	␉{␊
164	␉␉return symbol;␊
165	␉}␊
166	␊
167	}␊
168	␊
169	void patch_kernel(void* kernelData, void* arg2, void* arg3, void *arg4)␊
170	{␊
171	␉patchRoutine_t* entry = patches;␊
172	␊
173	␉␊
174	␉int arch = determineKernelArchitecture(kernelData);␊
175	␊
176	␉locate_symbols(kernelData);␊
177	␉␊
178	␉␊
179	␉if(patches != NULL)␊
180	␉{␊
181	␉␉while(entry)␊
182	␉␉{␊
183	␉␉␉if(entry->validArchs == KERNEL_ANY \|\| arch == entry->validArchs)␊
184	␉␉␉{␊
185	␉␉␉␉if(entry->patchRoutine) entry->patchRoutine(kernelData);␊
186	␉␉␉}␊
187	␉␉␉entry = entry->next;␊
188	␉␉}␊
189	␉␉␊
190	␉}␊
191	}␊
192	␊
193	int determineKernelArchitecture(void* kernelData)␊
194	{␉␊
195	␉if(((struct mach_header*)kernelData)->magic == MH_MAGIC)␊
196	␉{␊
197	␉␉return KERNEL_32;␊
198	␉}␊
199	␉if(((struct mach_header*)kernelData)->magic == MH_MAGIC_64)␊
200	␉{␊
201	␉␉return KERNEL_64;␊
202	␉}␊
203	␉else␊
204	␉{␊
205	␉␉return KERNEL_ERR;␊
206	␉}␊
207	}␊
208	␊
209	␊
210	/**␊
211	**␉␉This functions located the requested symbols in the mach-o file.␊
212	**␉␉␉as well as determines the start of the __TEXT segment and __TEXT,__text sections␊
213	**/␊
214	int locate_symbols(void* kernelData)␊
215	{␊
216	␊
217	␉struct load_command *loadCommand;␊
218	␉struct symtab_command *symtableData;␊
219	␉//␉struct nlist *symbolEntry;␊
220	␉␊
221	␉char* symbolString;␊
222	␊
223	␉UInt32 kernelIndex = 0;␊
224	␉kernelIndex += sizeof(struct mach_header);␊
225	␉␊
226	␉if(((struct mach_header*)kernelData)->magic != MH_MAGIC) return KERNEL_64;␊
227	␉␊
228	␉␊
229	␉int cmd = 0;␊
230	␉while(cmd < ((struct mach_header*)kernelData)->ncmds)␉// TODO: for loop instead␊
231	␉{␊
232	␉␉cmd++;␊
233	␉␉␊
234	␉␉loadCommand = kernelData + kernelIndex;␊
235	␉␉␊
236	␉␉UInt cmdSize = loadCommand->cmdsize;␊
237	␉␉␊
238	␉␉␊
239	␉␉if((loadCommand->cmd & 0x7FFFFFFF) == LC_SYMTAB)␉␉// We only care about the symtab segment␊
240	␉␉{␊
241	␉␉␉//printf("Located symtable, length is 0x%X, 0x%X\n", (unsigned int)loadCommand->cmdsize, (unsigned int)sizeof(symtableData));␊
242	␉␉␉␊
243	␉␉␉symtableData = kernelData + kernelIndex;␊
244	␉␉␉kernelIndex += sizeof(struct symtab_command);␊
245	␉␉␊
246	␉␉␉symbolString = kernelData + symtableData->stroff;␊
247	␉␉}␊
248	␉␉else if((loadCommand->cmd & 0x7FFFFFFF) == LC_SEGMENT)␉␉// We only care about the __TEXT segment, any other load command can be ignored␊
249	␉␉{␊
250	␉␉␉␊
251	␉␉␉struct segment_command *segCommand;␊
252	␉␉␉␊
253	␉␉␉segCommand = kernelData + kernelIndex;␊
254	␉␉␉␊
255	␉␉␉//printf("Segment name is %s\n", segCommand->segname);␊
256	␉␉␉␊
257	␉␉␉if(strcmp("__TEXT", segCommand->segname) == 0)␊
258	␉␉␉{␊
259	␉␉␉␉UInt32 sectionIndex;␊
260	␉␉␉␉␊
261	␉␉␉␉sectionIndex = sizeof(struct segment_command);␊
262	␉␉␉␉␊
263	␉␉␉␉struct section *sect;␊
264	␉␉␉␉␊
265	␉␉␉␉while(sectionIndex < segCommand->cmdsize)␊
266	␉␉␉␉{␊
267	␉␉␉␉␉sect = kernelData + kernelIndex + sectionIndex;␊
268	␉␉␉␉␉␊
269	␉␉␉␉␉sectionIndex += sizeof(struct section);␊
270	␉␉␉␉␉␊
271	␉␉␉␉␉␊
272	␉␉␉␉␉if(strcmp("__text", sect->sectname) == 0)␊
273	␉␉␉␉␉{␊
274	␉␉␉␉␉␉// __TEXT,__text found, save the offset and address for when looking for the calls.␊
275	␉␉␉␉␉␉textSection = sect->offset;␊
276	␉␉␉␉␉␉textAddress = sect->addr;␊
277	␉␉␉␉␉␉break;␊
278	␉␉␉␉␉}␉␉␉␉␉␊
279	␉␉␉␉}␊
280	␉␉␉}␊
281	␉␉␉␊
282	␉␉␉␊
283	␉␉␉kernelIndex += cmdSize;␊
284	␉␉} else {␊
285	␉␉␉kernelIndex += cmdSize;␊
286	␉␉}␊
287	␉}␊
288	␉␊
289	␉handle_symtable((UInt32)kernelData, symtableData, &symbol_handler, determineKernelArchitecture(kernelData) == KERNEL_64);␊
290	}␊
291	␊
292	long long symbol_handler(char* symbolName, long long addr, char is64)␊
293	{␊
294	␉// Locate the symbol in the list, if it exists, update it's address␊
295	␉kernSymbols_t *symbol = lookup_kernel_symbol(symbolName);␊
296	␉␊
297	␉␊
298	␉if(symbol)␊
299	␉{␊
300	␉␉symbol->addr = addr;␊
301	␉}␊
302	␉return 0xFFFFFFFF; // fixme␊
303	}␊
304	␊
305	␊
306	/**␊
307	** Locate the fisrt instance of _panic inside of _cpuid_set_info, and either remove it␊
308	** Or replace it so that the cpuid is set to a valid value.␊
309	**/␊
310	void patch_cpuid_set_info_all(void* kernelData)␊
311	{␊
312	␉switch(Platform.CPU.Model)␊
313	␉{␊
314	␉␉case CPUID_MODEL_ATOM:␊
315	␉␉␉patch_cpuid_set_info(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN); ␊
316	␉␉␉break;␊
317	␉␉␉␊
318	␉␉default:␊
319	␉␉␉patch_cpuid_set_info(kernelData, 0, 0);␊
320	␉␉␉break;␊
321	␉}␊
322	}␊
323	␊
324	void patch_cpuid_set_info(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)␊
325	{␉␊
326	␉UInt8* bytes = (UInt8*)kernelData;␊
327	␉␊
328	␉kernSymbols_t *symbol = lookup_kernel_symbol("_cpuid_set_info");␊
329	␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //␉(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);␊
330	␉␊
331	␉UInt32 jumpLocation = 0;␊
332	␉␊
333	␉␊
334	␉if(symbol == 0 \|\| symbol->addr == 0)␊
335	␉{␊
336	␉␉printf("Unable to locate _cpuid_set_info\n");␊
337	␉␉return;␊
338	␉␉␊
339	␉}␊
340	␊
341	␉symbol = lookup_kernel_symbol("_panic");␊
342	␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; //kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;␊
343	␉if(symbol == 0 \|\| symbol->addr == 0)␊
344	␉{␊
345	␉␉printf("Unable to locate _panic\n");␊
346	␉␉return;␊
347	␉}␊
348	␉␊
349	␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
350	␉panicAddr -= (UInt32)kernelData;␊
351	␊
352	␊
353	␉␊
354	␉␊
355	␉␊
356	␉//TODO: don't assume it'll always work (Look for next function address in symtab and fail once it's been reached)␊
357	␉while( ␊
358	␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
359	␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
360	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
361	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
362	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
363	␉␉ )␊
364	␉{␊
365	␉␉patchLocation++;␊
366	␉}␊
367	␉patchLocation--;␊
368	␉␊
369	␉// Remove panic call, just in case the following patch routines fail␊
370	␉bytes[patchLocation + 0] = 0x90;␊
371	␉bytes[patchLocation + 1] = 0x90;␊
372	␉bytes[patchLocation + 2] = 0x90;␊
373	␉bytes[patchLocation + 3] = 0x90;␊
374	␉bytes[patchLocation + 4] = 0x90;␊
375	␉␊
376	␉␊
377	␉// Locate the jump call, so that 10 bytes can be reclamed.␊
378	␉// NOTE: This will NOT be located on pre 10.6.2 kernels␊
379	␉jumpLocation = patchLocation - 15;␊
380	␉while((bytes[jumpLocation - 1] != 0x77 \|\|␊
381	␉␉ bytes[jumpLocation] != (patchLocation - jumpLocation - -8)) &&␊
382	␉␉ (patchLocation - jumpLocation) < 0xF0)␊
383	␉{␊
384	␉␉jumpLocation--;␊
385	␉}␊
386	␉␊
387	␉// If found... AND we want to impersonate a specific cpumodel / family...␊
388	␉if(impersonateFamily &&␊
389	␉ impersonateModel &&␊
390	␉ ((patchLocation - jumpLocation) < 0xF0))␊
391	␉{␊
392	␉␉␊
393	␉␉bytes[jumpLocation] -= 10;␉␉// sizeof(movl␉$0x6b5a4cd2,0x00872eb4) = 10bytes␊
394	␉␉␊
395	␉␉/* ␊
396	␉␉ * Inpersonate the specified CPU FAMILY and CPU Model␊
397	␉␉ */␊
398	␊
399	␉␉// bytes[patchLocation - 17] = 0xC7;␉// already here... not needed to be done␊
400	␉␉// bytes[patchLocation - 16] = 0x05;␉// see above␊
401	␉␉UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0 \|␊
402	␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 14] << 8 \|␊
403	␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 13] << 16 \|␊
404	␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 12] << 24;␊
405	␉␉␊
406	␉␉// NOTE: may change, determined based on cpuid_info struct␊
407	␉␉UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299; ␊
408	␉␉␊
409	␉␉␊
410	␉␉// cpufamily = CPUFAMILY_INTEL_PENRYN␊
411	␉␉bytes[patchLocation - 11] = (impersonateFamily & 0x000000FF) >> 0;␊
412	␉␉bytes[patchLocation - 10] = (impersonateFamily & 0x0000FF00) >> 8;␊
413	␉␉bytes[patchLocation - 9] = (impersonateFamily & 0x00FF0000) >> 16;␉␊
414	␉␉bytes[patchLocation - 8] = (impersonateFamily & 0xFF000000) >> 24;␊
415	␉␉␊
416	␉␉// NOPS, just in case if the jmp call wasn't patched, we'll jump to a␊
417	␉␉// nop and continue with the rest of the patch␊
418	␉␉// Yay two free bytes :), 10 more can be reclamed if needed, as well as a few␊
419	␉␉// from the above code (only cpuid_model needs to be set.␊
420	␉␉bytes[patchLocation - 7] = 0x90;␊
421	␉␉bytes[patchLocation - 6] = 0x90;␊
422	␉␉␊
423	␉␉bytes[patchLocation - 5] = 0xC7;␊
424	␉␉bytes[patchLocation - 4] = 0x05;␊
425	␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊
426	␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊
427	␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊
428	␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊
429	␉␉␊
430	␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊
431	␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊
432	␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊
433	␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊
434	␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊
435	␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊
436	␉␉␊
437	␉}␊
438	␉else if(impersonateFamily && impersonateModel)␊
439	␉{␊
440	␉␉// pre 10.6.2 kernel␊
441	␉␉// Locate the jump to directly after the panic call,␊
442	␉␉jumpLocation = patchLocation - 4;␊
443	␉␉while((bytes[jumpLocation - 1] != 0x77 \|\|␊
444	␉␉␉ bytes[jumpLocation] != (patchLocation - jumpLocation + 4)) &&␊
445	␉␉␉ (patchLocation - jumpLocation) < 0x20)␊
446	␉␉{␊
447	␉␉␉jumpLocation--;␊
448	␉␉}␊
449	␉␉// NOTE above isn't needed (I was going to use it, but I'm not, so instead,␊
450	␉␉// I'll just leave it to verify the binary stucture.␊
451	␉␉␊
452	␉␉// NOTE: the cpumodel_familt data is not set in _cpuid_set_info␊
453	␉␉// so we don't need to set it here, I'll get set later based on the model␊
454	␉␉// we set now.␊
455	␉␉␊
456	␉␉if((patchLocation - jumpLocation) < 0x20)␊
457	␉␉{␊
458	␉␉␉UInt32 cpuid_model_addr =␉(bytes[patchLocation - 14] << 0 \|␊
459	␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 13] << 8 \|␊
460	␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 12] << 16 \|␊
461	␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 11] << 24);␊
462	␉␉␉// Remove jump␊
463	␉␉␉bytes[patchLocation - 9] = 0x90;␉␉/// Was a jump if supported cpu␊
464	␉␉␉bytes[patchLocation - 8] = 0x90;␉␉// jumped past the panic call, we want to override the panic␊
465	␊
466	␉␉␉bytes[patchLocation - 7] = 0x90;␊
467	␉␉␉bytes[patchLocation - 6] = 0x90;␊
468	␉␉␉␊
469	␉␉␉bytes[patchLocation - 5] = 0xC7;␊
470	␉␉␉bytes[patchLocation - 4] = 0x05;␊
471	␉␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊
472	␉␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊
473	␉␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊
474	␉␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊
475	␉␉␉␊
476	␉␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊
477	␉␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊
478	␉␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊
479	␉␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊
480	␉␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊
481	␉␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊
482	␉␉␉␊
483	␉␉␉␊
484	␉␉␉␊
485	␉␉␉patchLocation = jumpLocation;␊
486	␉␉␉// We now have 14 bytes available for a patch␊
487	␉␉␉␊
488	␉␉}␊
489	␉␉else ␊
490	␉␉{␊
491	␉␉␉// Patching failed, using NOP replacement done initialy␊
492	␉␉}␊
493	␉}␊
494	␉else ␊
495	␉{␊
496	␉␉// Either We were unable to change the jump call due to the function's sctructure␊
497	␉␉// changing, or the user did not request a patch. As such, resort to just ␊
498	␉␉// removing the panic call (using NOP replacement above). Note that the␊
499	␉␉// IntelCPUPM kext may still panic due to the cpu's Model ID not being patched␊
500	␉}␊
501	}␊
502	␊
503	␊
504	/**␊
505	** SleepEnabler.kext replacement (for those that need it)␊
506	** Located the KERN_INVALID_ARGUMENT return and replace it with KERN_SUCCESS␊
507	**/␊
508	void patch_pmCPUExitHaltToOff(void* kernelData)␊
509	{␊
510	␉UInt8* bytes = (UInt8*)kernelData;␊
511	␊
512	␉kernSymbols_t *symbol = lookup_kernel_symbol("_PmCpuExitHaltToOff");␊
513	␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0;␊
514	␉␊
515	␉if(symbol == 0 \|\| symbol->addr == 0)␊
516	␉{␊
517	␉␉printf("Unable to locate _pmCPUExitHaltToOff\n");␊
518	␉␉return;␊
519	␉}␊
520	␉␊
521	␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
522	␉␊
523	␉␊
524	␉␊
525	␉while(bytes[patchLocation - 1]␉!= 0xB8 \|\|␊
526	␉␉ bytes[patchLocation]␉␉!= 0x04 \|\|␉// KERN_INVALID_ARGUMENT (0x00000004)␊
527	␉␉ bytes[patchLocation + 1]␉!= 0x00 \|\|␉// KERN_INVALID_ARGUMENT␊
528	␉␉ bytes[patchLocation + 2]␉!= 0x00 \|\|␉// KERN_INVALID_ARGUMENT␊
529	␉␉ bytes[patchLocation + 3]␉!= 0x00)␉// KERN_INVALID_ARGUMENT␊
530	␊
531	␉{␊
532	␉␉patchLocation++;␊
533	␉}␊
534	␉bytes[patchLocation] = 0x00;␉// KERN_SUCCESS;␊
535	}␊
536	␊
537	void patch_lapic_init(void* kernelData)␊
538	{␊
539	␊
540	␉UInt8 panicIndex = 0;␊
541	␉UInt8* bytes = (UInt8*)kernelData;␊
542	␉␊
543	␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_init");␊
544	␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; ␊
545	␉if(symbol == 0 \|\| symbol->addr == 0)␊
546	␉{␊
547	␉␉printf("Unable to locate %s\n", "_lapic_init");␊
548	␉␉return;␊
549	␉␉␊
550	␉}␊
551	␉␊
552	␉symbol = lookup_kernel_symbol("_panic");␊
553	␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; ␊
554	␉if(symbol == 0 \|\| symbol->addr == 0)␊
555	␉{␊
556	␉␉printf("Unable to locate %s\n", "_panic");␊
557	␉␉return;␊
558	␉}␊
559	␉␊
560	␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
561	␉panicAddr -= (UInt32)kernelData;␉// Remove offset␊
562	␊
563	␉␊
564	␉␊
565	␉␊
566	␉// Locate the (panicIndex + 1) panic call␊
567	␉while(panicIndex < 3)␉// Find the third panic call␊
568	␉{␊
569	␉␉while( ␊
570	␉␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
571	␉␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
572	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
573	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
574	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
575	␉␉␉ )␊
576	␉␉{␊
577	␉␉␉patchLocation++;␊
578	␉␉}␊
579	␉␉patchLocation++;␊
580	␉␉panicIndex++;␊
581	␉}␊
582	␉patchLocation--;␉// Remove extra increment from the < 3 while loop␊
583	␉␊
584	␉bytes[--patchLocation] = 0x90;␉␊
585	␉bytes[++patchLocation] = 0x90;␊
586	␉bytes[++patchLocation] = 0x90;␊
587	␉bytes[++patchLocation] = 0x90;␊
588	␉bytes[++patchLocation] = 0x90;␊
589	␉␊
590	␉␊
591	}␊
592	␊
593	␊
594	void patch_commpage_stuff_routine(void* kernelData)␊
595	{␊
596	␉UInt8* bytes = (UInt8*)kernelData;␊
597	␊
598	␉kernSymbols_t *symbol = lookup_kernel_symbol("_commpage_stuff_routine");␊
599	␉if(symbol == 0 \|\| symbol->addr == 0)␊
600	␉{␊
601	␉␉printf("Unable to locate %s\n", "_commpage_stuff_routine");␊
602	␉␉return;␊
603	␉␉␊
604	␉}␊
605	␉␊
606	␉UInt32 patchLocation = symbol->addr - textAddress + textSection; ␊
607	␊
608	␉␊
609	␉symbol = lookup_kernel_symbol("_panic");␊
610	␉if(symbol == 0 \|\| symbol->addr == 0)␊
611	␉{␊
612	␉␉printf("Unable to locate %s\n", "_panic");␊
613	␉␉return;␊
614	␉}␊
615	␉UInt32 panicAddr = symbol->addr - textAddress; ␊
616	␊
617	␉patchLocation -= (UInt32)kernelData;␊
618	␉panicAddr -= (UInt32)kernelData;␊
619	␉␊
620	␉while( ␊
621	␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
622	␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
623	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
624	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
625	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
626	␉␉ )␊
627	␉{␊
628	␉␉patchLocation++;␊
629	␉}␊
630	␉patchLocation--;␊
631	␉␊
632	␉// Replace panic with nops␊
633	␉bytes[patchLocation + 0] = 0x90;␊
634	␉bytes[patchLocation + 1] = 0x90;␊
635	␉bytes[patchLocation + 2] = 0x90;␊
636	␉bytes[patchLocation + 3] = 0x90;␊
637	␉bytes[patchLocation + 4] = 0x90;␊
638	␉␊
639	␉␊
640	}␊
641	␊
642	void patch_lapic_interrupt(void* kernelData)␊
643	{␊
644	␉// NOTE: this is a hack untill I finish patch_lapic_configure␊
645	␉UInt8* bytes = (UInt8*)kernelData;␊
646	␉␊
647	␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_interrupt");␊
648	␉if(symbol == 0 \|\| symbol->addr == 0)␊
649	␉{␊
650	␉␉printf("Unable to locate %s\n", "_lapic_interrupt");␊
651	␉␉return;␊
652	␉␉␊
653	␉}␊
654	␉␊
655	␉UInt32 patchLocation = symbol->addr - textAddress + textSection; ␊
656	␉␊
657	␉␊
658	␉symbol = lookup_kernel_symbol("_panic");␊
659	␉if(symbol == 0 \|\| symbol->addr == 0)␊
660	␉{␊
661	␉␉printf("Unable to locate %s\n", "_panic");␊
662	␉␉return;␊
663	␉}␊
664	␉UInt32 panicAddr = symbol->addr - textAddress; ␊
665	␉␊
666	␉patchLocation -= (UInt32)kernelData;␊
667	␉panicAddr -= (UInt32)kernelData;␊
668	␉␊
669	␉while( ␊
670	␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
671	␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
672	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
673	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
674	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
675	␉␉ )␊
676	␉{␊
677	␉␉patchLocation++;␊
678	␉}␊
679	␉patchLocation--;␊
680	␉␊
681	␉// Replace panic with nops␊
682	␉bytes[patchLocation + 0] = 0x90;␊
683	␉bytes[patchLocation + 1] = 0x90;␊
684	␉bytes[patchLocation + 2] = 0x90;␊
685	␉bytes[patchLocation + 3] = 0x90;␊
686	␉bytes[patchLocation + 4] = 0x90;␊
687	␉␊
688	␉␊
689	}␊
690	␊
691	␊
692	void patch_lapic_configure(void* kernelData)␊
693	{␊
694	␉UInt8* bytes = (UInt8*)kernelData;␊
695	␉␊
696	␉UInt32 patchLocation;␊
697	␉UInt32 lapicStart;␊
698	␉UInt32 lapicInterruptBase;␊
699	␉␊
700	␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_configure");␊
701	␉if(symbol == 0 \|\| symbol->addr == 0)␊
702	␉{␊
703	␉␉printf("Unable to locate %s\n", "_lapic_configure");␊
704	␉␉return;␊
705	␉}␊
706	␉patchLocation = symbol->addr - textAddress + textSection; ␊
707	␉␊
708	␉symbol = lookup_kernel_symbol("_lapic_start");␊
709	␉if(symbol == 0 \|\| symbol->addr == 0)␊
710	␉{␊
711	␉␉printf("Unable to locate %s\n", "_lapic_start");␊
712	␉␉return;␊
713	␉}␊
714	␉lapicStart = symbol->addr; ␊
715	␊
716	␊
717	␉symbol = lookup_kernel_symbol("_lapic_interrupt_base");␊
718	␉if(symbol == 0 \|\| symbol->addr == 0)␊
719	␉{␊
720	␉␉printf("Unable to locate %s\n", "_lapic_interrupt_base");␊
721	␉␉return;␊
722	␉}␊
723	␉lapicInterruptBase = symbol->addr;␊
724	␉patchLocation -= (UInt32)kernelData;␊
725	␉lapicStart -= (UInt32)kernelData;␊
726	␉lapicInterruptBase -= (UInt32)kernelData;␊
727	␉␊
728	␉␊
729	␉// Looking for the following:␊
730	␉//movl _lapic_start,%e_x␊
731	␉//addl $0x00000320,%e_x␊
732	␉// 8b 15 __ __ __ __ 81 c2 20 03 00 00␊
733	␉while( ␊
734	␉␉ (bytes[patchLocation - 2] != 0x8b) \|\|␊
735	␉␉ //bytes[patchLocation -1] != 0x15) \|\|␉// Register, we don't care what it is␊
736	␉␉ ( lapicStart != (UInt32)(␊
737	␉␉␉␉␉␉␉␉␉(bytes[patchLocation + 0] << 0 \| ␊
738	␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 1] << 8 \| ␊
739	␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 2] << 16 \|␊
740	␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 3] << 24␊
741	␉␉␉␉␉␉␉␉␉)␊
742	␉␉␉␉␉␉␉␉ )␊
743	␉␉ ) \|\| ␊
744	␉␉ (bytes[patchLocation + 4 ] != 0x81) \|\|␊
745	␉␉ //(bytes[patchLocation + 5 ] != 0Cx2) \|\|␉// register␊
746	␉␉ (bytes[patchLocation + 6 ] != 0x20) \|\|␊
747	␉␉ (bytes[patchLocation + 7 ] != 0x03) \|\|␊
748	␉␉ (bytes[patchLocation + 8 ] != 0x00) \|\|␊
749	␉␉ (bytes[patchLocation + 9] != 0x00)␊
750	␊
751	␉␉ )␊
752	␉{␊
753	␉␉patchLocation++;␊
754	␉}␊
755	␉patchLocation-=2;␊
756	␊
757	␉// NOTE: this is currently hardcoded, change it to be more resilient to changes␊
758	␉// At a minimum, I should have this do a cheksup first and if not matching, remove the panic instead.␊
759	␉␊
760	␉// 8b 15 __ __ __ __ -> movl␉␉ _lapic_start,%edx (NOTE: this should already be here)␊
761	␉/*␊
762	␉bytes[patchLocation++] = 0x8B;␊
763	␉bytes[patchLocation++] = 0x15;␊
764	␉bytes[patchLocation++] = (lapicStart & 0x000000FF) >> 0;␊
765	␉bytes[patchLocation++] = (lapicStart & 0x0000FF00) >> 8;␊
766	␉bytes[patchLocation++] = (lapicStart & 0x00FF0000) >> 16;␊
767	␉bytes[patchLocation++] = (lapicStart & 0xFF000000) >> 24;␊
768	␉*/␊
769	␉patchLocation += 6;␊
770	␉␊
771	␉// 81 c2 60 03 00 00 -> addl␉␉ $0x00000320,%edx␊
772	␉/*␊
773	␉bytes[patchLocation++] = 0x81;␊
774	␉bytes[patchLocation++] = 0xC2;␊
775	␉*/␊
776	␉patchLocation += 2;␊
777	␉bytes[patchLocation++] = 0x60;␊
778	␉/*␊
779	␉bytes[patchLocation++];// = 0x03;␊
780	␉bytes[patchLocation++];// = 0x00;␊
781	␉bytes[patchLocation++];// = 0x00;␊
782	␉*/␊
783	␉ patchLocation += 3;␊
784	␊
785	␉// c7 02 00 04 00 00 -> movl␉␉ $0x00000400,(%edx)␊
786	␉bytes[patchLocation++] = 0xC7;␊
787	␉bytes[patchLocation++] = 0x02;␊
788	␉bytes[patchLocation++] = 0x00;␊
789	␉bytes[patchLocation++] = 0x04;␊
790	␉bytes[patchLocation++] = 0x00;␊
791	␉bytes[patchLocation++] = 0x00;␊
792	␉␊
793	␉// 83 ea 40 -> subl␉␉ $0x40,edx␊
794	␉bytes[patchLocation++] = 0x83;␊
795	␉bytes[patchLocation++] = 0xEA;␊
796	␉bytes[patchLocation++] = 0x40;␊
797	␊
798	␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊
799	␉bytes[patchLocation++] = 0xA1;␊
800	␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊
801	␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊
802	␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊
803	␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊
804	␊
805	␉// 83 c0 0e -> addl␉␉ $0x0e,%eax␊
806	␉bytes[patchLocation++] = 0x83;␊
807	␉bytes[patchLocation++] = 0xC0;␊
808	␉bytes[patchLocation++] = 0x0E;␊
809	␊
810	␉// 89 02 -> movl␉␉ %eax,(%edx)␊
811	␉bytes[patchLocation++] = 0x89;␊
812	␉bytes[patchLocation++] = 0x02;␊
813	␉␊
814	␉// 81c230030000␉␉ addl␉␉ $0x00000330,%edx␊
815	␉bytes[patchLocation++] = 0x81;␊
816	␉bytes[patchLocation++] = 0xC2;␊
817	␉bytes[patchLocation++] = 0x30;␊
818	␉bytes[patchLocation++] = 0x03;␊
819	␉bytes[patchLocation++] = 0x00;␊
820	␉bytes[patchLocation++] = 0x00;␊
821	␉␊
822	␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊
823	␉bytes[patchLocation++] = 0xA1;␊
824	␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊
825	␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊
826	␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊
827	␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊
828	␉␊
829	␉// 83 c0 0f -> addl␉␉ $0x0f,%eax␊
830	␉bytes[patchLocation++] = 0x83;␊
831	␉bytes[patchLocation++] = 0xC0;␊
832	␉bytes[patchLocation++] = 0x0F;␊
833	␉␊
834	␉// 89 02 -> movl␉␉ %eax,(%edx)␊
835	␉bytes[patchLocation++] = 0x89;␊
836	␉bytes[patchLocation++] = 0x02;␊
837	␉␊
838	␉// 83 ea 10 -> subl␉␉ $0x10,edx␊
839	␉bytes[patchLocation++] = 0x83;␊
840	␉bytes[patchLocation++] = 0xEA;␊
841	␉bytes[patchLocation++] = 0x10;␊
842	␊
843	␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊
844	␉bytes[patchLocation++] = 0xA1;␊
845	␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊
846	␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊
847	␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊
848	␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊
849	␉␊
850	␉// 83 c0 0c -> addl␉␉ $0x0c,%eax␊
851	␉bytes[patchLocation++] = 0x83;␊
852	␉bytes[patchLocation++] = 0xC0;␊
853	␉bytes[patchLocation++] = 0x0C;␊
854	␊
855	␉// 89 02 -> movl␉␉ %eax,(%edx)␊
856	␉bytes[patchLocation++] = 0x89;␊
857	␉bytes[patchLocation++] = 0x02;␊
858	␊
859	␉// Replace remaining with nops␊
860	␊
861	␊
862	␉bytes[patchLocation++] = 0x90;␊
863	␉bytes[patchLocation++] = 0x90;␊
864	␉bytes[patchLocation++] = 0x90;␊
865	␉bytes[patchLocation++] = 0x90;␊
866	␉//␉bytes[patchLocation++] = 0x90; // double check the lenght of the patch...␊
867	␉//␉bytes[patchLocation++] = 0x90;␊
868	}␊
869

Download this file