branches/azimutz/Chazi/i386/modules/KernelPatcher/kernel_patcher.c - Chameleon Svn Source Tree - Chameleon open source boot loader project.

Root/branches/azimutz/Chazi/i386/modules/KernelPatcher/kernel_patcher.c

1	/*␊
2	* Copyright (c) 2009-2010 Evan Lojewski. All rights reserved.␊
3	*␊
4	*/␊
5	␊
6	//#include "libsaio.h"␊
7	#include "saio_types.h"␊
8	//---␊
9	#include "kernel_patcher.h"␊
10	#include "platform.h"␊
11	#include "modules.h"␊
12	␊
13	extern PlatformInfo_t Platform;␊
14	␊
15	patchRoutine_t* patches = NULL;␊
16	kernSymbols_t* kernelSymbols = NULL;␊
17	␊
18	␊
19	UInt32 textSection = 0;␊
20	UInt32 textAddress = 0;␊
21	␊
22	␊
23	void KernelPatcher_start()␊
24	{␊
25	␉//register_kernel_patch(patch_cpuid_set_info, KERNEL_32, CPUID_MODEL_ATOM);␉␉// TODO: CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN␊
26	␉//register_kernel_patch(patch_cpuid_set_info, KERNEL_32, CPUID_MODEL_UNKNOWN);␉// 0, 0 ␊
27	␉register_kernel_patch(patch_cpuid_set_info_all, KERNEL_32, CPUID_MODEL_UNKNOWN); ␊
28	␊
29	␉register_kernel_patch(patch_commpage_stuff_routine, KERNEL_32, CPUID_MODEL_ANY);␊
30	␉␊
31	␉register_kernel_patch(patch_lapic_init, KERNEL_32, CPUID_MODEL_ANY);␊
32	␊
33	␉register_kernel_patch(patch_lapic_configure, KERNEL_32, CPUID_MODEL_ANY);␊
34	␉//register_kernel_patch(patch_lapic_interrupt, KERNEL_32, CPUID_MODEL_ANY);␊
35	␊
36	␉␊
37	␉register_kernel_symbol(KERNEL_32, "_panic");␊
38	␉register_kernel_symbol(KERNEL_32, "_cpuid_set_info");␊
39	␉register_kernel_symbol(KERNEL_32, "_pmCPUExitHaltToOff");␊
40	␉register_kernel_symbol(KERNEL_32, "_lapic_init");␊
41	␉register_kernel_symbol(KERNEL_32, "_commpage_stuff_routine");␊
42	␊
43	␉// LAPIC configure symbols␊
44	␉register_kernel_symbol(KERNEL_32, "_lapic_configure");␊
45	␉register_kernel_symbol(KERNEL_32, "_lapic_interrupt");␊
46	␊
47	␉register_kernel_symbol(KERNEL_32, "_lapic_start");␊
48	␉register_kernel_symbol(KERNEL_32, "_lapic_interrupt_base");␊
49	␊
50	␉␊
51	␉// TODO: register needed symbols␊
52	␉␊
53	␉␊
54	␉register_hook_callback("ExecKernel", &patch_kernel); ␊
55	}␊
56	␊
57	/*␊
58	* Register a kerenl patch␊
59	*/␊
60	void register_kernel_patch(void* patch, int arch, int cpus)␊
61	{␊
62	␉// TODO: only insert valid patches based on current cpuid and architecture␊
63	␉// AKA, don't at 64bit patches if it's a 32bit only machine␊
64	␉patchRoutine_t* entry;␊
65	␉␊
66	␉// TODO: verify Platform.CPU.Model is populated this early in bootup␊
67	␉// Check to ensure that the patch is valid on this machine␊
68	␉// If it is not, exit early form this function␊
69	␉if(cpus != Platform.CPU.Model)␊
70	␉{␊
71	␉␉if(cpus != CPUID_MODEL_ANY)␊
72	␉␉{␊
73	␉␉␉if(cpus == CPUID_MODEL_UNKNOWN)␊
74	␉␉␉{␊
75	␉␉␉␉switch(Platform.CPU.Model)␊
76	␉␉␉␉{␊
77	␉␉␉␉␉case 13:␊
78	␉␉␉␉␉case CPUID_MODEL_YONAH:␊
79	␉␉␉␉␉case CPUID_MODEL_MEROM:␊
80	␉␉␉␉␉case CPUID_MODEL_PENRYN:␊
81	␉␉␉␉␉case CPUID_MODEL_NEHALEM:␊
82	␉␉␉␉␉case CPUID_MODEL_FIELDS:␊
83	␉␉␉␉␉case CPUID_MODEL_DALES:␊
84	␉␉␉␉␉case CPUID_MODEL_NEHALEM_EX:␊
85	␉␉␉␉␉␉// Known cpu's we don't want to add the patch␊
86	␉␉␉␉␉␉return;␊
87	␉␉␉␉␉␉break;␊
88	␊
89	␉␉␉␉␉default:␊
90	␉␉␉␉␉␉// CPU not in supported list, so we are going to add␊
91	␉␉␉␉␉␉// The patch will be applied␊
92	␉␉␉␉␉␉break;␊
93	␉␉␉␉␉␉␊
94	␉␉␉␉}␊
95	␉␉␉}␊
96	␉␉␉else␊
97	␉␉␉{␊
98	␉␉␉␉// Invalid cpuid for current cpu. Ignoring patch␊
99	␉␉␉␉return;␊
100	␉␉␉}␊
101	␊
102	␉␉}␊
103	␉}␊
104	␉␉␊
105	␉if(patches == NULL)␊
106	␉{␊
107	␉␉patches = entry = malloc(sizeof(patchRoutine_t));␊
108	␉}␊
109	␉else␊
110	␉{␊
111	␉␉entry = patches;␊
112	␉␉while(entry->next)␊
113	␉␉{␊
114	␉␉␉entry = entry->next;␊
115	␉␉}␊
116	␉␉␊
117	␉␉entry->next = malloc(sizeof(patchRoutine_t));␊
118	␉␉entry = entry->next;␊
119	␉}␊
120	␉␊
121	␉entry->next = NULL;␊
122	␉entry->patchRoutine = patch;␊
123	␉entry->validArchs = arch;␊
124	␉entry->validCpu = cpus;␊
125	}␊
126	␊
127	void register_kernel_symbol(int kernelType, const char* name)␊
128	{␊
129	␉if(kernelSymbols == NULL)␊
130	␉{␊
131	␉␉kernelSymbols = malloc(sizeof(kernSymbols_t));␊
132	␉␉kernelSymbols->next = NULL;␊
133	␉␉kernelSymbols->symbol = (char*)name;␊
134	␉␉kernelSymbols->addr = 0;␊
135	␉}␊
136	␉else {␊
137	␉␉kernSymbols_t *symbol = kernelSymbols;␊
138	␉␉while(symbol->next != NULL)␊
139	␉␉{␊
140	␉␉␉symbol = symbol->next;␊
141	␉␉}␊
142	␉␉␊
143	␉␉symbol->next = malloc(sizeof(kernSymbols_t));␊
144	␉␉symbol = symbol->next;␊
145	␊
146	␉␉symbol->next = NULL;␊
147	␉␉symbol->symbol = (char*)name;␊
148	␉␉symbol->addr = 0;␊
149	␉}␊
150	}␊
151	␊
152	kernSymbols_t* lookup_kernel_symbol(const char* name)␊
153	{␊
154	␉kernSymbols_t *symbol = kernelSymbols;␊
155	␊
156	␉while(symbol && strcmp(symbol->symbol, name) !=0)␊
157	␉{␊
158	␉␉symbol = symbol->next;␊
159	␉}␊
160	␉␊
161	␉if(!symbol)␊
162	␉{␊
163	␉␉return NULL;␊
164	␉}␊
165	␉else␊
166	␉{␊
167	␉␉return symbol;␊
168	␉}␊
169	␊
170	}␊
171	␊
172	void patch_kernel(void* kernelData, void* arg2, void* arg3, void *arg4)␊
173	{␊
174	␉patchRoutine_t* entry = patches;␊
175	␊
176	␉␊
177	␉int arch = determineKernelArchitecture(kernelData);␊
178	␊
179	␉locate_symbols(kernelData);␊
180	␉␊
181	␉␊
182	␉if(patches != NULL)␊
183	␉{␊
184	␉␉while(entry)␊
185	␉␉{␊
186	␉␉␉if(entry->validArchs == KERNEL_ANY \|\| arch == entry->validArchs)␊
187	␉␉␉{␊
188	␉␉␉␉if(entry->patchRoutine) entry->patchRoutine(kernelData);␊
189	␉␉␉}␊
190	␉␉␉entry = entry->next;␊
191	␉␉}␊
192	␉␉␊
193	␉}␊
194	}␊
195	␊
196	int determineKernelArchitecture(void* kernelData)␊
197	{␉␊
198	␉if(((struct mach_header*)kernelData)->magic == MH_MAGIC)␊
199	␉{␊
200	␉␉return KERNEL_32;␊
201	␉}␊
202	␉if(((struct mach_header*)kernelData)->magic == MH_MAGIC_64)␊
203	␉{␊
204	␉␉return KERNEL_64;␊
205	␉}␊
206	␉else␊
207	␉{␊
208	␉␉return KERNEL_ERR;␊
209	␉}␊
210	}␊
211	␊
212	␊
213	/**␊
214	**␉␉This functions located the requested symbols in the mach-o file.␊
215	**␉␉␉as well as determines the start of the __TEXT segment and __TEXT,__text sections␊
216	**/␊
217	int locate_symbols(void* kernelData)␊
218	{␊
219	␊
220	␉struct load_command *loadCommand;␊
221	␉struct symtab_command *symtableData = 0; //Azi:warning␊
222	␉//␉struct nlist *symbolEntry;␊
223	␉␊
224	␉char* symbolString;␊
225	␊
226	␉UInt32 kernelIndex = 0;␊
227	␉kernelIndex += sizeof(struct mach_header);␊
228	␉␊
229	␉if(((struct mach_header*)kernelData)->magic != MH_MAGIC) return KERNEL_64;␊
230	␉␊
231	␉␊
232	␉int cmd = 0;␊
233	␉while(cmd < ((struct mach_header*)kernelData)->ncmds)␉// TODO: for loop instead␊
234	␉{␊
235	␉␉cmd++;␊
236	␉␉␊
237	␉␉loadCommand = kernelData + kernelIndex;␊
238	␉␉␊
239	␉␉UInt cmdSize = loadCommand->cmdsize;␊
240	␉␉␊
241	␉␉␊
242	␉␉if((loadCommand->cmd & 0x7FFFFFFF) == LC_SYMTAB)␉␉// We only care about the symtab segment␊
243	␉␉{␊
244	␉␉␉//printf("Located symtable, length is 0x%X, 0x%X\n", (unsigned int)loadCommand->cmdsize, (unsigned int)sizeof(symtableData));␊
245	␉␉␉␊
246	␉␉␉symtableData = kernelData + kernelIndex;␊
247	␉␉␉kernelIndex += sizeof(struct symtab_command);␊
248	␉␉␊
249	␉␉␉symbolString = kernelData + symtableData->stroff;␊
250	␉␉}␊
251	␉␉else if((loadCommand->cmd & 0x7FFFFFFF) == LC_SEGMENT)␉␉// We only care about the __TEXT segment, any other load command can be ignored␊
252	␉␉{␊
253	␉␉␉␊
254	␉␉␉struct segment_command *segCommand;␊
255	␉␉␉␊
256	␉␉␉segCommand = kernelData + kernelIndex;␊
257	␉␉␉␊
258	␉␉␉//printf("Segment name is %s\n", segCommand->segname);␊
259	␉␉␉␊
260	␉␉␉if(strcmp("__TEXT", segCommand->segname) == 0)␊
261	␉␉␉{␊
262	␉␉␉␉UInt32 sectionIndex;␊
263	␉␉␉␉␊
264	␉␉␉␉sectionIndex = sizeof(struct segment_command);␊
265	␉␉␉␉␊
266	␉␉␉␉struct section *sect;␊
267	␉␉␉␉␊
268	␉␉␉␉while(sectionIndex < segCommand->cmdsize)␊
269	␉␉␉␉{␊
270	␉␉␉␉␉sect = kernelData + kernelIndex + sectionIndex;␊
271	␉␉␉␉␉␊
272	␉␉␉␉␉sectionIndex += sizeof(struct section);␊
273	␉␉␉␉␉␊
274	␉␉␉␉␉␊
275	␉␉␉␉␉if(strcmp("__text", sect->sectname) == 0)␊
276	␉␉␉␉␉{␊
277	␉␉␉␉␉␉// __TEXT,__text found, save the offset and address for when looking for the calls.␊
278	␉␉␉␉␉␉textSection = sect->offset;␊
279	␉␉␉␉␉␉textAddress = sect->addr;␊
280	␉␉␉␉␉␉break;␊
281	␉␉␉␉␉}␉␉␉␉␉␊
282	␉␉␉␉}␊
283	␉␉␉}␊
284	␉␉␉␊
285	␉␉␉␊
286	␉␉␉kernelIndex += cmdSize;␊
287	␉␉} else {␊
288	␉␉␉kernelIndex += cmdSize;␊
289	␉␉}␊
290	␉}␊
291	␉␊
292	␉return handle_symtable((UInt32)kernelData, symtableData, &symbol_handler,␊
293	␉␉␉␉␉␉␉determineKernelArchitecture(kernelData) == KERNEL_64);␊
294	}␊
295	␊
296	long long symbol_handler(char* symbolName, long long addr, char is64)␊
297	{␊
298	␉// Locate the symbol in the list, if it exists, update it's address␊
299	␉kernSymbols_t *symbol = lookup_kernel_symbol(symbolName);␊
300	␉␊
301	␉␊
302	␉if(symbol)␊
303	␉{␊
304	␉␉symbol->addr = addr;␊
305	␉}␊
306	␉return 0xFFFFFFFF; // fixme␊
307	}␊
308	␊
309	␊
310	/**␊
311	** Locate the fisrt instance of _panic inside of _cpuid_set_info, and either remove it␊
312	** Or replace it so that the cpuid is set to a valid value.␊
313	**/␊
314	void patch_cpuid_set_info_all(void* kernelData)␊
315	{␊
316	␉switch(Platform.CPU.Model)␊
317	␉{␊
318	␉␉case CPUID_MODEL_ATOM:␊
319	␉␉␉patch_cpuid_set_info(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN); ␊
320	␉␉␉break;␊
321	␉␉␉␊
322	␉␉default:␊
323	␉␉␉patch_cpuid_set_info(kernelData, 0, 0);␊
324	␉␉␉break;␊
325	␉}␊
326	}␊
327	␊
328	void patch_cpuid_set_info(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)␊
329	{␉␊
330	␉UInt8* bytes = (UInt8*)kernelData;␊
331	␉␊
332	␉kernSymbols_t *symbol = lookup_kernel_symbol("_cpuid_set_info");␊
333	␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //␉(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);␊
334	␉␊
335	␉UInt32 jumpLocation = 0;␊
336	␉␊
337	␉␊
338	␉if(symbol == 0 \|\| symbol->addr == 0)␊
339	␉{␊
340	␉␉printf("Unable to locate _cpuid_set_info\n");␊
341	␉␉return;␊
342	␉␉␊
343	␉}␊
344	␊
345	␉symbol = lookup_kernel_symbol("_panic");␊
346	␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; //kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;␊
347	␉if(symbol == 0 \|\| symbol->addr == 0)␊
348	␉{␊
349	␉␉printf("Unable to locate _panic\n");␊
350	␉␉return;␊
351	␉}␊
352	␉␊
353	␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
354	␉panicAddr -= (UInt32)kernelData;␊
355	␊
356	␊
357	␉␊
358	␉␊
359	␉␊
360	␉//TODO: don't assume it'll always work (Look for next function address in symtab and fail once it's been reached)␊
361	␉while( ␊
362	␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
363	␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
364	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
365	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
366	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
367	␉␉ )␊
368	␉{␊
369	␉␉patchLocation++;␊
370	␉}␊
371	␉patchLocation--;␊
372	␉␊
373	␉// Remove panic call, just in case the following patch routines fail␊
374	␉bytes[patchLocation + 0] = 0x90;␊
375	␉bytes[patchLocation + 1] = 0x90;␊
376	␉bytes[patchLocation + 2] = 0x90;␊
377	␉bytes[patchLocation + 3] = 0x90;␊
378	␉bytes[patchLocation + 4] = 0x90;␊
379	␉␊
380	␉␊
381	␉// Locate the jump call, so that 10 bytes can be reclamed.␊
382	␉// NOTE: This will NOT be located on pre 10.6.2 kernels␊
383	␉jumpLocation = patchLocation - 15;␊
384	␉while((bytes[jumpLocation - 1] != 0x77 \|\|␊
385	␉␉ bytes[jumpLocation] != (patchLocation - jumpLocation - -8)) &&␊
386	␉␉ (patchLocation - jumpLocation) < 0xF0)␊
387	␉{␊
388	␉␉jumpLocation--;␊
389	␉}␊
390	␉␊
391	␉// If found... AND we want to impersonate a specific cpumodel / family...␊
392	␉if(impersonateFamily &&␊
393	␉ impersonateModel &&␊
394	␉ ((patchLocation - jumpLocation) < 0xF0))␊
395	␉{␊
396	␉␉␊
397	␉␉bytes[jumpLocation] -= 10;␉␉// sizeof(movl␉$0x6b5a4cd2,0x00872eb4) = 10bytes␊
398	␉␉␊
399	␉␉/* ␊
400	␉␉ * Inpersonate the specified CPU FAMILY and CPU Model␊
401	␉␉ */␊
402	␊
403	␉␉// bytes[patchLocation - 17] = 0xC7;␉// already here... not needed to be done␊
404	␉␉// bytes[patchLocation - 16] = 0x05;␉// see above␊
405	␉␉UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0 \|␊
406	␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 14] << 8 \|␊
407	␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 13] << 16 \|␊
408	␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 12] << 24;␊
409	␉␉␊
410	␉␉// NOTE: may change, determined based on cpuid_info struct␊
411	␉␉UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299; ␊
412	␉␉␊
413	␉␉␊
414	␉␉// cpufamily = CPUFAMILY_INTEL_PENRYN␊
415	␉␉bytes[patchLocation - 11] = (impersonateFamily & 0x000000FF) >> 0;␊
416	␉␉bytes[patchLocation - 10] = (impersonateFamily & 0x0000FF00) >> 8;␊
417	␉␉bytes[patchLocation - 9] = (impersonateFamily & 0x00FF0000) >> 16;␉␊
418	␉␉bytes[patchLocation - 8] = (impersonateFamily & 0xFF000000) >> 24;␊
419	␉␉␊
420	␉␉// NOPS, just in case if the jmp call wasn't patched, we'll jump to a␊
421	␉␉// nop and continue with the rest of the patch␊
422	␉␉// Yay two free bytes :), 10 more can be reclamed if needed, as well as a few␊
423	␉␉// from the above code (only cpuid_model needs to be set.␊
424	␉␉bytes[patchLocation - 7] = 0x90;␊
425	␉␉bytes[patchLocation - 6] = 0x90;␊
426	␉␉␊
427	␉␉bytes[patchLocation - 5] = 0xC7;␊
428	␉␉bytes[patchLocation - 4] = 0x05;␊
429	␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊
430	␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊
431	␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊
432	␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊
433	␉␉␊
434	␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊
435	␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊
436	␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊
437	␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊
438	␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊
439	␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊
440	␉␉␊
441	␉}␊
442	␉else if(impersonateFamily && impersonateModel)␊
443	␉{␊
444	␉␉// pre 10.6.2 kernel␊
445	␉␉// Locate the jump to directly after the panic call,␊
446	␉␉jumpLocation = patchLocation - 4;␊
447	␉␉while((bytes[jumpLocation - 1] != 0x77 \|\|␊
448	␉␉␉ bytes[jumpLocation] != (patchLocation - jumpLocation + 4)) &&␊
449	␉␉␉ (patchLocation - jumpLocation) < 0x20)␊
450	␉␉{␊
451	␉␉␉jumpLocation--;␊
452	␉␉}␊
453	␉␉// NOTE above isn't needed (I was going to use it, but I'm not, so instead,␊
454	␉␉// I'll just leave it to verify the binary stucture.␊
455	␉␉␊
456	␉␉// NOTE: the cpumodel_familt data is not set in _cpuid_set_info␊
457	␉␉// so we don't need to set it here, I'll get set later based on the model␊
458	␉␉// we set now.␊
459	␉␉␊
460	␉␉if((patchLocation - jumpLocation) < 0x20)␊
461	␉␉{␊
462	␉␉␉UInt32 cpuid_model_addr =␉(bytes[patchLocation - 14] << 0 \|␊
463	␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 13] << 8 \|␊
464	␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 12] << 16 \|␊
465	␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 11] << 24);␊
466	␉␉␉// Remove jump␊
467	␉␉␉bytes[patchLocation - 9] = 0x90;␉␉/// Was a jump if supported cpu␊
468	␉␉␉bytes[patchLocation - 8] = 0x90;␉␉// jumped past the panic call, we want to override the panic␊
469	␊
470	␉␉␉bytes[patchLocation - 7] = 0x90;␊
471	␉␉␉bytes[patchLocation - 6] = 0x90;␊
472	␉␉␉␊
473	␉␉␉bytes[patchLocation - 5] = 0xC7;␊
474	␉␉␉bytes[patchLocation - 4] = 0x05;␊
475	␉␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊
476	␉␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊
477	␉␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊
478	␉␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊
479	␉␉␉␊
480	␉␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊
481	␉␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊
482	␉␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊
483	␉␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊
484	␉␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊
485	␉␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊
486	␉␉␉␊
487	␉␉␉␊
488	␉␉␉␊
489	␉␉␉patchLocation = jumpLocation;␊
490	␉␉␉// We now have 14 bytes available for a patch␊
491	␉␉␉␊
492	␉␉}␊
493	␉␉else ␊
494	␉␉{␊
495	␉␉␉// Patching failed, using NOP replacement done initialy␊
496	␉␉}␊
497	␉}␊
498	␉else ␊
499	␉{␊
500	␉␉// Either We were unable to change the jump call due to the function's sctructure␊
501	␉␉// changing, or the user did not request a patch. As such, resort to just ␊
502	␉␉// removing the panic call (using NOP replacement above). Note that the␊
503	␉␉// IntelCPUPM kext may still panic due to the cpu's Model ID not being patched␊
504	␉}␊
505	}␊
506	␊
507	␊
508	/**␊
509	** SleepEnabler.kext replacement (for those that need it)␊
510	** Located the KERN_INVALID_ARGUMENT return and replace it with KERN_SUCCESS␊
511	**/␊
512	void patch_pmCPUExitHaltToOff(void* kernelData)␊
513	{␊
514	␉UInt8* bytes = (UInt8*)kernelData;␊
515	␊
516	␉kernSymbols_t *symbol = lookup_kernel_symbol("_PmCpuExitHaltToOff");␊
517	␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0;␊
518	␉␊
519	␉if(symbol == 0 \|\| symbol->addr == 0)␊
520	␉{␊
521	␉␉printf("Unable to locate _pmCPUExitHaltToOff\n");␊
522	␉␉return;␊
523	␉}␊
524	␉␊
525	␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
526	␉␊
527	␉␊
528	␉␊
529	␉while(bytes[patchLocation - 1]␉!= 0xB8 \|\|␊
530	␉␉ bytes[patchLocation]␉␉!= 0x04 \|\|␉// KERN_INVALID_ARGUMENT (0x00000004)␊
531	␉␉ bytes[patchLocation + 1]␉!= 0x00 \|\|␉// KERN_INVALID_ARGUMENT␊
532	␉␉ bytes[patchLocation + 2]␉!= 0x00 \|\|␉// KERN_INVALID_ARGUMENT␊
533	␉␉ bytes[patchLocation + 3]␉!= 0x00)␉// KERN_INVALID_ARGUMENT␊
534	␊
535	␉{␊
536	␉␉patchLocation++;␊
537	␉}␊
538	␉bytes[patchLocation] = 0x00;␉// KERN_SUCCESS;␊
539	}␊
540	␊
541	void patch_lapic_init(void* kernelData)␊
542	{␊
543	␊
544	␉UInt8 panicIndex = 0;␊
545	␉UInt8* bytes = (UInt8*)kernelData;␊
546	␉␊
547	␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_init");␊
548	␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; ␊
549	␉if(symbol == 0 \|\| symbol->addr == 0)␊
550	␉{␊
551	␉␉printf("Unable to locate %s\n", "_lapic_init");␊
552	␉␉return;␊
553	␉␉␊
554	␉}␊
555	␉␊
556	␉symbol = lookup_kernel_symbol("_panic");␊
557	␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; ␊
558	␉if(symbol == 0 \|\| symbol->addr == 0)␊
559	␉{␊
560	␉␉printf("Unable to locate %s\n", "_panic");␊
561	␉␉return;␊
562	␉}␊
563	␉␊
564	␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
565	␉panicAddr -= (UInt32)kernelData;␉// Remove offset␊
566	␊
567	␉␊
568	␉␊
569	␉␊
570	␉// Locate the (panicIndex + 1) panic call␊
571	␉while(panicIndex < 3)␉// Find the third panic call␊
572	␉{␊
573	␉␉while( ␊
574	␉␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
575	␉␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
576	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
577	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
578	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
579	␉␉␉ )␊
580	␉␉{␊
581	␉␉␉patchLocation++;␊
582	␉␉}␊
583	␉␉patchLocation++;␊
584	␉␉panicIndex++;␊
585	␉}␊
586	␉patchLocation--;␉// Remove extra increment from the < 3 while loop␊
587	␉␊
588	␉bytes[--patchLocation] = 0x90;␉␊
589	␉bytes[++patchLocation] = 0x90;␊
590	␉bytes[++patchLocation] = 0x90;␊
591	␉bytes[++patchLocation] = 0x90;␊
592	␉bytes[++patchLocation] = 0x90;␊
593	␉␊
594	␉␊
595	}␊
596	␊
597	␊
598	void patch_commpage_stuff_routine(void* kernelData)␊
599	{␊
600	␉UInt8* bytes = (UInt8*)kernelData;␊
601	␊
602	␉kernSymbols_t *symbol = lookup_kernel_symbol("_commpage_stuff_routine");␊
603	␉if(symbol == 0 \|\| symbol->addr == 0)␊
604	␉{␊
605	␉␉printf("Unable to locate %s\n", "_commpage_stuff_routine");␊
606	␉␉return;␊
607	␉␉␊
608	␉}␊
609	␉␊
610	␉UInt32 patchLocation = symbol->addr - textAddress + textSection; ␊
611	␊
612	␉␊
613	␉symbol = lookup_kernel_symbol("_panic");␊
614	␉if(symbol == 0 \|\| symbol->addr == 0)␊
615	␉{␊
616	␉␉printf("Unable to locate %s\n", "_panic");␊
617	␉␉return;␊
618	␉}␊
619	␉UInt32 panicAddr = symbol->addr - textAddress; ␊
620	␊
621	␉patchLocation -= (UInt32)kernelData;␊
622	␉panicAddr -= (UInt32)kernelData;␊
623	␉␊
624	␉while( ␊
625	␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
626	␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
627	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
628	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
629	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
630	␉␉ )␊
631	␉{␊
632	␉␉patchLocation++;␊
633	␉}␊
634	␉patchLocation--;␊
635	␉␊
636	␉// Replace panic with nops␊
637	␉bytes[patchLocation + 0] = 0x90;␊
638	␉bytes[patchLocation + 1] = 0x90;␊
639	␉bytes[patchLocation + 2] = 0x90;␊
640	␉bytes[patchLocation + 3] = 0x90;␊
641	␉bytes[patchLocation + 4] = 0x90;␊
642	␉␊
643	␉␊
644	}␊
645	␊
646	void patch_lapic_interrupt(void* kernelData)␊
647	{␊
648	␉// NOTE: this is a hack untill I finish patch_lapic_configure␊
649	␉UInt8* bytes = (UInt8*)kernelData;␊
650	␉␊
651	␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_interrupt");␊
652	␉if(symbol == 0 \|\| symbol->addr == 0)␊
653	␉{␊
654	␉␉printf("Unable to locate %s\n", "_lapic_interrupt");␊
655	␉␉return;␊
656	␉␉␊
657	␉}␊
658	␉␊
659	␉UInt32 patchLocation = symbol->addr - textAddress + textSection; ␊
660	␉␊
661	␉␊
662	␉symbol = lookup_kernel_symbol("_panic");␊
663	␉if(symbol == 0 \|\| symbol->addr == 0)␊
664	␉{␊
665	␉␉printf("Unable to locate %s\n", "_panic");␊
666	␉␉return;␊
667	␉}␊
668	␉UInt32 panicAddr = symbol->addr - textAddress; ␊
669	␉␊
670	␉patchLocation -= (UInt32)kernelData;␊
671	␉panicAddr -= (UInt32)kernelData;␊
672	␉␊
673	␉while( ␊
674	␉␉ (bytes[patchLocation -1] != 0xE8) \|\|␊
675	␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 \| ␊
676	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 \| ␊
677	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 \|␊
678	␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊
679	␉␉ )␊
680	␉{␊
681	␉␉patchLocation++;␊
682	␉}␊
683	␉patchLocation--;␊
684	␉␊
685	␉// Replace panic with nops␊
686	␉bytes[patchLocation + 0] = 0x90;␊
687	␉bytes[patchLocation + 1] = 0x90;␊
688	␉bytes[patchLocation + 2] = 0x90;␊
689	␉bytes[patchLocation + 3] = 0x90;␊
690	␉bytes[patchLocation + 4] = 0x90;␊
691	␉␊
692	␉␊
693	}␊
694	␊
695	␊
696	void patch_lapic_configure(void* kernelData)␊
697	{␊
698	␉UInt8* bytes = (UInt8*)kernelData;␊
699	␉␊
700	␉UInt32 patchLocation;␊
701	␉UInt32 lapicStart;␊
702	␉UInt32 lapicInterruptBase;␊
703	␉␊
704	␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_configure");␊
705	␉if(symbol == 0 \|\| symbol->addr == 0)␊
706	␉{␊
707	␉␉printf("Unable to locate %s\n", "_lapic_configure");␊
708	␉␉return;␊
709	␉}␊
710	␉patchLocation = symbol->addr - textAddress + textSection; ␊
711	␉␊
712	␉symbol = lookup_kernel_symbol("_lapic_start");␊
713	␉if(symbol == 0 \|\| symbol->addr == 0)␊
714	␉{␊
715	␉␉printf("Unable to locate %s\n", "_lapic_start");␊
716	␉␉return;␊
717	␉}␊
718	␉lapicStart = symbol->addr; ␊
719	␊
720	␊
721	␉symbol = lookup_kernel_symbol("_lapic_interrupt_base");␊
722	␉if(symbol == 0 \|\| symbol->addr == 0)␊
723	␉{␊
724	␉␉printf("Unable to locate %s\n", "_lapic_interrupt_base");␊
725	␉␉return;␊
726	␉}␊
727	␉lapicInterruptBase = symbol->addr;␊
728	␉patchLocation -= (UInt32)kernelData;␊
729	␉lapicStart -= (UInt32)kernelData;␊
730	␉lapicInterruptBase -= (UInt32)kernelData;␊
731	␉␊
732	␉␊
733	␉// Looking for the following:␊
734	␉//movl _lapic_start,%e_x␊
735	␉//addl $0x00000320,%e_x␊
736	␉// 8b 15 __ __ __ __ 81 c2 20 03 00 00␊
737	␉while( ␊
738	␉␉ (bytes[patchLocation - 2] != 0x8b) \|\|␊
739	␉␉ //bytes[patchLocation -1] != 0x15) \|\|␉// Register, we don't care what it is␊
740	␉␉ ( lapicStart != (UInt32)(␊
741	␉␉␉␉␉␉␉␉␉(bytes[patchLocation + 0] << 0 \| ␊
742	␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 1] << 8 \| ␊
743	␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 2] << 16 \|␊
744	␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 3] << 24␊
745	␉␉␉␉␉␉␉␉␉)␊
746	␉␉␉␉␉␉␉␉ )␊
747	␉␉ ) \|\| ␊
748	␉␉ (bytes[patchLocation + 4 ] != 0x81) \|\|␊
749	␉␉ //(bytes[patchLocation + 5 ] != 0Cx2) \|\|␉// register␊
750	␉␉ (bytes[patchLocation + 6 ] != 0x20) \|\|␊
751	␉␉ (bytes[patchLocation + 7 ] != 0x03) \|\|␊
752	␉␉ (bytes[patchLocation + 8 ] != 0x00) \|\|␊
753	␉␉ (bytes[patchLocation + 9] != 0x00)␊
754	␊
755	␉␉ )␊
756	␉{␊
757	␉␉patchLocation++;␊
758	␉}␊
759	␉patchLocation-=2;␊
760	␊
761	␉// NOTE: this is currently hardcoded, change it to be more resilient to changes␊
762	␉// At a minimum, I should have this do a cheksup first and if not matching, remove the panic instead.␊
763	␉␊
764	␉// 8b 15 __ __ __ __ -> movl␉␉ _lapic_start,%edx (NOTE: this should already be here)␊
765	␉/*␊
766	␉bytes[patchLocation++] = 0x8B;␊
767	␉bytes[patchLocation++] = 0x15;␊
768	␉bytes[patchLocation++] = (lapicStart & 0x000000FF) >> 0;␊
769	␉bytes[patchLocation++] = (lapicStart & 0x0000FF00) >> 8;␊
770	␉bytes[patchLocation++] = (lapicStart & 0x00FF0000) >> 16;␊
771	␉bytes[patchLocation++] = (lapicStart & 0xFF000000) >> 24;␊
772	␉*/␊
773	␉patchLocation += 6;␊
774	␉␊
775	␉// 81 c2 60 03 00 00 -> addl␉␉ $0x00000320,%edx␊
776	␉/*␊
777	␉bytes[patchLocation++] = 0x81;␊
778	␉bytes[patchLocation++] = 0xC2;␊
779	␉*/␊
780	␉patchLocation += 2;␊
781	␉bytes[patchLocation++] = 0x60;␊
782	␉/*␊
783	␉bytes[patchLocation++];// = 0x03;␊
784	␉bytes[patchLocation++];// = 0x00;␊
785	␉bytes[patchLocation++];// = 0x00;␊
786	␉*/␊
787	␉ patchLocation += 3;␊
788	␊
789	␉// c7 02 00 04 00 00 -> movl␉␉ $0x00000400,(%edx)␊
790	␉bytes[patchLocation++] = 0xC7;␊
791	␉bytes[patchLocation++] = 0x02;␊
792	␉bytes[patchLocation++] = 0x00;␊
793	␉bytes[patchLocation++] = 0x04;␊
794	␉bytes[patchLocation++] = 0x00;␊
795	␉bytes[patchLocation++] = 0x00;␊
796	␉␊
797	␉// 83 ea 40 -> subl␉␉ $0x40,edx␊
798	␉bytes[patchLocation++] = 0x83;␊
799	␉bytes[patchLocation++] = 0xEA;␊
800	␉bytes[patchLocation++] = 0x40;␊
801	␊
802	␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊
803	␉bytes[patchLocation++] = 0xA1;␊
804	␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊
805	␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊
806	␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊
807	␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊
808	␊
809	␉// 83 c0 0e -> addl␉␉ $0x0e,%eax␊
810	␉bytes[patchLocation++] = 0x83;␊
811	␉bytes[patchLocation++] = 0xC0;␊
812	␉bytes[patchLocation++] = 0x0E;␊
813	␊
814	␉// 89 02 -> movl␉␉ %eax,(%edx)␊
815	␉bytes[patchLocation++] = 0x89;␊
816	␉bytes[patchLocation++] = 0x02;␊
817	␉␊
818	␉// 81c230030000␉␉ addl␉␉ $0x00000330,%edx␊
819	␉bytes[patchLocation++] = 0x81;␊
820	␉bytes[patchLocation++] = 0xC2;␊
821	␉bytes[patchLocation++] = 0x30;␊
822	␉bytes[patchLocation++] = 0x03;␊
823	␉bytes[patchLocation++] = 0x00;␊
824	␉bytes[patchLocation++] = 0x00;␊
825	␉␊
826	␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊
827	␉bytes[patchLocation++] = 0xA1;␊
828	␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊
829	␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊
830	␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊
831	␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊
832	␉␊
833	␉// 83 c0 0f -> addl␉␉ $0x0f,%eax␊
834	␉bytes[patchLocation++] = 0x83;␊
835	␉bytes[patchLocation++] = 0xC0;␊
836	␉bytes[patchLocation++] = 0x0F;␊
837	␉␊
838	␉// 89 02 -> movl␉␉ %eax,(%edx)␊
839	␉bytes[patchLocation++] = 0x89;␊
840	␉bytes[patchLocation++] = 0x02;␊
841	␉␊
842	␉// 83 ea 10 -> subl␉␉ $0x10,edx␊
843	␉bytes[patchLocation++] = 0x83;␊
844	␉bytes[patchLocation++] = 0xEA;␊
845	␉bytes[patchLocation++] = 0x10;␊
846	␊
847	␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊
848	␉bytes[patchLocation++] = 0xA1;␊
849	␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊
850	␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊
851	␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊
852	␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊
853	␉␊
854	␉// 83 c0 0c -> addl␉␉ $0x0c,%eax␊
855	␉bytes[patchLocation++] = 0x83;␊
856	␉bytes[patchLocation++] = 0xC0;␊
857	␉bytes[patchLocation++] = 0x0C;␊
858	␊
859	␉// 89 02 -> movl␉␉ %eax,(%edx)␊
860	␉bytes[patchLocation++] = 0x89;␊
861	␉bytes[patchLocation++] = 0x02;␊
862	␊
863	␉// Replace remaining with nops␊
864	␊
865	␊
866	␉bytes[patchLocation++] = 0x90;␊
867	␉bytes[patchLocation++] = 0x90;␊
868	␉bytes[patchLocation++] = 0x90;␊
869	␉bytes[patchLocation++] = 0x90;␊
870	␉//␉bytes[patchLocation++] = 0x90; // double check the lenght of the patch...␊
871	␉//␉bytes[patchLocation++] = 0x90;␊
872	}␊
873

Download this file