1 | /*␊ |
2 | * Copyright (c) 2009-2010 Evan Lojewski. All rights reserved.␊ |
3 | *␊ |
4 | */␊ |
5 | ␊ |
6 | #include "boot.h"␊ |
7 | #include "bootstruct.h" // replaces libsaio.h.␊ |
8 | //#include "libsaio.h"␊ |
9 | #include "kernel_patcher.h"␊ |
10 | #include "platform.h"␊ |
11 | #include "modules.h"␊ |
12 | ␊ |
13 | extern PlatformInfo_t Platform;␊ |
14 | ␊ |
15 | patchRoutine_t* patches = NULL;␊ |
16 | kernSymbols_t* kernelSymbols = NULL;␊ |
17 | ␊ |
18 | ␊ |
19 | void KernelPatcher_start()␊ |
20 | {␊ |
21 | ␉register_kernel_patch(patch_cpuid_set_info_all, KERNEL_ANY, CPUID_MODEL_UNKNOWN); ␊ |
22 | ␊ |
23 | ␉register_kernel_patch(patch_commpage_stuff_routine, KERNEL_ANY, CPUID_MODEL_ANY);␊ |
24 | ␉␊ |
25 | ␉register_kernel_patch(patch_lapic_init, KERNEL_ANY, CPUID_MODEL_ANY);␊ |
26 | ␊ |
27 | ␉// NOTE: following is currently 32bit only␊ |
28 | ␉register_kernel_patch(patch_lapic_configure, KERNEL_32, CPUID_MODEL_ANY);␊ |
29 | ␊ |
30 | ␉␊ |
31 | ␉register_kernel_symbol(KERNEL_ANY, "_panic");␊ |
32 | ␉register_kernel_symbol(KERNEL_ANY, "_cpuid_set_info");␊ |
33 | ␉register_kernel_symbol(KERNEL_ANY, "_pmCPUExitHaltToOff");␊ |
34 | ␉register_kernel_symbol(KERNEL_ANY, "_lapic_init");␊ |
35 | ␉register_kernel_symbol(KERNEL_ANY, "_commpage_stuff_routine");␊ |
36 | ␊ |
37 | ␉// lapic_configure symbols␊ |
38 | ␉register_kernel_symbol(KERNEL_ANY, "_lapic_configure");␊ |
39 | ␉register_kernel_symbol(KERNEL_ANY, "_lapic_start");␊ |
40 | ␉register_kernel_symbol(KERNEL_ANY, "_lapic_interrupt_base");␊ |
41 | ␉␊ |
42 | ␉// lapic_interrup symbols␊ |
43 | ␉//register_kernel_patch(patch_lapic_interrupt, KERNEL_ANY, CPUID_MODEL_ANY);␊ |
44 | ␉//register_kernel_symbol(KERNEL_ANY, "_lapic_interrupt");␊ |
45 | ␊ |
46 | ␊ |
47 | ␉␊ |
48 | ␉// TODO: register needed symbols␊ |
49 | ␉␊ |
50 | ␉␊ |
51 | ␉register_hook_callback("ExecKernel", &patch_kernel); ␊ |
52 | }␊ |
53 | ␊ |
54 | /*␊ |
55 | * Register a kerenl patch␊ |
56 | */␊ |
57 | void register_kernel_patch(void* patch, int arch, int cpus)␊ |
58 | {␊ |
59 | ␉// TODO: only insert valid patches based on current cpuid and architecture␊ |
60 | ␉// AKA, don't at 64bit patches if it's a 32bit only machine␊ |
61 | ␉patchRoutine_t* entry;␊ |
62 | ␉␊ |
63 | ␉// TODO: verify Platform.CPU.Model is populated this early in bootup␊ |
64 | ␉// Check to ensure that the patch is valid on this machine␊ |
65 | ␉// If it is not, exit early form this function␊ |
66 | ␉if(cpus != Platform.CPU.Model)␊ |
67 | ␉{␊ |
68 | ␉␉if(cpus != CPUID_MODEL_ANY)␊ |
69 | ␉␉{␊ |
70 | ␉␉␉if(cpus == CPUID_MODEL_UNKNOWN)␊ |
71 | ␉␉␉{␊ |
72 | ␉␉␉␉switch(Platform.CPU.Model)␊ |
73 | ␉␉␉␉{␊ |
74 | ␉␉␉␉␉case 13:␊ |
75 | ␉␉␉␉␉case CPUID_MODEL_YONAH:␊ |
76 | ␉␉␉␉␉case CPUID_MODEL_MEROM:␊ |
77 | ␉␉␉␉␉case CPUID_MODEL_PENRYN:␊ |
78 | ␉␉␉␉␉case CPUID_MODEL_NEHALEM:␊ |
79 | ␉␉␉␉␉case CPUID_MODEL_FIELDS:␊ |
80 | ␉␉␉␉␉case CPUID_MODEL_DALES:␊ |
81 | ␉␉␉␉␉case CPUID_MODEL_NEHALEM_EX:␊ |
82 | ␉␉␉␉␉␉// Known cpu's we don't want to add the patch␊ |
83 | ␉␉␉␉␉␉return;␊ |
84 | ␉␉␉␉␉␉break;␊ |
85 | ␊ |
86 | ␉␉␉␉␉default:␊ |
87 | ␉␉␉␉␉␉// CPU not in supported list, so we are going to add␊ |
88 | ␉␉␉␉␉␉// The patch will be applied␊ |
89 | ␉␉␉␉␉␉break;␊ |
90 | ␉␉␉␉␉␉␊ |
91 | ␉␉␉␉}␊ |
92 | ␉␉␉}␊ |
93 | ␉␉␉else␊ |
94 | ␉␉␉{␊ |
95 | ␉␉␉␉// Invalid cpuid for current cpu. Ignoring patch␊ |
96 | ␉␉␉␉return;␊ |
97 | ␉␉␉}␊ |
98 | ␊ |
99 | ␉␉}␊ |
100 | ␉}␊ |
101 | ␉␉␊ |
102 | ␉if(patches == NULL)␊ |
103 | ␉{␊ |
104 | ␉␉patches = entry = malloc(sizeof(patchRoutine_t));␊ |
105 | ␉}␊ |
106 | ␉else␊ |
107 | ␉{␊ |
108 | ␉␉entry = patches;␊ |
109 | ␉␉while(entry->next)␊ |
110 | ␉␉{␊ |
111 | ␉␉␉entry = entry->next;␊ |
112 | ␉␉}␊ |
113 | ␉␉␊ |
114 | ␉␉entry->next = malloc(sizeof(patchRoutine_t));␊ |
115 | ␉␉entry = entry->next;␊ |
116 | ␉}␊ |
117 | ␉␊ |
118 | ␉entry->next = NULL;␊ |
119 | ␉entry->patchRoutine = patch;␊ |
120 | ␉entry->validArchs = arch;␊ |
121 | ␉entry->validCpu = cpus;␊ |
122 | }␊ |
123 | ␊ |
124 | void register_kernel_symbol(int kernelType, const char* name)␊ |
125 | {␊ |
126 | ␉if(kernelSymbols == NULL)␊ |
127 | ␉{␊ |
128 | ␉␉kernelSymbols = malloc(sizeof(kernSymbols_t));␊ |
129 | ␉␉kernelSymbols->next = NULL;␊ |
130 | ␉␉kernelSymbols->symbol = (char*)name;␊ |
131 | ␉␉kernelSymbols->addr = 0;␊ |
132 | ␉}␊ |
133 | ␉else {␊ |
134 | ␉␉kernSymbols_t *symbol = kernelSymbols;␊ |
135 | ␉␉while(symbol->next != NULL)␊ |
136 | ␉␉{␊ |
137 | ␉␉␉symbol = symbol->next;␊ |
138 | ␉␉}␊ |
139 | ␉␉␊ |
140 | ␉␉symbol->next = malloc(sizeof(kernSymbols_t));␊ |
141 | ␉␉symbol = symbol->next;␊ |
142 | ␊ |
143 | ␉␉symbol->next = NULL;␊ |
144 | ␉␉symbol->symbol = (char*)name;␊ |
145 | ␉␉symbol->addr = 0;␊ |
146 | ␉}␊ |
147 | }␊ |
148 | ␊ |
149 | kernSymbols_t* lookup_kernel_symbol(const char* name)␊ |
150 | {␊ |
151 | ␉kernSymbols_t *symbol = kernelSymbols;␊ |
152 | ␊ |
153 | ␉while(symbol && strcmp(symbol->symbol, name) !=0)␊ |
154 | ␉{␊ |
155 | ␉␉symbol = symbol->next;␊ |
156 | ␉}␊ |
157 | ␉␊ |
158 | ␉if(!symbol)␊ |
159 | ␉{␊ |
160 | ␉␉return NULL;␊ |
161 | ␉}␊ |
162 | ␉else␊ |
163 | ␉{␊ |
164 | ␉␉return symbol;␊ |
165 | ␉}␊ |
166 | ␊ |
167 | }␊ |
168 | ␊ |
169 | void patch_kernel(void* kernelData, void* arg2, void* arg3, void *arg4)␊ |
170 | {␊ |
171 | ␉bool␉␉␉patchKernel = false; //Kpatcher - default value.␊ |
172 | ␉patchRoutine_t* entry = patches;␊ |
173 | ␊ |
174 | ␉int arch = determineKernelArchitecture(kernelData);␊ |
175 | ␊ |
176 | ␉locate_symbols(kernelData);␊ |
177 | ␊ |
178 | ␉// check if kernel patcher is requested by user.␊ |
179 | ␉getBoolForKey(kKPatcherKey, &patchKernel, &bootInfo->bootConfig);␊ |
180 | ␊ |
181 | ␉if (patches != NULL && patchKernel == true)␊ |
182 | ␉{␊ |
183 | ␉␉while(entry)␊ |
184 | ␉␉{␊ |
185 | ␉␉␉if (entry->validArchs == KERNEL_ANY || arch == entry->validArchs)␊ |
186 | ␉␉␉{␊ |
187 | ␉␉␉␉if (entry->patchRoutine) entry->patchRoutine(kernelData);␊ |
188 | ␉␉␉}␊ |
189 | ␉␉␉entry = entry->next;␊ |
190 | ␉␉}␊ |
191 | ␉}␊ |
192 | }␊ |
193 | ␊ |
194 | int determineKernelArchitecture(void* kernelData)␊ |
195 | {␉␊ |
196 | ␉if(((struct mach_header*)kernelData)->magic == MH_MAGIC)␊ |
197 | ␉{␊ |
198 | ␉␉return KERNEL_32;␊ |
199 | ␉}␊ |
200 | ␉if(((struct mach_header*)kernelData)->magic == MH_MAGIC_64)␊ |
201 | ␉{␊ |
202 | ␉␉return KERNEL_64;␊ |
203 | ␉}␊ |
204 | ␉else␊ |
205 | ␉{␊ |
206 | ␉␉return KERNEL_ERR;␊ |
207 | ␉}␊ |
208 | }␊ |
209 | ␊ |
210 | ␊ |
211 | /**␊ |
212 | **␉␉This functions located the requested symbols in the mach-o file.␊ |
213 | **␉␉␉as well as determines the start of the __TEXT segment and __TEXT,__text sections␊ |
214 | **/␊ |
215 | int locate_symbols(void* kernelData)␊ |
216 | {␊ |
217 | ␉char is64 = 1;␊ |
218 | ␉parse_mach(kernelData, NULL, symbol_handler);␊ |
219 | ␉//handle_symtable((UInt32)kernelData, symtableData, &symbol_handler, determineKernelArchitecture(kernelData) == KERNEL_64);␊ |
220 | ␉return 1 << is64;␊ |
221 | }␊ |
222 | ␊ |
223 | long long symbol_handler(char* symbolName, long long addr, char is64)␊ |
224 | {␊ |
225 | ␉// Locate the symbol in the list, if it exists, update it's address␊ |
226 | ␉kernSymbols_t *symbol = lookup_kernel_symbol(symbolName);␊ |
227 | ␉␊ |
228 | ␉␊ |
229 | ␉␊ |
230 | ␉if(symbol)␊ |
231 | ␉{␊ |
232 | ␊ |
233 | ␉␉//printf("Located %sbit symbol %s at 0x%lX\n", is64 ? "64" : "32", symbolName, addr);␊ |
234 | ␉␉//getc();␊ |
235 | ␉␉␊ |
236 | ␉␉symbol->addr = addr;␊ |
237 | ␉}␊ |
238 | ␉return 0xFFFFFFFF; // fixme␊ |
239 | }␊ |
240 | ␊ |
241 | ␊ |
242 | /**␊ |
243 | ** Locate the fisrt instance of _panic inside of _cpuid_set_info, and either remove it␊ |
244 | ** Or replace it so that the cpuid is set to a valid value.␊ |
245 | **/␊ |
246 | void patch_cpuid_set_info_all(void* kernelData)␊ |
247 | {␊ |
248 | ␉switch(Platform.CPU.Model)␊ |
249 | ␉{␊ |
250 | ␉␉case CPUID_MODEL_ATOM:␊ |
251 | ␉␉␉if(determineKernelArchitecture(kernelData) == KERNEL_32)␊ |
252 | ␉␉␉{␊ |
253 | ␉␉␉␉patch_cpuid_set_info_32(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN); ␊ |
254 | ␉␉␉}␊ |
255 | ␉␉␉else ␊ |
256 | ␉␉␉{␊ |
257 | ␉␉␉␉patch_cpuid_set_info_64(kernelData, CPUFAMILY_INTEL_PENRYN, CPUID_MODEL_PENRYN); ␊ |
258 | ␊ |
259 | ␉␉␉}␊ |
260 | ␊ |
261 | ␉␉␉break;␊ |
262 | ␉␉␉␊ |
263 | ␉␉default:␊ |
264 | ␉␉␉if(determineKernelArchitecture(kernelData) == KERNEL_32)␊ |
265 | ␉␉␉{␊ |
266 | ␉␉␉␉patch_cpuid_set_info_32(kernelData, 0, 0);␊ |
267 | ␉␉␉}␊ |
268 | ␉␉␉else␊ |
269 | ␉␉␉{␊ |
270 | ␉␉␉␉patch_cpuid_set_info_64(kernelData, 0, 0);␊ |
271 | ␉␉␉}␊ |
272 | ␊ |
273 | ␉␉␉break;␊ |
274 | ␉}␊ |
275 | }␊ |
276 | ␊ |
277 | void patch_cpuid_set_info_64(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)␊ |
278 | {␊ |
279 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
280 | ␉␊ |
281 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_cpuid_set_info");␊ |
282 | ␉␊ |
283 | ␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //␉(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);␊ |
284 | ␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊ |
285 | ␉␊ |
286 | ␉␊ |
287 | ␉␊ |
288 | ␉UInt32 jumpLocation = 0;␊ |
289 | ␉␊ |
290 | ␉␊ |
291 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
292 | ␉{␊ |
293 | ␉␉printf("Unable to locate _cpuid_set_info\n");␊ |
294 | ␉␉return;␊ |
295 | ␉␉␊ |
296 | ␉}␊ |
297 | ␉␊ |
298 | ␉symbol = lookup_kernel_symbol("_panic");␊ |
299 | ␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; //kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;␊ |
300 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
301 | ␉{␊ |
302 | ␉␉printf("Unable to locate _panic\n");␊ |
303 | ␉␉return;␊ |
304 | ␉}␊ |
305 | ␉panicAddr -= (UInt32)kernelData;␊ |
306 | ␉␊ |
307 | ␉␊ |
308 | ␉␊ |
309 | ␉//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)␊ |
310 | ␉while( ␊ |
311 | ␉␉ (bytes[patchLocation -1] != 0xE8) ||␊ |
312 | ␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 | ␊ |
313 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 | ␊ |
314 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 |␊ |
315 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊ |
316 | ␉␉ )␊ |
317 | ␉{␊ |
318 | ␉␉patchLocation++;␊ |
319 | ␉}␊ |
320 | ␉patchLocation--;␊ |
321 | ␉␊ |
322 | ␉verbose("0x%X 0x%X 0x%X 0x%X 0x%X\n", bytes[patchLocation ], bytes[patchLocation +1], bytes[patchLocation +2], bytes[patchLocation +3], bytes[patchLocation +4]);␊ |
323 | ␉␊ |
324 | ␉// Remove panic just in case␊ |
325 | ␉// The panic instruction is exactly 5 bytes long.␊ |
326 | ␉bytes[patchLocation + 0] = 0x90;␊ |
327 | ␉bytes[patchLocation + 1] = 0x90;␊ |
328 | ␉bytes[patchLocation + 2] = 0x90;␊ |
329 | ␉bytes[patchLocation + 3] = 0x90;␊ |
330 | ␉bytes[patchLocation + 4] = 0x90;␊ |
331 | ␉verbose("0x%X 0x%X 0x%X 0x%X 0x%X\n", bytes[patchLocation ], bytes[patchLocation +1], bytes[patchLocation +2], bytes[patchLocation +3], bytes[patchLocation +4]);␊ |
332 | ␉␊ |
333 | ␉// Check for a 10.2.0+ kernel␊ |
334 | ␉if(bytes[patchLocation - 19] == 0xC7 && bytes[patchLocation - 18] == 0x05)␊ |
335 | ␉{␊ |
336 | ␉␉␊ |
337 | ␉␉UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 17] << 0 |␊ |
338 | ␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 16] << 8 |␊ |
339 | ␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 15] << 16 |␊ |
340 | ␉␉␉␉␉␉␉␉␉␉bytes[patchLocation - 14] << 24;␊ |
341 | ␉␉␊ |
342 | ␉␉// NOTE: may change, determined based on cpuid_info struct␊ |
343 | ␉␉UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 310; ␊ |
344 | ␉␉␊ |
345 | ␉␉␊ |
346 | ␉␉//ffffff8000228b3b -> 0x00490e8b␊ |
347 | ␉␉//ffffff8000228c28 -> -237 -> 0x490D9E -> -310␊ |
348 | ␉␉␊ |
349 | ␉␉␊ |
350 | ␉␉// The mov is 10 bytes␊ |
351 | ␉␉/*␊ |
352 | ␉␉ bytes[patchLocation - 19] = 0x90;␉// c7␊ |
353 | ␉␉ bytes[patchLocation - 18] = 0x90;␉// 05␊ |
354 | ␉␉ bytes[patchLocation - 17] = 0x90;␉// family location␊ |
355 | ␉␉ bytes[patchLocation - 16] = 0x90;␉// family location␊ |
356 | ␉␉ bytes[patchLocation - 15] = 0x90;␉// family location␊ |
357 | ␉␉ bytes[patchLocation - 14] = 0x90;␉// family location␊ |
358 | ␉␉ */␊ |
359 | ␉␉bytes[patchLocation - 13] = (impersonateFamily & 0x000000FF) >> 0;␊ |
360 | ␉␉bytes[patchLocation - 12] = (impersonateFamily & 0x0000FF00) >> 8;␊ |
361 | ␉␉bytes[patchLocation - 11] = (impersonateFamily & 0x00FF0000) >> 16;␉␊ |
362 | ␉␉bytes[patchLocation - 10] = (impersonateFamily & 0xFF000000) >> 24;␊ |
363 | ␉␉␊ |
364 | ␉␉␊ |
365 | ␉␉// The lea (%rip),%rip is 7 bytes␊ |
366 | ␉␉bytes[patchLocation - 9] = 0xC7;␊ |
367 | ␉␉bytes[patchLocation - 8] = 0x05;␊ |
368 | ␉␉bytes[patchLocation - 7] = ((cpuid_model_addr -10) & 0x000000FF) >> 0;␉// NOTE: this opcode is relative in 64bit mode, subtract offset␊ |
369 | ␉␉bytes[patchLocation - 6] = ((cpuid_model_addr -10) & 0x0000FF00) >> 8;␉␊ |
370 | ␉␉bytes[patchLocation - 5] = ((cpuid_model_addr -10) & 0x00FF0000) >> 16;␊ |
371 | ␉␉bytes[patchLocation - 4] = ((cpuid_model_addr -10) & 0xFF000000) >> 24;␊ |
372 | ␉␉bytes[patchLocation - 3] = impersonateModel;␉// cpuid_model␊ |
373 | ␉␉␊ |
374 | ␉␉ ␊ |
375 | ␉␉ ␊ |
376 | ␉␉ // The xor eax eax is 2 bytes␊ |
377 | ␉␉bytes[patchLocation - 2] = 0x01;␉// cpuid_extmodel␊ |
378 | ␉␉bytes[patchLocation - 1] = 0x00;␉// cpuid_extfamily␊ |
379 | ␉␉␊ |
380 | ␉␉// The panic instruction is exactly 5 bytes long.␊ |
381 | ␉␉bytes[patchLocation - 0] = 0x02;␉// cpuid_stepping␊ |
382 | ␉␉/*bytes[patchLocation + 1] = 0x90;␊ |
383 | ␉␉bytes[patchLocation + 2] = 0x90;␊ |
384 | ␉␉bytes[patchLocation + 3] = 0x90;␊ |
385 | ␉␉bytes[patchLocation + 4] = 0x90;␊ |
386 | ␉␉*/␊ |
387 | ␉␉␊ |
388 | ␉␉// Panic call has been removed.␊ |
389 | ␉␉// Override the CPUID now. This requires ~ 10 bytes on 10.0.0 kernels␊ |
390 | ␉␉// On 10.2.0+ kernels, this requires ~16 bytes␊ |
391 | ␉␉␊ |
392 | ␉␉// Total: 24 bytes␊ |
393 | ␉␉printf("Running on a 10.2.0+ kernel\n");␊ |
394 | ␉␉getc();␊ |
395 | ␊ |
396 | ␉}␊ |
397 | ␉else {␊ |
398 | ␉␉printf("Running on a 10.0.0 kernel, patch unsupported\n");␊ |
399 | ␉␉getc();␊ |
400 | ␉}␊ |
401 | ␊ |
402 | ␉␊ |
403 | }␊ |
404 | ␊ |
405 | void patch_cpuid_set_info_32(void* kernelData, UInt32 impersonateFamily, UInt8 impersonateModel)␊ |
406 | {␊ |
407 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
408 | ␉␊ |
409 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_cpuid_set_info");␊ |
410 | ␊ |
411 | ␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //␉(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);␊ |
412 | ␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊ |
413 | ␉␊ |
414 | ␉␊ |
415 | ␊ |
416 | ␉UInt32 jumpLocation = 0;␊ |
417 | ␉␊ |
418 | ␉␊ |
419 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
420 | ␉{␊ |
421 | ␉␉printf("Unable to locate _cpuid_set_info\n");␊ |
422 | ␉␉return;␊ |
423 | ␉␉␊ |
424 | ␉}␊ |
425 | ␊ |
426 | ␉symbol = lookup_kernel_symbol("_panic");␊ |
427 | ␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; //kernelSymbolAddresses[SYMBOL_PANIC] - textAddress;␊ |
428 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
429 | ␉{␊ |
430 | ␉␉printf("Unable to locate _panic\n");␊ |
431 | ␉␉return;␊ |
432 | ␉}␊ |
433 | ␉panicAddr -= (UInt32)kernelData;␊ |
434 | ␊ |
435 | ␉␊ |
436 | ␉␊ |
437 | ␉//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)␊ |
438 | ␉while( ␊ |
439 | ␉␉ (bytes[patchLocation -1] != 0xE8) ||␊ |
440 | ␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 | ␊ |
441 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 | ␊ |
442 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 |␊ |
443 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊ |
444 | ␉␉ )␊ |
445 | ␉{␊ |
446 | ␉␉patchLocation++;␊ |
447 | ␉}␊ |
448 | ␉patchLocation--;␊ |
449 | ␉␊ |
450 | ␉verbose("0x%X 0x%X 0x%X 0x%X 0x%X\n", bytes[patchLocation ], bytes[patchLocation +1], bytes[patchLocation +2], bytes[patchLocation +3], bytes[patchLocation +4]);␊ |
451 | ␊ |
452 | ␉// Remove panic call, just in case the following patch routines fail␊ |
453 | ␉bytes[patchLocation + 0] = 0x90;␊ |
454 | ␉bytes[patchLocation + 1] = 0x90;␊ |
455 | ␉bytes[patchLocation + 2] = 0x90;␊ |
456 | ␉bytes[patchLocation + 3] = 0x90;␊ |
457 | ␉bytes[patchLocation + 4] = 0x90;␊ |
458 | ␉verbose("0x%X 0x%X 0x%X 0x%X 0x%X\n", bytes[patchLocation ], bytes[patchLocation +1], bytes[patchLocation +2], bytes[patchLocation +3], bytes[patchLocation +4]);␊ |
459 | ␉␊ |
460 | ␉␊ |
461 | ␉// Locate the jump call, so that 10 bytes can be reclamed.␊ |
462 | ␉// NOTE: This will *NOT* be located on pre 10.6.2 kernels␊ |
463 | ␉jumpLocation = patchLocation - 15;␊ |
464 | ␉while((bytes[jumpLocation - 1] != 0x77 ||␊ |
465 | ␉␉ bytes[jumpLocation] != (patchLocation - jumpLocation - -8)) &&␊ |
466 | ␉␉ (patchLocation - jumpLocation) < 0xF0)␊ |
467 | ␉{␊ |
468 | ␉␉jumpLocation--;␊ |
469 | ␉}␊ |
470 | ␉␊ |
471 | ␉// If found... AND we want to impersonate a specific cpumodel / family...␊ |
472 | ␉if(impersonateFamily &&␊ |
473 | ␉ impersonateModel &&␊ |
474 | ␉ ((patchLocation - jumpLocation) < 0xF0))␊ |
475 | ␉{␊ |
476 | ␉␉␊ |
477 | ␉␉bytes[jumpLocation] -= 10;␉␉// sizeof(movl␉$0x6b5a4cd2,0x00872eb4) = 10bytes␊ |
478 | ␉␉␊ |
479 | ␉␉/* ␊ |
480 | ␉␉ * Inpersonate the specified CPU FAMILY and CPU Model␊ |
481 | ␉␉ */␊ |
482 | ␉␉␊ |
483 | ␉␉// bytes[patchLocation - 17] = 0xC7;␉// already here... not needed to be done␊ |
484 | ␉␉// bytes[patchLocation - 16] = 0x05;␉// see above␊ |
485 | ␉␉UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0 |␊ |
486 | ␉␉bytes[patchLocation - 14] << 8 |␊ |
487 | ␉␉bytes[patchLocation - 13] << 16 |␊ |
488 | ␉␉bytes[patchLocation - 12] << 24;␊ |
489 | ␉␉␊ |
490 | ␉␉// NOTE: may change, determined based on cpuid_info struct␊ |
491 | ␉␉UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299; ␊ |
492 | ␉␉␊ |
493 | ␉␉␊ |
494 | ␉␉// cpufamily␊ |
495 | ␉␉bytes[patchLocation - 11] = (impersonateFamily & 0x000000FF) >> 0;␊ |
496 | ␉␉bytes[patchLocation - 10] = (impersonateFamily & 0x0000FF00) >> 8;␊ |
497 | ␉␉bytes[patchLocation - 9] = (impersonateFamily & 0x00FF0000) >> 16;␉␊ |
498 | ␉␉bytes[patchLocation - 8] = (impersonateFamily & 0xFF000000) >> 24;␊ |
499 | ␉␉␊ |
500 | ␉␉// NOPS, just in case if the jmp call wasn't patched, we'll jump to a␊ |
501 | ␉␉// nop and continue with the rest of the patch␊ |
502 | ␉␉// Yay two free bytes :), 10 more can be reclamed if needed, as well as a few␊ |
503 | ␉␉// from the above code (only cpuid_model needs to be set.␊ |
504 | ␉␉bytes[patchLocation - 7] = 0x90;␊ |
505 | ␉␉bytes[patchLocation - 6] = 0x90;␊ |
506 | ␉␉␊ |
507 | ␉␉bytes[patchLocation - 5] = 0xC7;␊ |
508 | ␉␉bytes[patchLocation - 4] = 0x05;␊ |
509 | ␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊ |
510 | ␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊ |
511 | ␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊ |
512 | ␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊ |
513 | ␉␉␊ |
514 | ␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊ |
515 | ␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊ |
516 | ␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊ |
517 | ␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊ |
518 | ␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊ |
519 | ␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊ |
520 | ␉␉␊ |
521 | ␉}␊ |
522 | ␉else if(impersonateFamily && impersonateModel)␊ |
523 | ␉{␊ |
524 | ␉␉// pre 10.6.2 kernel␊ |
525 | ␉␉// Locate the jump to directly *after* the panic call,␊ |
526 | ␉␉jumpLocation = patchLocation - 4;␊ |
527 | ␉␉while((bytes[jumpLocation - 1] != 0x77 ||␊ |
528 | ␉␉␉ bytes[jumpLocation] != (patchLocation - jumpLocation + 4)) &&␊ |
529 | ␉␉␉ (patchLocation - jumpLocation) < 0x20)␊ |
530 | ␉␉{␊ |
531 | ␉␉␉jumpLocation--;␊ |
532 | ␉␉}␊ |
533 | ␉␉// NOTE above isn't needed (I was going to use it, but I'm not, so instead,␊ |
534 | ␉␉// I'll just leave it to verify the binary stucture.␊ |
535 | ␉␉␊ |
536 | ␉␉// NOTE: the cpumodel_familt data is not set in _cpuid_set_info␊ |
537 | ␉␉// so we don't need to set it here, I'll get set later based on the model␊ |
538 | ␉␉// we set now.␊ |
539 | ␉␉␊ |
540 | ␉␉if((patchLocation - jumpLocation) < 0x20)␊ |
541 | ␉␉{␊ |
542 | ␉␉␉UInt32 cpuid_model_addr =␉(bytes[patchLocation - 14] << 0 |␊ |
543 | ␉␉␉␉␉␉␉␉␉␉ bytes[patchLocation - 13] << 8 |␊ |
544 | ␉␉␉␉␉␉␉␉␉␉ bytes[patchLocation - 12] << 16 |␊ |
545 | ␉␉␉␉␉␉␉␉␉␉ bytes[patchLocation - 11] << 24);␊ |
546 | ␉␉␉// Remove jump␊ |
547 | ␉␉␉bytes[patchLocation - 9] = 0x90;␉␉/// Was a jump if supported cpu␊ |
548 | ␉␉␉bytes[patchLocation - 8] = 0x90;␉␉// jumped past the panic call, we want to override the panic␊ |
549 | ␉␉␉␊ |
550 | ␉␉␉bytes[patchLocation - 7] = 0x90;␊ |
551 | ␉␉␉bytes[patchLocation - 6] = 0x90;␊ |
552 | ␉␉␉␊ |
553 | ␉␉␉bytes[patchLocation - 5] = 0xC7;␊ |
554 | ␉␉␉bytes[patchLocation - 4] = 0x05;␊ |
555 | ␉␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊ |
556 | ␉␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊ |
557 | ␉␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊ |
558 | ␉␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊ |
559 | ␉␉␉␊ |
560 | ␉␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊ |
561 | ␉␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊ |
562 | ␉␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊ |
563 | ␉␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊ |
564 | ␉␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊ |
565 | ␉␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊ |
566 | ␉␉␉␊ |
567 | ␉␉␉␊ |
568 | ␉␉␉␊ |
569 | ␉␉␉patchLocation = jumpLocation;␊ |
570 | ␉␉␉// We now have 14 bytes available for a patch␊ |
571 | ␉␉␉␊ |
572 | ␉␉}␊ |
573 | ␉␉else ␊ |
574 | ␉␉{␊ |
575 | ␉␉␉// Patching failed, using NOP replacement done initialy␊ |
576 | ␉␉}␊ |
577 | ␉}␊ |
578 | ␉else ␊ |
579 | ␉{␊ |
580 | ␉␉// Either We were unable to change the jump call due to the function's sctructure␊ |
581 | ␉␉// changing, or the user did not request a patch. As such, resort to just ␊ |
582 | ␉␉// removing the panic call (using NOP replacement above). Note that the␊ |
583 | ␉␉// IntelCPUPM kext may still panic due to the cpu's Model ID not being patched␊ |
584 | ␉}␊ |
585 | }␊ |
586 | ␊ |
587 | ␊ |
588 | /**␊ |
589 | ** SleepEnabler.kext replacement (for those that need it)␊ |
590 | ** Located the KERN_INVALID_ARGUMENT return and replace it with KERN_SUCCESS␊ |
591 | **/␊ |
592 | void patch_pmCPUExitHaltToOff(void* kernelData)␊ |
593 | {␊ |
594 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
595 | ␊ |
596 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_PmCpuExitHaltToOff");␊ |
597 | ␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0;␊ |
598 | ␉␊ |
599 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
600 | ␉{␊ |
601 | ␉␉printf("Unable to locate _pmCPUExitHaltToOff\n");␊ |
602 | ␉␉return;␊ |
603 | ␉}␊ |
604 | ␉␊ |
605 | ␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊ |
606 | ␉␊ |
607 | ␉␊ |
608 | ␉␊ |
609 | ␉while(bytes[patchLocation - 1]␉!= 0xB8 ||␊ |
610 | ␉␉ bytes[patchLocation]␉␉!= 0x04 ||␉// KERN_INVALID_ARGUMENT (0x00000004)␊ |
611 | ␉␉ bytes[patchLocation + 1]␉!= 0x00 ||␉// KERN_INVALID_ARGUMENT␊ |
612 | ␉␉ bytes[patchLocation + 2]␉!= 0x00 ||␉// KERN_INVALID_ARGUMENT␊ |
613 | ␉␉ bytes[patchLocation + 3]␉!= 0x00)␉// KERN_INVALID_ARGUMENT␊ |
614 | ␊ |
615 | ␉{␊ |
616 | ␉␉patchLocation++;␊ |
617 | ␉}␊ |
618 | ␉bytes[patchLocation] = 0x00;␉// KERN_SUCCESS;␊ |
619 | }␊ |
620 | ␊ |
621 | void patch_lapic_init(void* kernelData)␊ |
622 | {␊ |
623 | ␊ |
624 | ␉UInt8 panicIndex = 0;␊ |
625 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
626 | ␉␊ |
627 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_init");␊ |
628 | ␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; ␊ |
629 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
630 | ␉{␊ |
631 | ␉␉printf("Unable to locate %s\n", "_lapic_init");␊ |
632 | ␉␉return;␊ |
633 | ␉␉␊ |
634 | ␉}␊ |
635 | ␉␊ |
636 | ␉symbol = lookup_kernel_symbol("_panic");␊ |
637 | ␉UInt32 panicAddr = symbol ? symbol->addr - textAddress: 0; ␊ |
638 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
639 | ␉{␊ |
640 | ␉␉printf("Unable to locate %s\n", "_panic");␊ |
641 | ␉␉return;␊ |
642 | ␉}␊ |
643 | ␉␊ |
644 | ␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊ |
645 | ␉panicAddr -= (UInt32)kernelData;␉// Remove offset␊ |
646 | ␊ |
647 | ␉␊ |
648 | ␉␊ |
649 | ␉␊ |
650 | ␉// Locate the (panicIndex + 1) panic call␊ |
651 | ␉while(panicIndex < 3)␉// Find the third panic call␊ |
652 | ␉{␊ |
653 | ␉␉while( ␊ |
654 | ␉␉␉ (bytes[patchLocation -1] != 0xE8) ||␊ |
655 | ␉␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 | ␊ |
656 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 | ␊ |
657 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 |␊ |
658 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊ |
659 | ␉␉␉ )␊ |
660 | ␉␉{␊ |
661 | ␉␉␉patchLocation++;␊ |
662 | ␉␉}␊ |
663 | ␉␉patchLocation++;␊ |
664 | ␉␉panicIndex++;␊ |
665 | ␉}␊ |
666 | ␉patchLocation--;␉// Remove extra increment from the < 3 while loop␊ |
667 | ␉␊ |
668 | ␉bytes[--patchLocation] = 0x90;␉␊ |
669 | ␉bytes[++patchLocation] = 0x90;␊ |
670 | ␉bytes[++patchLocation] = 0x90;␊ |
671 | ␉bytes[++patchLocation] = 0x90;␊ |
672 | ␉bytes[++patchLocation] = 0x90;␊ |
673 | ␉␊ |
674 | ␉␊ |
675 | }␊ |
676 | ␊ |
677 | ␊ |
678 | void patch_commpage_stuff_routine(void* kernelData)␊ |
679 | {␊ |
680 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
681 | ␊ |
682 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_commpage_stuff_routine");␊ |
683 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
684 | ␉{␊ |
685 | ␉␉verbose("Unable to locate %s\n", "_commpage_stuff_routine");␊ |
686 | ␉␉return;␊ |
687 | ␉␉␊ |
688 | ␉}␊ |
689 | ␉␊ |
690 | ␉UInt32 patchLocation = symbol->addr - textAddress + textSection; ␊ |
691 | ␊ |
692 | ␉␊ |
693 | ␉symbol = lookup_kernel_symbol("_panic");␊ |
694 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
695 | ␉{␊ |
696 | ␉␉printf("Unable to locate %s\n", "_panic");␊ |
697 | ␉␉return;␊ |
698 | ␉}␊ |
699 | ␉UInt32 panicAddr = symbol->addr - textAddress; ␊ |
700 | ␊ |
701 | ␉patchLocation -= (UInt32)kernelData;␊ |
702 | ␉panicAddr -= (UInt32)kernelData;␊ |
703 | ␉␊ |
704 | ␉while( ␊ |
705 | ␉␉ (bytes[patchLocation -1] != 0xE8) ||␊ |
706 | ␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 | ␊ |
707 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 | ␊ |
708 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 |␊ |
709 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊ |
710 | ␉␉ )␊ |
711 | ␉{␊ |
712 | ␉␉patchLocation++;␊ |
713 | ␉}␊ |
714 | ␉patchLocation--;␊ |
715 | ␉␊ |
716 | ␉// Replace panic with nops␊ |
717 | ␉bytes[patchLocation + 0] = 0x90;␊ |
718 | ␉bytes[patchLocation + 1] = 0x90;␊ |
719 | ␉bytes[patchLocation + 2] = 0x90;␊ |
720 | ␉bytes[patchLocation + 3] = 0x90;␊ |
721 | ␉bytes[patchLocation + 4] = 0x90;␊ |
722 | ␉␊ |
723 | ␉␊ |
724 | }␊ |
725 | ␊ |
726 | void patch_lapic_interrupt(void* kernelData)␊ |
727 | {␊ |
728 | ␉// NOTE: this is a hack untill I finish patch_lapic_configure␊ |
729 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
730 | ␉␊ |
731 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_interrupt");␊ |
732 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
733 | ␉{␊ |
734 | ␉␉printf("Unable to locate %s\n", "_lapic_interrupt");␊ |
735 | ␉␉return;␊ |
736 | ␉␉␊ |
737 | ␉}␊ |
738 | ␉␊ |
739 | ␉UInt32 patchLocation = symbol->addr - textAddress + textSection; ␊ |
740 | ␉␊ |
741 | ␉␊ |
742 | ␉symbol = lookup_kernel_symbol("_panic");␊ |
743 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
744 | ␉{␊ |
745 | ␉␉printf("Unable to locate %s\n", "_panic");␊ |
746 | ␉␉return;␊ |
747 | ␉}␊ |
748 | ␉UInt32 panicAddr = symbol->addr - textAddress; ␊ |
749 | ␉␊ |
750 | ␉patchLocation -= (UInt32)kernelData;␊ |
751 | ␉panicAddr -= (UInt32)kernelData;␊ |
752 | ␉␊ |
753 | ␉while( ␊ |
754 | ␉␉ (bytes[patchLocation -1] != 0xE8) ||␊ |
755 | ␉␉ ( ( (UInt32)(panicAddr - patchLocation - 4) + textSection ) != (UInt32)((bytes[patchLocation + 0] << 0 | ␊ |
756 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 1] << 8 | ␊ |
757 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 2] << 16 |␊ |
758 | ␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉␉bytes[patchLocation + 3] << 24)))␊ |
759 | ␉␉ )␊ |
760 | ␉{␊ |
761 | ␉␉patchLocation++;␊ |
762 | ␉}␊ |
763 | ␉patchLocation--;␊ |
764 | ␉␊ |
765 | ␉// Replace panic with nops␊ |
766 | ␉bytes[patchLocation + 0] = 0x90;␊ |
767 | ␉bytes[patchLocation + 1] = 0x90;␊ |
768 | ␉bytes[patchLocation + 2] = 0x90;␊ |
769 | ␉bytes[patchLocation + 3] = 0x90;␊ |
770 | ␉bytes[patchLocation + 4] = 0x90;␊ |
771 | ␉␊ |
772 | ␉␊ |
773 | }␊ |
774 | ␊ |
775 | ␊ |
776 | void patch_lapic_configure(void* kernelData)␊ |
777 | {␊ |
778 | ␉UInt8* bytes = (UInt8*)kernelData;␊ |
779 | ␉␊ |
780 | ␉UInt32 patchLocation;␊ |
781 | ␉UInt32 lapicStart;␊ |
782 | ␉UInt32 lapicInterruptBase;␊ |
783 | ␉␊ |
784 | ␉kernSymbols_t *symbol = lookup_kernel_symbol("_lapic_configure");␊ |
785 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
786 | ␉{␊ |
787 | ␉␉printf("Unable to locate %s\n", "_lapic_configure");␊ |
788 | ␉␉return;␊ |
789 | ␉}␊ |
790 | ␉patchLocation = symbol->addr - textAddress + textSection; ␊ |
791 | ␉␊ |
792 | ␉symbol = lookup_kernel_symbol("_lapic_start");␊ |
793 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
794 | ␉{␊ |
795 | ␉␉printf("Unable to locate %s\n", "_lapic_start");␊ |
796 | ␉␉return;␊ |
797 | ␉}␊ |
798 | ␉lapicStart = symbol->addr; ␊ |
799 | ␊ |
800 | ␊ |
801 | ␉symbol = lookup_kernel_symbol("_lapic_interrupt_base");␊ |
802 | ␉if(symbol == 0 || symbol->addr == 0)␊ |
803 | ␉{␊ |
804 | ␉␉printf("Unable to locate %s\n", "_lapic_interrupt_base");␊ |
805 | ␉␉return;␊ |
806 | ␉}␊ |
807 | ␉lapicInterruptBase = symbol->addr;␊ |
808 | ␉patchLocation -= (UInt32)kernelData;␊ |
809 | ␉lapicStart -= (UInt32)kernelData;␊ |
810 | ␉lapicInterruptBase -= (UInt32)kernelData;␊ |
811 | ␉␊ |
812 | ␉␊ |
813 | ␉// Looking for the following:␊ |
814 | ␉//movl _lapic_start,%e_x␊ |
815 | ␉//addl $0x00000320,%e_x␊ |
816 | ␉// 8b 15 __ __ __ __ 81 c2 20 03 00 00␊ |
817 | ␉while( ␊ |
818 | ␉␉ (bytes[patchLocation - 2] != 0x8b) ||␊ |
819 | ␉␉ //bytes[patchLocation -1] != 0x15) ||␉// Register, we don't care what it is␊ |
820 | ␉␉ ( lapicStart != (UInt32)(␊ |
821 | ␉␉␉␉␉␉␉␉␉(bytes[patchLocation + 0] << 0 | ␊ |
822 | ␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 1] << 8 | ␊ |
823 | ␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 2] << 16 |␊ |
824 | ␉␉␉␉␉␉␉␉␉ bytes[patchLocation + 3] << 24␊ |
825 | ␉␉␉␉␉␉␉␉␉)␊ |
826 | ␉␉␉␉␉␉␉␉ )␊ |
827 | ␉␉ ) || ␊ |
828 | ␉␉ (bytes[patchLocation + 4 ] != 0x81) ||␊ |
829 | ␉␉ //(bytes[patchLocation + 5 ] != 0Cx2) ||␉// register␊ |
830 | ␉␉ (bytes[patchLocation + 6 ] != 0x20) ||␊ |
831 | ␉␉ (bytes[patchLocation + 7 ] != 0x03) ||␊ |
832 | ␉␉ (bytes[patchLocation + 8 ] != 0x00) ||␊ |
833 | ␉␉ (bytes[patchLocation + 9] != 0x00)␊ |
834 | ␊ |
835 | ␉␉ )␊ |
836 | ␉{␊ |
837 | ␉␉patchLocation++;␊ |
838 | ␉}␊ |
839 | ␉patchLocation-=2;␊ |
840 | ␊ |
841 | ␉// NOTE: this is currently hardcoded, change it to be more resilient to changes␊ |
842 | ␉// At a minimum, I should have this do a cheksup first and if not matching, remove the panic instead.␊ |
843 | ␉␊ |
844 | ␉// 8b 15 __ __ __ __ -> movl␉␉ _lapic_start,%edx (NOTE: this should already be here)␊ |
845 | ␉/*␊ |
846 | ␉bytes[patchLocation++] = 0x8B;␊ |
847 | ␉bytes[patchLocation++] = 0x15;␊ |
848 | ␉bytes[patchLocation++] = (lapicStart & 0x000000FF) >> 0;␊ |
849 | ␉bytes[patchLocation++] = (lapicStart & 0x0000FF00) >> 8;␊ |
850 | ␉bytes[patchLocation++] = (lapicStart & 0x00FF0000) >> 16;␊ |
851 | ␉bytes[patchLocation++] = (lapicStart & 0xFF000000) >> 24;␊ |
852 | ␉*/␊ |
853 | ␉patchLocation += 6;␊ |
854 | ␉␊ |
855 | ␉// 81 c2 60 03 00 00 -> addl␉␉ $0x00000320,%edx␊ |
856 | ␉/*␊ |
857 | ␉bytes[patchLocation++] = 0x81;␊ |
858 | ␉bytes[patchLocation++] = 0xC2;␊ |
859 | ␉*/␊ |
860 | ␉patchLocation += 2;␊ |
861 | ␉bytes[patchLocation++] = 0x60;␊ |
862 | ␉/*␊ |
863 | ␉bytes[patchLocation++];// = 0x03;␊ |
864 | ␉bytes[patchLocation++];// = 0x00;␊ |
865 | ␉bytes[patchLocation++];// = 0x00;␊ |
866 | ␉*/␊ |
867 | ␉ patchLocation += 3;␊ |
868 | ␊ |
869 | ␉// c7 02 00 04 00 00 -> movl␉␉ $0x00000400,(%edx)␊ |
870 | ␉bytes[patchLocation++] = 0xC7;␊ |
871 | ␉bytes[patchLocation++] = 0x02;␊ |
872 | ␉bytes[patchLocation++] = 0x00;␊ |
873 | ␉bytes[patchLocation++] = 0x04;␊ |
874 | ␉bytes[patchLocation++] = 0x00;␊ |
875 | ␉bytes[patchLocation++] = 0x00;␊ |
876 | ␉␊ |
877 | ␉// 83 ea 40 -> subl␉␉ $0x40,edx␊ |
878 | ␉bytes[patchLocation++] = 0x83;␊ |
879 | ␉bytes[patchLocation++] = 0xEA;␊ |
880 | ␉bytes[patchLocation++] = 0x40;␊ |
881 | ␊ |
882 | ␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊ |
883 | ␉bytes[patchLocation++] = 0xA1;␊ |
884 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊ |
885 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊ |
886 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊ |
887 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊ |
888 | ␊ |
889 | ␉// 83 c0 0e -> addl␉␉ $0x0e,%eax␊ |
890 | ␉bytes[patchLocation++] = 0x83;␊ |
891 | ␉bytes[patchLocation++] = 0xC0;␊ |
892 | ␉bytes[patchLocation++] = 0x0E;␊ |
893 | ␊ |
894 | ␉// 89 02 -> movl␉␉ %eax,(%edx)␊ |
895 | ␉bytes[patchLocation++] = 0x89;␊ |
896 | ␉bytes[patchLocation++] = 0x02;␊ |
897 | ␉␊ |
898 | ␉// 81c230030000␉␉ addl␉␉ $0x00000330,%edx␊ |
899 | ␉bytes[patchLocation++] = 0x81;␊ |
900 | ␉bytes[patchLocation++] = 0xC2;␊ |
901 | ␉bytes[patchLocation++] = 0x30;␊ |
902 | ␉bytes[patchLocation++] = 0x03;␊ |
903 | ␉bytes[patchLocation++] = 0x00;␊ |
904 | ␉bytes[patchLocation++] = 0x00;␊ |
905 | ␉␊ |
906 | ␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊ |
907 | ␉bytes[patchLocation++] = 0xA1;␊ |
908 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊ |
909 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊ |
910 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊ |
911 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊ |
912 | ␉␊ |
913 | ␉// 83 c0 0f -> addl␉␉ $0x0f,%eax␊ |
914 | ␉bytes[patchLocation++] = 0x83;␊ |
915 | ␉bytes[patchLocation++] = 0xC0;␊ |
916 | ␉bytes[patchLocation++] = 0x0F;␊ |
917 | ␉␊ |
918 | ␉// 89 02 -> movl␉␉ %eax,(%edx)␊ |
919 | ␉bytes[patchLocation++] = 0x89;␊ |
920 | ␉bytes[patchLocation++] = 0x02;␊ |
921 | ␉␊ |
922 | ␉// 83 ea 10 -> subl␉␉ $0x10,edx␊ |
923 | ␉bytes[patchLocation++] = 0x83;␊ |
924 | ␉bytes[patchLocation++] = 0xEA;␊ |
925 | ␉bytes[patchLocation++] = 0x10;␊ |
926 | ␊ |
927 | ␉// a1 __ __ __ __ -> movl␉␉ _lapic_interrupt_base,%eax␊ |
928 | ␉bytes[patchLocation++] = 0xA1;␊ |
929 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x000000FF) >> 0;␊ |
930 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x0000FF00) >> 8;␊ |
931 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0x00FF0000) >> 16;␊ |
932 | ␉bytes[patchLocation++] = (lapicInterruptBase & 0xFF000000) >> 24;␊ |
933 | ␉␊ |
934 | ␉// 83 c0 0c -> addl␉␉ $0x0c,%eax␊ |
935 | ␉bytes[patchLocation++] = 0x83;␊ |
936 | ␉bytes[patchLocation++] = 0xC0;␊ |
937 | ␉bytes[patchLocation++] = 0x0C;␊ |
938 | ␊ |
939 | ␉// 89 02 -> movl␉␉ %eax,(%edx)␊ |
940 | ␉bytes[patchLocation++] = 0x89;␊ |
941 | ␉bytes[patchLocation++] = 0x02;␊ |
942 | ␊ |
943 | ␉// Replace remaining with nops␊ |
944 | ␊ |
945 | ␊ |
946 | ␉bytes[patchLocation++] = 0x90;␊ |
947 | ␉bytes[patchLocation++] = 0x90;␊ |
948 | ␉bytes[patchLocation++] = 0x90;␊ |
949 | ␉bytes[patchLocation++] = 0x90;␊ |
950 | ␉//␉bytes[patchLocation++] = 0x90; // double check the lenght of the patch...␊ |
951 | ␉//␉bytes[patchLocation++] = 0x90;␊ |
952 | }␊ |
953 | |