VirtualBox

source: vbox/trunk/src/VBox/Debugger/DBGPlugInWinNt.cpp@ 86117

Last change on this file since 86117 was 86111, checked in by vboxsync, 4 years ago

Debugger/DBGPlugInWinNt: Implement the OS WinNT interface [doxygen fix]

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 53.3 KB
Line 
1/* $Id: DBGPlugInWinNt.cpp 86111 2020-09-13 08:49:37Z vboxsync $ */
2/** @file
3 * DBGPlugInWindows - Debugger and Guest OS Digger Plugin For Windows NT.
4 */
5
6/*
7 * Copyright (C) 2009-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18
19/*********************************************************************************************************************************
20* Header Files *
21*********************************************************************************************************************************/
22#define LOG_GROUP LOG_GROUP_DBGF /// @todo add new log group.
23#include "DBGPlugIns.h"
24#include <VBox/vmm/dbgf.h>
25#include <VBox/vmm/cpumctx.h>
26#include <VBox/vmm/mm.h>
27#include <VBox/err.h>
28#include <VBox/param.h>
29#include <iprt/ctype.h>
30#include <iprt/ldr.h>
31#include <iprt/mem.h>
32#include <iprt/path.h>
33#include <iprt/stream.h>
34#include <iprt/string.h>
35#include <iprt/utf16.h>
36#include <iprt/formats/pecoff.h>
37#include <iprt/formats/mz.h>
38#include <iprt/nt/nt-structures.h>
39
40
41/*********************************************************************************************************************************
42* Structures and Typedefs *
43*********************************************************************************************************************************/
44
45/** @name Internal WinNT structures
46 * @{ */
47/**
48 * PsLoadedModuleList entry for 32-bit NT aka LDR_DATA_TABLE_ENTRY.
49 * Tested with XP.
50 */
51typedef struct NTMTE32
52{
53 struct
54 {
55 uint32_t Flink;
56 uint32_t Blink;
57 } InLoadOrderLinks,
58 InMemoryOrderModuleList,
59 InInitializationOrderModuleList;
60 uint32_t DllBase;
61 uint32_t EntryPoint;
62 /** @note This field is not a size in NT 3.1. It's NULL for images loaded by the
63 * boot loader, for other images it looks like some kind of pointer. */
64 uint32_t SizeOfImage;
65 struct
66 {
67 uint16_t Length;
68 uint16_t MaximumLength;
69 uint32_t Buffer;
70 } FullDllName,
71 BaseDllName;
72 uint32_t Flags;
73 uint16_t LoadCount;
74 uint16_t TlsIndex;
75 /* ... there is more ... */
76} NTMTE32;
77typedef NTMTE32 *PNTMTE32;
78
79/**
80 * PsLoadedModuleList entry for 64-bit NT aka LDR_DATA_TABLE_ENTRY.
81 */
82typedef struct NTMTE64
83{
84 struct
85 {
86 uint64_t Flink;
87 uint64_t Blink;
88 } InLoadOrderLinks, /**< 0x00 */
89 InMemoryOrderModuleList, /**< 0x10 */
90 InInitializationOrderModuleList; /**< 0x20 */
91 uint64_t DllBase; /**< 0x30 */
92 uint64_t EntryPoint; /**< 0x38 */
93 uint32_t SizeOfImage; /**< 0x40 */
94 uint32_t Alignment; /**< 0x44 */
95 struct
96 {
97 uint16_t Length; /**< 0x48,0x58 */
98 uint16_t MaximumLength; /**< 0x4a,0x5a */
99 uint32_t Alignment; /**< 0x4c,0x5c */
100 uint64_t Buffer; /**< 0x50,0x60 */
101 } FullDllName, /**< 0x48 */
102 BaseDllName; /**< 0x58 */
103 uint32_t Flags; /**< 0x68 */
104 uint16_t LoadCount; /**< 0x6c */
105 uint16_t TlsIndex; /**< 0x6e */
106 /* ... there is more ... */
107} NTMTE64;
108typedef NTMTE64 *PNTMTE64;
109
110/** MTE union. */
111typedef union NTMTE
112{
113 NTMTE32 vX_32;
114 NTMTE64 vX_64;
115} NTMTE;
116typedef NTMTE *PNTMTE;
117
118
119/**
120 * The essential bits of the KUSER_SHARED_DATA structure.
121 */
122typedef struct NTKUSERSHAREDDATA
123{
124 uint32_t TickCountLowDeprecated;
125 uint32_t TickCountMultiplier;
126 struct
127 {
128 uint32_t LowPart;
129 int32_t High1Time;
130 int32_t High2Time;
131
132 } InterruptTime,
133 SystemTime,
134 TimeZoneBias;
135 uint16_t ImageNumberLow;
136 uint16_t ImageNumberHigh;
137 RTUTF16 NtSystemRoot[260];
138 uint32_t MaxStackTraceDepth;
139 uint32_t CryptoExponent;
140 uint32_t TimeZoneId;
141 uint32_t LargePageMinimum;
142 uint32_t Reserved2[7];
143 uint32_t NtProductType;
144 uint8_t ProductTypeIsValid;
145 uint8_t abPadding[3];
146 uint32_t NtMajorVersion;
147 uint32_t NtMinorVersion;
148 /* uint8_t ProcessorFeatures[64];
149 ...
150 */
151} NTKUSERSHAREDDATA;
152typedef NTKUSERSHAREDDATA *PNTKUSERSHAREDDATA;
153
154/** KI_USER_SHARED_DATA for i386 */
155#define NTKUSERSHAREDDATA_WINNT32 UINT32_C(0xffdf0000)
156/** KI_USER_SHARED_DATA for AMD64 */
157#define NTKUSERSHAREDDATA_WINNT64 UINT64_C(0xfffff78000000000)
158
159/** NTKUSERSHAREDDATA::NtProductType */
160typedef enum NTPRODUCTTYPE
161{
162 kNtProductType_Invalid = 0,
163 kNtProductType_WinNt = 1,
164 kNtProductType_LanManNt,
165 kNtProductType_Server
166} NTPRODUCTTYPE;
167
168
169/** NT image header union. */
170typedef union NTHDRSU
171{
172 IMAGE_NT_HEADERS32 vX_32;
173 IMAGE_NT_HEADERS64 vX_64;
174} NTHDRS;
175/** Pointer to NT image header union. */
176typedef NTHDRS *PNTHDRS;
177/** Pointer to const NT image header union. */
178typedef NTHDRS const *PCNTHDRS;
179
180/** @} */
181
182
183
184typedef enum DBGDIGGERWINNTVER
185{
186 DBGDIGGERWINNTVER_UNKNOWN,
187 DBGDIGGERWINNTVER_3_1,
188 DBGDIGGERWINNTVER_3_5,
189 DBGDIGGERWINNTVER_4_0,
190 DBGDIGGERWINNTVER_5_0,
191 DBGDIGGERWINNTVER_5_1,
192 DBGDIGGERWINNTVER_6_0
193} DBGDIGGERWINNTVER;
194
195/**
196 * WinNT guest OS digger instance data.
197 */
198typedef struct DBGDIGGERWINNT
199{
200 /** Whether the information is valid or not.
201 * (For fending off illegal interface method calls.) */
202 bool fValid;
203 /** 32-bit (true) or 64-bit (false) */
204 bool f32Bit;
205 /** Set if NT 3.1 was detected.
206 * This implies both Misc.VirtualSize and NTMTE32::SizeOfImage are zero. */
207 bool fNt31;
208
209 /** The NT version. */
210 DBGDIGGERWINNTVER enmVer;
211 /** NTKUSERSHAREDDATA::NtProductType */
212 NTPRODUCTTYPE NtProductType;
213 /** NTKUSERSHAREDDATA::NtMajorVersion */
214 uint32_t NtMajorVersion;
215 /** NTKUSERSHAREDDATA::NtMinorVersion */
216 uint32_t NtMinorVersion;
217
218 /** The address of the ntoskrnl.exe image. */
219 DBGFADDRESS KernelAddr;
220 /** The address of the ntoskrnl.exe module table entry. */
221 DBGFADDRESS KernelMteAddr;
222 /** The address of PsLoadedModuleList. */
223 DBGFADDRESS PsLoadedModuleListAddr;
224
225 /** Array of detected KPCR addresses for each vCPU. */
226 PDBGFADDRESS paKpcrAddr;
227 /** Array of detected KPCRB addresses for each vCPU. */
228 PDBGFADDRESS paKpcrbAddr;
229
230 /** The Windows NT specifics interface. */
231 DBGFOSIWINNT IWinNt;
232} DBGDIGGERWINNT;
233/** Pointer to the linux guest OS digger instance data. */
234typedef DBGDIGGERWINNT *PDBGDIGGERWINNT;
235
236
237/**
238 * The WinNT digger's loader reader instance data.
239 */
240typedef struct DBGDIGGERWINNTRDR
241{
242 /** The VM handle (referenced). */
243 PUVM pUVM;
244 /** The image base. */
245 DBGFADDRESS ImageAddr;
246 /** The image size. */
247 uint32_t cbImage;
248 /** The file offset of the SizeOfImage field in the optional header if it
249 * needs patching, otherwise set to UINT32_MAX. */
250 uint32_t offSizeOfImage;
251 /** The correct image size. */
252 uint32_t cbCorrectImageSize;
253 /** Number of entries in the aMappings table. */
254 uint32_t cMappings;
255 /** Mapping hint. */
256 uint32_t iHint;
257 /** Mapping file offset to memory offsets, ordered by file offset. */
258 struct
259 {
260 /** The file offset. */
261 uint32_t offFile;
262 /** The size of this mapping. */
263 uint32_t cbMem;
264 /** The offset to the memory from the start of the image. */
265 uint32_t offMem;
266 } aMappings[1];
267} DBGDIGGERWINNTRDR;
268/** Pointer a WinNT loader reader instance data. */
269typedef DBGDIGGERWINNTRDR *PDBGDIGGERWINNTRDR;
270
271
272/*********************************************************************************************************************************
273* Defined Constants And Macros *
274*********************************************************************************************************************************/
275/** Validates a 32-bit Windows NT kernel address */
276#define WINNT32_VALID_ADDRESS(Addr) ((Addr) > UINT32_C(0x80000000) && (Addr) < UINT32_C(0xfffff000))
277/** Validates a 64-bit Windows NT kernel address */
278#define WINNT64_VALID_ADDRESS(Addr) ((Addr) > UINT64_C(0xffff800000000000) && (Addr) < UINT64_C(0xfffffffffffff000))
279/** Validates a kernel address. */
280#define WINNT_VALID_ADDRESS(pThis, Addr) ((pThis)->f32Bit ? WINNT32_VALID_ADDRESS(Addr) : WINNT64_VALID_ADDRESS(Addr))
281/** Versioned and bitness wrapper. */
282#define WINNT_UNION(pThis, pUnion, Member) ((pThis)->f32Bit ? (pUnion)->vX_32. Member : (pUnion)->vX_64. Member )
283
284/** The length (in chars) of the kernel file name (no path). */
285#define WINNT_KERNEL_BASE_NAME_LEN 12
286
287/** WindowsNT on little endian ASCII systems. */
288#define DIG_WINNT_MOD_TAG UINT64_C(0x54696e646f774e54)
289
290
291/*********************************************************************************************************************************
292* Internal Functions *
293*********************************************************************************************************************************/
294static DECLCALLBACK(int) dbgDiggerWinNtInit(PUVM pUVM, void *pvData);
295
296
297/*********************************************************************************************************************************
298* Global Variables *
299*********************************************************************************************************************************/
300/** Kernel names. */
301static const RTUTF16 g_wszKernelNames[][WINNT_KERNEL_BASE_NAME_LEN + 1] =
302{
303 { 'n', 't', 'o', 's', 'k', 'r', 'n', 'l', '.', 'e', 'x', 'e' }
304};
305
306
307
308/**
309 * Tries to resolve the KPCR and KPCRB addresses for each vCPU.
310 *
311 * @returns nothing.
312 * @param pThis The instance data.
313 * @param pUVM The user mode VM handle.
314 */
315static void dbgDiggerWinNtResolveKpcr(PDBGDIGGERWINNT pThis, PUVM pUVM)
316{
317 if (pThis->f32Bit)
318 { /** @todo */ }
319 else
320 {
321 /*
322 * Getting at the KPCR and KPCRB is explained here:
323 * https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kprcb/amd64.htm
324 * Together with the available offsets from:
325 * https://github.com/tpn/winsdk-10/blob/master/Include/10.0.16299.0/shared/ksamd64.inc#L883
326 * we can verify that the found addresses are valid by cross checking that the GDTR and self reference
327 * match what we expect.
328 */
329 VMCPUID cCpus = DBGFR3CpuGetCount(pUVM);
330 pThis->paKpcrAddr = (PDBGFADDRESS)RTMemAllocZ(cCpus * 2 * sizeof(DBGFADDRESS));
331 if (RT_LIKELY(pThis->paKpcrAddr))
332 {
333 pThis->paKpcrbAddr = &pThis->paKpcrAddr[cCpus];
334
335 /* Work each CPU, unexpected values in each CPU make the whole thing fail to play safe. */
336 int rc = VINF_SUCCESS;
337 for (VMCPUID idCpu = 0; (idCpu < cCpus) && RT_SUCCESS(rc); idCpu++)
338 {
339 PDBGFADDRESS pKpcrAddr = &pThis->paKpcrAddr[idCpu];
340 PDBGFADDRESS pKpcrbAddr = &pThis->paKpcrbAddr[idCpu];
341
342 /* Read GS base which points to the base of the KPCR for each CPU. */
343 RTGCUINTPTR GCPtrTmp = 0;
344 rc = DBGFR3RegCpuQueryU64(pUVM, idCpu, DBGFREG_GS_BASE, &GCPtrTmp);
345 if (RT_SUCCESS(rc))
346 {
347 LogFlow(("DigWinNt/KPCR[%u]: GS Base %RGv\n", idCpu, GCPtrTmp));
348 DBGFR3AddrFromFlat(pUVM, pKpcrAddr, GCPtrTmp);
349
350 rc = DBGFR3RegCpuQueryU64(pUVM, idCpu, DBGFREG_GDTR_BASE, &GCPtrTmp);
351 if (RT_SUCCESS(rc))
352 {
353 /*
354 * Read the start of the KPCR (@todo Probably move this to a global header)
355 * and verify its content.
356 */
357 struct
358 {
359 RTGCUINTPTR GCPtrGdt;
360 RTGCUINTPTR GCPtrTss;
361 RTGCUINTPTR GCPtrUserRsp;
362 RTGCUINTPTR GCPtrSelf;
363 RTGCUINTPTR GCPtrCurrentPrcb;
364 } Kpcr;
365
366 rc = DBGFR3MemRead(pUVM, idCpu, pKpcrAddr, &Kpcr, sizeof(Kpcr));
367 if (RT_SUCCESS(rc))
368 {
369 if ( Kpcr.GCPtrGdt == GCPtrTmp
370 && Kpcr.GCPtrSelf == pKpcrAddr->FlatPtr
371 /** @todo && TSS */ )
372 {
373 DBGFR3AddrFromFlat(pUVM, pKpcrbAddr, Kpcr.GCPtrCurrentPrcb);
374 LogRel(("DigWinNt/KPCR[%u]: KPCR=%RGv KPCRB=%RGv\n", idCpu, pKpcrAddr->FlatPtr, pKpcrbAddr->FlatPtr));
375 }
376 else
377 LogRel(("DigWinNt/KPCR[%u]: KPCR validation error GDT=(%RGv vs %RGv) KPCRB=(%RGv vs %RGv)\n", idCpu,
378 Kpcr.GCPtrGdt, GCPtrTmp, Kpcr.GCPtrSelf, pKpcrAddr->FlatPtr));
379 }
380 else
381 LogRel(("DigWinNt/KPCR[%u]: Reading KPCR start at %RGv failed with %Rrc\n", idCpu, pKpcrAddr->FlatPtr, rc));
382 }
383 else
384 LogRel(("DigWinNt/KPCR[%u]: Getting GDT base register failed with %Rrc\n", idCpu, rc));
385 }
386 else
387 LogRel(("DigWinNt/KPCR[%u]: Getting GS base register failed with %Rrc\n", idCpu, rc));
388 }
389
390 if (RT_FAILURE(rc))
391 {
392 LogRel(("DigWinNt/KPCR: Failed to detmine KPCR and KPCRB rc=%Rrc\n", rc));
393 RTMemFree(pThis->paKpcrAddr);
394 pThis->paKpcrAddr = NULL;
395 pThis->paKpcrbAddr = NULL;
396 }
397 }
398 else
399 LogRel(("DigWinNt/KPCR: Failed to allocate %u entries for the KPCR/KPCRB addresses\n", cCpus * 2));
400 }
401}
402
403
404/**
405 * Process a PE image found in guest memory.
406 *
407 * @param pThis The instance data.
408 * @param pUVM The user mode VM handle.
409 * @param pszName The module name.
410 * @param pszFilename The image filename.
411 * @param pImageAddr The image address.
412 * @param cbImage The size of the image.
413 */
414static void dbgDiggerWinNtProcessImage(PDBGDIGGERWINNT pThis, PUVM pUVM, const char *pszName, const char *pszFilename,
415 PCDBGFADDRESS pImageAddr, uint32_t cbImage)
416{
417 LogFlow(("DigWinNt: %RGp %#x %s\n", pImageAddr->FlatPtr, cbImage, pszName));
418
419 /*
420 * Do some basic validation first.
421 */
422 if ( (cbImage < sizeof(IMAGE_NT_HEADERS64) && !pThis->fNt31)
423 || cbImage >= _1M * 256)
424 {
425 Log(("DigWinNt: %s: Bad image size: %#x\n", pszName, cbImage));
426 return;
427 }
428
429 /*
430 * Use the common in-memory module reader to create a debug module.
431 */
432 RTERRINFOSTATIC ErrInfo;
433 RTDBGMOD hDbgMod = NIL_RTDBGMOD;
434 int rc = DBGFR3ModInMem(pUVM, pImageAddr, pThis->fNt31 ? DBGFMODINMEM_F_PE_NT31 : 0, pszName, pszFilename,
435 pThis->f32Bit ? RTLDRARCH_X86_32 : RTLDRARCH_AMD64, cbImage,
436 &hDbgMod, RTErrInfoInitStatic(&ErrInfo));
437 if (RT_SUCCESS(rc))
438 {
439 /*
440 * Tag the module.
441 */
442 rc = RTDbgModSetTag(hDbgMod, DIG_WINNT_MOD_TAG);
443 AssertRC(rc);
444
445 /*
446 * Link the module.
447 */
448 RTDBGAS hAs = DBGFR3AsResolveAndRetain(pUVM, DBGF_AS_KERNEL);
449 if (hAs != NIL_RTDBGAS)
450 rc = RTDbgAsModuleLink(hAs, hDbgMod, pImageAddr->FlatPtr, RTDBGASLINK_FLAGS_REPLACE /*fFlags*/);
451 else
452 rc = VERR_INTERNAL_ERROR;
453 RTDbgModRelease(hDbgMod);
454 RTDbgAsRelease(hAs);
455 }
456 else if (RTErrInfoIsSet(&ErrInfo.Core))
457 Log(("DigWinNt: %s: DBGFR3ModInMem failed: %Rrc - %s\n", pszName, rc, ErrInfo.Core.pszMsg));
458 else
459 Log(("DigWinNt: %s: DBGFR3ModInMem failed: %Rrc\n", pszName, rc));
460}
461
462
463/**
464 * Generate a debugger compatible module name from a filename.
465 *
466 * @returns Pointer to module name (doesn't need to be pszName).
467 * @param pszFilename The source filename.
468 * @param pszName Buffer to put the module name in.
469 * @param cbName Buffer size.
470 */
471static const char *dbgDiggerWintNtFilenameToModuleName(const char *pszFilename, char *pszName, size_t cbName)
472{
473 /* Skip to the filename part of the filename. :-) */
474 pszFilename = RTPathFilenameEx(pszFilename, RTPATH_STR_F_STYLE_DOS);
475
476 /* We try use 'nt' for the kernel. */
477 if ( RTStrICmpAscii(pszFilename, "ntoskrnl.exe") == 0
478 || RTStrICmpAscii(pszFilename, "ntkrnlmp.exe") == 0)
479 return "nt";
480
481
482 /* Drop the extension if .dll or .sys. */
483 size_t cchFilename = strlen(pszFilename);
484 if ( cchFilename > 4
485 && pszFilename[cchFilename - 4] == '.')
486 {
487 if ( RTStrICmpAscii(&pszFilename[cchFilename - 4], ".sys") == 0
488 || RTStrICmpAscii(&pszFilename[cchFilename - 4], ".dll") == 0)
489 cchFilename -= 4;
490 }
491
492 /* Copy and do replacements. */
493 if (cchFilename >= cbName)
494 cchFilename = cbName - 1;
495 size_t off;
496 for (off = 0; off < cchFilename; off++)
497 {
498 char ch = pszFilename[off];
499 if (!RT_C_IS_ALNUM(ch))
500 ch = '_';
501 pszName[off] = ch;
502 }
503 pszName[off] = '\0';
504 return pszName;
505}
506
507
508/**
509 * @interface_method_impl{DBGFOSIWINNT,pfnQueryVersion}
510 */
511static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryVersion(struct DBGFOSIWINNT *pThis, PUVM pUVM,
512 uint32_t *puVersMajor, uint32_t *puVersMinor)
513{
514 RT_NOREF(pUVM);
515 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
516
517 *puVersMajor = pData->NtMajorVersion;
518 *puVersMinor = pData->NtMinorVersion;
519 return VINF_SUCCESS;
520}
521
522
523/**
524 * @interface_method_impl{DBGFOSIWINNT,pfnQueryKernelPtrs}
525 */
526static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryKernelPtrs(struct DBGFOSIWINNT *pThis, PUVM pUVM,
527 PRTGCUINTPTR pGCPtrKernBase, PRTGCUINTPTR pGCPtrPsLoadedModuleList)
528{
529 RT_NOREF(pUVM);
530 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
531
532 *pGCPtrKernBase = pData->KernelAddr.FlatPtr;
533 *pGCPtrPsLoadedModuleList = pData->PsLoadedModuleListAddr.FlatPtr;
534 return VINF_SUCCESS;
535}
536
537
538/**
539 * @interface_method_impl{DBGFOSIWINNT,pfnQueryKpcrForVCpu}
540 */
541static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryKpcrForVCpu(struct DBGFOSIWINNT *pThis, PUVM pUVM, VMCPUID idCpu,
542 PRTGCUINTPTR pKpcr, PRTGCUINTPTR pKpcrb)
543{
544 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
545
546 if (!pData->paKpcrAddr)
547 return VERR_NOT_SUPPORTED;
548
549 AssertReturn(idCpu < DBGFR3CpuGetCount(pUVM), VERR_INVALID_PARAMETER);
550
551 if (pKpcr)
552 *pKpcr = pData->paKpcrAddr[idCpu].FlatPtr;
553 if (pKpcrb)
554 *pKpcrb = pData->paKpcrbAddr[idCpu].FlatPtr;
555 return VINF_SUCCESS;
556}
557
558
559/**
560 * @interface_method_impl{DBGFOSIWINNT,pfnQueryCurThrdForVCpu}
561 */
562static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryCurThrdForVCpu(struct DBGFOSIWINNT *pThis, PUVM pUVM, VMCPUID idCpu,
563 PRTGCUINTPTR pCurThrd)
564{
565 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
566
567 if (!pData->paKpcrAddr)
568 return VERR_NOT_SUPPORTED;
569
570 AssertReturn(idCpu < DBGFR3CpuGetCount(pUVM), VERR_INVALID_PARAMETER);
571
572 DBGFADDRESS AddrCurThrdPtr = pData->paKpcrbAddr[idCpu];
573 DBGFR3AddrAdd(&AddrCurThrdPtr, 0x08); /** @todo Make this prettier. */
574 return DBGFR3MemRead(pUVM, idCpu, &AddrCurThrdPtr, pCurThrd, sizeof(*pCurThrd));
575}
576
577
578/**
579 * @copydoc DBGFOSREG::pfnStackUnwindAssist
580 */
581static DECLCALLBACK(int) dbgDiggerWinNtStackUnwindAssist(PUVM pUVM, void *pvData, VMCPUID idCpu, PDBGFSTACKFRAME pFrame,
582 PRTDBGUNWINDSTATE pState, PCCPUMCTX pInitialCtx, RTDBGAS hAs,
583 uint64_t *puScratch)
584{
585 Assert(pInitialCtx);
586
587 /*
588 * We want to locate trap frames here. The trap frame structure contains
589 * the 64-bit IRET frame, so given unwind information it's easy to identify
590 * using the return type and frame address.
591 */
592 if (pFrame->fFlags & DBGFSTACKFRAME_FLAGS_64BIT)
593 {
594 /*
595 * Is this a trap frame? If so, try read the trap frame.
596 */
597 if ( pFrame->enmReturnType == RTDBGRETURNTYPE_IRET64
598 && !(pFrame->AddrFrame.FlatPtr & 0x7)
599 && WINNT64_VALID_ADDRESS(pFrame->AddrFrame.FlatPtr) )
600 {
601 KTRAP_FRAME_AMD64 TrapFrame;
602 RT_ZERO(TrapFrame);
603 uint64_t const uTrapFrameAddr = pFrame->AddrFrame.FlatPtr
604 - RT_UOFFSETOF(KTRAP_FRAME_AMD64, ErrCdOrXcptFrameOrS);
605 int rc = pState->pfnReadStack(pState, uTrapFrameAddr, sizeof(TrapFrame), &TrapFrame);
606 if (RT_SUCCESS(rc))
607 {
608 /* Valid? Not too much else we can check here (EFlags isn't
609 reliable in manually construct frames). */
610 if (TrapFrame.ExceptionActive <= 2)
611 {
612 pFrame->fFlags |= DBGFSTACKFRAME_FLAGS_TRAP_FRAME;
613
614 /*
615 * Add sure 'register' information from the frame to the frame.
616 *
617 * To avoid code duplication, we do this in two steps in a loop.
618 * The first iteration only figures out how many registers we're
619 * going to save and allocates room for them. The second iteration
620 * does the actual adding.
621 */
622 uint32_t cRegs = pFrame->cSureRegs;
623 PDBGFREGVALEX paSureRegs = NULL;
624#define ADD_REG_NAMED(a_Type, a_ValMemb, a_Value, a_pszName) do { \
625 if (paSureRegs) \
626 { \
627 paSureRegs[iReg].pszName = a_pszName;\
628 paSureRegs[iReg].enmReg = DBGFREG_END; \
629 paSureRegs[iReg].enmType = a_Type; \
630 paSureRegs[iReg].Value.a_ValMemb = (a_Value); \
631 } \
632 iReg++; \
633 } while (0)
634#define MAYBE_ADD_GREG(a_Value, a_enmReg, a_idxReg) do { \
635 if (!(pState->u.x86.Loaded.s.fRegs & RT_BIT(a_idxReg))) \
636 { \
637 if (paSureRegs) \
638 { \
639 pState->u.x86.Loaded.s.fRegs |= RT_BIT(a_idxReg); \
640 pState->u.x86.auRegs[a_idxReg] = (a_Value); \
641 paSureRegs[iReg].Value.u64 = (a_Value); \
642 paSureRegs[iReg].enmReg = a_enmReg; \
643 paSureRegs[iReg].enmType = DBGFREGVALTYPE_U64; \
644 paSureRegs[iReg].pszName = NULL; \
645 } \
646 iReg++; \
647 } \
648 } while (0)
649 for (unsigned iLoop = 0; iLoop < 2; iLoop++)
650 {
651 uint32_t iReg = pFrame->cSureRegs;
652 ADD_REG_NAMED(DBGFREGVALTYPE_U64, u64, uTrapFrameAddr, "TrapFrame");
653 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, TrapFrame.ExceptionActive, "ExceptionActive");
654 if (TrapFrame.ExceptionActive == 0)
655 {
656 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, TrapFrame.PreviousIrql, "PrevIrql");
657 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, (uint8_t)TrapFrame.ErrCdOrXcptFrameOrS, "IntNo");
658 }
659 else if ( TrapFrame.ExceptionActive == 1
660 && TrapFrame.FaultIndicator == ((TrapFrame.ErrCdOrXcptFrameOrS >> 1) & 0x9))
661 ADD_REG_NAMED(DBGFREGVALTYPE_U64, u64, TrapFrame.FaultAddrOrCtxRecOrTS, "cr2-probably");
662 if (TrapFrame.SegCs & X86_SEL_RPL)
663 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, 1, "UserMode");
664 else
665 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, 1, "KernelMode");
666 if (TrapFrame.ExceptionActive <= 1)
667 {
668 MAYBE_ADD_GREG(TrapFrame.Rax, DBGFREG_RAX, X86_GREG_xAX);
669 MAYBE_ADD_GREG(TrapFrame.Rcx, DBGFREG_RCX, X86_GREG_xCX);
670 MAYBE_ADD_GREG(TrapFrame.Rdx, DBGFREG_RDX, X86_GREG_xDX);
671 MAYBE_ADD_GREG(TrapFrame.R8, DBGFREG_R8, X86_GREG_x8);
672 MAYBE_ADD_GREG(TrapFrame.R9, DBGFREG_R9, X86_GREG_x9);
673 MAYBE_ADD_GREG(TrapFrame.R10, DBGFREG_R10, X86_GREG_x10);
674 MAYBE_ADD_GREG(TrapFrame.R11, DBGFREG_R11, X86_GREG_x11);
675 }
676 else if (TrapFrame.ExceptionActive == 2)
677 {
678 MAYBE_ADD_GREG(TrapFrame.Rbx, DBGFREG_RBX, X86_GREG_xBX);
679 MAYBE_ADD_GREG(TrapFrame.Rsi, DBGFREG_RSI, X86_GREG_xSI);
680 MAYBE_ADD_GREG(TrapFrame.Rdi, DBGFREG_RDI, X86_GREG_xDI);
681 }
682 // MAYBE_ADD_GREG(TrapFrame.Rbp, DBGFREG_RBP, X86_GREG_xBP); - KiInterrupt[Sub]Dispatch* may leave this invalid.
683
684 /* Done? */
685 if (iLoop > 0)
686 {
687 Assert(cRegs == iReg);
688 break;
689 }
690
691 /* Resize the array, zeroing the extension. */
692 if (pFrame->cSureRegs)
693 paSureRegs = (PDBGFREGVALEX)MMR3HeapRealloc(pFrame->paSureRegs, iReg * sizeof(paSureRegs[0]));
694 else
695 paSureRegs = (PDBGFREGVALEX)MMR3HeapAllocU(pUVM, MM_TAG_DBGF_STACK, iReg * sizeof(paSureRegs[0]));
696 AssertReturn(paSureRegs, VERR_NO_MEMORY);
697
698 pFrame->paSureRegs = paSureRegs;
699 RT_BZERO(&paSureRegs[pFrame->cSureRegs], (iReg - pFrame->cSureRegs) * sizeof(paSureRegs[0]));
700 cRegs = iReg;
701 }
702#undef ADD_REG_NAMED
703#undef MAYBE_ADD_GREG
704
705 /* Commit the register update. */
706 pFrame->cSureRegs = cRegs;
707 }
708 }
709 }
710 }
711
712 RT_NOREF(pUVM, pvData, idCpu, hAs, pInitialCtx, puScratch);
713 return VINF_SUCCESS;
714}
715
716
717/**
718 * @copydoc DBGFOSREG::pfnQueryInterface
719 */
720static DECLCALLBACK(void *) dbgDiggerWinNtQueryInterface(PUVM pUVM, void *pvData, DBGFOSINTERFACE enmIf)
721{
722 RT_NOREF(pUVM);
723 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
724
725 switch (enmIf)
726 {
727 case DBGFOSINTERFACE_WINNT:
728 return &pThis->IWinNt;
729 default:
730 return NULL;
731 }
732}
733
734
735/**
736 * @copydoc DBGFOSREG::pfnQueryVersion
737 */
738static DECLCALLBACK(int) dbgDiggerWinNtQueryVersion(PUVM pUVM, void *pvData, char *pszVersion, size_t cchVersion)
739{
740 RT_NOREF1(pUVM);
741 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
742 Assert(pThis->fValid);
743 const char *pszNtProductType;
744 switch (pThis->NtProductType)
745 {
746 case kNtProductType_WinNt: pszNtProductType = "-WinNT"; break;
747 case kNtProductType_LanManNt: pszNtProductType = "-LanManNT"; break;
748 case kNtProductType_Server: pszNtProductType = "-Server"; break;
749 default: pszNtProductType = ""; break;
750 }
751 RTStrPrintf(pszVersion, cchVersion, "%u.%u-%s%s", pThis->NtMajorVersion, pThis->NtMinorVersion,
752 pThis->f32Bit ? "x86" : "AMD64", pszNtProductType);
753 return VINF_SUCCESS;
754}
755
756
757/**
758 * @copydoc DBGFOSREG::pfnTerm
759 */
760static DECLCALLBACK(void) dbgDiggerWinNtTerm(PUVM pUVM, void *pvData)
761{
762 RT_NOREF1(pUVM);
763 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
764 Assert(pThis->fValid);
765
766 /*
767 * As long as we're using our private LDR reader implementation,
768 * we must unlink and ditch the modules we created.
769 */
770 RTDBGAS hDbgAs = DBGFR3AsResolveAndRetain(pUVM, DBGF_AS_KERNEL);
771 if (hDbgAs != NIL_RTDBGAS)
772 {
773 uint32_t iMod = RTDbgAsModuleCount(hDbgAs);
774 while (iMod-- > 0)
775 {
776 RTDBGMOD hMod = RTDbgAsModuleByIndex(hDbgAs, iMod);
777 if (hMod != NIL_RTDBGMOD)
778 {
779 if (RTDbgModGetTag(hMod) == DIG_WINNT_MOD_TAG)
780 {
781 int rc = RTDbgAsModuleUnlink(hDbgAs, hMod);
782 AssertRC(rc);
783 }
784 RTDbgModRelease(hMod);
785 }
786 }
787 RTDbgAsRelease(hDbgAs);
788 }
789
790 if (pThis->paKpcrAddr)
791 RTMemFree(pThis->paKpcrAddr);
792 /* pThis->paKpcrbAddr comes from the same allocation as pThis->paKpcrAddr. */
793
794 pThis->paKpcrAddr = NULL;
795 pThis->paKpcrbAddr = NULL;
796
797 pThis->fValid = false;
798}
799
800
801/**
802 * @copydoc DBGFOSREG::pfnRefresh
803 */
804static DECLCALLBACK(int) dbgDiggerWinNtRefresh(PUVM pUVM, void *pvData)
805{
806 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
807 NOREF(pThis);
808 Assert(pThis->fValid);
809
810 /*
811 * For now we'll flush and reload everything.
812 */
813 dbgDiggerWinNtTerm(pUVM, pvData);
814
815 return dbgDiggerWinNtInit(pUVM, pvData);
816}
817
818
819/**
820 * @copydoc DBGFOSREG::pfnInit
821 */
822static DECLCALLBACK(int) dbgDiggerWinNtInit(PUVM pUVM, void *pvData)
823{
824 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
825 Assert(!pThis->fValid);
826
827 union
828 {
829 uint8_t au8[0x2000];
830 RTUTF16 wsz[0x2000/2];
831 NTKUSERSHAREDDATA UserSharedData;
832 } u;
833 DBGFADDRESS Addr;
834 int rc;
835
836 /*
837 * Figure the NT version.
838 */
839 DBGFR3AddrFromFlat(pUVM, &Addr, pThis->f32Bit ? NTKUSERSHAREDDATA_WINNT32 : NTKUSERSHAREDDATA_WINNT64);
840 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &Addr, &u, PAGE_SIZE);
841 if (RT_SUCCESS(rc))
842 {
843 pThis->NtProductType = u.UserSharedData.ProductTypeIsValid && u.UserSharedData.NtProductType <= kNtProductType_Server
844 ? (NTPRODUCTTYPE)u.UserSharedData.NtProductType
845 : kNtProductType_Invalid;
846 pThis->NtMajorVersion = u.UserSharedData.NtMajorVersion;
847 pThis->NtMinorVersion = u.UserSharedData.NtMinorVersion;
848 }
849 else if (pThis->fNt31)
850 {
851 pThis->NtProductType = kNtProductType_WinNt;
852 pThis->NtMajorVersion = 3;
853 pThis->NtMinorVersion = 1;
854 }
855 else
856 {
857 Log(("DigWinNt: Error reading KUSER_SHARED_DATA: %Rrc\n", rc));
858 return rc;
859 }
860
861 /*
862 * Dig out the module chain.
863 */
864 DBGFADDRESS AddrPrev = pThis->PsLoadedModuleListAddr;
865 Addr = pThis->KernelMteAddr;
866 do
867 {
868 /* Read the validate the MTE. */
869 NTMTE Mte;
870 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &Addr, &Mte, pThis->f32Bit ? sizeof(Mte.vX_32) : sizeof(Mte.vX_64));
871 if (RT_FAILURE(rc))
872 break;
873 if (WINNT_UNION(pThis, &Mte, InLoadOrderLinks.Blink) != AddrPrev.FlatPtr)
874 {
875 Log(("DigWinNt: Bad Mte At %RGv - backpointer\n", Addr.FlatPtr));
876 break;
877 }
878 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, InLoadOrderLinks.Flink)) )
879 {
880 Log(("DigWinNt: Bad Mte at %RGv - forward pointer\n", Addr.FlatPtr));
881 break;
882 }
883 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, BaseDllName.Buffer)))
884 {
885 Log(("DigWinNt: Bad Mte at %RGv - BaseDllName=%llx\n", Addr.FlatPtr, WINNT_UNION(pThis, &Mte, BaseDllName.Buffer)));
886 break;
887 }
888 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, FullDllName.Buffer)))
889 {
890 Log(("DigWinNt: Bad Mte at %RGv - FullDllName=%llx\n", Addr.FlatPtr, WINNT_UNION(pThis, &Mte, FullDllName.Buffer)));
891 break;
892 }
893 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, DllBase)))
894 {
895 Log(("DigWinNt: Bad Mte at %RGv - DllBase=%llx\n", Addr.FlatPtr, WINNT_UNION(pThis, &Mte, DllBase) ));
896 break;
897 }
898
899 uint32_t const cbImageMte = !pThis->fNt31 ? WINNT_UNION(pThis, &Mte, SizeOfImage) : 0;
900 if ( !pThis->fNt31
901 && ( cbImageMte > _256M
902 || WINNT_UNION(pThis, &Mte, EntryPoint) - WINNT_UNION(pThis, &Mte, DllBase) > cbImageMte) )
903 {
904 Log(("DigWinNt: Bad Mte at %RGv - EntryPoint=%llx SizeOfImage=%x DllBase=%llx\n",
905 Addr.FlatPtr, WINNT_UNION(pThis, &Mte, EntryPoint), cbImageMte, WINNT_UNION(pThis, &Mte, DllBase)));
906 break;
907 }
908
909 /* Read the full name. */
910 DBGFADDRESS AddrName;
911 DBGFR3AddrFromFlat(pUVM, &AddrName, WINNT_UNION(pThis, &Mte, FullDllName.Buffer));
912 uint16_t cbName = WINNT_UNION(pThis, &Mte, FullDllName.Length);
913 if (cbName < sizeof(u))
914 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &AddrName, &u, cbName);
915 else
916 rc = VERR_OUT_OF_RANGE;
917 if (RT_FAILURE(rc))
918 {
919 DBGFR3AddrFromFlat(pUVM, &AddrName, WINNT_UNION(pThis, &Mte, BaseDllName.Buffer));
920 cbName = WINNT_UNION(pThis, &Mte, BaseDllName.Length);
921 if (cbName < sizeof(u))
922 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &AddrName, &u, cbName);
923 else
924 rc = VERR_OUT_OF_RANGE;
925 }
926 if (RT_SUCCESS(rc))
927 {
928 u.wsz[cbName / 2] = '\0';
929
930 char *pszFilename;
931 rc = RTUtf16ToUtf8(u.wsz, &pszFilename);
932 if (RT_SUCCESS(rc))
933 {
934 char szModName[128];
935 const char *pszModName = dbgDiggerWintNtFilenameToModuleName(pszFilename, szModName, sizeof(szModName));
936
937 /* Read the start of the PE image and pass it along to a worker. */
938 DBGFADDRESS ImageAddr;
939 DBGFR3AddrFromFlat(pUVM, &ImageAddr, WINNT_UNION(pThis, &Mte, DllBase));
940 dbgDiggerWinNtProcessImage(pThis, pUVM, pszModName, pszFilename, &ImageAddr, cbImageMte);
941 RTStrFree(pszFilename);
942 }
943 }
944
945 /* next */
946 AddrPrev = Addr;
947 DBGFR3AddrFromFlat(pUVM, &Addr, WINNT_UNION(pThis, &Mte, InLoadOrderLinks.Flink));
948 } while ( Addr.FlatPtr != pThis->KernelMteAddr.FlatPtr
949 && Addr.FlatPtr != pThis->PsLoadedModuleListAddr.FlatPtr);
950
951 /* Try resolving the KPCR and KPCRB addresses for each vCPU. */
952 dbgDiggerWinNtResolveKpcr(pThis, pUVM);
953
954 pThis->fValid = true;
955 return VINF_SUCCESS;
956}
957
958
959/**
960 * @copydoc DBGFOSREG::pfnProbe
961 */
962static DECLCALLBACK(bool) dbgDiggerWinNtProbe(PUVM pUVM, void *pvData)
963{
964 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
965 DBGFADDRESS Addr;
966 union
967 {
968 uint8_t au8[8192];
969 uint16_t au16[8192/2];
970 uint32_t au32[8192/4];
971 IMAGE_DOS_HEADER MzHdr;
972 RTUTF16 wsz[8192/2];
973 X86DESCGATE a32Gates[X86_XCPT_PF + 1];
974 X86DESC64GATE a64Gates[X86_XCPT_PF + 1];
975 } u;
976
977 union
978 {
979 NTMTE32 v32;
980 NTMTE64 v64;
981 } uMte, uMte2, uMte3;
982
983 /*
984 * NT only runs in protected or long mode.
985 */
986 CPUMMODE const enmMode = DBGFR3CpuGetMode(pUVM, 0 /*idCpu*/);
987 if (enmMode != CPUMMODE_PROTECTED && enmMode != CPUMMODE_LONG)
988 return false;
989 bool const f64Bit = enmMode == CPUMMODE_LONG;
990 uint64_t const uStart = f64Bit ? UINT64_C(0xffff080000000000) : UINT32_C(0x80001000);
991 uint64_t const uEnd = f64Bit ? UINT64_C(0xffffffffffff0000) : UINT32_C(0xffff0000);
992
993 /*
994 * To approximately locate the kernel we examine the IDTR handlers.
995 *
996 * The exception/trap/fault handlers are all in NT kernel image, we pick
997 * KiPageFault here.
998 */
999 uint64_t uIdtrBase = 0;
1000 uint16_t uIdtrLimit = 0;
1001 int rc = DBGFR3RegCpuQueryXdtr(pUVM, 0, DBGFREG_IDTR, &uIdtrBase, &uIdtrLimit);
1002 AssertRCReturn(rc, false);
1003
1004 const uint16_t cbMinIdtr = (X86_XCPT_PF + 1) * (f64Bit ? sizeof(X86DESC64GATE) : sizeof(X86DESCGATE));
1005 if (uIdtrLimit < cbMinIdtr)
1006 return false;
1007
1008 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uIdtrBase), &u, cbMinIdtr);
1009 if (RT_FAILURE(rc))
1010 return false;
1011
1012 uint64_t uKrnlStart = uStart;
1013 uint64_t uKrnlEnd = uEnd;
1014 if (f64Bit)
1015 {
1016 uint64_t uHandler = u.a64Gates[X86_XCPT_PF].u16OffsetLow
1017 | ((uint32_t)u.a64Gates[X86_XCPT_PF].u16OffsetHigh << 16)
1018 | ((uint64_t)u.a64Gates[X86_XCPT_PF].u32OffsetTop << 32);
1019 if (uHandler < uStart || uHandler > uEnd)
1020 return false;
1021 uKrnlStart = (uHandler & ~(uint64_t)_4M) - _512M;
1022 uKrnlEnd = (uHandler + (uint64_t)_4M) & ~(uint64_t)_4M;
1023 }
1024 else
1025 {
1026 uint32_t uHandler = RT_MAKE_U32(u.a32Gates[X86_XCPT_PF].u16OffsetLow, u.a32Gates[X86_XCPT_PF].u16OffsetHigh);
1027 if (uHandler < uStart || uHandler > uEnd)
1028 return false;
1029 uKrnlStart = (uHandler & ~(uint64_t)_4M) - _64M;
1030 uKrnlEnd = (uHandler + (uint64_t)_4M) & ~(uint64_t)_4M;
1031 }
1032
1033 /*
1034 * Look for the PAGELK section name that seems to be a part of all kernels.
1035 * Then try find the module table entry for it. Since it's the first entry
1036 * in the PsLoadedModuleList we can easily validate the list head and report
1037 * success.
1038 *
1039 * Note! We ASSUME the section name is 8 byte aligned.
1040 */
1041 DBGFADDRESS KernelAddr;
1042 for (DBGFR3AddrFromFlat(pUVM, &KernelAddr, uKrnlStart);
1043 KernelAddr.FlatPtr < uKrnlEnd;
1044 KernelAddr.FlatPtr += PAGE_SIZE)
1045 {
1046 bool fNt31 = false;
1047 DBGFADDRESS const RetryAddress = KernelAddr;
1048 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &KernelAddr, uEnd - KernelAddr.FlatPtr,
1049 8, "PAGELK\0", sizeof("PAGELK\0"), &KernelAddr);
1050 if ( rc == VERR_DBGF_MEM_NOT_FOUND
1051 && enmMode != CPUMMODE_LONG)
1052 {
1053 /* NT3.1 didn't have a PAGELK section, so look for _TEXT instead. The
1054 following VirtualSize is zero, so check for that too. */
1055 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &RetryAddress, uEnd - RetryAddress.FlatPtr,
1056 8, "_TEXT\0\0\0\0\0\0", sizeof("_TEXT\0\0\0\0\0\0"), &KernelAddr);
1057 fNt31 = true;
1058 }
1059 if (RT_FAILURE(rc))
1060 break;
1061 DBGFR3AddrSub(&KernelAddr, KernelAddr.FlatPtr & PAGE_OFFSET_MASK);
1062
1063 /* MZ + PE header. */
1064 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &KernelAddr, &u, sizeof(u));
1065 if ( RT_SUCCESS(rc)
1066 && u.MzHdr.e_magic == IMAGE_DOS_SIGNATURE
1067 && !(u.MzHdr.e_lfanew & 0x7)
1068 && u.MzHdr.e_lfanew >= 0x080
1069 && u.MzHdr.e_lfanew <= 0x400) /* W8 is at 0x288*/
1070 {
1071 if (enmMode != CPUMMODE_LONG)
1072 {
1073 IMAGE_NT_HEADERS32 const *pHdrs = (IMAGE_NT_HEADERS32 const *)&u.au8[u.MzHdr.e_lfanew];
1074 if ( pHdrs->Signature == IMAGE_NT_SIGNATURE
1075 && pHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386
1076 && pHdrs->FileHeader.SizeOfOptionalHeader == sizeof(pHdrs->OptionalHeader)
1077 && pHdrs->FileHeader.NumberOfSections >= 10 /* the kernel has lots */
1078 && (pHdrs->FileHeader.Characteristics & (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)) == IMAGE_FILE_EXECUTABLE_IMAGE
1079 && pHdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC
1080 && pHdrs->OptionalHeader.NumberOfRvaAndSizes == IMAGE_NUMBEROF_DIRECTORY_ENTRIES
1081 )
1082 {
1083 /* Find the MTE. */
1084 RT_ZERO(uMte);
1085 uMte.v32.DllBase = KernelAddr.FlatPtr;
1086 uMte.v32.EntryPoint = KernelAddr.FlatPtr + pHdrs->OptionalHeader.AddressOfEntryPoint;
1087 uMte.v32.SizeOfImage = !fNt31 ? pHdrs->OptionalHeader.SizeOfImage : 0; /* NT 3.1 didn't set the size. */
1088 DBGFADDRESS HitAddr;
1089 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &KernelAddr, uEnd - KernelAddr.FlatPtr,
1090 4 /*align*/, &uMte.v32.DllBase, 3 * sizeof(uint32_t), &HitAddr);
1091 while (RT_SUCCESS(rc))
1092 {
1093 /* check the name. */
1094 DBGFADDRESS MteAddr = HitAddr;
1095 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrSub(&MteAddr, RT_OFFSETOF(NTMTE32, DllBase)),
1096 &uMte2.v32, sizeof(uMte2.v32));
1097 if ( RT_SUCCESS(rc)
1098 && uMte2.v32.DllBase == uMte.v32.DllBase
1099 && uMte2.v32.EntryPoint == uMte.v32.EntryPoint
1100 && uMte2.v32.SizeOfImage == uMte.v32.SizeOfImage
1101 && WINNT32_VALID_ADDRESS(uMte2.v32.InLoadOrderLinks.Flink)
1102 && WINNT32_VALID_ADDRESS(uMte2.v32.BaseDllName.Buffer)
1103 && WINNT32_VALID_ADDRESS(uMte2.v32.FullDllName.Buffer)
1104 && uMte2.v32.BaseDllName.Length <= 128
1105 && uMte2.v32.FullDllName.Length <= 260
1106 )
1107 {
1108 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v32.BaseDllName.Buffer),
1109 u.wsz, uMte2.v32.BaseDllName.Length);
1110 u.wsz[uMte2.v32.BaseDllName.Length / 2] = '\0';
1111 if ( RT_SUCCESS(rc)
1112 && ( !RTUtf16ICmp(u.wsz, g_wszKernelNames[0])
1113 /* || !RTUtf16ICmp(u.wsz, g_wszKernelNames[1]) */
1114 )
1115 )
1116 {
1117 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/,
1118 DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v32.InLoadOrderLinks.Blink),
1119 &uMte3.v32, RT_SIZEOFMEMB(NTMTE32, InLoadOrderLinks));
1120 if ( RT_SUCCESS(rc)
1121 && uMte3.v32.InLoadOrderLinks.Flink == MteAddr.FlatPtr
1122 && WINNT32_VALID_ADDRESS(uMte3.v32.InLoadOrderLinks.Blink) )
1123 {
1124 Log(("DigWinNt: MteAddr=%RGv KernelAddr=%RGv SizeOfImage=%x &PsLoadedModuleList=%RGv (32-bit)\n",
1125 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v32.SizeOfImage, Addr.FlatPtr));
1126 pThis->KernelAddr = KernelAddr;
1127 pThis->KernelMteAddr = MteAddr;
1128 pThis->PsLoadedModuleListAddr = Addr;
1129 pThis->f32Bit = true;
1130 pThis->fNt31 = fNt31;
1131 return true;
1132 }
1133 }
1134 else if (RT_SUCCESS(rc))
1135 {
1136 Log2(("DigWinNt: Wrong module: MteAddr=%RGv ImageAddr=%RGv SizeOfImage=%#x '%ls'\n",
1137 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v32.SizeOfImage, u.wsz));
1138 break; /* Not NT kernel */
1139 }
1140 }
1141
1142 /* next */
1143 DBGFR3AddrAdd(&HitAddr, 4);
1144 if (HitAddr.FlatPtr < uEnd)
1145 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &HitAddr, uEnd - HitAddr.FlatPtr,
1146 4 /*align*/, &uMte.v32.DllBase, 3 * sizeof(uint32_t), &HitAddr);
1147 else
1148 rc = VERR_DBGF_MEM_NOT_FOUND;
1149 }
1150 }
1151 }
1152 else
1153 {
1154 IMAGE_NT_HEADERS64 const *pHdrs = (IMAGE_NT_HEADERS64 const *)&u.au8[u.MzHdr.e_lfanew];
1155 if ( pHdrs->Signature == IMAGE_NT_SIGNATURE
1156 && pHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64
1157 && pHdrs->FileHeader.SizeOfOptionalHeader == sizeof(pHdrs->OptionalHeader)
1158 && pHdrs->FileHeader.NumberOfSections >= 10 /* the kernel has lots */
1159 && (pHdrs->FileHeader.Characteristics & (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL))
1160 == IMAGE_FILE_EXECUTABLE_IMAGE
1161 && pHdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC
1162 && pHdrs->OptionalHeader.NumberOfRvaAndSizes == IMAGE_NUMBEROF_DIRECTORY_ENTRIES
1163 )
1164 {
1165 /* Find the MTE. */
1166 RT_ZERO(uMte.v64);
1167 uMte.v64.DllBase = KernelAddr.FlatPtr;
1168 uMte.v64.EntryPoint = KernelAddr.FlatPtr + pHdrs->OptionalHeader.AddressOfEntryPoint;
1169 uMte.v64.SizeOfImage = pHdrs->OptionalHeader.SizeOfImage;
1170 DBGFADDRESS ScanAddr;
1171 DBGFADDRESS HitAddr;
1172 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &ScanAddr, uStart),
1173 uEnd - uStart, 8 /*align*/, &uMte.v64.DllBase, 5 * sizeof(uint32_t), &HitAddr);
1174 while (RT_SUCCESS(rc))
1175 {
1176 /* Read the start of the MTE and check some basic members. */
1177 DBGFADDRESS MteAddr = HitAddr;
1178 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrSub(&MteAddr, RT_OFFSETOF(NTMTE64, DllBase)),
1179 &uMte2.v64, sizeof(uMte2.v64));
1180 if ( RT_SUCCESS(rc)
1181 && uMte2.v64.DllBase == uMte.v64.DllBase
1182 && uMte2.v64.EntryPoint == uMte.v64.EntryPoint
1183 && uMte2.v64.SizeOfImage == uMte.v64.SizeOfImage
1184 && WINNT64_VALID_ADDRESS(uMte2.v64.InLoadOrderLinks.Flink)
1185 && WINNT64_VALID_ADDRESS(uMte2.v64.BaseDllName.Buffer)
1186 && WINNT64_VALID_ADDRESS(uMte2.v64.FullDllName.Buffer)
1187 && uMte2.v64.BaseDllName.Length <= 128
1188 && uMte2.v64.FullDllName.Length <= 260
1189 )
1190 {
1191 /* Try read the base name and compare with known NT kernel names. */
1192 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v64.BaseDllName.Buffer),
1193 u.wsz, uMte2.v64.BaseDllName.Length);
1194 u.wsz[uMte2.v64.BaseDllName.Length / 2] = '\0';
1195 if ( RT_SUCCESS(rc)
1196 && ( !RTUtf16ICmp(u.wsz, g_wszKernelNames[0])
1197 /* || !RTUtf16ICmp(u.wsz, g_wszKernelNames[1]) */
1198 )
1199 )
1200 {
1201 /* Read the link entry of the previous entry in the list and check that its
1202 forward pointer points at the MTE we've found. */
1203 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/,
1204 DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v64.InLoadOrderLinks.Blink),
1205 &uMte3.v64, RT_SIZEOFMEMB(NTMTE64, InLoadOrderLinks));
1206 if ( RT_SUCCESS(rc)
1207 && uMte3.v64.InLoadOrderLinks.Flink == MteAddr.FlatPtr
1208 && WINNT64_VALID_ADDRESS(uMte3.v64.InLoadOrderLinks.Blink) )
1209 {
1210 Log(("DigWinNt: MteAddr=%RGv KernelAddr=%RGv SizeOfImage=%x &PsLoadedModuleList=%RGv (32-bit)\n",
1211 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v64.SizeOfImage, Addr.FlatPtr));
1212 pThis->KernelAddr = KernelAddr;
1213 pThis->KernelMteAddr = MteAddr;
1214 pThis->PsLoadedModuleListAddr = Addr;
1215 pThis->f32Bit = false;
1216 pThis->fNt31 = false;
1217 return true;
1218 }
1219 }
1220 else if (RT_SUCCESS(rc))
1221 {
1222 Log2(("DigWinNt: Wrong module: MteAddr=%RGv ImageAddr=%RGv SizeOfImage=%#x '%ls'\n",
1223 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v64.SizeOfImage, u.wsz));
1224 break; /* Not NT kernel */
1225 }
1226 }
1227
1228 /* next */
1229 DBGFR3AddrAdd(&HitAddr, 8);
1230 if (HitAddr.FlatPtr < uEnd)
1231 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &HitAddr, uEnd - HitAddr.FlatPtr,
1232 8 /*align*/, &uMte.v64.DllBase, 3 * sizeof(uint32_t), &HitAddr);
1233 else
1234 rc = VERR_DBGF_MEM_NOT_FOUND;
1235 }
1236 }
1237 }
1238 }
1239 }
1240 return false;
1241}
1242
1243
1244/**
1245 * @copydoc DBGFOSREG::pfnDestruct
1246 */
1247static DECLCALLBACK(void) dbgDiggerWinNtDestruct(PUVM pUVM, void *pvData)
1248{
1249 RT_NOREF2(pUVM, pvData);
1250}
1251
1252
1253/**
1254 * @copydoc DBGFOSREG::pfnConstruct
1255 */
1256static DECLCALLBACK(int) dbgDiggerWinNtConstruct(PUVM pUVM, void *pvData)
1257{
1258 RT_NOREF1(pUVM);
1259 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
1260 pThis->fValid = false;
1261 pThis->f32Bit = false;
1262 pThis->enmVer = DBGDIGGERWINNTVER_UNKNOWN;
1263
1264 pThis->IWinNt.u32Magic = DBGFOSIWINNT_MAGIC;
1265 pThis->IWinNt.pfnQueryVersion = dbgDiggerWinNtIWinNt_QueryVersion;
1266 pThis->IWinNt.pfnQueryKernelPtrs = dbgDiggerWinNtIWinNt_QueryKernelPtrs;
1267 pThis->IWinNt.pfnQueryKpcrForVCpu = dbgDiggerWinNtIWinNt_QueryKpcrForVCpu;
1268 pThis->IWinNt.pfnQueryCurThrdForVCpu = dbgDiggerWinNtIWinNt_QueryCurThrdForVCpu;
1269 pThis->IWinNt.u32EndMagic = DBGFOSIWINNT_MAGIC;
1270
1271 return VINF_SUCCESS;
1272}
1273
1274
1275const DBGFOSREG g_DBGDiggerWinNt =
1276{
1277 /* .u32Magic = */ DBGFOSREG_MAGIC,
1278 /* .fFlags = */ 0,
1279 /* .cbData = */ sizeof(DBGDIGGERWINNT),
1280 /* .szName = */ "WinNT",
1281 /* .pfnConstruct = */ dbgDiggerWinNtConstruct,
1282 /* .pfnDestruct = */ dbgDiggerWinNtDestruct,
1283 /* .pfnProbe = */ dbgDiggerWinNtProbe,
1284 /* .pfnInit = */ dbgDiggerWinNtInit,
1285 /* .pfnRefresh = */ dbgDiggerWinNtRefresh,
1286 /* .pfnTerm = */ dbgDiggerWinNtTerm,
1287 /* .pfnQueryVersion = */ dbgDiggerWinNtQueryVersion,
1288 /* .pfnQueryInterface = */ dbgDiggerWinNtQueryInterface,
1289 /* .pfnStackUnwindAssist = */ dbgDiggerWinNtStackUnwindAssist,
1290 /* .u32EndMagic = */ DBGFOSREG_MAGIC
1291};
1292
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette