VirtualBox

source: vbox/trunk/src/VBox/VMM/PATM/PATMA.asm@ 7932

Last change on this file since 7932 was 5999, checked in by vboxsync, 17 years ago

The Giant CDDL Dual-License Header Change.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 70.3 KB
Line 
1; $Id: PATMA.asm 5999 2007-12-07 15:05:06Z vboxsync $
2;; @file
3; PATM Assembly Routines.
4;
5
6; Copyright (C) 2006-2007 innotek GmbH
7;
8; This file is part of VirtualBox Open Source Edition (OSE), as
9; available from http://www.virtualbox.org. This file is free software;
10; you can redistribute it and/or modify it under the terms of the GNU
11; General Public License (GPL) as published by the Free Software
12; Foundation, in version 2 as it comes in the "COPYING" file of the
13; VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14; hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15;
16
17;;
18; @note This method has problems in theory. If we fault for any reason, then we won't be able to restore
19; the guest's context properly!!
20; E.g if one of the push instructions causes a fault or SS isn't wide open and our patch GC state accesses aren't valid.
21; @assumptions
22; - Enough stack for a few pushes
23; - The SS selector has base 0 and limit 0xffffffff
24;
25; @todo stack probing is currently hardcoded and not present everywhere (search for 'probe stack')
26
27
28;*******************************************************************************
29;* Header Files *
30;*******************************************************************************
31%include "VBox/asmdefs.mac"
32%include "VBox/err.mac"
33%include "VBox/x86.mac"
34%include "VBox/vm.mac"
35%include "PATMA.mac"
36
37%ifdef DEBUG
38; Noisy, but useful for debugging certain problems
39;;;%define PATM_LOG_PATCHINSTR
40;;%define PATM_LOG_PATCHIRET
41%endif
42
43BEGINCONST
44
45%ifdef RT_ARCH_AMD64
46 BITS 32 ; switch to 32-bit mode (x86).
47%endif
48
49%ifdef VBOX_WITH_STATISTICS
50;
51; Patch call statistics
52;
53BEGINPROC PATMStats
54PATMStats_Start:
55 mov dword [ss:PATM_INTERRUPTFLAG], 0
56 pushf
57 inc dword [ss:PATM_ALLPATCHCALLS]
58 inc dword [ss:PATM_PERPATCHCALLS]
59 popf
60 mov dword [ss:PATM_INTERRUPTFLAG], 1
61PATMStats_End:
62ENDPROC PATMStats
63
64
65; Patch record for statistics
66GLOBALNAME PATMStatsRecord
67 RTCCPTR_DEF PATMStats_Start
68 DD 0
69 DD 0
70 DD 0
71 DD PATMStats_End - PATMStats_Start
72 DD 4
73 DD PATM_INTERRUPTFLAG
74 DD 0
75 DD PATM_ALLPATCHCALLS
76 DD 0
77 DD PATM_PERPATCHCALLS
78 DD 0
79 DD PATM_INTERRUPTFLAG
80 DD 0
81 DD 0ffffffffh
82%endif
83
84;
85; Set PATM_INTERRUPTFLAG
86;
87BEGINPROC PATMSetPIF
88PATMSetPIF_Start:
89 mov dword [ss:PATM_INTERRUPTFLAG], 1
90PATMSetPIF_End:
91ENDPROC PATMSetPIF
92
93
94; Patch record for setting PATM_INTERRUPTFLAG
95GLOBALNAME PATMSetPIFRecord
96 RTCCPTR_DEF PATMSetPIF_Start
97 DD 0
98 DD 0
99 DD 0
100 DD PATMSetPIF_End - PATMSetPIF_Start
101 DD 1
102 DD PATM_INTERRUPTFLAG
103 DD 0
104 DD 0ffffffffh
105
106;
107; Clear PATM_INTERRUPTFLAG
108;
109BEGINPROC PATMClearPIF
110PATMClearPIF_Start:
111 ; probe stack here as we can't recover from page faults later on
112 not dword [esp-64]
113 not dword [esp-64]
114 mov dword [ss:PATM_INTERRUPTFLAG], 0
115PATMClearPIF_End:
116ENDPROC PATMClearPIF
117
118
119; Patch record for clearing PATM_INTERRUPTFLAG
120GLOBALNAME PATMClearPIFRecord
121 RTCCPTR_DEF PATMClearPIF_Start
122 DD 0
123 DD 0
124 DD 0
125 DD PATMClearPIF_End - PATMClearPIF_Start
126 DD 1
127 DD PATM_INTERRUPTFLAG
128 DD 0
129 DD 0ffffffffh
130
131;
132; Clear PATM_INHIBITIRQADDR and fault if IF=0
133;
134BEGINPROC PATMClearInhibitIRQFaultIF0
135PATMClearInhibitIRQFaultIF0_Start:
136 mov dword [ss:PATM_INTERRUPTFLAG], 0
137 mov dword [ss:PATM_INHIBITIRQADDR], 0
138 pushf
139
140 test dword [ss:PATM_VMFLAGS], X86_EFL_IF
141 jz PATMClearInhibitIRQFaultIF0_Fault
142
143 ; if interrupts are pending, then we must go back to the host context to handle them!
144 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
145 jz PATMClearInhibitIRQFaultIF0_Continue
146
147 ; Go to our hypervisor trap handler to dispatch the pending irq
148 mov dword [ss:PATM_TEMP_EAX], eax
149 mov dword [ss:PATM_TEMP_ECX], ecx
150 mov dword [ss:PATM_TEMP_EDI], edi
151 mov dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX | PATM_RESTORE_EDI
152 mov eax, PATM_ACTION_DISPATCH_PENDING_IRQ
153 lock or dword [ss:PATM_PENDINGACTION], eax
154 mov ecx, PATM_ACTION_MAGIC
155 mov edi, PATM_NEXTINSTRADDR
156 popfd ; restore flags we pushed above (the or instruction changes the flags as well)
157 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
158 ; does not return
159
160PATMClearInhibitIRQFaultIF0_Fault:
161 popf
162 mov dword [ss:PATM_INTERRUPTFLAG], 1
163 PATM_INT3
164
165PATMClearInhibitIRQFaultIF0_Continue:
166 popf
167 mov dword [ss:PATM_INTERRUPTFLAG], 1
168PATMClearInhibitIRQFaultIF0_End:
169ENDPROC PATMClearInhibitIRQFaultIF0
170
171
172; Patch record for clearing PATM_INHIBITIRQADDR
173GLOBALNAME PATMClearInhibitIRQFaultIF0Record
174 RTCCPTR_DEF PATMClearInhibitIRQFaultIF0_Start
175 DD 0
176 DD 0
177 DD 0
178 DD PATMClearInhibitIRQFaultIF0_End - PATMClearInhibitIRQFaultIF0_Start
179 DD 12
180 DD PATM_INTERRUPTFLAG
181 DD 0
182 DD PATM_INHIBITIRQADDR
183 DD 0
184 DD PATM_VMFLAGS
185 DD 0
186 DD PATM_VM_FORCEDACTIONS
187 DD 0
188 DD PATM_TEMP_EAX
189 DD 0
190 DD PATM_TEMP_ECX
191 DD 0
192 DD PATM_TEMP_EDI
193 DD 0
194 DD PATM_TEMP_RESTORE_FLAGS
195 DD 0
196 DD PATM_PENDINGACTION
197 DD 0
198 DD PATM_NEXTINSTRADDR
199 DD 0
200 DD PATM_INTERRUPTFLAG
201 DD 0
202 DD PATM_INTERRUPTFLAG
203 DD 0
204 DD 0ffffffffh
205
206;
207; Clear PATM_INHIBITIRQADDR and continue if IF=0 (duplicated function only; never jump back to guest code afterwards!!)
208;
209BEGINPROC PATMClearInhibitIRQContIF0
210PATMClearInhibitIRQContIF0_Start:
211 mov dword [ss:PATM_INTERRUPTFLAG], 0
212 mov dword [ss:PATM_INHIBITIRQADDR], 0
213 pushf
214
215 test dword [ss:PATM_VMFLAGS], X86_EFL_IF
216 jz PATMClearInhibitIRQContIF0_Continue
217
218 ; if interrupts are pending, then we must go back to the host context to handle them!
219 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
220 jz PATMClearInhibitIRQContIF0_Continue
221
222 ; Go to our hypervisor trap handler to dispatch the pending irq
223 mov dword [ss:PATM_TEMP_EAX], eax
224 mov dword [ss:PATM_TEMP_ECX], ecx
225 mov dword [ss:PATM_TEMP_EDI], edi
226 mov dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX | PATM_RESTORE_EDI
227 mov eax, PATM_ACTION_DISPATCH_PENDING_IRQ
228 lock or dword [ss:PATM_PENDINGACTION], eax
229 mov ecx, PATM_ACTION_MAGIC
230 mov edi, PATM_NEXTINSTRADDR
231 popfd ; restore flags we pushed above (the or instruction changes the flags as well)
232 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
233 ; does not return
234
235PATMClearInhibitIRQContIF0_Continue:
236 popf
237 mov dword [ss:PATM_INTERRUPTFLAG], 1
238PATMClearInhibitIRQContIF0_End:
239ENDPROC PATMClearInhibitIRQContIF0
240
241
242; Patch record for clearing PATM_INHIBITIRQADDR
243GLOBALNAME PATMClearInhibitIRQContIF0Record
244 RTCCPTR_DEF PATMClearInhibitIRQContIF0_Start
245 DD 0
246 DD 0
247 DD 0
248 DD PATMClearInhibitIRQContIF0_End - PATMClearInhibitIRQContIF0_Start
249 DD 11
250 DD PATM_INTERRUPTFLAG
251 DD 0
252 DD PATM_INHIBITIRQADDR
253 DD 0
254 DD PATM_VMFLAGS
255 DD 0
256 DD PATM_VM_FORCEDACTIONS
257 DD 0
258 DD PATM_TEMP_EAX
259 DD 0
260 DD PATM_TEMP_ECX
261 DD 0
262 DD PATM_TEMP_EDI
263 DD 0
264 DD PATM_TEMP_RESTORE_FLAGS
265 DD 0
266 DD PATM_PENDINGACTION
267 DD 0
268 DD PATM_NEXTINSTRADDR
269 DD 0
270 DD PATM_INTERRUPTFLAG
271 DD 0
272 DD 0ffffffffh
273
274
275BEGINPROC PATMCliReplacement
276PATMCliStart:
277 mov dword [ss:PATM_INTERRUPTFLAG], 0
278 pushf
279%ifdef PATM_LOG_PATCHINSTR
280 push eax
281 push ecx
282 mov eax, PATM_ACTION_LOG_CLI
283 lock or dword [ss:PATM_PENDINGACTION], eax
284 mov ecx, PATM_ACTION_MAGIC
285 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
286 pop ecx
287 pop eax
288%endif
289
290 and dword [ss:PATM_VMFLAGS], ~X86_EFL_IF
291 popf
292
293 mov dword [ss:PATM_INTERRUPTFLAG], 1
294 DB 0xE9
295PATMCliJump:
296 DD PATM_JUMPDELTA
297PATMCliEnd:
298ENDPROC PATMCliReplacement
299
300
301; Patch record for 'cli'
302GLOBALNAME PATMCliRecord
303 RTCCPTR_DEF PATMCliStart
304 DD PATMCliJump - PATMCliStart
305 DD 0
306 DD 0
307 DD PATMCliEnd - PATMCliStart
308%ifdef PATM_LOG_PATCHINSTR
309 DD 4
310%else
311 DD 3
312%endif
313 DD PATM_INTERRUPTFLAG
314 DD 0
315%ifdef PATM_LOG_PATCHINSTR
316 DD PATM_PENDINGACTION
317 DD 0
318%endif
319 DD PATM_VMFLAGS
320 DD 0
321 DD PATM_INTERRUPTFLAG
322 DD 0
323 DD 0ffffffffh
324
325
326BEGINPROC PATMStiReplacement
327PATMStiStart:
328 mov dword [ss:PATM_INTERRUPTFLAG], 0
329 mov dword [ss:PATM_INHIBITIRQADDR], PATM_NEXTINSTRADDR
330 pushf
331%ifdef PATM_LOG_PATCHINSTR
332 push eax
333 push ecx
334 mov eax, PATM_ACTION_LOG_STI
335 lock or dword [ss:PATM_PENDINGACTION], eax
336 mov ecx, PATM_ACTION_MAGIC
337 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
338 pop ecx
339 pop eax
340%endif
341 or dword [ss:PATM_VMFLAGS], X86_EFL_IF
342 popf
343 mov dword [ss:PATM_INTERRUPTFLAG], 1
344PATMStiEnd:
345ENDPROC PATMStiReplacement
346
347; Patch record for 'sti'
348GLOBALNAME PATMStiRecord
349 RTCCPTR_DEF PATMStiStart
350 DD 0
351 DD 0
352 DD 0
353 DD PATMStiEnd - PATMStiStart
354%ifdef PATM_LOG_PATCHINSTR
355 DD 6
356%else
357 DD 5
358%endif
359 DD PATM_INTERRUPTFLAG
360 DD 0
361 DD PATM_INHIBITIRQADDR
362 DD 0
363 DD PATM_NEXTINSTRADDR
364 DD 0
365%ifdef PATM_LOG_PATCHINSTR
366 DD PATM_PENDINGACTION
367 DD 0
368%endif
369 DD PATM_VMFLAGS
370 DD 0
371 DD PATM_INTERRUPTFLAG
372 DD 0
373 DD 0ffffffffh
374
375;
376; Trampoline code for trap entry (without error code on the stack)
377;
378; esp + 32 - GS (V86 only)
379; esp + 28 - FS (V86 only)
380; esp + 24 - DS (V86 only)
381; esp + 20 - ES (V86 only)
382; esp + 16 - SS (if transfer to inner ring)
383; esp + 12 - ESP (if transfer to inner ring)
384; esp + 8 - EFLAGS
385; esp + 4 - CS
386; esp - EIP
387;
388BEGINPROC PATMTrapEntry
389PATMTrapEntryStart:
390 mov dword [ss:PATM_INTERRUPTFLAG], 0
391 pushf
392
393%ifdef PATM_LOG_PATCHIRET
394 push eax
395 push ecx
396 push edx
397 lea edx, dword [ss:esp+12+4] ;3 dwords + pushed flags -> iret eip
398 mov eax, PATM_ACTION_LOG_GATE_ENTRY
399 lock or dword [ss:PATM_PENDINGACTION], eax
400 mov ecx, PATM_ACTION_MAGIC
401 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
402 pop edx
403 pop ecx
404 pop eax
405%endif
406
407 test dword [esp+12], X86_EFL_VM
408 jnz PATMTrapNoRing1
409
410 ; make sure the saved CS selector for ring 1 is made 0
411 test dword [esp+8], 2
412 jnz PATMTrapNoRing1
413 test dword [esp+8], 1
414 jz PATMTrapNoRing1
415 and dword [esp+8], dword ~1 ; yasm / nasm dword
416PATMTrapNoRing1:
417
418 ; correct EFLAGS on the stack to include the current IOPL
419 push eax
420 mov eax, dword [ss:PATM_VMFLAGS]
421 and eax, X86_EFL_IOPL
422 and dword [esp+16], ~X86_EFL_IOPL ; esp+16 = eflags = esp+8+4(efl)+4(eax)
423 or dword [esp+16], eax
424 pop eax
425
426 popf
427 mov dword [ss:PATM_INTERRUPTFLAG], 1
428 DB 0xE9
429PATMTrapEntryJump:
430 DD PATM_JUMPDELTA
431PATMTrapEntryEnd:
432ENDPROC PATMTrapEntry
433
434
435; Patch record for trap gate entrypoint
436GLOBALNAME PATMTrapEntryRecord
437 RTCCPTR_DEF PATMTrapEntryStart
438 DD PATMTrapEntryJump - PATMTrapEntryStart
439 DD 0
440 DD 0
441 DD PATMTrapEntryEnd - PATMTrapEntryStart
442%ifdef PATM_LOG_PATCHIRET
443 DD 4
444%else
445 DD 3
446%endif
447 DD PATM_INTERRUPTFLAG
448 DD 0
449%ifdef PATM_LOG_PATCHIRET
450 DD PATM_PENDINGACTION
451 DD 0
452%endif
453 DD PATM_VMFLAGS
454 DD 0
455 DD PATM_INTERRUPTFLAG
456 DD 0
457 DD 0ffffffffh
458
459;
460; Trampoline code for trap entry (with error code on the stack)
461;
462; esp + 36 - GS (V86 only)
463; esp + 32 - FS (V86 only)
464; esp + 28 - DS (V86 only)
465; esp + 24 - ES (V86 only)
466; esp + 20 - SS (if transfer to inner ring)
467; esp + 16 - ESP (if transfer to inner ring)
468; esp + 12 - EFLAGS
469; esp + 8 - CS
470; esp + 4 - EIP
471; esp - error code
472;
473BEGINPROC PATMTrapEntryErrorCode
474PATMTrapErrorCodeEntryStart:
475 mov dword [ss:PATM_INTERRUPTFLAG], 0
476 pushf
477
478%ifdef PATM_LOG_PATCHIRET
479 push eax
480 push ecx
481 push edx
482 lea edx, dword [ss:esp+12+4+4] ;3 dwords + pushed flags + error code -> iret eip
483 mov eax, PATM_ACTION_LOG_GATE_ENTRY
484 lock or dword [ss:PATM_PENDINGACTION], eax
485 mov ecx, PATM_ACTION_MAGIC
486 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
487 pop edx
488 pop ecx
489 pop eax
490%endif
491
492 test dword [esp+16], X86_EFL_VM
493 jnz PATMTrapErrorCodeNoRing1
494
495 ; make sure the saved CS selector for ring 1 is made 0
496 test dword [esp+12], 2
497 jnz PATMTrapErrorCodeNoRing1
498 test dword [esp+12], 1
499 jz PATMTrapErrorCodeNoRing1
500 and dword [esp+12], dword ~1 ; yasm / nasm dword
501PATMTrapErrorCodeNoRing1:
502
503 ; correct EFLAGS on the stack to include the current IOPL
504 push eax
505 mov eax, dword [ss:PATM_VMFLAGS]
506 and eax, X86_EFL_IOPL
507 and dword [esp+20], ~X86_EFL_IOPL ; esp+20 = eflags = esp+8+4(efl)+4(error code)+4(eax)
508 or dword [esp+20], eax
509 pop eax
510
511 popf
512 mov dword [ss:PATM_INTERRUPTFLAG], 1
513 DB 0xE9
514PATMTrapErrorCodeEntryJump:
515 DD PATM_JUMPDELTA
516PATMTrapErrorCodeEntryEnd:
517ENDPROC PATMTrapEntryErrorCode
518
519
520; Patch record for trap gate entrypoint
521GLOBALNAME PATMTrapEntryRecordErrorCode
522 RTCCPTR_DEF PATMTrapErrorCodeEntryStart
523 DD PATMTrapErrorCodeEntryJump - PATMTrapErrorCodeEntryStart
524 DD 0
525 DD 0
526 DD PATMTrapErrorCodeEntryEnd - PATMTrapErrorCodeEntryStart
527%ifdef PATM_LOG_PATCHIRET
528 DD 4
529%else
530 DD 3
531%endif
532 DD PATM_INTERRUPTFLAG
533 DD 0
534%ifdef PATM_LOG_PATCHIRET
535 DD PATM_PENDINGACTION
536 DD 0
537%endif
538 DD PATM_VMFLAGS
539 DD 0
540 DD PATM_INTERRUPTFLAG
541 DD 0
542 DD 0ffffffffh
543
544
545;
546; Trampoline code for interrupt gate entry (without error code on the stack)
547;
548; esp + 32 - GS (V86 only)
549; esp + 28 - FS (V86 only)
550; esp + 24 - DS (V86 only)
551; esp + 20 - ES (V86 only)
552; esp + 16 - SS (if transfer to inner ring)
553; esp + 12 - ESP (if transfer to inner ring)
554; esp + 8 - EFLAGS
555; esp + 4 - CS
556; esp - EIP
557;
558BEGINPROC PATMIntEntry
559PATMIntEntryStart:
560 mov dword [ss:PATM_INTERRUPTFLAG], 0
561 pushf
562
563%ifdef PATM_LOG_PATCHIRET
564 push eax
565 push ecx
566 push edx
567 lea edx, dword [ss:esp+12+4] ;3 dwords + pushed flags -> iret eip
568 mov eax, PATM_ACTION_LOG_GATE_ENTRY
569 lock or dword [ss:PATM_PENDINGACTION], eax
570 mov ecx, PATM_ACTION_MAGIC
571 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
572 pop edx
573 pop ecx
574 pop eax
575%endif
576
577 test dword [esp+12], X86_EFL_VM
578 jnz PATMIntNoRing1
579
580 ; make sure the saved CS selector for ring 1 is made 0
581 test dword [esp+8], 2
582 jnz PATMIntNoRing1
583 test dword [esp+8], 1
584 jz PATMIntNoRing1
585 and dword [esp+8], dword ~1 ; yasm / nasm dword
586PATMIntNoRing1:
587
588 ; correct EFLAGS on the stack to include the current IOPL
589 push eax
590 mov eax, dword [ss:PATM_VMFLAGS]
591 and eax, X86_EFL_IOPL
592 and dword [esp+16], ~X86_EFL_IOPL ; esp+16 = eflags = esp+8+4(efl)+4(eax)
593 or dword [esp+16], eax
594 pop eax
595
596 popf
597 mov dword [ss:PATM_INTERRUPTFLAG], 1
598PATMIntEntryEnd:
599ENDPROC PATMIntEntry
600
601
602; Patch record for interrupt gate entrypoint
603GLOBALNAME PATMIntEntryRecord
604 RTCCPTR_DEF PATMIntEntryStart
605 DD 0
606 DD 0
607 DD 0
608 DD PATMIntEntryEnd - PATMIntEntryStart
609%ifdef PATM_LOG_PATCHIRET
610 DD 4
611%else
612 DD 3
613%endif
614 DD PATM_INTERRUPTFLAG
615 DD 0
616%ifdef PATM_LOG_PATCHIRET
617 DD PATM_PENDINGACTION
618 DD 0
619%endif
620 DD PATM_VMFLAGS
621 DD 0
622 DD PATM_INTERRUPTFLAG
623 DD 0
624 DD 0ffffffffh
625
626;
627; Trampoline code for interrupt gate entry (*with* error code on the stack)
628;
629; esp + 36 - GS (V86 only)
630; esp + 32 - FS (V86 only)
631; esp + 28 - DS (V86 only)
632; esp + 24 - ES (V86 only)
633; esp + 20 - SS (if transfer to inner ring)
634; esp + 16 - ESP (if transfer to inner ring)
635; esp + 12 - EFLAGS
636; esp + 8 - CS
637; esp + 4 - EIP
638; esp - error code
639;
640BEGINPROC PATMIntEntryErrorCode
641PATMIntEntryErrorCodeStart:
642 mov dword [ss:PATM_INTERRUPTFLAG], 0
643 pushf
644
645%ifdef PATM_LOG_PATCHIRET
646 push eax
647 push ecx
648 push edx
649 lea edx, dword [ss:esp+12+4+4] ;3 dwords + pushed flags + error code -> iret eip
650 mov eax, PATM_ACTION_LOG_GATE_ENTRY
651 lock or dword [ss:PATM_PENDINGACTION], eax
652 mov ecx, PATM_ACTION_MAGIC
653 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
654 pop edx
655 pop ecx
656 pop eax
657%endif
658
659 test dword [esp+16], X86_EFL_VM
660 jnz PATMIntNoRing1_ErrorCode
661
662 ; make sure the saved CS selector for ring 1 is made 0
663 test dword [esp+12], 2
664 jnz PATMIntNoRing1_ErrorCode
665 test dword [esp+12], 1
666 jz PATMIntNoRing1_ErrorCode
667 and dword [esp+12], dword ~1 ; yasm / nasm dword
668PATMIntNoRing1_ErrorCode:
669
670 ; correct EFLAGS on the stack to include the current IOPL
671 push eax
672 mov eax, dword [ss:PATM_VMFLAGS]
673 and eax, X86_EFL_IOPL
674 and dword [esp+20], ~X86_EFL_IOPL ; esp+20 = eflags = esp+8+4(efl)+4(eax)+4(error code)
675 or dword [esp+20], eax
676 pop eax
677
678 popf
679 mov dword [ss:PATM_INTERRUPTFLAG], 1
680PATMIntEntryErrorCodeEnd:
681ENDPROC PATMIntEntryErrorCode
682
683
684; Patch record for interrupt gate entrypoint
685GLOBALNAME PATMIntEntryRecordErrorCode
686 RTCCPTR_DEF PATMIntEntryErrorCodeStart
687 DD 0
688 DD 0
689 DD 0
690 DD PATMIntEntryErrorCodeEnd - PATMIntEntryErrorCodeStart
691%ifdef PATM_LOG_PATCHIRET
692 DD 4
693%else
694 DD 3
695%endif
696 DD PATM_INTERRUPTFLAG
697 DD 0
698%ifdef PATM_LOG_PATCHIRET
699 DD PATM_PENDINGACTION
700 DD 0
701%endif
702 DD PATM_VMFLAGS
703 DD 0
704 DD PATM_INTERRUPTFLAG
705 DD 0
706 DD 0ffffffffh
707
708;
709; 32 bits Popf replacement that faults when IF remains 0
710;
711BEGINPROC PATMPopf32Replacement
712PATMPopf32Start:
713 mov dword [ss:PATM_INTERRUPTFLAG], 0
714%ifdef PATM_LOG_PATCHINSTR
715 push eax
716 push ecx
717 mov eax, PATM_ACTION_LOG_POPF_IF1
718 test dword [esp+8], X86_EFL_IF
719 jnz PATMPopf32_Log
720 mov eax, PATM_ACTION_LOG_POPF_IF0
721
722PATMPopf32_Log:
723 lock or dword [ss:PATM_PENDINGACTION], eax
724 mov ecx, PATM_ACTION_MAGIC
725 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
726 pop ecx
727 pop eax
728%endif
729
730 test dword [esp], X86_EFL_IF
731 jnz PATMPopf32_Ok
732 mov dword [ss:PATM_INTERRUPTFLAG], 1
733 PATM_INT3
734
735PATMPopf32_Ok:
736 ; Note: we don't allow popf instructions to change the current IOPL; we simply ignore such changes (!!!)
737 ; In this particular patch it's rather unlikely the pushf was included, so we have no way to check if the flags on the stack were correctly synched
738 ; PATMPopf32Replacement_NoExit is different, because it's only used in IDT and function patches
739 or dword [ss:PATM_VMFLAGS], X86_EFL_IF
740
741 ; if interrupts are pending, then we must go back to the host context to handle them!
742 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
743 jz PATMPopf32_Continue
744
745 ; Go to our hypervisor trap handler to dispatch the pending irq
746 mov dword [ss:PATM_TEMP_EAX], eax
747 mov dword [ss:PATM_TEMP_ECX], ecx
748 mov dword [ss:PATM_TEMP_EDI], edi
749 mov dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX | PATM_RESTORE_EDI
750 mov eax, PATM_ACTION_DISPATCH_PENDING_IRQ
751 lock or dword [ss:PATM_PENDINGACTION], eax
752 mov ecx, PATM_ACTION_MAGIC
753 mov edi, PATM_NEXTINSTRADDR
754
755 popfd ; restore flags we pushed above (the or instruction changes the flags as well)
756 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
757 ; does not return
758
759PATMPopf32_Continue:
760 popfd ; restore flags we pushed above
761 mov dword [ss:PATM_INTERRUPTFLAG], 1
762 DB 0xE9
763PATMPopf32Jump:
764 DD PATM_JUMPDELTA
765PATMPopf32End:
766ENDPROC PATMPopf32Replacement
767
768
769; Patch record for 'popfd'
770GLOBALNAME PATMPopf32Record
771 RTCCPTR_DEF PATMPopf32Start
772 DD PATMPopf32Jump - PATMPopf32Start
773 DD 0
774 DD 0
775 DD PATMPopf32End - PATMPopf32Start
776%ifdef PATM_LOG_PATCHINSTR
777 DD 12
778%else
779 DD 11
780%endif
781 DD PATM_INTERRUPTFLAG
782 DD 0
783%ifdef PATM_LOG_PATCHINSTR
784 DD PATM_PENDINGACTION
785 DD 0
786%endif
787 DD PATM_INTERRUPTFLAG
788 DD 0
789 DD PATM_VMFLAGS
790 DD 0
791 DD PATM_VM_FORCEDACTIONS
792 DD 0
793 DD PATM_TEMP_EAX
794 DD 0
795 DD PATM_TEMP_ECX
796 DD 0
797 DD PATM_TEMP_EDI
798 DD 0
799 DD PATM_TEMP_RESTORE_FLAGS
800 DD 0
801 DD PATM_PENDINGACTION
802 DD 0
803 DD PATM_NEXTINSTRADDR
804 DD 0
805 DD PATM_INTERRUPTFLAG
806 DD 0
807 DD 0ffffffffh
808
809; no need to check the IF flag when popf isn't an exit point of a patch (e.g. function duplication)
810BEGINPROC PATMPopf32Replacement_NoExit
811PATMPopf32_NoExitStart:
812 mov dword [ss:PATM_INTERRUPTFLAG], 0
813%ifdef PATM_LOG_PATCHINSTR
814 push eax
815 push ecx
816 mov eax, PATM_ACTION_LOG_POPF_IF1
817 test dword [esp+8], X86_EFL_IF
818 jnz PATMPopf32_NoExitLog
819 mov eax, PATM_ACTION_LOG_POPF_IF0
820
821PATMPopf32_NoExitLog:
822 lock or dword [ss:PATM_PENDINGACTION], eax
823 mov ecx, PATM_ACTION_MAGIC
824 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
825 pop ecx
826 pop eax
827%endif
828 test dword [esp], X86_EFL_IF
829 jz PATMPopf32_NoExit_Continue
830
831 ; if interrupts are pending, then we must go back to the host context to handle them!
832 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
833 jz PATMPopf32_NoExit_Continue
834
835 ; Go to our hypervisor trap handler to dispatch the pending irq
836 mov dword [ss:PATM_TEMP_EAX], eax
837 mov dword [ss:PATM_TEMP_ECX], ecx
838 mov dword [ss:PATM_TEMP_EDI], edi
839 mov dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX | PATM_RESTORE_EDI
840 mov eax, PATM_ACTION_DISPATCH_PENDING_IRQ
841 lock or dword [ss:PATM_PENDINGACTION], eax
842 mov ecx, PATM_ACTION_MAGIC
843 mov edi, PATM_NEXTINSTRADDR
844
845 pop dword [ss:PATM_VMFLAGS] ; restore flags now (the or instruction changes the flags as well)
846 push dword [ss:PATM_VMFLAGS]
847 popfd
848
849 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
850 ; does not return
851
852PATMPopf32_NoExit_Continue:
853 pop dword [ss:PATM_VMFLAGS]
854 push dword [ss:PATM_VMFLAGS]
855 popfd
856 mov dword [ss:PATM_INTERRUPTFLAG], 1
857PATMPopf32_NoExitEnd:
858ENDPROC PATMPopf32Replacement_NoExit
859
860
861; Patch record for 'popfd'
862GLOBALNAME PATMPopf32Record_NoExit
863 RTCCPTR_DEF PATMPopf32_NoExitStart
864 DD 0
865 DD 0
866 DD 0
867 DD PATMPopf32_NoExitEnd - PATMPopf32_NoExitStart
868%ifdef PATM_LOG_PATCHINSTR
869 DD 14
870%else
871 DD 13
872%endif
873 DD PATM_INTERRUPTFLAG
874 DD 0
875%ifdef PATM_LOG_PATCHINSTR
876 DD PATM_PENDINGACTION
877 DD 0
878%endif
879 DD PATM_VM_FORCEDACTIONS
880 DD 0
881 DD PATM_TEMP_EAX
882 DD 0
883 DD PATM_TEMP_ECX
884 DD 0
885 DD PATM_TEMP_EDI
886 DD 0
887 DD PATM_TEMP_RESTORE_FLAGS
888 DD 0
889 DD PATM_PENDINGACTION
890 DD 0
891 DD PATM_NEXTINSTRADDR
892 DD 0
893 DD PATM_VMFLAGS
894 DD 0
895 DD PATM_VMFLAGS
896 DD 0
897 DD PATM_VMFLAGS
898 DD 0
899 DD PATM_VMFLAGS
900 DD 0
901 DD PATM_INTERRUPTFLAG
902 DD 0
903 DD 0ffffffffh
904
905
906;
907; 16 bits Popf replacement that faults when IF remains 0
908;
909BEGINPROC PATMPopf16Replacement
910PATMPopf16Start:
911 mov dword [ss:PATM_INTERRUPTFLAG], 0
912 test word [esp], X86_EFL_IF
913 jnz PATMPopf16_Ok
914 mov dword [ss:PATM_INTERRUPTFLAG], 1
915 PATM_INT3
916
917PATMPopf16_Ok:
918 ; if interrupts are pending, then we must go back to the host context to handle them!
919 ; @note we destroy the flags here, but that should really not matter (PATM_INT3 case)
920 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
921 jz PATMPopf16_Continue
922 mov dword [ss:PATM_INTERRUPTFLAG], 1
923 PATM_INT3
924
925PATMPopf16_Continue:
926
927 pop word [ss:PATM_VMFLAGS]
928 push word [ss:PATM_VMFLAGS]
929 and dword [ss:PATM_VMFLAGS], PATM_VIRTUAL_FLAGS_MASK
930 or dword [ss:PATM_VMFLAGS], PATM_VIRTUAL_FLAGS_MASK
931
932 DB 0x66 ; size override
933 popf ;after the and and or operations!! (flags must be preserved)
934 mov dword [ss:PATM_INTERRUPTFLAG], 1
935
936 DB 0xE9
937PATMPopf16Jump:
938 DD PATM_JUMPDELTA
939PATMPopf16End:
940ENDPROC PATMPopf16Replacement
941
942
943; Patch record for 'popf'
944GLOBALNAME PATMPopf16Record
945 RTCCPTR_DEF PATMPopf16Start
946 DD PATMPopf16Jump - PATMPopf16Start
947 DD 0
948 DD 0
949 DD PATMPopf16End - PATMPopf16Start
950 DD 9
951 DD PATM_INTERRUPTFLAG
952 DD 0
953 DD PATM_INTERRUPTFLAG
954 DD 0
955 DD PATM_VM_FORCEDACTIONS
956 DD 0
957 DD PATM_INTERRUPTFLAG
958 DD 0
959 DD PATM_VMFLAGS
960 DD 0
961 DD PATM_VMFLAGS
962 DD 0
963 DD PATM_VMFLAGS
964 DD 0
965 DD PATM_VMFLAGS
966 DD 0
967 DD PATM_INTERRUPTFLAG
968 DD 0
969 DD 0ffffffffh
970
971;
972; 16 bits Popf replacement that faults when IF remains 0
973; @todo not necessary to fault in that case (see 32 bits version)
974BEGINPROC PATMPopf16Replacement_NoExit
975PATMPopf16Start_NoExit:
976 mov dword [ss:PATM_INTERRUPTFLAG], 0
977 test word [esp], X86_EFL_IF
978 jnz PATMPopf16_Ok_NoExit
979 mov dword [ss:PATM_INTERRUPTFLAG], 1
980 PATM_INT3
981
982PATMPopf16_Ok_NoExit:
983 ; if interrupts are pending, then we must go back to the host context to handle them!
984 ; @note we destroy the flags here, but that should really not matter (PATM_INT3 case)
985 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
986 jz PATMPopf16_Continue_NoExit
987 mov dword [ss:PATM_INTERRUPTFLAG], 1
988 PATM_INT3
989
990PATMPopf16_Continue_NoExit:
991
992 pop word [ss:PATM_VMFLAGS]
993 push word [ss:PATM_VMFLAGS]
994 and dword [ss:PATM_VMFLAGS], PATM_VIRTUAL_FLAGS_MASK
995 or dword [ss:PATM_VMFLAGS], PATM_VIRTUAL_FLAGS_MASK
996
997 DB 0x66 ; size override
998 popf ;after the and and or operations!! (flags must be preserved)
999 mov dword [ss:PATM_INTERRUPTFLAG], 1
1000PATMPopf16End_NoExit:
1001ENDPROC PATMPopf16Replacement_NoExit
1002
1003
1004; Patch record for 'popf'
1005GLOBALNAME PATMPopf16Record_NoExit
1006 RTCCPTR_DEF PATMPopf16Start_NoExit
1007 DD 0
1008 DD 0
1009 DD 0
1010 DD PATMPopf16End_NoExit - PATMPopf16Start_NoExit
1011 DD 9
1012 DD PATM_INTERRUPTFLAG
1013 DD 0
1014 DD PATM_INTERRUPTFLAG
1015 DD 0
1016 DD PATM_VM_FORCEDACTIONS
1017 DD 0
1018 DD PATM_INTERRUPTFLAG
1019 DD 0
1020 DD PATM_VMFLAGS
1021 DD 0
1022 DD PATM_VMFLAGS
1023 DD 0
1024 DD PATM_VMFLAGS
1025 DD 0
1026 DD PATM_VMFLAGS
1027 DD 0
1028 DD PATM_INTERRUPTFLAG
1029 DD 0
1030 DD 0ffffffffh
1031
1032
1033BEGINPROC PATMPushf32Replacement
1034PATMPushf32Start:
1035 mov dword [ss:PATM_INTERRUPTFLAG], 0
1036 pushfd
1037%ifdef PATM_LOG_PATCHINSTR
1038 push eax
1039 push ecx
1040 mov eax, PATM_ACTION_LOG_PUSHF
1041 lock or dword [ss:PATM_PENDINGACTION], eax
1042 mov ecx, PATM_ACTION_MAGIC
1043 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1044 pop ecx
1045 pop eax
1046%endif
1047
1048 pushfd
1049 push eax
1050 mov eax, dword [esp+8]
1051 and eax, PATM_FLAGS_MASK
1052 or eax, dword [ss:PATM_VMFLAGS]
1053 mov dword [esp+8], eax
1054 pop eax
1055 popfd
1056 mov dword [ss:PATM_INTERRUPTFLAG], 1
1057PATMPushf32End:
1058ENDPROC PATMPushf32Replacement
1059
1060
1061; Patch record for 'pushfd'
1062GLOBALNAME PATMPushf32Record
1063 RTCCPTR_DEF PATMPushf32Start
1064 DD 0
1065 DD 0
1066 DD 0
1067 DD PATMPushf32End - PATMPushf32Start
1068%ifdef PATM_LOG_PATCHINSTR
1069 DD 4
1070%else
1071 DD 3
1072%endif
1073 DD PATM_INTERRUPTFLAG
1074 DD 0
1075%ifdef PATM_LOG_PATCHINSTR
1076 DD PATM_PENDINGACTION
1077 DD 0
1078%endif
1079 DD PATM_VMFLAGS
1080 DD 0
1081 DD PATM_INTERRUPTFLAG
1082 DD 0
1083 DD 0ffffffffh
1084
1085
1086BEGINPROC PATMPushf16Replacement
1087PATMPushf16Start:
1088 mov dword [ss:PATM_INTERRUPTFLAG], 0
1089 DB 0x66 ; size override
1090 pushf
1091 DB 0x66 ; size override
1092 pushf
1093 push eax
1094 xor eax, eax
1095 mov ax, word [esp+6]
1096 and eax, PATM_FLAGS_MASK
1097 or eax, dword [ss:PATM_VMFLAGS]
1098 mov word [esp+6], ax
1099 pop eax
1100
1101 DB 0x66 ; size override
1102 popf
1103 mov dword [ss:PATM_INTERRUPTFLAG], 1
1104PATMPushf16End:
1105ENDPROC PATMPushf16Replacement
1106
1107
1108; Patch record for 'pushf'
1109GLOBALNAME PATMPushf16Record
1110 RTCCPTR_DEF PATMPushf16Start
1111 DD 0
1112 DD 0
1113 DD 0
1114 DD PATMPushf16End - PATMPushf16Start
1115 DD 3
1116 DD PATM_INTERRUPTFLAG
1117 DD 0
1118 DD PATM_VMFLAGS
1119 DD 0
1120 DD PATM_INTERRUPTFLAG
1121 DD 0
1122 DD 0ffffffffh
1123
1124
1125BEGINPROC PATMPushCSReplacement
1126PATMPushCSStart:
1127 mov dword [ss:PATM_INTERRUPTFLAG], 0
1128 push cs
1129 pushfd
1130
1131 test dword [esp+4], 2
1132 jnz pushcs_notring1
1133
1134 ; change dpl from 1 to 0
1135 and dword [esp+4], dword ~1 ; yasm / nasm dword
1136
1137pushcs_notring1:
1138 popfd
1139
1140 mov dword [ss:PATM_INTERRUPTFLAG], 1
1141 DB 0xE9
1142PATMPushCSJump:
1143 DD PATM_JUMPDELTA
1144PATMPushCSEnd:
1145ENDPROC PATMPushCSReplacement
1146
1147
1148; Patch record for 'push cs'
1149GLOBALNAME PATMPushCSRecord
1150 RTCCPTR_DEF PATMPushCSStart
1151 DD PATMPushCSJump - PATMPushCSStart
1152 DD 0
1153 DD 0
1154 DD PATMPushCSEnd - PATMPushCSStart
1155 DD 2
1156 DD PATM_INTERRUPTFLAG
1157 DD 0
1158 DD PATM_INTERRUPTFLAG
1159 DD 0
1160 DD 0ffffffffh
1161
1162;;****************************************************
1163;; Abstract:
1164;;
1165;; if eflags.NT==0 && iretstack.eflags.VM==0 && iretstack.eflags.IOPL==0
1166;; then
1167;; if return to ring 0 (iretstack.new_cs & 3 == 0)
1168;; then
1169;; if iretstack.new_eflags.IF == 1 && iretstack.new_eflags.IOPL == 0
1170;; then
1171;; iretstack.new_cs |= 1
1172;; else
1173;; int 3
1174;; endif
1175;; uVMFlags &= ~X86_EFL_IF
1176;; iret
1177;; else
1178;; int 3
1179;;****************************************************
1180;;
1181; Stack:
1182;
1183; esp + 32 - GS (V86 only)
1184; esp + 28 - FS (V86 only)
1185; esp + 24 - DS (V86 only)
1186; esp + 20 - ES (V86 only)
1187; esp + 16 - SS (if transfer to outer ring)
1188; esp + 12 - ESP (if transfer to outer ring)
1189; esp + 8 - EFLAGS
1190; esp + 4 - CS
1191; esp - EIP
1192;;
1193BEGINPROC PATMIretReplacement
1194PATMIretStart:
1195 mov dword [ss:PATM_INTERRUPTFLAG], 0
1196 pushfd
1197
1198%ifdef PATM_LOG_PATCHIRET
1199 push eax
1200 push ecx
1201 push edx
1202 lea edx, dword [ss:esp+12+4] ;3 dwords + pushed flags -> iret eip
1203 mov eax, PATM_ACTION_LOG_IRET
1204 lock or dword [ss:PATM_PENDINGACTION], eax
1205 mov ecx, PATM_ACTION_MAGIC
1206 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1207 pop edx
1208 pop ecx
1209 pop eax
1210%endif
1211
1212 test dword [esp], X86_EFL_NT
1213 jnz near iret_fault1
1214
1215 ; we can't do an iret to v86 code, as we run with CPL=1. The iret would attempt a protected mode iret and (most likely) fault.
1216 test dword [esp+12], X86_EFL_VM
1217 jnz near iret_return_to_v86
1218
1219 ;;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1220 ;;@todo: not correct for iret back to ring 2!!!!!
1221 ;;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1222
1223 test dword [esp+8], 2
1224 jnz iret_notring0
1225
1226 test dword [esp+12], X86_EFL_IF
1227 jz near iret_clearIF
1228
1229 ; force ring 1 CS RPL
1230 or dword [esp+8], 1
1231iret_notring0:
1232
1233; if interrupts are pending, then we must go back to the host context to handle them!
1234; Note: This is very important as pending pic interrupts can be overriden by apic interrupts if we don't check early enough (Fedora 5 boot)
1235; @@todo fix this properly, so we can dispatch pending interrupts in GC
1236 test dword [ss:PATM_VM_FORCEDACTIONS], VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC
1237 jz iret_continue
1238
1239; Go to our hypervisor trap handler to dispatch the pending irq
1240 mov dword [ss:PATM_TEMP_EAX], eax
1241 mov dword [ss:PATM_TEMP_ECX], ecx
1242 mov dword [ss:PATM_TEMP_EDI], edi
1243 mov dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX | PATM_RESTORE_EDI
1244 mov eax, PATM_ACTION_PENDING_IRQ_AFTER_IRET
1245 lock or dword [ss:PATM_PENDINGACTION], eax
1246 mov ecx, PATM_ACTION_MAGIC
1247 mov edi, PATM_CURINSTRADDR
1248
1249 popfd
1250 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1251 ; does not return
1252
1253iret_continue :
1254 ; This section must *always* be executed (!!)
1255 ; Extract the IOPL from the return flags, save them to our virtual flags and
1256 ; put them back to zero
1257 ; @note we assume iretd doesn't fault!!!
1258 push eax
1259 mov eax, dword [esp+16]
1260 and eax, X86_EFL_IOPL
1261 and dword [ss:PATM_VMFLAGS], ~X86_EFL_IOPL
1262 or dword [ss:PATM_VMFLAGS], eax
1263 pop eax
1264 and dword [esp+12], ~X86_EFL_IOPL
1265
1266 ; Set IF again; below we make sure this won't cause problems.
1267 or dword [ss:PATM_VMFLAGS], X86_EFL_IF
1268
1269 ; make sure iret is executed fully (including the iret below; cli ... iret can otherwise be interrupted)
1270 mov dword [ss:PATM_INHIBITIRQADDR], PATM_CURINSTRADDR
1271
1272 popfd
1273 mov dword [ss:PATM_INTERRUPTFLAG], 1
1274 iretd
1275 PATM_INT3
1276
1277iret_fault:
1278 popfd
1279 mov dword [ss:PATM_INTERRUPTFLAG], 1
1280 PATM_INT3
1281
1282iret_fault1:
1283 nop
1284 popfd
1285 mov dword [ss:PATM_INTERRUPTFLAG], 1
1286 PATM_INT3
1287
1288iret_clearIF:
1289 push dword [esp+4] ; eip to return to
1290 pushfd
1291 push eax
1292 push PATM_FIXUP
1293 DB 0E8h ; call
1294 DD PATM_IRET_FUNCTION
1295 add esp, 4 ; pushed address of jump table
1296
1297 cmp eax, 0
1298 je near iret_fault3
1299
1300 mov dword [esp+12+4], eax ; stored eip in iret frame
1301 pop eax
1302 popfd
1303 add esp, 4 ; pushed eip
1304
1305 ; always ring 0 return -> change to ring 1 (CS in iret frame)
1306 or dword [esp+8], 1
1307
1308 ; This section must *always* be executed (!!)
1309 ; Extract the IOPL from the return flags, save them to our virtual flags and
1310 ; put them back to zero
1311 push eax
1312 mov eax, dword [esp+16]
1313 and eax, X86_EFL_IOPL
1314 and dword [ss:PATM_VMFLAGS], ~X86_EFL_IOPL
1315 or dword [ss:PATM_VMFLAGS], eax
1316 pop eax
1317 and dword [esp+12], ~X86_EFL_IOPL
1318
1319 ; Clear IF
1320 and dword [ss:PATM_VMFLAGS], ~X86_EFL_IF
1321 popfd
1322
1323 ; the patched destination code will set PATM_INTERRUPTFLAG after the return!
1324 iretd
1325
1326iret_return_to_v86:
1327 test dword [esp+12], X86_EFL_IF
1328 jz iret_fault
1329
1330 ; Go to our hypervisor trap handler to perform the iret to v86 code
1331 mov dword [ss:PATM_TEMP_EAX], eax
1332 mov dword [ss:PATM_TEMP_ECX], ecx
1333 mov dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX
1334 mov eax, PATM_ACTION_DO_V86_IRET
1335 lock or dword [ss:PATM_PENDINGACTION], eax
1336 mov ecx, PATM_ACTION_MAGIC
1337
1338 popfd
1339
1340 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1341 ; does not return
1342
1343
1344iret_fault3:
1345 pop eax
1346 popfd
1347 add esp, 4 ; pushed eip
1348 jmp iret_fault
1349
1350align 4
1351PATMIretTable:
1352 DW PATM_MAX_JUMPTABLE_ENTRIES ; nrSlots
1353 DW 0 ; ulInsertPos
1354 DD 0 ; cAddresses
1355 TIMES PATCHJUMPTABLE_SIZE DB 0 ; lookup slots
1356
1357PATMIretEnd:
1358ENDPROC PATMIretReplacement
1359
1360; Patch record for 'iretd'
1361GLOBALNAME PATMIretRecord
1362 RTCCPTR_DEF PATMIretStart
1363 DD 0
1364 DD 0
1365 DD 0
1366 DD PATMIretEnd- PATMIretStart
1367%ifdef PATM_LOG_PATCHIRET
1368 DD 26
1369%else
1370 DD 25
1371%endif
1372 DD PATM_INTERRUPTFLAG
1373 DD 0
1374%ifdef PATM_LOG_PATCHIRET
1375 DD PATM_PENDINGACTION
1376 DD 0
1377%endif
1378 DD PATM_VM_FORCEDACTIONS
1379 DD 0
1380 DD PATM_TEMP_EAX
1381 DD 0
1382 DD PATM_TEMP_ECX
1383 DD 0
1384 DD PATM_TEMP_EDI
1385 DD 0
1386 DD PATM_TEMP_RESTORE_FLAGS
1387 DD 0
1388 DD PATM_PENDINGACTION
1389 DD 0
1390 DD PATM_CURINSTRADDR
1391 DD 0
1392 DD PATM_VMFLAGS
1393 DD 0
1394 DD PATM_VMFLAGS
1395 DD 0
1396 DD PATM_VMFLAGS
1397 DD 0
1398 DD PATM_INHIBITIRQADDR
1399 DD 0
1400 DD PATM_CURINSTRADDR
1401 DD 0
1402 DD PATM_INTERRUPTFLAG
1403 DD 0
1404 DD PATM_INTERRUPTFLAG
1405 DD 0
1406 DD PATM_INTERRUPTFLAG
1407 DD 0
1408 DD PATM_FIXUP
1409 DD PATMIretTable - PATMIretStart
1410 DD PATM_IRET_FUNCTION
1411 DD 0
1412 DD PATM_VMFLAGS
1413 DD 0
1414 DD PATM_VMFLAGS
1415 DD 0
1416 DD PATM_VMFLAGS
1417 DD 0
1418 DD PATM_TEMP_EAX
1419 DD 0
1420 DD PATM_TEMP_ECX
1421 DD 0
1422 DD PATM_TEMP_RESTORE_FLAGS
1423 DD 0
1424 DD PATM_PENDINGACTION
1425 DD 0
1426 DD 0ffffffffh
1427
1428
1429;
1430; global function for implementing 'iret' to code with IF cleared
1431;
1432; Caller is responsible for right stack layout
1433; + 16 original return address
1434; + 12 eflags
1435; + 8 eax
1436; + 4 Jump table address
1437;( + 0 return address )
1438;
1439; @note assumes PATM_INTERRUPTFLAG is zero
1440; @note assumes it can trash eax and eflags
1441;
1442; @returns eax=0 on failure
1443; otherwise return address in eax
1444;
1445; @note NEVER change this without bumping the SSM version
1446align 32
1447BEGINPROC PATMIretFunction
1448PATMIretFunction_Start:
1449 push ecx
1450 push edx
1451 push edi
1452
1453 ; Event order:
1454 ; 1) Check if the return patch address can be found in the lookup table
1455 ; 2) Query return patch address from the hypervisor
1456
1457 ; 1) Check if the return patch address can be found in the lookup table
1458 mov edx, dword [esp+12+16] ; pushed target address
1459
1460 xor eax, eax ; default result -> nothing found
1461 mov edi, dword [esp+12+4] ; jump table
1462 mov ecx, [ss:edi + PATCHJUMPTABLE.cAddresses]
1463 cmp ecx, 0
1464 je near PATMIretFunction_AskHypervisor
1465
1466PATMIretFunction_SearchStart:
1467 cmp [ss:edi + PATCHJUMPTABLE.Slot_pInstrGC + eax*8], edx ; edx = GC address to search for
1468 je near PATMIretFunction_SearchHit
1469 inc eax
1470 cmp eax, ecx
1471 jl near PATMIretFunction_SearchStart
1472
1473PATMIretFunction_AskHypervisor:
1474 ; 2) Query return patch address from the hypervisor
1475 ; @todo private ugly interface, since we have nothing generic at the moment
1476 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOOKUP_ADDRESS
1477 mov eax, PATM_ACTION_LOOKUP_ADDRESS
1478 mov ecx, PATM_ACTION_MAGIC
1479 mov edi, dword [esp+12+4] ; jump table address
1480 mov edx, dword [esp+12+16] ; original return address
1481 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1482 jmp near PATMIretFunction_SearchEnd
1483
1484PATMIretFunction_SearchHit:
1485 mov eax, [ss:edi + PATCHJUMPTABLE.Slot_pRelPatchGC + eax*8] ; found a match!
1486 ;@note can be zero, so the next check is required!!
1487
1488PATMIretFunction_SearchEnd:
1489 cmp eax, 0
1490 jz PATMIretFunction_Failure
1491
1492 add eax, PATM_PATCHBASE
1493
1494 pop edi
1495 pop edx
1496 pop ecx
1497 ret
1498
1499PATMIretFunction_Failure:
1500 ;signal error
1501 xor eax, eax
1502 pop edi
1503 pop edx
1504 pop ecx
1505 ret
1506
1507PATMIretFunction_End:
1508ENDPROC PATMIretFunction
1509
1510GLOBALNAME PATMIretFunctionRecord
1511 RTCCPTR_DEF PATMIretFunction_Start
1512 DD 0
1513 DD 0
1514 DD 0
1515 DD PATMIretFunction_End - PATMIretFunction_Start
1516 DD 2
1517 DD PATM_PENDINGACTION
1518 DD 0
1519 DD PATM_PATCHBASE
1520 DD 0
1521 DD 0ffffffffh
1522
1523
1524align 32 ; yasm / nasm diff - remove me!
1525BEGINPROC PATMCpuidReplacement
1526PATMCpuidStart:
1527 mov dword [ss:PATM_INTERRUPTFLAG], 0
1528 pushf
1529
1530 cmp eax, PATM_CPUID_STD_MAX
1531 jb cpuid_std
1532 cmp eax, 0x80000000
1533 jb cpuid_def
1534 cmp eax, PATM_CPUID_EXT_MAX
1535 jb cpuid_ext
1536 cmp eax, 0xc0000000
1537 jb cpuid_def
1538 cmp eax, PATM_CPUID_CENTAUR_MAX
1539 jb cpuid_centaur
1540
1541cpuid_def:
1542 mov eax, PATM_CPUID_DEF_PTR
1543 jmp cpuid_fetch
1544
1545cpuid_std:
1546 mov edx, PATM_CPUID_STD_PTR
1547 jmp cpuid_calc
1548
1549cpuid_ext:
1550 and eax, 0ffh ; strictly speaking not necessary.
1551 mov edx, PATM_CPUID_EXT_PTR
1552 jmp cpuid_calc
1553
1554cpuid_centaur:
1555 and eax, 0ffh ; strictly speaking not necessary.
1556 mov edx, PATM_CPUID_CENTAUR_PTR
1557
1558cpuid_calc:
1559 lea eax, [ss:eax * 4] ; 4 entries...
1560 lea eax, [ss:eax * 4] ; 4 bytes each
1561 add eax, edx
1562
1563cpuid_fetch:
1564 mov edx, [ss:eax + 12] ; CPUMCPUID layout assumptions!
1565 mov ecx, [ss:eax + 8]
1566 mov ebx, [ss:eax + 4]
1567 mov eax, [ss:eax]
1568
1569 popf
1570 mov dword [ss:PATM_INTERRUPTFLAG], 1
1571
1572PATMCpuidEnd:
1573ENDPROC PATMCpuidReplacement
1574
1575; Patch record for 'cpuid'
1576GLOBALNAME PATMCpuidRecord
1577 RTCCPTR_DEF PATMCpuidStart
1578 DD 0
1579 DD 0
1580 DD 0
1581 DD PATMCpuidEnd- PATMCpuidStart
1582 DD 9
1583 DD PATM_INTERRUPTFLAG
1584 DD 0
1585 DD PATM_CPUID_STD_MAX
1586 DD 0
1587 DD PATM_CPUID_EXT_MAX
1588 DD 0
1589 DD PATM_CPUID_CENTAUR_MAX
1590 DD 0
1591 DD PATM_CPUID_DEF_PTR
1592 DD 0
1593 DD PATM_CPUID_STD_PTR
1594 DD 0
1595 DD PATM_CPUID_EXT_PTR
1596 DD 0
1597 DD PATM_CPUID_CENTAUR_PTR
1598 DD 0
1599 DD PATM_INTERRUPTFLAG
1600 DD 0
1601 DD 0ffffffffh
1602
1603
1604BEGINPROC PATMJEcxReplacement
1605PATMJEcxStart:
1606 mov dword [ss:PATM_INTERRUPTFLAG], 0
1607 pushfd
1608PATMJEcxSizeOverride:
1609 DB 0x90 ; nop
1610 cmp ecx, dword 0 ; yasm / nasm dword
1611 jnz PATMJEcxContinue
1612
1613 popfd
1614 mov dword [ss:PATM_INTERRUPTFLAG], 1
1615 DB 0xE9
1616PATMJEcxJump:
1617 DD PATM_JUMPDELTA
1618
1619PATMJEcxContinue:
1620 popfd
1621 mov dword [ss:PATM_INTERRUPTFLAG], 1
1622PATMJEcxEnd:
1623ENDPROC PATMJEcxReplacement
1624
1625; Patch record for 'JEcx'
1626GLOBALNAME PATMJEcxRecord
1627 RTCCPTR_DEF PATMJEcxStart
1628 DD 0
1629 DD PATMJEcxJump - PATMJEcxStart
1630 DD PATMJEcxSizeOverride - PATMJEcxStart
1631 DD PATMJEcxEnd- PATMJEcxStart
1632 DD 3
1633 DD PATM_INTERRUPTFLAG
1634 DD 0
1635 DD PATM_INTERRUPTFLAG
1636 DD 0
1637 DD PATM_INTERRUPTFLAG
1638 DD 0
1639 DD 0ffffffffh
1640
1641align 32; yasm / nasm diffing. remove me!
1642BEGINPROC PATMLoopReplacement
1643PATMLoopStart:
1644 mov dword [ss:PATM_INTERRUPTFLAG], 0
1645 pushfd
1646PATMLoopSizeOverride:
1647 DB 0x90 ; nop
1648 dec ecx
1649 jz PATMLoopContinue
1650
1651 popfd
1652 mov dword [ss:PATM_INTERRUPTFLAG], 1
1653 DB 0xE9
1654PATMLoopJump:
1655 DD PATM_JUMPDELTA
1656
1657PATMLoopContinue:
1658 popfd
1659 mov dword [ss:PATM_INTERRUPTFLAG], 1
1660PATMLoopEnd:
1661ENDPROC PATMLoopReplacement
1662
1663; Patch record for 'Loop'
1664GLOBALNAME PATMLoopRecord
1665 RTCCPTR_DEF PATMLoopStart
1666 DD 0
1667 DD PATMLoopJump - PATMLoopStart
1668 DD PATMLoopSizeOverride - PATMLoopStart
1669 DD PATMLoopEnd- PATMLoopStart
1670 DD 3
1671 DD PATM_INTERRUPTFLAG
1672 DD 0
1673 DD PATM_INTERRUPTFLAG
1674 DD 0
1675 DD PATM_INTERRUPTFLAG
1676 DD 0
1677 DD 0ffffffffh
1678
1679BEGINPROC PATMLoopZReplacement
1680PATMLoopZStart:
1681 ; jump if ZF=1 AND (E)CX != 0
1682
1683 mov dword [ss:PATM_INTERRUPTFLAG], 0
1684 jnz PATMLoopZEnd
1685 pushfd
1686PATMLoopZSizeOverride:
1687 DB 0x90 ; nop
1688 dec ecx
1689 jz PATMLoopZContinue
1690
1691 popfd
1692 mov dword [ss:PATM_INTERRUPTFLAG], 1
1693 DB 0xE9
1694PATMLoopZJump:
1695 DD PATM_JUMPDELTA
1696
1697PATMLoopZContinue:
1698 popfd
1699 mov dword [ss:PATM_INTERRUPTFLAG], 1
1700PATMLoopZEnd:
1701ENDPROC PATMLoopZReplacement
1702
1703; Patch record for 'Loopz'
1704GLOBALNAME PATMLoopZRecord
1705 RTCCPTR_DEF PATMLoopZStart
1706 DD 0
1707 DD PATMLoopZJump - PATMLoopZStart
1708 DD PATMLoopZSizeOverride - PATMLoopZStart
1709 DD PATMLoopZEnd- PATMLoopZStart
1710 DD 3
1711 DD PATM_INTERRUPTFLAG
1712 DD 0
1713 DD PATM_INTERRUPTFLAG
1714 DD 0
1715 DD PATM_INTERRUPTFLAG
1716 DD 0
1717 DD 0ffffffffh
1718
1719
1720BEGINPROC PATMLoopNZReplacement
1721PATMLoopNZStart:
1722 ; jump if ZF=0 AND (E)CX != 0
1723
1724 mov dword [ss:PATM_INTERRUPTFLAG], 0
1725 jz PATMLoopNZEnd
1726 pushfd
1727PATMLoopNZSizeOverride:
1728 DB 0x90 ; nop
1729 dec ecx
1730 jz PATMLoopNZContinue
1731
1732 popfd
1733 mov dword [ss:PATM_INTERRUPTFLAG], 1
1734 DB 0xE9
1735PATMLoopNZJump:
1736 DD PATM_JUMPDELTA
1737
1738PATMLoopNZContinue:
1739 popfd
1740 mov dword [ss:PATM_INTERRUPTFLAG], 1
1741PATMLoopNZEnd:
1742ENDPROC PATMLoopNZReplacement
1743
1744; Patch record for 'LoopNZ'
1745GLOBALNAME PATMLoopNZRecord
1746 RTCCPTR_DEF PATMLoopNZStart
1747 DD 0
1748 DD PATMLoopNZJump - PATMLoopNZStart
1749 DD PATMLoopNZSizeOverride - PATMLoopNZStart
1750 DD PATMLoopNZEnd- PATMLoopNZStart
1751 DD 3
1752 DD PATM_INTERRUPTFLAG
1753 DD 0
1754 DD PATM_INTERRUPTFLAG
1755 DD 0
1756 DD PATM_INTERRUPTFLAG
1757 DD 0
1758 DD 0ffffffffh
1759
1760align 32
1761; Global patch function for indirect calls
1762; Caller is responsible for clearing PATM_INTERRUPTFLAG and doing:
1763; + 20 push [pTargetGC]
1764; + 16 pushfd
1765; + 12 push [JumpTableAddress]
1766; + 8 push [PATMRelReturnAddress]
1767; + 4 push [GuestReturnAddress]
1768;( + 0 return address )
1769;
1770; @note NEVER change this without bumping the SSM version
1771BEGINPROC PATMLookupAndCall
1772PATMLookupAndCallStart:
1773 push eax
1774 push edx
1775 push edi
1776 push ecx
1777
1778 mov eax, dword [esp+16+4] ; guest return address
1779 mov dword [ss:PATM_CALL_RETURN_ADDR], eax ; temporary storage
1780
1781 mov edx, dword [esp+16+20] ; pushed target address
1782
1783 xor eax, eax ; default result -> nothing found
1784 mov edi, dword [esp+16+12] ; jump table
1785 mov ecx, [ss:edi + PATCHJUMPTABLE.cAddresses]
1786 cmp ecx, 0
1787 je near PATMLookupAndCall_QueryPATM
1788
1789PATMLookupAndCall_SearchStart:
1790 cmp [ss:edi + PATCHJUMPTABLE.Slot_pInstrGC + eax*8], edx ; edx = GC address to search for
1791 je near PATMLookupAndCall_SearchHit
1792 inc eax
1793 cmp eax, ecx
1794 jl near PATMLookupAndCall_SearchStart
1795
1796PATMLookupAndCall_QueryPATM:
1797 ; nothing found -> let our trap handler try to find it
1798 ; @todo private ugly interface, since we have nothing generic at the moment
1799 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOOKUP_ADDRESS
1800 mov eax, PATM_ACTION_LOOKUP_ADDRESS
1801 mov ecx, PATM_ACTION_MAGIC
1802 ; edx = GC address to find
1803 ; edi = jump table address
1804 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1805
1806 jmp near PATMLookupAndCall_SearchEnd
1807
1808PATMLookupAndCall_Failure:
1809 ; return to caller; it must raise an error, due to patch to guest address translation (remember that there's only one copy of this code block).
1810 pop ecx
1811 pop edi
1812 pop edx
1813 pop eax
1814 ret
1815
1816PATMLookupAndCall_SearchHit:
1817 mov eax, [ss:edi + PATCHJUMPTABLE.Slot_pRelPatchGC + eax*8] ; found a match!
1818
1819 ;@note can be zero, so the next check is required!!
1820
1821PATMLookupAndCall_SearchEnd:
1822 cmp eax, 0
1823 je near PATMLookupAndCall_Failure
1824
1825 mov ecx, eax ; ECX = target address (relative!)
1826 add ecx, PATM_PATCHBASE ; Make it absolute
1827
1828 mov edx, dword PATM_STACKPTR
1829 cmp dword [ss:edx], PATM_STACK_SIZE
1830 ja near PATMLookupAndCall_Failure ; should never happen actually!!!
1831 cmp dword [ss:edx], 0
1832 je near PATMLookupAndCall_Failure ; no more room
1833
1834 ; save the patch return address on our private stack
1835 sub dword [ss:edx], 4 ; sizeof(RTGCPTR)
1836 mov eax, dword PATM_STACKBASE
1837 add eax, dword [ss:edx] ; stack base + stack position
1838 mov edi, dword [esp+16+8] ; PATM return address
1839 mov dword [ss:eax], edi ; relative address of patch return (instruction following this block)
1840
1841 ; save the original return address as well (checked by ret to make sure the guest hasn't messed around with the stack)
1842 mov edi, dword PATM_STACKBASE_GUEST
1843 add edi, dword [ss:edx] ; stack base (guest) + stack position
1844 mov eax, dword [esp+16+4] ; guest return address
1845 mov dword [ss:edi], eax
1846
1847 mov dword [ss:PATM_CALL_PATCH_TARGET_ADDR], ecx ; temporarily store the target address
1848 pop ecx
1849 pop edi
1850 pop edx
1851 pop eax
1852 add esp, 24 ; parameters + return address pushed by caller (changes the flags, but that shouldn't matter)
1853
1854%ifdef PATM_LOG_PATCHINSTR
1855 push eax
1856 push ecx
1857 push edx
1858 lea edx, [esp + 12 - 4] ; stack address to store return address
1859 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOG_CALL
1860 mov eax, PATM_ACTION_LOG_CALL
1861 mov ecx, PATM_ACTION_MAGIC
1862 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1863 pop edx
1864 pop ecx
1865 pop eax
1866%endif
1867
1868 push dword [ss:PATM_CALL_RETURN_ADDR] ; push original guest return address
1869
1870 ; the called function will set PATM_INTERRUPTFLAG (!!)
1871 jmp dword [ss:PATM_CALL_PATCH_TARGET_ADDR]
1872
1873PATMLookupAndCallEnd:
1874; returning here -> do not add code here or after the jmp!!!!!
1875ENDPROC PATMLookupAndCall
1876
1877; Patch record for indirect calls and jumps
1878GLOBALNAME PATMLookupAndCallRecord
1879 RTCCPTR_DEF PATMLookupAndCallStart
1880 DD 0
1881 DD 0
1882 DD 0
1883 DD PATMLookupAndCallEnd - PATMLookupAndCallStart
1884%ifdef PATM_LOG_PATCHINSTR
1885 DD 10
1886%else
1887 DD 9
1888%endif
1889 DD PATM_CALL_RETURN_ADDR
1890 DD 0
1891 DD PATM_PENDINGACTION
1892 DD 0
1893 DD PATM_PATCHBASE
1894 DD 0
1895 DD PATM_STACKPTR
1896 DD 0
1897 DD PATM_STACKBASE
1898 DD 0
1899 DD PATM_STACKBASE_GUEST
1900 DD 0
1901 DD PATM_CALL_PATCH_TARGET_ADDR
1902 DD 0
1903%ifdef PATM_LOG_PATCHINSTR
1904 DD PATM_PENDINGACTION
1905 DD 0
1906%endif
1907 DD PATM_CALL_RETURN_ADDR
1908 DD 0
1909 DD PATM_CALL_PATCH_TARGET_ADDR
1910 DD 0
1911 DD 0ffffffffh
1912
1913
1914align 32
1915; Global patch function for indirect jumps
1916; Caller is responsible for clearing PATM_INTERRUPTFLAG and doing:
1917; + 8 push [pTargetGC]
1918; + 4 push [JumpTableAddress]
1919;( + 0 return address )
1920; And saving eflags in PATM_TEMP_EFLAGS
1921;
1922; @note NEVER change this without bumping the SSM version
1923BEGINPROC PATMLookupAndJump
1924PATMLookupAndJumpStart:
1925 push eax
1926 push edx
1927 push edi
1928 push ecx
1929
1930 mov edx, dword [esp+16+8] ; pushed target address
1931
1932 xor eax, eax ; default result -> nothing found
1933 mov edi, dword [esp+16+4] ; jump table
1934 mov ecx, [ss:edi + PATCHJUMPTABLE.cAddresses]
1935 cmp ecx, 0
1936 je near PATMLookupAndJump_QueryPATM
1937
1938PATMLookupAndJump_SearchStart:
1939 cmp [ss:edi + PATCHJUMPTABLE.Slot_pInstrGC + eax*8], edx ; edx = GC address to search for
1940 je near PATMLookupAndJump_SearchHit
1941 inc eax
1942 cmp eax, ecx
1943 jl near PATMLookupAndJump_SearchStart
1944
1945PATMLookupAndJump_QueryPATM:
1946 ; nothing found -> let our trap handler try to find it
1947 ; @todo private ugly interface, since we have nothing generic at the moment
1948 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOOKUP_ADDRESS
1949 mov eax, PATM_ACTION_LOOKUP_ADDRESS
1950 mov ecx, PATM_ACTION_MAGIC
1951 ; edx = GC address to find
1952 ; edi = jump table address
1953 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
1954
1955 jmp near PATMLookupAndJump_SearchEnd
1956
1957PATMLookupAndJump_Failure:
1958 ; return to caller; it must raise an error, due to patch to guest address translation (remember that there's only one copy of this code block).
1959 pop ecx
1960 pop edi
1961 pop edx
1962 pop eax
1963 ret
1964
1965PATMLookupAndJump_SearchHit:
1966 mov eax, [ss:edi + PATCHJUMPTABLE.Slot_pRelPatchGC + eax*8] ; found a match!
1967
1968 ;@note can be zero, so the next check is required!!
1969
1970PATMLookupAndJump_SearchEnd:
1971 cmp eax, 0
1972 je near PATMLookupAndJump_Failure
1973
1974 mov ecx, eax ; ECX = target address (relative!)
1975 add ecx, PATM_PATCHBASE ; Make it absolute
1976
1977 ; save jump patch target
1978 mov dword [ss:PATM_TEMP_EAX], ecx
1979 pop ecx
1980 pop edi
1981 pop edx
1982 pop eax
1983 add esp, 12 ; parameters + return address pushed by caller
1984 ; restore flags (just to be sure)
1985 push dword [ss:PATM_TEMP_EFLAGS]
1986 popfd
1987
1988 ; the jump destination will set PATM_INTERRUPTFLAG (!!)
1989 jmp dword [ss:PATM_TEMP_EAX] ; call duplicated patch destination address
1990
1991PATMLookupAndJumpEnd:
1992ENDPROC PATMLookupAndJump
1993
1994; Patch record for indirect calls and jumps
1995GLOBALNAME PATMLookupAndJumpRecord
1996 RTCCPTR_DEF PATMLookupAndJumpStart
1997 DD 0
1998 DD 0
1999 DD 0
2000 DD PATMLookupAndJumpEnd - PATMLookupAndJumpStart
2001 DD 5
2002 DD PATM_PENDINGACTION
2003 DD 0
2004 DD PATM_PATCHBASE
2005 DD 0
2006 DD PATM_TEMP_EAX
2007 DD 0
2008 DD PATM_TEMP_EFLAGS
2009 DD 0
2010 DD PATM_TEMP_EAX
2011 DD 0
2012 DD 0ffffffffh
2013
2014
2015
2016
2017align 32
2018; Patch function for static calls
2019; @note static calls have only one lookup slot!
2020; Caller is responsible for clearing PATM_INTERRUPTFLAG and adding:
2021; push [pTargetGC]
2022;
2023BEGINPROC PATMCall
2024PATMCallStart:
2025 pushfd
2026 push PATM_FIXUP ; fixup for jump table below
2027 push PATM_PATCHNEXTBLOCK
2028 push PATM_RETURNADDR
2029 DB 0E8h ; call
2030 DD PATM_LOOKUP_AND_CALL_FUNCTION
2031 ; we only return in case of a failure
2032 add esp, 12 ; pushed address of jump table
2033 popfd
2034 add esp, 4 ; pushed by caller (changes the flags, but that shouldn't matter (@todo))
2035 mov dword [ss:PATM_INTERRUPTFLAG], 1
2036 PATM_INT3
2037%ifdef DEBUG
2038 ; for disassembly
2039 jmp PATMCallEnd
2040%endif
2041
2042align 4
2043PATMCallTable:
2044 DW 1 ; nrSlots
2045 DW 0 ; ulInsertPos
2046 DD 0 ; cAddresses
2047 TIMES PATCHDIRECTJUMPTABLE_SIZE DB 0 ; only one lookup slot
2048
2049PATMCallEnd:
2050; returning here -> do not add code here or after the jmp!!!!!
2051ENDPROC PATMCall
2052
2053; Patch record for direct calls
2054GLOBALNAME PATMCallRecord
2055 RTCCPTR_DEF PATMCallStart
2056 DD 0
2057 DD 0
2058 DD 0
2059 DD PATMCallEnd - PATMCallStart
2060 DD 5
2061 DD PATM_FIXUP
2062 DD PATMCallTable - PATMCallStart
2063 DD PATM_PATCHNEXTBLOCK
2064 DD 0
2065 DD PATM_RETURNADDR
2066 DD 0
2067 DD PATM_LOOKUP_AND_CALL_FUNCTION
2068 DD 0
2069 DD PATM_INTERRUPTFLAG
2070 DD 0
2071 DD 0ffffffffh
2072
2073
2074align 32
2075; Patch function for indirect calls
2076; Caller is responsible for clearing PATM_INTERRUPTFLAG and adding:
2077; push [pTargetGC]
2078;
2079BEGINPROC PATMCallIndirect
2080PATMCallIndirectStart:
2081 pushfd
2082 push PATM_FIXUP ; fixup for jump table below
2083 push PATM_PATCHNEXTBLOCK
2084 push PATM_RETURNADDR
2085 DB 0E8h ; call
2086 DD PATM_LOOKUP_AND_CALL_FUNCTION
2087 ; we only return in case of a failure
2088 add esp, 12 ; pushed address of jump table
2089 popfd
2090 add esp, 4 ; pushed by caller (changes the flags, but that shouldn't matter (@todo))
2091 mov dword [ss:PATM_INTERRUPTFLAG], 1
2092 PATM_INT3
2093%ifdef DEBUG
2094 ; for disassembly
2095 jmp PATMCallIndirectEnd
2096%endif
2097
2098align 4
2099PATMCallIndirectTable:
2100 DW PATM_MAX_JUMPTABLE_ENTRIES ; nrSlots
2101 DW 0 ; ulInsertPos
2102 DD 0 ; cAddresses
2103 TIMES PATCHJUMPTABLE_SIZE DB 0 ; lookup slots
2104
2105PATMCallIndirectEnd:
2106; returning here -> do not add code here or after the jmp!!!!!
2107ENDPROC PATMCallIndirect
2108
2109; Patch record for indirect calls
2110GLOBALNAME PATMCallIndirectRecord
2111 RTCCPTR_DEF PATMCallIndirectStart
2112 DD 0
2113 DD 0
2114 DD 0
2115 DD PATMCallIndirectEnd - PATMCallIndirectStart
2116 DD 5
2117 DD PATM_FIXUP
2118 DD PATMCallIndirectTable - PATMCallIndirectStart
2119 DD PATM_PATCHNEXTBLOCK
2120 DD 0
2121 DD PATM_RETURNADDR
2122 DD 0
2123 DD PATM_LOOKUP_AND_CALL_FUNCTION
2124 DD 0
2125 DD PATM_INTERRUPTFLAG
2126 DD 0
2127 DD 0ffffffffh
2128
2129
2130align 32
2131; Patch function for indirect jumps
2132; Caller is responsible for clearing PATM_INTERRUPTFLAG and adding:
2133; push [pTargetGC]
2134;
2135BEGINPROC PATMJumpIndirect
2136PATMJumpIndirectStart:
2137 ; save flags (just to be sure)
2138 pushfd
2139 pop dword [ss:PATM_TEMP_EFLAGS]
2140
2141 push PATM_FIXUP ; fixup for jump table below
2142 DB 0E8h ; call
2143 DD PATM_LOOKUP_AND_JUMP_FUNCTION
2144 ; we only return in case of a failure
2145 add esp, 8 ; pushed address of jump table + pushed target address
2146
2147 ; restore flags (just to be sure)
2148 push dword [ss:PATM_TEMP_EFLAGS]
2149 popfd
2150
2151 mov dword [ss:PATM_INTERRUPTFLAG], 1
2152 PATM_INT3
2153
2154%ifdef DEBUG
2155 ; for disassembly
2156 jmp PATMJumpIndirectEnd
2157%endif
2158
2159align 4
2160PATMJumpIndirectTable:
2161 DW PATM_MAX_JUMPTABLE_ENTRIES ; nrSlots
2162 DW 0 ; ulInsertPos
2163 DD 0 ; cAddresses
2164 TIMES PATCHJUMPTABLE_SIZE DB 0 ; lookup slots
2165
2166PATMJumpIndirectEnd:
2167; returning here -> do not add code here or after the jmp!!!!!
2168ENDPROC PATMJumpIndirect
2169
2170; Patch record for indirect jumps
2171GLOBALNAME PATMJumpIndirectRecord
2172 RTCCPTR_DEF PATMJumpIndirectStart
2173 DD 0
2174 DD 0
2175 DD 0
2176 DD PATMJumpIndirectEnd - PATMJumpIndirectStart
2177 DD 5
2178 DD PATM_TEMP_EFLAGS
2179 DD 0
2180 DD PATM_FIXUP
2181 DD PATMJumpIndirectTable - PATMJumpIndirectStart
2182 DD PATM_LOOKUP_AND_JUMP_FUNCTION
2183 DD 0
2184 DD PATM_TEMP_EFLAGS
2185 DD 0
2186 DD PATM_INTERRUPTFLAG
2187 DD 0
2188 DD 0ffffffffh
2189
2190;
2191; return from duplicated function
2192;
2193align 32
2194BEGINPROC PATMRet
2195PATMRet_Start:
2196 ; probe stack here as we can't recover from page faults later on
2197 not dword [esp-32]
2198 not dword [esp-32]
2199 mov dword [ss:PATM_INTERRUPTFLAG], 0
2200 pushfd
2201 push eax
2202 push PATM_FIXUP
2203 DB 0E8h ; call
2204 DD PATM_RETURN_FUNCTION
2205 add esp, 4 ; pushed address of jump table
2206
2207 cmp eax, 0
2208 jne near PATMRet_Success
2209
2210 pop eax
2211 popfd
2212 mov dword [ss:PATM_INTERRUPTFLAG], 1
2213 PATM_INT3
2214
2215%ifdef DEBUG
2216 ; for disassembly
2217 jmp PATMRet_Success
2218%endif
2219align 4
2220PATMRetTable:
2221 DW PATM_MAX_JUMPTABLE_ENTRIES ; nrSlots
2222 DW 0 ; ulInsertPos
2223 DD 0 ; cAddresses
2224 TIMES PATCHJUMPTABLE_SIZE DB 0 ; lookup slots
2225
2226PATMRet_Success:
2227 mov dword [esp+8], eax ; overwrite the saved return address
2228 pop eax
2229 popf
2230 ; caller will duplicate the ret or ret n instruction
2231 ; the patched call will set PATM_INTERRUPTFLAG after the return!
2232PATMRet_End:
2233ENDPROC PATMRet
2234
2235GLOBALNAME PATMRetRecord
2236 RTCCPTR_DEF PATMRet_Start
2237 DD 0
2238 DD 0
2239 DD 0
2240 DD PATMRet_End - PATMRet_Start
2241 DD 4
2242 DD PATM_INTERRUPTFLAG
2243 DD 0
2244 DD PATM_FIXUP
2245 DD PATMRetTable - PATMRet_Start
2246 DD PATM_RETURN_FUNCTION
2247 DD 0
2248 DD PATM_INTERRUPTFLAG
2249 DD 0
2250 DD 0ffffffffh
2251
2252;
2253; global function for implementing 'retn'
2254;
2255; Caller is responsible for right stack layout
2256; + 16 original return address
2257; + 12 eflags
2258; + 8 eax
2259; + 4 Jump table address
2260;( + 0 return address )
2261;
2262; @note assumes PATM_INTERRUPTFLAG is zero
2263; @note assumes it can trash eax and eflags
2264;
2265; @returns eax=0 on failure
2266; otherwise return address in eax
2267;
2268; @note NEVER change this without bumping the SSM version
2269align 32
2270BEGINPROC PATMRetFunction
2271PATMRetFunction_Start:
2272 push ecx
2273 push edx
2274 push edi
2275
2276 ; Event order:
2277 ; (@todo figure out which path is taken most often (1 or 2))
2278 ; 1) Check if the return patch address was pushed onto the PATM stack
2279 ; 2) Check if the return patch address can be found in the lookup table
2280 ; 3) Query return patch address from the hypervisor
2281
2282
2283 ; 1) Check if the return patch address was pushed on the PATM stack
2284 cmp dword [ss:PATM_STACKPTR], PATM_STACK_SIZE
2285 jae near PATMRetFunction_FindReturnAddress
2286
2287 mov edx, dword PATM_STACKPTR
2288
2289 ; check if the return address is what we expect it to be
2290 mov eax, dword PATM_STACKBASE_GUEST
2291 add eax, dword [ss:edx] ; stack base + stack position
2292 mov eax, dword [ss:eax] ; original return address
2293 cmp eax, dword [esp+12+16] ; pushed return address
2294
2295 ; the return address was changed -> let our trap handler try to find it
2296 ; (can happen when the guest messes with the stack (seen it) or when we didn't call this function ourselves)
2297 jne near PATMRetFunction_FindReturnAddress
2298
2299 ; found it, convert relative to absolute patch address and return the result to the caller
2300 mov eax, dword PATM_STACKBASE
2301 add eax, dword [ss:edx] ; stack base + stack position
2302 mov eax, dword [ss:eax] ; relative patm return address
2303 add eax, PATM_PATCHBASE
2304
2305%ifdef PATM_LOG_PATCHINSTR
2306 push eax
2307 push ebx
2308 push ecx
2309 push edx
2310 mov edx, eax ; return address
2311 lea ebx, [esp+16+12+16] ; stack address containing the return address
2312 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOG_RET
2313 mov eax, PATM_ACTION_LOG_RET
2314 mov ecx, PATM_ACTION_MAGIC
2315 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
2316 pop edx
2317 pop ecx
2318 pop ebx
2319 pop eax
2320%endif
2321
2322 add dword [ss:edx], 4 ; pop return address from the PATM stack (sizeof(RTGCPTR); @note hardcoded assumption!)
2323
2324 pop edi
2325 pop edx
2326 pop ecx
2327 ret
2328
2329PATMRetFunction_FindReturnAddress:
2330 ; 2) Check if the return patch address can be found in the lookup table
2331 mov edx, dword [esp+12+16] ; pushed target address
2332
2333 xor eax, eax ; default result -> nothing found
2334 mov edi, dword [esp+12+4] ; jump table
2335 mov ecx, [ss:edi + PATCHJUMPTABLE.cAddresses]
2336 cmp ecx, 0
2337 je near PATMRetFunction_AskHypervisor
2338
2339PATMRetFunction_SearchStart:
2340 cmp [ss:edi + PATCHJUMPTABLE.Slot_pInstrGC + eax*8], edx ; edx = GC address to search for
2341 je near PATMRetFunction_SearchHit
2342 inc eax
2343 cmp eax, ecx
2344 jl near PATMRetFunction_SearchStart
2345
2346PATMRetFunction_AskHypervisor:
2347 ; 3) Query return patch address from the hypervisor
2348 ; @todo private ugly interface, since we have nothing generic at the moment
2349 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOOKUP_ADDRESS
2350 mov eax, PATM_ACTION_LOOKUP_ADDRESS
2351 mov ecx, PATM_ACTION_MAGIC
2352 mov edi, dword [esp+12+4] ; jump table address
2353 mov edx, dword [esp+12+16] ; original return address
2354 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
2355 jmp near PATMRetFunction_SearchEnd
2356
2357PATMRetFunction_SearchHit:
2358 mov eax, [ss:edi + PATCHJUMPTABLE.Slot_pRelPatchGC + eax*8] ; found a match!
2359 ;@note can be zero, so the next check is required!!
2360
2361PATMRetFunction_SearchEnd:
2362 cmp eax, 0
2363 jz PATMRetFunction_Failure
2364
2365 add eax, PATM_PATCHBASE
2366
2367%ifdef PATM_LOG_PATCHINSTR
2368 push eax
2369 push ebx
2370 push ecx
2371 push edx
2372 mov edx, eax ; return address
2373 lea ebx, [esp+16+12+16] ; stack address containing the return address
2374 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOG_RET
2375 mov eax, PATM_ACTION_LOG_RET
2376 mov ecx, PATM_ACTION_MAGIC
2377 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
2378 pop edx
2379 pop ecx
2380 pop ebx
2381 pop eax
2382%endif
2383
2384 pop edi
2385 pop edx
2386 pop ecx
2387 ret
2388
2389PATMRetFunction_Failure:
2390 ;signal error
2391 xor eax, eax
2392 pop edi
2393 pop edx
2394 pop ecx
2395 ret
2396
2397PATMRetFunction_End:
2398ENDPROC PATMRetFunction
2399
2400GLOBALNAME PATMRetFunctionRecord
2401 RTCCPTR_DEF PATMRetFunction_Start
2402 DD 0
2403 DD 0
2404 DD 0
2405 DD PATMRetFunction_End - PATMRetFunction_Start
2406%ifdef PATM_LOG_PATCHINSTR
2407 DD 9
2408%else
2409 DD 7
2410%endif
2411 DD PATM_STACKPTR
2412 DD 0
2413 DD PATM_STACKPTR
2414 DD 0
2415 DD PATM_STACKBASE_GUEST
2416 DD 0
2417 DD PATM_STACKBASE
2418 DD 0
2419 DD PATM_PATCHBASE
2420 DD 0
2421%ifdef PATM_LOG_PATCHINSTR
2422 DD PATM_PENDINGACTION
2423 DD 0
2424%endif
2425 DD PATM_PENDINGACTION
2426 DD 0
2427 DD PATM_PATCHBASE
2428 DD 0
2429%ifdef PATM_LOG_PATCHINSTR
2430 DD PATM_PENDINGACTION
2431 DD 0
2432%endif
2433 DD 0ffffffffh
2434
2435
2436;
2437; Jump to original instruction if IF=1
2438;
2439BEGINPROC PATMCheckIF
2440PATMCheckIF_Start:
2441 mov dword [ss:PATM_INTERRUPTFLAG], 0
2442 pushf
2443 test dword [ss:PATM_VMFLAGS], X86_EFL_IF
2444 jnz PATMCheckIF_Safe
2445 nop
2446
2447 ; IF=0 -> unsafe, so we must call the duplicated function (which we don't do here)
2448 popf
2449 mov dword [ss:PATM_INTERRUPTFLAG], 1
2450 jmp PATMCheckIF_End
2451
2452PATMCheckIF_Safe:
2453 ; invalidate the PATM stack as we'll jump back to guest code
2454 mov dword [ss:PATM_STACKPTR], PATM_STACK_SIZE
2455
2456%ifdef PATM_LOG_PATCHINSTR
2457 push eax
2458 push ecx
2459 lock or dword [ss:PATM_PENDINGACTION], PATM_ACTION_LOG_IF1
2460 mov eax, PATM_ACTION_LOG_IF1
2461 mov ecx, PATM_ACTION_MAGIC
2462 db 0fh, 0bh ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
2463 pop ecx
2464 pop eax
2465%endif
2466 popf
2467 mov dword [ss:PATM_INTERRUPTFLAG], 1
2468 ; IF=1 -> we can safely jump back to the original instruction
2469 DB 0xE9
2470PATMCheckIF_Jump:
2471 DD PATM_JUMPDELTA
2472PATMCheckIF_End:
2473ENDPROC PATMCheckIF
2474
2475; Patch record for call instructions
2476GLOBALNAME PATMCheckIFRecord
2477 RTCCPTR_DEF PATMCheckIF_Start
2478 DD PATMCheckIF_Jump - PATMCheckIF_Start
2479 DD 0
2480 DD 0
2481 DD PATMCheckIF_End - PATMCheckIF_Start
2482%ifdef PATM_LOG_PATCHINSTR
2483 DD 6
2484%else
2485 DD 5
2486%endif
2487 DD PATM_INTERRUPTFLAG
2488 DD 0
2489 DD PATM_VMFLAGS
2490 DD 0
2491 DD PATM_INTERRUPTFLAG
2492 DD 0
2493 DD PATM_STACKPTR
2494 DD 0
2495%ifdef PATM_LOG_PATCHINSTR
2496 DD PATM_PENDINGACTION
2497 DD 0
2498%endif
2499 DD PATM_INTERRUPTFLAG
2500 DD 0
2501 DD 0ffffffffh
2502
2503;
2504; Jump back to guest if IF=1, else fault
2505;
2506BEGINPROC PATMJumpToGuest_IF1
2507PATMJumpToGuest_IF1_Start:
2508 mov dword [ss:PATM_INTERRUPTFLAG], 0
2509 pushf
2510 test dword [ss:PATM_VMFLAGS], X86_EFL_IF
2511 jnz PATMJumpToGuest_IF1_Safe
2512 nop
2513
2514 ; IF=0 -> unsafe, so fault
2515 popf
2516 mov dword [ss:PATM_INTERRUPTFLAG], 1
2517 PATM_INT3
2518
2519PATMJumpToGuest_IF1_Safe:
2520 ; IF=1 -> we can safely jump back to the original instruction
2521 popf
2522 mov dword [ss:PATM_INTERRUPTFLAG], 1
2523 DB 0xE9
2524PATMJumpToGuest_IF1_Jump:
2525 DD PATM_JUMPDELTA
2526PATMJumpToGuest_IF1_End:
2527ENDPROC PATMJumpToGuest_IF1
2528
2529; Patch record for call instructions
2530GLOBALNAME PATMJumpToGuest_IF1Record
2531 RTCCPTR_DEF PATMJumpToGuest_IF1_Start
2532 DD PATMJumpToGuest_IF1_Jump - PATMJumpToGuest_IF1_Start
2533 DD 0
2534 DD 0
2535 DD PATMJumpToGuest_IF1_End - PATMJumpToGuest_IF1_Start
2536 DD 4
2537 DD PATM_INTERRUPTFLAG
2538 DD 0
2539 DD PATM_VMFLAGS
2540 DD 0
2541 DD PATM_INTERRUPTFLAG
2542 DD 0
2543 DD PATM_INTERRUPTFLAG
2544 DD 0
2545 DD 0ffffffffh
2546
2547
2548; check and correct RPL of pushed ss
2549BEGINPROC PATMMovFromSS
2550PATMMovFromSS_Start:
2551 push eax
2552 pushfd
2553 mov ax, ss
2554 and ax, 3
2555 cmp ax, 1
2556 jne near PATMMovFromSS_Continue
2557
2558 and dword [esp+8], ~3 ; clear RPL 1
2559PATMMovFromSS_Continue:
2560 popfd
2561 pop eax
2562PATMMovFromSS_Start_End:
2563ENDPROC PATMMovFromSS
2564
2565GLOBALNAME PATMMovFromSSRecord
2566 RTCCPTR_DEF PATMMovFromSS_Start
2567 DD 0
2568 DD 0
2569 DD 0
2570 DD PATMMovFromSS_Start_End - PATMMovFromSS_Start
2571 DD 0
2572 DD 0ffffffffh
2573
2574
2575
2576
2577; For assertion during init (to make absolutely sure the flags are in sync in vm.mac & vm.h)
2578GLOBALNAME PATMInterruptFlag
2579 DD VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST
2580
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette