Changeset 106893 in vbox for trunk/src/VBox/HostDrivers
- Timestamp:
- Nov 8, 2024 3:54:01 PM (3 months ago)
- svn:sync-xref-src-repo-rev:
- 165814
- Location:
- trunk/src/VBox/HostDrivers/Support
- Files:
-
- 5 edited
trunk/src/VBox/HostDrivers/Support/Makefile.kmk
r106638 r106893 257 257 SUPR3HardenedStatic_SOURCES.win = \ 258 258 win/SUPR3HardenedMain-win.cpp \ 259 win/SUPR3HardenedMainA-win.asm \260 259 win/SUPR3HardenedMainImports-win.cpp \ 261 260 win/SUPHardenedVerifyProcess-win.cpp \ … … 263 262 $(VBOX_SUP_WIN_CERTS_FILE) 264 263 SUPR3HardenedStatic_SOURCES.x86 += \ 264 win/SUPR3HardenedMainA-win.asm \ 265 265 $(VBOX_PATH_RUNTIME_SRC)/common/asm/ASMMemFirstMismatchingU8.asm 266 266 SUPR3HardenedStatic_SOURCES.amd64 += \ 267 win/SUPR3HardenedMainA-win.asm \ 267 268 $(VBOX_PATH_RUNTIME_SRC)/common/asm/ASMMemFirstMismatchingU8.asm 268 269 … … 378 379 $(VBOX_PATH_RUNTIME_SRC)/common/err/errmsg.cpp \ 379 380 $(VBOX_PATH_RUNTIME_SRC)/common/math/bignum.cpp \ 380 $(VBOX_PATH_RUNTIME_SRC)/common/math/bignum-amd64-x86.asm \381 381 $(VBOX_PATH_RUNTIME_SRC)/common/misc/RTAssertMsg1Weak.cpp \ 382 382 $(VBOX_PATH_RUNTIME_SRC)/common/misc/RTAssertMsg2.cpp \ 383 383 $(VBOX_PATH_RUNTIME_SRC)/common/misc/RTAssertMsg2Weak.cpp \ 384 384 $(VBOX_PATH_RUNTIME_SRC)/common/misc/RTAssertMsg2WeakV.cpp \ 385 $(VBOX_PATH_RUNTIME_SRC)/common/misc/zero.asm \386 385 $(VBOX_PATH_RUNTIME_SRC)/common/path/RTPathAbsEx.cpp \ 387 386 $(VBOX_PATH_RUNTIME_SRC)/common/path/RTPathFilename.cpp \ 388 387 $(VBOX_PATH_RUNTIME_SRC)/common/path/RTPathParse.cpp \ 389 388 $(VBOX_PATH_RUNTIME_SRC)/common/path/RTPathParsedReassemble.cpp \ 390 $(VBOX_PATH_RUNTIME_SRC)/common/string/memchr.asm \391 $(VBOX_PATH_RUNTIME_SRC)/common/string/memcmp.asm \392 $(VBOX_PATH_RUNTIME_SRC)/common/string/memcpy.asm \393 $(VBOX_PATH_RUNTIME_SRC)/common/string/memmove.asm \394 $(VBOX_PATH_RUNTIME_SRC)/common/string/mempcpy.asm \395 $(VBOX_PATH_RUNTIME_SRC)/common/string/memset.asm \396 389 $(VBOX_PATH_RUNTIME_SRC)/common/string/strversion.cpp \ 397 390 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrPrintHexBytes.cpp \ … … 399 392 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrCmp.cpp \ 400 393 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrCopy.cpp \ 401 
$(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrEnd.asm \402 394 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrICmpAscii.cpp \ 403 395 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrNCmp.cpp \ … … 405 397 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTUtf16Copy.cpp \ 406 398 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTUtf16NLenEx.cpp \ 407 $(VBOX_PATH_RUNTIME_SRC)/common/string/strchr.asm \408 $(VBOX_PATH_RUNTIME_SRC)/common/string/strcmp.asm \409 $(VBOX_PATH_RUNTIME_SRC)/common/string/strcpy.asm \410 399 $(VBOX_PATH_RUNTIME_SRC)/common/string/strformat.cpp \ 411 400 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrFormat.cpp \ … … 414 403 $(VBOX_PATH_RUNTIME_SRC)/common/string/strformatnum.cpp \ 415 404 $(VBOX_PATH_RUNTIME_SRC)/common/string/stringalloc.cpp \ 416 $(VBOX_PATH_RUNTIME_SRC)/common/string/strlen.asm \417 $(VBOX_PATH_RUNTIME_SRC)/common/string/strncmp.asm \418 $(VBOX_PATH_RUNTIME_SRC)/common/string/strncpy.asm \419 405 $(VBOX_PATH_RUNTIME_SRC)/common/string/strprintf.cpp \ 420 406 $(VBOX_PATH_RUNTIME_SRC)/common/string/strprintf-ellipsis.cpp \ … … 442 428 443 429 SUPR3HardenedStatic_SOURCES.amd64 += \ 430 $(VBOX_PATH_RUNTIME_SRC)/common/string/memchr.asm \ 431 $(VBOX_PATH_RUNTIME_SRC)/common/string/memcmp.asm \ 432 $(VBOX_PATH_RUNTIME_SRC)/common/string/memcpy.asm \ 433 $(VBOX_PATH_RUNTIME_SRC)/common/string/memmove.asm \ 434 $(VBOX_PATH_RUNTIME_SRC)/common/string/mempcpy.asm \ 435 $(VBOX_PATH_RUNTIME_SRC)/common/string/memset.asm \ 436 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrEnd.asm \ 437 $(VBOX_PATH_RUNTIME_SRC)/common/string/strchr.asm \ 438 $(VBOX_PATH_RUNTIME_SRC)/common/string/strcmp.asm \ 439 $(VBOX_PATH_RUNTIME_SRC)/common/string/strcpy.asm \ 440 $(VBOX_PATH_RUNTIME_SRC)/common/string/strlen.asm \ 441 $(VBOX_PATH_RUNTIME_SRC)/common/string/strncmp.asm \ 442 $(VBOX_PATH_RUNTIME_SRC)/common/string/strncpy.asm \ 443 $(VBOX_PATH_RUNTIME_SRC)/common/misc/zero.asm \ 444 444 $(VBOX_PATH_RUNTIME_SRC)/common/math/RTUInt128MulByU64.asm \ 445 
$(VBOX_PATH_RUNTIME_SRC)/common/math/bignum-amd64-x86.asm \ 445 446 $(VBOX_PATH_RUNTIME_SRC)/win/amd64/ASMGetCS.asm \ 446 447 $(VBOX_PATH_RUNTIME_SRC)/win/amd64/ASMGetSS.asm … … 458 459 # Add necessary compiler specific files from the compiler lib dir. 459 460 ifeq ($(KBUILD_TARGET),win) 461 ## @todo use the nocrt variants of this glue code! 462 460 463 include $(KBUILD_PATH)/tools/$(VBOX_VCC_TOOL).kmk 461 464 SUPR3HardenedStatic_SOURCES.win += \ … … 475 478 $(SUPR3HardenedStatic_0_OUTDIR)/guard_dispatch.obj \ 476 479 $(SUPR3HardenedStatic_0_OUTDIR)/guard_xfg_dispatch.obj 480 SUPR3HardenedStatic_SOURCES.win.arm64 += \ 481 $(SUPR3HardenedStatic_0_OUTDIR)/guard_dispatch.obj 477 482 # These next ones are for supporting the /GS option. We skip gs_report.obj as it 478 483 # import lots from kernel32 and we're better of reporting the problem ourselves. … … 495 500 $$(SUPR3HardenedStatic_0_OUTDIR)/alloca16.obj: \ 496 501 $(PATH_TOOL_$(VBOX_VCC_TOOL)_LIB)/libcmt.lib | $$(dir $$@) 497 set -x; $(TOOL_$(VBOX_VCC_TOOL)_AR) "/EXTRACT:$$($(TOOL_$(VBOX_VCC_TOOL)_AR) /LIST "$<" | $(SED_EXT) -e '/$(notdir $@)/!d' )" "/OUT:$@" "$<"502 set -x; $(TOOL_$(VBOX_VCC_TOOL)_AR) "/EXTRACT:$$($(TOOL_$(VBOX_VCC_TOOL)_AR) /LIST "$<" | $(SED_EXT) -e '/$(notdir $@)/!d' -e '/arm64ec/d' )" "/OUT:$@" "$<" 498 503 endif 499 504 endif -
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
r106061 r106893 147 147 SUPSYSROOTDIRBUF g_WinSxSNtPath; 148 148 #if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE) 149 /** The full 'Program Files' path. */149 /** The full 'Program Files' ('Program Files (arm)' on arm64) path. */ 150 150 SUPSYSROOTDIRBUF g_ProgramFilesNtPath; 151 151 # ifdef RT_ARCH_AMD64 … … 1130 1130 */ 1131 1131 KUSER_SHARED_DATA volatile *pUserSharedData = (KUSER_SHARED_DATA volatile *)MM_SHARED_USER_DATA_VA; 1132 # ifdef RT_ARCH_AMD64 1133 uint64_t uRet = *(uint64_t volatile *)&pUserSharedData->SystemTime; /* This is what KeQuerySystemTime does (missaligned). */ 1132 # if defined(RT_ARCH_AMD64) || defined(RT_ARCH_ARM64) 1133 /* This is what KeQuerySystemTime (macro) does. SystemTime is misaligned, 1134 not not badly enough to cause trouble on arm. */ 1135 # ifdef RT_ARCH_ARM64 1136 uint64_t const uRet = __iso_volatile_load64((int64_t volatile *)&pUserSharedData->SystemTime); 1137 # else 1138 uint64_t const uRet = *(uint64_t volatile *)&pUserSharedData->SystemTime; 1139 # endif 1134 1140 return RTTimeSpecSetNtTime(pNow, uRet); 1135 # else 1136 1141 1142 # elif defined(RT_ARCH_X86) 1137 1143 LARGE_INTEGER NtTime; 1138 1144 do … … 1142 1148 } while (pUserSharedData->SystemTime.High2Time != NtTime.HighPart); 1143 1149 return RTTimeSpecSetNtTime(pNow, NtTime.QuadPart); 1150 1151 # else 1152 # error "port me" 1144 1153 # endif 1154 1145 1155 #else /* IN_RING0 */ 1146 1156 return RTTimeNow(pNow); … … 1772 1782 } s_aPaths[] = 1773 1783 { 1784 # if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) 1774 1785 { &g_ProgramFilesNtPath, L"ProgramFilesDir", "ProgDir" }, 1775 1786 { &g_CommonFilesNtPath, L"CommonFilesDir", "ComDir" }, 1787 # elif defined(RT_ARCH_ARM64) 1788 { &g_ProgramFilesNtPath, L"ProgramFilesDir (arm)", "ProgDir" }, 1789 { &g_CommonFilesNtPath, L"CommonFilesDir (arm)", "ComDir" }, 1790 # else 1791 # error "port me" 1792 # endif 1776 1793 # ifdef RT_ARCH_AMD64 1777 1794 { &g_ProgramFilesX86NtPath, L"ProgramFilesDir (x86)", "ProgDir32" 
}, -
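Review bot: The arm64 entries of `s_aPaths` read `ProgramFilesDir (arm)` / `CommonFilesDir (arm)`, but on Windows on ARM those registry values name `C:\Program Files (Arm)`, the directory for 32-bit ARM applications, while native arm64 binaries install under plain `Program Files` (`ProgramFilesDir`); since `g_ProgramFilesNtPath` is used elsewhere in this file for path-based trust decisions in the `!VBOX_PERMIT_EVEN_MORE` build, an arm64 VirtualBox installed in `C:\Program Files` would then fail those checks, so please confirm the arm64 install location before keeping the `(arm)` values (and adjust the `g_ProgramFilesNtPath` doc comment to match). In the system-time helper (its signature is outside the hunk) the new comment says `not not badly enough to cause trouble on arm` — should be `but not badly enough`. Also, `SystemTime` in KUSER_SHARED_DATA is only 4-byte aligned, and a misaligned 8-byte `__iso_volatile_load64` is not guaranteed single-copy atomic on AArch64, so a torn read is possible in principle where it is not on amd64; if the value feeds timestamp/certificate-validity decisions, the `High2Time` retry loop already used by the x86 branch would be the safer choice for arm64 as well.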
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
r106267 r106893 64 64 #endif 65 65 #include "win/SUPHardenedVerify-win.h" 66 67 68 /********************************************************************************************************************************* 69 * Defined Constants And Macros * 70 *********************************************************************************************************************************/ 71 #if defined(RT_ARCH_ARM64) 72 AssertCompile(PAGE_SIZE == _4K); 73 # define g_abRTZeroPage g_abRTZero4K 74 #endif 75 66 76 67 77 … … 770 780 */ 771 781 #ifdef RT_ARCH_AMD64 772 if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64 && !pImage->f32bitResourceDll) 782 const uint16_t uExpectedMachine = IMAGE_FILE_MACHINE_AMD64; 783 #elif defined(RT_ARCH_ARM64) 784 const uint16_t uExpectedMachine = IMAGE_FILE_MACHINE_ARM64; 785 #elif defined(RT_ARCH_X86) 786 const uint16_t uExpectedMachine = IMAGE_FILE_MACHINE_I386; 773 787 #else 774 if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) 788 # error "port me" 789 #endif 790 #if ARCH_BITS == 64 791 if (pNtHdrs->FileHeader.Machine != uExpectedMachine && !pImage->f32bitResourceDll) 792 #elif defined 793 if (pNtHdrs->FileHeader.Machine != uExpectedMachine) 775 794 #endif 776 795 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_IMAGE_MACHINE, 777 "%s: Unexpected machine: %#x", pImage->pszName, pNtHdrs->FileHeader.Machine); 796 "%s: Unexpected machine: %#x (expected %#x)", 797 pImage->pszName, pNtHdrs->FileHeader.Machine, uExpectedMachine); 778 798 bool const fIs32Bit = pNtHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; 779 799 -
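Review bot: The second preprocessor branch of the new machine check, `#elif defined`, has no operand and is ill-formed, so a 32-bit (x86) build of this file fails to preprocess; it should simply be `#else`. Note also that replacing `#ifdef RT_ARCH_AMD64` with `#if ARCH_BITS == 64` extends the `f32bitResourceDll` exemption to arm64, so an `IMAGE_FILE_MACHINE_I386` image flagged as a resource DLL is now accepted into an arm64 process — worth confirming that is intended, given that `fIs32Bit` on the following line is still derived from I386 only. The enclosing verification function starts and ends outside this hunk.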
trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
r106061 r106893 63 63 #include <iprt/utf16.h> 64 64 #include <iprt/zero.h> 65 #ifdef RT_ARCH_ARM64 66 # include <iprt/armv8.h> 67 #endif 65 68 66 69 #include "SUPLibInternal.h" … … 267 270 268 271 272 /** 273 * The size (in bytes) of a function replacement patch. 274 */ 275 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) || defined(DOXYGEN_RUNNING) 276 # define SUPR3HARDENED_NT_PATCH_SIZE 16 277 #elif defined(RT_ARCH_ARM64) 278 # define SUPR3HARDENED_NT_PATCH_SIZE 32 279 #else 280 # error "port me" 281 #endif 282 283 /** 284 * A ntdll code patch. 285 */ 286 typedef union SUPR3HARDNTPATCH 287 { 288 union 289 { 290 uint8_t ab[SUPR3HARDENED_NT_PATCH_SIZE]; 291 uint32_t au32[SUPR3HARDENED_NT_PATCH_SIZE / 4]; 292 uint64_t au64[SUPR3HARDENED_NT_PATCH_SIZE / 8]; 293 }; 294 uint32_t cb; 295 } SUPR3HARDNTPATCH; 296 297 269 298 /********************************************************************************************************************************* 270 299 * Global Variables * … … 307 336 static uint8_t *g_pbNtCreateSection; 308 337 /** The patched NtCreateSection bytes (for restoring). */ 309 static uint8_t g_abNtCreateSectionPatch[16];338 static SUPR3HARDNTPATCH g_NtCreateSectionPatch; 310 339 /** Pointer to the bit of assembly code that will perform the original 311 340 * LdrLoadDll operation. */ … … 314 343 static uint8_t *g_pbLdrLoadDll; 315 344 /** The patched LdrLoadDll bytes (for restoring). */ 316 static uint8_t g_abLdrLoadDllPatch[16];345 static SUPR3HARDNTPATCH g_LdrLoadDllPatch; 317 346 318 347 #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING … … 323 352 static uint8_t *g_pbKiUserExceptionDispatcher; 324 353 /** The patched KiUserExceptionDispatcher bytes (for restoring). */ 325 static uint8_t g_abKiUserExceptionDispatcherPatch[16];354 static SUPR3HARDNTPATCH g_KiUserExceptionDispatcherPatch; 326 355 #endif 327 356 … … 332 361 static uint8_t *g_pbKiUserApcDispatcher; 333 362 /** The patched KiUserApcDispatcher bytes (for restoring). 
*/ 334 static uint8_t g_abKiUserApcDispatcherPatch[16];363 static SUPR3HARDNTPATCH g_KiUserApcDispatcherPatch; 335 364 336 365 /** Pointer to the LdrInitializeThunk function in NtDll for … … 367 396 /** The backup of our own LdrInitializeThunk code, for enabling and disabling 368 397 * thread creation in this process. */ 369 static uint8_t g_abLdrInitThunkSelfBackup[16];398 static SUPR3HARDNTPATCH g_LdrInitThunkSelfBackup; 370 399 371 400 /** Mask of adversaries that we've detected (SUPHARDNT_ADVERSARY_XXX). */ … … 2591 2620 PCONTEXT pCtx = (PCONTEXT)pvApcArgs; 2592 2621 uintptr_t *ppfnRoutine = (uintptr_t *)&pCtx->P4Home; 2593 #el se2594 struct X86APCCTX2622 #elif defined(RT_ARCH_X86) || defined(RT_ARCH_ARM64) 2623 struct GENAPCCTX 2595 2624 { 2596 2625 uintptr_t pfnRoutine; … … 2599 2628 uintptr_t pvUser2; 2600 2629 CONTEXT Ctx; 2601 } *pCtx = (struct X86APCCTX *)pvApcArgs;2630 } *pCtx = (struct GENAPCCTX *)pvApcArgs; 2602 2631 uintptr_t *ppfnRoutine = &pCtx->pfnRoutine; 2632 # ifdef RT_ARCH_ARM64 2633 __debugbreak(); /** @todo debug & check this */ 2634 # endif 2635 #else 2636 # error "port me" 2603 2637 #endif 2604 2638 uintptr_t pfnRoutine = *ppfnRoutine; … … 2660 2694 pCtx->SegCs, pCtx->SegDs, pCtx->SegEs, pCtx->SegFs, pCtx->SegGs, 2661 2695 pCtx->Dr0, pCtx->Dr1, pCtx->Dr2, pCtx->Dr3, pCtx->Dr6, pCtx->Dr7)); 2696 #elif defined(RT_ARCH_ARM64) 2697 SUP_DPRINTF(("%s\n" 2698 " x0 =%016RX64 x1 =%016RX64 x2 =%016RX64 x3 =%016RX64\n" 2699 " x4 =%016RX64 x5 =%016RX64 x6 =%016RX64 x7 =%016RX64\n" 2700 " x8 =%016RX64 x9 =%016RX64 x10=%016RX64 x11=%016RX64\n" 2701 " x12=%016RX64 x13=%016RX64 x14=%016RX64 x15=%016RX64\n" 2702 " x16=%016RX64 x17=%016RX64 x18=%016RX64 x19=%016RX64\n" 2703 " x20=%016RX64 x21=%016RX64 x22=%016RX64 x23=%016RX64\n" 2704 " x24=%016RX64 x25=%016RX64 x26=%016RX64 x27=%016RX64\n" 2705 " x28=%016RX64 fp =%016RX64 lr =%016RX64\n" 2706 " pc =%016RX64 sp =%016RX64 cpsr=%08RX32\n" 2707 " fpcr=%08RX32 fpsr=%08RX32 ContextFlags=%#x\n" 2708 , 2709 
pszLeadIn, 2710 pCtx->X0, pCtx->X1, pCtx->X2, pCtx->X3, 2711 pCtx->X4, pCtx->X5, pCtx->X6, pCtx->X7, 2712 pCtx->X8, pCtx->X9, pCtx->X10, pCtx->X11, 2713 pCtx->X12, pCtx->X13, pCtx->X14, pCtx->X15, 2714 pCtx->X16, pCtx->X17, pCtx->X18, pCtx->X19, 2715 pCtx->X20, pCtx->X21, pCtx->X22, pCtx->X23, 2716 pCtx->X24, pCtx->X25, pCtx->X26, pCtx->X27, 2717 pCtx->X28, pCtx->Fp, pCtx->Lr, 2718 pCtx->Pc, pCtx->Sp, pCtx->Cpsr, pCtx->ContextFlags, 2719 pCtx->Fpcr, pCtx->Fpsr)); 2662 2720 #else 2663 2721 # error "Unsupported arch." … … 2875 2933 struct 2876 2934 { 2877 size_t cbPatch; 2878 uint8_t const *pabPatch; 2879 uint8_t **ppbApi; 2880 const char *pszName; 2935 SUPR3HARDNTPATCH *pPatch; 2936 uint8_t **ppbApi; 2937 const char *pszName; 2881 2938 } const s_aPatches[] = 2882 2939 { 2883 { sizeof(g_abNtCreateSectionPatch), g_abNtCreateSectionPatch, &g_pbNtCreateSection, "NtCreateSection" },2884 { sizeof(g_abLdrLoadDllPatch), g_abLdrLoadDllPatch, &g_pbLdrLoadDll, "LdrLoadDll" },2885 { sizeof(g_abKiUserApcDispatcherPatch), g_abKiUserApcDispatcherPatch, &g_pbKiUserApcDispatcher, "KiUserApcDispatcher" },2940 { &g_NtCreateSectionPatch, &g_pbNtCreateSection, "NtCreateSection" }, 2941 { &g_LdrLoadDllPatch, &g_pbLdrLoadDll, "LdrLoadDll" }, 2942 { &g_KiUserApcDispatcherPatch, &g_pbKiUserApcDispatcher, "KiUserApcDispatcher" }, 2886 2943 #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING 2887 { sizeof(g_abKiUserExceptionDispatcherPatch), g_abKiUserExceptionDispatcherPatch, &g_pbKiUserExceptionDispatcher, "KiUserExceptionDispatcher" },2944 { &g_KiUserExceptionDispatcherPatch, &g_pbKiUserExceptionDispatcher, "KiUserExceptionDispatcher" }, 2888 2945 #endif 2889 2946 }; … … 2893 2950 for (uint32_t i = 0; i < RT_ELEMENTS(s_aPatches); i++) 2894 2951 { 2895 uint8_t *pbApi = *s_aPatches[i].ppbApi; 2896 if (memcmp(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch) != 0) 2952 SUPR3HARDNTPATCH * const pPatch = s_aPatches[i].pPatch; 2953 uint8_t * const pbApi = *s_aPatches[i].ppbApi; 2954 if 
(memcmp(pbApi, pPatch->ab, pPatch->cb) != 0) 2897 2955 { 2898 2956 /* … … 2904 2962 s_cTimes++; 2905 2963 SUP_DPRINTF(("supR3HardenedWinReInstallHooks: Reinstalling %s (%p: %.*Rhxs).\n", 2906 s_aPatches[i].pszName, pbApi, s_aPatches[i].cbPatch, pbApi));2964 s_aPatches[i].pszName, pbApi, pPatch->cb, pbApi)); 2907 2965 } 2908 2966 2909 Assert( s_aPatches[i].cbPatch>= 4);2910 2911 SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READWRITE));2967 Assert(pPatch->cb >= 4); 2968 2969 SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, pPatch->cb, PAGE_EXECUTE_READWRITE)); 2912 2970 2913 2971 /* … … 2918 2976 fAmIAlone = supR3HardenedWinAmIAlone(); 2919 2977 if (fAmIAlone) 2920 memcpy(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch);2978 memcpy(pbApi, pPatch->ab, pPatch->cb); 2921 2979 else 2922 2980 { … … 2927 2985 */ 2928 2986 RTUINT32U uJmpDollarMinus; 2987 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) 2929 2988 uJmpDollarMinus.au8[0] = 0xeb; 2930 2989 uJmpDollarMinus.au8[1] = 0xfe; 2931 2990 uJmpDollarMinus.au8[2] = pbApi[2]; 2932 2991 uJmpDollarMinus.au8[3] = pbApi[3]; 2933 ASMAtomicXchgU32((uint32_t volatile *)pbApi, uJmpDollarMinus.u); 2992 #else 2993 uJmpDollarMinus.u = Armv8A64MkInstrB(0); 2994 #endif 2995 ASMAtomicWriteU32((uint32_t volatile *)pbApi, uJmpDollarMinus.u); 2934 2996 2935 2997 NtYieldExecution(); … … 2937 2999 2938 3000 /* Copy in the tail bytes of the patch, then xchg the jmp $-2. 
*/ 2939 if ( s_aPatches[i].cbPatch> 4)2940 memcpy(&pbApi[4], & s_aPatches[i].pabPatch[4], s_aPatches[i].cbPatch- 4);2941 ASMAtomic XchgU32((uint32_t volatile *)pbApi, *(uint32_t *)s_aPatches[i].pabPatch);3001 if (pPatch->cb > 4) 3002 memcpy(&pbApi[4], &pPatch->ab[4], pPatch->cb - 4); 3003 ASMAtomicWriteU32((uint32_t volatile *)pbApi, pPatch->au32[0]); 2942 3004 } 2943 3005 2944 SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READ));3006 SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, pPatch->cb, PAGE_EXECUTE_READ)); 2945 3007 } 2946 3008 } … … 3018 3080 uint8_t * const pbNtCreateSection = (uint8_t *)(uintptr_t)pfnNtCreateSection; 3019 3081 g_pbNtCreateSection = pbNtCreateSection; 3020 memcpy(g_ abNtCreateSectionPatch, pbNtCreateSection, sizeof(g_abNtCreateSectionPatch));3082 memcpy(g_NtCreateSectionPatch.ab, pbNtCreateSection, sizeof(g_NtCreateSectionPatch.ab)); 3021 3083 3022 3084 g_pfnNtCreateSectionReal = NtCreateSection; /* our direct syscall */ … … 3037 3099 3038 3100 /* Assemble the patch. */ 3039 g_abNtCreateSectionPatch[0] = 0x48; /* mov rax, qword */ 3040 g_abNtCreateSectionPatch[1] = 0xb8; 3041 *(uint64_t *)&g_abNtCreateSectionPatch[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection; 3042 g_abNtCreateSectionPatch[10] = 0xff; /* jmp rax */ 3043 g_abNtCreateSectionPatch[11] = 0xe0; 3044 3045 #else 3101 g_NtCreateSectionPatch.ab[0] = 0x48; /* mov rax, qword */ 3102 g_NtCreateSectionPatch.ab[1] = 0xb8; 3103 *(uint64_t *)&g_NtCreateSectionPatch.ab[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection; 3104 g_NtCreateSectionPatch.ab[10] = 0xff; /* jmp rax */ 3105 g_NtCreateSectionPatch.ab[11] = 0xe0; 3106 g_NtCreateSectionPatch.cb = 12; 3107 3108 #elif defined(RT_ARCH_X86) 3046 3109 /* 3047 3110 * Patch 32-bit hosts. … … 3069 3132 3070 3133 /* Assemble the patch. 
*/ 3071 g_abNtCreateSectionPatch[0] = 0xe9; /* jmp rel32 */ 3072 *(uint32_t *)&g_abNtCreateSectionPatch[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection 3073 - (uintptr_t)&pbNtCreateSection[1+4]; 3074 3134 g_NtCreateSectionPatch.ab[0] = 0xe9; /* jmp rel32 */ 3135 *(uint32_t *)&g_NtCreateSectionPatch.ab[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection 3136 - (uintptr_t)&pbNtCreateSection[1+4]; 3137 g_NtCreateSectionPatch.cb = 5; 3138 3139 #elif defined(RT_ARCH_ARM64) 3140 /* 3141 * Patch 64-bit ARM hosts. 3142 * We can make this work, provided the target address doesn't use bits 63:48. 3143 */ 3144 /* Pattern #1: 3145 NtCreateSection: 3146 180022950: d4000941 svc #0x4a 3147 180022954: d65f03c0 ret 3148 180022958: 00000000 udf #0x00 3149 18002295c: 00000000 udf #0x00 */ 3150 uintptr_t uAddr = (uintptr_t)supR3HardenedMonitor_NtCreateSection; 3151 if (uAddr >= RT_BIT_64(48)) 3152 supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE, 3153 "Address of supR3HardenedMonitor_NtCreateSection (%p) is too high for patching!", uAddr); 3154 uint32_t const * const pu32NtCreateSection = (uint32_t const *)pbNtCreateSection; 3155 3156 if ( (pu32NtCreateSection[0] & ~(UINT32_C(0xffff) << 5)) == UINT32_C(0xd0000001) 3157 || pu32NtCreateSection[1] != ARMV8_A64_INSTR_RET 3158 || pu32NtCreateSection[2] != 0 3159 || pu32NtCreateSection[3] != 0) 3160 supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE, 3161 "Unexpected code found at ntdll!NtCreateSection: %.16Rhxs", pu32NtCreateSection); 3162 g_NtCreateSectionPatch.au32[0] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X16, uAddr & 0xffff); 3163 g_NtCreateSectionPatch.au32[1] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X16, (uAddr >> 16) & 0xffff, 1); 3164 g_NtCreateSectionPatch.au32[2] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X16, (uAddr >> 32) & 0xffff, 2); 3165 g_NtCreateSectionPatch.au32[3] = Armv8A64MkInstrBr(ARMV8_A64_REG_X16); 3166 g_NtCreateSectionPatch.cb = 16; 3167 
3168 #else 3169 # error "port me" 3075 3170 #endif 3076 3171 … … 3086 3181 uint8_t * const pbLdrLoadDll = (uint8_t *)(uintptr_t)pfnLdrLoadDll; 3087 3182 g_pbLdrLoadDll = pbLdrLoadDll; 3088 memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch)); 3089 3183 memcpy(g_LdrLoadDllPatch.ab, pbLdrLoadDll, sizeof(g_LdrLoadDllPatch.ab)); 3184 3185 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) 3090 3186 DISSTATE Dis; 3091 3187 uint32_t cbInstr; 3188 #endif 3092 3189 uint32_t offJmpBack = 0; 3093 3190 … … 3123 3220 /* Assemble the LdrLoadDll patch. */ 3124 3221 Assert(offJmpBack >= 12); 3125 g_abLdrLoadDllPatch[0] = 0x48; /* mov rax, qword */ 3126 g_abLdrLoadDllPatch[1] = 0xb8; 3127 *(uint64_t *)&g_abLdrLoadDllPatch[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll; 3128 g_abLdrLoadDllPatch[10] = 0xff; /* jmp rax */ 3129 g_abLdrLoadDllPatch[11] = 0xe0; 3130 3131 #else 3222 g_LdrLoadDllPatch.ab[0] = 0x48; /* mov rax, qword */ 3223 g_LdrLoadDllPatch.ab[1] = 0xb8; 3224 *(uint64_t *)&g_LdrLoadDllPatch.ab[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll; 3225 g_LdrLoadDllPatch.ab[10] = 0xff; /* jmp rax */ 3226 g_LdrLoadDllPatch.ab[11] = 0xe0; 3227 g_LdrLoadDllPatch.cb = 12; 3228 3229 #elif defined(RT_ARCH_X86) 3132 3230 /* 3133 3231 * Patch 32-bit hosts. … … 3156 3254 3157 3255 /* Assemble the LdrLoadDll patch. */ 3158 memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));3159 3256 Assert(offJmpBack >= 5); 3160 g_abLdrLoadDllPatch[0] = 0xe9; 3161 *(uint32_t *)&g_abLdrLoadDllPatch[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll - (uintptr_t)&pbLdrLoadDll[1+4]; 3257 g_LdrLoadDllPatch.ab[0] = 0xe9; 3258 *(uint32_t *)&g_LdrLoadDllPatch.ab[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll - (uintptr_t)&pbLdrLoadDll[1+4]; 3259 g_LdrLoadDllPatch.cb = 5; 3260 3261 #elif defined(RT_ARCH_ARM64) 3262 /* 3263 * Patch 64-bit ARM hosts. 3264 * 3265 * Note! 
Blindly ASSUMES that the code is at least 20 bytes long, that x17 3266 * isn't being used, and that there are no branch instructions. 3267 * So, far we've only seen the typical long STP sequence. 3268 */ 3269 /** @todo disassemble to make sure x17 isn't used and there is no branching! */ 3270 offJmpBack = 20; 3271 3272 /* Assemble the code for resuming the call.*/ 3273 *(PFNRT *)&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage]; 3274 3275 memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack); 3276 offExecPage += offJmpBack; 3277 3278 uAddr = (uintptr_t)&pbLdrLoadDll[offJmpBack]; 3279 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X17, uAddr & 0xffff); 3280 offExecPage += 4; 3281 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 1); 3282 offExecPage += 4; 3283 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 32) & 0xffff, 2); 3284 offExecPage += 4; 3285 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 48) & 0xffff, 3); 3286 offExecPage += 4; 3287 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrBr(ARMV8_A64_REG_X17); 3288 offExecPage = RT_ALIGN_32(offExecPage + 4, 16); 3289 3290 /* Assemble the LdrLoadDll patch. 
*/ 3291 # if 0 3292 uAddr = (uintptr_t)supR3HardenedMonitor_LdrLoadDll; 3293 g_LdrLoadDllPatch.au32[0] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X17, uAddr & 0xffff); 3294 g_LdrLoadDllPatch.au32[1] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 1); 3295 g_LdrLoadDllPatch.au32[2] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 2); 3296 g_LdrLoadDllPatch.au32[3] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 3); 3297 g_LdrLoadDllPatch.au32[4] = Armv8A64MkInstrBr(ARMV8_A64_REG_X17); 3298 g_LdrLoadDllPatch.cb = 20; 3299 # else 3300 g_LdrLoadDllPatch.au32[0] = Armv8A64MkInstrLdrLitteral(kArmv8A64InstrLdrLitteral_Dword, ARMV8_A64_REG_X17, 8); 3301 g_LdrLoadDllPatch.au32[1] = Armv8A64MkInstrBr(ARMV8_A64_REG_X17); 3302 g_LdrLoadDllPatch.au64[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll; 3303 g_LdrLoadDllPatch.cb = 16; 3304 # endif 3305 3306 #else 3307 # error "port me" 3162 3308 #endif 3163 3309 … … 3176 3322 uint8_t * const pbKiUserApcDispatcher = (uint8_t *)(uintptr_t)pfnKiUserApcDispatcher; 3177 3323 g_pbKiUserApcDispatcher = pbKiUserApcDispatcher; 3178 memcpy(g_ abKiUserApcDispatcherPatch, pbKiUserApcDispatcher, sizeof(g_abKiUserApcDispatcherPatch));3324 memcpy(g_KiUserApcDispatcherPatch.ab, pbKiUserApcDispatcher, sizeof(g_KiUserApcDispatcherPatch.ab)); 3179 3325 3180 3326 #ifdef RT_ARCH_AMD64 … … 3210 3356 /* Assemble the KiUserApcDispatcher patch. 
*/ 3211 3357 Assert(offJmpBack >= 12); 3212 g_abKiUserApcDispatcherPatch[0] = 0x48; /* mov rax, qword */ 3213 g_abKiUserApcDispatcherPatch[1] = 0xb8; 3214 *(uint64_t *)&g_abKiUserApcDispatcherPatch[2] = (uint64_t)supR3HardenedMonitor_KiUserApcDispatcher; 3215 g_abKiUserApcDispatcherPatch[10] = 0xff; /* jmp rax */ 3216 g_abKiUserApcDispatcherPatch[11] = 0xe0; 3217 3218 #else 3358 g_KiUserApcDispatcherPatch.ab[0] = 0x48; /* mov rax, qword */ 3359 g_KiUserApcDispatcherPatch.ab[1] = 0xb8; 3360 *(uint64_t *)&g_KiUserApcDispatcherPatch.ab[2] = (uint64_t)supR3HardenedMonitor_KiUserApcDispatcher; 3361 g_KiUserApcDispatcherPatch.ab[10] = 0xff; /* jmp rax */ 3362 g_KiUserApcDispatcherPatch.ab[11] = 0xe0; 3363 g_KiUserApcDispatcherPatch.cb = 12; 3364 3365 #elif defined(RT_ARCH_X86) 3219 3366 /* 3220 3367 * Patch 32-bit hosts. … … 3244 3391 3245 3392 /* Assemble the KiUserApcDispatcher patch. */ 3246 memcpy(g_abKiUserApcDispatcherPatch, pbKiUserApcDispatcher, sizeof(g_abKiUserApcDispatcherPatch));3247 3393 Assert(offJmpBack >= 5); 3248 g_abKiUserApcDispatcherPatch[0] = 0xe9; 3249 *(uint32_t *)&g_abKiUserApcDispatcherPatch[1] = (uintptr_t)supR3HardenedMonitor_KiUserApcDispatcher - (uintptr_t)&pbKiUserApcDispatcher[1+4]; 3394 g_KiUserApcDispatcherPatch.ab[0] = 0xe9; 3395 *(uint32_t *)&g_KiUserApcDispatcherPatch.ab[1] = (uintptr_t)supR3HardenedMonitor_KiUserApcDispatcher - (uintptr_t)&pbKiUserApcDispatcher[1+4]; 3396 g_KiUserApcDispatcherPatch.cb = 5; 3397 3398 #elif defined(RT_ARCH_ARM64) 3399 /* 3400 * Patch 64-bit ARM hosts. 3401 * 3402 * Note! Blindly ASSUMES that the code is at least 16 bytes long, that x17 3403 * isn't being used, and that there are no branch instructions. 3404 * In the code we've been looking at, the 4th instruction is a CBZ, 3405 * which means we can only use 16 bytes here to do the patching. 3406 * 3407 * w10-1709: 3408 * 1800243a0: f94003ef ldr x15, [sp] ; The APC routine address. 
3409 * 1800243a4: 9342fde2 asr x2, x15, #2 3410 * 1800243a8: cb0203e2 neg x2, x2 3411 * 1800243ac: d360fc40 lsr x0, x2, #32 3412 * 1800243b0: 340001a0 cbz w0, 0x1800243e4 <KiUserApcDispatcher+0x44> ; jump if WOW stuff. 3413 * 1800243b4: f94007e0 ldr x0, [sp, #0x8] ; APC arg #0 3414 * 1800243b8: f9400be1 ldr x1, [sp, #0x10] ; APC arg #1 3415 * 1800243bc: f9400fe2 ldr x2, [sp, #0x18] ; APC arg #2 3416 * 1800243c0: 97ffffe4 bl 0x180024350 <RtlFirstEntrySList+0x10> 3417 * 1800243c4: 910083e0 add x0, sp, #0x20 ; x0=PCONTEXT 3418 * 1800243c8: d2800021 mov x1, #0x1 // =1 3419 * 1800243cc: 97fff945 bl 0x1800228e0 <ZwContinue> 3420 */ 3421 /** @todo disassemble to make sure x17 isn't used and there is no branching! */ 3422 offJmpBack = 16; 3423 uint32_t const * const pu32KiUserApcDispatcher = (uint32_t const *)pbKiUserApcDispatcher; 3424 if ( pu32KiUserApcDispatcher[0] != UINT32_C(0xf94003ef) 3425 || pu32KiUserApcDispatcher[1] != UINT32_C(0x9342fde2) 3426 || pu32KiUserApcDispatcher[2] != UINT32_C(0xcb0203e2) 3427 || pu32KiUserApcDispatcher[3] != UINT32_C(0xd360fc40)) 3428 supR3HardenedWinHookFailed("KiUserApcDispatcher", pbKiUserApcDispatcher); 3429 3430 /* Assemble the code for resuming the call.*/ 3431 *(PFNRT *)&g_pfnKiUserApcDispatcherReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage]; 3432 3433 memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbKiUserApcDispatcher, offJmpBack); 3434 offExecPage += offJmpBack; 3435 3436 uAddr = (uintptr_t)&pbKiUserApcDispatcher[offJmpBack]; 3437 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X17, uAddr & 0xffff); 3438 offExecPage += 4; 3439 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 1); 3440 offExecPage += 4; 3441 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 32) & 0xffff, 2); 3442 offExecPage += 4; 3443 *(uint32_t 
*)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 48) & 0xffff, 3); 3444 offExecPage += 4; 3445 *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = Armv8A64MkInstrBr(ARMV8_A64_REG_X17); 3446 offExecPage = RT_ALIGN_32(offExecPage + 4, 16); 3447 3448 /* Assemble the KiUserApcDispatcher patch. */ 3449 # if 0 3450 uAddr = (uintptr_t)supR3HardenedMonitor_LdrLoadDll; 3451 if (uAddr >= RT_BIT_64(48)) 3452 supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE, 3453 "Address of supR3HardenedMonitor_LdrLoadDll (%p) is too high for patching!", uAddr); 3454 g_KiUserApcDispatcherPatch.au32[0] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X17, uAddr & 0xffff); 3455 g_KiUserApcDispatcherPatch.au32[1] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 1); 3456 g_KiUserApcDispatcherPatch.au32[2] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 2); 3457 //g_KiUserApcDispatcherPatch.au32[3] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X17, (uAddr >> 16) & 0xffff, 3); 3458 g_KiUserApcDispatcherPatch.au32[3] = Armv8A64MkInstrBr(ARMV8_A64_REG_X17); 3459 g_KiUserApcDispatcherPatch.cb = 16; 3460 # else 3461 g_KiUserApcDispatcherPatch.au32[0] = Armv8A64MkInstrLdrLitteral(kArmv8A64InstrLdrLitteral_Dword, ARMV8_A64_REG_X17, 8); 3462 g_KiUserApcDispatcherPatch.au32[1] = Armv8A64MkInstrBr(ARMV8_A64_REG_X17); 3463 g_KiUserApcDispatcherPatch.au64[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll; 3464 # endif 3465 3466 #else 3467 # error "port me" 3250 3468 #endif 3469 3251 3470 3252 3471 #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING … … 3261 3480 uint8_t * const pbKiUserExceptionDispatcher = (uint8_t *)(uintptr_t)pfnKiUserExceptionDispatcher; 3262 3481 g_pbKiUserExceptionDispatcher = pbKiUserExceptionDispatcher; 3263 memcpy(g_ abKiUserExceptionDispatcherPatch, pbKiUserExceptionDispatcher, sizeof(g_abKiUserExceptionDispatcherPatch));3482 memcpy(g_KiUserExceptionDispatcherPatch.ab, 
pbKiUserExceptionDispatcher, sizeof(g_KiUserExceptionDispatcherPatch.ab)); 3264 3483 3265 3484 # ifdef RT_ARCH_AMD64 … … 3286 3505 { 3287 3506 /* Assemble the KiUserExceptionDispatcher patch. */ 3288 g_abKiUserExceptionDispatcherPatch[1] = 0x48; /* MOV RAX, supR3HardenedMonitor_KiUserExceptionDispatcher */ 3289 g_abKiUserExceptionDispatcherPatch[2] = 0xb8; 3290 *(uint64_t *)&g_abKiUserExceptionDispatcherPatch[3] = (uint64_t)supR3HardenedMonitor_KiUserExceptionDispatcher; 3291 g_abKiUserExceptionDispatcherPatch[11] = 0x90; /* NOP (was JZ) */ 3292 g_abKiUserExceptionDispatcherPatch[12] = 0x90; /* NOP (was DISP8 of JZ) */ 3507 g_KiUserExceptionDispatcherPatch.ab[1] = 0x48; /* MOV RAX, supR3HardenedMonitor_KiUserExceptionDispatcher */ 3508 g_KiUserExceptionDispatcherPatch.ab[2] = 0xb8; 3509 *(uint64_t *)&g_KiUserExceptionDispatcherPatch.ab[3] = (uint64_t)supR3HardenedMonitor_KiUserExceptionDispatcher; 3510 g_KiUserExceptionDispatcherPatch.ab[11] = 0x90; /* NOP (was JZ) */ 3511 g_KiUserExceptionDispatcherPatch.ab[12] = 0x90; /* NOP (was DISP8 of JZ) */ 3512 g_KiUserExceptionDispatcherPatch.cb = 13; 3293 3513 } 3294 3514 else 3295 3515 SUP_DPRINTF(("supR3HardenedWinInstallHooks: failed to patch KiUserExceptionDispatcher (%.20Rhxs)\n", 3296 3516 pbKiUserExceptionDispatcher)); 3297 # else 3517 3518 # elif defined(RT_ARCH_X86) 3298 3519 /* 3299 3520 * Patch 32-bit hosts. … … 3328 3549 3329 3550 /* Assemble the KiUserExceptionDispatcher patch. 
*/ 3330 memcpy(g_abKiUserExceptionDispatcherPatch, pbKiUserExceptionDispatcher, sizeof(g_abKiUserExceptionDispatcherPatch));3331 3551 Assert(offJmpBack >= 5); 3332 g_abKiUserExceptionDispatcherPatch[0] = 0xe9; 3333 *(uint32_t *)&g_abKiUserExceptionDispatcherPatch[1] = (uintptr_t)supR3HardenedMonitor_KiUserExceptionDispatcher - (uintptr_t)&pbKiUserExceptionDispatcher[1+4]; 3334 } 3552 g_KiUserExceptionDispatcherPatch.ab[0] = 0xe9; 3553 *(uint32_t *)&g_KiUserExceptionDispatcherPatch.ab[1] = (uintptr_t)supR3HardenedMonitor_KiUserExceptionDispatcher - (uintptr_t)&pbKiUserExceptionDispatcher[1+4]; 3554 g_KiUserExceptionDispatcherPatch.cb = 5; 3555 } 3556 3557 # elif defined(RT_ARCH_ARM64) 3558 /* 3559 * Patch 64-bit ARM. 3560 * 3561 * This is a bit more interesting as the w10-1709 code looks like this: 3562 * 0000000180024490 <KiUserExceptionDispatcher>: 3563 * 180024490: 5800028f ldr x15, 0x1800244e0 <KiUserExceptionDispatcher+0x50> 3564 * 180024494: f94001ef ldr x15, [x15] 3565 * 180024498: b400008f cbz x15, 0x1800244a8 <KiUserExceptionDispatcher+0x18> 3566 * 18002449c: 910e43e0 add x0, sp, #0x390 3567 * 1800244a0: 910003e1 mov x1, sp 3568 * 1800244a4: d63f01e0 blr x15 3569 * 1800244a8: 910e43e0 add x0, sp, #0x390 3570 * 1800244ac: 910003e1 mov x1, sp 3571 * 1800244b0: 94011b76 bl 0x18006b288 <RtlQueryEnvironmentVariable+0x21d8> 3572 * 1800244b4: b40000a0 cbz x0, 0x1800244c8 <KiUserExceptionDispatcher+0x38> 3573 * 3574 * What is loaded and checked at the beginning is a function poitner caller 3575 * Wow64PrepareForException, which we can presume is NULL for a native 3576 * arm64 process. 3577 * 3578 * The easiest thing to do would be to hijack the pointer. Unfortunately 3579 * that differs too much from the others architectures, as the patching 3580 * will be done at 0x1800244e0 rather 0000000180024490. Instead, we can 3581 * just replace the first three functions and load our own address directly 3582 * into x15. 
We will still differ from the others in that we get other 3583 * parameters and don't have any g_pfnKiUserExceptionDispatcherReal but can 3584 * just return from the hook. 3585 */ 3586 uint32_t const * const pu32KiUserExceptionDispatcher = (uint32_t const *)pbKiUserExceptionDispatcher; 3587 if ( (pu32KiUserExceptionDispatcher[0] & UINT32_C(0xff00001f)) == (UINT32_C(0x58000000) | ARMV8_A64_REG_X15) 3588 && pu32KiUserExceptionDispatcher[1] == UINT32_C(0xf94001ef) 3589 && (pu32KiUserExceptionDispatcher[2] & UINT32_C(0xff00001f)) == (UINT32_C(0xb4000000) | ARMV8_A64_REG_X15) 3590 && (pu32KiUserExceptionDispatcher[3] & UINT32_C(0xffc003ff)) == (UINT32_C(0x91000000) | ARMV8_A64_REG_X0 | (ARMV8_A64_REG_SP << 5)) 3591 && pu32KiUserExceptionDispatcher[4] == UINT32_C(0x910003e1) 3592 && pu32KiUserExceptionDispatcher[5] == UINT32_C(0xd63f01e0) ) 3593 { 3594 *(uintptr_t *)&g_pfnKiUserExceptionDispatcherReal = (uintptr_t)&pu32KiUserExceptionDispatcher[6]; /* after BLR */ 3595 uAddr = (uintptr_t)supR3HardenedMonitor_KiUserExceptionDispatcher; 3596 if (uAddr >= RT_BIT_64(48)) 3597 supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE, 3598 "Address of supR3HardenedMonitor_KiUserExceptionDispatcher (%p) is too high for patching!", uAddr); 3599 g_KiUserExceptionDispatcherPatch.au32[0] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X15, uAddr & 0xffff); 3600 g_KiUserExceptionDispatcherPatch.au32[1] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X15, (uAddr >> 16) & 0xffff, 1); 3601 g_KiUserExceptionDispatcherPatch.au32[2] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X15, (uAddr >> 16) & 0xffff, 2); 3602 g_KiUserExceptionDispatcherPatch.cb = 12; 3603 } 3604 else 3605 SUP_DPRINTF(("supR3HardenedWinInstallHooks: failed to patch KiUserExceptionDispatcher (%.20Rhxs)\n", 3606 pbKiUserExceptionDispatcher)); 3607 3608 # else 3609 # error "port me" 3335 3610 # endif 3336 3611 #endif /* !VBOX_WITHOUT_HARDENDED_XCPT_LOGGING */ … … 3374 3649 * the NTDLL instance we're patching. 
(Must be +/- 3375 3650 * 2GB from the thunk code.) 3376 * @param p abBackupWhere to back up the original instruction bytes3651 * @param pBackup Where to back up the original instruction bytes 3377 3652 * at pvLdrInitThunk. 3378 * @param cbBackup The size of the backup area. Must be 16 bytes.3379 3653 * @param pErrInfo Where to return extended error information. 3380 3654 * Optional. 3381 3655 */ 3382 3656 static int supR3HardNtDisableThreadCreationEx(HANDLE hProcess, void *pvLdrInitThunk, void *pvNtTerminateThread, 3383 uint8_t *pabBackup, size_t cbBackup, PRTERRINFO pErrInfo)3657 SUPR3HARDNTPATCH *pBackup, PRTERRINFO pErrInfo) 3384 3658 { 3385 3659 SUP_DPRINTF(("supR3HardNtDisableThreadCreation: pvLdrInitThunk=%p pvNtTerminateThread=%p\n", pvLdrInitThunk, pvNtTerminateThread)); 3386 SUPR3HARDENED_ASSERT( cbBackup== 16);3660 SUPR3HARDENED_ASSERT(pBackup->cb == 16); 3387 3661 SUPR3HARDENED_ASSERT(RT_ABS((intptr_t)pvLdrInitThunk - (intptr_t)pvNtTerminateThread) < 16*_1M); 3388 3662 … … 3391 3665 */ 3392 3666 SIZE_T cbIgnored; 3393 NTSTATUS rcNt = NtReadVirtualMemory(hProcess, pvLdrInitThunk, p abBackup, cbBackup, &cbIgnored);3667 NTSTATUS rcNt = NtReadVirtualMemory(hProcess, pvLdrInitThunk, pBackup->ab, sizeof(pBackup->ab), &cbIgnored); 3394 3668 if (!NT_SUCCESS(rcNt)) 3395 3669 return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, … … 3399 3673 * Cook up replacement code that calls NtTerminateThread. 
3400 3674 */ 3401 uint8_t abReplacement[16];3402 memcpy( abReplacement, pabBackup, sizeof(abReplacement));3675 SUPR3HARDNTPATCH Replacement; 3676 memcpy(Replacement.ab, pBackup->ab, sizeof(Replacement.ab)); 3403 3677 3404 3678 #ifdef RT_ARCH_AMD64 3405 abReplacement[0] = 0x31; /* xor ecx, ecx */ 3406 abReplacement[1] = 0xc9; 3407 abReplacement[2] = 0x31; /* xor edx, edx */ 3408 abReplacement[3] = 0xd2; 3409 abReplacement[4] = 0xe8; /* call near NtTerminateThread */ 3410 *(int32_t *)&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9)); 3411 abReplacement[9] = 0xcc; /* int3 */ 3679 Replacement.ab[0] = 0x31; /* xor ecx, ecx */ 3680 Replacement.ab[1] = 0xc9; 3681 Replacement.ab[2] = 0x31; /* xor edx, edx */ 3682 Replacement.ab[3] = 0xd2; 3683 Replacement.ab[4] = 0xe8; /* call near NtTerminateThread */ 3684 *(int32_t *)&Replacement.ab[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9)); 3685 Replacement.ab[9] = 0xcc; /* int3 */ 3686 Replacement.cb = 10; 3687 3412 3688 #elif defined(RT_ARCH_X86) 3413 abReplacement[0] = 0x6a; /* push 0 */ 3414 abReplacement[1] = 0x00; 3415 abReplacement[2] = 0x6a; /* push 0 */ 3416 abReplacement[3] = 0x00; 3417 abReplacement[4] = 0xe8; /* call near NtTerminateThread */ 3418 *(int32_t *)&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9)); 3419 abReplacement[9] = 0xcc; /* int3 */ 3689 Replacement.ab[0] = 0x6a; /* push 0 */ 3690 Replacement.ab[1] = 0x00; 3691 Replacement.ab[2] = 0x6a; /* push 0 */ 3692 Replacement.ab[3] = 0x00; 3693 Replacement.ab[4] = 0xe8; /* call near NtTerminateThread */ 3694 *(int32_t *)&Replacement.ab[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9)); 3695 Replacement.ab[9] = 0xcc; /* int3 */ 3696 Replacement.cb = 10; 3697 3698 #elif defined(RT_ARCH_ARM64) 3699 Replacement.au32[0] = Armv8A64MkInstrEor(ARMV8_A64_REG_X0, ARMV8_A64_REG_X0, ARMV8_A64_REG_X0); 3700 
Replacement.au32[1] = Armv8A64MkInstrEor(ARMV8_A64_REG_X1, ARMV8_A64_REG_X1, ARMV8_A64_REG_X1); 3701 intptr_t const offDisp = (intptr_t)pvNtTerminateThread - ((intptr_t)pvLdrInitThunk + 8); 3702 if (offDisp >= (int32_t)RT_BIT_32(25) || offDisp < -(int32_t)RT_BIT_32(25)) 3703 return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 3704 "supR3HardNtDisableThreadCreation: relative distance too large for BL: %p", offDisp); 3705 Replacement.au32[2] = Armv8A64MkInstrBl((int32_t)offDisp); 3706 Replacement.cb = 12; 3707 3420 3708 #else 3421 3709 # error "Unsupported arch." 3422 3710 #endif 3711 pBackup->cb = Replacement.cb; 3423 3712 3424 3713 /* … … 3426 3715 */ 3427 3716 PVOID pvProt = pvLdrInitThunk; 3428 SIZE_T cbProt = cbBackup;3717 SIZE_T cbProt = Replacement.cb; 3429 3718 ULONG fOldProt = 0; 3430 3719 rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt); … … 3433 3722 "supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt); 3434 3723 3435 rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, abReplacement, sizeof(abReplacement), &cbIgnored);3724 rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, Replacement.ab, Replacement.cb, &cbIgnored); 3436 3725 if (!NT_SUCCESS(rcNt)) 3437 3726 return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, … … 3439 3728 3440 3729 pvProt = pvLdrInitThunk; 3441 cbProt = cbBackup;3730 cbProt = pBackup->cb; 3442 3731 rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt); 3443 3732 if (!NT_SUCCESS(rcNt)) … … 3456 3745 * @param pvLdrInitThunk The address of the LdrInitializeThunk code to 3457 3746 * override. 3458 * @param p abBackupWhere to back up the original instruction bytes3747 * @param pBackup Where to back up the original instruction bytes 3459 3748 * at pvLdrInitThunk. 3460 * @param cbBackup The size of the backup area. Must be 16 bytes.3461 3749 * @param pErrInfo Where to return extended error information. 3462 3750 * Optional. 
3463 3751 */ 3464 static int supR3HardNtEnableThreadCreationEx(HANDLE hProcess, void *pvLdrInitThunk, uint8_t const *pabBackup, size_t cbBackup,3752 static int supR3HardNtEnableThreadCreationEx(HANDLE hProcess, void *pvLdrInitThunk, SUPR3HARDNTPATCH const *pBackup, 3465 3753 PRTERRINFO pErrInfo) 3466 3754 { 3467 3755 SUP_DPRINTF(("supR3HardNtEnableThreadCreationEx:\n")); 3468 SUPR3HARDENED_ASSERT( cbBackup == 16);3756 SUPR3HARDENED_ASSERT(pBackup->cb > 4); 3469 3757 3470 3758 PVOID pvProt = pvLdrInitThunk; 3471 SIZE_T cbProt = cbBackup;3759 SIZE_T cbProt = pBackup->cb; 3472 3760 ULONG fOldProt = 0; 3473 3761 NTSTATUS rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt); … … 3477 3765 3478 3766 SIZE_T cbIgnored; 3479 rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, p abBackup, cbBackup, &cbIgnored);3767 rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, pBackup->ab, pBackup->cb, &cbIgnored); 3480 3768 if (!NT_SUCCESS(rcNt)) 3481 3769 return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, … … 3484 3772 3485 3773 pvProt = pvLdrInitThunk; 3486 cbProt = cbBackup;3774 cbProt = pBackup->cb; 3487 3775 rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt); 3488 3776 if (!NT_SUCCESS(rcNt)) … … 3513 3801 (void *)(uintptr_t)&LdrInitializeThunk, 3514 3802 (void *)(uintptr_t)s_pfnNtTerminateThread, 3515 g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),3803 &g_LdrInitThunkSelfBackup, 3516 3804 NULL /* pErrInfo*/); 3517 3805 g_fSupInitThunkSelfPatched = RT_SUCCESS(rc); … … 3528 3816 int rc = supR3HardNtEnableThreadCreationEx(NtCurrentProcess(), 3529 3817 (void *)(uintptr_t)&LdrInitializeThunk, 3530 g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),3818 &g_LdrInitThunkSelfBackup, 3531 3819 RTErrInfoInitStatic(&g_ErrInfoStatic)); 3532 3820 if (RT_FAILURE(rc)) … … 4350 4638 * the process verification code ignores. 
4351 4639 */ 4352 uint8_t abNew[16];4353 memcpy( abNew, pbChildNtDllBits + ((uintptr_t)uLdrInitThunk - pThis->uNtDllAddr), sizeof(abNew));4640 SUPR3HARDNTPATCH New; 4641 memcpy(New.ab, pbChildNtDllBits + ((uintptr_t)uLdrInitThunk - pThis->uNtDllAddr), sizeof(New.ab)); 4354 4642 #ifdef RT_ARCH_AMD64 4355 abNew[0] = 0xff; 4356 abNew[1] = 0x25; 4357 *(uint32_t *)&abNew[2] = 0; 4358 *(uint64_t *)&abNew[6] = uEarlyProcInitEP; 4643 New.ab[0] = 0xff; /* jmp [addr wrt RIP] */ 4644 New.ab[1] = 0x25; 4645 *(uint32_t *)&New.ab[2] = 0; 4646 /* addr: */ 4647 *(uint64_t *)&New.ab[6] = uEarlyProcInitEP; 4648 New.cb = 6+8; 4649 4359 4650 #elif defined(RT_ARCH_X86) 4360 abNew[0] = 0xe9; 4361 *(uint32_t *)&abNew[1] = uEarlyProcInitEP - ((uint32_t)uLdrInitThunk + 5); 4651 New.ab[0] = 0xe9; /* jmp rel32 */ 4652 *(uint32_t *)&New.ab[1] = uEarlyProcInitEP - ((uint32_t)uLdrInitThunk + 5); 4653 New.cb = 5; 4654 4655 #elif defined(RT_ARCH_ARM64) 4656 /* LdrInitializeThunk: 4657 180088970: f81f0ff3 str x19, [sp, #-0x10]! 4658 180088974: a9bf7bfd stp x29, x30, [sp, #-0x10]! 
4659 180088978: 910003fd mov x29, sp 4660 18008897c: aa0003f3 mov x19, x0 4661 180088980: 94000006 bl 0x180088998 <LdrInitializeThunk+0x28> 4662 180088984: 52800021 mov w1, #0x1 // =1 4663 180088988: aa1303e0 mov x0, x19 4664 18008898c: 97fe67d5 bl 0x1800228e0 <ZwContinue> */ 4665 # if 0 4666 New.au32[0] = Armv8A64MkInstrMovZ(ARMV8_A64_REG_X16, uEarlyProcInitEP & 0xffff); 4667 New.au32[1] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X16, (uEarlyProcInitEP >> 16) & 0xffff, 1); 4668 New.au32[2] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X16, (uEarlyProcInitEP >> 24) & 0xffff, 2); 4669 New.au32[3] = Armv8A64MkInstrMovK(ARMV8_A64_REG_X16, (uEarlyProcInitEP >> 32) & 0xffff, 3); 4670 New.au32[4] = Armv8A64MkInstrBr(ARMV8_A64_REG_X16); 4671 New.cb = 20; 4672 # else 4673 New.au32[0] = Armv8A64MkInstrLdrLitteral(kArmv8A64InstrLdrLitteral_Dword, ARMV8_A64_REG_X16, 8); 4674 New.au32[1] = Armv8A64MkInstrBr(ARMV8_A64_REG_X16); 4675 New.au64[1] = uEarlyProcInitEP; 4676 New.cb = 16; 4677 # endif 4362 4678 #else 4363 4679 # error "Unsupported arch." 
… … 4368 4684 */ 4369 4685 PVOID pvProt = pvLdrInitThunk; 4370 SIZE_T cbProt = sizeof(abNew);4686 SIZE_T cbProt = New.cb; 4371 4687 ULONG fOldProt; 4372 4688 rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt); … … 4375 4691 "NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt); 4376 4692 4377 rcNt = NtWriteVirtualMemory(pThis->hProcess, pvLdrInitThunk, abNew, sizeof(abNew), &cbIgnored);4693 rcNt = NtWriteVirtualMemory(pThis->hProcess, pvLdrInitThunk, New.ab, New.cb, &cbIgnored); 4378 4694 if (!NT_SUCCESS(rcNt)) 4379 4695 supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt, … … 4381 4697 4382 4698 pvProt = pvLdrInitThunk; 4383 cbProt = sizeof(abNew);4699 cbProt = New.cb; 4384 4700 rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, fOldProt, &fOldProt); 4385 4701 if (!NT_SUCCESS(rcNt)) … … 4400 4716 #elif defined(RT_ARCH_X86) 4401 4717 DWORD *pPC = &Ctx.Eip; 4718 #elif defined(RT_ARCH_ARM64) 4719 DWORD64 *pPC = &Ctx.Pc; 4402 4720 #else 4403 4721 # error "Unsupported arch." … … 4479 4797 SUP_DPRINTF(("Warning! Misaligned RSP: %016RX64\n", Ctx.Rsp)); 4480 4798 #endif 4799 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) 4481 4800 if (Ctx.SegCs != ASMGetCS()) 4482 4801 SUP_DPRINTF(("Warning! Bogus CS: %04x, expected %04x\n", Ctx.SegCs, ASMGetCS())); … … 4499 4818 fUpdateContext = true; 4500 4819 } 4820 #endif 4501 4821 4502 4822 if (fUpdateContext) … … 4529 4849 /* Make ImageBaseAddress useless. */ 4530 4850 Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress ^ UINT32_C(0x5f139000)); 4531 #if def RT_ARCH_AMD644851 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_ARM64) 4532 4852 Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress | UINT64_C(0x0313000000000000)); 4533 4853 #endif -
trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp
r106061 r106893 48 48 #include <iprt/string.h> 49 49 #include <iprt/utf16.h> 50 #ifdef RT_ARCH_ARM64 51 # include <iprt/armv8.h> 52 #endif 50 53 51 54 #include "SUPLibInternal.h" … … 104 107 /** Assembly system call routine, type 1. */ 105 108 PFNRT pfnType1; 109 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) 106 110 /** Assembly system call routine, type 2. */ 107 111 PFNRT pfnType2; 112 #endif 108 113 #ifdef RT_ARCH_X86 109 114 /** The parameter size in bytes for a standard call. */ … … 177 182 extern PFNRT RT_CONCAT(g_pfn, a_Name); 178 183 #define SUPHARNT_IMPORT_STDCALL_EARLY_OPTIONAL(a_Name, a_cbParamsX86) SUPHARNT_IMPORT_STDCALL_EARLY(a_Name, a_cbParamsX86) 179 #define SUPHARNT_IMPORT_SYSCALL(a_Name, a_cbParamsX86) \ 184 #if defined(RT_ARCH_AMD64) || defined(RT_ARCH_X86) 185 # define SUPHARNT_IMPORT_SYSCALL(a_Name, a_cbParamsX86) \ 180 186 SUPHARNT_IMPORT_STDCALL_EARLY(a_Name, a_cbParamsX86) \ 181 187 extern uint32_t RT_CONCAT(g_uApiNo, a_Name); \ 182 188 extern FNRT RT_CONCAT(a_Name, _SyscallType1); \ 183 189 extern FNRT RT_CONCAT(a_Name, _SyscallType2); 190 #else 191 # define SUPHARNT_IMPORT_SYSCALL(a_Name, a_cbParamsX86) \ 192 SUPHARNT_IMPORT_STDCALL_EARLY(a_Name, a_cbParamsX86) \ 193 extern uint32_t RT_CONCAT(g_uApiNo, a_Name); \ 194 extern FNRT RT_CONCAT(a_Name, _Syscall); 195 #endif 184 196 #define SUPHARNT_IMPORT_STDCALL(a_Name, a_cbParamsX86) \ 185 197 extern PFNRT RT_CONCAT(g_pfn, a_Name); \ … … 235 247 # define SUPHARNT_IMPORT_SYSCALL(a_Name, a_cbParamsX86) \ 236 248 { &RT_CONCAT(g_uApiNo, a_Name), &RT_CONCAT(a_Name, _SyscallType1), &RT_CONCAT(a_Name, _SyscallType2) }, 249 250 #elif defined(RT_ARCH_ARM64) 251 # define SUPHARNT_IMPORT_STDCALL(a_Name, a_cbParamsX86) \ 252 { NULL, NULL }, 253 # define SUPHARNT_IMPORT_SYSCALL(a_Name, a_cbParamsX86) \ 254 { &RT_CONCAT(g_uApiNo, a_Name), &RT_CONCAT(a_Name, _Syscall) }, 255 237 256 #elif defined(RT_ARCH_X86) 238 257 # define SUPHARNT_IMPORT_STDCALL(a_Name, a_cbParamsX86) \ … … 240 259 # define 
SUPHARNT_IMPORT_SYSCALL(a_Name, a_cbParamsX86) \ 241 260 { &RT_CONCAT(g_uApiNo, a_Name), &RT_CONCAT(a_Name,_SyscallType1), &RT_CONCAT(a_Name, _SyscallType2), a_cbParamsX86 }, 261 262 #else 263 # error "port me" 242 264 #endif 243 265 #define SUPHARNT_IMPORT_STDCALL_OPTIONAL(a_Name, a_cbParamsX86) SUPHARNT_IMPORT_STDCALL(a_Name, a_cbParamsX86) … … 466 488 } 467 489 uintptr_t offSymbol = (uintptr_t)uValue - (uintptr_t)pDll->pbImageBase; 468 uint8_t const * pbFunction= &pbBits[offSymbol];490 uint8_t const * const pbFunction = &pbBits[offSymbol]; 469 491 470 492 /* … … 532 554 } 533 555 } 534 #else 556 557 #elif defined(RT_ARCH_X86) 535 558 /* Pattern #1: XP thru Windows 7 536 559 kd> u ntdll!NtCreateSection … … 595 618 } 596 619 } 620 621 #elif defined(RT_ARCH_ARM64) 622 /* Only pattern (W10-1709): 623 0000000180022950 <ZwCreateSection>: 624 180022950: d4000941 svc #0x4a 625 180022954: d65f03c0 ret 626 180022958: 00000000 udf #0x0 627 18002295c: 00000000 udf #0x0 */ 628 uint32_t const * const pu32Function = (uint32_t const *)pbFunction; 629 if ( pu32Function[1] == ARMV8_A64_INSTR_RET 630 && (pu32Function[0] & ~(UINT32_C(0xffff) << 5)) == UINT32_C(0xd0000001)) 631 { 632 *pSyscall->puApiNo = (pu32Function[0] >> 5) & UINT32_C(0xffff); 633 *pImport->ppfnImport = pSyscall->pfnType1; 634 return; 635 } 636 637 #else 638 # error "port me" 597 639 #endif 598 640
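Review bot: The ARM64 syscall-stub recogniser added at the bottom of this section cannot match a real `svc`: the comment just above it shows the opcode `d4000941 svc #0x4a`, and masking out the imm16 field (bits 5-20) of that word leaves `0xd4000001`, but the condition compares against `UINT32_C(0xd0000001)`. Because the test always fails, the `*pSyscall->puApiNo` assignment and the `_Syscall` routine wired up by the new ARM64 `SUPHARNT_IMPORT_SYSCALL` table entry are never used, and whatever code follows the `#endif` (outside the hunk) is what actually handles every ARM64 syscall import. The fix is the one constant: `&& (pu32Function[0] & ~(UINT32_C(0xffff) << 5)) == UINT32_C(0xd4000001))`. It would also be worth a comment noting that the `uint32_t const *` view of `pbFunction` assumes a 4-byte aligned export address, which is presumably always true for an arm64 function entry but is not checked here. The enclosing function starts and ends outside the hunk.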