1 /*
2 * kdd.c -- stub for debugging guest OSes with the windows kernel debugger.
3 *
4 * Tim Deegan <Tim.Deegan@citrix.com>
5 *
6 * Copyright (c) 2007-2010, Citrix Systems Inc.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <ctype.h>
35 #include <string.h>
36 #include <stdio.h>
37 #include <stdarg.h>
38 #include <stdlib.h>
39 #include <unistd.h>
40 #include <err.h>
41 #include <errno.h>
42 #include <inttypes.h>
43 #include <netdb.h>
44 #include <stddef.h>
45
46 #include <sys/socket.h>
47 #include <sys/types.h>
48 #include <sys/select.h>
49
50 #include <netinet/in.h>
51 #include <netinet/tcp.h>
52
53 #include "kdd.h"
54
55 /*
56 * TODO: kdd_os is a type which is used to represent os array. Adding a
57 * variable here would result in adding a new field to each element in array.
58 * However, since most of the fields are part of the same struct that we are
59 * trying to read from memory, we have added kddl to this structure. If
60 * required, we can possibly separate the kddl value to someplace else
61 *
62 * We also use kddl of size uint32_t which is actually used to represent the
63 * offset from image base rather than actual address
64 */
65 /* Windows version details */
66 typedef struct {
67 uint32_t build;
68 int w64;
69 int mp;
70 char *name;
71 uint64_t base; /* KernBase: start looking here */
72 uint32_t range; /* | and search an area this size */
73 uint32_t version; /* +-> NtBuildNumber */
74 uint32_t modules; /* +-> PsLoadedModuleList */
75 uint32_t prcbs; /* +-> KiProcessorBlock */
76 uint32_t kddl; /* +-> KdDebuggerList */
77 } kdd_os;
78
79 /* State of the debugger stub */
80 typedef struct {
81 union {
82 uint8_t txb[sizeof (kdd_pkt)]; /* Marshalling area for tx */
83 kdd_pkt txp; /* Also readable as a packet structure */
84 };
85 union {
86 uint8_t rxb[sizeof (kdd_pkt)]; /* Marshalling area for rx */
87 kdd_pkt rxp; /* Also readable as a packet structure */
88 };
89 unsigned int cur; /* Offset into rx where we'll put the next byte */
90 uint32_t next_id; /* ID of next packet we will send */
91 int running; /* Are the guest's processors active? */
92 int cpuid; /* Current selected CPU */
93 int fd; /* TCP socket for client comms */
94 FILE *log; /* For tracing output */
95 int verbosity; /* How much detail to trace */
96 kdd_guest *guest; /* Arch-specific state for guest control */
97 kdd_os os; /* OS-specific magic numbers */
98 } kdd_state;
99
100 /**
101 * @brief Structure to represent DBGKD_GET_VERSION64
102 *
103 * reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdbgexts/ns-wdbgexts-_dbgkd_get_version64
104 */
105 typedef struct {
106 uint16_t MajorVersion; /* usually 0xf for free build */
107 uint16_t MinorVersion; /* build number of target OS */
108 uint8_t ProtocolVersion; /* version of the debugger protocol */
109 uint8_t KdSecondaryVersion; /* secondary version number */
110 uint16_t Flags; /* set of bit flags for the current debugging session */
111 uint16_t MachineType; /* type of the target's processor */
112 uint8_t MaxPacketType; /* one plus the highest number for a debugger */
113 /* packet type recognized by the target */
114 uint8_t MaxStateChagne; /* one plus the highest number for a state */
115 /* change generated by the target */
116 uint8_t MaxManipulate; /* one more that the highest number, recognized */
117 /* by the target, for a command to manipulate the target */
118 uint8_t Simulation; /* indication if target is in simulated execution */
119 uint16_t Unused[1];
120 uint64_t KernBase; /* base address of the kernel image */
121 uint64_t PsLoadedModuleList; /* value of the kernel variable */
122 /* PsLoadedModuleList */
123 uint64_t DebuggerDataList; /* value of the kernel variable */
124 /* KdDebuggerDataBlock */
125 } PACKED DBGKD_GET_VERSION64;
126
127 /**
128 * @brief Structure to represent the section in PE headers
129 *
130 * reference: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#section-table-section-headers
131 */
132 typedef struct {
133 uint8_t Name[8]; /* name of section */
134 uint32_t VirtualSize; /* total size of section in memory */
135 uint32_t VirtualAddr; /* offset from image base */
136 uint32_t SizeOfRawData; /* size of section in for object files */
137 uint32_t PointerToRawData; /* file pointer to first page in COFF */
138 uint32_t PointerToRelocations; /* file pointer to beginning of relocation entry */
139 uint32_t PointerToLinenumbers; /* file pointer to the beginning of line-number entries */
140 uint16_t NumberOfRelocations; /* number of relocation entries for the section */
141 uint16_t NumberOfLinenumbers; /* number of line-number entries for the section */
142 uint32_t Characteristics; /* flags that describe the characteristics of the section */
143 } PACKED PE_SECTION_ENTRY;
144
145 /**
146 * @brief Size of pointer on 64 machine
147 */
148 #define SIZE_PTR64 8
149
150 /**
151 * @brief Size of pointer on 32 machine
152 */
153 #define SIZE_PTR32 4
154
155
156 /*****************************************************************************
157 * PE and DOS Header related offsets
158 */
159
160 /**
161 * @brief Offset in DOS header to look for PE header
162 */
163 #define DOS_HDR_PE_OFF 0x3c
164
165 /**
166 * @brief Size of PE header offset field in DOS header
167 */
168 #define DOS_HDR_PE_SZ 4
169
170 /**
171 * @brief Offset of number of sections field in PE header
172 */
173 #define PE_NUM_SECTION_OFF 0x6
174
175 /**
176 * @brief Size of number of sections field in PE header
177 */
178 #define PE_NUM_SECTION_SZ 2
179
180 /**
181 * @brief Offset of optional header size field in PE header
182 */
183 #define PE_OPT_HDR_SZ_OFF 0x14
184
185 /**
186 * @brief Size of optional header size field in PE header
187 */
188 #define PE_OPT_HDR_SZ_SZ 2
189
190 /**
191 * @brief Size of PE header
192 */
193 #define PE_HDR_SZ 0x18
194
195 /**
196 * @brief MZ header
197 */
198 #define MZ_HEADER 0x5a4d
199
200 /**
201 * @brief Limit on the number of sections to look for while iterating through
202 * PE sections
203 */
204 #define NUM_SECT_LIMIT 100
205
206 /**
207 * @brief Major Version for the DBGKD_GET_VERSION64 structure
208 */
209 #define NT_MAJOR_VERSION 0xf
210
211 /*****************************************************************************
212 * Utility functions
213 */
214
215 /* Get the instruction pointer */
kdd_get_ip(kdd_state * s)216 static uint64_t kdd_get_ip(kdd_state *s)
217 {
218 kdd_regs r;
219 if (!s->os.w64 && kdd_get_regs(s->guest, s->cpuid, &r, 0) == 0)
220 return r.r32.eip;
221 else if (s->os.w64 && kdd_get_regs(s->guest, s->cpuid, &r, 1) == 0)
222 return r.r64.rip;
223 else
224 return -1ULL;
225 }
226
227 /* Turn write(2) into a proper blocking write. */
blocking_write(int fd,const void * buf,size_t count)228 static size_t blocking_write(int fd, const void *buf, size_t count)
229 {
230 size_t left = count;
231 ssize_t r;
232 while (left > 0 && ((r = write(fd, buf, left)) >= 0 || errno == EINTR)) {
233 buf += r;
234 left -= r;
235 }
236 return count - left;
237 }
238
239 /* Dump the contents of a complete serial packet into a log file. */
kdd_log_pkt(kdd_state * s,char * name,kdd_pkt * p)240 static void kdd_log_pkt(kdd_state *s, char *name, kdd_pkt *p)
241 {
242 uint32_t sum = 0;
243 unsigned int i, j;
244 uint8_t ascii[17] = {0};
245 FILE *f = s->log;
246
247 if (s->verbosity < 2)
248 return;
249
250 /* Re-check the checksum */
251 for (i = 0; i < p->h.len; i++)
252 sum += p->payload[i];
253
254 fprintf(f, "\n"
255 "%s: %s type 0x%4.4"PRIx16" len 0x%4.4"PRIx16
256 " id 0x%8.8"PRIx32" sum 0x%"PRIx32" (%s: 0x%"PRIx32")\n",
257 name,
258 p->h.dir == KDD_DIR_PKT ? "pkt" :
259 p->h.dir == KDD_DIR_ACK ? "ack" : "???",
260 (unsigned) p->h.type, p->h.len, p->h.id, p->h.sum,
261 sum == p->h.sum ? "OK" : "BAD", sum);
262
263 /* Hexdump the payload in "canonical" format*/
264 for (i = 0; i < p->h.len; i ++) {
265 if (i % 16 == 0) {
266 memset(ascii, 0, 17);
267 fprintf(f, "%8.8x ", i);
268 } else if (i % 8 == 0)
269 fprintf(f, " ");
270 fprintf(f, " %2.2x", p->payload[i]);
271 ascii[i % 16] = (isprint(((int)p->payload[i])) ? p->payload[i] : 0x2e);
272 if (i % 16 == 15)
273 fprintf(f, " |%s|\n", ascii);
274 }
275 if (i % 16 != 0) {
276 for (j = i % 16 ; j < 16; j++) {
277 fprintf(f, "%s", (j == 8) ? " " : " ");
278 }
279 fprintf(f, " |%s|\n%8.8x\n", ascii, i);
280 }
281
282 fprintf(f, "\n");
283 (void) fflush(f);
284 }
285
286
287 /*****************************************************************************
288 * Memory access: virtual addresses and syntactic sugar.
289 */
290
291 #define PAGE_SHIFT (12)
292 #define PAGE_SIZE (1ULL << PAGE_SHIFT)
293
kdd_read_physical(kdd_state * s,uint64_t addr,uint32_t len,void * buf)294 static uint32_t kdd_read_physical(kdd_state *s, uint64_t addr,
295 uint32_t len, void *buf)
296 {
297 return kdd_access_physical(s->guest, addr, len, buf, 0);
298 }
299
kdd_write_physical(kdd_state * s,uint64_t addr,uint32_t len,void * buf)300 static uint32_t kdd_write_physical(kdd_state *s, uint64_t addr,
301 uint32_t len, void *buf)
302 {
303 return kdd_access_physical(s->guest, addr, len, buf, 1);
304 }
305
306
307 /* VA->PA conversion. Returns -1ULL for failure. */
v2p(kdd_state * s,int cpuid,uint64_t va)308 static uint64_t v2p(kdd_state *s, int cpuid, uint64_t va)
309 {
310 int pg, pae, pse, lma;
311 int levels, width, bits, shift, offset, i;
312 uint64_t efer, entry = 0, mask, pa;
313 kdd_ctrl ctrl;
314
315 if (kdd_get_ctrl(s->guest, cpuid, &ctrl, s->os.w64) != 0
316 || kdd_rdmsr(s->guest, cpuid, 0xc0000080, &efer) != 0)
317 return -1ULL;
318
319 if (s->os.w64) {
320 pg = !!(ctrl.c64.cr0 & 0x80000000);
321 lma = !!(efer & 0x00000400);
322 pae = !!(ctrl.c64.cr4 & 0x00000020);
323 pse = !!(ctrl.c64.cr4 & 0x00000010) || pae || lma;
324 pa = ctrl.c64.cr3 & ~0x0fULL;
325 } else {
326 pg = !!(ctrl.c32.cr0 & 0x80000000);
327 pae = !!(ctrl.c32.cr4 & 0x00000020);
328 lma = 0;
329 pse = !!(ctrl.c32.cr4 & 0x00000010) || pae;
330 pa = ctrl.c32.cr3 & ~0x0fULL;
331 }
332 KDD_DEBUG(s, "w64 = %u, pg = %u, pae = %u, pse = %u, lma = %u\n",
333 s->os.w64, pg, pae, pse, lma);
334
335 /* Paging disabled? */
336 if (!pg)
337 return va;
338
339 /* 32/PAE64? */
340 if (lma) {
341 va &= (1ULL<<48) - 1;
342 width = 8; levels = 4; bits = 9;
343 } else {
344 va &= (1ULL<<32) - 1;
345 if (pae) {
346 width = 8; levels = 3; bits = 9;
347 } else {
348 width = 4; levels = 2; bits = 10;
349 }
350 }
351 KDD_DEBUG(s, "%i levels, va 0x%16.16"PRIx64"\n", levels, va);
352
353 /* Walk the appropriate number of levels */
354 for (i = levels; i > 0; i--) {
355 shift = PAGE_SHIFT + bits * (i-1);
356 mask = ((1ULL << bits) - 1) << shift;
357 offset = ((va & mask) >> shift) * width;
358 KDD_DEBUG(s, "level %i: mask 0x%16.16"PRIx64" pa 0x%16.16"PRIx64
359 " offset %i\n",i, mask, pa, offset);
360 if (kdd_read_physical(s, pa + offset, width, &entry) != width)
361 return -1ULL; // Bad entry PA
362 KDD_DEBUG(s, "level %i: entry 0x%16.16"PRIx64"\n", i, entry);
363 if (!(entry & 0x1))
364 return -1ULL; // Not present
365 pa = entry & 0x000ffffffffff000ULL;
366 if (pse && (i == 2) && (entry & 0x80)) { // Superpage
367 mask = ((1ULL << (PAGE_SHIFT + bits)) - 1);
368 return (pa & ~mask) + (va & mask);
369 }
370 }
371
372 return pa + (va & (PAGE_SIZE - 1));
373 }
374
kdd_access_virtual(kdd_state * s,int cpuid,uint64_t addr,uint32_t len,void * buf,int write)375 static uint32_t kdd_access_virtual(kdd_state *s, int cpuid, uint64_t addr,
376 uint32_t len, void *buf, int write)
377 {
378 uint64_t pa;
379 uint32_t chunk, rv, done = 0;
380
381 /* Process one page at a time */
382 while (len > 0) {
383 chunk = PAGE_SIZE - (addr & (PAGE_SIZE - 1));
384 if (chunk > len)
385 chunk = len;
386 pa = v2p(s, cpuid, addr);
387 KDD_DEBUG(s, "va 0x%"PRIx64" -> pa 0x%"PRIx64"\n", addr, pa);
388 if (pa == (uint64_t) -1ULL)
389 return done;
390 rv = kdd_access_physical(s->guest, pa, chunk, buf, write);
391 done += rv;
392 if (rv != chunk)
393 return done;
394 addr += chunk;
395 buf += chunk;
396 len -= chunk;
397 }
398 return done;
399 }
400
kdd_read_virtual(kdd_state * s,int cpuid,uint64_t addr,uint32_t len,void * buf)401 static uint32_t kdd_read_virtual(kdd_state *s, int cpuid, uint64_t addr,
402 uint32_t len, void *buf)
403 {
404 return kdd_access_virtual(s, cpuid, addr, len, buf, 0);
405 }
406
kdd_write_virtual(kdd_state * s,int cpuid,uint64_t addr,uint32_t len,void * buf)407 static uint32_t kdd_write_virtual(kdd_state *s, int cpuid, uint64_t addr,
408 uint32_t len, void *buf)
409 {
410 return kdd_access_virtual(s, cpuid, addr, len, buf, 1);
411 }
412
413
414 /*****************************************************************************
415 * Version information and related runes for different Windows flavours
416 */
417
418 static kdd_os os[] = {
419 /* Build 64 MP Name &Kernel search base Range +Version +Modules +PRCBs (64b) +KDDL */
420 {2195, 0, 0, "w2k sp4 x32 UP", 0xffffffff80400000ULL, 0x00000000, 0x0006d57c, 0x0006e1b8, 0x0, 0},
421 {2195, 0, 1, "w2k sp4 x32 SMP", 0xffffffff80400000ULL, 0x00000000, 0x0006fa1c, 0x00084520, 0x0, 0},
422 // PAE/UP, PAE/SMP
423
424 {2600, 0, 0, "xp sp2 x32 UP", 0xffffffff804d7000ULL, 0x00000000, 0x00075568, 0x00083b20, 0x0, 0},
425 {2600, 0, 1, "xp sp2 x32 SMP", 0xffffffff804d7000ULL, 0x00000000, 0x0007d0e8, 0x0008d4a0, 0x0, 0},
426 // PAE/UP, PAE/SMP
427
428 {2600, 0, 0, "xp sp3 x32 UP", 0xffffffff804d7000ULL, 0x00000000, 0x00075be8, 0x000841c0, 0x0, 0},
429 {2600, 0, 1, "xp sp3 x32 SMP", 0xffffffff804d7000ULL, 0x00000000, 0x0007c0e8, 0x0008c4c0, 0x0, 0},
430 {2600, 0, 0, "xp sp3 x32p UP", 0xffffffff804d7000ULL, 0x00000000, 0x0006e8e8, 0x0007cfc0, 0x0, 0},
431 {2600, 0, 1, "xp sp3 x32p SMP", 0xffffffff804d7000ULL, 0x00000000, 0x000760e8, 0x00086720, 0x0, 0},
432
433 {3790, 0, 0, "w2k3 sp2 x32 UP", 0xffffffff80800000ULL, 0x00000000, 0x00097128, 0x000a8e48, 0x0, 0},
434 {3790, 0, 1, "w2k3 sp2 x32 SMP", 0xffffffff80800000ULL, 0x00000000, 0x0009d128, 0x000af9c8, 0x0, 0},
435 {3790, 0, 0, "w2k3 sp2 x32p UP", 0xffffffff80800000ULL, 0x00000000, 0x0008e128, 0x0009ffa8, 0x0, 0},
436 {3790, 0, 1, "w2k3 sp2 x32p SMP", 0xffffffff80800000ULL, 0x00000000, 0x00094128, 0x000a6ea8, 0x0, 0},
437 {3790, 1, 0, "w2k3 sp2 x64 UP", 0xfffff80001000000ULL, 0x00000000, 0x001765d0, 0x0019aae0, 0x0017b100, 0},
438 {3790, 1, 1, "w2k3 sp2 x64 SMP", 0xfffff80001000000ULL, 0x00000000, 0x001b05e0, 0x001d5100, 0x001b5300, 0},
439
440 {6000, 0, 1, "vista sp0 x32p", 0xffffffff81800000ULL, 0x00000000, 0x000a4de4, 0x00111db0, 0x0, 0},
441 {6001, 0, 1, "vista sp1 x32p", 0xffffffff81000000ULL, 0x0f000000, 0x000af0c4, 0x00117c70, 0x0, 0},
442
443 {6001, 1, 1, "w2k8 sp0 x64", 0xfffff80001000000ULL, 0x0f000000, 0x00140bf0, 0x001c5db0, 0x00229640, 0},
444
445 {7600, 1, 1, "win7 sp0 x64", 0xfffff80001000000ULL, 0x0f000000, 0x001af770, 0x0023de50, 0x002a8900, 0},
446
447 {7601, 0, 1, "win7 sp1 x32p", 0xffffffff81800000ULL, 0x0f000000, 0x000524c4, 0x00149850, 0x0, 0},
448 {7601, 1, 1, "win7 sp1 x64", 0xfffff80001000000ULL, 0x0f000000, 0x001b2770, 0x00240e90, 0x002ab900, 0},
449 };
450
451 // 1381, 0, 0, "NT4 sp?", 0xffffffff80100000, ?, ?
452
453 static kdd_os unknown_os = {0, 0, 0, "unknown OS", 0, 0, 0, 0, 0, 0};
454
check_os(kdd_state * s)455 static int check_os(kdd_state *s)
456 {
457 kdd_os *v = &s->os;
458 uint64_t addr, val;
459 uint32_t width;
460 int i;
461
462 /* Kernel address must be a DOS executable */
463 val = 0;
464 if (kdd_read_virtual(s, 0, v->base, 2, &val) != 2 || val != 0x5a4d) {
465 KDD_DEBUG(s, "not %s: krnl 0x%"PRIx64"\n", v->name, val);
466 return 0;
467 }
468
469 /* OS version must match. */
470 val = 0;
471 if (kdd_read_virtual(s, 0, v->base + v->version, 4, &val) != 4
472 || val != (v->build | 0xf0000000) ) {
473 KDD_DEBUG(s, "not %s: version 0x%"PRIx64"\n", v->name, val);
474 return 0;
475 }
476
477 /* Module list address must be a circular linked list */
478 addr = v->base + v->modules;
479 val = 0;
480 width = v->w64 ? 8 : 4;
481 for (i = 0; val != v->base + v->modules && i < 250; i++) {
482 val = 0;
483 if (kdd_read_virtual(s, 0, addr, width, &val) != width) {
484 KDD_DEBUG(s, "not %s: bad module list\n", v->name);
485 return 0;
486 }
487 addr = val;
488 }
489
490 return 1;
491 }
492
493 /**
494 * @brief Parse the memory at \a filebase as a valid DOS header and get virtual
495 * address offset and size for any given section name (if it exists)
496 *
497 * @param s Pointer to the kdd_state structure
498 * @param filebase Base address of the file structure
499 * @param sectname Pointer to the section name c-string to look for
500 * @param vaddr Pointer to write the virtual address of section start to
501 * (if found)
502 * @param visze Pointer to write the section size to (if found)
503 *
504 * @return -1 on failure to find the section name
505 * @return 0 on success
506 */
get_pe64_sections(kdd_state * s,uint64_t filebase,char * sectname,uint64_t * vaddr,uint32_t * vsize)507 static int get_pe64_sections(kdd_state *s, uint64_t filebase, char *sectname,
508 uint64_t *vaddr, uint32_t *vsize)
509 {
510 uint64_t pe_hdr = 0;
511 uint64_t sect_start = 0;
512 uint16_t num_sections = 0;
513 uint16_t opt_hdr_sz = 0;
514 PE_SECTION_ENTRY pe_sect;
515
516 if (!s->os.w64)
517 return -1;
518
519 /* read PE header offset */
520 if (kdd_read_virtual(s, s->cpuid, filebase + DOS_HDR_PE_OFF, DOS_HDR_PE_SZ,
521 &pe_hdr) != DOS_HDR_PE_SZ)
522 return -1;
523
524 pe_hdr += filebase;
525
526 /* read number of sections */
527 if (kdd_read_virtual(s, s->cpuid, pe_hdr + PE_NUM_SECTION_OFF,
528 PE_NUM_SECTION_SZ, &num_sections) != PE_NUM_SECTION_SZ)
529 return -1;
530
531 /* read number of section upto a limit */
532 if (num_sections > NUM_SECT_LIMIT)
533 num_sections = NUM_SECT_LIMIT;
534
535 /* read size of optional header */
536 if (kdd_read_virtual(s, s->cpuid, pe_hdr + PE_OPT_HDR_SZ_OFF,
537 PE_OPT_HDR_SZ_SZ, &opt_hdr_sz) != PE_OPT_HDR_SZ_SZ)
538 return -1;
539
540 /* 0x18 is the size of PE header */
541 sect_start = pe_hdr + PE_HDR_SZ + opt_hdr_sz;
542
543 for (int i = 0; i < num_sections; i++) {
544 if (kdd_read_virtual(s, s->cpuid, sect_start + (i * sizeof(pe_sect)),
545 sizeof(pe_sect), &pe_sect) != sizeof(pe_sect))
546 return -1;
547
548 if (!strncmp(sectname, (char *)pe_sect.Name, sizeof(pe_sect.Name))) {
549 *vaddr = filebase + pe_sect.VirtualAddr;
550 *vsize = pe_sect.VirtualSize;
551 return 0;
552 }
553 }
554
555 return -1;
556 }
557
558 /**
559 * @brief Get the OS information like base address, minor version,
560 * PsLoadedModuleList and DebuggerDataList (basically the fields of
561 * DBGKD_GET_VERSION64 struture required to do handshake?).
562 *
563 * This is done by reading the IDT entry for divide-by-zero exception and
564 * searching back into the memory for DOS header (which is our kernel base).
565 * Once we have the kernel base, we parse the PE header and look for kernel
566 * base address in the .data section. Once we have possible values, we look for
567 * DBGKD_GET_VERSION64 block by using following heuristics on the address which
568 * has the kernel base:
569 *
570 * - at address [-0x10], it should have 0xf as the MajorVersion
571 * - at address [+0x8], it should have a valid kernel memory address pointing
572 * in .data
573 * - at address [+0x10], it should have a valid kernel memory address pointing
574 * in .data
575 *
576 * @param s Pointer to the kdd state
577 */
get_os_info_64(kdd_state * s)578 static void get_os_info_64(kdd_state *s)
579 {
580 kdd_ctrl ctrl;
581 int ret;
582 uint64_t buf;
583 uint64_t idt0_addr;
584 uint64_t base;
585 uint64_t caddr;
586 uint64_t data_base;
587 uint32_t data_size;
588 uint64_t modptr = 0;
589 uint64_t kddl = 0;
590 uint16_t minor = 0;
591 uint64_t dbgkd_addr;
592 DBGKD_GET_VERSION64 dbgkd_get_version64;
593 /* Maybe 1GB is too big for the limit to search? */
594 uint32_t search_limit = (1024 * 1024 * 1024) / PAGE_SIZE; /*1GB/PageSize*/
595 uint64_t efer;
596
597 /* if we are not in 64-bit mode, fail */
598 if (kdd_rdmsr(s->guest, s->cpuid, 0xc0000080, &efer) || !(efer & (1 << 8)))
599 goto fail;
600
601 s->os.w64 = 1;
602
603 /* get control registers for our os */
604 ret = kdd_get_ctrl(s->guest, s->cpuid, &ctrl, s->os.w64);
605 if (ret)
606 goto fail;
607
608 /* read the div-by-zero handler function address */
609 kdd_read_virtual(s, s->cpuid, ctrl.c64.idt_base + 8, 8, &buf);
610 idt0_addr = ((uint64_t)buf << 32) & 0xffffffff00000000;
611
612 kdd_read_virtual(s, s->cpuid, ctrl.c64.idt_base, 8, &buf);
613 idt0_addr |= ((buf >> 32) & 0xffff0000);
614 idt0_addr |= (buf & 0xffff);
615
616 KDD_LOG(s, "idt0 addr: 0x%"PRIx64"\n", idt0_addr);
617
618 /*
619 * get the page start and look for "MZ" file header - we limit the search
620 * in 1GB range above the current page base address
621 */
622
623 base = idt0_addr & ~(PAGE_SIZE - 1);
624
625 while (search_limit) {
626 uint16_t val;
627 if (kdd_read_virtual(s, s->cpuid, base, 2, &val) != 2) {
628 /* just move going back?? this is bad though */
629 KDD_LOG(s, "ran into unmapped region without finding PE header\n");
630 goto fail;
631 }
632
633 if (val == MZ_HEADER) // MZ
634 break;
635
636 base -= PAGE_SIZE;
637 search_limit -= 1;
638 }
639
640 KDD_LOG(s, "base: 0x%"PRIx64"\n", base);
641
642 /* found the data section start */
643 if (get_pe64_sections(s, base, ".data", &data_base, &data_size))
644 goto fail;
645
646 /* look for addresses which has kernel base written into it */
647 caddr = data_base;
648
649 search_limit = (1024 * 1024 * 512) / SIZE_PTR64;
650 while (caddr < data_base + data_size && search_limit) {
651 if (kdd_read_virtual(s, s->cpuid, caddr, SIZE_PTR64, &buf) !=
652 SIZE_PTR64)
653 goto fail; /* reached end and found nothing */
654
655 /* if we found base in the memory addresses */
656 if (buf == base) {
657 /* read the DBGKD_GET_VERSION64 struct */
658 dbgkd_addr = caddr - offsetof(DBGKD_GET_VERSION64, KernBase);
659 if (kdd_read_virtual(s, s->cpuid, dbgkd_addr,
660 sizeof(DBGKD_GET_VERSION64), &dbgkd_get_version64) ==
661 sizeof(DBGKD_GET_VERSION64)) {
662 /* check if major version is 0xf */
663 if (dbgkd_get_version64.MajorVersion == NT_MAJOR_VERSION) {
664
665 /* read minor version, PsLoadedModuleList pointer and
666 * DebuggerDataList
667 */
668 modptr = dbgkd_get_version64.PsLoadedModuleList;
669 kddl = dbgkd_get_version64.DebuggerDataList;
670 minor = dbgkd_get_version64.MinorVersion;
671
672 /* do heuristic check */
673 if (modptr && kddl && modptr != kddl && kddl != base &&
674 base != modptr && modptr >= data_base &&
675 modptr < (data_base + data_size) &&
676 kddl >= data_base &&
677 kddl < (data_base + data_size))
678 break;
679 }
680 }
681
682 }
683
684 caddr += SIZE_PTR64;
685 search_limit -= 1;
686 }
687
688 if (caddr < data_base + data_size) {
689 /* if found, set the field and return */
690
691 KDD_LOG(s, "base: 0x%"PRIx64"\n", base);
692 KDD_LOG(s, "modules list: 0x%"PRIx64"\n", modptr);
693 KDD_LOG(s, "kddl: 0x%"PRIx64"\n", kddl);
694 KDD_LOG(s, "minor version: 0x%hx\n", minor);
695
696 s->os.base = base;
697 s->os.modules = modptr - base;
698 s->os.kddl = kddl - base;
699 s->os.build = (uint32_t) minor;
700 return;
701 }
702
703 fail:
704 s->os = unknown_os;
705 }
706
707 /* Figure out what OS we're dealing with */
find_os(kdd_state * s)708 static void find_os(kdd_state *s)
709 {
710 int i;
711 uint64_t limit;
712
713 /* We may already have the right one */
714 if (check_os(s))
715 return;
716
717 /* Try each OS we know about */
718 for (i = 0; i < (sizeof os / sizeof os[0]); i++) {
719 s->os = os[i];
720 /* Try each page in the potential range of kernel load addresses */
721 for (limit = s->os.base + s->os.range;
722 s->os.base <= limit;
723 s->os.base += PAGE_SIZE)
724 if (check_os(s))
725 return;
726 }
727
728 get_os_info_64(s);
729 }
730
731
732 /*****************************************************************************
733 * How to send packets and acks.
734 */
735
736
737 /* Send a serial packet */
kdd_tx(kdd_state * s)738 static void kdd_tx(kdd_state *s)
739 {
740 uint32_t sum = 0;
741 size_t len;
742 int i;
743
744 /* Fix up the checksum before we send */
745 for (i = 0; i < s->txp.h.len; i++)
746 sum += s->txp.payload[i];
747 s->txp.h.sum = sum;
748
749 kdd_log_pkt(s, "TX", &s->txp);
750
751 len = s->txp.h.len + sizeof (kdd_hdr);
752 if (s->txp.h.dir == KDD_DIR_PKT)
753 /* Append the mysterious 0xaa byte to each packet */
754 s->txb[len++] = 0xaa;
755
756 (void) blocking_write(s->fd, s->txb, len);
757 }
758
759
760 /* Send an acknowledgement to the client */
kdd_send_ack(kdd_state * s,uint32_t id,uint16_t type)761 static void kdd_send_ack(kdd_state *s, uint32_t id, uint16_t type)
762 {
763 s->txp.h.dir = KDD_DIR_ACK;
764 s->txp.h.type = type;
765 s->txp.h.len = 0;
766 s->txp.h.id = id;
767 s->txp.h.sum = 0;
768 kdd_tx(s);
769 }
770
771 /* Send a command_packet to the client */
kdd_send_cmd(kdd_state * s,uint32_t subtype,size_t extra)772 static void kdd_send_cmd(kdd_state *s, uint32_t subtype, size_t extra)
773 {
774 s->txp.h.dir = KDD_DIR_PKT;
775 s->txp.h.type = KDD_PKT_CMD;
776 s->txp.h.len = sizeof (kdd_cmd) + extra;
777 s->txp.h.id = (s->next_id ^= 1);
778 s->txp.h.sum = 0;
779 s->txp.cmd.subtype = subtype;
780 kdd_tx(s);
781 }
782
783 /* Cause the client to print a string */
kdd_send_string(kdd_state * s,char * fmt,...)784 static void kdd_send_string(kdd_state *s, char *fmt, ...)
785 {
786 uint32_t len = 0xffff - sizeof (kdd_msg);
787 char *buf = (char *) s->txb + sizeof (kdd_hdr) + sizeof (kdd_msg);
788 va_list ap;
789
790 va_start(ap, fmt);
791 len = vsnprintf(buf, len, fmt, ap);
792 va_end(ap);
793
794 s->txp.h.dir = KDD_DIR_PKT;
795 s->txp.h.type = KDD_PKT_MSG;
796 s->txp.h.len = sizeof (kdd_msg) + len;
797 s->txp.h.id = (s->next_id ^= 1);
798 s->txp.h.sum = 0;
799 s->txp.msg.subtype = KDD_MSG_PRINT;
800 s->txp.msg.length = len;
801 kdd_tx(s);
802 }
803
804
805 /* Stop the guest and prepare for debugging */
kdd_break(kdd_state * s)806 static void kdd_break(kdd_state *s)
807 {
808 uint16_t ilen;
809 KDD_LOG(s, "Break\n");
810
811 if (s->running)
812 kdd_halt(s->guest);
813 s->running = 0;
814
815 {
816 unsigned int i;
817 /* XXX debug pattern */
818 for (i = 0; i < 0x100 ; i++)
819 s->txb[sizeof (kdd_hdr) + i] = i;
820 }
821
822 /* Send a state-change message to the client so it knows we've stopped */
823 s->txp.h.dir = KDD_DIR_PKT;
824 s->txp.h.type = KDD_PKT_STC;
825 s->txp.h.len = sizeof (kdd_stc);
826 s->txp.h.id = (s->next_id ^= 1);
827 s->txp.stc.subtype = KDD_STC_STOP;
828 s->txp.stc.stop.cpu = s->cpuid;
829 s->txp.stc.stop.ncpus = kdd_count_cpus(s->guest);
830 s->txp.stc.stop.kthread = 0; /* Let the debugger figure it out */
831 s->txp.stc.stop.status = KDD_STC_STATUS_BREAKPOINT;
832 s->txp.stc.stop.rip1 = s->txp.stc.stop.rip2 = kdd_get_ip(s);
833 s->txp.stc.stop.nparams = 0;
834 s->txp.stc.stop.first_chance = 1;
835 ilen = kdd_read_virtual(s, s->cpuid, s->txp.stc.stop.rip1,
836 sizeof s->txp.stc.stop.inst, s->txp.stc.stop.inst);
837 s->txp.stc.stop.ilen = ilen;
838 /* XXX other fields */
839
840 kdd_tx(s);
841 }
842
843 /* Handle an acknowledgement received from the client */
kdd_handle_ack(kdd_state * s,uint32_t id,uint16_t type)844 static void kdd_handle_ack(kdd_state *s, uint32_t id, uint16_t type)
845 {
846 switch (type) {
847 case KDD_ACK_OK:
848 case KDD_ACK_BAD:
849 break;
850 case KDD_ACK_RST:
851 if (id == 0) {
852 KDD_LOG(s, "Client requests a reset\n");
853 kdd_send_ack(s, 0xdeadbeef, KDD_ACK_RST);
854 kdd_send_string(s, "[kdd: connected to %s]\r\n",
855 kdd_guest_identify(s->guest));
856 kdd_break(s);
857 }
858 break;
859 default:
860 KDD_LOG(s, "Unhandled ACK type 0x%4.4x\n", type);
861 break;
862 }
863 }
864
865 /*****************************************************************************
866 * Handlers for each kind of client packet
867 */
868
869
870 /* Handle the initial handshake */
kdd_handle_handshake(kdd_state * s)871 static void kdd_handle_handshake(kdd_state *s)
872 {
873 /* Figure out what we're looking at */
874 find_os(s);
875
876 kdd_send_string(s, "[kdd: %s @0x%"PRIx64"]\r\n", s->os.name, s->os.base);
877
878 /* Respond with some details about the debugger stub we simulate */
879 s->txp.cmd.shake.u1 = 0x01010101;
880 s->txp.cmd.shake.status = KDD_STATUS_SUCCESS;
881 s->txp.cmd.shake.u2 = 0x02020202;
882 s->txp.cmd.shake.v_major = NT_MAJOR_VERSION;
883 s->txp.cmd.shake.v_minor = s->os.build;
884 s->txp.cmd.shake.proto = 6;
885 s->txp.cmd.shake.flags = (0x02 /* ??? */
886 | (s->os.mp ? KDD_FLAGS_MP : 0)
887 | (s->os.w64 ? KDD_FLAGS_64 : 0));
888 s->txp.cmd.shake.machine = s->os.w64 ? KDD_MACH_x64 : KDD_MACH_x32;
889 s->txp.cmd.shake.pkts = KDD_PKT_MAX;
890 s->txp.cmd.shake.states = 0xc; /* ??? */
891 s->txp.cmd.shake.manips = 0x2e; /* ??? */
892 s->txp.cmd.shake.u3[0] = 0x33;
893 s->txp.cmd.shake.u3[1] = 0x44;
894 s->txp.cmd.shake.u3[2] = 0x55;
895 s->txp.cmd.shake.kern_addr = s->os.base;
896 s->txp.cmd.shake.mods_addr = s->os.base + s->os.modules;
897 s->txp.cmd.shake.data_addr = s->os.kddl ? s->os.base + s->os.kddl : 0;
898
899 KDD_LOG(s, "Client initial handshake: %s\n", s->os.name);
900 kdd_send_cmd(s, KDD_CMD_SHAKE, 0);
901 }
902
903 /* Handle set-cpu command */
kdd_handle_setcpu(kdd_state * s)904 static void kdd_handle_setcpu(kdd_state *s)
905 {
906 KDD_LOG(s, "Switch to CPU %u\n", s->rxp.cmd.setcpu.cpu);
907
908 /* This command doesn't get a direct response; instead we send a STOP. */
909 s->cpuid = s->rxp.cmd.setcpu.cpu;
910 kdd_break(s);
911
912 /* XXX find out whether kd will be happier if we respond to this command after the break. */
913 }
914
915 /* Handle breakpoint commands */
kdd_handle_soft_breakpoint(kdd_state * s)916 static void kdd_handle_soft_breakpoint(kdd_state *s)
917 {
918 KDD_LOG(s, "Soft breakpoint %#"PRIx32" op %#"PRIx32"/%#"PRIx32"\n",
919 s->rxp.cmd.sbp.bp, s->rxp.cmd.sbp.u1, s->rxp.cmd.sbp.u2);
920
921 /* Pretend we did something */
922 s->txp.cmd.sbp.u1 = s->rxp.cmd.sbp.u1;
923 s->txp.cmd.sbp.status = KDD_STATUS_SUCCESS;
924 s->txp.cmd.sbp.u2 = s->rxp.cmd.sbp.u2;
925 s->txp.cmd.sbp.bp = s->rxp.cmd.sbp.bp;
926 kdd_send_cmd(s, KDD_CMD_SOFT_BP, 0);
927 }
928
kdd_handle_hard_breakpoint(kdd_state * s)929 static void kdd_handle_hard_breakpoint(kdd_state *s)
930 {
931 KDD_LOG(s, "Hard breakpoint @%#"PRIx64"\n", s->rxp.cmd.hbp.address);
932
933 kdd_send_string(s, "[kdd: breakpoints aren't implemented yet]\r\n");
934
935 s->txp.cmd.hbp.status = KDD_STATUS_FAILURE;
936 s->txp.cmd.hbp.address = s->rxp.cmd.hbp.address;
937 kdd_send_cmd(s, KDD_CMD_HARD_BP, 0);
938 }
939
940 /* Register access */
kdd_handle_read_regs(kdd_state * s)941 static void kdd_handle_read_regs(kdd_state *s)
942 {
943 kdd_regs regs;
944 uint32_t len = s->os.w64 ? sizeof regs.r64 : sizeof regs.r32;
945 int cpuid = s->rxp.cmd.regs.cpu;
946
947 KDD_LOG(s, "Read CPU %i register state\n", cpuid);
948 if (kdd_get_regs(s->guest, cpuid, ®s, s->os.w64) == 0) {
949 memcpy(s->txb + sizeof (kdd_hdr) + sizeof (kdd_cmd), ®s, len);
950 s->txp.cmd.regs.status = KDD_STATUS_SUCCESS;
951 } else {
952 len = 0;
953 s->txp.cmd.regs.status = KDD_STATUS_FAILURE;
954 }
955 s->txp.cmd.regs.cpu = cpuid;
956 kdd_send_cmd(s, KDD_CMD_READ_REGS, len);
957 }
958
kdd_handle_write_regs(kdd_state * s)959 static void kdd_handle_write_regs(kdd_state *s)
960 {
961 kdd_regs regs;
962 uint32_t len = s->rxp.h.len - sizeof (kdd_cmd);
963 uint32_t regsz = s->os.w64 ? sizeof regs.r64 : sizeof regs.r32;
964 int cpuid = s->rxp.cmd.regs.cpu;
965
966 KDD_LOG(s, "Write CPU %i register state\n", cpuid);
967 s->txp.cmd.regs.status = KDD_STATUS_FAILURE;
968 if (len >= regsz) {
969 memcpy(®s, s->rxb + sizeof (kdd_hdr) + sizeof (kdd_cmd), regsz);
970 if (kdd_set_regs(s->guest, cpuid, ®s, s->os.w64) == 0)
971 s->txp.cmd.regs.status = KDD_STATUS_SUCCESS;
972 }
973 s->txp.cmd.regs.cpu = cpuid;
974 kdd_send_cmd(s, KDD_CMD_WRITE_REGS, 0);
975 }
976
977 /* Report control state to the guest */
kdd_handle_read_ctrl(kdd_state * s)978 static void kdd_handle_read_ctrl(kdd_state *s)
979 {
980 int i;
981 kdd_ctrl ctrl;
982 uint8_t *buf = s->txb + sizeof (kdd_hdr) + sizeof (kdd_cmd);
983 uint32_t len = s->rxp.cmd.mem.length_req;
984 uint64_t val, addr = s->rxp.cmd.mem.addr;
985 KDD_LOG(s, "Read control state: %"PRIu32" bytes @ 0x%"PRIx64"\n",
986 len, addr);
987
988 if (len > (65536 - sizeof(kdd_cmd)))
989 len = 65536 - sizeof(kdd_cmd);
990
991 /* Default contents: a debug-friendly pattern */
992 for (i = 0; i < len; i++)
993 ((uint8_t*)buf)[i] = (uint8_t) (addr + i);
994
995 if (kdd_get_ctrl(s->guest, s->cpuid, &ctrl, s->os.w64)) {
996 len = 0;
997 } else if (s->os.w64) {
998 /* Annoyingly, 64-bit kd relies on the kernel to point it at
999 * datastructures it could easily find itself with VA reads. */
1000 switch (addr) {
1001 case 0x0: /* KPCR */
1002 case 0x1: /* KPRCB */
1003 case 0x3: /* KTHREAD */
1004 /* First find the PCRB's address */
1005 len = kdd_read_virtual(s, s->cpuid,
1006 s->os.base + s->os.prcbs + 8 * s->cpuid,
1007 8, &val);
1008 if (len != 8)
1009 break;
1010 /* The PCR lives 0x180 bytes before the PRCB */
1011 if (addr == 0)
1012 val -= 0x180;
1013 /* The current thread's address is at offset 0x8 into the PRCB. */
1014 else if (addr == 3)
1015 len = kdd_read_virtual(s, s->cpuid, val + 8, 8, &val);
1016 *(uint64_t *)buf = val;
1017 break;
1018 case 0x2: /* Control registers */
1019 if (len > sizeof ctrl.c64)
1020 len = sizeof ctrl.c64;
1021 memcpy(buf, (uint8_t *)&ctrl, len);
1022 break;
1023 default:
1024 KDD_LOG(s, "Unknown control space 0x%"PRIx64"\n", addr);
1025 len = 0;
1026 }
1027 } else {
1028 /* 32-bit control-register space starts at 0x[2]cc, for 84 bytes */
1029 uint32_t offset = addr - 0xcc;
1030 if (offset > sizeof ctrl.c32)
1031 offset -= 0x2cc;
1032 if (offset > sizeof ctrl.c32 || len > sizeof ctrl.c32 - offset) {
1033 KDD_LOG(s, "Request outside of known control space\n");
1034 len = 0;
1035 } else {
1036 memcpy(buf, ((uint8_t *)&ctrl.c32) + offset, len);
1037 }
1038 }
1039
1040 s->txp.cmd.mem.addr = addr;
1041 s->txp.cmd.mem.length_req = s->rxp.cmd.mem.length_req;
1042 s->txp.cmd.mem.length_rsp = len;
1043 s->txp.cmd.mem.status = ((len) ? KDD_STATUS_SUCCESS : KDD_STATUS_FAILURE);
1044 kdd_send_cmd(s, KDD_CMD_READ_CTRL, len);
1045 }
1046
1047 /* MSR access */
kdd_handle_read_msr(kdd_state * s)1048 static void kdd_handle_read_msr(kdd_state *s)
1049 {
1050 uint32_t msr = s->rxp.cmd.msr.msr;
1051 uint64_t val;
1052 int ok;
1053 KDD_LOG(s, "Read MSR 0x%"PRIx32"\n", msr);
1054
1055 ok = (kdd_rdmsr(s->guest, s->cpuid, msr, &val) == 0);
1056 s->txp.cmd.msr.msr = msr;
1057 s->txp.cmd.msr.val = val;
1058 s->txp.cmd.msr.status = (ok ? KDD_STATUS_SUCCESS : KDD_STATUS_FAILURE);
1059 kdd_send_cmd(s, KDD_CMD_READ_MSR, 0);
1060 }
1061
kdd_handle_write_msr(kdd_state * s)1062 static void kdd_handle_write_msr(kdd_state *s)
1063 {
1064 uint32_t msr = s->rxp.cmd.msr.msr;
1065 uint64_t val = s->rxp.cmd.msr.val;
1066 int ok;
1067 KDD_LOG(s, "Write MSR 0x%"PRIx32" = 0x%"PRIx64"\n", msr, val);
1068
1069 ok = (kdd_wrmsr(s->guest, s->cpuid, msr, val) == 0);
1070 s->txp.cmd.msr.msr = msr;
1071 s->txp.cmd.msr.status = (ok ? KDD_STATUS_SUCCESS : KDD_STATUS_FAILURE);
1072 kdd_send_cmd(s, KDD_CMD_WRITE_MSR, 0);
1073 }
1074
1075 /* Read and write guest memory */
kdd_handle_memory_access(kdd_state * s)1076 static void kdd_handle_memory_access(kdd_state *s)
1077 {
1078 uint32_t len = s->rxp.cmd.mem.length_req;
1079 uint64_t addr = s->rxp.cmd.mem.addr;
1080 uint8_t *buf;
1081
1082 KDD_LOG(s, "Memory access \"%c%c\" (%s): %"PRIu32" bytes"
1083 " @ 0x%"PRIx64"\n",
1084 s->rxp.cmd.subtype & 0xff, (s->rxp.cmd.subtype >>8) & 0xff,
1085 s->rxp.cmd.subtype == KDD_CMD_READ_VA ? "read virt" :
1086 s->rxp.cmd.subtype == KDD_CMD_WRITE_VA ? "write virt" :
1087 s->rxp.cmd.subtype == KDD_CMD_READ_PA ? "read phys" :
1088 s->rxp.cmd.subtype == KDD_CMD_WRITE_PA ? "write phys" : "unknown",
1089 len, addr);
1090
1091 if (len > (65536 - sizeof(kdd_cmd)))
1092 len = 65536 - sizeof(kdd_cmd);
1093
1094 switch(s->rxp.cmd.subtype) {
1095 case KDD_CMD_READ_VA:
1096 buf = s->txb + sizeof (kdd_hdr) + sizeof (kdd_cmd);
1097 len = kdd_read_virtual(s, s->cpuid, addr, len, buf);
1098 break;
1099 case KDD_CMD_WRITE_VA:
1100 buf = s->rxb + sizeof (kdd_hdr) + sizeof (kdd_cmd);
1101 len = kdd_write_virtual(s, s->cpuid, addr, len, buf);
1102 break;
1103 case KDD_CMD_READ_PA:
1104 buf = s->txb + sizeof (kdd_hdr) + sizeof (kdd_cmd);
1105 len = kdd_read_physical(s, addr, len, buf);
1106 break;
1107 case KDD_CMD_WRITE_PA:
1108 buf = s->rxb + sizeof (kdd_hdr) + sizeof (kdd_cmd);
1109 len = kdd_write_physical(s, addr, len, buf);
1110 break;
1111 }
1112 KDD_DEBUG(s, "access returned %"PRIu32"\n", len);
1113
1114 s->txp.cmd.mem.addr = addr;
1115 s->txp.cmd.mem.length_req = s->rxp.cmd.mem.length_req;
1116 s->txp.cmd.mem.length_rsp = len;
1117 s->txp.cmd.mem.status = (len) ? KDD_STATUS_SUCCESS : KDD_STATUS_FAILURE;
1118 kdd_send_cmd(s, s->rxp.cmd.subtype, len);
1119 }
1120
1121
1122 /* Handle a packet received from the client */
kdd_handle_pkt(kdd_state * s,kdd_pkt * p)1123 static void kdd_handle_pkt(kdd_state *s, kdd_pkt *p)
1124 {
1125 uint32_t sum = 0;
1126 int i;
1127
1128 /* Simple checksum: add all the bytes */
1129 for (i = 0; i < p->h.len; i++)
1130 sum += p->payload[i];
1131 if (p->h.sum != sum) {
1132 kdd_send_ack(s, p->h.id, KDD_ACK_BAD);
1133 return;
1134 }
1135
1136 /* We only understand one kind of packet from the client */
1137 if (p->h.type != KDD_PKT_CMD) {
1138 KDD_LOG(s, "Unhandled PKT type 0x%4.4x\n", p->h.type);
1139 kdd_send_ack(s, p->h.id, KDD_ACK_BAD);
1140 return;
1141 }
1142
1143 /* Ack the packet */
1144 kdd_send_ack(s, p->h.id, KDD_ACK_OK);
1145
1146 /* Clear the TX buffer just for sanity */
1147 memset(s->txb, 0, sizeof(s->txb));
1148
1149 switch (p->cmd.subtype) {
1150 case KDD_CMD_CONT1:
1151 case KDD_CMD_CONT2:
1152 KDD_LOG(s, "Continue: 0x%8.8"PRIx32"\n", p->cmd.cont.reason1);
1153 if (!s->running)
1154 kdd_run(s->guest);
1155 s->running = 1;
1156 /* No reply, just carry on running */
1157 break;
1158 case KDD_CMD_SHAKE:
1159 kdd_handle_handshake(s);
1160 break;
1161 case KDD_CMD_SOFT_BP:
1162 kdd_handle_soft_breakpoint(s);
1163 break;
1164 case KDD_CMD_HARD_BP:
1165 kdd_handle_hard_breakpoint(s);
1166 break;
1167 case KDD_CMD_READ_REGS:
1168 kdd_handle_read_regs(s);
1169 break;
1170 case KDD_CMD_WRITE_REGS:
1171 kdd_handle_write_regs(s);
1172 break;
1173 case KDD_CMD_READ_CTRL:
1174 kdd_handle_read_ctrl(s);
1175 break;
1176 case KDD_CMD_READ_MSR:
1177 kdd_handle_read_msr(s);
1178 break;
1179 case KDD_CMD_WRITE_MSR:
1180 kdd_handle_write_msr(s);
1181 break;
1182 case KDD_CMD_READ_VA:
1183 case KDD_CMD_WRITE_VA:
1184 case KDD_CMD_READ_PA:
1185 case KDD_CMD_WRITE_PA:
1186 kdd_handle_memory_access(s);
1187 break;
1188 case KDD_CMD_WRITE_Z:
1189 /* No response */
1190 break;
1191 case KDD_CMD_SETCPU:
1192 kdd_handle_setcpu(s);
1193 break;
1194 case KDD_CMD_WRITE_CTRL:
1195 default:
1196 KDD_LOG(s, "Unhandled CMD subtype 0x%8.8x\n", p->cmd.subtype);
1197 /* Send back a mirror of the request saying we failed to do
1198 * whatever it was. */
1199 memcpy(s->txb, p, sizeof (kdd_hdr) + sizeof (kdd_cmd));
1200 s->txp.h.len = sizeof (kdd_cmd);
1201 s->txp.cmd.mem.status = KDD_STATUS_FAILURE;
1202 s->txp.h.id = (s->next_id ^= 1);
1203 kdd_tx(s);
1204 break;
1205 }
1206 }
1207
1208
1209 /*****************************************************************************
1210 * Scaffolding to get packets from the client.
1211 */
1212
1213
1214 /* Set up the debugger state ready for use. Returns a file descriptor and
1215 * a state pointer for use in select() loops. */
kdd_init(kdd_state ** sp,struct addrinfo * addr,kdd_guest * guest,FILE * log,int verbosity)1216 static int kdd_init(kdd_state **sp, struct addrinfo *addr,
1217 kdd_guest *guest, FILE *log, int verbosity)
1218 {
1219 kdd_state *s = NULL;
1220 int opt, fd = -1;
1221
1222 s = malloc(sizeof *s);
1223 if (s == NULL) {
1224 fprintf(stderr, "Could not allocate state for kdd: %s\n",
1225 strerror(errno));
1226 goto fail;
1227 }
1228 memset(s, 0, sizeof *s);
1229 s->log = log;
1230 s->verbosity = verbosity;
1231
1232 fd = socket(PF_INET, SOCK_STREAM, 0);
1233 if (fd < 0) {
1234 KDD_LOG(s, "Could not open a socket for kdd: %s\n",
1235 strerror(errno));
1236 goto fail;
1237 }
1238
1239 /* Try to connect to the tcp/serial gateway. */
1240 again:
1241 if (connect(fd, addr->ai_addr, sizeof *addr) != 0) {
1242 if (errno == EINTR)
1243 goto again;
1244 if (addr->ai_next) {
1245 addr = addr->ai_next;
1246 goto again;
1247 }
1248 KDD_LOG(s, "Could not connect TCP stream for kdd: %s\n",
1249 strerror(errno));
1250 goto fail;
1251 }
1252
1253 opt = 1;
1254 setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof(opt));
1255
1256 s->next_id = 0x80800001;
1257 s->fd = fd;
1258 s->running = 1;
1259 s->cpuid = 0;
1260 s->guest = guest;
1261 s->os = unknown_os;
1262
1263 *sp = s;
1264 KDD_LOG(s, "KDD starts\n");
1265
1266 kdd_break(s);
1267
1268 return fd;
1269
1270 fail:
1271 if (fd >= 0)
1272 close(fd);
1273 free(s);
1274 return -1;
1275 }
1276
1277 /* Callback when the fd is readable, to parse packet data from the byte
1278 * stream. When a complete packet is seen, handle it. The packet can
1279 * then be read in the marshalling buffer, but only until the next call
1280 * to kdd_parse_byte(). */
kdd_select_callback(kdd_state * s)1281 void kdd_select_callback(kdd_state *s)
1282 {
1283 kdd_pkt *p = &s->rxp;
1284 unsigned int pkt_len = (unsigned) -1;
1285 ssize_t rc, to_read;
1286
1287 /* For easy parsing, read single bytes until we can check the packet
1288 * length, then read in one go to the end. */
1289 if (s->cur < 8
1290 || (p->h.dir != KDD_DIR_PKT && p->h.dir != KDD_DIR_ACK))
1291 to_read = 1;
1292 else {
1293 /* Extract payload length from the header */
1294 pkt_len = p->h.len + sizeof (kdd_hdr);
1295
1296 /* For some reason, packets always have a trailing 0xAA byte */
1297 if (p->h.dir == KDD_DIR_PKT)
1298 pkt_len++;
1299
1300 to_read = pkt_len - s->cur;
1301 }
1302
1303 rc = read(s->fd, s->rxb + s->cur, to_read);
1304
1305 KDD_DEBUG(s, "read(%i) returns %i\n", (int) to_read, (int) rc);
1306
1307 if (rc <= 0)
1308 /* XXX ignoring failures for now */
1309 return;
1310
1311 /* Break command comes as a single byte */
1312 if (s->cur == 0 && s->rxb[0] == 'b') {
1313 kdd_break(s);
1314 return;
1315 }
1316
1317 /* Remember the bytes we just read */
1318 s->cur += rc;
1319
1320 /* Sync to packet start, which will be "0000" or "iiii" */
1321 if (s->cur < 4)
1322 return;
1323 if (p->h.dir != KDD_DIR_PKT && p->h.dir != KDD_DIR_ACK) {
1324 KDD_LOG(s, "Bad hdr 0x%8.8x: resyncing\n", p->h.dir);
1325 memmove(s->rxb, s->rxb + 1, --s->cur);
1326 return;
1327 }
1328
1329 /* Process complete packets/acks */
1330 if (s->cur >= pkt_len) {
1331 kdd_log_pkt(s, "RX", p);
1332 if (p->h.dir == KDD_DIR_PKT)
1333 kdd_handle_pkt(s, p);
1334 else
1335 kdd_handle_ack(s, p->h.id, p->h.type);
1336 s->cur = 0;
1337 }
1338 }
1339
1340
usage(void)1341 static void __attribute__((noreturn)) usage(void)
1342 {
1343 fprintf(stderr,
1344 " usage: kdd [-v] <domid> <address> <port>\n"
1345 " \n"
1346 " Makes a TCP connection to <address>:<port> and speaks the kd serial\n"
1347 " protocol over it, to debug Xen domain <domid>.\n"
1348 " To connect a debugger, set up a Windows VM with it serial port confgured\n"
1349 " as \"serial='tcp:<address>:<port>,server,nodelay,nowait'\". Run\n"
1350 " windbg or kd in that VM, connecting to COM1; then run kdd.\n\n");
1351 exit(1);
1352 }
1353
1354
main(int argc,char ** argv)1355 int main(int argc, char **argv)
1356 {
1357 int fd;
1358 int verbosity = 0;
1359 kdd_state *s;
1360 kdd_guest *g;
1361 struct addrinfo *addr;
1362 fd_set fds;
1363
1364 while (argc > 4)
1365 if (!strcmp(argv[1], "-v")) {
1366 verbosity++;
1367 argc--;
1368 argv++;
1369 }
1370
1371 if (argc != 4
1372 || !(g = kdd_guest_init(argv[1], stdout, verbosity))
1373 || getaddrinfo(argv[2], argv[3], NULL, &addr) != 0
1374 || (fd = kdd_init(&s, addr, g, stdout, verbosity)) < 0)
1375 usage();
1376
1377 while (1) {
1378 FD_ZERO(&fds);
1379 FD_SET(fd, &fds);
1380 if (select(fd + 1, &fds, NULL, NULL, NULL) > 0)
1381 kdd_select_callback(s);
1382 }
1383
1384 return 0;
1385 }
1386