VirtualBox

source: vbox/trunk/src/VBox/Debugger/DBGPlugInWinNt.cpp@ 86159

Last change on this file since 86159 was 86159, checked in by vboxsync, 4 years ago

DBGF,DBGPlugInWinNt: Extract NtBuildNumber and make it available through the query versions callback

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 53.8 KB
Line 
1/* $Id: DBGPlugInWinNt.cpp 86159 2020-09-17 17:09:30Z vboxsync $ */
2/** @file
3 * DBGPlugInWindows - Debugger and Guest OS Digger Plugin For Windows NT.
4 */
5
6/*
7 * Copyright (C) 2009-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18
19/*********************************************************************************************************************************
20* Header Files *
21*********************************************************************************************************************************/
22#define LOG_GROUP LOG_GROUP_DBGF /// @todo add new log group.
23#include "DBGPlugIns.h"
24#include <VBox/vmm/dbgf.h>
25#include <VBox/vmm/cpumctx.h>
26#include <VBox/vmm/mm.h>
27#include <VBox/err.h>
28#include <VBox/param.h>
29#include <iprt/ctype.h>
30#include <iprt/ldr.h>
31#include <iprt/mem.h>
32#include <iprt/path.h>
33#include <iprt/stream.h>
34#include <iprt/string.h>
35#include <iprt/utf16.h>
36#include <iprt/formats/pecoff.h>
37#include <iprt/formats/mz.h>
38#include <iprt/nt/nt-structures.h>
39
40
41/*********************************************************************************************************************************
42* Structures and Typedefs *
43*********************************************************************************************************************************/
44
45/** @name Internal WinNT structures
46 * @{ */
47/**
48 * PsLoadedModuleList entry for 32-bit NT aka LDR_DATA_TABLE_ENTRY.
49 * Tested with XP.
50 */
51typedef struct NTMTE32
52{
53 struct
54 {
55 uint32_t Flink;
56 uint32_t Blink;
57 } InLoadOrderLinks,
58 InMemoryOrderModuleList,
59 InInitializationOrderModuleList;
60 uint32_t DllBase;
61 uint32_t EntryPoint;
62 /** @note This field is not a size in NT 3.1. It's NULL for images loaded by the
63 * boot loader, for other images it looks like some kind of pointer. */
64 uint32_t SizeOfImage;
65 struct
66 {
67 uint16_t Length;
68 uint16_t MaximumLength;
69 uint32_t Buffer;
70 } FullDllName,
71 BaseDllName;
72 uint32_t Flags;
73 uint16_t LoadCount;
74 uint16_t TlsIndex;
75 /* ... there is more ... */
76} NTMTE32;
77typedef NTMTE32 *PNTMTE32;
78
79/**
80 * PsLoadedModuleList entry for 64-bit NT aka LDR_DATA_TABLE_ENTRY.
81 */
82typedef struct NTMTE64
83{
84 struct
85 {
86 uint64_t Flink;
87 uint64_t Blink;
88 } InLoadOrderLinks, /**< 0x00 */
89 InMemoryOrderModuleList, /**< 0x10 */
90 InInitializationOrderModuleList; /**< 0x20 */
91 uint64_t DllBase; /**< 0x30 */
92 uint64_t EntryPoint; /**< 0x38 */
93 uint32_t SizeOfImage; /**< 0x40 */
94 uint32_t Alignment; /**< 0x44 */
95 struct
96 {
97 uint16_t Length; /**< 0x48,0x58 */
98 uint16_t MaximumLength; /**< 0x4a,0x5a */
99 uint32_t Alignment; /**< 0x4c,0x5c */
100 uint64_t Buffer; /**< 0x50,0x60 */
101 } FullDllName, /**< 0x48 */
102 BaseDllName; /**< 0x58 */
103 uint32_t Flags; /**< 0x68 */
104 uint16_t LoadCount; /**< 0x6c */
105 uint16_t TlsIndex; /**< 0x6e */
106 /* ... there is more ... */
107} NTMTE64;
108typedef NTMTE64 *PNTMTE64;
109
110/** MTE union. */
111typedef union NTMTE
112{
113 NTMTE32 vX_32;
114 NTMTE64 vX_64;
115} NTMTE;
116typedef NTMTE *PNTMTE;
117
118
119/**
120 * The essential bits of the KUSER_SHARED_DATA structure.
121 */
122typedef struct NTKUSERSHAREDDATA
123{
124 uint32_t TickCountLowDeprecated;
125 uint32_t TickCountMultiplier;
126 struct
127 {
128 uint32_t LowPart;
129 int32_t High1Time;
130 int32_t High2Time;
131
132 } InterruptTime,
133 SystemTime,
134 TimeZoneBias;
135 uint16_t ImageNumberLow;
136 uint16_t ImageNumberHigh;
137 RTUTF16 NtSystemRoot[260];
138 uint32_t MaxStackTraceDepth;
139 uint32_t CryptoExponent;
140 uint32_t TimeZoneId;
141 uint32_t LargePageMinimum;
142 uint32_t Reserved2[6];
143 uint32_t NtBuildNumber;
144 uint32_t NtProductType;
145 uint8_t ProductTypeIsValid;
146 uint8_t abPadding[3];
147 uint32_t NtMajorVersion;
148 uint32_t NtMinorVersion;
149 /* uint8_t ProcessorFeatures[64];
150 ...
151 */
152} NTKUSERSHAREDDATA;
153typedef NTKUSERSHAREDDATA *PNTKUSERSHAREDDATA;
154
155/** KI_USER_SHARED_DATA for i386 */
156#define NTKUSERSHAREDDATA_WINNT32 UINT32_C(0xffdf0000)
157/** KI_USER_SHARED_DATA for AMD64 */
158#define NTKUSERSHAREDDATA_WINNT64 UINT64_C(0xfffff78000000000)
159
160/** NTKUSERSHAREDDATA::NtProductType */
161typedef enum NTPRODUCTTYPE
162{
163 kNtProductType_Invalid = 0,
164 kNtProductType_WinNt = 1,
165 kNtProductType_LanManNt,
166 kNtProductType_Server
167} NTPRODUCTTYPE;
168
169
170/** NT image header union. */
171typedef union NTHDRSU
172{
173 IMAGE_NT_HEADERS32 vX_32;
174 IMAGE_NT_HEADERS64 vX_64;
175} NTHDRS;
176/** Pointer to NT image header union. */
177typedef NTHDRS *PNTHDRS;
178/** Pointer to const NT image header union. */
179typedef NTHDRS const *PCNTHDRS;
180
181/** @} */
182
183
184
185typedef enum DBGDIGGERWINNTVER
186{
187 DBGDIGGERWINNTVER_UNKNOWN,
188 DBGDIGGERWINNTVER_3_1,
189 DBGDIGGERWINNTVER_3_5,
190 DBGDIGGERWINNTVER_4_0,
191 DBGDIGGERWINNTVER_5_0,
192 DBGDIGGERWINNTVER_5_1,
193 DBGDIGGERWINNTVER_6_0
194} DBGDIGGERWINNTVER;
195
196/**
197 * WinNT guest OS digger instance data.
198 */
199typedef struct DBGDIGGERWINNT
200{
201 /** Whether the information is valid or not.
202 * (For fending off illegal interface method calls.) */
203 bool fValid;
204 /** 32-bit (true) or 64-bit (false) */
205 bool f32Bit;
206 /** Set if NT 3.1 was detected.
207 * This implies both Misc.VirtualSize and NTMTE32::SizeOfImage are zero. */
208 bool fNt31;
209
210 /** The NT version. */
211 DBGDIGGERWINNTVER enmVer;
212 /** NTKUSERSHAREDDATA::NtProductType */
213 NTPRODUCTTYPE NtProductType;
214 /** NTKUSERSHAREDDATA::NtMajorVersion */
215 uint32_t NtMajorVersion;
216 /** NTKUSERSHAREDDATA::NtMinorVersion */
217 uint32_t NtMinorVersion;
218 /** NTKUSERSHAREDDATA::NtBuildNumber */
219 uint32_t NtBuildNumber;
220
221 /** The address of the ntoskrnl.exe image. */
222 DBGFADDRESS KernelAddr;
223 /** The address of the ntoskrnl.exe module table entry. */
224 DBGFADDRESS KernelMteAddr;
225 /** The address of PsLoadedModuleList. */
226 DBGFADDRESS PsLoadedModuleListAddr;
227
228 /** Array of detected KPCR addresses for each vCPU. */
229 PDBGFADDRESS paKpcrAddr;
230 /** Array of detected KPCRB addresses for each vCPU. */
231 PDBGFADDRESS paKpcrbAddr;
232
233 /** The Windows NT specifics interface. */
234 DBGFOSIWINNT IWinNt;
235} DBGDIGGERWINNT;
236/** Pointer to the linux guest OS digger instance data. */
237typedef DBGDIGGERWINNT *PDBGDIGGERWINNT;
238
239
240/**
241 * The WinNT digger's loader reader instance data.
242 */
243typedef struct DBGDIGGERWINNTRDR
244{
245 /** The VM handle (referenced). */
246 PUVM pUVM;
247 /** The image base. */
248 DBGFADDRESS ImageAddr;
249 /** The image size. */
250 uint32_t cbImage;
251 /** The file offset of the SizeOfImage field in the optional header if it
252 * needs patching, otherwise set to UINT32_MAX. */
253 uint32_t offSizeOfImage;
254 /** The correct image size. */
255 uint32_t cbCorrectImageSize;
256 /** Number of entries in the aMappings table. */
257 uint32_t cMappings;
258 /** Mapping hint. */
259 uint32_t iHint;
260 /** Mapping file offset to memory offsets, ordered by file offset. */
261 struct
262 {
263 /** The file offset. */
264 uint32_t offFile;
265 /** The size of this mapping. */
266 uint32_t cbMem;
267 /** The offset to the memory from the start of the image. */
268 uint32_t offMem;
269 } aMappings[1];
270} DBGDIGGERWINNTRDR;
271/** Pointer a WinNT loader reader instance data. */
272typedef DBGDIGGERWINNTRDR *PDBGDIGGERWINNTRDR;
273
274
275/*********************************************************************************************************************************
276* Defined Constants And Macros *
277*********************************************************************************************************************************/
278/** Validates a 32-bit Windows NT kernel address */
279#define WINNT32_VALID_ADDRESS(Addr) ((Addr) > UINT32_C(0x80000000) && (Addr) < UINT32_C(0xfffff000))
280/** Validates a 64-bit Windows NT kernel address */
281#define WINNT64_VALID_ADDRESS(Addr) ((Addr) > UINT64_C(0xffff800000000000) && (Addr) < UINT64_C(0xfffffffffffff000))
282/** Validates a kernel address. */
283#define WINNT_VALID_ADDRESS(pThis, Addr) ((pThis)->f32Bit ? WINNT32_VALID_ADDRESS(Addr) : WINNT64_VALID_ADDRESS(Addr))
284/** Versioned and bitness wrapper. */
285#define WINNT_UNION(pThis, pUnion, Member) ((pThis)->f32Bit ? (pUnion)->vX_32. Member : (pUnion)->vX_64. Member )
286
287/** The length (in chars) of the kernel file name (no path). */
288#define WINNT_KERNEL_BASE_NAME_LEN 12
289
290/** WindowsNT on little endian ASCII systems. */
291#define DIG_WINNT_MOD_TAG UINT64_C(0x54696e646f774e54)
292
293
294/*********************************************************************************************************************************
295* Internal Functions *
296*********************************************************************************************************************************/
297static DECLCALLBACK(int) dbgDiggerWinNtInit(PUVM pUVM, void *pvData);
298
299
300/*********************************************************************************************************************************
301* Global Variables *
302*********************************************************************************************************************************/
303/** Kernel names. */
304static const RTUTF16 g_wszKernelNames[][WINNT_KERNEL_BASE_NAME_LEN + 1] =
305{
306 { 'n', 't', 'o', 's', 'k', 'r', 'n', 'l', '.', 'e', 'x', 'e' }
307};
308
309
310
311/**
312 * Tries to resolve the KPCR and KPCRB addresses for each vCPU.
313 *
314 * @returns nothing.
315 * @param pThis The instance data.
316 * @param pUVM The user mode VM handle.
317 */
318static void dbgDiggerWinNtResolveKpcr(PDBGDIGGERWINNT pThis, PUVM pUVM)
319{
320 if (pThis->f32Bit)
321 { /** @todo */ }
322 else
323 {
324 /*
325 * Getting at the KPCR and KPCRB is explained here:
326 * https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kprcb/amd64.htm
327 * Together with the available offsets from:
328 * https://github.com/tpn/winsdk-10/blob/master/Include/10.0.16299.0/shared/ksamd64.inc#L883
329 * we can verify that the found addresses are valid by cross checking that the GDTR and self reference
330 * match what we expect.
331 */
332 VMCPUID cCpus = DBGFR3CpuGetCount(pUVM);
333 pThis->paKpcrAddr = (PDBGFADDRESS)RTMemAllocZ(cCpus * 2 * sizeof(DBGFADDRESS));
334 if (RT_LIKELY(pThis->paKpcrAddr))
335 {
336 pThis->paKpcrbAddr = &pThis->paKpcrAddr[cCpus];
337
338 /* Work each CPU, unexpected values in each CPU make the whole thing fail to play safe. */
339 int rc = VINF_SUCCESS;
340 for (VMCPUID idCpu = 0; (idCpu < cCpus) && RT_SUCCESS(rc); idCpu++)
341 {
342 PDBGFADDRESS pKpcrAddr = &pThis->paKpcrAddr[idCpu];
343 PDBGFADDRESS pKpcrbAddr = &pThis->paKpcrbAddr[idCpu];
344
345 /* Read GS base which points to the base of the KPCR for each CPU. */
346 RTGCUINTPTR GCPtrTmp = 0;
347 rc = DBGFR3RegCpuQueryU64(pUVM, idCpu, DBGFREG_GS_BASE, &GCPtrTmp);
348 if (RT_SUCCESS(rc))
349 {
350 LogFlow(("DigWinNt/KPCR[%u]: GS Base %RGv\n", idCpu, GCPtrTmp));
351 DBGFR3AddrFromFlat(pUVM, pKpcrAddr, GCPtrTmp);
352
353 rc = DBGFR3RegCpuQueryU64(pUVM, idCpu, DBGFREG_GDTR_BASE, &GCPtrTmp);
354 if (RT_SUCCESS(rc))
355 {
356 /*
357 * Read the start of the KPCR (@todo Probably move this to a global header)
358 * and verify its content.
359 */
360 struct
361 {
362 RTGCUINTPTR GCPtrGdt;
363 RTGCUINTPTR GCPtrTss;
364 RTGCUINTPTR GCPtrUserRsp;
365 RTGCUINTPTR GCPtrSelf;
366 RTGCUINTPTR GCPtrCurrentPrcb;
367 } Kpcr;
368
369 rc = DBGFR3MemRead(pUVM, idCpu, pKpcrAddr, &Kpcr, sizeof(Kpcr));
370 if (RT_SUCCESS(rc))
371 {
372 if ( Kpcr.GCPtrGdt == GCPtrTmp
373 && Kpcr.GCPtrSelf == pKpcrAddr->FlatPtr
374 /** @todo && TSS */ )
375 {
376 DBGFR3AddrFromFlat(pUVM, pKpcrbAddr, Kpcr.GCPtrCurrentPrcb);
377 LogRel(("DigWinNt/KPCR[%u]: KPCR=%RGv KPCRB=%RGv\n", idCpu, pKpcrAddr->FlatPtr, pKpcrbAddr->FlatPtr));
378 }
379 else
380 LogRel(("DigWinNt/KPCR[%u]: KPCR validation error GDT=(%RGv vs %RGv) KPCRB=(%RGv vs %RGv)\n", idCpu,
381 Kpcr.GCPtrGdt, GCPtrTmp, Kpcr.GCPtrSelf, pKpcrAddr->FlatPtr));
382 }
383 else
384 LogRel(("DigWinNt/KPCR[%u]: Reading KPCR start at %RGv failed with %Rrc\n", idCpu, pKpcrAddr->FlatPtr, rc));
385 }
386 else
387 LogRel(("DigWinNt/KPCR[%u]: Getting GDT base register failed with %Rrc\n", idCpu, rc));
388 }
389 else
390 LogRel(("DigWinNt/KPCR[%u]: Getting GS base register failed with %Rrc\n", idCpu, rc));
391 }
392
393 if (RT_FAILURE(rc))
394 {
395 LogRel(("DigWinNt/KPCR: Failed to detmine KPCR and KPCRB rc=%Rrc\n", rc));
396 RTMemFree(pThis->paKpcrAddr);
397 pThis->paKpcrAddr = NULL;
398 pThis->paKpcrbAddr = NULL;
399 }
400 }
401 else
402 LogRel(("DigWinNt/KPCR: Failed to allocate %u entries for the KPCR/KPCRB addresses\n", cCpus * 2));
403 }
404}
405
406
407/**
408 * Process a PE image found in guest memory.
409 *
410 * @param pThis The instance data.
411 * @param pUVM The user mode VM handle.
412 * @param pszName The module name.
413 * @param pszFilename The image filename.
414 * @param pImageAddr The image address.
415 * @param cbImage The size of the image.
416 */
417static void dbgDiggerWinNtProcessImage(PDBGDIGGERWINNT pThis, PUVM pUVM, const char *pszName, const char *pszFilename,
418 PCDBGFADDRESS pImageAddr, uint32_t cbImage)
419{
420 LogFlow(("DigWinNt: %RGp %#x %s\n", pImageAddr->FlatPtr, cbImage, pszName));
421
422 /*
423 * Do some basic validation first.
424 */
425 if ( (cbImage < sizeof(IMAGE_NT_HEADERS64) && !pThis->fNt31)
426 || cbImage >= _1M * 256)
427 {
428 Log(("DigWinNt: %s: Bad image size: %#x\n", pszName, cbImage));
429 return;
430 }
431
432 /*
433 * Use the common in-memory module reader to create a debug module.
434 */
435 RTERRINFOSTATIC ErrInfo;
436 RTDBGMOD hDbgMod = NIL_RTDBGMOD;
437 int rc = DBGFR3ModInMem(pUVM, pImageAddr, pThis->fNt31 ? DBGFMODINMEM_F_PE_NT31 : 0, pszName, pszFilename,
438 pThis->f32Bit ? RTLDRARCH_X86_32 : RTLDRARCH_AMD64, cbImage,
439 &hDbgMod, RTErrInfoInitStatic(&ErrInfo));
440 if (RT_SUCCESS(rc))
441 {
442 /*
443 * Tag the module.
444 */
445 rc = RTDbgModSetTag(hDbgMod, DIG_WINNT_MOD_TAG);
446 AssertRC(rc);
447
448 /*
449 * Link the module.
450 */
451 RTDBGAS hAs = DBGFR3AsResolveAndRetain(pUVM, DBGF_AS_KERNEL);
452 if (hAs != NIL_RTDBGAS)
453 rc = RTDbgAsModuleLink(hAs, hDbgMod, pImageAddr->FlatPtr, RTDBGASLINK_FLAGS_REPLACE /*fFlags*/);
454 else
455 rc = VERR_INTERNAL_ERROR;
456 RTDbgModRelease(hDbgMod);
457 RTDbgAsRelease(hAs);
458 }
459 else if (RTErrInfoIsSet(&ErrInfo.Core))
460 Log(("DigWinNt: %s: DBGFR3ModInMem failed: %Rrc - %s\n", pszName, rc, ErrInfo.Core.pszMsg));
461 else
462 Log(("DigWinNt: %s: DBGFR3ModInMem failed: %Rrc\n", pszName, rc));
463}
464
465
466/**
467 * Generate a debugger compatible module name from a filename.
468 *
469 * @returns Pointer to module name (doesn't need to be pszName).
470 * @param pszFilename The source filename.
471 * @param pszName Buffer to put the module name in.
472 * @param cbName Buffer size.
473 */
474static const char *dbgDiggerWintNtFilenameToModuleName(const char *pszFilename, char *pszName, size_t cbName)
475{
476 /* Skip to the filename part of the filename. :-) */
477 pszFilename = RTPathFilenameEx(pszFilename, RTPATH_STR_F_STYLE_DOS);
478
479 /* We try use 'nt' for the kernel. */
480 if ( RTStrICmpAscii(pszFilename, "ntoskrnl.exe") == 0
481 || RTStrICmpAscii(pszFilename, "ntkrnlmp.exe") == 0)
482 return "nt";
483
484
485 /* Drop the extension if .dll or .sys. */
486 size_t cchFilename = strlen(pszFilename);
487 if ( cchFilename > 4
488 && pszFilename[cchFilename - 4] == '.')
489 {
490 if ( RTStrICmpAscii(&pszFilename[cchFilename - 4], ".sys") == 0
491 || RTStrICmpAscii(&pszFilename[cchFilename - 4], ".dll") == 0)
492 cchFilename -= 4;
493 }
494
495 /* Copy and do replacements. */
496 if (cchFilename >= cbName)
497 cchFilename = cbName - 1;
498 size_t off;
499 for (off = 0; off < cchFilename; off++)
500 {
501 char ch = pszFilename[off];
502 if (!RT_C_IS_ALNUM(ch))
503 ch = '_';
504 pszName[off] = ch;
505 }
506 pszName[off] = '\0';
507 return pszName;
508}
509
510
511/**
512 * @interface_method_impl{DBGFOSIWINNT,pfnQueryVersion}
513 */
514static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryVersion(struct DBGFOSIWINNT *pThis, PUVM pUVM,
515 uint32_t *puVersMajor, uint32_t *puVersMinor,
516 uint32_t *puBuildNumber, bool *pf32Bit)
517{
518 RT_NOREF(pUVM);
519 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
520
521 if (puVersMajor)
522 *puVersMajor = pData->NtMajorVersion;
523 if (puVersMinor)
524 *puVersMinor = pData->NtMinorVersion;
525 if (puBuildNumber)
526 *puBuildNumber = pData->NtBuildNumber;
527 if (pf32Bit)
528 *pf32Bit = pData->f32Bit;
529 return VINF_SUCCESS;
530}
531
532
533/**
534 * @interface_method_impl{DBGFOSIWINNT,pfnQueryKernelPtrs}
535 */
536static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryKernelPtrs(struct DBGFOSIWINNT *pThis, PUVM pUVM,
537 PRTGCUINTPTR pGCPtrKernBase, PRTGCUINTPTR pGCPtrPsLoadedModuleList)
538{
539 RT_NOREF(pUVM);
540 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
541
542 *pGCPtrKernBase = pData->KernelAddr.FlatPtr;
543 *pGCPtrPsLoadedModuleList = pData->PsLoadedModuleListAddr.FlatPtr;
544 return VINF_SUCCESS;
545}
546
547
548/**
549 * @interface_method_impl{DBGFOSIWINNT,pfnQueryKpcrForVCpu}
550 */
551static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryKpcrForVCpu(struct DBGFOSIWINNT *pThis, PUVM pUVM, VMCPUID idCpu,
552 PRTGCUINTPTR pKpcr, PRTGCUINTPTR pKpcrb)
553{
554 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
555
556 if (!pData->paKpcrAddr)
557 return VERR_NOT_SUPPORTED;
558
559 AssertReturn(idCpu < DBGFR3CpuGetCount(pUVM), VERR_INVALID_PARAMETER);
560
561 if (pKpcr)
562 *pKpcr = pData->paKpcrAddr[idCpu].FlatPtr;
563 if (pKpcrb)
564 *pKpcrb = pData->paKpcrbAddr[idCpu].FlatPtr;
565 return VINF_SUCCESS;
566}
567
568
569/**
570 * @interface_method_impl{DBGFOSIWINNT,pfnQueryCurThrdForVCpu}
571 */
572static DECLCALLBACK(int) dbgDiggerWinNtIWinNt_QueryCurThrdForVCpu(struct DBGFOSIWINNT *pThis, PUVM pUVM, VMCPUID idCpu,
573 PRTGCUINTPTR pCurThrd)
574{
575 PDBGDIGGERWINNT pData = RT_FROM_MEMBER(pThis, DBGDIGGERWINNT, IWinNt);
576
577 if (!pData->paKpcrAddr)
578 return VERR_NOT_SUPPORTED;
579
580 AssertReturn(idCpu < DBGFR3CpuGetCount(pUVM), VERR_INVALID_PARAMETER);
581
582 DBGFADDRESS AddrCurThrdPtr = pData->paKpcrbAddr[idCpu];
583 DBGFR3AddrAdd(&AddrCurThrdPtr, 0x08); /** @todo Make this prettier. */
584 return DBGFR3MemRead(pUVM, idCpu, &AddrCurThrdPtr, pCurThrd, sizeof(*pCurThrd));
585}
586
587
588/**
589 * @copydoc DBGFOSREG::pfnStackUnwindAssist
590 */
591static DECLCALLBACK(int) dbgDiggerWinNtStackUnwindAssist(PUVM pUVM, void *pvData, VMCPUID idCpu, PDBGFSTACKFRAME pFrame,
592 PRTDBGUNWINDSTATE pState, PCCPUMCTX pInitialCtx, RTDBGAS hAs,
593 uint64_t *puScratch)
594{
595 Assert(pInitialCtx);
596
597 /*
598 * We want to locate trap frames here. The trap frame structure contains
599 * the 64-bit IRET frame, so given unwind information it's easy to identify
600 * using the return type and frame address.
601 */
602 if (pFrame->fFlags & DBGFSTACKFRAME_FLAGS_64BIT)
603 {
604 /*
605 * Is this a trap frame? If so, try read the trap frame.
606 */
607 if ( pFrame->enmReturnType == RTDBGRETURNTYPE_IRET64
608 && !(pFrame->AddrFrame.FlatPtr & 0x7)
609 && WINNT64_VALID_ADDRESS(pFrame->AddrFrame.FlatPtr) )
610 {
611 KTRAP_FRAME_AMD64 TrapFrame;
612 RT_ZERO(TrapFrame);
613 uint64_t const uTrapFrameAddr = pFrame->AddrFrame.FlatPtr
614 - RT_UOFFSETOF(KTRAP_FRAME_AMD64, ErrCdOrXcptFrameOrS);
615 int rc = pState->pfnReadStack(pState, uTrapFrameAddr, sizeof(TrapFrame), &TrapFrame);
616 if (RT_SUCCESS(rc))
617 {
618 /* Valid? Not too much else we can check here (EFlags isn't
619 reliable in manually construct frames). */
620 if (TrapFrame.ExceptionActive <= 2)
621 {
622 pFrame->fFlags |= DBGFSTACKFRAME_FLAGS_TRAP_FRAME;
623
624 /*
625 * Add sure 'register' information from the frame to the frame.
626 *
627 * To avoid code duplication, we do this in two steps in a loop.
628 * The first iteration only figures out how many registers we're
629 * going to save and allocates room for them. The second iteration
630 * does the actual adding.
631 */
632 uint32_t cRegs = pFrame->cSureRegs;
633 PDBGFREGVALEX paSureRegs = NULL;
634#define ADD_REG_NAMED(a_Type, a_ValMemb, a_Value, a_pszName) do { \
635 if (paSureRegs) \
636 { \
637 paSureRegs[iReg].pszName = a_pszName;\
638 paSureRegs[iReg].enmReg = DBGFREG_END; \
639 paSureRegs[iReg].enmType = a_Type; \
640 paSureRegs[iReg].Value.a_ValMemb = (a_Value); \
641 } \
642 iReg++; \
643 } while (0)
644#define MAYBE_ADD_GREG(a_Value, a_enmReg, a_idxReg) do { \
645 if (!(pState->u.x86.Loaded.s.fRegs & RT_BIT(a_idxReg))) \
646 { \
647 if (paSureRegs) \
648 { \
649 pState->u.x86.Loaded.s.fRegs |= RT_BIT(a_idxReg); \
650 pState->u.x86.auRegs[a_idxReg] = (a_Value); \
651 paSureRegs[iReg].Value.u64 = (a_Value); \
652 paSureRegs[iReg].enmReg = a_enmReg; \
653 paSureRegs[iReg].enmType = DBGFREGVALTYPE_U64; \
654 paSureRegs[iReg].pszName = NULL; \
655 } \
656 iReg++; \
657 } \
658 } while (0)
659 for (unsigned iLoop = 0; iLoop < 2; iLoop++)
660 {
661 uint32_t iReg = pFrame->cSureRegs;
662 ADD_REG_NAMED(DBGFREGVALTYPE_U64, u64, uTrapFrameAddr, "TrapFrame");
663 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, TrapFrame.ExceptionActive, "ExceptionActive");
664 if (TrapFrame.ExceptionActive == 0)
665 {
666 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, TrapFrame.PreviousIrql, "PrevIrql");
667 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, (uint8_t)TrapFrame.ErrCdOrXcptFrameOrS, "IntNo");
668 }
669 else if ( TrapFrame.ExceptionActive == 1
670 && TrapFrame.FaultIndicator == ((TrapFrame.ErrCdOrXcptFrameOrS >> 1) & 0x9))
671 ADD_REG_NAMED(DBGFREGVALTYPE_U64, u64, TrapFrame.FaultAddrOrCtxRecOrTS, "cr2-probably");
672 if (TrapFrame.SegCs & X86_SEL_RPL)
673 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, 1, "UserMode");
674 else
675 ADD_REG_NAMED(DBGFREGVALTYPE_U8, u8, 1, "KernelMode");
676 if (TrapFrame.ExceptionActive <= 1)
677 {
678 MAYBE_ADD_GREG(TrapFrame.Rax, DBGFREG_RAX, X86_GREG_xAX);
679 MAYBE_ADD_GREG(TrapFrame.Rcx, DBGFREG_RCX, X86_GREG_xCX);
680 MAYBE_ADD_GREG(TrapFrame.Rdx, DBGFREG_RDX, X86_GREG_xDX);
681 MAYBE_ADD_GREG(TrapFrame.R8, DBGFREG_R8, X86_GREG_x8);
682 MAYBE_ADD_GREG(TrapFrame.R9, DBGFREG_R9, X86_GREG_x9);
683 MAYBE_ADD_GREG(TrapFrame.R10, DBGFREG_R10, X86_GREG_x10);
684 MAYBE_ADD_GREG(TrapFrame.R11, DBGFREG_R11, X86_GREG_x11);
685 }
686 else if (TrapFrame.ExceptionActive == 2)
687 {
688 MAYBE_ADD_GREG(TrapFrame.Rbx, DBGFREG_RBX, X86_GREG_xBX);
689 MAYBE_ADD_GREG(TrapFrame.Rsi, DBGFREG_RSI, X86_GREG_xSI);
690 MAYBE_ADD_GREG(TrapFrame.Rdi, DBGFREG_RDI, X86_GREG_xDI);
691 }
692 // MAYBE_ADD_GREG(TrapFrame.Rbp, DBGFREG_RBP, X86_GREG_xBP); - KiInterrupt[Sub]Dispatch* may leave this invalid.
693
694 /* Done? */
695 if (iLoop > 0)
696 {
697 Assert(cRegs == iReg);
698 break;
699 }
700
701 /* Resize the array, zeroing the extension. */
702 if (pFrame->cSureRegs)
703 paSureRegs = (PDBGFREGVALEX)MMR3HeapRealloc(pFrame->paSureRegs, iReg * sizeof(paSureRegs[0]));
704 else
705 paSureRegs = (PDBGFREGVALEX)MMR3HeapAllocU(pUVM, MM_TAG_DBGF_STACK, iReg * sizeof(paSureRegs[0]));
706 AssertReturn(paSureRegs, VERR_NO_MEMORY);
707
708 pFrame->paSureRegs = paSureRegs;
709 RT_BZERO(&paSureRegs[pFrame->cSureRegs], (iReg - pFrame->cSureRegs) * sizeof(paSureRegs[0]));
710 cRegs = iReg;
711 }
712#undef ADD_REG_NAMED
713#undef MAYBE_ADD_GREG
714
715 /* Commit the register update. */
716 pFrame->cSureRegs = cRegs;
717 }
718 }
719 }
720 }
721
722 RT_NOREF(pUVM, pvData, idCpu, hAs, pInitialCtx, puScratch);
723 return VINF_SUCCESS;
724}
725
726
727/**
728 * @copydoc DBGFOSREG::pfnQueryInterface
729 */
730static DECLCALLBACK(void *) dbgDiggerWinNtQueryInterface(PUVM pUVM, void *pvData, DBGFOSINTERFACE enmIf)
731{
732 RT_NOREF(pUVM);
733 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
734
735 switch (enmIf)
736 {
737 case DBGFOSINTERFACE_WINNT:
738 return &pThis->IWinNt;
739 default:
740 return NULL;
741 }
742}
743
744
745/**
746 * @copydoc DBGFOSREG::pfnQueryVersion
747 */
748static DECLCALLBACK(int) dbgDiggerWinNtQueryVersion(PUVM pUVM, void *pvData, char *pszVersion, size_t cchVersion)
749{
750 RT_NOREF1(pUVM);
751 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
752 Assert(pThis->fValid);
753 const char *pszNtProductType;
754 switch (pThis->NtProductType)
755 {
756 case kNtProductType_WinNt: pszNtProductType = "-WinNT"; break;
757 case kNtProductType_LanManNt: pszNtProductType = "-LanManNT"; break;
758 case kNtProductType_Server: pszNtProductType = "-Server"; break;
759 default: pszNtProductType = ""; break;
760 }
761 RTStrPrintf(pszVersion, cchVersion, "%u.%u-%s%s (BuildNumber %u)", pThis->NtMajorVersion, pThis->NtMinorVersion,
762 pThis->f32Bit ? "x86" : "AMD64", pszNtProductType, pThis->NtBuildNumber);
763 return VINF_SUCCESS;
764}
765
766
767/**
768 * @copydoc DBGFOSREG::pfnTerm
769 */
770static DECLCALLBACK(void) dbgDiggerWinNtTerm(PUVM pUVM, void *pvData)
771{
772 RT_NOREF1(pUVM);
773 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
774 Assert(pThis->fValid);
775
776 /*
777 * As long as we're using our private LDR reader implementation,
778 * we must unlink and ditch the modules we created.
779 */
780 RTDBGAS hDbgAs = DBGFR3AsResolveAndRetain(pUVM, DBGF_AS_KERNEL);
781 if (hDbgAs != NIL_RTDBGAS)
782 {
783 uint32_t iMod = RTDbgAsModuleCount(hDbgAs);
784 while (iMod-- > 0)
785 {
786 RTDBGMOD hMod = RTDbgAsModuleByIndex(hDbgAs, iMod);
787 if (hMod != NIL_RTDBGMOD)
788 {
789 if (RTDbgModGetTag(hMod) == DIG_WINNT_MOD_TAG)
790 {
791 int rc = RTDbgAsModuleUnlink(hDbgAs, hMod);
792 AssertRC(rc);
793 }
794 RTDbgModRelease(hMod);
795 }
796 }
797 RTDbgAsRelease(hDbgAs);
798 }
799
800 if (pThis->paKpcrAddr)
801 RTMemFree(pThis->paKpcrAddr);
802 /* pThis->paKpcrbAddr comes from the same allocation as pThis->paKpcrAddr. */
803
804 pThis->paKpcrAddr = NULL;
805 pThis->paKpcrbAddr = NULL;
806
807 pThis->fValid = false;
808}
809
810
811/**
812 * @copydoc DBGFOSREG::pfnRefresh
813 */
814static DECLCALLBACK(int) dbgDiggerWinNtRefresh(PUVM pUVM, void *pvData)
815{
816 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
817 NOREF(pThis);
818 Assert(pThis->fValid);
819
820 /*
821 * For now we'll flush and reload everything.
822 */
823 dbgDiggerWinNtTerm(pUVM, pvData);
824
825 return dbgDiggerWinNtInit(pUVM, pvData);
826}
827
828
829/**
830 * @copydoc DBGFOSREG::pfnInit
831 */
832static DECLCALLBACK(int) dbgDiggerWinNtInit(PUVM pUVM, void *pvData)
833{
834 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
835 Assert(!pThis->fValid);
836
837 union
838 {
839 uint8_t au8[0x2000];
840 RTUTF16 wsz[0x2000/2];
841 NTKUSERSHAREDDATA UserSharedData;
842 } u;
843 DBGFADDRESS Addr;
844 int rc;
845
846 /*
847 * Figure the NT version.
848 */
849 DBGFR3AddrFromFlat(pUVM, &Addr, pThis->f32Bit ? NTKUSERSHAREDDATA_WINNT32 : NTKUSERSHAREDDATA_WINNT64);
850 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &Addr, &u, PAGE_SIZE);
851 if (RT_SUCCESS(rc))
852 {
853 pThis->NtProductType = u.UserSharedData.ProductTypeIsValid && u.UserSharedData.NtProductType <= kNtProductType_Server
854 ? (NTPRODUCTTYPE)u.UserSharedData.NtProductType
855 : kNtProductType_Invalid;
856 pThis->NtMajorVersion = u.UserSharedData.NtMajorVersion;
857 pThis->NtMinorVersion = u.UserSharedData.NtMinorVersion;
858 pThis->NtBuildNumber = u.UserSharedData.NtBuildNumber;
859 }
860 else if (pThis->fNt31)
861 {
862 pThis->NtProductType = kNtProductType_WinNt;
863 pThis->NtMajorVersion = 3;
864 pThis->NtMinorVersion = 1;
865 pThis->NtBuildNumber = 0;
866 }
867 else
868 {
869 Log(("DigWinNt: Error reading KUSER_SHARED_DATA: %Rrc\n", rc));
870 return rc;
871 }
872
873 /*
874 * Dig out the module chain.
875 */
876 DBGFADDRESS AddrPrev = pThis->PsLoadedModuleListAddr;
877 Addr = pThis->KernelMteAddr;
878 do
879 {
880 /* Read the validate the MTE. */
881 NTMTE Mte;
882 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &Addr, &Mte, pThis->f32Bit ? sizeof(Mte.vX_32) : sizeof(Mte.vX_64));
883 if (RT_FAILURE(rc))
884 break;
885 if (WINNT_UNION(pThis, &Mte, InLoadOrderLinks.Blink) != AddrPrev.FlatPtr)
886 {
887 Log(("DigWinNt: Bad Mte At %RGv - backpointer\n", Addr.FlatPtr));
888 break;
889 }
890 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, InLoadOrderLinks.Flink)) )
891 {
892 Log(("DigWinNt: Bad Mte at %RGv - forward pointer\n", Addr.FlatPtr));
893 break;
894 }
895 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, BaseDllName.Buffer)))
896 {
897 Log(("DigWinNt: Bad Mte at %RGv - BaseDllName=%llx\n", Addr.FlatPtr, WINNT_UNION(pThis, &Mte, BaseDllName.Buffer)));
898 break;
899 }
900 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, FullDllName.Buffer)))
901 {
902 Log(("DigWinNt: Bad Mte at %RGv - FullDllName=%llx\n", Addr.FlatPtr, WINNT_UNION(pThis, &Mte, FullDllName.Buffer)));
903 break;
904 }
905 if (!WINNT_VALID_ADDRESS(pThis, WINNT_UNION(pThis, &Mte, DllBase)))
906 {
907 Log(("DigWinNt: Bad Mte at %RGv - DllBase=%llx\n", Addr.FlatPtr, WINNT_UNION(pThis, &Mte, DllBase) ));
908 break;
909 }
910
911 uint32_t const cbImageMte = !pThis->fNt31 ? WINNT_UNION(pThis, &Mte, SizeOfImage) : 0;
912 if ( !pThis->fNt31
913 && ( cbImageMte > _256M
914 || WINNT_UNION(pThis, &Mte, EntryPoint) - WINNT_UNION(pThis, &Mte, DllBase) > cbImageMte) )
915 {
916 Log(("DigWinNt: Bad Mte at %RGv - EntryPoint=%llx SizeOfImage=%x DllBase=%llx\n",
917 Addr.FlatPtr, WINNT_UNION(pThis, &Mte, EntryPoint), cbImageMte, WINNT_UNION(pThis, &Mte, DllBase)));
918 break;
919 }
920
921 /* Read the full name. */
922 DBGFADDRESS AddrName;
923 DBGFR3AddrFromFlat(pUVM, &AddrName, WINNT_UNION(pThis, &Mte, FullDllName.Buffer));
924 uint16_t cbName = WINNT_UNION(pThis, &Mte, FullDllName.Length);
925 if (cbName < sizeof(u))
926 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &AddrName, &u, cbName);
927 else
928 rc = VERR_OUT_OF_RANGE;
929 if (RT_FAILURE(rc))
930 {
931 DBGFR3AddrFromFlat(pUVM, &AddrName, WINNT_UNION(pThis, &Mte, BaseDllName.Buffer));
932 cbName = WINNT_UNION(pThis, &Mte, BaseDllName.Length);
933 if (cbName < sizeof(u))
934 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &AddrName, &u, cbName);
935 else
936 rc = VERR_OUT_OF_RANGE;
937 }
938 if (RT_SUCCESS(rc))
939 {
940 u.wsz[cbName / 2] = '\0';
941
942 char *pszFilename;
943 rc = RTUtf16ToUtf8(u.wsz, &pszFilename);
944 if (RT_SUCCESS(rc))
945 {
946 char szModName[128];
947 const char *pszModName = dbgDiggerWintNtFilenameToModuleName(pszFilename, szModName, sizeof(szModName));
948
949 /* Read the start of the PE image and pass it along to a worker. */
950 DBGFADDRESS ImageAddr;
951 DBGFR3AddrFromFlat(pUVM, &ImageAddr, WINNT_UNION(pThis, &Mte, DllBase));
952 dbgDiggerWinNtProcessImage(pThis, pUVM, pszModName, pszFilename, &ImageAddr, cbImageMte);
953 RTStrFree(pszFilename);
954 }
955 }
956
957 /* next */
958 AddrPrev = Addr;
959 DBGFR3AddrFromFlat(pUVM, &Addr, WINNT_UNION(pThis, &Mte, InLoadOrderLinks.Flink));
960 } while ( Addr.FlatPtr != pThis->KernelMteAddr.FlatPtr
961 && Addr.FlatPtr != pThis->PsLoadedModuleListAddr.FlatPtr);
962
963 /* Try resolving the KPCR and KPCRB addresses for each vCPU. */
964 dbgDiggerWinNtResolveKpcr(pThis, pUVM);
965
966 pThis->fValid = true;
967 return VINF_SUCCESS;
968}
969
970
971/**
972 * @copydoc DBGFOSREG::pfnProbe
973 */
974static DECLCALLBACK(bool) dbgDiggerWinNtProbe(PUVM pUVM, void *pvData)
975{
976 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
977 DBGFADDRESS Addr;
978 union
979 {
980 uint8_t au8[8192];
981 uint16_t au16[8192/2];
982 uint32_t au32[8192/4];
983 IMAGE_DOS_HEADER MzHdr;
984 RTUTF16 wsz[8192/2];
985 X86DESCGATE a32Gates[X86_XCPT_PF + 1];
986 X86DESC64GATE a64Gates[X86_XCPT_PF + 1];
987 } u;
988
989 union
990 {
991 NTMTE32 v32;
992 NTMTE64 v64;
993 } uMte, uMte2, uMte3;
994
995 /*
996 * NT only runs in protected or long mode.
997 */
998 CPUMMODE const enmMode = DBGFR3CpuGetMode(pUVM, 0 /*idCpu*/);
999 if (enmMode != CPUMMODE_PROTECTED && enmMode != CPUMMODE_LONG)
1000 return false;
1001 bool const f64Bit = enmMode == CPUMMODE_LONG;
1002 uint64_t const uStart = f64Bit ? UINT64_C(0xffff080000000000) : UINT32_C(0x80001000);
1003 uint64_t const uEnd = f64Bit ? UINT64_C(0xffffffffffff0000) : UINT32_C(0xffff0000);
1004
1005 /*
1006 * To approximately locate the kernel we examine the IDTR handlers.
1007 *
1008 * The exception/trap/fault handlers are all in NT kernel image, we pick
1009 * KiPageFault here.
1010 */
1011 uint64_t uIdtrBase = 0;
1012 uint16_t uIdtrLimit = 0;
1013 int rc = DBGFR3RegCpuQueryXdtr(pUVM, 0, DBGFREG_IDTR, &uIdtrBase, &uIdtrLimit);
1014 AssertRCReturn(rc, false);
1015
1016 const uint16_t cbMinIdtr = (X86_XCPT_PF + 1) * (f64Bit ? sizeof(X86DESC64GATE) : sizeof(X86DESCGATE));
1017 if (uIdtrLimit < cbMinIdtr)
1018 return false;
1019
1020 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uIdtrBase), &u, cbMinIdtr);
1021 if (RT_FAILURE(rc))
1022 return false;
1023
1024 uint64_t uKrnlStart = uStart;
1025 uint64_t uKrnlEnd = uEnd;
1026 if (f64Bit)
1027 {
1028 uint64_t uHandler = u.a64Gates[X86_XCPT_PF].u16OffsetLow
1029 | ((uint32_t)u.a64Gates[X86_XCPT_PF].u16OffsetHigh << 16)
1030 | ((uint64_t)u.a64Gates[X86_XCPT_PF].u32OffsetTop << 32);
1031 if (uHandler < uStart || uHandler > uEnd)
1032 return false;
1033 uKrnlStart = (uHandler & ~(uint64_t)_4M) - _512M;
1034 uKrnlEnd = (uHandler + (uint64_t)_4M) & ~(uint64_t)_4M;
1035 }
1036 else
1037 {
1038 uint32_t uHandler = RT_MAKE_U32(u.a32Gates[X86_XCPT_PF].u16OffsetLow, u.a32Gates[X86_XCPT_PF].u16OffsetHigh);
1039 if (uHandler < uStart || uHandler > uEnd)
1040 return false;
1041 uKrnlStart = (uHandler & ~(uint64_t)_4M) - _64M;
1042 uKrnlEnd = (uHandler + (uint64_t)_4M) & ~(uint64_t)_4M;
1043 }
1044
1045 /*
1046 * Look for the PAGELK section name that seems to be a part of all kernels.
1047 * Then try find the module table entry for it. Since it's the first entry
1048 * in the PsLoadedModuleList we can easily validate the list head and report
1049 * success.
1050 *
1051 * Note! We ASSUME the section name is 8 byte aligned.
1052 */
1053 DBGFADDRESS KernelAddr;
1054 for (DBGFR3AddrFromFlat(pUVM, &KernelAddr, uKrnlStart);
1055 KernelAddr.FlatPtr < uKrnlEnd;
1056 KernelAddr.FlatPtr += PAGE_SIZE)
1057 {
1058 bool fNt31 = false;
1059 DBGFADDRESS const RetryAddress = KernelAddr;
1060 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &KernelAddr, uEnd - KernelAddr.FlatPtr,
1061 8, "PAGELK\0", sizeof("PAGELK\0"), &KernelAddr);
1062 if ( rc == VERR_DBGF_MEM_NOT_FOUND
1063 && enmMode != CPUMMODE_LONG)
1064 {
1065 /* NT3.1 didn't have a PAGELK section, so look for _TEXT instead. The
1066 following VirtualSize is zero, so check for that too. */
1067 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &RetryAddress, uEnd - RetryAddress.FlatPtr,
1068 8, "_TEXT\0\0\0\0\0\0", sizeof("_TEXT\0\0\0\0\0\0"), &KernelAddr);
1069 fNt31 = true;
1070 }
1071 if (RT_FAILURE(rc))
1072 break;
1073 DBGFR3AddrSub(&KernelAddr, KernelAddr.FlatPtr & PAGE_OFFSET_MASK);
1074
1075 /* MZ + PE header. */
1076 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, &KernelAddr, &u, sizeof(u));
1077 if ( RT_SUCCESS(rc)
1078 && u.MzHdr.e_magic == IMAGE_DOS_SIGNATURE
1079 && !(u.MzHdr.e_lfanew & 0x7)
1080 && u.MzHdr.e_lfanew >= 0x080
1081 && u.MzHdr.e_lfanew <= 0x400) /* W8 is at 0x288*/
1082 {
1083 if (enmMode != CPUMMODE_LONG)
1084 {
1085 IMAGE_NT_HEADERS32 const *pHdrs = (IMAGE_NT_HEADERS32 const *)&u.au8[u.MzHdr.e_lfanew];
1086 if ( pHdrs->Signature == IMAGE_NT_SIGNATURE
1087 && pHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386
1088 && pHdrs->FileHeader.SizeOfOptionalHeader == sizeof(pHdrs->OptionalHeader)
1089 && pHdrs->FileHeader.NumberOfSections >= 10 /* the kernel has lots */
1090 && (pHdrs->FileHeader.Characteristics & (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)) == IMAGE_FILE_EXECUTABLE_IMAGE
1091 && pHdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC
1092 && pHdrs->OptionalHeader.NumberOfRvaAndSizes == IMAGE_NUMBEROF_DIRECTORY_ENTRIES
1093 )
1094 {
1095 /* Find the MTE. */
1096 RT_ZERO(uMte);
1097 uMte.v32.DllBase = KernelAddr.FlatPtr;
1098 uMte.v32.EntryPoint = KernelAddr.FlatPtr + pHdrs->OptionalHeader.AddressOfEntryPoint;
1099 uMte.v32.SizeOfImage = !fNt31 ? pHdrs->OptionalHeader.SizeOfImage : 0; /* NT 3.1 didn't set the size. */
1100 DBGFADDRESS HitAddr;
1101 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &KernelAddr, uEnd - KernelAddr.FlatPtr,
1102 4 /*align*/, &uMte.v32.DllBase, 3 * sizeof(uint32_t), &HitAddr);
1103 while (RT_SUCCESS(rc))
1104 {
1105 /* check the name. */
1106 DBGFADDRESS MteAddr = HitAddr;
1107 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrSub(&MteAddr, RT_OFFSETOF(NTMTE32, DllBase)),
1108 &uMte2.v32, sizeof(uMte2.v32));
1109 if ( RT_SUCCESS(rc)
1110 && uMte2.v32.DllBase == uMte.v32.DllBase
1111 && uMte2.v32.EntryPoint == uMte.v32.EntryPoint
1112 && uMte2.v32.SizeOfImage == uMte.v32.SizeOfImage
1113 && WINNT32_VALID_ADDRESS(uMte2.v32.InLoadOrderLinks.Flink)
1114 && WINNT32_VALID_ADDRESS(uMte2.v32.BaseDllName.Buffer)
1115 && WINNT32_VALID_ADDRESS(uMte2.v32.FullDllName.Buffer)
1116 && uMte2.v32.BaseDllName.Length <= 128
1117 && uMte2.v32.FullDllName.Length <= 260
1118 )
1119 {
1120 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v32.BaseDllName.Buffer),
1121 u.wsz, uMte2.v32.BaseDllName.Length);
1122 u.wsz[uMte2.v32.BaseDllName.Length / 2] = '\0';
1123 if ( RT_SUCCESS(rc)
1124 && ( !RTUtf16ICmp(u.wsz, g_wszKernelNames[0])
1125 /* || !RTUtf16ICmp(u.wsz, g_wszKernelNames[1]) */
1126 )
1127 )
1128 {
1129 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/,
1130 DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v32.InLoadOrderLinks.Blink),
1131 &uMte3.v32, RT_SIZEOFMEMB(NTMTE32, InLoadOrderLinks));
1132 if ( RT_SUCCESS(rc)
1133 && uMte3.v32.InLoadOrderLinks.Flink == MteAddr.FlatPtr
1134 && WINNT32_VALID_ADDRESS(uMte3.v32.InLoadOrderLinks.Blink) )
1135 {
1136 Log(("DigWinNt: MteAddr=%RGv KernelAddr=%RGv SizeOfImage=%x &PsLoadedModuleList=%RGv (32-bit)\n",
1137 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v32.SizeOfImage, Addr.FlatPtr));
1138 pThis->KernelAddr = KernelAddr;
1139 pThis->KernelMteAddr = MteAddr;
1140 pThis->PsLoadedModuleListAddr = Addr;
1141 pThis->f32Bit = true;
1142 pThis->fNt31 = fNt31;
1143 return true;
1144 }
1145 }
1146 else if (RT_SUCCESS(rc))
1147 {
1148 Log2(("DigWinNt: Wrong module: MteAddr=%RGv ImageAddr=%RGv SizeOfImage=%#x '%ls'\n",
1149 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v32.SizeOfImage, u.wsz));
1150 break; /* Not NT kernel */
1151 }
1152 }
1153
1154 /* next */
1155 DBGFR3AddrAdd(&HitAddr, 4);
1156 if (HitAddr.FlatPtr < uEnd)
1157 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &HitAddr, uEnd - HitAddr.FlatPtr,
1158 4 /*align*/, &uMte.v32.DllBase, 3 * sizeof(uint32_t), &HitAddr);
1159 else
1160 rc = VERR_DBGF_MEM_NOT_FOUND;
1161 }
1162 }
1163 }
1164 else
1165 {
1166 IMAGE_NT_HEADERS64 const *pHdrs = (IMAGE_NT_HEADERS64 const *)&u.au8[u.MzHdr.e_lfanew];
1167 if ( pHdrs->Signature == IMAGE_NT_SIGNATURE
1168 && pHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64
1169 && pHdrs->FileHeader.SizeOfOptionalHeader == sizeof(pHdrs->OptionalHeader)
1170 && pHdrs->FileHeader.NumberOfSections >= 10 /* the kernel has lots */
1171 && (pHdrs->FileHeader.Characteristics & (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL))
1172 == IMAGE_FILE_EXECUTABLE_IMAGE
1173 && pHdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC
1174 && pHdrs->OptionalHeader.NumberOfRvaAndSizes == IMAGE_NUMBEROF_DIRECTORY_ENTRIES
1175 )
1176 {
1177 /* Find the MTE. */
1178 RT_ZERO(uMte.v64);
1179 uMte.v64.DllBase = KernelAddr.FlatPtr;
1180 uMte.v64.EntryPoint = KernelAddr.FlatPtr + pHdrs->OptionalHeader.AddressOfEntryPoint;
1181 uMte.v64.SizeOfImage = pHdrs->OptionalHeader.SizeOfImage;
1182 DBGFADDRESS ScanAddr;
1183 DBGFADDRESS HitAddr;
1184 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &ScanAddr, uStart),
1185 uEnd - uStart, 8 /*align*/, &uMte.v64.DllBase, 5 * sizeof(uint32_t), &HitAddr);
1186 while (RT_SUCCESS(rc))
1187 {
1188 /* Read the start of the MTE and check some basic members. */
1189 DBGFADDRESS MteAddr = HitAddr;
1190 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrSub(&MteAddr, RT_OFFSETOF(NTMTE64, DllBase)),
1191 &uMte2.v64, sizeof(uMte2.v64));
1192 if ( RT_SUCCESS(rc)
1193 && uMte2.v64.DllBase == uMte.v64.DllBase
1194 && uMte2.v64.EntryPoint == uMte.v64.EntryPoint
1195 && uMte2.v64.SizeOfImage == uMte.v64.SizeOfImage
1196 && WINNT64_VALID_ADDRESS(uMte2.v64.InLoadOrderLinks.Flink)
1197 && WINNT64_VALID_ADDRESS(uMte2.v64.BaseDllName.Buffer)
1198 && WINNT64_VALID_ADDRESS(uMte2.v64.FullDllName.Buffer)
1199 && uMte2.v64.BaseDllName.Length <= 128
1200 && uMte2.v64.FullDllName.Length <= 260
1201 )
1202 {
1203 /* Try read the base name and compare with known NT kernel names. */
1204 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v64.BaseDllName.Buffer),
1205 u.wsz, uMte2.v64.BaseDllName.Length);
1206 u.wsz[uMte2.v64.BaseDllName.Length / 2] = '\0';
1207 if ( RT_SUCCESS(rc)
1208 && ( !RTUtf16ICmp(u.wsz, g_wszKernelNames[0])
1209 /* || !RTUtf16ICmp(u.wsz, g_wszKernelNames[1]) */
1210 )
1211 )
1212 {
1213 /* Read the link entry of the previous entry in the list and check that its
1214 forward pointer points at the MTE we've found. */
1215 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/,
1216 DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v64.InLoadOrderLinks.Blink),
1217 &uMte3.v64, RT_SIZEOFMEMB(NTMTE64, InLoadOrderLinks));
1218 if ( RT_SUCCESS(rc)
1219 && uMte3.v64.InLoadOrderLinks.Flink == MteAddr.FlatPtr
1220 && WINNT64_VALID_ADDRESS(uMte3.v64.InLoadOrderLinks.Blink) )
1221 {
1222 Log(("DigWinNt: MteAddr=%RGv KernelAddr=%RGv SizeOfImage=%x &PsLoadedModuleList=%RGv (32-bit)\n",
1223 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v64.SizeOfImage, Addr.FlatPtr));
1224 pThis->KernelAddr = KernelAddr;
1225 pThis->KernelMteAddr = MteAddr;
1226 pThis->PsLoadedModuleListAddr = Addr;
1227 pThis->f32Bit = false;
1228 pThis->fNt31 = false;
1229 return true;
1230 }
1231 }
1232 else if (RT_SUCCESS(rc))
1233 {
1234 Log2(("DigWinNt: Wrong module: MteAddr=%RGv ImageAddr=%RGv SizeOfImage=%#x '%ls'\n",
1235 MteAddr.FlatPtr, KernelAddr.FlatPtr, uMte2.v64.SizeOfImage, u.wsz));
1236 break; /* Not NT kernel */
1237 }
1238 }
1239
1240 /* next */
1241 DBGFR3AddrAdd(&HitAddr, 8);
1242 if (HitAddr.FlatPtr < uEnd)
1243 rc = DBGFR3MemScan(pUVM, 0 /*idCpu*/, &HitAddr, uEnd - HitAddr.FlatPtr,
1244 8 /*align*/, &uMte.v64.DllBase, 3 * sizeof(uint32_t), &HitAddr);
1245 else
1246 rc = VERR_DBGF_MEM_NOT_FOUND;
1247 }
1248 }
1249 }
1250 }
1251 }
1252 return false;
1253}
1254
1255
1256/**
1257 * @copydoc DBGFOSREG::pfnDestruct
1258 */
1259static DECLCALLBACK(void) dbgDiggerWinNtDestruct(PUVM pUVM, void *pvData)
1260{
1261 RT_NOREF2(pUVM, pvData);
1262}
1263
1264
1265/**
1266 * @copydoc DBGFOSREG::pfnConstruct
1267 */
1268static DECLCALLBACK(int) dbgDiggerWinNtConstruct(PUVM pUVM, void *pvData)
1269{
1270 RT_NOREF1(pUVM);
1271 PDBGDIGGERWINNT pThis = (PDBGDIGGERWINNT)pvData;
1272 pThis->fValid = false;
1273 pThis->f32Bit = false;
1274 pThis->enmVer = DBGDIGGERWINNTVER_UNKNOWN;
1275
1276 pThis->IWinNt.u32Magic = DBGFOSIWINNT_MAGIC;
1277 pThis->IWinNt.pfnQueryVersion = dbgDiggerWinNtIWinNt_QueryVersion;
1278 pThis->IWinNt.pfnQueryKernelPtrs = dbgDiggerWinNtIWinNt_QueryKernelPtrs;
1279 pThis->IWinNt.pfnQueryKpcrForVCpu = dbgDiggerWinNtIWinNt_QueryKpcrForVCpu;
1280 pThis->IWinNt.pfnQueryCurThrdForVCpu = dbgDiggerWinNtIWinNt_QueryCurThrdForVCpu;
1281 pThis->IWinNt.u32EndMagic = DBGFOSIWINNT_MAGIC;
1282
1283 return VINF_SUCCESS;
1284}
1285
1286
1287const DBGFOSREG g_DBGDiggerWinNt =
1288{
1289 /* .u32Magic = */ DBGFOSREG_MAGIC,
1290 /* .fFlags = */ 0,
1291 /* .cbData = */ sizeof(DBGDIGGERWINNT),
1292 /* .szName = */ "WinNT",
1293 /* .pfnConstruct = */ dbgDiggerWinNtConstruct,
1294 /* .pfnDestruct = */ dbgDiggerWinNtDestruct,
1295 /* .pfnProbe = */ dbgDiggerWinNtProbe,
1296 /* .pfnInit = */ dbgDiggerWinNtInit,
1297 /* .pfnRefresh = */ dbgDiggerWinNtRefresh,
1298 /* .pfnTerm = */ dbgDiggerWinNtTerm,
1299 /* .pfnQueryVersion = */ dbgDiggerWinNtQueryVersion,
1300 /* .pfnQueryInterface = */ dbgDiggerWinNtQueryInterface,
1301 /* .pfnStackUnwindAssist = */ dbgDiggerWinNtStackUnwindAssist,
1302 /* .u32EndMagic = */ DBGFOSREG_MAGIC
1303};
1304
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette