support for DBVM 11 and improve launching DBVM to be more stable

maithanhduyan · Feb 20, 2018 · 336071c · 336071c
1 parent 76c363c
commit 336071c
Show file tree

Hide file tree

Showing 8 changed files with 570 additions and 502 deletions.
diff --git a/DBKKernel/DBKFunc.c b/DBKKernel/DBKFunc.c
@@ -90,6 +90,18 @@ calls a specific function for each cpu that runs in passive mode
 #endif
 }
 
+void forOneCpu(CCHAR cpunr, PKDEFERRED_ROUTINE dpcfunction, PVOID DeferredContext, PVOID  SystemArgument1, PVOID  SystemArgument2)
+{
+	PKDPC dpc;
+	dpc = ExAllocatePool(NonPagedPool, sizeof(KDPC));
+	KeInitializeDpc(dpc, dpcfunction, DeferredContext);
+	KeSetTargetProcessorDpc(dpc, cpunr);
+	KeInsertQueueDpc(dpc, SystemArgument1, SystemArgument2);
+	KeFlushQueuedDpcs();
+
+	ExFreePool(dpc);
+}
+
 void forEachCpu(PKDEFERRED_ROUTINE dpcfunction,  PVOID DeferredContext, PVOID  SystemArgument1, PVOID  SystemArgument2)
 /*
 calls a specified dpcfunction for each cpu on the system
@@ -203,24 +215,16 @@ calls a specified dpcfunction for each cpu on the system
 //own critical section implementation for use when the os is pretty much useless (dbvm tech)
 void spinlock(volatile int *lockvar)
 {
-	DWORD a[4];
-
-
 	while (1)
 	{
-		while (*(volatile int *)lockvar!=0)		
-		{
-			__nop();
-			__nop();
-			__cpuid(a,0); //serialize cpu's		
-			__nop();
-			__nop();
-		}
+
 		//it was 0, let's see if we can set it to 1
 		//race who can set it to 1:
 		if (_InterlockedExchange((volatile int *)lockvar, 1)==0)
 			return; //lock aquired, else continue loop
 
+		_mm_pause();
+
 	}
 
 }

diff --git a/DBKKernel/DBKFunc.h b/DBKKernel/DBKFunc.h
@@ -235,6 +235,9 @@ extern UINT64 getR13(void);
 extern UINT64 getR14(void);
 extern UINT64 getR15(void);
 
+extern UINT64 getAccessRights(UINT64 segment);
+extern UINT64 getSegmentLimit(UINT64 segment);
+
 
 int getCpuCount(void);
 
@@ -264,6 +267,7 @@ void enableInterrupts(void);
 void csEnter(PcriticalSection CS);
 void csLeave(PcriticalSection CS);
 
+void forOneCpu(CCHAR cpunr, PKDEFERRED_ROUTINE dpcfunction, PVOID DeferredContext, PVOID  SystemArgument1, PVOID  SystemArgument2);
 void forEachCpu(PKDEFERRED_ROUTINE dpcfunction,  PVOID DeferredContext, PVOID  SystemArgument1, PVOID  SystemArgument2);
 void forEachCpuAsync(PKDEFERRED_ROUTINE dpcfunction, PVOID DeferredContext, PVOID  SystemArgument1, PVOID  SystemArgument2);
 void forEachCpuPassive(PF f, UINT_PTR param);

diff --git a/DBKKernel/IOPLDispatcher.c b/DBKKernel/IOPLDispatcher.c
@@ -959,42 +959,12 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 				pinp=Irp->AssociatedIrp.SystemBuffer;
 				DbgPrint("IOCTL_CE_LAUNCHDBVM\n");
 
+				initializeDBVM((PCWSTR)pinp->dbvmimgpath);
+
 				if (pinp->cpuid == 0xffffffff)
-				{
-					DbgPrint("cpuid=0xffffffff\n");
-					forEachCpuPassive(vmxoffload_passive, (UINT_PTR)pinp->dbvmimgpath);
-				}
+					forEachCpu(vmxoffload_dpc, NULL, NULL, NULL);
 				else
-				{					
-					KAFFINITY newaffinity=(KAFFINITY)(1 << pinp->cpuid);					
-					//offload just for this cpu
-
-#if (NTDDI_VERSION >= NTDDI_VISTA)					
-					KAFFINITY oldaffinity;
-					oldaffinity = KeSetSystemAffinityThreadEx(newaffinity);
-#else
-					//XP and earlier (this routine is not called often, only when the user asks explicitly
-					{
-						LARGE_INTEGER delay;
-						delay.QuadPart = -50; //short wait just to be sure... (the docs do not say that a switch happens imeadiatly for the no Ex version)
-
-						KeSetSystemAffinityThread(newaffinity);
-						KeDelayExecutionThread(UserMode, FALSE, &delay);
-					}
-#endif
-
-					DbgPrint("cpuid=%d\n", pinp->cpuid);
-
-					vmxoffload_passive((UINT_PTR)pinp->dbvmimgpath);
-#if (NTDDI_VERSION >= NTDDI_VISTA)
-					KeRevertToUserAffinityThreadEx(oldaffinity);
-#endif
-				}
-				//vmxoffload_passive((UINT_PTR)pinp->dbvmimgpath);
-
-
-
-				//vmxoffload((PCWSTR)pinp->dbvmimgpath);
+					forOneCpu(pinp->cpuid, vmxoffload_dpc, NULL, NULL, NULL);					
 
 				DbgPrint("Returned from vmxoffload()\n");
 				break;

diff --git a/DBKKernel/amd64/dbkfunca.asm b/DBKKernel/amd64/dbkfunca.asm
@@ -135,9 +135,27 @@ getR14:
 PUBLIC getR15
 getR15:
 	mov rax,r15
-	ret														
+	ret				
+	
+PUBLIC getAccessRights										
+getAccessRights:
+  xor rax,rax
+  lar rax,rcx
+  jnz getAccessRights_invalid
+  shr rax,8
+  and rax,0f0ffh
+  ret
+  getAccessRights_invalid:
+  mov rax,010000h
+  ret
 
 
+PUBLIC getSegmentLimit										
+getSegmentLimit:
+  xor rax,rax
+  lsl rax,rcx
+  ret
+
 _TEXT   ENDS
         END
 
diff --git a/DBKKernel/amd64/vmxoffloada.asm b/DBKKernel/amd64/vmxoffloada.asm
@@ -47,6 +47,18 @@ _fs				QWORD ?
 _gs				QWORD ?
 _tr				QWORD ?
 _ldt			QWORD ?	
+_cs_AccessRights	QWORD ?	
+_ss_AccessRights	QWORD ?	
+_ds_AccessRights	QWORD ?	
+_es_AccessRights	QWORD ?	
+_fs_AccessRights	QWORD ?	
+_gs_AccessRights	QWORD ?	
+_cs_Limit	QWORD ?	
+_ss_Limit	QWORD ?	
+_ds_Limit	QWORD ?	
+_es_Limit	QWORD ?	
+_fs_Limit	QWORD ?	
+_gs_Limit	QWORD ?	
 _fsbase			QWORD ?
 _gsbase			QWORD ?
 S_ORIGINALSTATE ENDS
@@ -55,7 +67,7 @@ PS_ORIGNALSTATE TYPEDEF PTR S_ORIGINALSTATE
 
 EXTERN NewGDTDescriptor: GDTDesc
 EXTERN NewGDTDescriptorVA: QWORD
-EXTERN pagedirptrbasePA: QWORD
+EXTERN DBVMPML4PA: QWORD
 EXTERN TemporaryPagingSetupPA: QWORD
 EXTERN enterVMM2PA: QWORD
 EXTERN originalstatePA: QWORD
@@ -66,29 +78,21 @@ EXTERN vmmPA: QWORD
 
 _TEXT SEGMENT 'CODE'
 
-
+PUBLIC JTAGBP
+JTAGBP:
+db 0f1h
+ret
 
 PUBLIC enterVMM
 enterVMM:
 begin:
-	xchg bx,bx ;trigger bochs breakpoint
-	
-
-	;setup the GDT
-	nop
-	nop
-	nop
-	nop
-	nop
-	nop	
-
 	;switch to identity mapped pagetable
+
 	mov cr3,rdx
 	jmp short weee
 weee:
-
-
-
+	nop
+	nop
 
 	
 	;now jump to the physical address (identity mapped to the same virtual address)
@@ -121,21 +125,21 @@ secondentry:
 	;enable PAE and PSE (just to make sure)
 	mov eax,30h
 	mov cr4,rax	
-	
+
 	mov cr3,rcx
+	nop
+	nop
 	jmp short weee2
 weee2:
+    nop
+	nop
 
-
-	
-	mov rax,007ffff0h
 	mov rbx,0
 	mov ds,bx
 	mov es,bx
 	mov fs,bx
 	mov gs,bx
 	mov ss,bx
-	mov rsp,rax
 	
 	mov rax,cr0
 	or eax,10000h
@@ -145,7 +149,11 @@ weee2:
 	nop
 	nop
 	nop
+	;db 0f1h  ;jtag
+	nop
+	nop
 	nop	
+
 	
 	jmp fword ptr [vmmjump]
 	;jmp fword ptr [vmmjump] ;one thing that I don't mind about x64, relative addressing, so no need to change it by me
@@ -210,7 +218,7 @@ enterVMMPrologue:
 	mov rbx,NewGDTDescriptorVA
 	lgdt fword ptr [rbx]
 	
-	mov rcx,pagedirptrbasePA
+	mov rcx,DBVMPML4PA
 	mov rdx,TemporaryPagingSetupPA 
 	mov rsi,enterVMM2PA
 	

diff --git a/DBKKernel/ce.bat b/DBKKernel/ce.bat
@@ -22,6 +22,8 @@ goto error
 
 :x86success:
 	copy .\obj%BUILD_ALT_DIR%\amd64\dbk.sys "..\Cheat Engine\bin\dbk64.sys"
+        copy .\obj%BUILD_ALT_DIR%\amd64\dbk.sys .\obj%BUILD_ALT_DIR%\amd64\dbk64.sys
+        copy .\obj%BUILD_ALT_DIR%\amd64\dbk.pdb .\obj%BUILD_ALT_DIR%\amd64\dbk64.pdb
 	goto successend