|
|
title "Vdm Instuction Emulation";++;; Copyright (c) 1989 Microsoft Corporation;; Module Name:;; instemul.asm;; Abstract:;; This module contains the routines for emulating instructions and; faults to a VDM.;; Author:;; Dave Hastings (daveh) 29-March-1991;; Environment:;; Kernel mode only.;; Notes:;;;sudeepb 09-Dec-1992 Very Sonn this file will be deleted and protected; mode instruction emulation will be merged in; emv86.asm. Particularly following routines will; simply become OpcodeInvalid.; OpcodeIret; OpcodePushf; OpcodePopf; OpcodeHlt; Other routines such as; OpcodeCli; OpcodeSti; OpcodeIN/OUT/SB/Immb etc; will map exactly like emv86.asm; OpcodeInt will be the main differeing routine.;; OpcodeDispatch Table will be deleted.;; So before making any major changes in this file please see; Sudeepb or Daveh.;;neilsa 19-Oct-1993 Size and performance enhancements;jonle 15-Nov-1993 - The Debug messages for each opcode may no longer work; correctly, because interrupts may not have been enabled;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Revision History:;;--.386p .xlistinclude ks386.incinclude i386\kimacro.incinclude mac386.incinclude i386\mi.incinclude callconv.incinclude ..\..\vdm\i386\vdm.incinclude vdmtib.incinclude irqli386.inc .list
extrn VdmOpcode0f:proc extrn OpcodeNPXV86:proc extrn VdmDispatchIntAck:proc ;; only OpcodeSti uses thisifdef VDMDBG EXTRNP _VdmTraceEvent,4endif extrn CommonDispatchException:proc ;; trap.asm extrn _DbgPrint:proc extrn _KeI386VirtualIntExtensions:dword extrn _MmHighestUserAddress:dword EXTRNP _Ki386GetSelectorParameters,4 EXTRNP _Ki386VdmDispatchIo,5 EXTRNP _Ki386VdmDispatchStringIo,8 EXTRNP _KiDispatchException,5 EXTRNP _VdmPrinterStatus,3 EXTRNP _VdmPrinterWriteData, 3 EXTRNP _VdmClearPMCliTimeStamp, 0 EXTRNP _VdmSetPMCliTimeStamp, 1 extrn _MmUserProbeAddress:DWORD EXTRNP _VdmFetchULONG,1 EXTRNP _Ki386AdjustEsp0,1
page ,132
ifdef VDMDBG%out Debugging version
endif
;; Force assume into place;
_PAGE SEGMENT DWORD PUBLIC 'CODE' ASSUME DS:NOTHING, ES:NOTHING, SS:NOTHING, FS:NOTHING, GS:NOTHING_PAGE ENDS
_TEXT$00 SEGMENT DWORD PUBLIC 'CODE' ASSUME DS:NOTHING, ES:NOTHING, SS:NOTHING, FS:NOTHING, GS:NOTHING_TEXT$00 ENDS
PAGECONST SEGMENT DWORD PUBLIC 'DATA'
;; Instruction emulation emulates the following instructions.; The emulation affects the noted user mode registers.;; In protected mode, the following instructions are emulated in the kernel;; Registers (E)Flags (E)SP SS CS; INTnn X X X X; INTO X X X X; CLI X; STI X;; The following instructions are always emulated by reflection to the; Usermode VDM monitor;; INSB; INSW; OUTSB; OUTSW; INBimm; INWimm; OUTBimm; OUTWimm; INB; INW; OUTB; OUTW;; WARNING What do we do about 32 bit io instructions??
;; OpcodeIndex - packed 1st level table to index OpcodeDispatch table; public OpcodeIndexdiBEGIN OpcodeIndex,VDM_INDEX_Invalid dtI 0fh, VDM_INDEX_0F dtI 26h, VDM_INDEX_ESPrefix dtI 2eh, VDM_INDEX_CSPrefix dtI 36h, VDM_INDEX_SSPrefix dtI 3eh, VDM_INDEX_DSPrefix dtI 64h, VDM_INDEX_FSPrefix dtI 65h, VDM_INDEX_GSPrefix dtI 66h, VDM_INDEX_OPER32Prefix dtI 67h, VDM_INDEX_ADDR32Prefix dtI 6ch, VDM_INDEX_INSB dtI 6dh, VDM_INDEX_INSW dtI 6eh, VDM_INDEX_OUTSB dtI 6fh, VDM_INDEX_OUTSW dtI 9bh, VDM_INDEX_NPX dtI 9ch, VDM_INDEX_PUSHF dtI 9dh, VDM_INDEX_POPF dtI 0cdh, VDM_INDEX_INTnn dtI 0ceh, VDM_INDEX_INTO dtI 0cfh, VDM_INDEX_IRET dtI 0d8h, VDM_INDEX_NPX dtI 0d9h, VDM_INDEX_NPX dtI 0dah, VDM_INDEX_NPX dtI 0dbh, VDM_INDEX_NPX dtI 0dch, VDM_INDEX_NPX dtI 0ddh, VDM_INDEX_NPX dtI 0deh, VDM_INDEX_NPX dtI 0dfh, VDM_INDEX_NPX dtI 0e4h, VDM_INDEX_INBimm dtI 0e5h, VDM_INDEX_INWimm dtI 0e6h, VDM_INDEX_OUTBimm dtI 0e7h, VDM_INDEX_OUTWimm dtI 0ech, VDM_INDEX_INB dtI 0edh, VDM_INDEX_INW dtI 0eeh, VDM_INDEX_OUTB dtI 0efh, VDM_INDEX_OUTW dtI 0f0h, VDM_INDEX_LOCKPrefix dtI 0f2h, VDM_INDEX_REPNEPrefix dtI 0f3h, VDM_INDEX_REPPrefix dtI 0f4h, VDM_INDEX_HLT dtI 0fah, VDM_INDEX_CLI dtI 0fbh, VDM_INDEX_STIdiEND NUM_OPCODE
;; OpcodeDispatch - table of routines used to emulate instructions;
public OpcodeDispatchdtBEGIN OpcodeDispatch,OpcodeInvalid dtS VDM_INDEX_0F , Opcode0F dtS VDM_INDEX_ESPrefix , OpcodeESPrefix dtS VDM_INDEX_CSPrefix , OpcodeCSPrefix dtS VDM_INDEX_SSPrefix , OpcodeSSPrefix dtS VDM_INDEX_DSPrefix , OpcodeDSPrefix dtS VDM_INDEX_FSPrefix , OpcodeFSPrefix dtS VDM_INDEX_GSPrefix , OpcodeGSPrefix dtS VDM_INDEX_OPER32Prefix, OpcodeOPER32Prefix dtS VDM_INDEX_ADDR32Prefix, OpcodeADDR32Prefix dtS VDM_INDEX_INSB , OpcodeINSB dtS VDM_INDEX_INSW , OpcodeINSW dtS VDM_INDEX_OUTSB , OpcodeOUTSB dtS VDM_INDEX_OUTSW , OpcodeOUTSW dtS VDM_INDEX_INTnn , OpcodeINTnn dtS VDM_INDEX_INTO , OpcodeINTO dtS VDM_INDEX_INBimm , OpcodeINBimm dtS VDM_INDEX_INWimm , OpcodeINWimm dtS VDM_INDEX_OUTBimm , OpcodeOUTBimm dtS VDM_INDEX_OUTWimm , OpcodeOUTWimm dtS VDM_INDEX_INB , OpcodeINB dtS VDM_INDEX_INW , OpcodeINW dtS VDM_INDEX_OUTB , OpcodeOUTB dtS VDM_INDEX_OUTW , OpcodeOUTW dtS VDM_INDEX_LOCKPrefix , OpcodeLOCKPrefix dtS VDM_INDEX_REPNEPrefix , OpcodeREPNEPrefix dtS VDM_INDEX_REPPrefix , OpcodeREPPrefix dtS VDM_INDEX_CLI , OpcodeCLI dtS VDM_INDEX_STI , OpcodeSTIdtEND MAX_VDM_INDEX
PAGECONST ENDS
PAGEDATA SEGMENT DWORD PUBLIC 'DATA'
public _ExVdmOpcodeDispatchCounts,_ExVdmSegmentNotPresent_ExVdmOpcodeDispatchCounts dd MAX_VDM_INDEX dup(0)_ExVdmSegmentNotPresent dd 0
PAGEDATA ENDS
_PAGE SEGMENT DWORD PUBLIC 'CODE' ASSUME DS:NOTHING, ES:NOTHING, SS:FLAT, FS:NOTHING, GS:NOTHING
page ,132 subttl "Overide Prefix Macro";++;; Routine Description:;; This macro generates the code for handling override prefixes; The routine name generated is OpcodeXXXXPrefix, where XXXX is; the name used in the macro invocation. The code will set the; PREFIX_XXXX bit in the Prefix flags.;; Arguments; name = name of prefix; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns; user mode Eip advanced; eax advanced; edx contains next byte of opcode;; NOTE: This routine exits by dispatching through the table again.;--opPrefix macro name public Opcode&name&PrefixOpcode&name&Prefix proc
or [esi].RiPrefixFlags,PREFIX_&name jmp OpcodeGenericPrefix ; dispatch to next handler
Opcode&name&Prefix endpendm
irp prefix, <ES, CS, SS, DS, FS, GS, OPER32, ADDR32, LOCK, REPNE, REP>
opPrefix prefix
endm
page ,132 subttl "Instruction Emulation Dispatcher";++;; Routine Description:;; This routine dispatches to the opcode specific emulation routine,; based on the first byte of the opcode. Two byte opcodes, and prefixes; result in another level of dispatching, from the handling routine.;; Arguments:;; [esp+4] = pointer to trap frame;; Returns:;; Nothing;;
cPublicProc _Ki386DispatchOpcode,1
push ebp mov ebp, [esp+8] sub esp,REGINFOSIZE mov esi, esp ; scratch area
CsToLinearPM [ebp].TsSegCs, doerr ; initialize reginfo
mov edi,[ebp].TsEip ; get fault instruction address cmp edi,[esi].RiCsLimit ; check eip ja doerr
add edi,[esi].RiCsBase cmp edi, _MmUserProbeAddress ja doerr
movzx ecx,byte ptr [edi] ; get faulting opcode
mov eax,ecx and eax,0F8h ; check for npx instr cmp eax,0D8h je do30 ; dispatch
movzx eax, OpcodeIndex[ecx] mov ebx,1 ; length count, flags
; All handler routines will get the following on entry ; ebp -> trap frame ; ebx -> prefix flags, instruction length count ; ecx -> byte at the faulting address ; edx -> pointer to vdm state in DOS arena ; interrupts enabled and Irql at APC level ; edi -> address of faulting instruction ; esi -> reginfo struct ; All handler routines will return ; EAX = 0 for failure ; EAX = 1 for successif DEVL inc _ExVdmOpcodeDispatchCounts[eax * type _ExVdmOpcodeDispatchCounts]endififdef VDMDBG pushad stdCall _VdmTraceEvent, <VDMTR_KERNEL_OP_PM,ecx,0,ebp> popadendif
call OpcodeDispatch[eax * type OpcodeDispatch]do20: add esp,REGINFOSIZE pop ebp stdRET _Ki386DispatchOpcode
doerr: xor eax,eax jmp do20
; ; If we get here, we have executed an NPX instruction in user mode ; with the emulator installed. If the EM bit was not set in CR0, the ; app really wanted to execute the instruction for detection purposes. ; In this case, we need to clear the TS bit, and restart the instruction. ; Otherwise we need to reflect the exception ;do30: call OpcodeNPXV86 jmp short do20
stdENDP _Ki386DispatchOpcode
page ,132 subttl "Invalid Opcode Handler";++;; Routine Description:;; This routine causes a GP fault to be reflected to the vdm;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeInvalidOpcodeInvalid proc xor eax,eax ; ret fail ret
OpcodeInvalid endp
page ,132 subttl "Generic Prefix Handler";++;; Routine Description:;; This routine handles the generic portion of all of the prefixes,; and dispatches the next byte of the opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; user mode Eip advanced; edx contains next byte of opcode;
public OpcodeGenericPrefixOpcodeGenericPrefix proc
inc edi ; increment eip inc ebx ; increment size cmp bl, 128 ; set arbitrary inst size limit ja ogperr ; in case of pointless prefixes
mov eax,edi ; current linear address sub eax,[esi].RiCsBase ; make address eip cmp eax,[esi].RiCsLimit ; check eip ja ogperr
cmp edi, [_MmHighestUserAddress] ja ogperr
mov cl,byte ptr [edi] ; get next opcode
movzx eax, OpcodeIndex[ecx]if DEVL inc _ExVdmOpcodeDispatchCounts[eax * type _ExVdmOpcodeDispatchCounts]endif jmp OpcodeDispatch[eax * type OpcodeDispatch]
ogperr: xor eax,eax ; opcode was NOT handled ret
OpcodeGenericPrefix endp
page ,132 subttl "0F Opcode Handler";++;; Routine Description:;; This routine emulates a 0Fh opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public Opcode0FOpcode0F proc
mov eax,[ebp].TsEip ; get fault instruction address mov [esi].RiEip,eax mov [esi].RiTrapFrame,ebp mov [esi].RiPrefixFlags,ebx mov eax,dword ptr [ebp].TsEFlags mov [esi].RiEFlags,eax
call VdmOpcode0F ; enables interrupts test eax,0FFFFh jz o0f20
mov eax,[esi].RiEip mov [ebp].TsEip,eax mov eax,1o0f20: ret
Opcode0F endp
page ,132 subttl "Byte string in Opcode Handler";++;; Routine Description:;; This routine emulates an INSB opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;; WARNING what to do about size override? ds override?
public OpcodeINSBOpcodeINSB proc
push ebp ; Trap Frame push ebx ; size of insb
movzx eax,word ptr [ebp].TsSegEs shl eax,16 ; WARNING no support for 32bit edi mov ax,word ptr [ebp].TsEdi ; don't support 32bit'ness push eax ; address
xor eax, eax mov ecx,1 test ebx,PREFIX_REP jz @f
mov eax, 1 ; WARNING no support for 32bit ecx movzx ecx,word ptr [ebp].TsEcx@@:
push ecx ; number of io ops push TRUE ; read op push eax ; REP prefix push 1 ; byte op movzx edx,word ptr [ebp].TsEdx push edx ; port number call _Ki386VdmDispatchStringIo@32 ; use retval
ret
OpcodeINSB endp
page ,132 subttl "Word String In Opcode Handler";++;; Routine Description:;; This routine emulates an INSW opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeINSWOpcodeINSW proc
push ebp ; Trap frame push ebx ; sizeof insw
movzx eax,word ptr [ebp].TsSegEs shl eax,16 ; WARNING no support for 32bit edi mov ax,word ptr [ebp].TsEdi push eax ; address
xor eax, eax mov ecx,1 test ebx,PREFIX_REP jz @f
mov eax, 1 ; WARNING no support for 32bit ecx movzx ecx,word ptr [ebp].TsEcx@@: movzx edx,word ptr [ebp].TsEdx push ecx ; number of io ops push TRUE ; read op push eax ; REP prefix push 2 ; word size push edx ; port number call _Ki386VdmDispatchStringIo@32 ; use retval
ret
OpcodeINSW endp
page ,132 subttl "Byte String Out Opcode Handler";++;; Routine Description:;; This routine emulates an OUTSB opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeOUTSBOpcodeOUTSB proc
push ebp ; Trap Frame push ebx ; size of outsb
movzx eax,word ptr [ebp].TsSegDs shl eax,16 ; WARNING don't support 32bit'ness, esi mov ax,word ptr [ebp].TsEsi push eax ; address
xor eax, eax mov ecx,1 test ebx,PREFIX_REP jz @f
mov eax, 1 ; WARNING don't support 32bit'ness ecx movzx ecx,word ptr [ebp].TsEcx@@: movzx edx,word ptr [ebp].TsEdx push ecx ; number of io ops push FALSE ; write op push eax ; REP prefix push 1 ; byte op push edx ; port number call _Ki386VdmDispatchStringIo@32 ; use retval
ret
OpcodeOUTSB endp
page ,132 subttl "Word String Out Opcode Handler";++;; Routine Description:;; This routine emulates an OUTSW opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeOUTSWOpcodeOUTSW proc
push ebp ; Trap Frame push ebx ; size of outsb
movzx eax,word ptr [ebp].TsSegDs shl eax,16 ; WARNING don't support 32bit'ness esi mov ax,word ptr [ebp].TsEsi push eax ; address
xor eax, eax mov ecx,1 test ebx,PREFIX_REP jz @f
mov eax, 1 ; WARNING don't support 32bit'ness ecx movzx ecx,word ptr [ebp].TsEcx@@: movzx edx,word ptr [ebp].TsEdx
push ecx ; number of io ops push FALSE ; write op push eax ; REP prefix push 2 ; byte op push edx ; port number call _Ki386VdmDispatchStringIo@32 ; use retval
ret
OpcodeOUTSW endp
page ,132 subttl "INTnn Opcode Handler";++;; Routine Description:;; This routine emulates an INTnn opcode. It retrieves the handler; from the IVT, pushes the current cs:ip and flags on the stack,; and dispatches to the handler.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; Current CS:IP on user stack; RiCs:RiEip -> handler from IVT;
public OpcodeINTnnOpcodeINTnn proc
mov eax, ds:FIXED_NTVDMSTATE_LINEAR and eax, (VDM_INTERRUPT_PENDING + VDM_VIRTUAL_INTERRUPTS) cmp eax, (VDM_INTERRUPT_PENDING + VDM_VIRTUAL_INTERRUPTS) jnz short oi10
call VdmDispatchIntAck jmp oi99
oi10: mov eax,dword ptr [ebp].TsEFlags call GetVirtualBits ; set interrupt flag mov [esi].RiEFlags,eax movzx eax,word ptr [ebp].TsHardwareSegSs call SsToLinear test al,0FFh jz oinerr
inc edi ; point to int # mov eax,edi ; current linear address sub eax,[esi].RiCsBase ; make address eip cmp eax,[esi].RiCsLimit ; check eip ja oinerr
cmp edi, [_MmHighestUserAddress] ja oinerr
movzx ecx,byte ptr [edi] ; get int # inc eax ; inc past end of instruction mov [esi].RiEip,eax ; save for pushint's benefit call PushInt ; will return retcode in al test al,0FFh jz oinerr ; error!
mov eax,[esi].RiEsp mov [ebp].TsHardwareEsp,eax mov ax,word ptr [esi].RiSegCs or ax, 7 ; R3 LDT selectors only cmp ax, 8 jge short @f
test dword ptr [ebp]+TsEFlags, EFLAGS_V86_MASK jnz short @f
mov ax, KGDT_R3_DATA OR RPL_MASK@@: mov word ptr [ebp].TsSegCs,ax mov eax,[esi].RiEFlags push [ebp].TsEFlags mov [ebp].TsEFlags,eax or [ebp].TsEFlags, EFLAGS_INTERRUPT_MASK xor eax, [esp] test eax, EFLAGS_V86_MASK pop eax je short @f
stdCall _Ki386AdjustEsp0, <ebp>@@: mov eax,[esi].RiEip mov [ebp].TsEip,eaxoi99: mov eax,1 ret
oinerr: xor eax,eax ret
OpcodeINTnn endp
page ,132 subttl "INTO Opcode Handler";++;; Routine Description:;; This routine emulates an INTO opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeINTOOpcodeINTO proc
xor eax,eax ret
OpcodeINTO endp
page ,132 subttl "In Byte Immediate Opcode Handler";++;; Routine Description:;; This routine emulates an in byte immediate opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeINBimmOpcodeINBimm proc
inc ebx ; length count inc edi mov eax,edi ; current linear address sub eax,[esi].RiCsBase ; make address eip cmp eax,[esi].RiCsLimit ; check eip ja oibi20
cmp edi, [_MmHighestUserAddress] ja oibi20
movzx ecx,byte ptr [edi]
; (eax) = inst. size; read op; I/O size = 1; (ecx) = port number
stdCall _Ki386VdmDispatchIo, <ecx, 1, TRUE, ebx, ebp> retoibi20: xor eax, eax ; not handled ret
OpcodeINBimm endp
page ,132 subttl "Word In Immediate Opcode Handler";++;; Routine Description:;; This routine emulates an in word immediate opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeINWimmOpcodeINWimm proc
inc ebx ; length count inc edi mov eax,edi ; current linear address sub eax,[esi].RiCsBase ; make address eip cmp eax,[esi].RiCsLimit ; check eip ja oiwi20
cmp edi, [_MmHighestUserAddress] ja oiwi20
movzx ecx,byte ptr [edi]
; TRUE - read op; 2 - word op; ecx - port number stdCall _Ki386VdmDispatchIo, <ecx, 2, TRUE, ebx, ebp> retoiwi20: xor eax, eax ; not handled ret
OpcodeINWimm endp
page ,132 subttl "Out Byte Immediate Opcode Handler";++;; Routine Description:;; This routine emulates an invalid opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeOUTBimmOpcodeOUTBimm proc
inc ebx ; length count inc edi mov eax,edi ; current linear address sub eax,[esi].RiCsBase ; make address eip cmp eax,[esi].RiCsLimit ; check eip ja oobi20
cmp edi, [_MmHighestUserAddress] ja oobi20
movzx ecx,byte ptr [edi]
; FALSE - write op; 1 - byte op; ecx - port #
stdCall _Ki386VdmDispatchIo, <ecx, 1, FALSE, ebx, ebp> retoobi20: xor eax, eax ; not handled ret
OpcodeOUTBimm endp
page ,132 subttl "Out Word Immediate Opcode Handler";++;; Routine Description:;; This routine emulates an out word immediate opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeOUTWimmOpcodeOUTWimm proc
inc ebx ; length count inc edi mov eax,edi ; current linear address sub eax,[esi].RiCsBase ; make address eip cmp eax,[esi].RiCsLimit ; check eip ja oowi20
cmp edi, [_MmHighestUserAddress] ja oowi20
movzx ecx,byte ptr [edi]
; FALSE - write op; 2 - word op; ecx - port number stdCall _Ki386VdmDispatchIo, <ecx, 2, FALSE, ebx, ebp> ret
oowi20: xor eax, eax ; not handled ret
OpcodeOUTWimm endp
page ,132 subttl "INB Opcode Handler";++;; Routine Description:;; This routine emulates an INB opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeINBOpcodeINB proc
movzx eax,word ptr [ebp].TsEdx
; TRUE - read op; 1 - byte op; eax - port number
cmp eax, 3bdh jz oib_prt1 cmp eax, 379h jz oib_prt1 cmp eax, 279h jz oib_prt1
oib_reflect: stdCall _Ki386VdmDispatchIo, <eax, 1, TRUE, ebx, ebp> ret
oib_prt1: ; call printer status routine with port number, size, trap frame movzx ebx, bl ;clear prefix flags push eax stdCall _VdmPrinterStatus, <eax, ebx, ebp> or al,al pop eax jz short oib_reflect mov al, 1 ret
OpcodeINB endp
page ,132 subttl "INW Opcode Handler";++;; Routine Description:;; This routine emulates an INW opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeINWOpcodeINW proc
movzx eax,word ptr [ebp].TsEdx
; TRUE - read operation; 2 - word op; eax - port number stdCall _Ki386VdmDispatchIo, <eax, 2, TRUE, ebx, ebp> ret
OpcodeINW endp
page ,132 subttl "OUTB Opcode Handler";++;; Routine Description:;; This routine emulates an OUTB opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeOUTBOpcodeOUTB proc
movzx eax,word ptr [ebp].TsEdx
cmp eax, 03BCh je short oob_printerVDD cmp eax, 0378h je short oob_printerVDD cmp eax, 0278h jz short oob_printerVDD
oob_reflect:; FALSE - write op; 1 - byte op; eax - port number stdCall _Ki386VdmDispatchIo, <eax, 1, FALSE, ebx, ebp> ret
oob_printerVDD: movzx ebx, bl ; instruction size push eax ; save port address stdCall _VdmPrinterWriteData, <eax, ebx, ebp> or al,al ; pop eax jz short oob_reflect mov al, 1 ret
OpcodeOUTB endp
page ,132 subttl "OUTW Opcode Handler";++;; Routine Description:;; This routine emulates an OUTW opcode.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeOUTWOpcodeOUTW proc
movzx eax,word ptr [ebp].TsEdx
; FALSE - write op; 2 - word op; edi - port # stdCall _Ki386VdmDispatchIo, <eax, 2, FALSE, ebx, ebp> ret
OpcodeOUTW endp
page ,132 subttl "CLI Opcode Handler";++;; Routine Description:;; This routine emulates an CLI opcode. It clears the virtual; interrupt flag in the VdmTeb.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeCLIOpcodeCLI proc
mov eax, ds:FIXED_NTVDMSTATE_LINEAR and eax, (VDM_INTERRUPT_PENDING + VDM_VIRTUAL_INTERRUPTS) cmp eax, (VDM_INTERRUPT_PENDING + VDM_VIRTUAL_INTERRUPTS) jnz short oc50
call VdmDispatchIntAck jmp short oc99
oc50: mov eax,[ebp].TsEFlags and eax,NOT EFLAGS_INTERRUPT_MASK call SetVirtualBits inc dword ptr [ebp].TsEip stdCall _VdmSetPMCliTimeStamp, <0>oc99: mov eax,1 ret
OpcodeCLI endp
page ,132 subttl "STI Opcode Handler";++;; Routine Description:;; This routine emulates an STI opcode. It sets the virtual; interrupt flag in the VDM teb.;; Arguments:; EBP -> trap frame; EBX -> prefix flags, BL = instruction length count; ECX -> byte at the faulting address; EDX -> pointer to vdm state in DOS arena; ESI -> Reginfo struct; EDI -> address of faulting instruction;; Returns:;; nothing;
public OpcodeSTIOpcodeSTI proc
stdCall _VdmClearPMCliTimeStamp mov eax,[ebp].TsEFlags or eax,EFLAGS_INTERRUPT_MASK call SetVirtualBits inc dword ptr [ebp].TsEip mov eax, ds:FIXED_NTVDMSTATE_LINEAR test eax,VDM_INTERRUPT_PENDING jz os10
call VdmDispatchIntAckos10: mov eax,1 ret
OpcodeSTI endp
page ,132 subttl "Check Vdm Flags";++;; Routine Description:;; This routine checks the flags that are going to be used for the; dos or windows application.;; Arguments:;; ecx = EFlags to be set; esi = address of reg info;; Returns:;; ecx = fixed flags;
CheckVdmFlags proc
mov eax,[esi].RiEFlags and eax,EFLAGS_V86_MASK
; ; [eax] = V86 mode bit ; [ecx] = Flags to be fixed ;
test eax,EFLAGS_V86_MASK ; Is V86 Mode? jz short cvf10 ; No, enable IF
test _KeI386VirtualIntExtensions, V86_VIRTUAL_INT_EXTENSIONS jz short cvf10
; ; Convert EFLAGS_INTERRUPT_MASK to VIF flags ;
mov edx, ecx and edx,EFLAGS_INTERRUPT_MASK shl edx,0ah or eax,edx
cvf10: or ecx,EFLAGS_INTERRUPT_MASKcvf20: and ecx,NOT (EFLAGS_IOPL_MASK OR EFLAGS_NT_MASK OR EFLAGS_V86_MASK OR EFLAGS_VIF OR EFLAGS_VIP) or ecx,eax ; restore original v86 bit ret
CheckVdmFlags endp
page ,132 subttl "Get Virtual Interrupt Flag";++;; Routine Description:;; This routine correctly gets the VDMs virtual interrupt flag and; puts it into an EFlags image to be put on the stack.;; Arguments:;; eax = EFlags value;; Returns:;; eax = EFlags value with correct setting for IF;; Uses:; ecx; public GetVirtualBitsGetVirtualBits proc
push ebp push edx push ebx push esi push edi
test eax, EFLAGS_V86_MASK jz short gvb10
test _KeI386VirtualIntExtensions, V86_VIRTUAL_INT_EXTENSIONS jz short gvb10
mov ecx,eax and ecx,EFLAGS_VIF shr ecx,0ah ; mov vif to if posn and eax,NOT EFLAGS_INTERRUPT_MASK or eax,ecx
call gvbGetFixedStateLinear ; after return [ecx] = content of 0x417 and ecx,VDM_VIRTUAL_AC and eax,NOT EFLAGS_ALIGN_CHECK or eax,ecx jmp short gbvexit
gvb10: and eax,NOT EFLAGS_INTERRUPT_MASK call gvbGetFixedStateLinear ; after return [ecx] = content of 0x417 and ecx,VDM_VIRTUAL_INTERRUPTS OR VDM_VIRTUAL_AC or eax,ecx ; put virtual int flag into flagsgbvexit: or eax,EFLAGS_IOPL_MASK ; make it look like a 386
pop edi pop esi pop ebx pop edx pop ebp ret
gvbGetFixedStateLinear: push eax push offset GetVirtualBits_Handler push PCR[PcExceptionList] mov PCR[PcExceptionList], esp mov ecx, ds:FIXED_NTVDMSTATE_LINEAR
gvbexit1: pop PCR[PcExceptionList] add esp, 4 ; pop out except handler pop eax retGetVirtualBits endp
GetVirtualBits_Handler proc mov esp, [esp+8] ; (esp)-> ExceptionList xor ecx, ecx jmp gvbexit1GetVirtualBits_Handler endp
page ,132 subttl "Set Virtual Interrupt Flag";++;; Routine Description:;; This routine correctly sets the VDMs virtual interrupt flag.;; Arguments:;; eax = EFlags value;; Returns:;; Virtual interrupt flag set;
SetVirtualBits procFlags equ [ebp - 4]
; ; IMPORTANT: shielint - save ALL the non-volatile registers in case of exception ;
push ebp push edx push ebx push esi push edi
push offset SetVirtualBits_Handler push PCR[PcExceptionList] mov PCR[PcExceptionList], esp mov ebp,esp sub esp,4
mov Flags,eax lea edx,ds:FIXED_NTVDMSTATE_LINEAR and eax,EFLAGS_INTERRUPT_MASK ; isolate int flag MPLOCK and [edx],NOT VDM_VIRTUAL_INTERRUPTS MPLOCK or [edx],eax ; place virtual int flag value
svb20: ; WARNING 32 bit support! test ebx,PREFIX_OPER32 jz short svb30 ; 16 bit instr
mov eax,Flags and eax,EFLAGS_ALIGN_CHECK MPLOCK and dword ptr [edx],NOT EFLAGS_ALIGN_CHECK MPLOCK or [edx],eaxsvb30: mov esp,ebpsvbexit: pop PCR[PcExceptionList] ; Remove handler lea esp, [esp+4] pop edi pop esi pop ebx pop edx pop ebp retSetVirtualBits endp
SetVirtualBits_Handler proc mov esp, [esp+8] ; (esp)-> ExceptionList jmp svbexitSetVirtualBits_Handler endp
page ,132 subttl "Reflect Exception to a Vdm";++;; Routine Description:;; This routine reflects an exception to a VDM. It uses the information; in the trap frame to determine what exception to reflect, and updates; the trap frame with the new CS, EIP, SS, and SP values;; Arguments:;; ebp -> Trap frame; ss:esp + 4 = trap number;; Returns;; Nothing;; Notes:; Interrupts are enabled upon entry, Irql is at APC level; This routine may not preserve all of the non-volatile registers if; a fault occurs.;cPublicProc _Ki386VdmReflectException,1
RI equ [ebp - REGINFOSIZE]
; ; First make sure this is for us to handle ;
mov eax,PCR[PcPrcbData+PbCurrentThread] mov eax,[eax]+ThApcState+AsProcess cmp dword ptr [eax]+PrVdmObjects,0 ; is this a vdm process? jne short @f
xor eax, eax ; not handled
stdRET _Ki386VdmReflectException
@@: push ebp mov ebp,esp sub esp,REGINFOSIZE
pushad
lea esi,ds:FIXED_NTVDMSTATE_LINEAR
; ; Look to see if the debugger wants exceptions ; stdCall _VdmFetchULONG, <esi> test eax,VDM_BREAK_EXCEPTIONS jz vredbg ; no, check for debug events
mov ebx,DBG_STACKFAULT cmp word ptr [ebp + 8],0ch ; stack fault? jz @f ; yes, check dbg flag mov ebx,DBG_GPFAULT cmp word ptr [ebp + 8],0dh ; gp fault? jne vredbg ; no, continue
@@: test eax,VDM_USE_DBG_VDMEVENT jnz vrexc_event jmp vrexcd ; reflect the exception to 32
; ; Look to see if the debugger wants debug events ;vredbg: test eax,VDM_BREAK_DEBUGGER jz vrevdm ; no debug events, reflect to vdm
mov ebx,DBG_SINGLESTEP cmp word ptr [ebp + 8],1 jnz @f test eax,VDM_USE_DBG_VDMEVENT jnz vrexc_event jmp vrexc1
@@: mov ebx,DBG_BREAK cmp word ptr [ebp + 8],3 jnz vrevdm test eax,VDM_USE_DBG_VDMEVENT jnz vrexc_event jmp vrexc3
; ; Reflect the exception to the VDM ;vrevdm: mov esi,[ebp] cmp word ptr [esi].TsSegCs, KGDT_R3_CODE OR RPL_MASK ; int sim after fault? je vre28if DEVL cmp word ptr [ebp + 8],11 jne @f inc _ExVdmSegmentNotPresent@@:endif
if DBG CurrentIrql cmp al, APC_LEVEL jge @f int 3@@:endif
mov RI.RiTrapFrame,esi mov eax,[esi].TsHardwareSegSs mov RI.RiSegSs,eax mov eax,[esi].TsHardwareEsp mov RI.RiEsp,eax mov eax,[esi].TsEFlags mov RI.RiEFlags,eax mov eax,[esi].TsEip mov RI.RiEip,eax mov eax,[esi].TsSegCs mov RI.RiSegCs,eax lea esi,RI call CsToLinear ; uses eax as selector test al,0FFh jz vrerr
mov eax,[esi].RiSegSs call SsToLinear test al,0FFh jz vrerr
mov ecx,[ebp + 8] call PushException test al,0FFh jz vrerr
mov esi,RI.RiTrapFrame mov eax,RI.RiEsp mov [esi].TsHardwareEsp,eax xor bl, bl ; R3 mask. 0 on V86 mode test dword ptr [esi].TsEFlags, EFLAGS_V86_MASK ; jnz @F ; mov bl, 7 ; protected mode, R3 LDT selectors only@@: mov eax,RI.RiSegSs or al, bl mov [esi].TsHardwareSegSs,eax mov eax,RI.RiEFlags push [esi].TsEFlags mov [esi].TsEFlags,eax xor eax, [esp] test eax, EFLAGS_V86_MASK ; pop eax je @f stdCall _Ki386AdjustEsp0, <esi>@@:
mov eax,RI.RiSegCs or al, bl cmp eax, 8 jae @f test dword ptr [esi].TsEFlags, EFLAGS_V86_MASK ; jnz @f ; mov eax, KGDT_R3_CODE OR RPL_MASK@@: mov [esi].TsSegCs,eax mov eax,RI.RiEip mov [esi].TsEip,eax cmp word ptr [ebp + 8],1 jne vre28 and dword ptr [esi].TsEFlags, NOT EFLAGS_TF_MASK
vre28: popad mov eax,1 ; handled
vre30: mov esp,ebp pop ebp stdRET _Ki386VdmReflectException
vrerr: popad xor eax,eax jmp vre30
vrexc1: mov eax, [ebp] and dword ptr [eax]+TsEflags, not EFLAGS_TF_MASK mov eax, [ebp]+TsEip ; (eax)-> faulting instruction stdCall _VdmDispatchException <[ebp],STATUS_SINGLE_STEP,eax,0,0,0,0> jmp vre28
vrexc3: mov eax,BREAKPOINT_BREAK mov ebx, [ebp] mov ebx, [ebx]+TsEip dec ebx ; (eax)-> int3 instruction stdCall _VdmDispatchException <[ebp],STATUS_BREAKPOINT,ebx,3,eax,ecx,edx> jmp vre28
vrexcd: mov eax, [ebp] mov eax, [eax]+TsEip stdCall _VdmDispatchException <[ebp],STATUS_ACCESS_VIOLATION,eax,2,0,-1,0> jmp vre28
vrexc_event: mov eax, [ebp] cmp ebx, DBG_SINGLESTEP jnz vrexc_event2 and dword ptr [eax]+TsEflags, not EFLAGS_TF_MASKvrexc_event2: mov eax, [eax]+TsEip stdCall _VdmDispatchException <[ebp],STATUS_VDM_EVENT,eax,1,ebx,0,0> jmp vre28
stdENDP _Ki386VdmReflectException
page ,132 subttl "Reflect Segment Not Present Exception to a Vdm";++;; Routine Description:;; This routine reflects an TRAP B to a VDM. It uses the information; in the trap frame to determine what exception to reflect, and updates; the trap frame with the new CS, EIP, SS, and SP values;; Arguments:;; ebp -> Trap frame;; Returns;; 0 is returned if the reflection fails.;
cPublicProc _Ki386VdmSegmentNotPresent,0
mov edi,PCR[PcTeb] mov ecx,VDM_FAULT_HANDLER_SIZE * 0Bh
; ; Set up an exception handler in case we fault ; during the user-space accesses below. ;
push ebp push offset FLAT:VdmSegNotPres_ExceptionHandler ; set up exception registration record push PCR[PcExceptionList] mov PCR[PcExceptionList], esp
mov edi,[edi].TeVdm xor ebx, ebx cmp edi, _MmUserProbeAddress ; probe the TeVdm jae short reflect
lea esi,[edi].VtDpmiInfo ; (esi)->dpmi info struct mov edi, [edi].VtFaultTable ; lea edi,[edi+ecx] ; (edi)->FaultHandler cmp edi, _MmUserProbeAddress ; probe the table address jae short reflect
cmp word ptr [esi].VpLockCount, 0 ; switching stacks? jz short seg_not_pres ; yes, we can handle it ; no, let normal code check ; for stack faults
reflect:
; ; WARNING: Here we directly unlink the exception handler from the ; exception registration chain. NO unwind is performed. ;
pop PCR[PcExceptionList]
add esp, 4 ; pop out except handler pop ebp
; ; Reflect the failure (or exception) back to the usermode ntvdm ; to handle. ;
pop eax ; (eax) = return addr push 0bh push eax jmp _Ki386VdmReflectException
reflect_1:
add esp, REGINFOSIZE + 4 ; plus the "push esi" 4 bytes jmp short reflect
seg_not_pres:if DEVL inc _ExVdmSegmentNotPresentendif inc word ptr [esi].VpLockCount
; ; (esi)->dpmi info struct ; (edi)->FaultHandler ; (ebp)->TrapFrame ; ; save stuff just like SwitchToHandlerStack does ;
mov eax, [ebp].TsEip mov [esi].VpSaveEip, eax mov eax, [ebp].TsHardwareEsp mov [esi].VpSaveEsp, eax mov ax, [ebp].TsHardwareSegSs mov [esi].VpSaveSsSelector, ax
movzx eax,word ptr [esi].VpSsSelector ; (eax) = PM stack selector sub esp, REGINFOSIZE ; allocate reginfo table on stack push esi ; save dpmi info mov esi, esp add esi, 4 ; (esi)->RegInfo mov ecx, dword ptr [ebp].TsEFlags mov [esi].RiEFlags,ecx ; initialize the reginfo table call SsToLinear ; with eax and esi test al,0FFh ; is al == 0? jz short reflect_1 ; yes, failed
mov ebx, [esi].RiSsBase ; (ebx) = Base of PM Stack pop esi ; (esi)->dpmi info add esp, REGINFOSIZE ; remove RegInfo from stack cmp ebx, _MmUserProbeAddress ; probe the PM stack base addr jae short reflect ; make sure it is not Kmode addr
mov eax, [ebp].TsEFlags call GetVirtualBits ; (eax) = app's eflags push esi mov edx, 0fe0h ; dpmistack offset (per win31) test word ptr [esi].VpFlags, 1 ; 32-bit frame? jz short @f
sub edx, 8 * 4 add edx, ebx mov esi, [ebp].TsHardwareEsp mov ecx, [ebp].TsHardwareSegSs mov [edx + 20], eax ; push flags mov [edx + 24], esi ; put esp on new stack mov [edx + 28], ecx ; put ss on new stack mov ecx, [ebp].TsSegCs mov eax, [ebp].TsEip mov esi, [ebp].TsErrCode mov [edx + 16], ecx ; push cs mov [edx + 12], eax ; push ip mov [edx + 8], esi ; push error code pop esi mov ecx, [esi].VpDosxFaultIretD mov eax, ecx shr eax, 16 and ecx, 0ffffh mov [edx + 4], eax ; push fault iret seg mov [edx], ecx ; push fault iret offset jmp short vsnp_update@@: sub edx, 8 * 2 add edx, ebx mov esi, [ebp].TsHardwareEsp mov ecx, [ebp].TsHardwareSegSs mov [edx + 10], ax ; push flags mov [edx + 12], si ; put esp on new stack mov [edx + 14], cx ; put ss on new stack mov ecx, [ebp].TsSegCs mov eax, [ebp].TsEip mov esi, [ebp].TsErrCode mov [edx + 8], cx ; push cs mov [edx + 6], ax ; push ip mov [edx + 4], si ; push error code pop esi mov ecx, [esi].VpDosxFaultIret mov eax, ecx shr eax, 16 mov [edx + 2], ax ; push fault iret seg mov [edx], cx ; push fault iret offset
vsnp_update: mov eax,[edi].VfEip sub edx, ebx mov cx, word ptr [edi].VfCsSelector mov bx, word ptr [esi].VpSsSelector test dword ptr [edi].VfFlags, VDM_INT_INT_GATE jz short @f
lea esi,ds:FIXED_NTVDMSTATE_LINEAR MPLOCK and [esi],NOT VDM_VIRTUAL_INTERRUPTS and dword ptr [ebp].TsEflags, 0FFF7FFFFH ; clear VIF@@: or cx, 7 ; R3 LDT selectors only or bx, 7 ; R3 LDT selectors only test dword ptr [ebp]+TsEFlags,EFLAGS_V86_MASK jnz short @f
cmp cx, 8 jge short @f
mov cx, KGDT_R3_CODE OR RPL_MASK@@: mov [ebp].TsSegCs, cx mov [ebp].TsEip, eax mov [ebp].TsHardwareEsp,edx mov [ebp].TsHardwareSegSs,bx
; ; WARNING: Here we directly unlink the exception handler from the ; exception registration chain. NO unwind is performed. ;
pop PCR[PcExceptionList]
add esp, 4 ; pop out except handler pop ebp
mov eax, 1 stdRET _Ki386VdmSegmentNotPresent
stdENDP _Ki386VdmSegmentNotPresent
; ; Error and exception blocks for Ki386VdmSegmentNoPresent ;
VdmSegNotPres_ExceptionHandler proc ; ; WARNING: Here we directly unlink the exception handler from the ; exception registration chain. NO unwind is performed. ;
mov esp, [esp+8] ; (esp)-> ExceptionList jmp reflectVdmSegNotPres_ExceptionHandler endp
page ,132 subttl "Dispatch UserMode Exception to a Vdm";++;; Routine Description:;; Dispatches exception for vdm from in the kernel, by invoking; CommonDispatchException.;; Arguments: See CommonDispatchException for parameter description;; VOID; VdmDispatchException(; PKTRAP_FRAME TrapFrame,; NTSTATUS ExcepCode,; PVOID ExcepAddr,; ULONG NumParms,; ULONG Parm1,; ULONG Parm2,; ULONG Parm3; );; Returns;; Nothing;; Notes:;; This routine may not preserve all of the non-volatile registers if; a fault occurs.;cPublicProc _VdmDispatchException,7
TrapFrame equ [ebp+8]ExcepCode equ [ebp+12]ExcepAddr equ [ebp+16]NumParms equ [ebp+20]Parm1 equ [ebp+24]Parm2 equ [ebp+28]Parm3 equ [ebp+32]
push ebp mov ebp,esp pushad
LowerIrql 0 ; lower irql to 0 ; allow APCs and debuggers in!
mov eax, ExcepCode mov ebx, ExcepAddr mov ecx, NumParms mov edx, Parm1 mov esi, Parm2 mov edi, Parm3 mov ebp, TrapFrame call CommonDispatchException
popad pop ebp
stdRET _VdmDispatchException
stdENDP _VdmDispatchException
page ,132 subttl "Push Interrupt frame on user stack";++;; Routine Description:;; This routine pushes an interrupt frame on the user stack;; Arguments:;; ecx = interrupt #; esi = address of reg info; Returns:;; interrupt frame pushed on stack; reg info updated; public PushIntPushInt proc
push ebx push edi
;; Handle dispatching interrupts directly to the handler, rather than; to the dos extender; ; ; Get the information on the interrupt handler ; .errnz (VDM_INTERRUPT_HANDLER_SIZE - 8) mov eax,PCR[PcTeb]
; ; Set up an exception handler in case we fault ; during the user-space accesses below. ; Note, we must preserve esi if exception does occur, all non-volatile registers are destroyed ;
push esi push ebp push offset FLAT:PushIntExceptionHandler ; set up exception registration record push PCR[PcExceptionList] mov PCR[PcExceptionList], esp
mov eax,[eax].TbVdm cmp eax, _MmUserProbeAddress jae pierr
mov eax, [eax].VtInterruptTable lea eax,[eax + ecx*8] cmp eax, _MmUserProbeAddress jae pierr
; ; Get SP ; mov edi,[ebp].TsHardwareEsp test [esi].RiSsFlags,SEL_TYPE_BIG jnz short @f
movzx edi,di ; zero high bits for 64k stack
; ; Update SP ;@@: test [eax].ViFlags,dword ptr VDM_INT_32 jz short @f
; ; 32 bit iret frame ; cmp edi,12 ; enough space on stack? jb pierr ; no, go fault
sub edi,12 mov [esi].RiEsp,edi jmp short pi130
; ; 16 bit iret frame ;@@: cmp edi,6 ; enough space on stack? jb pierr ; no, go fault
sub edi,6 mov [esi].RiEsp,edi
; ; Check limit ;pi130: test [esi].RiSsFlags,SEL_TYPE_ED jz short pi140
; ; Expand down, Sp must be above limit ; cmp edi,[esi].RiSsLimit jna pierr
jmp short pi150
; ; Normal, Sp must be below limit ;pi140: cmp edi,[esi].RiSsLimit jnb pierr
; ; Get base of ss ;pi150: mov ebx,[esi].RiSsBase test [eax].ViFlags,dword ptr VDM_INT_32 jz short pi160
; ; "push" 32 bit iret frame ; mov edx,[esi].RiEip mov [edi + ebx],edx mov dx,word ptr [ebp].TsSegCs mov [edi + ebx] + 4,edx push eax mov eax,[esi].RiEFlags call GetVirtualBits
mov [edi + ebx] + 8,eax pop eax jmp short pi170
; ; push 16 bit iret frame ;pi160: mov dx,word ptr [esi].RiEip mov [edi + ebx],dx mov dx,word ptr [ebp].TsSegCs mov [edi + ebx] + 2,dx push eax mov eax,[esi].RiEFlags call GetVirtualBits
mov [edi + ebx] + 4,ax pop eax
; ; Update CS and IP ;pi170: mov ebx,eax ; save int info mov dx,[eax].ViCsSelector mov word ptr [esi].RiSegCs,dx mov edx,[eax].ViEip mov [esi].RiEip,edx
movzx eax, word ptr [esi].RiSegCs call CsToLinear ; uses eax as selector
test al,0ffh jnz short pi175
; ; Check for destination not present ; test [esi].RiCsFlags,SEL_TYPE_NP jz pierr
mov al,0ffh ; succeeded jmp short pi180
; ; Check handler address ;pi175: mov edx,[esi].RiEip cmp edx,[esi].RiCsLimit jnb short pierr
; ; Turn off the trap flag ;pi180: and [esi].RiEFlags,NOT EFLAGS_TF_MASK
; ; Turn off virtual interrupts if necessary ; test [ebx].ViFlags,dword ptr VDM_INT_INT_GATE ; n.b. We know al is non-zero, because we succeeded in cstolinear jz short pi80
pi75: lea ebx,ds:FIXED_NTVDMSTATE_LINEAR MPLOCK and [ebx], NOT EFLAGS_INTERRUPT_MASK
pi80: and [esi].RiEFlags,NOT (EFLAGS_IOPL_MASK OR EFLAGS_NT_MASK OR EFLAGS_V86_MASK) or [esi].RiEFlags,EFLAGS_INTERRUPT_MASK
pi90:
; ; WARNING: Here we directly unlink the exception handler from the ; exception registration chain. NO unwind is performed. ;
pop PCR[PcExceptionList] add esp, 4 ; pop out except handler pop ebp pop esi
pop edi pop ebx ret
pierr: xor eax,eax jmp short pi90
PushInt endp
PushIntExceptionHandler proc mov esp, [esp+8] ; (esp)-> ExceptionList xor eax,eax jmp pi90PushIntExceptionHandler endp
page ,132 subttl "Convert CS Segment or selector to linear address";++;; Routine Description:;; Convert CS segment or selector to linear address as appropriate; for the current user mode processor mode.;; Arguments:;; esi = reg info;; Returns:;; reg info updated; public CsToLinearCsToLinear proc
test [esi].RiEFlags,EFLAGS_V86_MASK jz ctl10
shl eax,4 mov [esi].RiCsBase,eax mov [esi].RiCsLimit,0FFFFh mov [esi].RiCsFlags,0 mov eax,1 ret
ctl10: push edx ; WARNING volatile regs!!! lea edx,[esi].RiCsLimit push edx lea edx,[esi].RiCsBase push edx lea edx,[esi].RiCsFlags push edx push eax ; push selector
call _Ki386GetSelectorParameters@16 pop edx
or al,al jz ctlerr
test [esi].RiCsFlags,SEL_TYPE_EXECUTE jz ctlerr
test [esi].RiCsFlags,SEL_TYPE_2GIG jz ctl30
; Correct limit value for granularity shl [esi].RiCsLimit,12 or [esi].RiCsLimit,0FFFhctl30: mov eax,1 ret
ctlerr: xor eax,eax ret
CsToLinear endp
page ,132 subttl "Verify that EIP is still valid";++;; Routine Description:;; Verify that Eip is still valid and put it into the trap frame;; Arguments:;; esi = address of reg info;; Returns:;; public CheckEipCheckEip proc mov eax,[esi].RiEip test [esi].RiEFlags,EFLAGS_V86_MASK jz ce20
and eax,[esi].RiCsLimit mov [esi].RiEip,eax jmp ce40
ce20: cmp eax,[esi].RiCsLimit ja ceerrce40: mov eax,1ce50: ret
ceerr: xor eax,eax jmp ce50
CheckEip endp
page ,132 subttl "Convert Ss Segment or selector to linear address";++;; Routine Description:;; Convert Ss segment or selector to linear address as appropriate; for the current user mode processor mode.;; Arguments:;; eax = selector to convert; esi = address of reg info;; Returns:;; reg info updated; public SsToLinearSsToLinear proc
test [esi].RiEFlags,EFLAGS_V86_MASK jz stl10
shl eax,4 mov [esi].RiSsBase,eax mov [esi].RiSsLimit,0FFFFh mov [esi].RiSsFlags,0 mov eax,1 ret
stl10: push ecx lea ecx,[esi].RiSsLimit push ecx lea ecx,[esi].RiSsBase push ecx lea ecx,[esi].RiSsFlags push ecx push eax ;selector
call _Ki386GetSelectorParameters@16 pop ecx
or al,al jz stlerr
test [esi].RiSsFlags,SEL_TYPE_WRITE jz stlerr
test [esi].RiSsFlags,SEL_TYPE_2GIG jz stl30
; Correct limit value for granularity
mov eax,[esi].RiSsLimit shl eax,12 or eax,0FFFh mov [esi].RiSsLimit,eaxstl30: mov eax,1stl40: ret
stlerr: xor eax,eax jmp stl40
SsToLinear endp
page ,132 subttl "Verify that Esp is still valid";++;; Routine Description:;; Verify that Esp is still valid;; Arguments:;; ecx = # of bytes needed for stack frame; esi = address of reg info;; Returns:;;; public CheckEspCheckEsp proc mov eax,[esi].RiEsp test [esi].RiEFlags,EFLAGS_V86_MASK jz cs20
and eax,[esi].RiSsLimit mov [esi].RiEsp,eax jmp cs40
cs20: test [esi].RiSsFlags,SEL_TYPE_BIG jnz cs25
and eax,0FFFFh ; only use 16 bit for 16 bitcs25: cmp ecx, eax ; StackOffset > SP? ja cserr ; yes error dec eax ; make limit checks work test [esi].RiSsFlags,SEL_TYPE_ED ; Expand down? jz cs30 ; jif no
;; Expand Down; sub eax, ecx ; New SP cmp eax,[esi].RiSsLimit ; NewSp < Limit? jb cserr jmp cs40
;; Not Expand Down;cs30: cmp eax,[esi].RiSsLimit ja cserr
cs40: mov eax,1cs50: ret
cserr: xor eax,eax jmp cs50
CheckEsp endp
page ,132 subttl "Switch to protected mode interrupt stack";++;; Routine Description:;; Switch to protected mode interrupt handler stack;; Arguments:;; ecx = interrupt number; esi = address of reg info; edi = address of PM Stack info;; Returns:;; reg info updated; public SwitchToHandlerStackSwitchToHandlerStack proc
;; We must preserve non-volatile registers across exception;
push ebx push esi push edi
;; Install exception handler;
push ebp push offset SwitchToHandlerStack_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
cmp word ptr [edi].VpLockCount, 0 ; already switched? jnz short @f ; yes
mov eax, [esi].RiEip mov [edi].VpSaveEip, eax mov eax, [esi].RiEsp mov [edi].VpSaveEsp, eax mov eax, [esi].RiSegSs mov [edi].VpSaveSsSelector, ax
movzx eax,word ptr [edi].VpSsSelector
pop PCR[PcExceptionList] ; Remove our exception handle add esp, 4 ; clear stack pop ebp
mov [esi].RiSegSs,eax mov dword ptr [esi].RiEsp,1000h ; dpmi stack offset
movzx eax, word ptr [esi].RiSegSs push ecx call SsToLinear ; compute new base pop ecx test al,0FFh jz short shserr
push ebp push offset SwitchToHandlerStack_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
@@: inc word ptr [edi].VpLockCount ; maintain lock count
pop PCR[PcExceptionList] ; Remove our exception handle add esp, 4 ; clear stack pop ebp
mov eax,1 jmp short shsexit
shserr: xor eax,eaxshsexit: pop edi pop esi pop ebx retSwitchToHandlerStack endp
SwitchToHandlerStack_fault proc mov esp, [esp+8] pop PCR[PcExceptionList] ; Remove our exception handle add esp, 4 ; clear stack pop ebp jmp short shserrSwitchToHandlerStack_fault endp
page ,132 subttl "Get protected mode interrupt handler address";++;; Routine Description:;; Get the address of the interrupt handler for the specified interrupt;; Arguments:;; ecx = interrupt number; esi = address of reg info;; Returns:;; reg info updated; public GetHandlerAddressGetHandlerAddress proc
push ebp push ebx push esi push edi push ecx push edx
push offset GetHandlerAddress_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov eax,VDM_FAULT_HANDLER_SIZE mul ecx mov edi,PCR[PcTeb] mov edi,[edi].TeVdm cmp edi, _MmUserProbeAddress ; Probe the VMD structure jae short GetHandlerAddress_fault_resume
mov edi,[edi].VtFaultTable cmp edi, _MmUserProbeAddress jae short GetHandlerAddress_fault_resume
movzx ecx,word ptr [edi + eax].VfCsSelector mov [esi].RiSegCs,ecx mov ecx,[edi + eax].VfEip mov [esi].RiEip,ecx mov eax,1
jmp short GetHandlerAddress_Exit
GetHandlerAddress_fault_resume: xor eax, eaxGethandlerAddress_Exit: pop PCR[PcExceptionList] ; Remove our exception handle
add esp, 4 ; clear stack
pop edx pop ecx pop edi pop esi pop ebx pop ebp ret GetHandlerAddress endp
GetHandlerAddress_fault proc mov esp, [esp+8] jmp short GetHandlerAddress_fault_resumeGetHandlerAddress_fault endp
page ,132 subttl "Push processor exception";++;; Routine Description:;; Update the stack and registers to emulate the specified exception;; Arguments:;; ecx = interrupt number; esi = address of reg info;; Returns:;; reg info updated; public PushExceptionPushException Proc
push ebx push edi push esi
test [esi].RiEflags,EFLAGS_V86_MASK jz pe40
;; Push V86 mode exception; cmp ecx, 7 ; device not available fault ja peerr ; per win3.1, no exceptions ; above 7 for v86 mode mov edx,[esi].RiEsp mov ebx,[esi].RiSsBase and edx,0FFFFh ; only use a 16 bit sp sub dx,2 mov eax,[esi].RiEFlags push ecx call GetVirtualBits pop ecx;; Install exception handler; push ebp push esp ; Pass current Esp to handler push offset perr_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov [ebx+edx],ax ; push flags sub dx,2 mov ax,word ptr [esi].RiSegCs mov [ebx+edx],ax ; push cs sub dx,2 mov ax,word ptr [esi].RiEip mov [ebx+edx],ax ; push ip
mov eax,[ecx*4] ; get new cs:ip value pop PCR[PcExceptionList] ; Remove our exception handle add esp, 8 ; clear stack pop ebp
push eax movzx eax,ax mov [esi].RiEip,eax pop eax shr eax,16 mov [esi].RiSegCs,eax mov word ptr [esi].RiEsp,dx jmp pe60
;; Push PM exception;pe40: push [esi].RiEsp ; save for stack frame push [esi].RiSegSs
;; Install exception handler; push ebp push esp ; Pass current Esp to handler push offset perr1_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov edi,PCR[PcTeb] mov edi, [edi].TeVdm
pop PCR[PcExceptionList] ; Remove our exception handle add esp, 8 ; clear stack pop ebp
cmp edi, _MmUserProbeAddress jae peerr1 lea edi,[edi].VtDpmiInfo call SwitchToHandlerStack test al,0FFh jz peerr1 ; pop off stack and exit
sub [esi].RiEsp, 20h ; win31 undocumented feature
mov ebx,[esi].RiSsBase mov edx,[esi].RiEsp test [esi].RiSsFlags,SEL_TYPE_BIG jnz short @f movzx edx,dx ; zero high bits for 64k stack@@:
;; Install exception handler; push ebp push esp ; Pass current Esp to handler push offset perr1_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
test word ptr [edi].VpFlags, 1 ; 32 bit app?
pop PCR[PcExceptionList] ; Remove our exception handle
lea esp, [esp+8] ; clear stack pop ebp
jnz pe45 ; yes
;; push 16-bit frame; push ecx mov ecx, 8*2 ; room for 8 words? call CheckEsp pop ecx test al,0FFh jz peerr1 ; pop off stack and exit
sub edx,8*2 mov [esi].RiEsp,edx
;; Install exception handler; push ebp push esp ; Pass current Esp to handler push offset perr1_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov eax, [esp+4*4] mov [ebx+edx+14], ax mov eax, [esp+4*5] mov [ebx+edx+12], ax
pop PCR[PcExceptionList] ; Remove our exception handle lea esp, [esp+8] ; clear stack pop ebp lea esp, [esp+8] ; clear stack
mov eax,[esi].RiEFlags push ecx call GetVirtualBits pop ecx
;; Install exception handler; push ebp push esp ; Pass current Esp to handler push offset perr_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov [ebx+edx+10],ax ; push flags movzx eax,word ptr [esi].RiSegCs mov [ebx+edx+8],ax ; push cs mov eax,[esi].RiEip mov [ebx+edx+6],ax ; push ip mov eax,RI.RiTrapFrame mov eax,[eax].TsErrCode mov [ebx+edx+4],ax ; push error code mov eax,[edi].VpDosxFaultIret mov [ebx+edx],eax ; push iret address
pop PCR[PcExceptionList] ; Remove our exception handle
add esp, 8 ; clear stack pop ebp
jmp pe50pe45:;; push 32-bit frame; push ecx mov ecx, 8*4 ; room for 8 dwords? call CheckEsp pop ecx test al,0FFh jz peerr1 ; pop off stack and exit
sub edx,8*4 mov [esi].RiEsp,edx
push ebp push esp ; Pass current Esp to handler push offset perr1_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov eax, [esp+4*4] mov [ebx+edx+28], eax mov eax, [esp+4*5] mov [ebx+edx+24], eax
pop PCR[PcExceptionList] ; Remove our exception handle
add esp, 8 ; clear stack pop ebp lea esp, [esp+8] ; drop ss etc
mov eax,[esi].RiEFlags push ecx call GetVirtualBits pop ecx
push ebp push esp ; Pass current Esp to handler push offset perr_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov [ebx+edx+20],eax ; push flags movzx eax,word ptr [esi].RiSegCs mov [ebx+edx+16],eax ; push cs mov eax,[esi].RiEip mov [ebx+edx+12],eax ; push ip mov eax,RI.RiTrapFrame mov eax,[eax].TsErrCode mov [ebx+edx+8],eax ; push error code mov eax,[edi].VpDosxFaultIretD shr eax, 16 mov [ebx+edx+4],eax ; push iret seg mov eax,[edi].VpDosxFaultIretD and eax, 0ffffh mov [ebx+edx],eax ; push iret offset
pop PCR[PcExceptionList] ; Remove our exception handle
add esp, 8 ; clear stack pop ebp
pe50: call GetHandlerAddress test al,0FFh jz peerr
pe60: push ecx movzx eax,word ptr [esi].RiSegCs call CsToLinear ; uses eax as selector pop ecx test al,0FFh jz peerr
mov eax,[esi].RiEip cmp eax,[esi].RiCsLimit ja peerr
mov eax,VDM_FAULT_HANDLER_SIZE push edx mul ecx pop edx
push ebp push esp ; Pass current Esp to handler push offset perr_fault ; Set Handler address push PCR[PcExceptionList] ; Set next pointer mov PCR[PcExceptionList],esp ; Link us on
mov edi,PCR[PcTeb] mov edi,[edi].TbVdm
cmp edi, _MmUserProbeAddress jb @f mov edi, _MmUserProbeAddress@@: mov edi,[edi].VtFaultTable add edi,eax cmp edi, _MmUserProbeAddress jb @f mov edi, _MmUserProbeAddress@@: mov eax,[esi].RiEFlags ;WARNING 16 vs 32 test dword ptr [edi].VfFlags,VDM_INT_INT_GATE
pop PCR[PcExceptionList] ; Remove our exception handle
lea esp, [esp+8] ; clear stack pop ebp
jz pe70
and eax,NOT (EFLAGS_INTERRUPT_MASK OR EFLAGS_TF_MASK) push eax xor ebx, ebx ; clear prefix flags call SetVirtualBits pop eaxpe70: push ecx mov ecx,eax call CheckVdmFlags and ecx,NOT EFLAGS_TF_MASK mov [esi].RiEFlags,ecx pop ecx mov eax,1 ; successpe80: pop esi pop edi pop ebx ret
peerr1: add esp, 8 ;throw away esp, sspeerr: xor eax,eax jmp pe80
PushException endp
perr1_fault proc mov esp, [esp+8] ; (esp)-> ExceptionList pop PCR[PcExceptionList] ; Remove our exception handle add esp, 8 ; clear stack pop ebp jmp peerr1perr1_fault endp
perr_fault proc mov esp, [esp+8] ; (esp)-> ExceptionList pop PCR[PcExceptionList] ; Remove our exception handle add esp, 8 ; clear stack pop ebp jmp peerrperr_fault endp
_PAGE ends
_TEXT$00 SEGMENT DWORD PUBLIC 'CODE' ASSUME DS:NOTHING, ES:NOTHING, SS:FLAT, FS:NOTHING, GS:NOTHING
;; Non-pagable code;
page ,132 subttl "Ipi worker for enabling Pentium extensions";++;; Routine Description:;; This routine sets or resets the VME bit in CR4 for each processor;; Arguments:;; [esp + 4] -- 1 if VME is to be set, 0 if it is to be reset; Returns:;; 0;cPublicProc _Ki386VdmEnablePentiumExtentions, 1
Enable equ [ebp + 8] push ebp mov ebp,esp;; Insure we do not get an interrupt in here. We may; be called at IPI_LEVEL - 1 by KiIpiGenericCall.; pushf cli
; mov eax,cr4 db 0fh, 020h,0e0h
test Enable,1 je vepe20
or eax,CR4_VME jmp vepe30
vepe20: and eax,NOT CR4_VME
; mov cr4,eaxvepe30: db 0fh,022h,0e0h
popf xor eax,eax
mov esp,ebp pop ebp stdRET _Ki386VdmEnablePentiumExtentionsstdENDP _Ki386VdmEnablePentiumExtentions
_TEXT$00 ends end
|
