|
|
include intmac.inc public rgw032Stack
dw 64 dup (?) ; DOSX Ring -> Ring 0 transition stack;; Interrupts in the range 0-1fh cause a ring transition and leave; an outer ring IRET frame right here.;Ring0_EH_DS dw ? ; place to put user DSRing0_EH_AX dw ? ; place to put user AXRing0_EH_BX dw ? ; place to put user BXRing0_EH_CX dw ? ; place to put user CXRing0_EH_BP dw ? ; place to put user BPRing0_EH_PEC dw ? ; lsw of error code for 386 page fault ; also near return to PMFaultEntryVectorRing0_EH_EC dw ? ; error code passed to EHRing0_EH_IP dw ? ; interrupted code IP dw ?Ring0_EH_CS dw ? ; interrupted code CS dw ?Ring0_EH_Flags dw ? ; interrupted code flags dw ?Ring0_EH_SP dw ? ; interrupted code SP dw ?Ring0_EH_SS dw ? ; interrupted code SS dw ?rgw032Stack label word
; ------------------------------------------------------------------; PMFaultAnalyzer -- This routine is the entry point for; the protected mode fault/trap/exception handler. It tries; to distinguish between bona fide processor faults and; hardware/software interrupts which use the range of; interrupts that is reserved by Intel. If a fault is; detected, then format the stack for a DPMI fault handler,; then vector to the handler whose address is stored in; PMFaultVector. If it looks more like an interrupt, then; set up the stack for an interrupt handler, jump to the; handler whose address is stored in PMIntelVector.;; Input: none; Output: none
assume ds:NOTHING,es:NOTHING,ss:DGROUP public PMFaultAnalyzer
PMFaultAnalyzer proc near
;; Make sure we are on the right stack. Else, something fishy is going on.; Note that stack faults won't do too well here.; push ax mov ax,ss cmp ax,SEL_DXDATA or STD_RING pop ax je pmfa_stack_passed jmp pmfa_bad_stackpmfa_stack_passed:;; Is the stack pointer pointing at a word error code (minus 2)?; cmp sp,offset DGROUP:Ring0_EH_PEC je pmfa_fault ; Yes, processor fault.
;; Is it pointing to where it is supposed to be for a hardware or; software interrupt?; cmp sp,offset DGROUP:Ring0_EH_EC je pmfa_20 jmp pmfa_bad_stackpmfa_20:jmp pmfa_inspect
pmfa_fault:;; Getting here, we have a known exception with a word error code of some; sort on the stack. Perform an outward ring transition, switch to the; client stack, then vector through the exception handler vector to the; appropriate handler.; push bp push cx push bx push ax push ds lea bp,Ring0_EH_SS mov ax,word ptr [bp] mov cx,selEHStack cmp ax,cx jne pmfa_stack_OK mov bx,[bp-2] jmp pmfa_copy_stackpmfa_stack_OK: mov bx,npEHStackLimitpmfa_copy_stack: mov ds,cx ; DS:BX = user SS:SP mov cx,13 add bp,2 ; put both halves of sspmfa_copy_stack_loop: dec bx dec bx mov ax,word ptr [bp] mov word ptr [bx],ax dec bp dec bp loop pmfa_copy_stack_loop
; DS:BX points to stack on entry to PMFaultReflector
;; Build a far return frame on user stack, switch to user stack, and return; lea bp,Ring0_EH_PEC mov word ptr [bp+6],ds mov word ptr [bp+4],bx
sub bx,2 mov word ptr ds:[bx],SEL_DXPMCODE OR STD_RING; push cs sub bx,2 mov ds:[bx],offset DXPMCODE:PMFaultReflector; push ip lea bp,Ring0_EH_PEC mov ax,Ring0_EH_CX ; get BP value sub bx,2 mov ds:[bx],ax ; push bp mov Ring0_EH_PEC,bx ; sp for lss mov bx,ds mov Ring0_EH_EC,bx ; ss for lss pop ds pop ax pop bx pop cx.386p lss sp,[bp] ; switch stack.286p pop bp retf
pmfa_inspect:;; Stack is set up as for an interrupt or exception without error code.; Adjust the stack pointer and put an error code of zero. Then try to; determine whether we have an exception or an interrupt. First test; is the interrupt number.; push Ring0_EH_EC mov Ring0_EH_EC,0 cmp Ring0_EH_PEC,offset PMFaultEntryVector + ((7 + 1) * 3) ja pfma_50 push Ring0_EH_PEC mov Ring0_EH_PEC,0 jmp pmfa_fault ; Yes, definitely a fault.pfma_50:;; At this point, all valid exceptions have been eliminated except for; exception 9, coprocessor segment overrun, and exception 16, coprocessor; error.;
; **********************************************; * Your code to detect these exceptions here. *; **********************************************
push bp push cx push bx push ax push ds ; SP -> Ring0_EH_DS;; Point to the user's stack.; lea bp,Ring0_EH_SS mov cx,[bp] mov ds,cx mov bx,[bp-2] ; DS:[BX] -> user stack;; Copy the IRET frame to the user stack.; lea bp,Ring0_EH_Flags mov cx,6pmfa_copy_IRET: mov ax,[bp] dec bx dec bx mov [bx],ax dec bp dec bp loop pmfa_copy_IRET;; Point BP at vector entry for this (reserved) interrupt.; mov ax,Ring0_EH_PEC ; fetch near return address sub ax,offset DXPMCODE:PMFaultEntryVector+3 mov cl,3 div cl ; AX = interrupt number shl ax,2 ; AX = vector entry offset lea bp,PMIntelVector add bp,ax ; BP -> interrupt handler address mov ax,[bp] ; AX = IP of handler mov cx,[bp+2] ; CX = CS of handler;; Build a far return frame on user stack, switch to user stack, and return;
sub bx,2 mov ds:[bx],cx ; push cs sub bx,2 mov ds:[bx],ax ; push ip lea bp,Ring0_EH_PEC mov ax,Ring0_EH_BP sub bx,2 mov ds:[bx],ax ; push bp mov Ring0_EH_PEC,bx ; sp for lss mov bx,ds mov Ring0_EH_EC,bx ; ss for lss pop ds pop ax pop bx pop cx.386p lss sp,[bp] ; switch stack.286p pop bp retf ; Out of here.
pmfa_bad_stack:
if DEBUG mov ax,ss mov bx,sp Trace_Out "Fault Handler Aborting with SS:SP = #AX:#BX" pop ax sub ax, (offset DXPMCODE:PMFaultEntryVector) + 3 mov bx,3 div bl Trace_Out "Fault Number #AX" pop ax pop bx pop cx pop dx Trace_Out "First four stack words: #AX #BX #CX #DX."endif push selDgroupPM push offset DGROUP:rgwStack rpushf push SEL_DXPMCODE or STD_RING push offset DXPMCODE:pmfr_death riretpmfr_death: mov ax,cs mov ds,ax mov dx,offset szRing0FaultMessage pmdossvc 09h jmp PMAbort
PMFaultAnalyzer endp
FR_Stack Struc FR_BP dd ? FR_AX dd ? FR_BX dd ? FR_DS dw ? FR_ENTRY dd ? ; SS:[SP] points here on entry ; to PMReservedReflector FR_Toss dd ? ; DPMI return IP FR_Ret_IP dd ? ; actual fault handler gets put FR_Ret_CS dd ? ; here to return to FR_IP dd ? FR_CS dd ? FR_FL dd ? FR_SP dd ? FR_SS dd ?FR_Stack Ends;; Alternate names so the structure above makes more sense to; PMFaultReflector.;FR_Handler_IP equ FR_DSFR_Handler_CS equ FR_ENTRYFR_Handler_Ret_IP equ FR_TossFR_Handler_Ret_CS equ FR_Ret_IPFR_Handler_Entry equ FR_Handler_Ret_CSFR_EC equ FR_Ret_CS
; ------------------------------------------------------------------; PMFaultReflector -- Dispatch a fault to a fault handler installed; in PMFaultVector. When the fault handler returns, return; to the faulting code, using the addresses placed on the; DPMI fault handler stack by the last called fault handler.;; Input:; Entry is by a NEAR call, with an IP within the range; of PMFaultEntryVector on the stack. The stack has been; set up for use by a DPMI fault handler.;; Output:; Controlled by fault handler.;; Uses:; Controlled by fault handler.;; Notes:; Fault handlers are called on a static stack. This routine; is NOT REENTRANT.; public PMFaultReflector public PMFaultReflectorIRETPMFaultReflector proc near assume ss:nothing,ds:nothing,es:nothing
sub sp,6 push bx push eax push bp mov bp,sp push ds mov ax,SEL_DXDATA or STD_RING mov ds,ax assume ds:dgroup mov ax,[bp.FR_Handler_Entry] sub ax,offset DXPMCODE:PMFaultEntryVector+3 mov bl,3 div bl ; AX = interrupt number shl ax,3 ; AX = offset of fault handler
lea bx,PMFaultVector add bx,ax ; SS:[BX] -> fault vector entry mov eax,word ptr ds:[bx] mov [bp.FR_Handler_IP],eax mov ax,word ptr ds:[bx+2] mov [bp.FR_Handler_CS],ax
lea ax,pmfr_cleanup movzx eax,ax mov [bp.FR_Handler_Ret_IP],eax push cs pop [bp.FR_Handler_Ret_CS]
pop ds assume ds:nothing pop bp pop ax pop bx db 066h,0CBh ; This calls the fault handler.
PMFaultReflectorIRETCall: dd (SEL_RZIRET or STD_RING) shl 10h
pmfr_cleanup:;; Unwind the fault handler stack. Return to the faulting code.; This works by calling a Ring 0 procedure to do the actual IRET.; If we do it that way, we can return to the faulting code without; actually touching the faulting code's stack.;PMFaultReflectorIRET:
; BUGBUG Daveh using user stack this way is less robust!!!
.386p add sp,4 ; pop error code push bp mov bp,sp push ebx push ds push eax mov ax,[bp + 18] mov ds,ax mov ebx,[bp + 14] ; ds:bx -> user stack sub ebx,4 mov eax,[bp + 10] mov ds:[ebx],eax ; push flags sub ebx,4 mov eax,[bp + 4] mov ds:[ebx],eax ; push cs sub ebx,4 mov eax,[bp + 2] mov ds:[ebx],eax ; push ip sub ebx,2 mov ax,[bp] mov ds:[ebx],ax ; push bp mov [bp + 8],bx pop eax pop ds pop ebx pop bp
add sp,6 ; point to ss:sp mov bp,sp
lss esp,[bp].286p pop bp ; restore bp riretdendifPMFaultReflector endp;; -------------------------------------------------------; PMReservedReflector -- This routine is for reflecting; exceptions to a protected mode interrupt handler.; The default for exceptions 1, 2, and 3 is to have; a near call to this routine placed in the PMFaultVector.;; This routine strips off the fault handler stack set; up by PMFaultAnalyzer, switches to the stack pointed; to by the pushed SS and SP values, sets up an IRET; frame for use by PMIntrReflector, and jumps to; PMIntrReflector. Eventual return is via an IRET; from PMIntrReflector.;; Input:; Entry is by a NEAR call, with an IP within the range; of PMReservedEntryVector on the stack. The stack has been; set up for use by a DPMI fault handler.;; Output:; Switch to stack registers set up by any previous fault; handler, jump to PMIntrReflector with an IRET frame set up; for direct return to the interrupted code.;; Errors: none;; Uses: Modifies SS, SP. Does not return to caller.;
assume ds:NOTHING,es:NOTHING,ss:NOTHING public PMReservedReflectorPMReservedReflector:
push ds push ebx push eax push ebp mov bp,sp;; BP now points to a stack frame described by the structure; above. This will be copied to a stack frame on the stack pointed to; by FR_SS:FR_SS. In most cases, the destination stack is actually; the same as the present stack, offset by four bytes. The following; block of code is therefore very likely an overlapping copy. Think; carefully before modifying how it works.;
mov bx,[bp.FR_SS] mov ds,bx mov ebx,[bp.FR_SP] ; DS:[BX] -> interrupted code's stack sub bx, (size FR_Stack) - 8 ; (not copying SP or SS) ; DS:[BX] -> place to copy our stack frame
mov eax,[bp.FR_FL] ; Push user IRET frame onto the destination mov [ebx.FR_FL],eax ; stack. mov eax,[bp.FR_CS] mov [ebx.FR_CS],eax mov eax,[bp.FR_IP] mov [ebx.FR_IP],eax
mov eax,[bp.FR_ENTRY] ; Copy our caller's near return. mov [ebx.FR_ENTRY],eax
mov ax,[bp.FR_DS] ; Copy saved registers. mov [ebx.FR_DS],ax mov eax,[bp.FR_BX] mov [ebx.FR_BX],eax mov eax,[bp.FR_AX] mov [ebx.FR_AX],eax mov eax,[bp.FR_BP] mov [ebx.FR_BP],eax
mov ax,ds ; Switch to user stack. mov ss,ax mov esp,ebx mov ebp,esp
mov ax,[ebp.FR_ENTRY] ; AX = offset of caller sub ax,offset DXPMCODE:PMReservedEntryVector + 3 mov bl,3 div bl ; AX = interrupt number shl ax,2 ; AX = offset into PMIntelVector mov ds,SelDgroupPM assume ds:DGROUP lea bx,PMIntelVector add bx,ax ; DS:[BX] -> interrupt handler
mov eax,[bx] ; Place vector entry just below mov [ebp.FR_Ret_IP],eax ; IRET frame. mov eax,[bx+4] mov [ebp.FR_Ret_CS],eax
lea esp,[ebp.FR_BP] ; Point to saved registers. pop ebp ; Pop 'em. pop eax pop ebx pop ds add esp,4 ; Fix up stack.
db 066h,0CBh ; jump to interrupt handler via far return
DXPMCODE ends
; ------------------------------------------------------- subttl Real Mode Interrupt Reflector page; -------------------------------------------------------; REAL MODE INTERRUPT REFLECTOR; -------------------------------------------------------
DXCODE segment assume cs:DXCODE; -------------------------------------------------------; RMIntrEntryVector -- This table contains a vector of; near jump instructions to the real mode interrupt; reflector. Real mode interrupts that have been hooked; by the protected mode application have their vector; set to entry the real mode reflector through this table.
public RMIntrEntryVector
RMIntrEntryVector:
rept 256 call RMIntrReflector endm
; -------------------------------------------------------; RMIntrReflector -- This routine is the entry point for; the real mode interrupt reflector. This routine; is entered when an interrupt occurs (either software; or hardware) that has been hooked by the protected mode; application. It switches the processor to protected mode; and transfers control to the appropriate interrupt; service routine for the interrupt. After the interrupt; service routine completes, it switches back to real; mode and returns control to the originally interrupted; real mode code.; Entry to this routine comes from the RMIntrEntryVector,; which contains a vector of near call instructions, which; all call here. The interrupt number is determined from; the return address of the near call from the interrupt; entry vector.; The address of the protected mode interrupt service routine; to execute is determined from the protected mode interrupt; descriptor tabel and the interrupt number.;; Input: none; Output: none; Errors: none; Uses: The segment registers are explicitly preserved by; this routine. Other registers are as preserved or; modified by the interrutp service routine.
assume ds:NOTHING,es:NOTHING,ss:NOTHING public RMIntrReflector
RMIntrReflector:;; On entry, the stack layout is:; [6] FLAGS - "; [4] CS - "; [2] IP - from original interrupt; [0] IP - from interrupt entry vector call; FCLI cld push dsIFDEF ROM SetRMDataSegELSE mov ds,selDgroupENDIF assume ds:DGROUPif DEBUG;; Are we on a DOSX interrupt reflector stack?; push ax push cx mov ax,ss mov cx,ds cmp ax,cx pop cx jne @F
cmp sp,offset bReflStack jb @F cmp sp,offset pbReflStack jnb @F;; If so, have we overflowed a stacklet?; mov ax,pbReflStack cmp sp,ax ja @F add ax,CB_STKFRAME cmp sp,ax jb @F pop ax Real_Debug_Out "DOSX:RMIntrReflector--Reflector stack overflow." push ax@@: pop axendif ;DEBUG mov regUserAX,ax ;save user AX for later push bp ;stack -> BP DS IP IP CS FL mov bp,sp ; [0] [2] [4] [6] [8] [A] mov ax,[bp+0Ah] ;get the interrupted routine's flags and ax,NOT 4100h ;clear the trace flag in case we got ; an interrupt on an instruction about ; to be single stepped mov regUserFL,ax ;and save for later mov ax,es xchg ax,[bp+4] ;save ES and get entry vector address pop bp
; Some software (like older versions of Smartdrv.sys) may enable A20 on; their own, and get very 'suprised' to find it turned off by our PM->RM; mode switch. If they used Himem.sys, this wouldn't be necessary, but...
if VCPI cmp fVCPI,0 jnz @fendif push ax ;get/save current A20 state on stack push bx xmssvc 7 mov regUserSP,ax ;use regUserSP as a temp var pop bx pop ax@@: push regUserSP
; The state that we want to save on the user's stack has been set up.; Convert the entry vector return address into an interrupt number.
sub ax,offset RMIntrEntryVector+3 push cx mov cl,3 div cl pop cx
if DEBUG mov PMIntNo,axendif
; Allocate a new stack frame, and then switch to the reflector stack; frame.
mov regUserSP,sp ;save entry stack pointer so we can mov regUSerSS,ss ; switch to our own stackIFDEF ROM push ds pop ssELSE mov ss,selDgroup ;switch to the reflector stack frameENDIF mov sp,pbReflStack push pbReflStack ;save stack frame ptr on stack sub pbReflStack,CB_STKFRAME ;adjust pointer to next stack frame
; We are now running on our own stack, so we can switch into protected mode.
push ax ;save interrupt vector table offset SwitchToProtectedMode pop ax
if DEBUG ;--------------------------------------------------------
push 0DEADh ;debugging id & interrupt number push PMIntNo
cmp fTraceReflect,0 jz @f push ax mov ax,PMIntNo Trace_Out "(rp#AL)",x pop ax@@:
; Perform a too-late-to-save-us-now-but-we-want-to-know check on the; reflector stack.
cmp StackGuard,1022h jz @f Debug_Out "DOSX:RMIntrReflector--Global reflector stack overflow."@@:endif ;DEBUG ---------------------------------------------------------
; Build an IRET frame on the stack so that the protected mode interrupt service; routine will return to us when it is finished.
push regUserSS ;save user stack address on our own stack push regUserSP ; frame so we can restore it later push ds push regUserFL push cs push offset rmrf50
; Build an IRET frame on the stack to use to transfer control to the; protected mode ISR
and byte ptr regUserFL+1,not 02h ;use entry flags less the push 0 ; high half esp push regUserFL ; interrupt flag (IF)
xchg bx,ax ;interrupt vector offset to BX, preserve BX cmp bx,CRESERVED ;Interrupt in reserved range? jc rmrf_reserved shl bx,3 mov es,selIDT jmp rmrf_setISRrmrf_reserved: shl bx,2 mov es,SelDgroupPM add bx,offset DGROUP:PMIntelVectorrmrf_setISR: push dword ptr es:[bx+4] ;push segment of isr push dword ptr es:[bx] ;push offset of isr xchg bx,ax mov ax,regUserAX ;restore entry value of AX push ds pop es
; At this point the interrupt reflector stack looks like this:;; [18] previous stack frame pointer; [16] stack segment of original stack; [14] stack pointer of original stack; [12] protected mode dos extender data segment; [10] dos extender flags; [8] segment of return address back to interupt reflector; [6] offset of return address back to interrupt reflector; [4] user flags as on entry from original interrupt; [2] segment of protected mode ISR; [0] offset of protected mode ISR;; Execute the protected mode interrupt service routine
iretd
; The protected mode ISR will return here after it is finsished.
rmrf50: pop ds pushf ;save flags as returned by PM Int routine
FCLI ;We have to clear interrupts here, because cld ; the interrupt routine may have returned ; with interrupts on and our code that uses ; static variables must be protected. We ; turn them off after to pushf instruction so ; that we can preserve the state of the ; interrupt flag as returned by the ISR. mov regUserAX,ax pop ax pop regUserSP pop regUserSS
if DEBUG add sp,4 ;'pop' off debugging infoendif
pop pbReflStack ;deallocate stack frame(s)
; Switch back to real mode.
push ax ;preserve AX SwitchToRealMode pop ax
; Switch back to the original stack.
mov ss,regUserSS mov sp,regUserSP
; Make sure the A20 line matches whatever state it was when the int occured.; This is for the benefit of any software that diddles A20 without using; an XMS driver
pop regUserSP ;A20 state at time of interrupt to temp varif VCPI cmp fVCPI,0 jnz rmrf75endif push ax ;save current ax mov ax,regUserSP ;ax = A20 state at time of interrupt or ax,ax ;if it was off, don't sweat it jz rmrf70 push bx ;save bx (XMS calls destroy bl) push ax xmssvc 7 ;ax = current A20 state pop bx ;bx = old A20 state cmp ax,bx ;if A20 is still on, don't need to diddle jz @f xmssvc 5 ;force A20 back on inc A20EnableCount ; and remember that we did thisif DEBUG or fA20,04hendif@@: pop bxrmrf70: pop axrmrf75:
; Put the flags returned by the real mode interrupt routine back into; the caller's stack so that they will be returned properly.
push bp ;stack -> BP DS ES IP CS FL mov bp,sp ; [0] [2] [4] [6] [8] [10] and [bp+10],0300h ;clear all but the interrupt and trace flags ; in the caller's original flags or [bp+10],ax ;combine in the flags returned by the ; interrupt service routine. This will cause ; us to return to the original routine with ; interrupts on if they were on when the ; interrupt occured, or if the ISR returned ; with them on. pop bp
; And return to the original interrupted program.
mov ax,regUserAX pop ds pop es iret
DXCODE ends
WowIntr3216 proc
FCLI push ebp mov ebp,esp mov regUserAX,eax mov regUserBX,ebx mov regUserDS,ds mov regUserES,es mov regUserFlags,[ebp + 16] mov ax,SEL_DXDATA OR STD_RING mov ds,ax assume ds:dgroup mov ebx,esp mov regUserSp,eax mov ax,ss mov regUserSs,ax mov bx,pbReflStack ; get pointer to new frame sub bpReflStack,CB_STKFRAME
;; put user stack pointer on new stack; sub bx,4 mov [bx],regUserSs sub bx,4 mov [bx],dword ptr regUserSp
mov ax,[ebp + 4]
;; switch to new stack;
push ds pop ss movzx esp,bx
;; Save ss:esp for lss esp; push regUserSs push regUserSp;; Create an int frame; pushf push cs push offset wi30
;; Put handler address on stack;
shl ax,3 mov es,selDgroupPM add bx,offset DGROUP:Intr16Vector push [bx + 2] push [bx]
;; Restore Registers; mov eax,regUserAx mov ebx,regUserBX mov es,regUserES mov ds,regUserDS assume ds:nothing;; call handler; retf
wi30:;; handler will return here;
;; Switch stacks; mov ebp,esp lss esp,[ebp] mov ebp,esp
push eax push ds mov ds,SEL_DXDATA OR STD_RING assume ds:DGROUP
;; Deallocate stack frame; add pbReflStack,CB_STKFRAME pop eax pop ds
;; Return flags from int handler; pushf pop [ebp + 16]
;; Return to interrupted code; pop ebp riretd
WowIntr3216 endp
|
