1 #include <palacios/vmm_mem.h>
2 #include <palacios/vmm.h>
3 #include <palacios/vmcb.h>
4 #include <palacios/vmm_decoder.h>
5 #include <palacios/vm_guest_mem.h>
6 #include <palacios/vmm_ctrl_regs.h>
10 extern void SerialMemDump(unsigned char *start, int n);
13 /* Segmentation is a problem here...
15 * When we get a memory operand, presumably we use the default segment (which is?)
16 * unless an alternate segment was specfied in the prefix...
20 int handle_cr0_write(struct guest_info * info) {
24 switch (info->cpu_mode) {
30 PrintDebug("Real Mode write to CR0 at linear guest pa 0x%x\n",get_addr_linear(info,info->rip,&(info->segments.cs)));
32 //PrintV3Segments(info);
34 // The real rip address is actually a combination of the rip + CS base
35 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
37 // I think we should inject a GPF into the guest
38 PrintDebug("Could not read instruction (ret=%d)\n", ret);
42 while (is_prefix_byte(instr[index])) {
43 switch(instr[index]) {
44 case PREFIX_CS_OVERRIDE:
45 case PREFIX_SS_OVERRIDE:
46 case PREFIX_DS_OVERRIDE:
47 case PREFIX_ES_OVERRIDE:
48 case PREFIX_FS_OVERRIDE:
49 case PREFIX_GS_OVERRIDE:
50 PrintDebug("Segment Override!!\n");
59 if ((instr[index] == cr_access_byte) &&
60 (instr[index + 1] == lmsw_byte) &&
61 (MODRM_REG(instr[index + 2]) == lmsw_reg_byte)) {
64 addr_t second_operand;
65 struct cr0_real *real_cr0;
66 struct cr0_real *new_cr0;
67 operand_type_t addr_type;
73 real_cr0 = (struct cr0_real*)&(info->ctrl_regs.cr0);
75 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG16);
78 if (addr_type == REG_OPERAND) {
79 new_cr0 = (struct cr0_real *)first_operand;
80 } else if (addr_type == MEM_OPERAND) {
83 if (guest_pa_to_host_va(info, first_operand + (info->segments.ds.base << 4), &host_addr) == -1) {
88 new_cr0 = (struct cr0_real *)host_addr;
91 // error... don't know what to do
95 if ((new_cr0->pe == 1) && (real_cr0->pe == 0)) {
96 info->cpu_mode = PROTECTED;
97 } else if ((new_cr0->pe == 0) && (real_cr0->pe == 1)) {
98 info->cpu_mode = REAL;
101 new_cr0_val = (*(char*)(new_cr0)) & 0x0f;
104 if (info->shdw_pg_mode == SHADOW_PAGING) {
105 struct cr0_real * shadow_cr0 = (struct cr0_real*)&(info->shdw_pg_state.guest_cr0);
107 PrintDebug("Old CR0=%x, Old Shadow CR0=%x\n", *real_cr0, *shadow_cr0);
108 /* struct cr0_real is only 4 bits wide,
109 * so we can overwrite the real_cr0 without worrying about the shadow fields
111 *(char*)real_cr0 &= 0xf0;
112 *(char*)real_cr0 |= new_cr0_val;
114 *(char*)shadow_cr0 &= 0xf0;
115 *(char*)shadow_cr0 |= new_cr0_val;
118 PrintDebug("New CR0=%x, New Shadow CR0=%x\n", *real_cr0, *shadow_cr0);
120 PrintDebug("Old CR0=%x\n", *real_cr0);
121 // for now we just pass through....
122 *(char*)real_cr0 &= 0xf0;
123 *(char*)real_cr0 |= new_cr0_val;
125 PrintDebug("New CR0=%x\n", *real_cr0);
131 } else if ((instr[index] == cr_access_byte) &&
132 (instr[index + 1] == clts_byte)) {
134 PrintDebug("CLTS unhandled in CR0 write\n");
137 } else if ((instr[index] == cr_access_byte) &&
138 (instr[index + 1] = mov_to_cr_byte)) {
139 addr_t first_operand;
140 addr_t second_operand;
141 struct cr0_32 *real_cr0;
142 struct cr0_32 *new_cr0;
143 operand_type_t addr_type;
148 real_cr0 = (struct cr0_32*)&(info->ctrl_regs.cr0);
150 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
152 if (addr_type != REG_OPERAND) {
153 PrintDebug("Moving to CR0 from non-register operand in CR0 write\n");
154 /* Mov to CR0 Can only be a 32 bit register */
159 new_cr0 = (struct cr0_32 *)first_operand;
161 if (new_cr0->pe == 1) {
162 PrintDebug("Entering Protected Mode\n");
163 info->cpu_mode = PROTECTED;
166 if (new_cr0->pe == 0) {
167 PrintDebug("Entering Real Mode\n");
168 info->cpu_mode = REAL;
173 if ((new_cr0->pg == 1) && (new_cr0->pe == 1)) {
174 PrintDebug("Paging is already turned on in switch to protected mode in CR0 write\n");
176 // Actually This appears to be Ok.
177 // Why shouldn't windows be allowed to switch to real mode whenever it wants to modify its page tables?
179 info->mem_mode = VIRTUAL_MEM;
183 } else if ((new_cr0->pg == 1) && (new_cr0->pe == 0)) {
184 PrintDebug("Will the madness Never End??\n");
189 if (info->shdw_pg_mode == SHADOW_PAGING) {
190 struct cr0_32 * shadow_cr0 = (struct cr0_32 *)&(info->shdw_pg_state.guest_cr0);
192 PrintDebug("Old CR0=%x, Old Shadow CR0=%x\n", *real_cr0, *shadow_cr0);
193 *real_cr0 = *new_cr0;
197 *shadow_cr0 = *new_cr0;
200 // Setup the page tables...???
201 if (info->mem_mode == VIRTUAL_MEM) {
202 // If we aren't in paged mode then we have to preserve the identity mapped CR3
203 info->ctrl_regs.cr3 = *(addr_t*)&(info->shdw_pg_state.shadow_cr3);
206 PrintDebug("New CR0=%x, New Shadow CR0=%x\n", *real_cr0, *shadow_cr0);
208 PrintDebug("Old CR0=%x\n", *real_cr0);
209 *real_cr0 = *new_cr0;
210 PrintDebug("New CR0=%x\n", *real_cr0);
216 PrintDebug("Unsupported Instruction\n");
217 // unsupported instruction, UD the guest
230 PrintDebug("Protected %s Mode write to CR0 at guest %s linear rip 0x%x\n",
231 info->mem_mode == VIRTUAL_MEM ? "Paged" : "",
232 info->mem_mode == VIRTUAL_MEM ? "virtual" : "",
233 get_addr_linear(info, info->rip, &(info->segments.cs)));
235 // OK, now we will read the instruction
236 // The only difference between PROTECTED and PROTECTED_PG is whether we read
237 // from guest_pa or guest_va
238 if (info->mem_mode == PHYSICAL_MEM) {
239 // The real rip address is actually a combination of the rip + CS base
240 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
242 ret = read_guest_va_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
247 // I think we should inject a GPF into the guest
248 PrintDebug("Could not read instruction (ret=%d)\n", ret);
253 while (is_prefix_byte(instr[index])) {
254 switch(instr[index]) {
255 case PREFIX_CS_OVERRIDE:
256 case PREFIX_SS_OVERRIDE:
257 case PREFIX_DS_OVERRIDE:
258 case PREFIX_ES_OVERRIDE:
259 case PREFIX_FS_OVERRIDE:
260 case PREFIX_GS_OVERRIDE:
261 PrintDebug("Segment Override!!\n");
271 while (is_prefix_byte(instr[index])) {
276 struct cr0_32 * shadow_cr0 = (struct cr0_32 *)&(info->shdw_pg_state.guest_cr0);
278 struct cr0_32 * real_cr0 = (struct cr0_32*)&(info->ctrl_regs.cr0);
280 if ((instr[index] == cr_access_byte) &&
281 (instr[index + 1] == mov_to_cr_byte)) {
285 addr_t first_operand;
286 addr_t second_operand;
287 struct cr0_32 *new_cr0;
288 operand_type_t addr_type;
293 PrintDebug("MovToCR0 instr:\n");
294 PrintTraceMemDump(instr, 15);
295 PrintDebug("EAX=%x\n", *(uint_t*)&(info->vm_regs.rax));
297 addr_type = decode_operands32(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
299 if (addr_type != REG_OPERAND) {
300 PrintDebug("Non-register operand in write to CR0\n");
304 new_cr0 = (struct cr0_32 *)first_operand;
306 //PrintDebug("first operand=%x\n", *(uint_t *)first_operand);
308 if (info->shdw_pg_mode == SHADOW_PAGING) {
309 struct cr0_32 * shadow_cr0 = (struct cr0_32 *)&(info->shdw_pg_state.guest_cr0);
311 if (new_cr0->pg == 1){
312 // This should be new_cr0->pg && !(old_cr->pg), right?
313 // and then a case for turning paging off?
315 struct cr3_32 * shadow_cr3 = (struct cr3_32 *)&(info->shdw_pg_state.shadow_cr3);
317 info->mem_mode = VIRTUAL_MEM;
319 *shadow_cr0 = *new_cr0;
320 *real_cr0 = *new_cr0;
325 // Activate Shadow Paging
327 PrintDebug("Turning on paging in the guest\n");
329 info->ctrl_regs.cr3 = *(addr_t*)shadow_cr3;
332 } else if (new_cr0->pe == 0) {
333 info->cpu_mode = REAL;
334 info->mem_mode = PHYSICAL_MEM;
335 PrintDebug("Entering Real Mode\n");
337 //PrintV3CtrlRegs(info);
338 // reinstate the identity mapped paged tables
339 // But keep the shadow tables around to handle TLB issues.... UGH...
340 //info->shdw_pg_state.shadow_cr3 &= 0x00000fff;
341 //info->shdw_pg_state.shadow_cr3 |= ((addr_t)create_passthrough_pde32_pts(info) & ~0xfff);
343 //info->ctrl_regs.cr3 = info->shdw_pg_state.shadow_cr3;
344 info->ctrl_regs.cr3 = *(addr_t*)&(info->direct_map_pt);
346 *shadow_cr0 = *new_cr0;
347 *real_cr0 = *new_cr0;
352 //PrintV3CtrlRegs(info);
358 if (new_cr0->pg == 1) {
359 info->mem_mode = VIRTUAL_MEM;
360 } else if (new_cr0->pg == 0) {
361 info->cpu_mode = REAL;
362 info->mem_mode = PHYSICAL_MEM;
365 *real_cr0 = *new_cr0;
369 } else if ((instr[index] == cr_access_byte) &&
370 (instr[index + 1] == lmsw_byte) &&
371 (MODRM_REG(instr[index + 2]) == lmsw_reg_byte)) {
372 addr_t first_operand;
373 addr_t second_operand;
374 struct cr0_real *real_cr0;
375 struct cr0_real *new_cr0;
376 operand_type_t addr_type;
377 char new_cr0_val = 0;
381 real_cr0 = (struct cr0_real*)&(info->ctrl_regs.cr0);
383 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG16);
385 if (addr_type == REG_OPERAND) {
386 new_cr0 = (struct cr0_real *)first_operand;
387 } else if (addr_type == MEM_OPERAND) {
389 // check segment descriptors....
391 /* TODO, TODO, TODO: Lookup segment overrides */
392 struct v3_segment *lmsw_segment = &(info->segments.ds);
394 if (info->mem_mode == PHYSICAL_MEM) {
395 if (guest_pa_to_host_va(info, get_addr_linear(info, first_operand, lmsw_segment), &host_addr) == -1) {
399 if (guest_va_to_host_va(info, get_addr_linear(info, first_operand, lmsw_segment), &host_addr) == -1) {
404 new_cr0 = (struct cr0_real *)host_addr;
410 if (new_cr0->pe == 0) {
411 // According to the intel manual this it is illegal to use
412 // lmsw to turn _off_ Protected mode
413 PrintDebug("Cannot switch to real mode with LMSW, unclear what to do\n");
417 new_cr0_val = (*(char *)(new_cr0)) & 0x0f;
420 if (info->shdw_pg_mode == SHADOW_PAGING) {
421 struct cr0_real * shadow_cr0 = (struct cr0_real*)&(info->shdw_pg_state.guest_cr0);
423 PrintDebug("Old CR0=%x, Old Shadow CR0=%x\n", *real_cr0, *shadow_cr0);
424 /* struct cr0_real is only 4 bits wide,
425 * so we can overwrite the real_cr0 without worrying about the shadow fields
427 *(char*)real_cr0 &= 0xf0;
428 *(char*)real_cr0 |= new_cr0_val;
430 *(char*)shadow_cr0 &= 0xf0;
431 *(char*)shadow_cr0 |= new_cr0_val;
434 PrintDebug("New CR0=%x, New Shadow CR0=%x\n", *real_cr0, *shadow_cr0);
436 PrintDebug("Old CR0=%x\n", *real_cr0);
437 // for now we just pass through....
438 *(char*)real_cr0 &= 0xf0;
439 *(char*)real_cr0 |= new_cr0_val;
441 PrintDebug("New CR0=%x\n", *real_cr0);
447 } else if ((instr[index] == 0x0f) &&
448 (instr[index + 1] == 0x06)) {
450 PrintDebug("CLTS instruction - clearing TS flag of real and shadow CR0\n");
459 PrintDebug("Unkown instruction: \n");
460 SerialMemDump(instr,15);
467 PrintDebug("Protected PAE Mode write to CR0 is UNIMPLEMENTED\n");
471 PrintDebug("Protected Long Mode write to CR0 is UNIMPLEMENTED\n");
476 PrintDebug("Unknown Mode write to CR0 (info->cpu_mode=0x%x\n)",info->cpu_mode);
487 int handle_cr0_read(struct guest_info * info) {
490 switch (info->cpu_mode) {
498 PrintDebug("Real Mode read from CR0 at linear guest pa 0x%x\n",get_addr_linear(info,info->rip,&(info->segments.cs)));
499 //PrintV3Segments(info);
501 // The real rip address is actually a combination of the rip + CS base
502 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
504 // I think we should inject a GPF into the guest
505 PrintDebug("Could not read Real Mode instruction (ret=%d)\n", ret);
510 while (is_prefix_byte(instr[index])) {
511 switch(instr[index]) {
512 case PREFIX_CS_OVERRIDE:
513 case PREFIX_SS_OVERRIDE:
514 case PREFIX_DS_OVERRIDE:
515 case PREFIX_ES_OVERRIDE:
516 case PREFIX_FS_OVERRIDE:
517 case PREFIX_GS_OVERRIDE:
518 PrintDebug("Segment Override!!\n");
528 while (is_prefix_byte(instr[index])) {
533 if ((instr[index] == cr_access_byte) &&
534 (instr[index + 1] == smsw_byte) &&
535 (MODRM_REG(instr[index + 2]) == smsw_reg_byte)) {
537 // SMSW (store machine status word)
539 addr_t first_operand;
540 addr_t second_operand;
541 struct cr0_real *cr0;
542 operand_type_t addr_type;
547 cr0 = (struct cr0_real*)&(info->ctrl_regs.cr0);
550 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG16);
552 if (addr_type == MEM_OPERAND) {
555 if (guest_pa_to_host_va(info, first_operand + (info->segments.ds.base << 4), &host_addr) == -1) {
557 PrintDebug("Could not convert guest physical address to host virtual address\n");
561 first_operand = host_addr;
567 cr0_val = *(char*)cr0 & 0x0f;
569 *(char *)first_operand &= 0xf0;
570 *(char *)first_operand |= cr0_val;
572 PrintDebug("index = %d, rip = %x\n", index, (ulong_t)(info->rip));
574 PrintDebug("new_rip = %x\n", (ulong_t)(info->rip));
577 } else if ((instr[index] == cr_access_byte) &&
578 (instr[index+1] == mov_from_cr_byte)) {
580 * This can only take a 32 bit register argument in anything less than 64 bit mode.
582 addr_t first_operand;
583 addr_t second_operand;
584 operand_type_t addr_type;
586 struct cr0_32 * real_cr0 = (struct cr0_32 *)&(info->ctrl_regs.cr0);
590 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
592 struct cr0_32 * virt_cr0 = (struct cr0_32 *)first_operand;
594 if (addr_type != REG_OPERAND) {
595 // invalid opcode to guest
596 PrintDebug("Invalid operand type in mov from CR0\n");
600 if (info->shdw_pg_mode == SHADOW_PAGING) {
601 *virt_cr0 = *(struct cr0_32 *)&(info->shdw_pg_state.guest_cr0);
603 *virt_cr0 = *real_cr0;
609 PrintDebug("Unknown read instr from CR0\n");
623 PrintDebug("Protected %s Mode read from CR0 at guest %s linear rip 0x%x\n",
624 info->mem_mode == VIRTUAL_MEM ? "Paged" : "",
625 info->mem_mode == VIRTUAL_MEM ? "virtual" : "",
626 get_addr_linear(info, info->rip, &(info->segments.cs)));
628 // We need to read the instruction, which is at CS:IP, but that
629 // linear address is guest physical without PG and guest virtual with PG
630 if (info->cpu_mode == PHYSICAL_MEM) {
631 // The real rip address is actually a combination of the rip + CS base
632 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
634 // The real rip address is actually a combination of the rip + CS base
635 ret = read_guest_va_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
640 PrintDebug("Instr (15 bytes) at %x:\n", instr);
641 PrintTraceMemDump((char*)instr, 15);
645 // I think we should inject a GPF into the guest
646 PrintDebug("Could not read Protected %s mode instruction (ret=%d)\n",
647 info->cpu_mode == VIRTUAL_MEM ? "Paged" : "", ret);
652 while (is_prefix_byte(instr[index])) {
653 switch(instr[index]) {
654 case PREFIX_CS_OVERRIDE:
655 case PREFIX_SS_OVERRIDE:
656 case PREFIX_DS_OVERRIDE:
657 case PREFIX_ES_OVERRIDE:
658 case PREFIX_FS_OVERRIDE:
659 case PREFIX_GS_OVERRIDE:
660 PrintDebug("Segment Override!!\n");
671 while (is_prefix_byte(instr[index])) {
676 if ((instr[index] == cr_access_byte) &&
677 (instr[index+1] == mov_from_cr_byte)) {
679 // MOV from CR0 to register
681 addr_t first_operand;
682 addr_t second_operand;
683 operand_type_t addr_type;
684 struct cr0_32 * virt_cr0;
685 struct cr0_32 * real_cr0 = (struct cr0_32 *)&(info->ctrl_regs.cr0);
689 addr_type = decode_operands32(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
691 if (addr_type != REG_OPERAND) {
692 PrintDebug("Invalid operand type in mov from CR0\n");
696 virt_cr0 = (struct cr0_32 *)first_operand;
698 if (info->shdw_pg_mode == SHADOW_PAGING) {
699 *virt_cr0 = *(struct cr0_32 *)&(info->shdw_pg_state.guest_cr0);
701 if (info->mem_mode == PHYSICAL_MEM) {
702 virt_cr0->pg = 0; // clear the pg bit because guest doesn't think it's on
706 *virt_cr0 = *real_cr0;
709 PrintDebug("real CR0: %x\n", *(uint_t*)real_cr0);
710 PrintDebug("returned CR0: %x\n", *(uint_t*)virt_cr0);
715 PrintDebug("Unknown read instruction from CR0\n");
722 PrintDebug("Protected PAE Mode read to CR0 is UNIMPLEMENTED\n");
726 PrintDebug("Protected Long Mode read to CR0 is UNIMPLEMENTED\n");
732 PrintDebug("Unknown Mode read from CR0 (info->cpu_mode=0x%x)\n",info->cpu_mode);
745 int handle_cr3_write(struct guest_info * info) {
746 if (info->cpu_mode == REAL) {
747 // WHAT THE HELL DOES THIS EVEN MEAN?????
753 PrintDebug("Real Mode Write to CR3.\n");
754 // We need to read the instruction, which is at CS:IP, but that
755 // linear address is guest physical without PG and guest virtual with PG
757 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
760 PrintDebug("Could not read instruction (ret=%d)\n", ret);
764 while (is_prefix_byte(instr[index])) {
765 switch(instr[index]) {
766 case PREFIX_CS_OVERRIDE:
767 case PREFIX_SS_OVERRIDE:
768 case PREFIX_DS_OVERRIDE:
769 case PREFIX_ES_OVERRIDE:
770 case PREFIX_FS_OVERRIDE:
771 case PREFIX_GS_OVERRIDE:
772 PrintDebug("Segment Override!!\n");
782 if ((instr[index] == cr_access_byte) &&
783 (instr[index + 1] == mov_to_cr_byte)) {
785 addr_t first_operand;
786 addr_t second_operand;
787 struct cr3_32 * new_cr3;
788 // struct cr3_32 * real_cr3;
789 operand_type_t addr_type;
793 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
795 if (addr_type != REG_OPERAND) {
796 /* Mov to CR3 can only be a 32 bit register */
800 new_cr3 = (struct cr3_32 *)first_operand;
802 if (info->shdw_pg_mode == SHADOW_PAGING) {
804 struct cr3_32 * shadow_cr3 = (struct cr3_32 *)&(info->shdw_pg_state.shadow_cr3);
805 struct cr3_32 * guest_cr3 = (struct cr3_32 *)&(info->shdw_pg_state.guest_cr3);
809 if (CR3_TO_PDE32(*(uint_t*)shadow_cr3) != 0) {
810 PrintDebug("Shadow Page Table\n");
811 PrintDebugPageTables((pde32_t *)CR3_TO_PDE32(*(uint_t*)shadow_cr3));
815 /* Delete the current Page Tables */
816 delete_page_tables_pde32((pde32_t *)CR3_TO_PDE32(*(uint_t*)shadow_cr3));
818 PrintDebug("Old Shadow CR3=%x; Old Guest CR3=%x\n",
819 *(uint_t*)shadow_cr3, *(uint_t*)guest_cr3);
822 *guest_cr3 = *new_cr3;
826 // Something like this
827 shadow_pt = create_new_shadow_pt32(info);
828 //shadow_pt = setup_shadow_pt32(info, CR3_TO_PDE32(*(addr_t *)new_cr3));
830 /* Copy Various flags */
831 *shadow_cr3 = *new_cr3;
836 guest_pa_to_host_va(info, ((*(uint_t*)guest_cr3) & 0xfffff000), &tmp_addr);
837 PrintDebug("Guest PD\n");
838 PrintPD32((pde32_t *)tmp_addr);
844 shadow_cr3->pdt_base_addr = PD32_BASE_ADDR(shadow_pt);
846 PrintDebug("New Shadow CR3=%x; New Guest CR3=%x\n",
847 *(uint_t*)shadow_cr3, *(uint_t*)guest_cr3);
856 PrintDebug("Unknown Instruction\n");
857 SerialMemDump(instr,15);
863 } else if (info->cpu_mode == PROTECTED) {
868 PrintDebug("Protected %s mode write to CR3 at %s 0x%x\n",
869 info->cpu_mode==PROTECTED ? "" : "Paged",
870 info->cpu_mode==PROTECTED ? "guest physical" : "guest virtual",
871 get_addr_linear(info,info->rip,&(info->segments.cs)));
873 // We need to read the instruction, which is at CS:IP, but that
874 // linear address is guest physical without PG and guest virtual with PG
875 if (info->mem_mode == PHYSICAL_MEM) {
876 // The real rip address is actually a combination of the rip + CS base
877 //PrintDebug("Writing Guest CR3 Write (Physical Address)\n");
878 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
880 //PrintDebug("Writing Guest CR3 Write (Virtual Address)\n");
881 // The real rip address is actually a combination of the rip + CS base
882 ret = read_guest_va_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
886 PrintDebug("Could not read instruction (ret=%d)\n", ret);
890 while (is_prefix_byte(instr[index])) {
891 switch(instr[index]) {
892 case PREFIX_CS_OVERRIDE:
893 case PREFIX_SS_OVERRIDE:
894 case PREFIX_DS_OVERRIDE:
895 case PREFIX_ES_OVERRIDE:
896 case PREFIX_FS_OVERRIDE:
897 case PREFIX_GS_OVERRIDE:
898 PrintDebug("Segment Override!!\n");
908 while (is_prefix_byte(instr[index])) {
913 if ((instr[index] == cr_access_byte) &&
914 (instr[index + 1] == mov_to_cr_byte)) {
916 addr_t first_operand;
917 addr_t second_operand;
918 struct cr3_32 * new_cr3;
919 // struct cr3_32 * real_cr3;
920 operand_type_t addr_type;
924 addr_type = decode_operands32(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
926 if (addr_type != REG_OPERAND) {
927 /* Mov to CR3 can only be a 32 bit register */
931 new_cr3 = (struct cr3_32 *)first_operand;
933 if (info->shdw_pg_mode == SHADOW_PAGING) {
935 struct cr3_32 * shadow_cr3 = (struct cr3_32 *)&(info->shdw_pg_state.shadow_cr3);
936 struct cr3_32 * guest_cr3 = (struct cr3_32 *)&(info->shdw_pg_state.guest_cr3);
940 if (CR3_TO_PDE32(*(uint_t*)shadow_cr3) != 0) {
941 PrintDebug("Shadow Page Table\n");
942 PrintDebugPageTables((pde32_t *)CR3_TO_PDE32(*(uint_t*)shadow_cr3));
946 /* Delete the current Page Tables */
947 delete_page_tables_pde32((pde32_t *)CR3_TO_PDE32(*(uint_t*)shadow_cr3));
949 PrintDebug("Old Shadow CR3=%x; Old Guest CR3=%x\n",
950 *(uint_t*)shadow_cr3, *(uint_t*)guest_cr3);
953 *guest_cr3 = *new_cr3;
957 // Something like this
958 shadow_pt = create_new_shadow_pt32(info);
959 //shadow_pt = setup_shadow_pt32(info, CR3_TO_PDE32(*(addr_t *)new_cr3));
961 /* Copy Various flags */
962 *shadow_cr3 = *new_cr3;
967 guest_pa_to_host_va(info, ((*(uint_t*)guest_cr3) & 0xfffff000), &tmp_addr);
968 PrintDebug("Guest PD\n");
969 PrintPD32((pde32_t *)tmp_addr);
975 shadow_cr3->pdt_base_addr = PD32_BASE_ADDR(shadow_pt);
977 PrintDebug("New Shadow CR3=%x; New Guest CR3=%x\n",
978 *(uint_t*)shadow_cr3, *(uint_t*)guest_cr3);
982 if (info->mem_mode == VIRTUAL_MEM) {
983 // If we aren't in paged mode then we have to preserve the identity mapped CR3
984 info->ctrl_regs.cr3 = *(addr_t*)shadow_cr3;
991 PrintDebug("Unknown Instruction\n");
992 SerialMemDump(instr,15);
996 PrintDebug("Invalid operating Mode (0x%x)\n", info->cpu_mode);
1006 int handle_cr3_read(struct guest_info * info) {
1008 if (info->cpu_mode == REAL) {
1012 addr_t linear_addr = 0;
1014 linear_addr = get_addr_linear(info, info->rip, &(info->segments.cs));
1017 //PrintDebug("RIP Linear: %x\n", linear_addr);
1018 //PrintV3Segments(info);
1020 ret = read_guest_pa_memory(info, linear_addr, 15, instr);
1023 PrintDebug("Could not read instruction (ret=%d)\n", ret);
1027 while (is_prefix_byte(instr[index])) {
1028 switch(instr[index]) {
1029 case PREFIX_CS_OVERRIDE:
1030 case PREFIX_SS_OVERRIDE:
1031 case PREFIX_DS_OVERRIDE:
1032 case PREFIX_ES_OVERRIDE:
1033 case PREFIX_FS_OVERRIDE:
1034 case PREFIX_GS_OVERRIDE:
1035 PrintDebug("Segment Override!!\n");
1045 if ((instr[index] == cr_access_byte) &&
1046 (instr[index + 1] == mov_from_cr_byte)) {
1047 addr_t first_operand;
1048 addr_t second_operand;
1049 struct cr3_32 * virt_cr3;
1050 struct cr3_32 * real_cr3 = (struct cr3_32 *)&(info->ctrl_regs.cr3);
1051 operand_type_t addr_type;
1055 addr_type = decode_operands16(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
1057 if (addr_type != REG_OPERAND) {
1058 /* Mov to CR3 can only be a 32 bit register */
1062 virt_cr3 = (struct cr3_32 *)first_operand;
1064 if (info->shdw_pg_mode == SHADOW_PAGING) {
1065 *virt_cr3 = *(struct cr3_32 *)&(info->shdw_pg_state.guest_cr3);
1067 *virt_cr3 = *real_cr3;
1072 PrintDebug("Unknown Instruction\n");
1073 SerialMemDump(instr,15);
1079 } else if (info->cpu_mode == PROTECTED) {
1086 // We need to read the instruction, which is at CS:IP, but that
1087 // linear address is guest physical without PG and guest virtual with PG
1088 if (info->cpu_mode == PHYSICAL_MEM) {
1089 // The real rip address is actually a combination of the rip + CS base
1090 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
1092 // The real rip address is actually a combination of the rip + CS base
1093 ret = read_guest_va_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
1097 PrintDebug("Could not read instruction (ret=%d)\n", ret);
1101 while (is_prefix_byte(instr[index])) {
1102 switch(instr[index]) {
1103 case PREFIX_CS_OVERRIDE:
1104 case PREFIX_SS_OVERRIDE:
1105 case PREFIX_DS_OVERRIDE:
1106 case PREFIX_ES_OVERRIDE:
1107 case PREFIX_FS_OVERRIDE:
1108 case PREFIX_GS_OVERRIDE:
1109 PrintDebug("Segment Override!!\n");
1119 while (is_prefix_byte(instr[index])) {
1124 if ((instr[index] == cr_access_byte) &&
1125 (instr[index + 1] == mov_from_cr_byte)) {
1126 addr_t first_operand;
1127 addr_t second_operand;
1128 struct cr3_32 * virt_cr3;
1129 struct cr3_32 * real_cr3 = (struct cr3_32 *)&(info->ctrl_regs.cr3);
1130 operand_type_t addr_type;
1134 addr_type = decode_operands32(&(info->vm_regs), instr + index, &index, &first_operand, &second_operand, REG32);
1136 if (addr_type != REG_OPERAND) {
1137 /* Mov to CR3 can only be a 32 bit register */
1141 virt_cr3 = (struct cr3_32 *)first_operand;
1143 if (info->shdw_pg_mode == SHADOW_PAGING) {
1144 *virt_cr3 = *(struct cr3_32 *)&(info->shdw_pg_state.guest_cr3);
1146 *virt_cr3 = *real_cr3;
1151 PrintDebug("Unknown Instruction\n");
1152 SerialMemDump(instr,15);
1156 PrintDebug("Invalid operating Mode (0x%x), control registers follow\n", info->cpu_mode);
1157 PrintV3CtrlRegs(info);
