1 /*
2  * kdd.h -- Structures, constants and descriptions of the Windows
3  *          kd serial debugger protocol, for the kdd debugging stub.
4  *
5  * Tim Deegan <Tim.Deegan@citrix.com>
6  *
7  * Copyright (c) 2007-2010, Citrix Systems Inc.
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  *
14  * Redistributions of source code must retain the above copyright
15  * notice, this list of conditions and the following disclaimer.
16  *
17  * Redistributions in binary form must reproduce the above copyright
18  * notice, this list of conditions and the following disclaimer in the
19  * documentation and/or other materials provided with the distribution.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32  * POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 #ifndef _KDD_H_
36 #define _KDD_H_
37 
38 #include <stdint.h>
39 
40 #define PACKED __attribute__((packed))
41 
42 /*****************************************************************************
43  * Serial line protocol: Sender sends a 16-byte header with an optional
44  * payload following it.  Receiver responds to each packet with an
45  * acknowledgment (16-byte header only).
46  *
47  * Packet headers start with ASCII "0000" and there is a trailing byte
48  * 0xAA after the (optional) payload.  Ack headers start with ASCII
49  * "iiii"; no trailing byte).  Each packet and ack has a major type in
50  * the packet header; for packets with payload, a minor type is encoded
51  * in ASCII in the first four bytes of the payload.
52  *
53  * Packet IDs seem to start at 0x80800000 and alternate between that and
54  * 0x80800001; not clear whether the client's ID is always the ID of the
55  * last packet from the kernel or whether they're just oscillating in
56  * phase.  Either way there's clearly some state machine in the kernel
57  * that requires this exact behaviour from the client.
58  *
59  * All acks have length 0, id = id of the packet they ack.
60  */
61 
62 #define KDD_DIR_PKT 0x30303030   /* "0000" */
63 #define KDD_DIR_ACK 0x69696969   /* "iiii" */
64 
65 typedef struct {
66     uint32_t dir;     /* KDD_DIR_PKT or KDD_DIR_ACK */
67     uint16_t type;    /* Major type. */
68     uint16_t len;     /* Payload length, excl. header and trailing byte */
69     uint32_t id;      /* Echoed in responses */
70     uint32_t sum;     /* Unsigned sum of all payload bytes */
71     uint8_t payload[0];
72 } PACKED kdd_hdr;
73 
74 #define KDD_PKT_CMD 0x0002      /* Debugger commands (and replies to them) */
75 #define KDD_PKT_MSG 0x0003      /* Kernel messages for the user */
76 #define KDD_PKT_STC 0x0007      /* State change notification */
77 #define KDD_PKT_REG 0x000b      /* Registry change notification (?) */
78 #define KDD_PKT_MAX 0x000b
79 
80 #define KDD_ACK_OK  0x0004      /* Checksum, ID and type all fine */
81 #define KDD_ACK_BAD 0x0005      /* Something is bogus */
82 #define KDD_ACK_RST 0x0006      /* Not really an ack; one each way to resync */
83 
84 
85 /*****************************************************************************
86  * Debugger commands, carried over the serial line.  In this protocol,
87  * we ignore the serial-level acking; when we talk about a response,
88  * it's another packet, sent after the request was acked, and which will
89  * itself be acked.
90  *
91  * The debugger client sends commands to the kernel, all of which have
92  * major type 2 and are 56 bytes long (not including the serial header).
93  * Not all the 56 bytes are used in every command, but the client
94  * doesn't bother to zero unused fields.  Most commands are responded to
95  * by a packet with the same subtype, containing at least a status code
96  * to indicate success or failure.
97  */
98 
99 #define KDD_STATUS_SUCCESS  0x00000000
100 #define KDD_STATUS_FAILURE  0xc0000001
101 #define KDD_STATUS_PENDING  0x00000103
102 
103 /* Memory access.  Read commands are echoed in the response with the
104  * status and length_rsp fields updated, and the read data appended to the
105  * packet.  Writes are the same, but with the data appended to the
106  * write command, not the response. */
107 
108 #define KDD_CMD_READ_VA     0x00003130  /* "01" */
109 #define KDD_CMD_WRITE_VA    0x00003131  /* "11" */
110 #define KDD_CMD_READ_CTRL   0x00003137  /* "71" */
111 #define KDD_CMD_WRITE_CTRL  0x00003138  /* "81" */
112 #define KDD_CMD_READ_PA     0x0000313D  /* "=1" */
113 #define KDD_CMD_WRITE_PA    0x0000313E  /* ">1" */
114 
115 /* Not sure what this is, but it doesn't require a response */
116 #define KDD_CMD_WRITE_Z     0x0000315A  /* "Z1" */
117 
118 typedef struct {
119     uint32_t u1;
120     uint32_t status;            /* IN: STATUS_PENDING; OUT: result status. */
121     uint32_t u2;
122     uint64_t addr;              /* IN: address of start of read/write */
123     uint32_t length_req;        /* IN: bytes to read/write */
124     uint32_t length_rsp;        /* OUT: bytes successfully read/written */
125 } PACKED kdd_cmd_mem;
126 
127 /* CPU register access.  As for memory accesses, but the data is a
128  * fixed-length block of register info. */
129 
130 #define KDD_CMD_READ_REGS   0x00003132  /* "21" */
131 #define KDD_CMD_WRITE_REGS  0x00003133  /* "31" */
132 
133 typedef struct {
134     uint16_t u1;
135     uint16_t cpu;               /* IN: Zero-based processor ID */
136     uint32_t status;            /* IN: STATUS_PENDING; OUT: result status. */
137 } PACKED kdd_cmd_regs;
138 
139 #define KDD_CMD_READ_MSR    0x00003152  /* "R1" */
140 #define KDD_CMD_WRITE_MSR   0x00003153  /* "S1" */
141 
142 typedef struct {
143     uint32_t u1;
144     uint32_t status;            /* IN: STATUS_PENDING; OUT: result status. */
145     uint32_t u2;
146     uint32_t msr;               /* IN/OUT: MSR number */
147     uint64_t val;               /* IN/OUT: MSR contents */
148 } PACKED kdd_cmd_msr;
149 
150 /* Breakpoint commands. */
151 
152 #define KDD_CMD_SOFT_BP     0x00003135  /* "51" */
153 
154 typedef struct {
155     uint32_t u1;
156     uint32_t status;            /* IN: STATUS_PENDING; OUT: result status. */
157     uint32_t u2;
158     uint32_t bp;                /* IN: ID of breakpoint to operate on */
159 } PACKED kdd_cmd_soft_bp;
160 
161 #define KDD_CMD_HARD_BP     0x0000315C  /* "\1" */
162 
163 typedef struct {
164     uint32_t u1;
165     uint32_t status;            /* IN: STATUS_PENDING; OUT: result status. */
166     uint32_t u2;
167     uint64_t address;           /* IN: Address to trap on */
168     uint64_t u3;
169     uint64_t u4;
170     uint64_t u5;
171     uint64_t u6;
172 } PACKED kdd_cmd_hard_bp;
173 
174 /* Flow control commands.  These commands are _not_ responded to.  */
175 
176 #define KDD_CMD_CONT1       0x00003136  /* "61" */
177 #define KDD_CMD_CONT2       0x0000313c  /* "<1" */
178 
179 #define KDD_DBG_EXCEPTION_HANDLED    0x00010001
180 #define KDD_DBG_CONTINUE             0x00010002
181 
182 typedef struct {
183     uint32_t u1;
184     uint32_t reason1;           /* IN: KDD_DBG_* */
185     uint32_t u2;
186     uint64_t reason2;           /* IN: always same as reason1 */
187 } PACKED kdd_cmd_cont;
188 
189 /* Handshake command. */
190 
191 #define KDD_CMD_SHAKE       0x00003146 /* "F1" */
192 
193 #define KDD_MACH_x32        0x014c
194 #define KDD_MACH_x64        0x8664
195 
196 #define KDD_FLAGS_MP        0x0001
197 #define KDD_FLAGS_64        0x0008
198 
199 typedef struct {
200     uint32_t u1;
201     uint32_t status;            /* IN: STATUS_PENDING; OUT: result status. */
202     uint32_t u2;
203     uint16_t v_major;           /* OUT: OS major version (0xf for NT) */
204     uint16_t v_minor;           /* OUT: OS minor version (NT build number) */
205     uint16_t proto;             /* OUT: Protocol version (6) */
206     uint16_t flags;             /* OUT: Some flags (at least 0x3) */
207     uint16_t machine;           /* OUT: Machine type */
208     uint8_t pkts;               /* OUT: Number of packet types understood */
209     uint8_t states;             /* OUT: Number of state-change types used */
210     uint8_t manips;             /* OUT: number of "manipulation" types used */
211     uint8_t u3[3];
212     int64_t kern_addr;          /* OUT: KernBase */
213     int64_t mods_addr;          /* OUT: PsLoadedModuleList */
214     int64_t data_addr;          /* OUT: DebuggerDataList */
215 } PACKED kdd_cmd_shake;
216 
217 /* Change active CPU.  This command is _not_ responded to */
218 
219 #define KDD_CMD_SETCPU      0x00003150 /* "P1" */
220 
221 typedef struct {
222     uint16_t u1;
223     uint16_t cpu;               /* IN: Zero-based processor ID */
224     uint32_t status;            /* IN: STATUS_PENDING */
225 } PACKED kdd_cmd_setcpu;
226 
227 typedef struct {
228     uint32_t subtype;           /* IN: KDD_CMD_x */
229     union {
230         kdd_cmd_mem mem;
231         kdd_cmd_regs regs;
232         kdd_cmd_msr msr;
233         kdd_cmd_soft_bp sbp;
234         kdd_cmd_hard_bp hbp;
235         kdd_cmd_cont cont;
236         kdd_cmd_shake shake;
237         kdd_cmd_setcpu setcpu;
238         uint8_t pad[52];
239     };
240     uint8_t data[0];
241 } PACKED kdd_cmd;
242 
243 
244 /*****************************************************************************
245  * Kernel messages to the debugger.  The debugger does not respond to these
246  * beyond ACKing them and printing approprate things on the debugger
247  * console.
248  */
249 
250 /* Messages for the console */
251 
252 #define KDD_MSG_PRINT       0x00003230  /* "02" */
253 
254 typedef struct {
255     uint32_t subtype;           /* KDD_MSG_PRINT */
256     uint32_t u1;
257     uint32_t length;            /* Length in bytes of trailing string */
258     uint32_t u2;
259     uint8_t string[0];          /* Non-terminated character string */
260 } PACKED kdd_msg;
261 
262 /* Registry updates (Hive loads?) */
263 
264 #define KDD_REG_CHANGE      0x00003430  /* "04" */
265 
266 typedef struct {
267     uint32_t subtype;           /* KDD_REG_CHANGE */
268     uint32_t u1[15];
269     uint16_t string[0];         /* Null-terminated wchar string */
270 } PACKED kdd_reg;
271 
272 /* State changes.  After sending a state-change message the kernel halts
273  * until it receives a continue command from the debugger. */
274 
275 #define KDD_STC_STOP        0x00003030  /* "00" : Bug-check */
276 #define KDD_STC_LOAD        0x00003031  /* "01" : Loaded a module */
277 
278 #define KDD_STC_STATUS_BREAKPOINT 0x80000003
279 
280 typedef struct {
281     uint16_t u1;
282     uint16_t cpu;               /* Zero-based processor ID */
283     uint32_t ncpus;             /* Number of processors */
284     uint32_t u2;
285     int64_t kthread;            /* Kernel thread structure */
286     int64_t rip1;               /* Instruction pointer, sign-extended */
287     uint64_t status;            /* KDD_STC_STATUS_x */
288     uint64_t u3;
289     int64_t rip2;               /* Same as rip1 */
290     uint64_t nparams;           /* Number of stopcode parameters */
291     uint64_t params[15];        /* Stopcode parameters */
292     uint64_t first_chance;      /* OS exn handlers not yet been run? */
293     uint32_t u4[2];
294     uint32_t ilen;              /* Number of bytes of instruction following */
295     uint8_t inst[36];           /* VA contents from %eip onwards */
296 } PACKED kdd_stc_stop;
297 
298 typedef struct {
299     uint32_t u1[3];
300     uint64_t u2;
301     uint64_t rip;               /* Instruction pointer, sign-extended */
302     uint64_t u3[26];
303     uint8_t path[0];            /* Null-terminated ASCII path to loaded mod. */
304 } PACKED kdd_stc_load;
305 
306 typedef struct {
307     uint32_t subtype;           /* KDD_STC_x */
308     union {
309         kdd_stc_stop stop;
310         kdd_stc_load load;
311     };
312 } PACKED kdd_stc;
313 
314 
315 /*****************************************************************************
316  * Overall packet type
317  */
318 
319 typedef struct {
320     kdd_hdr h;                  /* Major type disambiguates union below */
321     union {
322         kdd_cmd cmd;
323         kdd_msg msg;
324         kdd_reg reg;
325         kdd_stc stc;
326         uint8_t payload[0];
327     };
328 } PACKED kdd_pkt;
329 
330 
331 /*****************************************************************************
332  * Processor state layouts
333  */
334 
335 /* User-visible register files */
336 typedef union {
337     uint32_t pad[179];
338     struct {
339         uint32_t u1[7];         /* Flags, DRx?? */
340         uint8_t fp[112];        /* FP save state (why 112 not 108?) */
341         int32_t gs;
342         int32_t fs;
343         int32_t es;
344         int32_t ds;
345         int32_t edi;
346         int32_t esi;
347         int32_t ebx;
348         int32_t edx;
349         int32_t ecx;
350         int32_t eax;
351         int32_t ebp;
352         int32_t eip;
353         int32_t cs;
354         int32_t eflags;
355         int32_t esp;
356         int32_t ss;
357         uint32_t sp2[37];       /* More 0x20202020. fp? */
358         uint32_t sp3;           /* 0x00202020 */
359     };
360 } PACKED kdd_regs_x86_32;
361 
362 typedef union {
363     uint64_t pad[154];
364     struct {
365 
366         uint64_t u1[7];
367 
368         uint16_t cs; //2*1c
369         uint16_t ds;
370         uint16_t es;
371         uint16_t fs;
372         uint16_t gs;
373         uint16_t ss;
374         uint32_t rflags;
375         uint64_t dr0;
376         uint64_t dr1;
377         uint64_t dr2;
378         uint64_t dr3;
379         uint64_t dr6;
380         uint64_t dr7;
381         int64_t rax;
382         int64_t rcx;
383         int64_t rdx;
384         int64_t rbx;
385         int64_t rsp;
386         int64_t rbp;
387         int64_t rsi;
388         int64_t rdi;
389         int64_t r8;
390         int64_t r9;
391         int64_t r10;
392         int64_t r11;
393         int64_t r12;
394         int64_t r13;
395         int64_t r14;
396         int64_t r15;
397         int64_t rip; //2*7c
398 
399         uint64_t u2[32];
400 
401         uint8_t fp[512]; // fp @2*100 .. 150 (+ more??)
402 
403         uint64_t u3[26];
404     };
405 } PACKED kdd_regs_x86_64;
406 
407 typedef union {
408     kdd_regs_x86_32 r32;
409     kdd_regs_x86_64 r64;
410 } PACKED kdd_regs;
411 
412 /* System registers */
413 typedef struct {
414     uint32_t cr0;
415     uint32_t cr2;
416     uint32_t cr3;
417     uint32_t cr4;
418     uint32_t dr0;
419     uint32_t dr1;
420     uint32_t dr2;
421     uint32_t dr3;
422     uint32_t dr6;
423     uint32_t dr7;
424     uint16_t gdt_pad;
425     uint16_t gdt_limit;
426     uint32_t gdt_base;
427     uint16_t idt_pad;
428     uint16_t idt_limit;
429     uint32_t idt_base;
430     uint16_t tss_sel;
431     uint16_t ldt_sel;
432     uint8_t u1[24];
433 } PACKED kdd_ctrl_x86_32;
434 
435 typedef struct {
436     uint64_t cr0;
437     uint64_t cr2;
438     uint64_t cr3;
439     uint64_t cr4;
440     uint64_t dr0;
441     uint64_t dr1;
442     uint64_t dr2;
443     uint64_t dr3;
444     uint64_t dr6;
445     uint64_t dr7;
446     uint8_t  gdt_pad[6];
447     uint16_t gdt_limit;
448     uint64_t gdt_base;
449     uint8_t  idt_pad[6];
450     uint16_t idt_limit;
451     uint64_t idt_base;
452     uint16_t tss_sel;
453     uint16_t ldt_sel;
454     uint8_t u1[44];
455     uint64_t cr8;
456     uint8_t u2[40];
457     uint64_t efer; // XXX find out where EFER actually goes
458 } PACKED kdd_ctrl_x86_64;
459 
460 typedef union {
461     kdd_ctrl_x86_32 c32;
462     kdd_ctrl_x86_64 c64;
463 } kdd_ctrl;
464 
465 /*****************************************************************************
466  * Functions required from the emulator/hypervisor for the stub to work.
467  */
468 
469 typedef struct kdd_guest kdd_guest;
470 
471 /* Init and teardown guest-specific state */
472 extern kdd_guest *kdd_guest_init(char *arg, FILE *log, int verbosity);
473 extern void kdd_guest_teardown(kdd_guest *g);
474 extern char *kdd_guest_identify(kdd_guest *g);
475 
476 /* Halt and restart the running guest */
477 extern void kdd_halt(kdd_guest *g);
478 extern void kdd_run(kdd_guest *g);
479 
480 /* How many CPUs are there? */
481 extern int kdd_count_cpus(kdd_guest *g);
482 
483 /* Accessor for guest physical memory, returning bytes read/written */
484 extern uint32_t kdd_access_physical(kdd_guest *g, uint64_t addr,
485                                     uint32_t len, uint8_t *buf, int write);
486 
487 /* Accessors for guest registers, returning 0 for success */
488 extern int kdd_get_regs(kdd_guest *g, int cpuid, kdd_regs *r, int w64);
489 extern int kdd_set_regs(kdd_guest *g, int cpuid, kdd_regs *r, int w64);
490 
491 /* Accessors for guest control registers, returning 0 for success */
492 extern int kdd_get_ctrl(kdd_guest *g, int cpuid, kdd_ctrl *ctrl, int w64);
493 extern int kdd_set_ctrl(kdd_guest *g, int cpuid, kdd_ctrl *ctrl, int w64);
494 
495 /* Accessors for guest MSRs, returning 0 for success */
496 extern int kdd_wrmsr(kdd_guest *g, int cpuid, uint32_t msr, uint64_t value);
497 extern int kdd_rdmsr(kdd_guest *g, int cpuid, uint32_t msr, uint64_t *value);
498 
499 
500 /*****************************************************************************
501  * Logfile usefulness
502  */
503 
504 /* Verbosity:
505  * 0: errors (default)
506  * 1: operations
507  * 2: packets
508  * 3: _everything_ */
509 
510 #define KDD_LOG_IF(_v, _s, _fmt, _a...) do {    \
511         if ((_s)->verbosity >= (_v)) {          \
512         fprintf((_s)->log, (_fmt), ##_a);       \
513         (void) fflush((_s)->log);               \
514     }                                           \
515 } while (0)
516 
517 #define KDD_LOG(_s, _fmt, _a...) KDD_LOG_IF(1, (_s), (_fmt), ##_a)
518 #define KDD_DEBUG(_s, _fmt, _a...) KDD_LOG_IF(3, (_s), (_fmt), ##_a)
519 
520 #endif /* _KDD_H_ */
521