1 /* 2 * kdd.h -- Structures, constants and descriptions of the Windows 3 * kd serial debugger protocol, for the kdd debugging stub. 4 * 5 * Tim Deegan <Tim.Deegan@citrix.com> 6 * 7 * Copyright (c) 2007-2010, Citrix Systems Inc. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 25 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 * POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #ifndef _KDD_H_ 36 #define _KDD_H_ 37 38 #include <stdint.h> 39 40 #define PACKED __attribute__((packed)) 41 42 /***************************************************************************** 43 * Serial line protocol: Sender sends a 16-byte header with an optional 44 * payload following it. Receiver responds to each packet with an 45 * acknowledgment (16-byte header only). 46 * 47 * Packet headers start with ASCII "0000" and there is a trailing byte 48 * 0xAA after the (optional) payload. Ack headers start with ASCII 49 * "iiii"; no trailing byte). Each packet and ack has a major type in 50 * the packet header; for packets with payload, a minor type is encoded 51 * in ASCII in the first four bytes of the payload. 52 * 53 * Packet IDs seem to start at 0x80800000 and alternate between that and 54 * 0x80800001; not clear whether the client's ID is always the ID of the 55 * last packet from the kernel or whether they're just oscillating in 56 * phase. Either way there's clearly some state machine in the kernel 57 * that requires this exact behaviour from the client. 58 * 59 * All acks have length 0, id = id of the packet they ack. 60 */ 61 62 #define KDD_DIR_PKT 0x30303030 /* "0000" */ 63 #define KDD_DIR_ACK 0x69696969 /* "iiii" */ 64 65 typedef struct { 66 uint32_t dir; /* KDD_DIR_PKT or KDD_DIR_ACK */ 67 uint16_t type; /* Major type. */ 68 uint16_t len; /* Payload length, excl. header and trailing byte */ 69 uint32_t id; /* Echoed in responses */ 70 uint32_t sum; /* Unsigned sum of all payload bytes */ 71 uint8_t payload[0]; 72 } PACKED kdd_hdr; 73 74 #define KDD_PKT_CMD 0x0002 /* Debugger commands (and replies to them) */ 75 #define KDD_PKT_MSG 0x0003 /* Kernel messages for the user */ 76 #define KDD_PKT_STC 0x0007 /* State change notification */ 77 #define KDD_PKT_REG 0x000b /* Registry change notification (?) */ 78 #define KDD_PKT_MAX 0x000b 79 80 #define KDD_ACK_OK 0x0004 /* Checksum, ID and type all fine */ 81 #define KDD_ACK_BAD 0x0005 /* Something is bogus */ 82 #define KDD_ACK_RST 0x0006 /* Not really an ack; one each way to resync */ 83 84 85 /***************************************************************************** 86 * Debugger commands, carried over the serial line. In this protocol, 87 * we ignore the serial-level acking; when we talk about a response, 88 * it's another packet, sent after the request was acked, and which will 89 * itself be acked. 90 * 91 * The debugger client sends commands to the kernel, all of which have 92 * major type 2 and are 56 bytes long (not including the serial header). 93 * Not all the 56 bytes are used in every command, but the client 94 * doesn't bother to zero unused fields. Most commands are responded to 95 * by a packet with the same subtype, containing at least a status code 96 * to indicate success or failure. 97 */ 98 99 #define KDD_STATUS_SUCCESS 0x00000000 100 #define KDD_STATUS_FAILURE 0xc0000001 101 #define KDD_STATUS_PENDING 0x00000103 102 103 /* Memory access. Read commands are echoed in the response with the 104 * status and length_rsp fields updated, and the read data appended to the 105 * packet. Writes are the same, but with the data appended to the 106 * write command, not the response. */ 107 108 #define KDD_CMD_READ_VA 0x00003130 /* "01" */ 109 #define KDD_CMD_WRITE_VA 0x00003131 /* "11" */ 110 #define KDD_CMD_READ_CTRL 0x00003137 /* "71" */ 111 #define KDD_CMD_WRITE_CTRL 0x00003138 /* "81" */ 112 #define KDD_CMD_READ_PA 0x0000313D /* "=1" */ 113 #define KDD_CMD_WRITE_PA 0x0000313E /* ">1" */ 114 115 /* Not sure what this is, but it doesn't require a response */ 116 #define KDD_CMD_WRITE_Z 0x0000315A /* "Z1" */ 117 118 typedef struct { 119 uint32_t u1; 120 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 121 uint32_t u2; 122 uint64_t addr; /* IN: address of start of read/write */ 123 uint32_t length_req; /* IN: bytes to read/write */ 124 uint32_t length_rsp; /* OUT: bytes successfully read/written */ 125 } PACKED kdd_cmd_mem; 126 127 /* CPU register access. As for memory accesses, but the data is a 128 * fixed-length block of register info. */ 129 130 #define KDD_CMD_READ_REGS 0x00003132 /* "21" */ 131 #define KDD_CMD_WRITE_REGS 0x00003133 /* "31" */ 132 133 typedef struct { 134 uint16_t u1; 135 uint16_t cpu; /* IN: Zero-based processor ID */ 136 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 137 } PACKED kdd_cmd_regs; 138 139 #define KDD_CMD_READ_MSR 0x00003152 /* "R1" */ 140 #define KDD_CMD_WRITE_MSR 0x00003153 /* "S1" */ 141 142 typedef struct { 143 uint32_t u1; 144 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 145 uint32_t u2; 146 uint32_t msr; /* IN/OUT: MSR number */ 147 uint64_t val; /* IN/OUT: MSR contents */ 148 } PACKED kdd_cmd_msr; 149 150 /* Breakpoint commands. */ 151 152 #define KDD_CMD_SOFT_BP 0x00003135 /* "51" */ 153 154 typedef struct { 155 uint32_t u1; 156 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 157 uint32_t u2; 158 uint32_t bp; /* IN: ID of breakpoint to operate on */ 159 } PACKED kdd_cmd_soft_bp; 160 161 #define KDD_CMD_HARD_BP 0x0000315C /* "\1" */ 162 163 typedef struct { 164 uint32_t u1; 165 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 166 uint32_t u2; 167 uint64_t address; /* IN: Address to trap on */ 168 uint64_t u3; 169 uint64_t u4; 170 uint64_t u5; 171 uint64_t u6; 172 } PACKED kdd_cmd_hard_bp; 173 174 /* Flow control commands. These commands are _not_ responded to. */ 175 176 #define KDD_CMD_CONT1 0x00003136 /* "61" */ 177 #define KDD_CMD_CONT2 0x0000313c /* "<1" */ 178 179 #define KDD_DBG_EXCEPTION_HANDLED 0x00010001 180 #define KDD_DBG_CONTINUE 0x00010002 181 182 typedef struct { 183 uint32_t u1; 184 uint32_t reason1; /* IN: KDD_DBG_* */ 185 uint32_t u2; 186 uint64_t reason2; /* IN: always same as reason1 */ 187 } PACKED kdd_cmd_cont; 188 189 /* Handshake command. */ 190 191 #define KDD_CMD_SHAKE 0x00003146 /* "F1" */ 192 193 #define KDD_MACH_x32 0x014c 194 #define KDD_MACH_x64 0x8664 195 196 #define KDD_FLAGS_MP 0x0001 197 #define KDD_FLAGS_64 0x0008 198 199 typedef struct { 200 uint32_t u1; 201 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 202 uint32_t u2; 203 uint16_t v_major; /* OUT: OS major version (0xf for NT) */ 204 uint16_t v_minor; /* OUT: OS minor version (NT build number) */ 205 uint16_t proto; /* OUT: Protocol version (6) */ 206 uint16_t flags; /* OUT: Some flags (at least 0x3) */ 207 uint16_t machine; /* OUT: Machine type */ 208 uint8_t pkts; /* OUT: Number of packet types understood */ 209 uint8_t states; /* OUT: Number of state-change types used */ 210 uint8_t manips; /* OUT: number of "manipulation" types used */ 211 uint8_t u3[3]; 212 int64_t kern_addr; /* OUT: KernBase */ 213 int64_t mods_addr; /* OUT: PsLoadedModuleList */ 214 int64_t data_addr; /* OUT: DebuggerDataList */ 215 } PACKED kdd_cmd_shake; 216 217 /* Change active CPU. This command is _not_ responded to */ 218 219 #define KDD_CMD_SETCPU 0x00003150 /* "P1" */ 220 221 typedef struct { 222 uint16_t u1; 223 uint16_t cpu; /* IN: Zero-based processor ID */ 224 uint32_t status; /* IN: STATUS_PENDING */ 225 } PACKED kdd_cmd_setcpu; 226 227 typedef struct { 228 uint32_t subtype; /* IN: KDD_CMD_x */ 229 union { 230 kdd_cmd_mem mem; 231 kdd_cmd_regs regs; 232 kdd_cmd_msr msr; 233 kdd_cmd_soft_bp sbp; 234 kdd_cmd_hard_bp hbp; 235 kdd_cmd_cont cont; 236 kdd_cmd_shake shake; 237 kdd_cmd_setcpu setcpu; 238 uint8_t pad[52]; 239 }; 240 uint8_t data[0]; 241 } PACKED kdd_cmd; 242 243 244 /***************************************************************************** 245 * Kernel messages to the debugger. The debugger does not respond to these 246 * beyond ACKing them and printing approprate things on the debugger 247 * console. 248 */ 249 250 /* Messages for the console */ 251 252 #define KDD_MSG_PRINT 0x00003230 /* "02" */ 253 254 typedef struct { 255 uint32_t subtype; /* KDD_MSG_PRINT */ 256 uint32_t u1; 257 uint32_t length; /* Length in bytes of trailing string */ 258 uint32_t u2; 259 uint8_t string[0]; /* Non-terminated character string */ 260 } PACKED kdd_msg; 261 262 /* Registry updates (Hive loads?) */ 263 264 #define KDD_REG_CHANGE 0x00003430 /* "04" */ 265 266 typedef struct { 267 uint32_t subtype; /* KDD_REG_CHANGE */ 268 uint32_t u1[15]; 269 uint16_t string[0]; /* Null-terminated wchar string */ 270 } PACKED kdd_reg; 271 272 /* State changes. After sending a state-change message the kernel halts 273 * until it receives a continue command from the debugger. */ 274 275 #define KDD_STC_STOP 0x00003030 /* "00" : Bug-check */ 276 #define KDD_STC_LOAD 0x00003031 /* "01" : Loaded a module */ 277 278 #define KDD_STC_STATUS_BREAKPOINT 0x80000003 279 280 typedef struct { 281 uint16_t u1; 282 uint16_t cpu; /* Zero-based processor ID */ 283 uint32_t ncpus; /* Number of processors */ 284 uint32_t u2; 285 int64_t kthread; /* Kernel thread structure */ 286 int64_t rip1; /* Instruction pointer, sign-extended */ 287 uint64_t status; /* KDD_STC_STATUS_x */ 288 uint64_t u3; 289 int64_t rip2; /* Same as rip1 */ 290 uint64_t nparams; /* Number of stopcode parameters */ 291 uint64_t params[15]; /* Stopcode parameters */ 292 uint64_t first_chance; /* OS exn handlers not yet been run? */ 293 uint32_t u4[2]; 294 uint32_t ilen; /* Number of bytes of instruction following */ 295 uint8_t inst[36]; /* VA contents from %eip onwards */ 296 } PACKED kdd_stc_stop; 297 298 typedef struct { 299 uint32_t u1[3]; 300 uint64_t u2; 301 uint64_t rip; /* Instruction pointer, sign-extended */ 302 uint64_t u3[26]; 303 uint8_t path[0]; /* Null-terminated ASCII path to loaded mod. */ 304 } PACKED kdd_stc_load; 305 306 typedef struct { 307 uint32_t subtype; /* KDD_STC_x */ 308 union { 309 kdd_stc_stop stop; 310 kdd_stc_load load; 311 }; 312 } PACKED kdd_stc; 313 314 315 /***************************************************************************** 316 * Overall packet type 317 */ 318 319 typedef struct { 320 kdd_hdr h; /* Major type disambiguates union below */ 321 union { 322 kdd_cmd cmd; 323 kdd_msg msg; 324 kdd_reg reg; 325 kdd_stc stc; 326 uint8_t payload[0]; 327 }; 328 } PACKED kdd_pkt; 329 330 331 /***************************************************************************** 332 * Processor state layouts 333 */ 334 335 /* User-visible register files */ 336 typedef union { 337 uint32_t pad[179]; 338 struct { 339 uint32_t u1[7]; /* Flags, DRx?? */ 340 uint8_t fp[112]; /* FP save state (why 112 not 108?) */ 341 int32_t gs; 342 int32_t fs; 343 int32_t es; 344 int32_t ds; 345 int32_t edi; 346 int32_t esi; 347 int32_t ebx; 348 int32_t edx; 349 int32_t ecx; 350 int32_t eax; 351 int32_t ebp; 352 int32_t eip; 353 int32_t cs; 354 int32_t eflags; 355 int32_t esp; 356 int32_t ss; 357 uint32_t sp2[37]; /* More 0x20202020. fp? */ 358 uint32_t sp3; /* 0x00202020 */ 359 }; 360 } PACKED kdd_regs_x86_32; 361 362 typedef union { 363 uint64_t pad[154]; 364 struct { 365 366 uint64_t u1[7]; 367 368 uint16_t cs; //2*1c 369 uint16_t ds; 370 uint16_t es; 371 uint16_t fs; 372 uint16_t gs; 373 uint16_t ss; 374 uint32_t rflags; 375 uint64_t dr0; 376 uint64_t dr1; 377 uint64_t dr2; 378 uint64_t dr3; 379 uint64_t dr6; 380 uint64_t dr7; 381 int64_t rax; 382 int64_t rcx; 383 int64_t rdx; 384 int64_t rbx; 385 int64_t rsp; 386 int64_t rbp; 387 int64_t rsi; 388 int64_t rdi; 389 int64_t r8; 390 int64_t r9; 391 int64_t r10; 392 int64_t r11; 393 int64_t r12; 394 int64_t r13; 395 int64_t r14; 396 int64_t r15; 397 int64_t rip; //2*7c 398 399 uint64_t u2[32]; 400 401 uint8_t fp[512]; // fp @2*100 .. 150 (+ more??) 402 403 uint64_t u3[26]; 404 }; 405 } PACKED kdd_regs_x86_64; 406 407 typedef union { 408 kdd_regs_x86_32 r32; 409 kdd_regs_x86_64 r64; 410 } PACKED kdd_regs; 411 412 /* System registers */ 413 typedef struct { 414 uint32_t cr0; 415 uint32_t cr2; 416 uint32_t cr3; 417 uint32_t cr4; 418 uint32_t dr0; 419 uint32_t dr1; 420 uint32_t dr2; 421 uint32_t dr3; 422 uint32_t dr6; 423 uint32_t dr7; 424 uint16_t gdt_pad; 425 uint16_t gdt_limit; 426 uint32_t gdt_base; 427 uint16_t idt_pad; 428 uint16_t idt_limit; 429 uint32_t idt_base; 430 uint16_t tss_sel; 431 uint16_t ldt_sel; 432 uint8_t u1[24]; 433 } PACKED kdd_ctrl_x86_32; 434 435 typedef struct { 436 uint64_t cr0; 437 uint64_t cr2; 438 uint64_t cr3; 439 uint64_t cr4; 440 uint64_t dr0; 441 uint64_t dr1; 442 uint64_t dr2; 443 uint64_t dr3; 444 uint64_t dr6; 445 uint64_t dr7; 446 uint8_t gdt_pad[6]; 447 uint16_t gdt_limit; 448 uint64_t gdt_base; 449 uint8_t idt_pad[6]; 450 uint16_t idt_limit; 451 uint64_t idt_base; 452 uint16_t tss_sel; 453 uint16_t ldt_sel; 454 uint8_t u1[44]; 455 uint64_t cr8; 456 uint8_t u2[40]; 457 uint64_t efer; // XXX find out where EFER actually goes 458 } PACKED kdd_ctrl_x86_64; 459 460 typedef union { 461 kdd_ctrl_x86_32 c32; 462 kdd_ctrl_x86_64 c64; 463 } kdd_ctrl; 464 465 /***************************************************************************** 466 * Functions required from the emulator/hypervisor for the stub to work. 467 */ 468 469 typedef struct kdd_guest kdd_guest; 470 471 /* Init and teardown guest-specific state */ 472 extern kdd_guest *kdd_guest_init(char *arg, FILE *log, int verbosity); 473 extern void kdd_guest_teardown(kdd_guest *g); 474 extern char *kdd_guest_identify(kdd_guest *g); 475 476 /* Halt and restart the running guest */ 477 extern void kdd_halt(kdd_guest *g); 478 extern void kdd_run(kdd_guest *g); 479 480 /* How many CPUs are there? */ 481 extern int kdd_count_cpus(kdd_guest *g); 482 483 /* Accessor for guest physical memory, returning bytes read/written */ 484 extern uint32_t kdd_access_physical(kdd_guest *g, uint64_t addr, 485 uint32_t len, uint8_t *buf, int write); 486 487 /* Accessors for guest registers, returning 0 for success */ 488 extern int kdd_get_regs(kdd_guest *g, int cpuid, kdd_regs *r, int w64); 489 extern int kdd_set_regs(kdd_guest *g, int cpuid, kdd_regs *r, int w64); 490 491 /* Accessors for guest control registers, returning 0 for success */ 492 extern int kdd_get_ctrl(kdd_guest *g, int cpuid, kdd_ctrl *ctrl, int w64); 493 extern int kdd_set_ctrl(kdd_guest *g, int cpuid, kdd_ctrl *ctrl, int w64); 494 495 /* Accessors for guest MSRs, returning 0 for success */ 496 extern int kdd_wrmsr(kdd_guest *g, int cpuid, uint32_t msr, uint64_t value); 497 extern int kdd_rdmsr(kdd_guest *g, int cpuid, uint32_t msr, uint64_t *value); 498 499 500 /***************************************************************************** 501 * Logfile usefulness 502 */ 503 504 /* Verbosity: 505 * 0: errors (default) 506 * 1: operations 507 * 2: packets 508 * 3: _everything_ */ 509 510 #define KDD_LOG_IF(_v, _s, _fmt, _a...) do { \ 511 if ((_s)->verbosity >= (_v)) { \ 512 fprintf((_s)->log, (_fmt), ##_a); \ 513 (void) fflush((_s)->log); \ 514 } \ 515 } while (0) 516 517 #define KDD_LOG(_s, _fmt, _a...) KDD_LOG_IF(1, (_s), (_fmt), ##_a) 518 #define KDD_DEBUG(_s, _fmt, _a...) KDD_LOG_IF(3, (_s), (_fmt), ##_a) 519 520 #endif /* _KDD_H_ */ 521