1 /* 2 * kdd.h -- Structures, constants and descriptions of the Windows 3 * kd serial debugger protocol, for the kdd debugging stub. 4 * 5 * Tim Deegan <Tim.Deegan@citrix.com> 6 * 7 * Copyright (c) 2007-2010, Citrix Systems Inc. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 25 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 * POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #ifndef _KDD_H_ 36 #define _KDD_H_ 37 38 #include <stdint.h> 39 40 #define PACKED __attribute__((packed)) 41 42 /***************************************************************************** 43 * Serial line protocol: Sender sends a 16-byte header with an optional 44 * payload following it. Receiver responds to each packet with an 45 * acknowledgment (16-byte header only). 46 * 47 * Packet headers start with ASCII "0000" and there is a trailing byte 48 * 0xAA after the (optional) payload. Ack headers start with ASCII 49 * "iiii"; no trailing byte). Each packet and ack has a major type in 50 * the packet header; for packets with payload, a minor type is encoded 51 * in ASCII in the first four bytes of the payload. 52 * 53 * Packet IDs seem to start at 0x80800000 and alternate between that and 54 * 0x80800001; not clear whether the client's ID is always the ID of the 55 * last packet from the kernel or whether they're just oscillating in 56 * phase. Either way there's clearly some state machine in the kernel 57 * that requires this exact behaviour from the client. 58 * 59 * All acks have length 0, id = id of the packet they ack. 60 */ 61 62 #define KDD_DIR_PKT 0x30303030 /* "0000" */ 63 #define KDD_DIR_ACK 0x69696969 /* "iiii" */ 64 65 typedef struct { 66 uint32_t dir; /* KDD_DIR_PKT or KDD_DIR_ACK */ 67 uint16_t type; /* Major type. */ 68 uint16_t len; /* Payload length, excl. header and trailing byte */ 69 uint32_t id; /* Echoed in responses */ 70 uint32_t sum; /* Unsigned sum of all payload bytes */ 71 } PACKED kdd_hdr; 72 73 #define KDD_PKT_CMD 0x0002 /* Debugger commands (and replies to them) */ 74 #define KDD_PKT_MSG 0x0003 /* Kernel messages for the user */ 75 #define KDD_PKT_STC 0x0007 /* State change notification */ 76 #define KDD_PKT_REG 0x000b /* Registry change notification (?) */ 77 #define KDD_PKT_MAX 0x000b 78 79 #define KDD_ACK_OK 0x0004 /* Checksum, ID and type all fine */ 80 #define KDD_ACK_BAD 0x0005 /* Something is bogus */ 81 #define KDD_ACK_RST 0x0006 /* Not really an ack; one each way to resync */ 82 83 84 /***************************************************************************** 85 * Debugger commands, carried over the serial line. In this protocol, 86 * we ignore the serial-level acking; when we talk about a response, 87 * it's another packet, sent after the request was acked, and which will 88 * itself be acked. 89 * 90 * The debugger client sends commands to the kernel, all of which have 91 * major type 2 and are 56 bytes long (not including the serial header). 92 * Not all the 56 bytes are used in every command, but the client 93 * doesn't bother to zero unused fields. Most commands are responded to 94 * by a packet with the same subtype, containing at least a status code 95 * to indicate success or failure. 96 */ 97 98 #define KDD_STATUS_SUCCESS 0x00000000 99 #define KDD_STATUS_FAILURE 0xc0000001 100 #define KDD_STATUS_PENDING 0x00000103 101 102 /* Memory access. Read commands are echoed in the response with the 103 * status and length_rsp fields updated, and the read data appended to the 104 * packet. Writes are the same, but with the data appended to the 105 * write command, not the response. */ 106 107 #define KDD_CMD_READ_VA 0x00003130 /* "01" */ 108 #define KDD_CMD_WRITE_VA 0x00003131 /* "11" */ 109 #define KDD_CMD_READ_CTRL 0x00003137 /* "71" */ 110 #define KDD_CMD_WRITE_CTRL 0x00003138 /* "81" */ 111 #define KDD_CMD_READ_PA 0x0000313D /* "=1" */ 112 #define KDD_CMD_WRITE_PA 0x0000313E /* ">1" */ 113 114 /* Not sure what this is, but it doesn't require a response */ 115 #define KDD_CMD_WRITE_Z 0x0000315A /* "Z1" */ 116 117 typedef struct { 118 uint32_t u1; 119 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 120 uint32_t u2; 121 uint64_t addr; /* IN: address of start of read/write */ 122 uint32_t length_req; /* IN: bytes to read/write */ 123 uint32_t length_rsp; /* OUT: bytes successfully read/written */ 124 } PACKED kdd_cmd_mem; 125 126 /* CPU register access. As for memory accesses, but the data is a 127 * fixed-length block of register info. */ 128 129 #define KDD_CMD_READ_REGS 0x00003132 /* "21" */ 130 #define KDD_CMD_WRITE_REGS 0x00003133 /* "31" */ 131 132 typedef struct { 133 uint16_t u1; 134 uint16_t cpu; /* IN: Zero-based processor ID */ 135 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 136 } PACKED kdd_cmd_regs; 137 138 #define KDD_CMD_READ_MSR 0x00003152 /* "R1" */ 139 #define KDD_CMD_WRITE_MSR 0x00003153 /* "S1" */ 140 141 typedef struct { 142 uint32_t u1; 143 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 144 uint32_t u2; 145 uint32_t msr; /* IN/OUT: MSR number */ 146 uint64_t val; /* IN/OUT: MSR contents */ 147 } PACKED kdd_cmd_msr; 148 149 /* Breakpoint commands. */ 150 151 #define KDD_CMD_SOFT_BP 0x00003135 /* "51" */ 152 153 typedef struct { 154 uint32_t u1; 155 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 156 uint32_t u2; 157 uint32_t bp; /* IN: ID of breakpoint to operate on */ 158 } PACKED kdd_cmd_soft_bp; 159 160 #define KDD_CMD_HARD_BP 0x0000315C /* "\1" */ 161 162 typedef struct { 163 uint32_t u1; 164 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 165 uint32_t u2; 166 uint64_t address; /* IN: Address to trap on */ 167 uint64_t u3; 168 uint64_t u4; 169 uint64_t u5; 170 uint64_t u6; 171 } PACKED kdd_cmd_hard_bp; 172 173 /* Flow control commands. These commands are _not_ responded to. */ 174 175 #define KDD_CMD_CONT1 0x00003136 /* "61" */ 176 #define KDD_CMD_CONT2 0x0000313c /* "<1" */ 177 178 #define KDD_DBG_EXCEPTION_HANDLED 0x00010001 179 #define KDD_DBG_CONTINUE 0x00010002 180 181 typedef struct { 182 uint32_t u1; 183 uint32_t reason1; /* IN: KDD_DBG_* */ 184 uint32_t u2; 185 uint64_t reason2; /* IN: always same as reason1 */ 186 } PACKED kdd_cmd_cont; 187 188 /* Handshake command. */ 189 190 #define KDD_CMD_SHAKE 0x00003146 /* "F1" */ 191 192 #define KDD_MACH_x32 0x014c 193 #define KDD_MACH_x64 0x8664 194 195 #define KDD_FLAGS_MP 0x0001 196 #define KDD_FLAGS_64 0x0008 197 198 typedef struct { 199 uint32_t u1; 200 uint32_t status; /* IN: STATUS_PENDING; OUT: result status. */ 201 uint32_t u2; 202 uint16_t v_major; /* OUT: OS major version (0xf for NT) */ 203 uint16_t v_minor; /* OUT: OS minor version (NT build number) */ 204 uint16_t proto; /* OUT: Protocol version (6) */ 205 uint16_t flags; /* OUT: Some flags (at least 0x3) */ 206 uint16_t machine; /* OUT: Machine type */ 207 uint8_t pkts; /* OUT: Number of packet types understood */ 208 uint8_t states; /* OUT: Number of state-change types used */ 209 uint8_t manips; /* OUT: number of "manipulation" types used */ 210 uint8_t u3[3]; 211 int64_t kern_addr; /* OUT: KernBase */ 212 int64_t mods_addr; /* OUT: PsLoadedModuleList */ 213 int64_t data_addr; /* OUT: DebuggerDataList */ 214 } PACKED kdd_cmd_shake; 215 216 /* Change active CPU. This command is _not_ responded to */ 217 218 #define KDD_CMD_SETCPU 0x00003150 /* "P1" */ 219 220 typedef struct { 221 uint16_t u1; 222 uint16_t cpu; /* IN: Zero-based processor ID */ 223 uint32_t status; /* IN: STATUS_PENDING */ 224 } PACKED kdd_cmd_setcpu; 225 226 typedef struct { 227 uint32_t subtype; /* IN: KDD_CMD_x */ 228 union { 229 kdd_cmd_mem mem; 230 kdd_cmd_regs regs; 231 kdd_cmd_msr msr; 232 kdd_cmd_soft_bp sbp; 233 kdd_cmd_hard_bp hbp; 234 kdd_cmd_cont cont; 235 kdd_cmd_shake shake; 236 kdd_cmd_setcpu setcpu; 237 uint8_t pad[52]; 238 }; 239 uint8_t data[0]; 240 } PACKED kdd_cmd; 241 242 243 /***************************************************************************** 244 * Kernel messages to the debugger. The debugger does not respond to these 245 * beyond ACKing them and printing approprate things on the debugger 246 * console. 247 */ 248 249 /* Messages for the console */ 250 251 #define KDD_MSG_PRINT 0x00003230 /* "02" */ 252 253 typedef struct { 254 uint32_t subtype; /* KDD_MSG_PRINT */ 255 uint32_t u1; 256 uint32_t length; /* Length in bytes of trailing string */ 257 uint32_t u2; 258 uint8_t string[0]; /* Non-terminated character string */ 259 } PACKED kdd_msg; 260 261 /* Registry updates (Hive loads?) */ 262 263 #define KDD_REG_CHANGE 0x00003430 /* "04" */ 264 265 typedef struct { 266 uint32_t subtype; /* KDD_REG_CHANGE */ 267 uint32_t u1[15]; 268 uint16_t string[0]; /* Null-terminated wchar string */ 269 } PACKED kdd_reg; 270 271 /* State changes. After sending a state-change message the kernel halts 272 * until it receives a continue command from the debugger. */ 273 274 #define KDD_STC_STOP 0x00003030 /* "00" : Bug-check */ 275 #define KDD_STC_LOAD 0x00003031 /* "01" : Loaded a module */ 276 277 #define KDD_STC_STATUS_BREAKPOINT 0x80000003 278 279 typedef struct { 280 uint16_t u1; 281 uint16_t cpu; /* Zero-based processor ID */ 282 uint32_t ncpus; /* Number of processors */ 283 uint32_t u2; 284 int64_t kthread; /* Kernel thread structure */ 285 int64_t rip1; /* Instruction pointer, sign-extended */ 286 uint64_t status; /* KDD_STC_STATUS_x */ 287 uint64_t u3; 288 int64_t rip2; /* Same as rip1 */ 289 uint64_t nparams; /* Number of stopcode parameters */ 290 uint64_t params[15]; /* Stopcode parameters */ 291 uint64_t first_chance; /* OS exn handlers not yet been run? */ 292 uint32_t u4[2]; 293 uint32_t ilen; /* Number of bytes of instruction following */ 294 uint8_t inst[36]; /* VA contents from %eip onwards */ 295 } PACKED kdd_stc_stop; 296 297 typedef struct { 298 uint32_t u1[3]; 299 uint64_t u2; 300 uint64_t rip; /* Instruction pointer, sign-extended */ 301 uint64_t u3[26]; 302 uint8_t path[0]; /* Null-terminated ASCII path to loaded mod. */ 303 } PACKED kdd_stc_load; 304 305 typedef struct { 306 uint32_t subtype; /* KDD_STC_x */ 307 union { 308 kdd_stc_stop stop; 309 kdd_stc_load load; 310 }; 311 } PACKED kdd_stc; 312 313 314 /***************************************************************************** 315 * Overall packet type 316 */ 317 318 typedef struct { 319 kdd_hdr h; /* Major type disambiguates union below */ 320 union { 321 kdd_cmd cmd; 322 kdd_msg msg; 323 kdd_reg reg; 324 kdd_stc stc; 325 uint8_t payload[65536]; 326 }; 327 } PACKED kdd_pkt; 328 329 330 /***************************************************************************** 331 * Processor state layouts 332 */ 333 334 /* User-visible register files */ 335 typedef union { 336 uint32_t pad[179]; 337 struct { 338 uint32_t u1[7]; /* Flags, DRx?? */ 339 uint8_t fp[112]; /* FP save state (why 112 not 108?) */ 340 int32_t gs; 341 int32_t fs; 342 int32_t es; 343 int32_t ds; 344 int32_t edi; 345 int32_t esi; 346 int32_t ebx; 347 int32_t edx; 348 int32_t ecx; 349 int32_t eax; 350 int32_t ebp; 351 int32_t eip; 352 int32_t cs; 353 int32_t eflags; 354 int32_t esp; 355 int32_t ss; 356 uint32_t sp2[37]; /* More 0x20202020. fp? */ 357 uint32_t sp3; /* 0x00202020 */ 358 }; 359 } PACKED kdd_regs_x86_32; 360 361 typedef union { 362 uint64_t pad[154]; 363 struct { 364 365 uint64_t u1[7]; 366 367 uint16_t cs; //2*1c 368 uint16_t ds; 369 uint16_t es; 370 uint16_t fs; 371 uint16_t gs; 372 uint16_t ss; 373 uint32_t rflags; 374 uint64_t dr0; 375 uint64_t dr1; 376 uint64_t dr2; 377 uint64_t dr3; 378 uint64_t dr6; 379 uint64_t dr7; 380 int64_t rax; 381 int64_t rcx; 382 int64_t rdx; 383 int64_t rbx; 384 int64_t rsp; 385 int64_t rbp; 386 int64_t rsi; 387 int64_t rdi; 388 int64_t r8; 389 int64_t r9; 390 int64_t r10; 391 int64_t r11; 392 int64_t r12; 393 int64_t r13; 394 int64_t r14; 395 int64_t r15; 396 int64_t rip; //2*7c 397 398 uint64_t u2[32]; 399 400 uint8_t fp[512]; // fp @2*100 .. 150 (+ more??) 401 402 uint64_t u3[26]; 403 }; 404 } PACKED kdd_regs_x86_64; 405 406 typedef union { 407 kdd_regs_x86_32 r32; 408 kdd_regs_x86_64 r64; 409 } PACKED kdd_regs; 410 411 /* System registers */ 412 typedef struct { 413 uint32_t cr0; 414 uint32_t cr2; 415 uint32_t cr3; 416 uint32_t cr4; 417 uint32_t dr0; 418 uint32_t dr1; 419 uint32_t dr2; 420 uint32_t dr3; 421 uint32_t dr6; 422 uint32_t dr7; 423 uint16_t gdt_pad; 424 uint16_t gdt_limit; 425 uint32_t gdt_base; 426 uint16_t idt_pad; 427 uint16_t idt_limit; 428 uint32_t idt_base; 429 uint16_t tss_sel; 430 uint16_t ldt_sel; 431 uint8_t u1[24]; 432 } PACKED kdd_ctrl_x86_32; 433 434 typedef struct { 435 uint64_t cr0; 436 uint64_t cr2; 437 uint64_t cr3; 438 uint64_t cr4; 439 uint64_t dr0; 440 uint64_t dr1; 441 uint64_t dr2; 442 uint64_t dr3; 443 uint64_t dr6; 444 uint64_t dr7; 445 uint8_t gdt_pad[6]; 446 uint16_t gdt_limit; 447 uint64_t gdt_base; 448 uint8_t idt_pad[6]; 449 uint16_t idt_limit; 450 uint64_t idt_base; 451 uint16_t tss_sel; 452 uint16_t ldt_sel; 453 uint8_t u1[44]; 454 uint64_t cr8; 455 uint8_t u2[40]; 456 uint64_t efer; // XXX find out where EFER actually goes 457 } PACKED kdd_ctrl_x86_64; 458 459 typedef union { 460 kdd_ctrl_x86_32 c32; 461 kdd_ctrl_x86_64 c64; 462 } kdd_ctrl; 463 464 /***************************************************************************** 465 * Functions required from the emulator/hypervisor for the stub to work. 466 */ 467 468 typedef struct kdd_guest kdd_guest; 469 470 /* Init and teardown guest-specific state */ 471 extern kdd_guest *kdd_guest_init(char *arg, FILE *log, int verbosity); 472 extern void kdd_guest_teardown(kdd_guest *g); 473 extern char *kdd_guest_identify(kdd_guest *g); 474 475 /* Halt and restart the running guest */ 476 extern void kdd_halt(kdd_guest *g); 477 extern void kdd_run(kdd_guest *g); 478 479 /* How many CPUs are there? */ 480 extern int kdd_count_cpus(kdd_guest *g); 481 482 /* Accessor for guest physical memory, returning bytes read/written */ 483 extern uint32_t kdd_access_physical(kdd_guest *g, uint64_t addr, 484 uint32_t len, uint8_t *buf, int write); 485 486 /* Accessors for guest registers, returning 0 for success */ 487 extern int kdd_get_regs(kdd_guest *g, int cpuid, kdd_regs *r, int w64); 488 extern int kdd_set_regs(kdd_guest *g, int cpuid, kdd_regs *r, int w64); 489 490 /* Accessors for guest control registers, returning 0 for success */ 491 extern int kdd_get_ctrl(kdd_guest *g, int cpuid, kdd_ctrl *ctrl, int w64); 492 extern int kdd_set_ctrl(kdd_guest *g, int cpuid, kdd_ctrl *ctrl, int w64); 493 494 /* Accessors for guest MSRs, returning 0 for success */ 495 extern int kdd_wrmsr(kdd_guest *g, int cpuid, uint32_t msr, uint64_t value); 496 extern int kdd_rdmsr(kdd_guest *g, int cpuid, uint32_t msr, uint64_t *value); 497 498 499 /***************************************************************************** 500 * Logfile usefulness 501 */ 502 503 /* Verbosity: 504 * 0: errors (default) 505 * 1: operations 506 * 2: packets 507 * 3: _everything_ */ 508 509 #define KDD_LOG_IF(_v, _s, _fmt, _a...) do { \ 510 if ((_s)->verbosity >= (_v)) { \ 511 fprintf((_s)->log, (_fmt), ##_a); \ 512 (void) fflush((_s)->log); \ 513 } \ 514 } while (0) 515 516 #define KDD_LOG(_s, _fmt, _a...) KDD_LOG_IF(1, (_s), (_fmt), ##_a) 517 #define KDD_DEBUG(_s, _fmt, _a...) KDD_LOG_IF(3, (_s), (_fmt), ##_a) 518 519 #endif /* _KDD_H_ */ 520