From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 5/8] contrib/elf2dmp: add PE name check and Windows Server 2022 support
Date: Tue, 21 Mar 2023 13:20:33 +0000
Message-Id: <20230321132036.1836617-6-peter.maydell@linaro.org>
In-Reply-To: <20230321132036.1836617-1-peter.maydell@linaro.org>
References: <20230321132036.1836617-1-peter.maydell@linaro.org>

From: Viktor Prutyanov

Since its inception elf2dmp has checked MZ signatures within an address space above the IDT[0] interrupt vector and took the first PE image found as the Windows kernel. But in a Windows Server 2022 memory dump this address space range is full of invalid PE fragments, and the tool must check that the PE image is actually 'ntoskrnl.exe'. So, introduce additional validation by checking the image name from the Export Directory against 'ntoskrnl.exe'.

Signed-off-by: Viktor Prutyanov
Tested-by: Yuri Benditovich
Reviewed-by: Annie Li
Message-id: 20230222211246.883679-4-viktor@daynix.com
Signed-off-by: Peter Maydell
---
 contrib/elf2dmp/pe.h   | 15 +++++++++++++++
 contrib/elf2dmp/main.c | 28 ++++++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h
index 807d0063649..71126af1aca 100644
--- a/contrib/elf2dmp/pe.h
+++ b/contrib/elf2dmp/pe.h @@ -88,6 +88,20 @@ typedef struct IMAGE_NT_HEADERS64 { IMAGE_OPTIONAL_HEADER64 OptionalHeader; } __attribute__ ((packed)) IMAGE_NT_HEADERS64; +typedef struct IMAGE_EXPORT_DIRECTORY { + uint32_t Characteristics; + uint32_t TimeDateStamp; + uint16_t MajorVersion; + uint16_t MinorVersion; + uint32_t Name; + uint32_t Base; + uint32_t NumberOfFunctions; + uint32_t NumberOfNames; + uint32_t AddressOfFunctions; + uint32_t AddressOfNames; + uint32_t AddressOfNameOrdinals; +} __attribute__ ((packed)) IMAGE_EXPORT_DIRECTORY; + typedef struct IMAGE_DEBUG_DIRECTORY { uint32_t Characteristics; uint32_t TimeDateStamp; @@ -102,6 +116,7 @@ typedef struct IMAGE_DEBUG_DIRECTORY { #define IMAGE_DEBUG_TYPE_CODEVIEW 2 #endif +#define IMAGE_FILE_EXPORT_DIRECTORY 0 #define IMAGE_FILE_DEBUG_DIRECTORY 6 typedef struct guid_t { diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c index 2f6028d8eb3..89f0c69ab0f 100644 --- a/contrib/elf2dmp/main.c +++ b/contrib/elf2dmp/main.c @@ -17,6 +17,7 @@ #define SYM_URL_BASE "https://msdl.microsoft.com/download/symbols/" #define PDB_NAME "ntkrnlmp.pdb" +#define PE_NAME "ntoskrnl.exe" #define INITIAL_MXCSR 0x1f80 @@ -405,6 +406,25 @@ static int write_dump(struct pa_space *ps, return fclose(dmp_file); } +static bool pe_check_export_name(uint64_t base, void *start_addr, + struct va_space *vs) +{ + IMAGE_EXPORT_DIRECTORY export_dir; + const char *pe_name; + + if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_EXPORT_DIRECTORY, + &export_dir, sizeof(export_dir), vs)) { + return false; + } + + pe_name = va_space_resolve(vs, base + export_dir.Name); + if (!pe_name) { + return false; + } + + return !strcmp(pe_name, PE_NAME); +} + static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr, char *hash, struct va_space *vs) { 
@@ -489,6 +509,7 @@ int main(int argc, char *argv[]) uint64_t KdDebuggerDataBlock; KDDEBUGGER_DATA64 *kdbg; uint64_t KdVersionBlock; + bool kernel_found = false; if (argc != 3) { eprintf("usage:\n\t%s elf_file dmp_file\n", argv[0]); @@ -536,11 +557,14 @@ int main(int argc, char *argv[]) } if (*(uint16_t *)nt_start_addr == 0x5a4d) { /* MZ */ - break; + if (pe_check_export_name(KernBase, nt_start_addr, &vs)) { + kernel_found = true; + break; + } } } - if (!nt_start_addr) { + if (!kernel_found) { eprintf("Failed to find NT kernel image\n"); err = 1; goto out_ps;
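Review bot: in the pe.h hunk adding IMAGE_EXPORT_DIRECTORY, a one-line comment stating that Name, AddressOfFunctions, AddressOfNames and AddressOfNameOrdinals are RVAs relative to the image base would help readers, since the only consumer (pe_check_export_name in main.c) has to add `base +` before resolving export_dir.Name; the field layout itself (40 bytes, packed like the neighbouring IMAGE_DEBUG_DIRECTORY) is what the size passed to pe_get_data_dir_entry relies on, so it is worth saying so next to the struct.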
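Review bot: in pe_check_export_name (main.c hunk at @@ -405), `return !strcmp(pe_name, PE_NAME);` compares against a string whose bytes come straight from the dump: va_space_resolve() gives back a pointer into the mapped image, and nothing checks that a NUL terminator exists inside the mapping before strcmp walks forward. On the invalid PE fragments this patch is written to skip, export_dir.Name may point at arbitrary data, so a bounded compare such as `return !strncmp(pe_name, PE_NAME, sizeof(PE_NAME));` (sizeof includes the terminator, so it still requires an exact match) keeps the read within a known number of bytes; an explicit range check against the resolved region would be stronger still.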
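Review bot: in the main.c hunk at @@ -536, pe_check_export_name() is called with KernBase while the loop iterates on nt_start_addr; the hunk's context does not show KernBase being advanced in the same step, so please confirm the two stay in sync for each MZ candidate, otherwise `base + export_dir.Name` resolves the export name of one image against the base of another and the check silently fails. Replacing `if (!nt_start_addr)` with `if (!kernel_found)` is the right fix for the post-loop test, since nt_start_addr is non-NULL whenever the loop ran at all.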
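To make the export-directory name check from the commit message concrete, here is an added stand-alone example (not elf2dmp's code) that walks a flat PE32+ image to IMAGE_EXPORT_DIRECTORY.Name and compares it to the wanted module name with every RVA bounds-checked; `sample_exports` builds a constructed sample image so the check can be run offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* PE32+ offsets needed to reach IMAGE_EXPORT_DIRECTORY.Name (RVA == offset in a flat image). */
enum { E_LFANEW = 0x3c, OPT_HDR = 24, DATADIR = 112, EXPORT_DIR_SZ = 40, NAME_FIELD = 12 };

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = v >> (8 * i);
}

/*
 * Does the image in buf export the module name `want`?  Every RVA taken from the
 * image is checked against len, and the name must be NUL-terminated inside the
 * buffer, so a truncated or malformed image never makes us read past it.
 */
bool pe_exports_name(const uint8_t *buf, size_t len, const char *want)
{
    if (len < E_LFANEW + 4 || buf[0] != 'M' || buf[1] != 'Z') return false;
    uint32_t nt = rd32(buf + E_LFANEW);                       /* e_lfanew */
    if (nt > len - 4 || memcmp(buf + nt, "PE\0\0", 4) != 0) return false;
    uint32_t dd = nt + OPT_HDR + DATADIR;                     /* DataDirectory[0] */
    if (dd > len - 8) return false;
    uint32_t edir = rd32(buf + dd), edir_size = rd32(buf + dd + 4);
    if (edir_size < EXPORT_DIR_SZ || edir > len - EXPORT_DIR_SZ) return false;
    uint32_t name = rd32(buf + edir + NAME_FIELD);            /* RVA of the name */
    if (name >= len || !memchr(buf + name, 0, len - name)) return false;
    return strcmp((const char *)buf + name, want) == 0;
}

/* Constructed 768-byte sample image whose export directory names `name`. */
bool sample_exports(const char *name, const char *want)
{
    uint8_t img[0x300] = { 'M', 'Z' };
    const uint32_t nt = 0x80, edir = 0x200;
    wr32(img + E_LFANEW, nt);
    memcpy(img + nt, "PE\0\0", 4);
    wr32(img + nt + OPT_HDR + DATADIR, edir);                 /* export dir RVA */
    wr32(img + nt + OPT_HDR + DATADIR + 4, EXPORT_DIR_SZ + 16); /* and its size */
    wr32(img + edir + NAME_FIELD, edir + EXPORT_DIR_SZ);      /* Name RVA */
    strcpy((char *)img + edir + EXPORT_DIR_SZ, name);
    return pe_exports_name(img, sizeof img, want);
}
```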