2 * The PCI Library -- PCI config space access using Kernel Local Debugging Driver
4 * Copyright (c) 2022 Pali Rohár <pali@kernel.org>
6 * Can be freely distributed and used under the terms of the GNU GPL v2+.
8 * SPDX-License-Identifier: GPL-2.0-or-later
14 #include <stdio.h> /* for sprintf() */
15 #include <string.h> /* for memset() and memcpy() */
18 #include "i386-io-windows.h"
19 #include "win32-helpers.h"
21 #ifndef ERROR_NOT_FOUND
22 #define ERROR_NOT_FOUND 1168
25 #ifndef LOAD_LIBRARY_AS_IMAGE_RESOURCE
26 #define LOAD_LIBRARY_AS_IMAGE_RESOURCE 0x20
28 #ifndef LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
29 #define LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE 0x40
33 #define IOCTL_KLDBG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1, METHOD_NEITHER, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
37 #define BUS_DATA_TYPE LONG
39 #ifndef PCIConfiguration
40 #define PCIConfiguration (BUS_DATA_TYPE)4
43 #ifndef SYSDBG_COMMAND
44 #define SYSDBG_COMMAND ULONG
46 #ifndef SysDbgReadBusData
47 #define SysDbgReadBusData (SYSDBG_COMMAND)18
49 #ifndef SysDbgWriteBusData
50 #define SysDbgWriteBusData (SYSDBG_COMMAND)19
53 #ifndef SYSDBG_BUS_DATA
54 typedef struct _SYSDBG_BUS_DATA {
58 BUS_DATA_TYPE BusDataType;
61 } SYSDBG_BUS_DATA, *PSYSDBG_BUS_DATA;
62 #define SYSDBG_BUS_DATA SYSDBG_BUS_DATA
65 #ifndef PCI_SEGMENT_BUS_NUMBER
66 typedef struct _PCI_SEGMENT_BUS_NUMBER {
70 ULONG SegmentNumber:16;
75 } PCI_SEGMENT_BUS_NUMBER, *PPCI_SEGMENT_BUS_NUMBER;
76 #define PCI_SEGMENT_BUS_NUMBER PCI_SEGMENT_BUS_NUMBER
79 #ifndef PCI_SLOT_NUMBER
80 typedef struct _PCI_SLOT_NUMBER {
84 ULONG FunctionNumber:3;
89 } PCI_SLOT_NUMBER, *PPCI_SLOT_NUMBER;
90 #define PCI_SLOT_NUMBER PCI_SLOT_NUMBER
94 typedef struct _KLDBG {
95 SYSDBG_COMMAND Command;
102 static BOOL debug_privilege_enabled;
103 static LUID luid_debug_privilege;
104 static BOOL revert_only_privilege;
105 static HANDLE revert_token;
107 static HANDLE kldbg_dev = INVALID_HANDLE_VALUE;
110 win32_kldbg_pci_bus_data(BOOL WriteBusData, USHORT SegmentNumber, BYTE BusNumber, BYTE DeviceNumber, BYTE FunctionNumber, USHORT Address, PVOID Buffer, ULONG BufferSize, LPDWORD Length);
113 win32_get_current_process_machine(void)
115 IMAGE_DOS_HEADER *dos_header;
116 IMAGE_NT_HEADERS *nt_header;
118 dos_header = (IMAGE_DOS_HEADER *)GetModuleHandle(NULL);
119 if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)
120 return IMAGE_FILE_MACHINE_UNKNOWN;
122 nt_header = (IMAGE_NT_HEADERS *)((BYTE *)dos_header + dos_header->e_lfanew);
123 if (nt_header->Signature != IMAGE_NT_SIGNATURE)
124 return IMAGE_FILE_MACHINE_UNKNOWN;
126 return nt_header->FileHeader.Machine;
130 win32_check_driver(BYTE *driver_data)
132 IMAGE_DOS_HEADER *dos_header;
133 IMAGE_NT_HEADERS *nt_headers;
134 WORD current_machine;
136 current_machine = win32_get_current_process_machine();
137 if (current_machine == IMAGE_FILE_MACHINE_UNKNOWN)
140 dos_header = (IMAGE_DOS_HEADER *)driver_data;
141 if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)
144 nt_headers = (IMAGE_NT_HEADERS *)((BYTE *)dos_header + dos_header->e_lfanew);
145 if (nt_headers->Signature != IMAGE_NT_SIGNATURE)
148 if (nt_headers->FileHeader.Machine != current_machine)
151 if (!(nt_headers->FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE))
155 if (!(nt_headers->FileHeader.Characteristics & IMAGE_FILE_32BIT_MACHINE))
159 /* IMAGE_NT_OPTIONAL_HDR_MAGIC is alias for the header magic used on the target compiler architecture. */
160 if (nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
163 if (nt_headers->OptionalHeader.Subsystem != IMAGE_SUBSYSTEM_NATIVE)
170 win32_kldbg_unpack_driver(struct pci_access *a, LPTSTR driver_path)
172 BOOL use_kd_exe = FALSE;
173 HMODULE exe_with_driver = NULL;
174 HRSRC driver_resource_info = NULL;
175 HGLOBAL driver_resource = NULL;
176 BYTE *driver_data = NULL;
177 DWORD driver_size = 0;
178 HANDLE driver_handle = INVALID_HANDLE_VALUE;
183 /* Try to find and open windbg.exe or kd.exe file in PATH. */
184 exe_with_driver = LoadLibraryEx(TEXT("windbg.exe"), NULL, LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE | LOAD_LIBRARY_AS_IMAGE_RESOURCE);
185 if (!exe_with_driver)
188 exe_with_driver = LoadLibraryEx(TEXT("kd.exe"), NULL, LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE | LOAD_LIBRARY_AS_IMAGE_RESOURCE);
190 if (!exe_with_driver)
192 error = GetLastError();
193 if (error == ERROR_FILE_NOT_FOUND ||
194 error == ERROR_MOD_NOT_FOUND)
195 a->debug("Cannot find windbg.exe or kd.exe file in PATH");
197 a->debug("Cannot load %s file: %s.", use_kd_exe ? "kd.exe" : "windbg.exe", win32_strerror(error));
201 /* kldbgdrv.sys is embedded in windbg.exe/kd.exe as a resource with name id 0x7777 and type id 0x4444. */
202 driver_resource_info = FindResource(exe_with_driver, MAKEINTRESOURCE(0x7777), MAKEINTRESOURCE(0x4444));
203 if (!driver_resource_info)
205 a->debug("Cannot find kldbgdrv.sys resource in %s file: %s.", use_kd_exe ? "kd.exe" : "windbg.exe", win32_strerror(GetLastError()));
209 driver_resource = LoadResource(exe_with_driver, driver_resource_info);
210 if (!driver_resource)
212 a->debug("Cannot load kldbgdrv.sys resource from %s file: %s.", use_kd_exe ? "kd.exe" : "windbg.exe", win32_strerror(GetLastError()));
216 driver_size = SizeofResource(exe_with_driver, driver_resource_info);
219 a->debug("Cannot determinate size of kldbgdrv.sys resource from %s file: %s.", use_kd_exe ? "kd.exe" : "windbg.exe", win32_strerror(GetLastError()));
223 driver_data = LockResource(driver_resource);
226 a->debug("Cannot load kldbgdrv.sys resouce data from %s file: %s.", use_kd_exe ? "kd.exe" : "windbg.exe", win32_strerror(GetLastError()));
230 if (!win32_check_driver(driver_data))
232 a->debug("Cannot use kldbgdrv.sys driver from %s file: Driver is from different architecture.", use_kd_exe ? "kd.exe" : "windbg.exe");
236 driver_handle = CreateFile(driver_path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
237 if (driver_handle == INVALID_HANDLE_VALUE)
239 error = GetLastError();
240 if (error != ERROR_FILE_EXISTS)
242 a->debug("Cannot create kldbgdrv.sys driver file in system32 directory: %s.", win32_strerror(error));
245 /* If driver file in system32 directory already exists then treat it as successfull unpack. */
250 if (!WriteFile(driver_handle, driver_data, driver_size, &written, NULL) ||
251 written != driver_size)
253 a->debug("Cannot store kldbgdrv.sys driver file to system32 directory: %s.", win32_strerror(GetLastError()));
254 /* On error, delete file from system32 directory to allow another unpack attempt. */
255 CloseHandle(driver_handle);
256 driver_handle = INVALID_HANDLE_VALUE;
257 DeleteFile(driver_path);
261 a->debug("Driver kldbgdrv.sys was successfully unpacked from %s and stored in system32 directory...", use_kd_exe ? "kd.exe" : "windbg.exe");
265 if (driver_handle != INVALID_HANDLE_VALUE)
266 CloseHandle(driver_handle);
269 FreeResource(driver_resource);
272 FreeLibrary(exe_with_driver);
278 win32_kldbg_register_driver(struct pci_access *a, SC_HANDLE manager, SC_HANDLE *service)
282 HANDLE driver_handle;
285 * COM library dbgeng.dll unpacks kldbg driver to file "\\system32\\kldbgdrv.sys"
286 * and register this driver with service name kldbgdrv. Implement same behavior.
287 * GetSystemDirectory() returns path to "\\system32" directory on all Windows versions.
290 system32_len = GetSystemDirectory(NULL, 0); /* Returns number of TCHARs plus 1 for nul-term. */
292 system32_len = sizeof("C:\\Windows\\System32");
294 driver_path = pci_malloc(a, (system32_len + sizeof("\\kldbgdrv.sys")-1) * sizeof(TCHAR));
296 system32_len = GetSystemDirectory(driver_path, system32_len); /* Now it returns number of TCHARs without nul-term. */
299 system32_len = sizeof("C:\\Windows\\System32")-1;
300 memcpy(driver_path, TEXT("C:\\Windows\\System32"), system32_len);
303 /* GetSystemDirectory returns path without backslash unless the system directory is the root directory. */
304 if (driver_path[system32_len-1] != '\\')
305 driver_path[system32_len++] = '\\';
307 memcpy(driver_path + system32_len, TEXT("kldbgdrv.sys"), sizeof(TEXT("kldbgdrv.sys")));
309 driver_handle = CreateFile(driver_path, 0, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
310 if (driver_handle != INVALID_HANDLE_VALUE)
311 CloseHandle(driver_handle);
312 else if (GetLastError() == ERROR_FILE_NOT_FOUND)
314 a->debug("Driver kldbgdrv.sys is missing, trying to unpack it from windbg.exe or kd.exe...");
315 if (!win32_kldbg_unpack_driver(a, driver_path))
317 pci_mfree(driver_path);
322 *service = CreateService(manager, TEXT("kldbgdrv"), TEXT("kldbgdrv"), SERVICE_START, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_path, NULL, NULL, NULL, NULL, NULL);
325 if (GetLastError() != ERROR_SERVICE_EXISTS)
327 a->debug("Cannot create kldbgdrv service: %s.", win32_strerror(GetLastError()));
328 pci_mfree(driver_path);
332 *service = OpenService(manager, TEXT("kldbgdrv"), SERVICE_START);
335 a->debug("Cannot open kldbgdrv service: %s.", win32_strerror(GetLastError()));
336 pci_mfree(driver_path);
341 a->debug("Service kldbgdrv was successfully registered...");
342 pci_mfree(driver_path);
347 win32_kldbg_start_driver(struct pci_access *a)
349 SC_HANDLE manager = NULL;
350 SC_HANDLE service = NULL;
354 manager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
356 manager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
359 a->debug("Cannot open Service Manager: %s.", win32_strerror(GetLastError()));
363 service = OpenService(manager, TEXT("kldbgdrv"), SERVICE_START);
366 error = GetLastError();
367 if (error != ERROR_SERVICE_DOES_NOT_EXIST)
369 a->debug("Cannot open kldbgdrv service: %s.", win32_strerror(error));
373 a->debug("Kernel Local Debugging Driver (kldbgdrv.sys) is not registered, trying to register it...");
375 if (win32_is_32bit_on_64bit_system())
378 a->debug("Registering driver from 32-bit process on 64-bit system is not implemented yet.");
382 if (!win32_kldbg_register_driver(a, manager, &service))
386 if (!StartService(service, 0, NULL))
388 error = GetLastError();
389 if (error != ERROR_SERVICE_ALREADY_RUNNING)
391 a->debug("Cannot start kldbgdrv service: %s.", win32_strerror(error));
396 a->debug("Service kldbgdrv successfully started...");
401 CloseServiceHandle(service);
404 CloseServiceHandle(manager);
410 win32_kldbg_setup(struct pci_access *a)
412 OSVERSIONINFO version;
417 if (kldbg_dev != INVALID_HANDLE_VALUE)
420 /* Check for Windows Vista (NT 6.0). */
421 version.dwOSVersionInfoSize = sizeof(version);
422 if (!GetVersionEx(&version) ||
423 version.dwPlatformId != VER_PLATFORM_WIN32_NT ||
424 version.dwMajorVersion < 6)
426 a->debug("Accessing PCI config space via Kernel Local Debugging Driver requires Windows Vista or higher version.");
430 kldbg_dev = CreateFile(TEXT("\\\\.\\kldbgdrv"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
431 if (kldbg_dev == INVALID_HANDLE_VALUE)
433 error = GetLastError();
434 if (error != ERROR_FILE_NOT_FOUND)
436 a->debug("Cannot open \"\\\\.\\kldbgdrv\" device: %s.", win32_strerror(error));
440 a->debug("Kernel Local Debugging Driver (kldbgdrv.sys) is not running, trying to start it...");
442 if (!win32_kldbg_start_driver(a))
445 kldbg_dev = CreateFile(TEXT("\\\\.\\kldbgdrv"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
446 if (kldbg_dev == INVALID_HANDLE_VALUE)
448 error = GetLastError();
449 a->debug("Cannot open \"\\\\.\\kldbgdrv\" device: %s.", win32_strerror(error));
455 * Try to read PCI id register from PCI device 0000:00:00.0.
456 * If this device does not exist and kldbg API is working then
457 * kldbg returns success with read value 0xffffffff.
459 if (win32_kldbg_pci_bus_data(FALSE, 0, 0, 0, 0, 0, &id, sizeof(id), &ret_len) && ret_len == sizeof(id))
462 error = GetLastError();
464 a->debug("Cannot read PCI config space via Kernel Local Debugging Driver: %s.", win32_strerror(error));
466 if (error != ERROR_ACCESS_DENIED)
468 CloseHandle(kldbg_dev);
469 kldbg_dev = INVALID_HANDLE_VALUE;
473 a->debug("..Trying again with Debug privilege...");
475 if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid_debug_privilege))
477 a->debug("Debug privilege is not supported.");
478 CloseHandle(kldbg_dev);
479 kldbg_dev = INVALID_HANDLE_VALUE;
483 if (!enable_privilege(luid_debug_privilege, &revert_token, &revert_only_privilege))
485 a->debug("Process does not have right to enable Debug privilege.");
486 CloseHandle(kldbg_dev);
487 kldbg_dev = INVALID_HANDLE_VALUE;
491 if (win32_kldbg_pci_bus_data(FALSE, 0, 0, 0, 0, 0, &id, sizeof(id), &ret_len) && ret_len == sizeof(id))
493 a->debug("Succeeded.");
494 debug_privilege_enabled = TRUE;
498 error = GetLastError();
500 a->debug("Cannot read PCI config space via Kernel Local Debugging Driver: %s.", win32_strerror(error));
502 CloseHandle(kldbg_dev);
503 kldbg_dev = INVALID_HANDLE_VALUE;
505 revert_privilege(luid_debug_privilege, revert_token, revert_only_privilege);
507 revert_only_privilege = FALSE;
512 win32_kldbg_detect(struct pci_access *a)
514 if (!win32_kldbg_setup(a))
521 win32_kldbg_init(struct pci_access *a)
523 if (!win32_kldbg_setup(a))
526 a->error("PCI config space via Kernel Local Debugging Driver cannot be accessed.");
531 win32_kldbg_cleanup(struct pci_access *a UNUSED)
533 if (kldbg_dev == INVALID_HANDLE_VALUE)
536 CloseHandle(kldbg_dev);
537 kldbg_dev = INVALID_HANDLE_VALUE;
539 if (debug_privilege_enabled)
541 revert_privilege(luid_debug_privilege, revert_token, revert_only_privilege);
543 revert_only_privilege = FALSE;
544 debug_privilege_enabled = FALSE;
554 char oem_table_id[8];
556 char asl_compiler_id[4];
557 u32 asl_compiler_revision;
569 win32_kldbg_scan(struct pci_access *a)
572 * There is no kldbg API to retrieve list of PCI segments. WinDBG pci plugin
573 * kext.dll loads debug symbols from pci.pdb file for kernel module pci.sys.
574 * Then it reads kernel memory which belongs to PciSegmentList local variable
575 * which is the first entry of struct _PCI_SEGMENT linked list. And then it
576 * iterates all entries in linked list and reads SegmentNumber for each entry.
578 * This is extremly ugly hack and does not work on systems without installed
579 * kernel debug symbol files.
581 * Do something less ugly. Retrieve ACPI MCFG table via GetSystemFirmwareTable
582 * and parse all PCI segment numbers from it. ACPI MCFG table contains PCIe
583 * ECAM definitions, so all PCI segment numbers.
586 UINT (*WINAPI MyGetSystemFirmwareTable)(DWORD FirmwareTableProviderSignature, DWORD FirmwareTableID, PVOID pFirmwareTableBuffer, DWORD BufferSize);
587 int i, allocations_count;
588 struct acpi_mcfg *mcfg;
594 /* Always scan PCI segment 0. */
595 pci_generic_scan_domain(a, 0);
597 kernel32 = GetModuleHandle(TEXT("kernel32.dll"));
601 /* Function GetSystemFirmwareTable() is available since Windows Vista. */
602 MyGetSystemFirmwareTable = (void *)GetProcAddress(kernel32, "GetSystemFirmwareTable");
603 if (!MyGetSystemFirmwareTable)
606 /* 0x41435049 = 'ACPI', 0x4746434D = 'MCFG' */
607 size = MyGetSystemFirmwareTable(0x41435049, 0x4746434D, NULL, 0);
610 error = GetLastError();
611 if (error == ERROR_INVALID_FUNCTION) /* ACPI is not present, so only PCI segment 0 is available. */
613 else if (error == ERROR_NOT_FOUND) /* MCFG table is not present, so only PCI segment 0 is available. */
615 a->debug("Cannot retrieve ACPI MCFG table: %s.\n", win32_strerror(error));
619 mcfg = pci_malloc(a, size);
621 if (MyGetSystemFirmwareTable(0x41435049, 0x4746434D, mcfg, size) != size)
623 error = GetLastError();
624 a->debug("Cannot retrieve ACPI MCFG table: %s.\n", win32_strerror(error));
629 if (size < sizeof(*mcfg) || size < mcfg->length)
631 a->debug("ACPI MCFG table is broken.\n");
636 segments = pci_malloc(a, 0xFFFF/8);
637 memset(segments, 0, 0xFFFF/8);
639 /* Scan all MCFG allocations and set available PCI segments into bit field. */
640 allocations_count = (mcfg->length - ((unsigned char *)&mcfg->allocations - (unsigned char *)mcfg)) / sizeof(mcfg->allocations[0]);
641 for (i = 0; i < allocations_count; i++)
642 segments[mcfg->allocations[i].pci_segment / 8] |= 1 << (mcfg->allocations[i].pci_segment % 8);
644 /* Skip PCI segment 0 which was already scanned. */
645 for (i = 1; i < 0xFFFF; i++)
646 if (segments[i / 8] & (1 << (i % 8)))
647 pci_generic_scan_domain(a, i);
654 win32_kldbg_pci_bus_data(BOOL WriteBusData, USHORT SegmentNumber, BYTE BusNumber, BYTE DeviceNumber, BYTE FunctionNumber, USHORT Address, PVOID Buffer, ULONG BufferSize, LPDWORD Length)
657 SYSDBG_BUS_DATA sysdbg_cmd;
658 PCI_SLOT_NUMBER pci_slot;
659 PCI_SEGMENT_BUS_NUMBER pci_seg_bus;
661 memset(&pci_slot, 0, sizeof(pci_slot));
662 memset(&sysdbg_cmd, 0, sizeof(sysdbg_cmd));
663 memset(&pci_seg_bus, 0, sizeof(pci_seg_bus));
665 sysdbg_cmd.Address = Address;
666 sysdbg_cmd.Buffer = Buffer;
667 sysdbg_cmd.Request = BufferSize;
668 sysdbg_cmd.BusDataType = PCIConfiguration;
669 pci_seg_bus.u.bits.BusNumber = BusNumber;
670 pci_seg_bus.u.bits.SegmentNumber = SegmentNumber;
671 sysdbg_cmd.BusNumber = pci_seg_bus.u.AsULONG;
672 pci_slot.u.bits.DeviceNumber = DeviceNumber;
673 pci_slot.u.bits.FunctionNumber = FunctionNumber;
674 sysdbg_cmd.SlotNumber = pci_slot.u.AsULONG;
676 kldbg_cmd.Command = WriteBusData ? SysDbgWriteBusData : SysDbgReadBusData;
677 kldbg_cmd.Buffer = &sysdbg_cmd;
678 kldbg_cmd.BufferLength = sizeof(sysdbg_cmd);
681 return DeviceIoControl(kldbg_dev, IOCTL_KLDBG, &kldbg_cmd, sizeof(kldbg_cmd), &sysdbg_cmd, sizeof(sysdbg_cmd), Length, NULL);
685 win32_kldbg_read(struct pci_dev *d, int pos, byte *buf, int len)
689 if ((unsigned int)d->domain > 0xffff)
692 if (!win32_kldbg_pci_bus_data(FALSE, d->domain, d->bus, d->dev, d->func, pos, buf, len, &ret_len))
695 if (ret_len != (unsigned int)len)
702 win32_kldbg_write(struct pci_dev *d, int pos, byte *buf, int len)
706 if ((unsigned int)d->domain > 0xffff)
709 if (!win32_kldbg_pci_bus_data(TRUE, d->domain, d->bus, d->dev, d->func, pos, buf, len, &ret_len))
712 if (ret_len != (unsigned int)len)
718 struct pci_methods pm_win32_kldbg = {
720 "Win32 PCI config space access using Kernel Local Debugging Driver",
726 pci_generic_fill_info,
731 NULL /* cleanup_dev */