1. fix hook: paging_init with pac 2. fix hook: modify pgtable with PTE_CONT 3. fix kptools: base_cand num error and workflow 4. fix some struct offset resolver

Signed-off-by: Admirepowered <[email protected]>
Co-authored-by: NepXIN <[email protected]>

Author: Admirepowered

.github/workflows/build.yml

@@ -219,6 +219,66 @@ jobs:
           allowUpdates: true
           replacesArtifacts: true
 
+  Build-kptools-windows-msys2:
+    runs-on: windows-2022
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Generate version
+        shell: pwsh
+        run: |
+          $MAJOR = (Select-String -Path version -Pattern '#define MAJOR').Line.Split(' ')[2]
+          $MINOR = (Select-String -Path version -Pattern '#define MINOR').Line.Split(' ')[2]
+          $PATCH = (Select-String -Path version -Pattern '#define PATCH').Line.Split(' ')[2]
+          $VERSION = "$MAJOR.$MINOR.$PATCH"
+          Write-Output "Generated Version: $VERSION"
+          "VERSION=$VERSION" | Out-File -FilePath $env:GITHUB_ENV -Append
+          Add-Content -Path $env:GITHUB_OUTPUT -Value "VERSION=$VERSION"
+      - uses: msys2/setup-msys2@v2
+        with:
+          update: true
+          msystem: ucrt64
+          path-type: inherit
+          install: >-
+            msys/make
+            msys/gcc
+            msys/zlib-devel
+      - name: Copyfile
+        shell: pwsh
+        run: |
+          cp .\kernel\include\preset.h .\tools\
+          cd tools
+          (Get-Content -Path "Makefile") -replace '\$\(CC\)', " x86_64-pc-msys-gcc.exe" | Set-Content -Path "Makefile"
+          (Get-Content -Path "Makefile") -replace '\${CC}', "x86_64-pc-msys-gcc.exe" | Set-Content -Path "Makefile"
+      - name: build
+        shell: cmd
+        run: |
+          cd tools
+          msys2 -c 'make'
+      - name: Showinfo
+        shell: cmd
+        run: |
+          ls C:\a\_temp\
+
+      - name: Copyfile2
+        shell: pwsh
+        run: |
+          mkdir .\win
+          cp .\tools\kptools.exe .\win\kptools-msys2.exe
+          cp C:\a\_temp\msys64\usr\bin\msys-2.0.dll .\win
+          cp C:\a\_temp\msys64\usr\bin\msys-z.dll .\win
+          7z a kptools-msys2-win .\win 
+      - name: Release
+        uses: ncipollo/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ env.VERSION }}
+          artifacts: |
+            kptools-msys2-win.7z
+          allowUpdates: true
+          replacesArtifacts: true
 
   Build-kptools-mac:
     runs-on: macos-latest

kernel/base/fphook.c

@@ -221,28 +221,25 @@ void fp_hook(uintptr_t fp_addr, void *replace, void **backup)
 {
     uint64_t *entry = pgtable_entry_kernel(fp_addr);
     uint64_t ori_prot = *entry;
-    *entry = (ori_prot | PTE_DBM) & ~PTE_RDONLY;
+    modify_entry_kernel(fp_addr, entry, (ori_prot | PTE_DBM) & ~PTE_RDONLY);
     flush_tlb_kernel_page(fp_addr);
     *(uintptr_t *)backup = *(uintptr_t *)fp_addr;
     *(uintptr_t *)fp_addr = (uintptr_t)replace;
     dsb(ish);
-    *entry = ori_prot;
-    flush_tlb_kernel_page(fp_addr);
+    modify_entry_kernel(fp_addr, entry, ori_prot);
 }
 KP_EXPORT_SYMBOL(fp_hook);
 
 void fp_unhook(uintptr_t fp_addr, void *backup)
 {
     uint64_t *entry = pgtable_entry_kernel(fp_addr);
     uint64_t ori_prot = *entry;
-    *entry = (ori_prot | PTE_DBM) & ~PTE_RDONLY;
-    flush_tlb_kernel_page(fp_addr);
+    modify_entry_kernel(fp_addr, entry, (ori_prot | PTE_DBM) & ~PTE_RDONLY);
     *(uintptr_t *)fp_addr = (uintptr_t)backup;
     dsb(ish);
     isb();
     flush_icache_all();
-    *entry = ori_prot;
-    flush_tlb_kernel_page(fp_addr);
+    modify_entry_kernel(fp_addr, entry, ori_prot);
 }
 KP_EXPORT_SYMBOL(fp_unhook);
 

kernel/base/hook.c

@@ -606,16 +606,14 @@ void hook_install(hook_t *hook)
     uint64_t va = hook->origin_addr;
     uint64_t *entry = pgtable_entry_kernel(va);
     uint64_t ori_prot = *entry;
-    *entry = (ori_prot | PTE_DBM) & ~PTE_RDONLY;
-    flush_tlb_kernel_page(va);
+    modify_entry_kernel(va, entry, (ori_prot | PTE_DBM) & ~PTE_RDONLY);
     // todo: cpu_stop_machine
     // todo: can use aarch64_insn_patch_text_nosync, aarch64_insn_patch_text directly?
     for (int32_t i = 0; i < hook->tramp_insts_num; i++) {
         *((uint32_t *)hook->origin_addr + i) = hook->tramp_insts[i];
     }
     flush_icache_all();
-    *entry = ori_prot;
-    flush_tlb_kernel_page(va);
+    modify_entry_kernel(va, entry, ori_prot);
 }
 KP_EXPORT_SYMBOL(hook_install);
 
@@ -624,14 +622,13 @@ void hook_uninstall(hook_t *hook)
     uint64_t va = hook->origin_addr;
     uint64_t *entry = pgtable_entry_kernel(va);
     uint64_t ori_prot = *entry;
-    *entry = (ori_prot | PTE_DBM) & ~PTE_RDONLY;
+    modify_entry_kernel(va, entry, (ori_prot | PTE_DBM) & ~PTE_RDONLY);
     flush_tlb_kernel_page(va);
     for (int32_t i = 0; i < hook->tramp_insts_num; i++) {
         *((uint32_t *)hook->origin_addr + i) = hook->origin_insts[i];
     }
     flush_icache_all();
-    *entry = ori_prot;
-    flush_tlb_kernel_page(va);
+    modify_entry_kernel(va, entry, ori_prot);
 }
 KP_EXPORT_SYMBOL(hook_uninstall);
 

kernel/base/setup1.S

@@ -223,6 +223,29 @@ map_prepare:
     add x13, x15, x19
     // map_data.paging_init_backup = *(uint32_t *)(paging_init_pa);
     ldr w12, [x13]
+
+    mov w3, #0x201F
+    movk w3, #0xD503, lsl#16
+    orr w1, w3, #0x100
+    mov w2, #0xFFFFFD1F
+    and w0, w12, w2
+    // if ((map_data.paging_init_backup & 0xFFFFFD1F) == 0xD503211F)
+    cmp w0, w1
+    b.ne .backup
+    // map_data.paging_init_backup = NOP
+    mov w12, w3
+    // uint32_t *p = (uint32_t *)paging_init_pa + 1;
+    add x11, x13, #4
+.cmp_auti:
+    // while ((*p & 0xFFFFFD1F) != 0xD503211F) ++p;
+    ldr w0, [x11], #4
+    and w0, w0, w2
+    cmp w0, w1
+    b.ne .cmp_auti
+    // *p = NOP
+    stur w3, [x11, #-4]
+
+.backup:
     str w12, [x9, #map_paging_init_backup_offset]
     dsb ish
 

kernel/base/start.c

@@ -174,6 +174,25 @@ uint64_t *pgtable_entry(uint64_t pgd, uint64_t va)
 }
 KP_EXPORT_SYMBOL(pgtable_entry);
 
+void modify_entry_kernel(uint64_t va, uint64_t *entry, uint64_t value)
+{
+    if (!pte_valid_cont(*entry) && !pte_valid_cont(value)) {
+        *entry = value;
+        flush_tlb_kernel_page(va);
+        return;
+    }
+
+    uint64_t table_pa_mask = (((1ul << (48 - page_shift)) - 1) << page_shift);
+    uint64_t prot = value & ~table_pa_mask;
+    uint64_t *p = (uint64_t *)((uintptr_t)entry & ~(sizeof(entry) * CONT_PTES - 1));
+    for (int i = 0; i < CONT_PTES; ++i, ++p)
+        *p = (*p & table_pa_mask) | prot;
+
+    *entry = value;
+    va &= CONT_PTE_MASK;
+    flush_tlb_kernel_range(va, va + CONT_PTES * page_size);
+}
+
 static void prot_myself()
 {
     uint64_t *kpte = pgtable_entry_kernel(kernel_stext_va);

kernel/include/pgtable.h

@@ -47,6 +47,13 @@
 #define PTATTR_RDONLY (1ul << 62) /* AP[2], write note permited at any exception level*/
 #define PTATTR_NS (1ul << 63) /* Indicates whether the table identifier is located in Secure PA space */
 
+#define pte_valid_cont(pte)	(((pte) & (PTE_VALID | PTE_TABLE_BIT | PTE_CONT)) == (PTE_VALID | PTE_TABLE_BIT | PTE_CONT))
+
+#define CONT_PTE_SHIFT (4 + page_shift)
+#define CONT_PTES (1 << (CONT_PTE_SHIFT - page_shift))
+#define CONT_PTE_SIZE (CONT_PTES * page_size)
+#define CONT_PTE_MASK (~(CONT_PTE_SIZE - 1))
+
 #define mask_ul(h, l) (((~0ul) << (l)) & (~0ul >> (63 - (h))))
 
 #define sev() asm volatile("sev" : : : "memory")
@@ -169,4 +176,6 @@ static inline uint64_t *pgtable_entry_kernel(uint64_t va)
     return pgtable_entry(pgd_va, va);
 }
 
+void modify_entry_kernel(uint64_t va, uint64_t *entry, uint64_t value);
+
 #endif

kernel/patch/ksyms/execv.c

@@ -38,7 +38,7 @@ static void before_execve(hook_fargs3_t *args, void *udata)
     unsigned long stack = (unsigned long)get_stack(current);
     uintptr_t addr = (uintptr_t)(thread_size + stack);
 
-    for (uintptr_t i = addr - sizeof(struct pt_regs) - 0x40; i < addr - 32 * 8; i += 0x10) {
+    for (uintptr_t i = addr - sizeof(struct pt_regs) - 0x40; i < addr - 32 * 8; i += sizeof(uint32_t)) {
         uintptr_t val0 = *(uintptr_t *)i;
         uintptr_t val1 = *(uintptr_t *)(i + 0x8);
         uintptr_t val2 = *(uintptr_t *)(i + 0x10);

kernel/patch/ksyms/task_cred.c

@@ -203,7 +203,7 @@ int resolve_cred_offset()
     kernel_cap_t new_cap_e = { 0xff }, new_cap_i = { 0xf }, new_cap_p = { 0xfff };
     cap_capset(cred1, cred, &new_cap_e, &new_cap_i, &new_cap_p);
 
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(kernel_cap_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         kernel_cap_t cap = *(kernel_cap_t *)((uintptr_t)cred + i);
         kernel_cap_t cap1 = *(kernel_cap_t *)((uintptr_t)cred1 + i);
@@ -225,7 +225,7 @@ int resolve_cred_offset()
     }
 
     // cap_bset
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(kernel_cap_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         kernel_cap_t cap1 = *(kernel_cap_t *)((uintptr_t)cred1 + i);
         if (cap1.val == effective.val) {
@@ -239,7 +239,7 @@ int resolve_cred_offset()
     log_boot("    cap_bset offset: %x\n", cred_offset.cap_bset_offset);
 
     // securebits
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(unsigned)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         unsigned *sbitsp = (unsigned *)((uintptr_t)cred + i);
         unsigned oribits = *sbitsp;
@@ -257,7 +257,7 @@ int resolve_cred_offset()
     log_boot("    securebits offset: %x\n", cred_offset.securebits_offset);
 
     // euid, uid, egid, gid
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uid_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         uid_t *uidp = (uid_t *)((uintptr_t)cred + i);
         if (*uidp) continue;
@@ -283,7 +283,7 @@ int resolve_cred_offset()
     log_boot("    egid offset: %x\n", cred_offset.egid_offset);
 
     // fsuid
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uid_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         uid_t *uidp = (uid_t *)((uintptr_t)cred + i);
         uid_t backup = *uidp;
@@ -300,7 +300,7 @@ int resolve_cred_offset()
 
     // fsgid
     struct cred *new_cred = *(struct cred **)((uintptr_t)task + task_struct_offset.cred_offset);
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(gid_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         gid_t *gidp = (gid_t *)((uintptr_t)new_cred + i);
         gid_t backup = *gidp;
@@ -318,7 +318,7 @@ int resolve_cred_offset()
     // suid
     raw_syscall3(__NR_setresuid, 0, 0, 1158);
     new_cred = *(struct cred **)((uintptr_t)task + task_struct_offset.cred_offset);
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uid_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         uid_t *uidp = (uid_t *)((uintptr_t)new_cred + i);
         if (*uidp == 1158) {
@@ -333,7 +333,7 @@ int resolve_cred_offset()
     // sgid
     raw_syscall3(__NR_setresgid, 0, 0, 1158);
     new_cred = *(struct cred **)((uintptr_t)task + task_struct_offset.cred_offset);
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(gid_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         gid_t *uidp = (gid_t *)((uintptr_t)new_cred + i);
         if (*uidp == 1158) {
@@ -353,7 +353,7 @@ int resolve_cred_offset()
     *(unsigned *)((uintptr_t)new_cred + cred_offset.securebits_offset) = 0;
     cap_task_prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, 0xf, 0, 0);
     new_cred = *(struct cred **)((uintptr_t)task + task_struct_offset.cred_offset);
-    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(kernel_cap_t)) {
+    for (int i = 0; i < CRED_MAX_SIZE; i += sizeof(uint32_t)) {
         if (is_bl(i)) continue;
         kernel_cap_t cap = *(kernel_cap_t *)((uintptr_t)cred + i);
         kernel_cap_t new_cap = *(kernel_cap_t *)((uintptr_t)new_cred + i);
@@ -379,7 +379,7 @@ static int find_swapper_comm_offset(uint64_t start, int size)
     if (!is_kimg_range(start) || !is_kimg_range(start + size)) return -1;
     char swapper_comm[TASK_COMM_LEN] = "swapper";
     char swapper_comm_1[TASK_COMM_LEN] = "swapper/0";
-    for (uint64_t i = start; i < start + size; i += 8) {
+    for (uint64_t i = start; i < start + size; i += sizeof(uint32_t)) {
         if (!lib_strcmp(swapper_comm, (char *)i) || !lib_strcmp(swapper_comm_1, (char *)i)) {
             return i - start;
         }
@@ -401,7 +401,7 @@ int resolve_task_offset()
     int cred_offset_idx = 0;
     init_cred = get_task_cred(init_task); // todo: get_task_cred not export
     log_boot("    init_cred addr: %llx\n", init_cred);
-    for (uintptr_t i = (uintptr_t)init_task; i < (uintptr_t)init_task + TASK_STRUCT_MAX_SIZE; i += sizeof(uintptr_t)) {
+    for (uintptr_t i = (uintptr_t)init_task; i < (uintptr_t)init_task + TASK_STRUCT_MAX_SIZE; i += sizeof(uint32_t)) {
         uintptr_t val = *(uintptr_t *)i;
         if (val == (uintptr_t)init_cred) {
             cred_offset[cred_offset_idx++] = i - (uintptr_t)init_task;
@@ -426,7 +426,7 @@ int resolve_task_offset()
 
     // seccomp
     if (kfunc(prctl_get_seccomp)) {
-        for (uintptr_t i = (uintptr_t)task; i < (uintptr_t)task + TASK_STRUCT_MAX_SIZE; i += sizeof(uintptr_t)) {
+        for (uintptr_t i = (uintptr_t)task; i < (uintptr_t)task + TASK_STRUCT_MAX_SIZE; i += sizeof(uint32_t)) {
             int *modep = (int *)i;
             int mode_back = *modep;
             if (mode_back) continue;
@@ -443,7 +443,7 @@ int resolve_task_offset()
     // active_mm
     init_mm = (struct mm_struct *)kallsyms_lookup_name("init_mm");
     if (init_mm) {
-        for (uintptr_t i = (uintptr_t)task; i < (uintptr_t)task + TASK_STRUCT_MAX_SIZE; i += sizeof(uintptr_t)) {
+        for (uintptr_t i = (uintptr_t)task; i < (uintptr_t)task + TASK_STRUCT_MAX_SIZE; i += sizeof(uint32_t)) {
             uintptr_t active_mm = *(uintptr_t *)i;
             if (active_mm == (uintptr_t)init_mm) {
                 task_struct_offset.active_mm_offset = i - (uintptr_t)task;
@@ -516,7 +516,7 @@ int resolve_current()
         uint64_t sp_low = sp & ~(tsz - 1);
         // uint64_t sp_high = sp_low + tsz; // user_stack_pointer
         uint64_t psp = sp_low;
-        for (; psp < sp_low + THREAD_INFO_MAX_SIZE; psp += 8) {
+        for (; psp < sp_low + THREAD_INFO_MAX_SIZE; psp += sizeof(uint32_t)) {
             if (*(uint64_t *)psp == STACK_END_MAGIC) {
                 if (psp == sp_low) {
                     thread_size = tsz;
@@ -544,15 +544,15 @@ int resolve_current()
     if (!thread_info_in_task) {
         uint64_t thread_info_addr = (uint64_t)current_thread_info_sp();
         if (init_task) {
-            for (uint64_t ptr = thread_info_addr; ptr < thread_info_addr + stack_end_offset; ptr += sizeof(uint64_t)) {
+            for (uint64_t ptr = thread_info_addr; ptr < thread_info_addr + stack_end_offset; ptr += sizeof(uint32_t)) {
                 uint64_t pv = *(uint64_t *)ptr;
                 if (pv == (uint64_t)init_task) {
                     task_in_thread_info_offset = ptr - thread_info_addr;
                     break;
                 }
             }
         } else { // unlikely
-            for (uint64_t ptr = thread_info_addr; ptr < thread_info_addr + stack_end_offset; ptr += sizeof(uint64_t)) {
+            for (uint64_t ptr = thread_info_addr; ptr < thread_info_addr + stack_end_offset; ptr += sizeof(uint32_t)) {
                 uint64_t pv = *(uint64_t *)ptr;
                 task_struct_offset.comm_offset = find_swapper_comm_offset(pv, TASK_STRUCT_MAX_SIZE);
                 if (task_struct_offset.comm_offset > 0) {
@@ -573,7 +573,7 @@ int resolve_current()
 
     // stack,
     uint64_t stack_base = (sp & ~(thread_size - 1));
-    for (uintptr_t i = (uintptr_t)init_task; i < (uintptr_t)init_task + TASK_STRUCT_MAX_SIZE; i += sizeof(uintptr_t)) {
+    for (uintptr_t i = (uintptr_t)init_task; i < (uintptr_t)init_task + TASK_STRUCT_MAX_SIZE; i += sizeof(uint32_t)) {
         uintptr_t val = *(uintptr_t *)i;
         if (stack_base == val) {
             stack_in_task_offset = i - (uintptr_t)init_task;
@@ -599,7 +599,7 @@ int resolve_mm_struct_offset()
     uintptr_t init_mm_addr = (uintptr_t)init_mm;
     if (!init_mm_addr) return 0;
 
-    for (uintptr_t i = init_mm_addr; i < init_mm_addr + MM_STRUCT_MAX_SIZE; i += sizeof(uintptr_t)) {
+    for (uintptr_t i = init_mm_addr; i < init_mm_addr + MM_STRUCT_MAX_SIZE; i += sizeof(uint32_t)) {
         uint64_t pgd = *(uintptr_t *)i;
         if (pgd == phys_to_kimg(pgd_pa)) {
             mm_struct_offset.pgd_offset = i - init_mm_addr;

tools/kallsym.c

@@ -668,10 +668,10 @@ static int correct_addresses_or_offsets_by_vectors(kallsym_t *info, char *img, i
         uint64_t base = uint_unpack(img + info->_approx_addresses_or_offsets_offset, elem_size, info->is_be);
         base_cand[0] = base;
         if (info->kernel_base) {
-            base_cand[++base_cand_num] = info->kernel_base;
+            base_cand[base_cand_num++] = info->kernel_base;
         }
         if (info->kernel_base != ELF64_KERNEL_MIN_VA) {
-            base_cand[++base_cand_num] = ELF64_KERNEL_MIN_VA;
+            base_cand[base_cand_num++] = ELF64_KERNEL_MIN_VA;
         }
     }