I'm currently trying to reverse engineer a program (~30KB, mostly code) that appears to be built for x86 unpaged protected mode. It contains instructions that access physical memory (or memory mapped device registers to be more precise) directly, e.g.:

mov esi, 0FED40000h  ; Some device base address (32-bit immediate; the extra zero in the original was a typo)
mov eax, [esi+18h]   ; Memory mapped status register of said device

I would like to run said program in QEMU and ideally be able to step through it in a debugger such as gdb.

Now the problem is that the absolute memory addresses encoded in the code result in segmentation faults in any operating system with paging enabled.

I've been thinking of ways to circumvent this:

  • Map physical memory into user space by using mmap on /dev/mem and run the program in user space. While this allows access to physical memory, the hardcoded memory addresses in the analyzed program would need to be patched as the mapped address will not be the same as the physical address. This seems hardly feasible due to the large amount of encoded absolute addresses.
  • Install a segmentation fault handler that tries to fix the illegal memory access by rewriting the address. Then run the program in user space.
  • Write a bootloader that loads the program code from disk into memory, enters protected mode (including setup of the GDT) and jumps to it. As I've never written any comparable code, I'm not even sure this would work.

Are there any other options to run this program I've missed so far? Or do you have any suggestions, additions or experiences with the ideas mentioned above?

1 Answer

The few SINIT modules I have seen have a small real-mode loader section at the entry point that parses, and then jumps into, a plain PE file embedded at the end of the module. So if you don't need to debug the loader, you can extract the PE and then load and debug it from DOS using one of the DOS extenders that support PE files (e.g. HX-DOS, WDOSX). Note, however, that once the module has run and issued the CLOSE-PRIVATE command, the private TXT registers can no longer be accessed.

By the way, the 0xFED40000 range appears to belong to Intel's integrated TPM (iTPM). See the tpm_tis driver in Linux. So you could intercept those accesses (with a signal/exception handler) and redirect them to the real TPM.

answered 2013-07-03T23:09:22.480
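One way to realise the "fix it up in a fault handler" option from the question and the interception suggested in the answer, as an added example that is not code from either post: rather than emulating the faulting instruction, the SIGSEGV handler maps a page at the hardcoded address on first touch and returns, so the kernel simply retries the original, unpatched instruction. It assumes a 64-bit Linux process (so 0xFED40000 is a legal user-space virtual address) and uses an anonymous page holding a constructed status value where a real setup would map /dev/mem at the same physical offset.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Device window from the question: one 4 KiB page at 0xFED40000 (TPM TIS). */
#define DEV_BASE   0xFED40000UL
#define DEV_SIZE   0x1000UL
#define STATUS_OFF 0x18UL

static volatile sig_atomic_t faults_fixed = 0;

/* First touch of the device range: map a page at exactly that address and
 * return, so the kernel re-executes the faulting instruction unchanged.
 * Assumption: MAP_ANONYMOUS stands in for mmap(/dev/mem) at offset DEV_BASE. */
static void segv_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr;
    void *p = MAP_FAILED;
    if (addr >= DEV_BASE && addr < DEV_BASE + DEV_SIZE && !faults_fixed)
        p = mmap((void *)DEV_BASE, DEV_SIZE, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p != (void *)DEV_BASE) {   /* foreign fault or mapping failed: die normally */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    /* Constructed register contents: status register at +0x18 reads 0x80. */
    *(volatile uint32_t *)(DEV_BASE + STATUS_OFF) = 0x80;
    faults_fixed = 1;
}

int install_fixup_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* C equivalent of `mov esi, 0FED40000h / mov eax, [esi+18h]`: the absolute
 * address stays hardcoded; the first load faults, the handler maps the page,
 * and the retried load returns the register value. */
uint32_t read_status_register(void) {
    return *(volatile uint32_t *)(DEV_BASE + STATUS_OFF);
}

int fixups_done(void) { return (int)faults_fixed; }
```

The same trick covers a whole address range with one handler, which avoids patching every encoded absolute address; it does not help on a 32-bit kernel, where 0xFED40000 lies inside the kernel half of the address space.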