二、Hvm过程
2.1 newbp.c (116)
if (!NT_SUCCESS (Status = HvmInit ())) {
_KdPrint (("NEWBLUEPILL: HvmInit() failed with status 0x%08hX\n", Status));
1、确定系统架构是否支持HEV，并确定支持哪种HEV技术~VT/SVM。SVM暂时忽略吧~毕竟AMD的不多呀
PHVM_DEPENDENT Hvm; (common.h)
PHVM_DEPENDENT的定义
/* Dispatch table binding the architecture-independent HVM core to one
 * back-end.  Two instances exist (Svm and Vmx); HvmInit leaves the global
 * Hvm pointer aimed at the one whose probe succeeds. */
typedef struct
{
/* Back-end tag, compared against ARCH_SVM / ARCH_VMX when HvmInit logs which
 * technology was selected; the table in vmx.c sets it to ARCH_VMX. */
UCHAR Architecture;
/* No-argument probe returning BOOLEAN: TRUE when this back-end's
 * virtualization extension is reported present by the running CPU. */
ARCH_IS_HVM_IMPLEMENTED ArchIsHvmImplemented;
/* The remaining slots are the per-architecture entry points.  Their
 * signatures are the typedefs in common.h, which are not shown here —
 * confirm them before relying on any particular calling contract. */
ARCH_INITIALIZE ArchInitialize;
ARCH_VIRTUALIZE ArchVirtualize;
ARCH_SHUTDOWN ArchShutdown;
ARCH_IS_NESTED_EVENT ArchIsNestedEvent;
ARCH_DISPATCH_NESTED_EVENT ArchDispatchNestedEvent;
ARCH_DISPATCH_EVENT ArchDispatchEvent;
ARCH_ADJUST_RIP ArchAdjustRip;
ARCH_REGISTER_TRAPS ArchRegisterTraps;
/* NOTE: the Vmx table in vmx.c fills this slot with VmxIsTrapVaild (sic). */
ARCH_IS_TRAP_VALID ArchIsTrapValid;
} HVM_DEPENDENT,
*PHVM_DEPENDENT;
HvmInit函数体
/*
 * HvmInit - select the hypervisor back-end for the CPU we are running on.
 *
 * The SVM back-end is probed first and the VMX back-end second.  The global
 * Hvm pointer is left on whichever back-end reports support, or on the last
 * one tried (Vmx) when neither does, which is also the name that appears in
 * the failure log line.  On success the global g_HvmMutex is initialised.
 *
 * Returns STATUS_SUCCESS when a back-end is available, STATUS_NOT_SUPPORTED
 * otherwise.
 *
 * NOTE(review): the probes only report what CPUID advertises; nothing here
 * checks whether firmware has disabled or locked the extension, so a later
 * enable step may still fail on a CPU that passes this routine — confirm that
 * case is handled in the back-end's ArchInitialize/ArchVirtualize.
 */
NTSTATUS NTAPI HvmInit (
)
{
    PHVM_DEPENDENT candidates[] = { &Svm, &Vmx };
    BOOLEAN found = FALSE;
    const char *archName;
    unsigned i;

    /* First back-end that claims support wins; Hvm keeps the last one tried. */
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        Hvm = candidates[i];
        if (Hvm->ArchIsHvmImplemented ()) {
            found = TRUE;
            break;
        }
    }

    archName = Hvm->Architecture == ARCH_SVM ? "SVM"
             : Hvm->Architecture == ARCH_VMX ? "VMX"
             : "???";

    if (!found) {
        _KdPrint (("HvmInit(): %s is not supported\n", archName));
        return STATUS_NOT_SUPPORTED;
    }

    _KdPrint (("HvmInit(): Running on %s\n", archName));

    KeInitializeMutex (&g_HvmMutex, 0);
    return STATUS_SUCCESS;
}
Hvm调用了ArchIsHvmImplemented()函数(也可以说方法吧)。ArchIsHvmImplemented是何物?在common.h中查到了定义:
/* Probe callback type stored in HVM_DEPENDENT.ArchIsHvmImplemented.
 * Takes no arguments and returns TRUE when the back-end's virtualization
 * extension is reported present on the running CPU; VmxIsImplemented in
 * vmx.c is one implementation. */
typedef BOOLEAN (
NTAPI * ARCH_IS_HVM_IMPLEMENTED
) (
);
嗯?函数体在哪里呢。。。
诶。。。函数体在哪呢。。。我去找函数体了。。
这货似乎蛮像的
/*
 * VmxIsImplemented - report whether the running CPU advertises Intel VT-x.
 *
 * Three CPUID facts decide the answer: leaf 0 must report a maximum basic
 * leaf of at least 1, the vendor string returned by leaf 0 must be
 * "GenuineIntel", and CPUID.1:ECX bit 5 (the VMX feature flag) must be set.
 *
 * Returns TRUE when all three hold, FALSE otherwise; each rejection is logged.
 *
 * NOTE(review): a set VMX feature bit means the CPU implements VT-x, not that
 * it is usable — firmware can disable or lock it through the
 * IA32_FEATURE_CONTROL MSR, which this probe does not read.  Confirm the lock
 * is checked before VMXON elsewhere in the VMX back-end.
 */
static BOOLEAN NTAPI VmxIsImplemented (
)
{
    /* "GenuineIntel" as CPUID leaf 0 returns it: "Genu" in EBX, "ntel" in ECX,
     * "ineI" in EDX. */
    enum { VENDOR_EBX = 0x756e6547, VENDOR_ECX = 0x6c65746e, VENDOR_EDX = 0x49656e69 };
    enum { CPUID_1_ECX_VMX_BIT = 5 };
    ULONG32 maxLeaf, vendor0, vendor1, vendor2;
    ULONG32 eax, ebx, ecx, edx;

    GetCpuIdInfo (0, &maxLeaf, &vendor0, &vendor1, &vendor2);

    if (maxLeaf < 1) {
        _KdPrint (("VmxIsImplemented(): Extended CPUID functions not implemented\n"));
        return FALSE;
    }

    if (vendor0 != VENDOR_EBX || vendor1 != VENDOR_ECX || vendor2 != VENDOR_EDX) {
        _KdPrint (("VmxIsImplemented(): Not an INTEL processor\n"));
        return FALSE;
    }

    /* CPUID.1:ECX[5] is the VMX feature flag. */
    GetCpuIdInfo (0x1, &eax, &ebx, &ecx, &edx);
    return (BOOLEAN) (CmIsBitSet (ecx, CPUID_1_ECX_VMX_BIT));
}
咦。。。这货原来是这么定义的...
在vmx.c中
/* Intel VT-x back-end instance of the HVM_DEPENDENT dispatch table.
 * HvmInit points the global Hvm here when VmxIsImplemented reports support.
 * Designated initializers name each slot so the binding to the struct
 * layout is explicit; the spelling VmxIsTrapVaild is the project's own. */
HVM_DEPENDENT Vmx = {
    .Architecture            = ARCH_VMX,
    .ArchIsHvmImplemented    = VmxIsImplemented,
    .ArchInitialize          = VmxInitialize,
    .ArchVirtualize          = VmxVirtualize,
    .ArchShutdown            = VmxShutdown,
    .ArchIsNestedEvent       = VmxIsNestedEvent,
    .ArchDispatchNestedEvent = VmxDispatchNestedEvent,
    .ArchDispatchEvent       = VmxDispatchEvent,
    .ArchAdjustRip           = VmxAdjustRip,
    .ArchRegisterTraps       = VmxRegisterTraps,
    .ArchIsTrapValid         = VmxIsTrapVaild
};
哇哦~原来如此~这明显是为了区分Intel和AMD嘛~~
HvmInit ()函数通过cpuid判断当前cpu是否支持vt后,DriverEntry继续调用HvmSwallowBluepill ()函数。至此,DriverEntry已无其他内容。HvmSwallowBluepill ()函数名称取得倒是好形象啊~~