Implemented many new intrinsics and a periodic worker.

Author: can1357

.gitignore

@@ -20,3 +20,5 @@ x64/Release/
 LuaLib/x64/Release/
 
 LuaLib/x64/Debug/
+
+*.recipe

ActualConsole/main.cpp

@@ -3,23 +3,54 @@
 #include <iostream>
 #include <sstream>
 #include <tuple>
+#include <mutex>
 #include "../KernelLuaVm/driver_io.hpp"
 
+HANDLE device = CreateFileA
+(
+    "\\\\.\\NtLua",
+    GENERIC_READ | GENERIC_WRITE,
+    FILE_SHARE_READ | FILE_SHARE_WRITE,
+    NULL,
+    OPEN_EXISTING,
+    FILE_ATTRIBUTE_NORMAL,
+    NULL
+);
+
+void worker_thread()
+{
+    bool prev_success = false;
+    while ( 1 )
+    {
+        Sleep( prev_success ? 100 : 5000 );
+
+        ntlua_result result = { nullptr, nullptr };
+        char worker_script[] = R"(
+            if worker then 
+                worker() 
+                print("-")
+            end
+        )";
+
+        DWORD discarded = 0;
+        DeviceIoControl(
+            device,
+            NTLUA_RUN,
+            worker_script, sizeof( worker_script ),
+            &result, sizeof( result ),
+            &discarded, nullptr
+        );
+
+        if ( result.outputs ) VirtualFree( result.outputs, 0, MEM_RELEASE );
+        if ( result.errors ) VirtualFree( result.errors, 0, MEM_RELEASE );
+        prev_success = !result.outputs;
+    }
+}
+
 int main()
 {
-    // Create a handle to the device.
-    //
-    HANDLE device = CreateFileA
-    ( 
-        "\\\\.\\NtLua",
-        GENERIC_READ | GENERIC_WRITE,
-        FILE_SHARE_READ | FILE_SHARE_WRITE,
-        NULL,
-        OPEN_EXISTING,
-        FILE_ATTRIBUTE_NORMAL,
-        NULL 
-    );
     if ( device == INVALID_HANDLE_VALUE ) return 1;
+    std::thread thr( &worker_thread );
 
     // Enter REPL:
     //
@@ -42,6 +73,8 @@ int main()
             buffer += "\n" + buffer2;
         }
 
+
+
         // Handle special commands:
         //
         if ( buffer == "clear" )
@@ -53,14 +86,22 @@ int main()
             return system( "cmd" );
         else if ( buffer == "exit" )
             return 0;
+        else if ( buffer == "reset" )
+        {
+            DWORD discarded = 0;
+            DeviceIoControl(
+                device,
+                NTLUA_RESET,
+                &buffer[ 0 ], buffer.size() + 1,
+                &discarded, sizeof( discarded ),
+                &discarded, nullptr
+            );
+            continue;
+        }
 
         // Send IOCTL.
         //
-        ntlua_result result = { 
-            nullptr, 
-            nullptr 
-        };
-
+        ntlua_result result = { nullptr, nullptr };
         DWORD discarded = 0;
         DeviceIoControl( 
             device,

KernelLuaVm/KernelLuaVm.vcxproj

@@ -82,6 +82,7 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
     <IncludePath>$(SolutionDir)LuaLib;$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)</IncludePath>
+    <TimeStampServer>http://timestamp.verisign.com/scripts/timstamp.dll</TimeStampServer>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>

KernelLuaVm/driver_io.hpp

@@ -1,7 +1,8 @@
 #pragma once
 
 // Assuming the platform specific header is included already.
-#define NTLUA_RUN CTL_CODE( 0x13, 0x37, METHOD_BUFFERED, FILE_ANY_ACCESS )
+#define NTLUA_RUN   CTL_CODE( 0x13, 0x37, METHOD_BUFFERED, FILE_ANY_ACCESS )
+#define NTLUA_RESET CTL_CODE( 0x13, 0x38, METHOD_BUFFERED, FILE_ANY_ACCESS )
 
 // Shared structures.
 //

KernelLuaVm/lua/api.cpp

@@ -1,9 +1,11 @@
 #include "api.hpp"
 #include <ntimage.h>
 
-__declspec( dllimport ) extern "C" void RtlPcToFileHeader( void* a1, IMAGE_DOS_HEADER * *a2 );
+extern "C" {
+    __declspec( dllimport ) void RtlPcToFileHeader( void* a1, IMAGE_DOS_HEADER** a2 );
+};
 
-static void export_func( lua_State* L, const char* name, void* ptr )
+static void export_func( lua_State* L, const char* name, const void* ptr )
 {
     native_function* fn = native_function::push( L );
     fn->address = ptr;
@@ -44,18 +46,66 @@ static void writedr3( uint64_t value ) { return __writedr( 3, value ); }
 static void writedr6( uint64_t value ) { return __writedr( 6, value ); }
 static void writedr7( uint64_t value ) { return __writedr( 7, value ); }
 
-static uint8_t inbyte( uint16_t port ) { return __inbyte( port ); }
-static uint16_t inword( uint16_t port ) { return __inword( port ); }
+static uint32_t inbyte( uint16_t port ) { return __inbyte( port ); }
+static uint32_t inword( uint16_t port ) { return __inword( port ); }
 static uint32_t indword( uint16_t port ) { return __indword( port ); }
 static void outbyte( uint16_t port, uint8_t value ) { return __outbyte( port, value ); }
 static void outword( uint16_t port, uint16_t value ) { return __outword( port, value ); }
 static void outdword( uint16_t port, uint32_t value ) { return __outdword( port, value ); }
 
 static uint64_t readtsc() { return __rdtsc(); }
+static uint32_t readtscpa() { uint32_t aux; __rdtscp( &aux ); return aux; }
+static uint32_t readtscp() { uint32_t aux; return __rdtscp( &aux ); }
 static uint64_t readpmc( uint32_t pmc ) { return __readpmc( pmc ); }
 static uint64_t readgsbase() { return _readgsbase_u64(); }
 static uint64_t readfsbase() { return _readfsbase_u64(); }
 
+#pragma section(".stub", execute, read)
+#pragma comment(linker,"/SECTION:.stub,ERW")
+
+template<auto... Ops>
+struct as_code 
+{ 
+    __declspec( allocate( ".stub" ) ) inline static const uint8_t data[] = { Ops..., 0xC3 }; 
+    constexpr operator const uint8_t*() const noexcept { return &data[ 0 ]; }
+};
+static constexpr const uint8_t* writecr2 = as_code<0x0F, 0x22, 0xD1>{};
+static constexpr const uint8_t* syscall = as_code<0x0F, 0x05>{};
+static constexpr const uint8_t* sysretc = as_code<0x0F, 0x07>{};
+static constexpr const uint8_t* sysretq = as_code<0x48, 0x0F, 0x07>{};
+static constexpr const uint8_t* sysenter = as_code<0x0F, 0x34>{};
+static constexpr const uint8_t* sysexit = as_code<0x0F, 0x35>{};
+static constexpr const uint8_t* lmsw = as_code<0x0F, 0x01, 0xF1>{};
+static constexpr const uint8_t* smsw = as_code<0x0F, 0x01, 0xF0, 0x0F, 0xB7, 0xC0>{};
+static constexpr const uint8_t* ltr = as_code<0x0F, 0x00, 0xD9>{};
+static constexpr const uint8_t* str = as_code<0x66, 0x0F, 0x00, 0xC8, 0x48, 0x0F, 0xB7, 0xC0>{};
+static constexpr const uint8_t* lidt = as_code<0x48, 0x89, 0x4C, 0x24, 0x0A, 0x66, 0x89, 0x54, 0x24, 0x08, 0x0F, 0x01, 0x5C, 0x24, 0x08>{}; // void(u64, u16)
+static constexpr const uint8_t* lgdt = as_code<0x48, 0x89, 0x4C, 0x24, 0x0A, 0x66, 0x89, 0x54, 0x24, 0x08, 0x0F, 0x01, 0x54, 0x24, 0x08>{}; // void(u64, u16)
+static constexpr const uint8_t* sidt_b = as_code<0x0F, 0x01, 0x4C, 0x24, 0x08, 0x48, 0x8B, 0x44, 0x24, 0x0A>{}; // u64()
+static constexpr const uint8_t* sidt_l = as_code<0x0F, 0x01, 0x4C, 0x24, 0x08, 0x0F, 0xB7, 0x44, 0x24, 0x08>{}; // u64()
+static constexpr const uint8_t* sgdt_b = as_code<0x0F, 0x01, 0x44, 0x24, 0x08, 0x48, 0x8B, 0x44, 0x24, 0x0A>{}; // u64()
+static constexpr const uint8_t* sgdt_l = as_code<0x0F, 0x01, 0x44, 0x24, 0x08, 0x0F, 0xB7, 0x44, 0x24, 0x08>{}; // u64()
+static constexpr const uint8_t* lldt = as_code<0x0F, 0x00, 0xD1>{};
+static constexpr const uint8_t* sldt = as_code<0x66, 0x0F, 0x00, 0xC0, 0x0F, 0xB7, 0xC0>{};
+static constexpr const uint8_t* invd = as_code<0x0F, 0x08>{};
+static constexpr const uint8_t* wbinvd = as_code<0x0F, 0x09>{};
+static constexpr const uint8_t* cli = as_code<0xFA>{};
+static constexpr const uint8_t* sti = as_code<0xFB>{};
+
+static void hlt() { __halt(); }
+static void invlpg( void* adr ) { __invlpg( adr ); }
+static void xsetbv( uint32_t reg, uint64_t val ) { _xsetbv( reg, val ); }
+static uint64_t xgetbv( uint32_t reg ) { return _xgetbv( reg ); }
+static void monitor( void* adr ) { _mm_monitor( adr, 0, 0 ); }
+static void mwait() { _mm_mwait( 0, 0 ); }
+
+static uint64_t exec( const char* code, size_t length, uint64_t rcx, uint64_t rdx )
+{
+    __declspec( allocate( ".stub" ) ) static uint8_t space[ 0x1000 ];
+    memcpy( space, code, length > 0x1000 ? 0x1000 : length );
+    return ( ( uint64_t( __stdcall* )( uint64_t, uint64_t ) ) & space[ 0 ] )( rcx, rdx );
+}
+
 static void* read_svirt( const void* src, size_t n )
 {
     static auto _MmCopyMemory = [ ] ()
@@ -156,6 +206,12 @@ static void export_all( lua_State* L, uint64_t image_address )
     lua_createtable( L, 0, eat->NumberOfFunctions );
     if ( names )
     {
+        // Insert the base address to the table.
+        //
+        lua_pushstring( L, "base_address" );
+        native_function::push( L )->address = ( void* ) image_address;
+        lua_settable( L, -3 );
+
         // For each named export:
         //
         for ( int i = 0; i < eat->NumberOfNames; i++ )
@@ -171,11 +227,10 @@ static void export_all( lua_State* L, uint64_t image_address )
                  address < ( export_dir.VirtualAddress + export_dir.Size ) )
                 continue;
 
-            // Insert the table.
+            // Insert to the table.
             //
             lua_pushstring( L, name );
-            native_function* fn = native_function::push( L );
-            fn->address = ( void* ) address;
+            native_function::push( L )->address = ( void* ) address;
             lua_settable( L, -3 );
         }
     }
@@ -253,15 +308,45 @@ void lua::expose_api( lua_State* L )
     export_func( L, "outdword", &outdword );
 
     export_func( L, "readtsc", &readtsc );
+    export_func( L, "readtscpa", &readtscpa );
+    export_func( L, "readtscp", &readtscp );
     export_func( L, "readpmc", &readpmc );
     export_func( L, "readgsbase", &readgsbase );
     export_func( L, "readfsbase", &readfsbase );
 
+    export_func( L, "writecr2", writecr2 );
+    export_func( L, "syscall", syscall );
+    export_func( L, "sysretc", sysretc );
+    export_func( L, "sysretq", sysretq );
+    export_func( L, "sysenter", sysenter );
+    export_func( L, "sysexit", sysexit );
+    export_func( L, "lmsw", lmsw );
+    export_func( L, "smsw", smsw );
+    export_func( L, "ltr", ltr );
+    export_func( L, "str", str );
+    export_func( L, "lidt", lidt );
+    export_func( L, "lgdt", lgdt );
+    export_func( L, "lldt", lldt );
+    export_func( L, "sidt_b", sidt_b );
+    export_func( L, "sgdt_b", sgdt_b );
+    export_func( L, "sidt_l", sidt_l );
+    export_func( L, "sgdt_l", sgdt_l );
+    export_func( L, "sldt", sldt );
+    export_func( L, "invd", invd );
+    export_func( L, "wbinvd", wbinvd );
+    export_func( L, "cli", cli );
+    export_func( L, "sti", sti );
+    export_func( L, "invlpg", invlpg );
+    export_func( L, "xsetbv", xsetbv );
+    export_func( L, "xgetbv", xgetbv );
+    export_func( L, "monitor", monitor );
+    export_func( L, "mwait", mwait );
+    export_func( L, "exec", exec );
+
     // Export simpler helpers.
     //
     export_func( L, "readps", &read_sphys );
     export_func( L, "readvs", &read_svirt );
-
     export_func( L, "attach_process", &attach_process );
     export_func( L, "attach_pid", &attach_pid );
     export_func( L, "detach", &detach );