在前面一篇文章中,已經定位到了變量HalpWakeVector,我也說過這是開啓OS S3大門的鑰匙,那這篇文章就應該是登堂入室了。
1.從HalpWakeVector過度到HalpLowStubPhysicalAddress:
hal模塊對HalpWakeVector的引用不多,只有4處:
但是現階段只用到HalpSetupRealModeResume函數。
.text:00000001C003D320 HalpSetupRealModeResume proc near ; CODE XREF: HaliAcpiSleep+139↑p
.text:00000001C003D320 ; DATA XREF: .pdata:00000001C0054240↓o
.text:00000001C003D320
.text:00000001C003D320 arg_0 = qword ptr 8
.text:00000001C003D320
.text:00000001C003D320 mov [rsp+arg_0], rcx
.text:00000001C003D325 sub rsp, 28h
.text:00000001C003D329 mov rax, cs:HalpWakeVector
.text:00000001C003D330 test rax, rax
.text:00000001C003D333 jnz short loc_1C003D336
.text:00000001C003D335 int 3 ; Trap to Debugger
.text:00000001C003D336
.text:00000001C003D336 loc_1C003D336: ; CODE XREF: HalpSetupRealModeResume+13↑j
.text:00000001C003D336 mov [rax], edx ; store HalpLowStubPhysicalAddress to HalpWakeVector
HalpSetupRealModeResume入口處先獲得HalpWakeVector的地址,如果地址非空,則向其中寫入HaliAcpiSleep調用HalpSetupRealModeResume時傳入的參數edx。跳轉到HaliAcpiSleep,將看到如下代碼段:
.text:00000001C003C963 mov edx, dword ptr cs:HalpLowStubPhysicalAddress
.text:00000001C003C969 call HalpSetupRealModeResume
.text:00000001C003C96E test al, al
.text:00000001C003C970 jnz loc_1C003CCA2
HaliAcpiSleep傳入的值是HalpLowStubPhysicalAddress。
2.Hal對HalpLowStubPhysicalAddress的引用:
查找Hal模塊對HalpLowStubPhysicalAddress的引用:
在xrefs窗口會看到一些熟悉的字眼,比如SetupAcpiPhase0。記得Windows啓動過程也分Phase0/Phase1兩個階段,所以,我猜想下面的w xrefs(注意是Write引用)是在OS初始化階段,對HalpLowStubPhysicalAddress進行初始化:
Down w HalpSetupAcpiPhase0+EC mov cs:HalpLowStubPhysicalAddress, rax
跳轉到HalpSetupAcpiPhase0+0xEC處果真如此,它調用HalpAllocPhysicalMemory分配物理頁面並將返回值寫入HalpLowStubPhysicalAddress:
INIT:00000001C0071E1B mov edx, 100000h
INIT:00000001C0071E20 mov rcx, rbx
INIT:00000001C0071E23 call HalpAllocPhysicalMemory
INIT:00000001C0071E28 mov cs:HalpLowStubPhysicalAddress, rax
INIT:00000001C0071E2F test rax, rax
INIT:00000001C0071E32 jz short loc_1C0071E53
由此可見,雙機調試時需要在HalpSetupAcpiPhase0函數上下斷點,觀察HalpLowStubPhysicalAddress的值是否和UEFI S3Resume時訪問的Facs->XFirmwareWakingVector相同。下一篇就動手驗證一下。