Core ReactOS / CORE-19038

[XBOX] XBE Loader



    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Minor
    • None
    • Component: NTCore


      Four components:

      • XBE format loader - the XBE sections are unaligned to page size and contain gaps - MmspPageAlignSegments from MM does not play nice with them. Also they usually have a virtual address of 0x10000 with no relocation segment - so a manual relocation seems needed. In order to make them fit the pages and keep the MM happy, gaps are filled with offset data and enlarged in order to cover the gaps. Executable pages are set as writable for the system loader. The preload flag is set but for now ignored - it should be useful when XeLoadSection is reached for overlapping sections and for reducing memory occupation.
      • XBE system loader - it translates the XORed entrypoint and kernel image thunk to real addresses, goes through the text segment to adjust the memory addresses by opcodes and constructs import data for the thunk snapping.
      • Xboxkrnl's subsystem - the XBEs import their ordinals solely from this subsystem, and the subsystem forwards them to ntoskrnl or hal, or implements / stubs Xbox-specific APIs and externals. As some of the forwarded APIs are not exported by ntoskrnl's spec, specific exports have been added to ntoskrnl. Some of the structures are also in the XDK sdk folder but I haven't understood how to import them. The added exports on ntoskrnl are:
          @ stdcall KeBoostPriorityThread(ptr long)
          @ stdcall KeAlertResumeThread(ptr)
          @ stdcall MmCreateKernelStack(long long)
          @ stdcall MmDeleteKernelStack(ptr long)
          @ stdcall NtQuerySymbolicLinkObject(long ptr ptr)
          @ stdcall NtOpenSymbolicLinkObject(ptr long ptr)
          @ stdcall NtProtectVirtualMemory(long ptr long long ptr)
          @ stdcall NtPulseEvent(long ptr)
          @ stdcall NtQueueApcThread(long ptr ptr ptr ptr)
          @ stdcall NtFlushBuffersFile(long ptr)
          @ stdcall NtOpenDirectoryObject(ptr long ptr)
          @ stdcall NtQueryFullAttributesFile(ptr ptr)
          @ stdcall NtQueryVirtualMemory(long ptr long ptr long ptr)
          @ stdcall NtSetSystemTime(ptr ptr)
          @ stdcall KeSetDisableBoostThread(ptr long)
          @ stdcall NtSuspendThread(long ptr)
          @ stdcall NtResumeThread(long ptr)
          @ stdcall NtRemoveIoCompletion(long ptr ptr ptr ptr)
          @ stdcall NtClearEvent(long)
          @ stdcall NtCreateSemaphore(ptr long ptr long long)
          @ stdcall NtCreateMutant(ptr long ptr long)
          @ stdcall NtCreateDirectoryObject(ptr long ptr)
          @ stdcall NtCancelTimer(long ptr)
          @ stdcall NtReleaseSemaphore(long long ptr)
          @ stdcall NtReleaseMutant(long ptr)
          @ extern ExMutantObjectType
          @ stdcall SetRoutineAndContext2(ptr ptr)
          @ stdcall RtlEnterCriticalSection(ptr)
          @ stdcall RtlInitializeCriticalSection(ptr)
          @ stdcall DbgUnLoadImageSymbols(str ptr ptr)
          @ stdcall KeQueryBasePriorityThread(ptr)
          @ stdcall KeResumeThread(ptr)
          @ stdcall KeSuspendThread(ptr)
          @ stdcall NtCreateTimer(ptr long ptr long)
          @ stdcall NtQueryDirectoryObject(long ptr long long long ptr ptr)
          @ stdcall NtQueryEvent(long long ptr long ptr)
          @ stdcall NtQueryIoCompletion(long long ptr long ptr)
          @ stdcall NtQueryMutant(long long ptr long ptr)
          @ stdcall NtQuerySemaphore(long ptr ptr long ptr)
          @ stdcall NtReadFileScatter(long long ptr ptr ptr ptr long ptr ptr)
          @ stdcall NtQueryTimer(long long ptr long ptr)
          @ stdcall NtSetIoCompletion(long ptr ptr long long)
          @ stdcall NtWriteFileGather(long long ptr ptr ptr ptr long ptr ptr)
          @ stdcall NtYieldExecution()
          @ stdcall RtlDowncaseUnicodeChar(long)
          @ stdcall RtlRaiseStatus(long)
          @ stdcall RtlTryEnterCriticalSection(long)
          @ stdcall KeAlertThread(ptr long)
          @ stdcall KeTestAlertThread(ptr)
          @ stdcall NtCreateIoCompletion(ptr long ptr long)
          @ stdcall NtWaitForMultipleObjects(long ptr long long ptr)

      • XBE launcher - it calls the entrypoint of the XBE. Currently mimics sysinfo's loading of win32k.sys to keep ring 0 for the XBE.


      • Entrypoint is called, sets the certificate title, sets the TLS index, calls xboxkrnl's PsSystemCreateThreadEx, relays to ntoskrnl's PsSystemCreateThread and starts the thread routine.
      • Failing inside the thread on SEH2 access via the FS segment register - to be checked if it is due to an incompatibility between GCC's SEH2 and MSVC's SEH2 or to the messy relocator. To be tried with MSVC... if I can get one.

      To do:

      • Try using an MSVC build as host to check if the SEH2 issue is the same. Tried with an MSVC build: it seems to go further than the SEH2 barrier, so the loader needs the SEH provided by MSVC builds.
      • Relocator needs to be refined to be less raw and gentler with the text segment.
      • Implementing Xbox-specific key APIs (when reached) - in particular:
        • AvGetSavedDataAddress
        • AvSetSavedDataAddress
        • MmClaimGpuInstanceMemory
        • ...

      Tried with dolphin.xbe (from the Xbox XDK 5933) and The Sims ISO by putting the file inside the ReactOS live CD.
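Added example (not code from the ticket or from ReactOS): a small host-side model of two steps the format loader and system loader above perform, so the page-alignment and XOR-decoding points can be checked on a constructed section table. It assumes the public XBE section-header layout (56 bytes) and the well-known retail/debug XOR keys for the entry point and kernel thunk fields; `XbeDecodeAddress`, `XbeBuildSegments`, `XbeAuditSections` and the `SampleSections` table are this example's own names and constructed data. The gap-covering step (`CoverGaps`) is a simplification of the gap filling the ticket describes, not the loader's actual code. The audit also shows why the "executable pages set as writable" shortcut deserves a check: merging page-rounded spans ORs the flags, so a page shared by .text and .data becomes writable and executable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define PAGE_SIZE            0x1000u
#define XBE_FLAG_WRITABLE    0x1u
#define XBE_FLAG_PRELOAD     0x2u
#define XBE_FLAG_EXECUTABLE  0x4u
/* XOR keys applied to the entry point and kernel thunk fields of the XBE
   header (well-known constants from public XBE format documentation). */
#define XBE_ENTRY_KEY_RETAIL 0xA8FC57ABu
#define XBE_ENTRY_KEY_DEBUG  0x94859D4Bu
#define XBE_THUNK_KEY_RETAIL 0x5B6D40B6u
#define XBE_THUNK_KEY_DEBUG  0xEFB1F152u

/* On-disk XBE section header (56 bytes, little-endian). */
#pragma pack(push, 1)
typedef struct {
    uint32_t Flags, VirtualAddress, VirtualSize, RawAddress, RawSize;
    uint32_t SectionNameAddress, SectionNameRefCount;
    uint32_t HeadSharedPageRefCountAddress, TailSharedPageRefCountAddress;
    uint8_t  Digest[20];
} XBE_SECTION_HEADER;
#pragma pack(pop)

/* A page-aligned span the loader would hand to the memory manager. */
typedef struct { uint32_t Start, End, Flags; } LOAD_SEGMENT;

/* Undo the header XOR: try both keys and accept the one whose result lands
   inside [Base, Base + ImageSize); return 0 if neither does (corrupt header). */
uint32_t XbeDecodeAddress(uint32_t Value, uint32_t RetailKey, uint32_t DebugKey,
                          uint32_t Base, uint32_t ImageSize)
{
    uint32_t keys[2] = { RetailKey, DebugKey };
    for (int i = 0; i < 2; i++) {
        uint32_t addr = Value ^ keys[i];
        if (addr >= Base && addr - Base < ImageSize) return addr;
    }
    return 0;
}

static int SegmentByStart(const void *a, const void *b)
{
    uint32_t x = ((const LOAD_SEGMENT *)a)->Start, y = ((const LOAD_SEGMENT *)b)->Start;
    return (x > y) - (x < y);
}

/* Round each section out to page bounds, then merge spans that overlap or
   touch, OR-ing their flags. With CoverGaps each span is stretched up to the
   next one so the image is mapped without holes (example's simplification). */
size_t XbeBuildSegments(const XBE_SECTION_HEADER *Sec, size_t Count, int CoverGaps,
                        LOAD_SEGMENT *Out, size_t MaxOut)
{
    size_t n = 0;
    if (Count == 0 || Count > MaxOut) return 0;
    for (size_t i = 0; i < Count; i++) {
        Out[i].Start = Sec[i].VirtualAddress & ~(PAGE_SIZE - 1);
        Out[i].End   = (Sec[i].VirtualAddress + Sec[i].VirtualSize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
        Out[i].Flags = Sec[i].Flags;
    }
    qsort(Out, Count, sizeof(*Out), SegmentByStart);
    for (size_t i = 1; i < Count; i++) {
        if (Out[i].Start <= Out[n].End) {            /* overlap or adjacency: merge */
            if (Out[i].End > Out[n].End) Out[n].End = Out[i].End;
            Out[n].Flags |= Out[i].Flags;
        } else {
            Out[++n] = Out[i];
        }
    }
    n++;
    if (CoverGaps)
        for (size_t i = 0; i + 1 < n; i++) Out[i].End = Out[i + 1].Start;
    return n;
}

/* Checks a loader should run before trusting a section table: raw data inside
   the file, raw size within virtual size, no section that is both W and X. */
size_t XbeAuditSections(const XBE_SECTION_HEADER *Sec, size_t Count, uint32_t FileSize)
{
    const uint32_t wx = XBE_FLAG_WRITABLE | XBE_FLAG_EXECUTABLE;
    size_t findings = 0;
    for (size_t i = 0; i < Count; i++) {
        if (Sec[i].RawSize > FileSize || Sec[i].RawAddress > FileSize - Sec[i].RawSize)
            findings += !!printf("section %zu: raw data [0x%x, +0x%x) lies outside the file\n",
                                 i, Sec[i].RawAddress, Sec[i].RawSize);
        if (Sec[i].RawSize > Sec[i].VirtualSize)
            findings += !!printf("section %zu: raw size exceeds virtual size\n", i);
        if ((Sec[i].Flags & wx) == wx)
            findings += !!printf("section %zu: writable and executable\n", i);
    }
    return findings;
}

/* Constructed sample: base 0x10000, 0x20000-byte image, 0x3000-byte file. */
#define SAMPLE_BASE       0x10000u
#define SAMPLE_IMAGE_SIZE 0x20000u
#define SAMPLE_FILE_SIZE  0x3000u
#define SAMPLE_ENTRY      (0x11000u ^ XBE_ENTRY_KEY_RETAIL)  /* obfuscated like a retail XBE */
#define SAMPLE_THUNK      (0x14200u ^ XBE_THUNK_KEY_DEBUG)   /* obfuscated like a debug XBE */
static const XBE_SECTION_HEADER SampleSections[4] = {
    { XBE_FLAG_EXECUTABLE | XBE_FLAG_PRELOAD,  0x11000, 0x1800, 0x1000, 0x1800 }, /* .text */
    { XBE_FLAG_WRITABLE,                       0x12900, 0x0400, 0x2800, 0x0400 }, /* .data, shares page 0x12000 with .text */
    { 0,                                       0x14200, 0x0100, 0x2C00, 0x0100 }, /* .rdata, hole at 0x13000 before it */
    { XBE_FLAG_WRITABLE | XBE_FLAG_EXECUTABLE, 0x15000, 0x1000, 0x2F00, 0x1000 }, /* bogus: W+X and runs past EOF */
};

int main(void)
{
    LOAD_SEGMENT segs[4];
    printf("entry 0x%x\n", XbeDecodeAddress(SAMPLE_ENTRY, XBE_ENTRY_KEY_RETAIL, XBE_ENTRY_KEY_DEBUG, SAMPLE_BASE, SAMPLE_IMAGE_SIZE));
    size_t n = XbeBuildSegments(SampleSections, 4, 1, segs, 4);
    for (size_t i = 0; i < n; i++)
        printf("segment [0x%x, 0x%x) flags 0x%x\n", segs[i].Start, segs[i].End, segs[i].Flags);
    return XbeAuditSections(SampleSections, 4, SAMPLE_FILE_SIZE) ? 1 : 0;
}
```

On the sample, .text and .data collapse into one span with flags 0x7, which is the W+X outcome a loader that blindly unions page protections produces; the audit reports the bogus fourth section twice (out-of-file raw data, W+X), which is the kind of rejection a loader needs before mapping anything.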


Assignee: Unassigned
Reporter: simonelombardo