vmware: add legacy text-clipboard backdoor commands (6-9)#1589
Open
felixrieseberg wants to merge 1 commit into
Open
vmware: add legacy text-clipboard backdoor commands (6-9)#1589felixrieseberg wants to merge 1 commit into
felixrieseberg wants to merge 1 commit into
Conversation
Host stages bytes via the vmware-clipboard-host bus event; guest polls GETSELLENGTH/GETNEXTPIECE. Guest pushes via SETSELLENGTH/SETNEXTPIECE and the device emits vmware-clipboard-guest when the buffer fills. Same protocol as open-vm-tools' pre-RPC copy/paste, so a tiny Win9x agent can do IN EAX,DX from ring 3 with no driver.
Contributor
|
Nice PR (same goes for #1542)! Do you have some experience with vmware backdoor support for older guests? I was looking for Windows and found these: I have the absolute mouse positioning working under Windows 3.1, I wonder if I could get the clipboard working, too. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Just like the other VMWare-related PRs, no hard feelings if you don't want them - I just want to upstream stuff I've done for Windows. This one implements the four legacy text-clipboard backdoor commands on VMware port 0x5658:
GETSELLENGTH0xFFFFFFFFif nothing freshGETNEXTPIECESETSELLENGTHSETNEXTPIECEvmware-clipboard-guestwhen fullBus events added:
vmware-clipboard-host– caller stages aUint8Array; the device makes it readable via GETSELLENGTH/GETNEXTPIECEvmware-clipboard-guest– fired when the guest finishes writing, carries the receivedUint8ArrayThis is the pre-RPC clipboard protocol that open-vm-tools and its predecessors use. Because the guest reads and writes directly via
IN/OUTinstructions on port 0x5658, a minimal Win9x agent can syncCF_TEXTwith the host from ring 3 without any kernel driver — just aMOV EAX, 564D5868h/IN EAX, DXloop.The command numbers and wire format match VMware Workstation's implementation as documented in the open-vm-tools source (
lib/backdoor/backdoorGcc32.c,vmtools/src/vmbackdoor.c).Implementation notes
CLIP_MAX(64 KiB) caps both directions to prevent unbounded allocation.clip_out_freshis a one-shot flag:GETSELLENGTHarms it (setsfresh = false) so a second poll before new data arrives returns0xFFFFFFFF.SETNEXTPIECEauto-firesvmware-clipboard-guestonce the cursor reaches the declared length. A zero-lengthSETSELLENGTHfires immediately.get_state/set_state; a save/restore discards any in-flight transfer, matching the behaviour of real VMware Tools.