ALLBIOS injection 1.2

--[[
    ALLBIOS Injection   Trystan Cannon
                        22 February 2013

    This is a test of a method that
    I believe to have found which
    can bypass ALLBIOS' protection
    of OS functions.

    In this particular script,
    I'll be injecting into os.shutdown.

    METHOD:
        Grab script environment -> level 0
        Use 'rawset' on ["os"]["shutdown"]
        PROFIT???!!!
]]--


--=========================================
-- Variables:

local RAW_DATA = { -- This table contains data that is necessary for operation after the BIOS exits.
    ["read"]  = _G["read"],
    ["write"] = _G["write"],
    ["print"] = _G["print"],
    ["os"]    = _G["os"],
    ["sleep"] = _G["sleep"],
    ["term"]  = _G["term"]
}

local SCRIPT_LAYER       = 0
local SCRIPT_ENVIRONMENT = getfenv (SCRIPT_LAYER)

local OS_SHUTDOWN       = SCRIPT_ENVIRONMENT["os"]["shutdown"]
local INFECTED_SHUTDOWN = function()
end

local threadStack = {
    ["shell"] = coroutine.create (function()
        os.run ({}, "rom/programs/shell")
    end)
}
--=========================================


--=========================================
-- Injection:

-- Returns the true size of a table using pairs().
local function getTableSize (myTable)
    local size = 0

    for _, __ in pairs (myTable) do
        size = size + 1
    end

    return size
end

-- Returns the parent shell instance or nil.
local function getParentShell()
    for layer = 0, 5 do
        local environment = getfenv (layer)

        if getTableSize (environment) == 1 then
            local index, value = next (environment)

            if index == "shell" then
                return value
            end
        end
    end
end

-- Infects os.shutdown.
local function infectShutdown()
    rawset (SCRIPT_ENVIRONMENT["os"], "shutdown", INFECTED_SHUTDOWN)
end

-- Executes the thread stack.
local function executeThreadStack()
    local deadThreadIndex = nil -- The index of a thread that must be killed after the next event.
                                -- We cannot kill threads during our use of pairs() because next() will be angry.

    -- Return os.shutdown to its previous state.
    rawset (SCRIPT_ENVIRONMENT["os"], "shutdown", OS_SHUTDOWN)

    -- Init the thread stack by queueing a couple of empty events.
    os.queueEvent ("char", '')
    os.queueEvent ("char", '')

    -- Execute the thread stack.
    while getTableSize (threadStack) > 0 do
        if deadThreadIndex then
            threadStack[deadThreadIndex] = nil
            deadThreadIndex              = nil
        end

        local eventData = { os.pullEvent() }

        if eventData[1] == "key" and eventData[2] == keys["end"] then
            break
        end

        for index, thread in pairs (threadStack) do
            if coroutine.status (thread) ~= "dead" then
                coroutine.resume (thread, unpack (eventData))
            else
                deadThreadIndex = index
            end
        end
    end

    RAW_DATA.term.clear()
    RAW_DATA.term.setCursorPos (1, 1)
    RAW_DATA.term.write ("Bios has exited. Press any key to continue.")
    RAW_DATA.term.setCursorBlink (false)
    RAW_DATA.os.pullEvent ("key")
end
--=========================================


--=========================================
-- Main:

-- Get the parent shell.
local parentShell = getParentShell()

-- Make sure we actually have the parent shell before
-- doing anything else.
if not parentShell then
    print ("Parent shell not retrieved.")
    return
end

-- Inject os.shutdown and kill the parent shell instance.
-- This will trigger the execution of the thread stack.
infectShutdown()
parentShell.exit()
executeThreadStack()
--=========================================