
Thread: XP on modern systems

  1. #16
    Quote Originally Posted by Elenil View Post
    deroko/crazyserb wrote a tool that breaks on the cpuid command; since 2016 I haven't seen him anymore. Before that he worked for esl.tv to improve their anti-debug techniques, helping with software protection.
    Are you saying deroko's tool can break out of the VM to other parts of the host?
    I remember deroko, got some good advice from him re SI right here on RCE. Isn't/wasn't he with ARTeam?....
    Both of the following sites are marked clean by virustotal except for 4 on deroko's site. However, deroko has an interest in writing viruses which he explains in a tab on the site. Kaspersky marks his site as clean.

    http://deroko.phearless.org/
    http://www.accessroot.com/

    Quote Originally Posted by Elenil View Post
    ...can you show me more about this ?
    yes...if you can wait till I get windbg going again. Blabberer is the expert and I think there are examples from him in my thread on USB.

    Just found this page in my USB thread. See post #112, marked at end of blue bars.

    It shows an example of !devnode, which is a node between drivers in a driver stack. The PDO is a physical device object which loads an FDO, a functional device object.

    http://www.woodmann.com/forum/showthread.php?15764-USB-drivers-for-Win-7-on-8th-generation-Intel-chipset/page8


    Quote Originally Posted by Elenil View Post
    if you can set it up i would look into how softice handle the video frame buffer ...
    I plan to try windbg on XP soon, still working on stability issues. I have USB running on XP on the new mobo on a VIA external card but it's a bit flaky. Currently using an OS/2 mouse and keyboard.
    Last edited by WaxfordSqueers; November 13th, 2019 at 19:42.

  2. #17
    Quote Originally Posted by WaxfordSqueers View Post
    Are you saying deroko's tool can break out of the VM to other parts of the host?
    http://deroko.phearless.org/
    http://www.accessroot.com/
    on accessroot it won't let me open the website (even though I clicked ignore the warning and continue)

    but deroko.phearless.org opens without any warnings (unlike woodmann)

    he actually gives a command to the VM host to make a trigger for softice that lets the VM deliver any event for the CPUID command
    so whenever the cpuid command appears softice comes up (he calls it cpuid break)

    this saves a lot of work compared to using a tracer like the one from iceext to trace for the cpuid command

    a command could be added to iceext like "kd> dt _handle_table", after that maybe a dumpscreen and you're good to go

  3. #18
    Quote Originally Posted by Elenil View Post
    on accessroot it wont let me open the website (even tho i clicked ignore the warning and continue)
    Try
    http://woodmann.com/accessroot/arteam/site/news.php

    The forum isn't functional but the downloads/tuts/ezine are. However, Avast blocks all downloads with URL:Blacklist. How rude.

  4. #19
    Quote Originally Posted by Elenil View Post
    a command could be added to iceext like "kd> dt _handle_table" after that maybe a dumpscreen and you good to go
    Hi Elenil, you might remember this option of using a KDExtension as well

    http://www.woodmann.com/forum/showthread.php?7097-Guide-to-creating-a-Softice-Kernel-Debugger-Extension-(KDExtension)
    http://www.woodmann.com/forum/showthread.php?11995-SoftICE-and-KDExtensions

  5. #20
    Quote Originally Posted by Kayaker View Post
    ...you might remember this option
    Kayaker...speaking of remembering, with your vast knowledge of this site, maybe you can recall a tute or thread that might help me. I am looking at adding functions to a version of a certain exe and sys file which exists in XP but lacks certain functions that are available in W7. Rather than re-invent the wheel, I am not averse to reading on people who may have done it already.

    It's to do with a driver that seems aimed at a W7 utilization that I'd like to use in XP. When I use dependency walker on the driver in a folder with all the drivers and dlls from system32 and drivers from XP, it marks certain crucial files as lacking those functions. I have thought of doing a file compare to see how different the different OS versions might be. I know that XP in general will startup on a newer motherboard provided it has AHCI and provisions are made for ACPI. XP will happily run on newer SATA drivers and it just as happily uses the AHCI implementation in the driver package. So I'm thinking the system drivers between XP and W7 can't be that far apart.

    I have done some work on exe files that have the import table scrambled. So, I am not completely dumb about working with import tables. I am just not clear (very rusty) on the procedure used by a driver calling another executable or driver file to get at the functions they have. In the link you provided above you mentioned calling the DriverEntry function.

    I am familiar with such calls through tracing code but normally they push the address of the function required then call the exe or dll that contains those functions. Obviously the exe or dll must already be loaded into memory and the address called is a memory address within the image of the exe or dll in memory. Does the call go straight to that memory address within the exe/dll or does it have to go via the DriverEntry you mentioned?

    In other words, if I simply tacked a missing function onto the end of the exe/dll, it would not be found. How is it found? I recall seeing the base address of the called exe/dll pushed, then that exe/dll is loaded. Knowing the base address of the called exe/dll/sys it would appear an offset is required to reach the tacked on function. Or, would the offset of the added function have to be added to the import table...if it has one? Do all exe/dll/sys files have one?

    I am not looking for a full explanation of this, just a hint as to how I could research it from someone who has done it. I'll do my own research on the last question since I have the tools to do it.

  6. #21
    Wow, you're really taxing my brain. There's a difference between vaguely recalling something and remembering how the hell I did that stuff 15 years ago.

    You could start with searching 'code caves', code injection, adding functionality, that sort of thing. When doing any kind of word searching here I'd strongly recommend using the Archive chm file I made of the entire site. The MS chm file reader has a much better search index than this vbulletin forum, that's how I find all these obscure posts. If you select View Full Version in the search result it will open the link directly in the hh.exe browser window.

    http://www.woodmann.com/kayaker/chmfile/RCEArchive_May1_2016.zip


    If the code you're trying to emulate is simple enough and you can reverse the functions, it might be easiest to code your own dll or kernel mode dll and have them loaded by the XP versions; your imports should be visible to call by name from injected code. Probably a few techniques for doing that.

    Chances are however you'd like to be able to call the functions in the existing (possibly renamed) W7 exe and sys files, by name directly, from injected code in the XP versions. Slightly different issue.

    Going that route, your executable files are presumably .exe and .sys, they'll have to be loaded as a dll essentially. In the case of a dll the usual injected code is LoadLibraryA, GetProcAddress to call your functions.


    In the case of the sys file it could be a kernel mode dll. I did write such a beast, Sysdasm, here are a few lines from my intro text of the source code:

    In this type of export module, the DriverEntry routine is never called but exists so the file is compiled correctly as a .sys driver. If you want to design such a Kernel Mode DLL with functional entry/exit routines, you can add PRIVATE exports declared as DllInitialize/DllUnload.

    The easiest way to use such a kernel mode DLL is to include its .LIB file when compiling the driver which will communicate with it, and to declare the functions you want to import with EXTERN_C DECLSPEC_IMPORT. When the driver is loaded by the system, this second module is loaded as a required kernel DLL and the functions can then be called directly by name. The DLL is unloaded by the system when the driver closes.

    The second method to make use of a kernel mode DLL is to load and unload it with ZwSetSystemInformation and the SystemLoadImage and SystemUnloadImage classes. You can then "walk" the returned IMAGE_EXPORT_DIRECTORY of the module to retrieve the function address(es).



    One approach might be to code your own kmode dll that you get to load from the XP version, essentially to use it as a wrapper for calling functions in the unaltered W7 file. I'm thinking it might be easier to call and control functions from a wrapper than having the W7 file loaded directly and having to write gobs of asm code. Or not, depends on what works I guess.

    Or maybe you could change the PE structure of the W7 .sys file so it's recognized as a kernel mode dll by the system, and by the XP version as a default import.


    Another idea might be to have both the exe and sys file loaded in system memory, and have your code access the functions from there. There should be tuts for that, I think Arteam did a lot of "loaders".


    What just came to mind, you should play with loading and calling these W7 files with Windbg if you can, SDbgExt might help. (And somebody else we know...)

    !remotecall, !remotecall64: Call a function in the target, using the currently active thread (symbols are not required, unlike “.call”).
    !loaddll, !unloaddll: Load or unload a .dll within the address space of the target, using the currently active thread.


    As for the other ideas, here are some user/kernel loading examples using your own dlls

    http://www.woodmann.com/collaborative/tools/index.php/SysDasm
    http://www.woodmann.com/fravia/kayaker_RegmonPlus.htm

    Kayaker

  7. #22
    Quote Originally Posted by Kayaker View Post
    ...

    I also have thought about this; the question is where you want to add this

    for example there is a function that was supported up to Windows 8.1:
    KeAddSystemServiceTable
    this allows you to add SDT table functions from Vista, 7, 8.1 and Windows 10

    doing something like this is pretty common; for example I remember someone wrote an extension for Win98 in the past, which had a FAT32 limit
    he added the required functions to the driver, after that Win98 worked excellently with exfat32
    another project I could think of is KernelEx for 98 (http://kernelex.sourceforge.net/)

    Vista/7/8.1/10 got a few more exports in the kernel but as blabberer said most of those are just renamed and redirected
    (https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-81-api-sets)

    about adding some exports to an existing dll/exe like kernel32.dll or something, that's not a problem at all
    you just have to increase the file size with space where you can place the missing functions
    then you add the export name and its offset
    then for the functions you replaced you add the relocs
    (to your question: if it's an export, the searching executable searches for that export name, and this leads to the offset)
    there was a third way of doing this, like you redirect the exports; one example would be you write a kernel.dll
    where from your kernel.dll you redirect partly into the original kernel.dll and the missing functions into a different dll (call it waxford.dll or something :-) )
    Windows searches for this in a 4-way manner but I'm uncertain here so I won't start a talk about this way


    for a vtable, that one is usually exported from an export function
    this function exports a pointer to the vtable
    you replace that pointer with your "new pointer" where you've got the missing functions
    they have to fit the distances, it goes like pointer + 14, pointer + 3c, pointer + 4c etc.

    on the other hand the driver object replacements are very simple if they are missing
    you just have to put them into the driver_object

    thinking of softice, there is another thing I recognized with the ice compared to the 98 version: that ice no longer can freeze all the threads
    there is one for a single thread but that is already plugin (iceext) based
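
To make the export-directory walk Kayaker describes in #21 and the name/offset/forwarder entries Elenil describes in #22 concrete, here is an added Python example that is not from the thread, from SysDasm or from any project mentioned: it constructs a minimal PE32 DLL image with three exports (one in existing code, one in appended space, one forwarded to another module) and walks IMAGE_EXPORT_DIRECTORY to resolve each name. The module name waxford.dll, the function names, the forwarder target ORIGINAL and all RVAs are constructed, and the image is laid out as a mapped module (RVA equals offset); parsing a file on disk would additionally need the section table to translate RVAs to file offsets.

```python
import struct

EXPORT_RVA = 0x200  # constructed: RVA where the sample image's export section is mapped


def build_sample_image():
    """Constructed minimal PE32 DLL, laid out as a mapped module (RVA == offset)."""
    sec = bytearray()

    def put(data):  # append to the export section and return the RVA of the appended bytes
        rva = EXPORT_RVA + len(sec)
        sec.extend(data)
        return rva

    dir_rva = put(bytes(40))                             # IMAGE_EXPORT_DIRECTORY, filled in below
    funcs = put(struct.pack("<III", 0x1000, 0x3000, 0))  # AddressOfFunctions, indexed by unbiased ordinal
    names = put(bytes(12))                               # AddressOfNames, filled in below
    ords = put(struct.pack("<HHH", 1, 0, 2))             # AddressOfNameOrdinals: name i -> function index
    modname = put(b"waxford.dll\0")
    name_rvas = [put(n + b"\0") for n in (b"AddedFunc", b"KeAddSystemServiceTable", b"RedirectedFunc")]
    fwd = put(b"ORIGINAL.RedirectedFunc\0")              # forwarder string "Module.Function"
    struct.pack_into("<I", sec, funcs - EXPORT_RVA + 8, fwd)  # function 2 "points" into the export dir
    struct.pack_into("<III", sec, names - EXPORT_RVA, *name_rvas)
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, modname, 1, 3, 3, funcs, names, ords)
    image = bytearray(EXPORT_RVA + len(sec))
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                                   # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", image, 0x98, 0x10B)                                  # PE32 optional header magic
    struct.pack_into("<II", image, 0x98 + 96, dir_rva, len(sec))                # DataDirectory[0]: exports
    image[EXPORT_RVA:] = sec
    return bytes(image)


def _cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def walk_exports(image):
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped image: {name: ("rva", addr) | ("forward", "Mod.Func")}."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                 # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # DataDirectory offset differs for PE32 / PE32+
    dir_rva, dir_size = struct.unpack_from("<II", image, dd)
    if dir_rva == 0:
        return {}                                       # image exports nothing
    _, _, _, _, _, base, nfuncs, nnames, af, an, ao = struct.unpack_from("<IIHHIIIIIII", image, dir_rva)
    exports, names = {}, []
    for i in range(nnames):
        name = _cstr(image, struct.unpack_from("<I", image, an + 4 * i)[0])
        idx = struct.unpack_from("<H", image, ao + 2 * i)[0]
        if idx >= nfuncs:
            raise ValueError(f"{name}: ordinal {base + idx} outside AddressOfFunctions")
        target = struct.unpack_from("<I", image, af + 4 * idx)[0]
        # an address inside the export directory itself is a forwarder string, not code
        kind = "forward" if dir_rva <= target < dir_rva + dir_size else "rva"
        exports[name] = (kind, _cstr(image, target) if kind == "forward" else target)
        names.append(name)
    if names != sorted(names):  # the loader binary-searches AddressOfNames; a hand-added name must keep order
        raise ValueError("AddressOfNames is not sorted")
    return exports
```

walk_exports(build_sample_image()) returns the three entries, with RedirectedFunc resolved to its forwarder string rather than to code; the sorted-names check is the caveat when a name is added to an existing table by hand.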

  8. #23
    @kayaker ... @elenil

    Thanks for the replies. I am a bit under the weather right now with a bug of some kind and my brain is not functioning well. That's a blow since it's not operating at much more than 50% these days. Both of you have given me lots to think about and I'll get back soon.

  9. #24
    @kayaker ...checking through the RCE archive chm file. I seemed to be a lot smarter back in 2007 with a heck of a lot more knowledge about softice. Is it possible to get dumber, or is it just rust and the ravages of aging? There is some very good stuff in the archives, thanks for reminding me and re-posting link.

  10. #25
    Quote Originally Posted by Elenil View Post
    ...about adding some exports to existing dll/exe like kernel32.dll or something thats not a problem at all ...
    Check your PM box.

    Saw a method using the kernelex extension genpatch by Xeno86. The Relyze disassembler was used to disassemble the binary, some mods were made before applying it to genpatch. I have not gotten this method completely straight yet but apparently a cpp file can be generated that can be recompiled using Visual C++.

    Not sure what kernelex is about other than allowing XP apps to run on a w98 system. How would that translate to adding exports from a W7 system to system files for XP, to get XP running well on a newer generation motherboard?

    I have heard of the hex-rays plugin for IDA but had not realized the significance. Apparently it can accurately take an IDA disasm and convert it to C++ source code. I'll just have to wait till the price comes down so I can afford it. Come on, Ilfak, all of us westerners are not rolling in that kind of money. If it was a critical situation...maybe...but many of us are just hobbyists with too much time on our hands.

    Till then, I'll have to explore Elenil's method of manually adding exports and adjusting the relocs. If I ever get the time!!! Every time I get going on a project something intervenes to lead me astray. As it stands, I have about 5 projects going, some on hold for a year or so.

  11. #26
    A couple of threads to check out in case you missed them. Nacho_dj had created a novel export table program I enjoyed adding a test export with.

    http://www.woodmann.com/forum/showthread.php?15720-Export-Table-Tester

    http://www.woodmann.com/forum/showthread.php?15715-How-to-add-Function-to-Various-System-DLL


    You might check this out too in looking for an alternative for getting pseudocode

    https://reverseengineering.stackexchange.com/questions/13089/are-there-any-interactive-decompilers-besides-hexrays

    K

  12. #27
    Quote Originally Posted by Kayaker View Post
    A couple of threads to check out in case you missed them.
    Thanks Kayaker, this stuff is gold. I'd forgotten about Iczelion's tutes and Aimless offered several links in one of your links, listing several ways to create code caves, etc. I got a laugh out of Blabs asking why we don't just port W10 code back to W31. Well...why not????
