Results 1 to 15 of 15

Thread: TRW2000 internal

  1. #1
    dion
    Guest

    TRW2000 internal

    have anyone could explain to me trw2000 internals, about bpx concept, idt/gdt/ldt thingy, vxdcallhook, blah-blah... to me? or is there any trw2000 internal tut out there?

    from now, i just understand the apiplugs mechanism only. i get stuck understanding how trw2000 break in to kernel and popup itself. maybe icedump gurus could help me out, please...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    dion
    Guest

    plugsapi readme

    here's my lame readme about plugsapi [i've posted that lame plugs here]. and execuse me if any mistakes written here, any correction needed . trw2000 consists a loader and a master plugs. i call it master plugs coz :

    - it's a plugs indeed, but a master/main plugs
    - it loaded first before other plugs, so it can provide api services
    for other/slave plugs loaded later [what i called plugsapi].

    in the plugs init routine of trw2000.sys, it first registering every local function that will be exported as plugsapi. these exported api were placed in one struct. the plugsapi struct declaration can be read at plugapi.h file. the struct itself not comprises plugsapi only, but some trw internal variable are there too.

    what the plugsapi plugs coded by me doing is just dumping this struct with address related to each struct members. so u can see directly to those addresses and recognize these function's names . then u can busy to rename all the function in ur disasembled list of trw2000.sys file. from here u have had little knowledge to reverse the master plugs.

    now, after registering each struct members, the master plugs enumerates slave plugs and load it. i don't know yet what the rule used to load the slaves here. i bother with rule coz ordinary vxds are using it. its called InitOrder. but the case here is, the first loaded plugs is always master plugs, and there's no plan from author to let slave plugs providing another plugsapi service set to enhance the plugs functionality.

    when a plugs loaded, execution gets in to plugs init proc, where u can see the param passed to this proc is a ptr named [PLUGS_API* plugsapi]. i don't know who is passing this ptr, but i guest the master plugs is the one who did it when loading plugs, bcoz the only one who knows his own locals functions address is master plugs, right? that's why every plugsapi called in plugs src code have form like: api->???. if u see it in assembly form, its looks like this:
    call dword ptr [e?x+??h]
    where the e?x contain ptr passed by master plugs.
    after initialization proc, slave plugs are ready to receive cmds or do something else.

    so, the point is... this plugsapi method is rather diff with vxdservices method, in which the master plugs don't have to 'snaps' the slaves apicall for the 1st time.

    hmm... is there anyone imagine the add_api like implementations here . if there is, then here's i tell what come to my mind when thinking about it:
    - the export table must have one method, that is add api entry.
    - if there's unload scenario here, the plugsapi service provider
    responsible to handle dead entry and to redirect that dead
    entry to return false/true to the caller. huh... that's hard,
    isn't it?
    - make plugsapi set proto in a separate header file
    - make a rule in loading, or load order. the provider must have
    top priority before users, right? here maybe we can use an INI
    file instead of... argh, i don't know how WDM's DDB looks like.
    - ok, say the new plugs provider loaded by master plugs, and he
    had an export table. then who'll load the users of that new
    provider? if its master who load it, then master plug have to
    somehow registering new plugsapi set and snaps the users link,
    right? how complicated it is...
    - anyone wants to do this...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    dion
    Guest

    breakpoint

    hmm... i just knows a little about breakpoints. again, its a big chance i do mistakes here. the one used for LOG3 plugs is software bp. its hooking int1, looks like softice using this method too. u can see it barely in LOG2 source code. and maybe there's one internal variable involved, named pfSoft_1Step. it's a member of PLUGS_API struct.

    when u break in to trw, trw freezes VMs and the registers show up in upwindow is register value from current VM, maybe. the register value can be ripped from a struct called CLIENT_STRUCT. refer to vmm.h to see his members. from here, i just filter the eip value to satisfy what i need, like LOG3 did. its lame easy to code LOG3, right? that's why i felt no need to release the source ;p.

    the only info about this bp i got is from BPINT and LOG2 source code.
    may there's gurus figures this all out. could anyone add what missed here, please... .
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    dion
    Guest

    man...:(

    man, no one helps me...
    i've take all i know about trw internal here, and no respon...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    midibox
    Guest
    Maybe no one in this forum has experience in developing debuggers for windows. (just guess... I am new comer too :-)

    Thx for your efforts...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    dion
    Guest

    more specific

    i need to know the process of debugger break, and what happens when it break? i know thats relate to modify idt of current thread (maybe), but anyone can tell me more detail about this ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Hwoarang
    Guest
    most of the guys who still use Win9x (like me) don't use TRW because it's kinda buggy and unreliable (crashes very often, it's unstable and so on...)
    Anyway you can debug TRW with Softice..eg. to see how it does bp, use in Softice BPR on the api you will breakpoint with TRW...it worx fine (I also was a year ago interested in how it's breakpoints work)..hmmz, maybe that doesn't answer to your question..i dont know anything else about that debugger, sorry
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    DaFixer
    Guest

    debuggers

    Well i dont know specially how trw works but the ways a debugger can be implemented are very limited There are software and hardware breakpoints.

    Hardware breakpoints are set using SetThreadContext() api. There is a _CONTEXT structure and depending on the ContextFlags of this structure it can be used for setting different type of information. Among them are reading and modifying the FPU registers, the debug registers, and the control structures. With the last you can change the current EIP of the thread and more. The _CONTEXT structure is defined for all different processors and it is hardware dependant. The best resource about this for intel processos is the intel documentation. The 3 pdf files about 5Mb each. I guess you can find them on the net. There should be a section about debugging and hardware exceptions. There is very detailed documentation about how to use the debug registers to debug a process. The bmps are only possible to be made with debug registers btw.

    The software way is with a simply using int 3 for a break point and int 1 for step by step tracing. You can use WriteProcessMemory to change the next instruction that is going to be executed and this way generate debug event for the debugger. You can attach to active process by DebugActiveProcess() and with WaitForDebugEvent() wait until a debug event is generated. May be you would like to check the _DEBUG_EVENT structure returned by the last function for more details. I'm not quite sure but as far as i can remember there is a fully functional ring 3 software debugger in the examples of the Matt Pietrek's book for win 95. I even may be have it somewhere

    Cheerz
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    dion
    Guest
    Originally posted by Hwoarang
    most of the guys who still use Win9x (like me) don't use TRW because it's kinda buggy and unreliable (crashes very often, it's unstable and so on...)
    Anyway you can debug TRW with Softice..eg. to see how it does bp, use in Softice BPR on the api you will breakpoint with TRW...it worx fine (I also was a year ago interested in how it's breakpoints work)..hmmz, maybe that doesn't answer to your question..i dont know anything else about that debugger, sorry
    thanks Hwoarang. but please tell me whatever u know about breakpoints, trw not so diff with softice and im not talk specific to trw about this breakpoint context.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    dion
    Guest

    thx giving me general pictures, DaFixer

    emm... ok, say i code a dynamic load WDM driver. i put in a ring0 kbd handler and an universal miniport graphics driver. when loaded, i hook the kbd for hotkey access. and then i hook int3 and int1 and... how do i set bp in kernel/current thread? coz we need to break in, right?

    i'm not sure debugger such softice using attach method. i ever seen a log instruction application written using debug api, and it act very badly, not like softice/trw do. btw, debug api are designed for ring3 debug application, i thought.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    DaFixer
    Guest

    Re: thx giving me general pictures, DaFixer

    First of all i dont know ring 0 stuff and never coded something. Only have called the ring 3 function for calling ring 0 stuff. The first export from kernel32.dll

    Originally posted by dion
    how do i set bp in kernel/current thread? coz we need to break in, right?
    whats the problem to write in kernel32.dll memory and put an int 3 where you want? Ofcourse after calling VirtualProtect to deprotect the page. And this will only work on 9x as well.


    Originally posted by dion

    i'm not sure debugger such softice using attach method. i ever seen a log instruction application written using debug api, and it act very badly, not like softice/trw do. btw, debug api are designed for ring3 debug application, i thought.
    SoftIce is ring 0 debugger and it defenitely dont use debug api I was just talking about debuggers You can use hardware breakpoints from ring 0 or write int 3s in the process memory.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12
    dion
    Guest
    reading softice internal by +Spath...
    seeing winice.exe unasm...
    it said that winice.exe are a vxd [LE format], so theres 16 and 32 bit in one file. pasted from tut:

    -------------------------------------------
    winice.exe performs the following steps :
    1. change video mode to mode 3 (80x25, text mode, 16 colors) and display SoftICE intro message (SoftICE version, OS, ...).
    -------------------------------------------

    what i saw in start is:
    public start
    RCOD:0000 start proc near
    RCOD:0000 xor ax, ax
    RCOD:0002 xor si, si
    RCOD:0004 xor bx, bx
    RCOD:0006 retn
    RCOD:0006 start endp

    how can this code perform video mode switching???
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    dion
    Guest

    little undocumented trw cmd

    it ripped off roughly from master plugs disasm. these cmd related to VER cmd. they are:

    :VER TST8 ; just crash my comp
    :VER INFO ; disp debugger environment infos?
    :VER MEM ; disp trw path and dibeng infos
    :VER SAY ; disp windows properties?
    :VER TEST ; n/a? (no action)
    :VER TST1 ; n/a?
    :VER ERRO ; n/a?
    :VER BLUE ; n/a?
    :VER KEEP ; keep the debug screen

    from here, we know that trw2000 using dibeng somehow. infos from 98DDK says:
    "To help you create more efficient display drivers, Microsoft supplies the DIB engine, which is a DLL that contains most of the functions needed to translate GDI commands. A display driver that uses the DIB engine is called a display minidriver. The minidriver only contains hardware-specific code for your display adapter and redirects the non-device specific calls from GDI to the DIB engine."

    so, if i'm not wrong here, the master plugs include the display minidriver that handle h/w specific code. but, somehow i felt the display minidriver discussed in 98DDK are loaded as static vxd drivers. meanwhile, the trw loaded dynamically. therefore, my first bet is trw intercept the minidriver link to dibeng (DIB engine). i'm seeing codes that related to video buffer at &A0000 and &B8000, but dont know what its really do.

    if anyone knows this stuff in depth, please add what missed here

    thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    dion
    Guest
    ok, after read 98ddk help a while, accidentally ;p, i saw the DIBENGINE struct which the first member match with one value pointed by ver mem command. here below i include my source code .

    and, remember the two lines after Dibeng value in ver mem command...
    yeah! thats value is the same like what would display in the member listing. maybe u wonder why just these two value get displayed, wheres the others? is the rest is not important?
    honestly... i dont know the answer. but i see those two value gets involved in screen operations. i thought i'm closer to it, but...

    now, trying to get deeper understanding... btw, its hard, guys... none of u could give me a clue
    Attached Files Attached Files
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    dion
    Guest

    debugger prototype

    feeling lame thinking about this subject, meanwhile i dont have much access to my 'home' computer anymore right now, i just want to tell my idea here with assume that SI would be the best debugger among the other and so used as reference.

    the points of debugger design would be:
    - free/open source/copyrighted/whatever [but no commerce, please ]
    - plugin based architecture
    - very... i mean very... customizable debugger
    - support multi OSes [w9x,wnt,w2k,wxp,etc]
    - full documentation

    about plugin stuff, it should:
    - support script language [ie calling VMM services from script, can make a 'real' driver as plugin, etc]
    - have controlled plugin environment [ie can debug plugin easily]
    - dynamically loaded

    the plugin includes the kernel itself, cpu info, disasm routine, display driver, windowing routine, skin switching [actually, this is my favorite part if applicable], etc...

    about customizable stuff. it should be the mindset from beginning of design. such as debugger can easily perform counterattack from antidebug stuff with small changes, or in some situation that need special breakpoint [that not supported by SI, of course] users can easily perform it with little effort.

    about multi OSes. it applied to every debugger component, even the kernel itself. i think it can be compiled in separated package or using OS auto detect. in this stuff, there mostly problem will faced [ie display/mouse problem].

    documentation was a thing that everyone should have an eye on it, so that will be more ppl can use the debugger.

    well, its just a bluffing and incomplete idea from me.
    thanks for reading.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. JavaCard internal structure (JCOP, CyberFlex, etc.)
    By FractalizeR in forum Advanced Reversing and Programming
    Replies: 7
    Last Post: March 18th, 2005, 08:21
  2. problem with TRW2000
    By synphony in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: July 3rd, 2001, 23:46
  3. TRW2000
    By Andrei00 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: May 23rd, 2001, 14:49
  4. TRW2000
    By garvic in forum Malware Analysis and Unpacking Forum
    Replies: 6
    Last Post: April 8th, 2001, 09:03
  5. TRW2000
    By DeathLord in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: November 24th, 2000, 06:10

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •