
USB drivers for Win 7 on 8th generation Intel chipset

Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

WaxfordSqueers wrote:
Have you run ice on your XP version?
since you have the ice + symbol files even the kernel mode internals are very well visible and you can see what problems happen

yep but it's in a vm machine, i even have an older computer where i run xp
also i have a lot of all debug stuff there since i still work with some older software
for a lot of tools i didn't find replacements, aka the ice, filemonitors, regmon, some driver based plugins for example for ollydbg


whenever i did the upgrades it asked for more than 834 upgrades

it really would be time that someone fixes them together as being 1 installer tool
for example there is a framework 4 installer but then it still loads like 20 upgrades only for framework 4, those could be included to a 1 step install
or even better to 1 step all in installer

but in total it's over 834 upgrades, it's a lot of work to fuse all together into a 1 step install - but it's doable


you really just have to set that dword value in registry and windows automatically triggers the updates for newer dates than 2014
for example it also downloaded the windows media player 11

to trigger the install you just have to go to system and start up the "windows security center"
then you can either choose that browser install or "automatic updates" installer

if that posready entry is set it also downloads the new upgrades

i got like 3 legit xp keys but still i used
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents"
edit the OOBETimer key value and set its value to "ff d5 71 d6 8b 6a 8d 6f d5 33 93 fd"

for compatibility (that might also help you out)

having the newest files you can do what you want: extensions, fixes, new drivers, that would be an idea

but a big one is a newer framework than 4.0; google, firefox only for that reason don't work on xp, it's just that (same goes for many new applications, all included that framework dll's)

as blabberer told, most of those are just used functions with new names

it also did the job for me on ie6 but here is the ie8 (the installer is in the update folder)
https://www.file-upload.net/download-13 ... R.zip.html

yep all those updates could be fairly considered as windows xp sp4
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote: i got like 3 legit xp keys but still i used
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents"
edit the OOBETimer key value and set its value to "ff d5 71 d6 8b 6a 8d 6f d5 33 93 fd"
Got the XP OS to the desktop using key above...thanks.

I have USB now for keyboard/mouse through my VIA onboard USB card but still no LAN/Network. Fired up softice for a laugh and got an 0x24 bsod. That seems to be related to ntfs.sys.
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

it happened when starting softice or was it triggered somewhere else? if the onboard lan does not work a card might solve the problem

maybe it's a classical driver (like realtek universal driver) that long had support for xp/8.1, going back some versions would be an idea, only 10 got problems with driver



https://plugable.com/drivers/rtl-ethernet/
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:it happened when starting softice or was it triggered somewhere else? if the onboard lan does not work a card might solve the problem
It happened when I activated the desktop icon 'Start SI'. That icon usually brings up the SI window.

Not sure what you mean by the onboard LAN not working crashing SI. I have no drivers for the LAN yet, I am trying to find an XP x86 driver that will run on a 300 series Intel chipset. If I can find a driver that is close in compatibility I can try modifying the INF file to include my onboard LAN which is a VEN_8086&DEV_15BC for an Intel I219-V LAN chip.

The USB-LAN converter at your link sounds promising, I will look into it.

BTW...got my sound card (Creative Xfi) running and my Nvidia GT 730 video card. Have USB support through an onboard VIA USB card. XP never looked so good. If only SI would run. :D
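
Before editing an INF as described in the post above, it helps to see which hardware IDs the file already binds and for which target. The following is an added example, not part of any post and not a vendor's file: the sample INF, the DEV_1234 ID and the function names are constructed for illustration, and only the architecture part of the target decoration is checked, not the OS version suffix.

```python
import re

# Constructed sample INF (not a real vendor file); DEV_1234 is a made-up ID.
SAMPLE_INF = r"""
[Version]
Signature = "$Windows NT$"
Class = Net

[Manufacturer]
%Vendor% = Vendor, NTx86.5.1, NTamd64.6.1

[Vendor.NTx86.5.1]
%DevA.Desc% = DevA.ndi, PCI\VEN_8086&DEV_1234   ; older chip only

[Vendor.NTamd64.6.1]
%DevA.Desc% = DevA.ndi, PCI\VEN_8086&DEV_1234
%DevB.Desc% = DevB.ndi, PCI\VEN_8086&DEV_15BC
"""

def parse_sections(text):
    """Return {lowercased section name: [lines]} with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def models_sections(sections):
    """Yield (models section name, target decoration) per [Manufacturer] entry."""
    for line in sections.get("manufacturer", []):
        parts = [p.strip() for p in line.partition("=")[2].split(",") if p.strip()]
        if not parts:
            continue
        # The undecorated section is the fallback; decorated ones are per target.
        for target in [""] + parts[1:]:
            name = f"{parts[0]}.{target}" if target else parts[0]
            yield name.lower(), target.lower()

def hardware_ids(text):
    """Map each target decoration to the hardware IDs its models section lists."""
    sections, out = parse_sections(text), {}
    for name, target in models_sections(sections):
        ids = out.setdefault(target, set())
        for line in sections.get(name, []):
            fields = [f.strip().upper() for f in line.partition("=")[2].split(",")]
            ids.update(f for f in fields[1:] if f)  # fields[0] is the install section
    return out

def covers(text, hwid, arch="ntx86"):
    """True if hwid is bound by an undecorated, generic NT or arch-matching section."""
    return any(hwid.upper() in ids for target, ids in hardware_ids(text).items()
               if target in ("", "nt") or target.startswith(("nt.", arch)))
```

On the constructed sample, the DEV_15BC entry exists only in the NTamd64 models section, so the x86 check fails even though the ID appears in the file.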
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

yea the display driver problem was the problem that actually killed softice

i'm still not certain what softice uses to draw: directdraw from ring0 (DirectDraw APIs), direct video buffer, input/output to the graphics card, filter driver?
softice just has something they called "universal display driver"

what is very certain is softice is drawn from a mask, what you usually use to classically draw to the video frame buffer

the graphics cards give out information via i/o what mode they use, the modes that are supported/used are in a specific ini file (if not windows would not work)

this is the most compatible way, i tried to look into windows how this works but couldn't figure it out fully

but anyway the video problem for softice (what causes the crash i could not figure out, for the reason that i don't know what softice exactly does here), so on a lot of graphics cards softice just crashes
on my tests it was not necessarily the chip (test way back was a 7800 gt, because here the same manufactured pcb's are used for msi, gigabyte etc.)
it came out that only the bios is different: while the one from gigabyte gives a crash (same driver version), msi with the same driver does not do this crash, it just works
maybe the buffer was write protected so i made a routine that makes that memory writeable, but then instead of having a bsod the computer just froze

to figure this out i would need a vm debugger that actually can trace softice (deeper than iceprobe would do)
---
but back to your problem

there are usually only 2 reasons softice is gonna crash: the internal functions have not been found (this you can solve with the patch ntice function from icestealth; after this has been done, you have to replace the ntice files in your windows directory), the other reason is the "video draw" is crashing
if you also have an onboard graphics card you might be able to change the options in the bios, that might help if you use that graphics card (or maybe a test here if it's the classical graphics problem)
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:yea the display driver problem was the problem that actually killed softice

i'm still not certain what softice uses to draw: directdraw from ring0 (DirectDraw APIs), direct video buffer, input/output to the graphics card, filter driver?
softice just has something they called "universal display driver"
Kayaker might know, he's familiar with the inner working of SI.

Someone offered me an interesting way to examine drivers today. He suggested using Dependency Walker. Load the driver in question in a new directory and copy all the drivers from the windows driver directory into the same directory. I suggested moving the files from system32 into that directory as well. Run DW in that directory and load the driver in question and DW should give you all the imports that are missing.

I have not tried it yet but it sounds interesting. With regard to directdraw, I did a crackme by Silver that involved a DirectX app running a spinning cube in a full screen window. The mouse in the DX window is not the same mouse used in Windows, DX supplies its own mouse and driver. So you can't use any screen mouse functions to bring it up in SI.

To solve it, I trapped the windows mouse using a hwnd related to LButtonDown then traced the mouse right through ring 0 with SI till it reached the code where the DX mouse was activated. Meantime, I traced from the OEP to just after ShowWindow, where the DX initialization code began. Inside that initialization code was a table where the fullscreen/window mode bit could be toggled, so I was able to turn off full screen and get the DX window in its own window.

Don't know if DirectDraw can be reached the same way. With the DX crackme, there were video frame buffers that could be accessed.

Don't know if you could do that with windbg. Blabberer would know but he gets hives when you talk about softice. :devil:
Elenil wrote:but anyway the video problem for softice (what causes the crash i could not figure out, for the reason that i don't know what softice exactly does here), so on a lot of graphics cards softice just crashes
I have encountered those problems but can't remember how I solved them. Normally I let it run in VGA mode and it was happy.
Elenil wrote:there are usually only 2 reasons softice is gonna crash: the internal functions have not been found (this you can solve with the patch ntice function from icestealth; after this has been done, you have to replace the ntice files in your windows directory), the other reason is the "video draw" is crashing
Since I am working in real windows mode with XP I need a debugger that will trace through ring 0 in real mode, not virtual mode. It is still not clear to me whether windbg will enter ring 0. Blabberer has kindly tried to explain it to me but whenever I try to get past a sysenter call to the system windbg kicks me out the other end without allowing me to trace the code.

I now have remote debugging with real mode/kernel mode capability in W7 and W10 via a serial connection. I have read an article on github wherein someone claims to be able to debug remotely with XP, using windbg.

Ideally, I should be able to start SI in the target and watch it initialize. That is, if SI is not doing something to interfere with windbg operation.
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

the mouse in windows is read out via i/o in the i8042prt.sys (same goes for the keyboard)
at some point it reaches win32k.sys where it calls a mousemove function in the KeServiceDescriptorTableShadow
this function has a global var flag (since some patch) if the mouse was from i/o or from a classical kernel32.dll function like sendinputa, mouse_event, keybd_event
i once looked how this is done but most of these functions are converted and then lead up to this function, which is then transferred to an application

if this information is not taken that way you have to make the i/o
i did this view, look how close i got to the softice look:
Image
i coded my own softice that is functional but it has too many bugs and actually only runs in vmware (never worked further)

the dependency walker, it's been years since i heard about this one
well yea if it's the direct draw api from ring0, or maybe some super weird ntgdi drawing
we probably would see the import

i/o would be possible for softice, it has functions related to this but those could be used for like anything related to i/o, even the harddrive
the thing here is though that softice can use a different method to make this happen without such an import
for example it could search the dxg.sys and call its function via an IRP, or the functions over the driver object; softice has the IoCallDriver function

another way would be to reconstruct the softice functions and emulate them in your driver but that is really big work, especially because softice has the biggest of its routines there

blabberer doesn't like me? i don't know why

you're right, windbg might be "the one debugger" but close to ollydbg a lot of parts are emulated, or limited to the application you are debugging
it's not a "classical ring0 debugger" where the operations are pure ring0; the entire window is in ring3 and it also uses classical debug functions
that's not what i personally want
what i want would be a virtual machine based softice as close as it was in 98, that's why you could break on the IDT instruction for example (kinda useful)
the keyboard should be read manually (mouse is not necessarily needed for me), video buffer should be directly written to, not over windows functions
on ntice the vm based part is already gone but at least it has kept most of the other stuff



the video problem could be found if we have a vm based debugger before softice and having this video problem (in vmware the video problem does not appear, but at least
i could look into the process how it is being done and the problem might be found)
i might still do this even today

you're debugging winxp before it goes into protected mode? or from that emulated dos cmd.exe? i didn't understand that part
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@elenil i don't think waxford means i hate you

when he posted
Blabberer would know but he gets hives when you talk about softice.
in english put doesn't sound like but and out considers put and but as aliens

here you does not represent you as in you elenil
it represents anyone who talks about softice including waxford and obviously kayaker as well

and hate here does not represent hate as in hatred

it is a kind of speech form and literally it means blabberer does not like to talk about softice that is all

@wax


wax can't you wax a little more eloquently did you actually mean to say i hate elenil :speechless:

and actually i do not hate anyone when they talk about softice

i have never used softice much so i do not know how it works

so i refrain from posting anything related to softice

also i try and avoid using commercial software as much as i can

so I might skip a query regarding Ida while i would answer the same query if it was tagged ghidra

so elenil i hope this explanation clears your misunderstanding if any
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:wax can't you wax a little more eloquently did you actually mean to say i hate elenil :speechless:
Of course not. I don't even recall mentioning elenil when I quipped (joked) that you get hives when softice is mentioned. That was an affectionate joke. I presumed you two had a misunderstanding at another time in the past, but that's not like either of you.

I think it's hard to discuss things accurately when people speak different languages. You (blabbs) can be a bit gruff (blunt, direct) at times and whereas I take that with humour, since I've known you a long time, maybe your gruffness does not translate well into Elenil's language.

@Elenil....blabbs is a good guy and I am sure he has never intended to give the impression he does not like you. Unfortunately, we have different ways of speaking in English that are colloquial (very informal) and they don't always translate well. They can even give the impression of rudeness or unfriendliness when neither is intended.
blabberer wrote:...and actually i do not hate anyone when they talk about softice ...i have never used softice much so i do not know how it works
Again...I was only joking when I claimed blabbs got hives (a skin reaction to an allergy).
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Hey guys, I split this thread to a new topic. Please carry on there for that subject. Good to see a discussion.

http://www.woodmann.com/forum/showthrea ... rn-systems
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote:Hey guys, I split this thread to a new topic. Please carry on there for that subject. Good to see a discussion.
Thanks, K.