
Leaderboard


Popular Content

Showing content with the highest reputation on 03/30/2026 in all areas

  1. Updated FFmpeg links in the post above.
    2 points
  2. @Dietmar Here's how you might be able to use AI to help you reverse engineer. You'll need 3 tools.

     pdbripper - https://github.com/horsicq/PDBRipper/releases/tag/2.03
     relyze disassembler - https://www.relyze.com/download.html
     I use relyze because I've found that neither Ghidra nor IDA pro will let me just copy the assembly code of a single function into a text file or the clipboard.
     Lastly, Perplexity AI - https://www.perplexity.ai/

     ---

     OK, let's pick a sizable function from the Netwtn04.sys file using the PDB symbols we have, let's go with oscWfdeSetPreferredOperatingChannel. Using relyze, oscWfdeSetPreferredOperatingChannel is defined as this.

         int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid ).

     We will need to get the struct definitions for MINIPORT_CONTEXT and OID_EVENT_DATA for perplexity AI to use or it'll bul***** its way through with hallucinations, so this is what pdbripper is for. Using pdbripper we can get this for struct definitions -

         struct _MINIPORT_CONTEXT
         {
             void * hMiniportAdapterHandle;
             void * hWrapperConfigContext;
             void * hNdisMiniportDmaHandle;
             struct _FLOW_PROCESSOR * pHmacFlowProcessor;
             struct _FLOW_PROCESSOR * pMmacFlowProcessor;
             struct _JOB_SCHEDULER_DATA * pJobScheduler;
             long numWorkitemsRunningWithoutJobSched;
             void * pOsc;
             struct _ALON_CONTEXT * pAlonContext;
             struct _MLME_SUBSYSTEM * pMlmeSubSystem;
             struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
             struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
             void * pUmacContext;
             struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
             struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
             long version;
             long productVersion;
             enum _MINIPORT_STATE uNdisMiniportState;
             struct _SpinlockR NdisMiniportStateLock;
             struct _SpinlockR NdisMiniportSendPacketLock;
             struct _SpinlockR contextLock;
             unsigned char bIsInMPInitialize;
             long bMiniportInitiatedHandshake;
             struct _MINIPORT_RESET_CONTEXT miniportReset;
             struct _DOT11_MIB_CONTEXT dot11Mib;
             struct _MIB_TABLE * pMib;
             struct _DATA_PATH_CONTEXT * pDataPathContext;
             void * pDeviceContext;
             enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
             union _LARGE_INTEGER lastOsScanTime;
             struct _MEMORY_MANAGER memoryManager;
             class CheckForHang * pCheckForHang;
             int doesUmacRunInHost;
             struct _XVT_CONTEXT * pXvtContext;
             int bXvtProxyModeEnabled;
             struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
             int isWdi;
             int bWdiOffloadMode;
             int bRestartPending;
             int bMacAddressRandomizationEnabled;
         };

         struct _OID_EVENT_DATA
         {
             unsigned long oid;
             void * pInfoBuffer;
             unsigned long infoBufferLen;
             unsigned long methodOutputBufferLen;
             unsigned long * pBytesUsed;
             unsigned long * pMethodBytesWritten;
             unsigned long * pBytesNeeded;
             unsigned short opCode;
             unsigned long portNumber;
             struct _NDIS_OID_REQUEST * pNdisOidRequest;
         };

     Then, in relyze we right click inside the oscWfdeSetPreferredOperatingChannel disassembly window and select Export -> To Clipboard (Function). We now write a prompt for perplexity AI.

     ---

     Using the following struct definitions -

         struct _MINIPORT_CONTEXT
         {
             void * hMiniportAdapterHandle;
             void * hWrapperConfigContext;
             void * hNdisMiniportDmaHandle;
             struct _FLOW_PROCESSOR * pHmacFlowProcessor;
             struct _FLOW_PROCESSOR * pMmacFlowProcessor;
             struct _JOB_SCHEDULER_DATA * pJobScheduler;
             long numWorkitemsRunningWithoutJobSched;
             void * pOsc;
             struct _ALON_CONTEXT * pAlonContext;
             struct _MLME_SUBSYSTEM * pMlmeSubSystem;
             struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
             struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
             void * pUmacContext;
             struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
             struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
             long version;
             long productVersion;
             enum _MINIPORT_STATE uNdisMiniportState;
             struct _SpinlockR NdisMiniportStateLock;
             struct _SpinlockR NdisMiniportSendPacketLock;
             struct _SpinlockR contextLock;
             unsigned char bIsInMPInitialize;
             long bMiniportInitiatedHandshake;
             struct _MINIPORT_RESET_CONTEXT miniportReset;
             struct _DOT11_MIB_CONTEXT dot11Mib;
             struct _MIB_TABLE * pMib;
             struct _DATA_PATH_CONTEXT * pDataPathContext;
             void * pDeviceContext;
             enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
             union _LARGE_INTEGER lastOsScanTime;
             struct _MEMORY_MANAGER memoryManager;
             class CheckForHang * pCheckForHang;
             int doesUmacRunInHost;
             struct _XVT_CONTEXT * pXvtContext;
             int bXvtProxyModeEnabled;
             struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
             int isWdi;
             int bWdiOffloadMode;
             int bRestartPending;
             int bMacAddressRandomizationEnabled;
         };

         struct _OID_EVENT_DATA
         {
             unsigned long oid;
             void * pInfoBuffer;
             unsigned long infoBufferLen;
             unsigned long methodOutputBufferLen;
             unsigned long * pBytesUsed;
             unsigned long * pMethodBytesWritten;
             unsigned long * pBytesNeeded;
             unsigned short opCode;
             unsigned long portNumber;
             struct _NDIS_OID_REQUEST * pNdisOidRequest;
         };

     Convert the following x86 assembly into human readable C code -

         int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )
         {
             push ebp
             mov ebp, esp
             push edi
             mov edi, dword ptr [pMpContext]
             test edi, edi
             jnz code_0x4235
         code_0x422B:
             mov eax, 0xE0020001
             pop edi
             pop ebp
             ret 0x8
         code_0x4235:
             push ebx
             push esi
             mov esi, dword ptr [pOid]
             mov ebx, dword ptr [esi+0x4]
             test ebx, ebx
             jnz code_0x424D
         code_0x4241:
             pop esi
             pop ebx
             mov eax, 0xE0020001
             pop edi
             pop ebp
             ret 0x8
         code_0x424D:
             movzx eax, word ptr [esi+0x1C]
             mov ecx, 0x5
             cmp cx, ax
             jz code_0x4271
         code_0x425B:
             mov ecx, 0x2
             cmp cx, ax
             jz code_0x4271
         code_0x4265:
             pop esi
             pop ebx
             mov eax, 0xC0000001
             pop edi
             pop ebp
             ret 0x8
         code_0x4271:
             push 0x0
             push 0x8
             push 0xFF10060B
             push esi
             call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
             test eax, eax
             jnz code_0x42E3
         code_0x4284:
             push ebx
             push edi
             call vifMgrGetContext; inline struct _VIF_MGR_CONTEXT * __stdcall( struct _MINIPORT_CONTEXT * pMpCotnext )
             push eax
             call vifMgrChSelSetPreferredOperatingChannel; int32_t __stdcall( struct _VIF_MGR_CONTEXT * pVifMgrContext, struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL * pOpChannelParams )
             mov edi, eax
             test edi, edi
             jz code_0x42D6
         code_0x4297:
             mov ecx, dword ptr [WPP_GLOBAL_Control]
             cmp ecx, va_ptr WPP_GLOBAL_Control
             jz code_0x42D6
         code_0x42A5:
             test byte ptr [ecx+0x530], 0x1
             jz code_0x42D6
         code_0x42AE:
             cmp byte ptr [ecx+0x52D], 0x2
             jb code_0x42D6
         code_0x42B7:
             mov eax, dword ptr [ecx+0x524]
             push va_ptr string_oscWfdeSet; "oscWfdeSetPreferredOperatingChannel"
             push va_ptr WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids
             push 0x3B
             push eax
             mov eax, dword ptr [ecx+0x520]
             push eax
             call WPP_SF_s; void __stdcall( uint64_t Logger, uint16_t id, struct _GUID * TraceGuid, char * _a1 )
         code_0x42D6:
             push edi
             push 0x0
             push 0x8
             push esi
             call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
             mov eax, edi
         code_0x42E3:
             pop esi
             pop ebx
             pop edi
             pop ebp
             ret 0x8
         }

     ---

     Perplexity AI gave me this answer.

         int32_t __stdcall oscWfdeSetPreferredOperatingChannel(
             struct _MINIPORT_CONTEXT *pMpContext,
             struct _OID_EVENT_DATA *pOid)
         {
             int32_t status;
             struct _VIF_MGR_CONTEXT *vifCtx;
             struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *params;

             // Validate inputs
             if (pMpContext == NULL)
                 return 0xE0020001;
             if (pOid == NULL || pOid->pInfoBuffer == NULL)
                 return 0xE0020001;

             // Validate opcode (must be 2 or 5)
             if (pOid->opCode != 2 && pOid->opCode != 5)
                 return 0xC0000001;

             // Validate OID + buffer lengths
             status = OidEventHandlerPrologCommon( pOid, 0xFF10060B, 8, 0 );
             if (status != 0)
                 return status;

             // Extract input buffer
             params = (struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *)pOid->pInfoBuffer;

             // Get VIF manager context and set preferred channel
             vifCtx = vifMgrGetContext(pMpContext);
             status = vifMgrChSelSetPreferredOperatingChannel(vifCtx, params);

             // Logging (WPP)
             if (status != 0) {
                 if (WPP_GLOBAL_Control != NULL &&
                     (WPP_GLOBAL_Control->Flags[0x530] & 0x1) &&
                     WPP_GLOBAL_Control->Level >= 2) {
                     WPP_SF_s(
                         WPP_GLOBAL_Control->Logger,
                         0x3B,
                         &WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids,
                         "oscWfdeSetPreferredOperatingChannel"
                     );
                 }
             }

             // Complete OID handling
             OidEventHandlerEpilog(
                 pOid,
                 0, // bytesRead
                 8, // bytesWritten
                 status
             );

             return status;
         }

     https://www.perplexity.ai/search/using-the-following-struct-def-iH1rN.zcSMaVPiFOgI5RlA

     @Dietmar Do you find this helpful?
    1 point
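
An added example, not part of the post above and not the poster's code: one way to cross-check an AI decompilation is to compute the field offsets of _OID_EVENT_DATA from the PDBRipper text and confirm that each `[esi+0xNN]` access in the listing lands on the field the C output names. It assumes the default 32-bit x86 layout (4-byte pointers and long, natural alignment, no packing pragma); `layout` and `check_accesses` are hypothetical helper names.

```python
import re

# Sizes on 32-bit Windows (assumption: default MSVC x86 ABI, no #pragma pack).
SIZES = {"unsigned long": 4, "long": 4, "int": 4,
         "unsigned short": 2, "unsigned char": 1}

# Member list of _OID_EVENT_DATA as PDBRipper printed it in the post.
OID_EVENT_DATA = """
unsigned long oid; void * pInfoBuffer; unsigned long infoBufferLen;
unsigned long methodOutputBufferLen; unsigned long * pBytesUsed;
unsigned long * pMethodBytesWritten; unsigned long * pBytesNeeded;
unsigned short opCode; unsigned long portNumber;
struct _NDIS_OID_REQUEST * pNdisOidRequest;
"""

# Instructions from the post's listing that dereference esi (esi = pOid).
ASM = """
mov esi, dword ptr [pOid]
mov ebx, dword ptr [esi+0x4]
movzx eax, word ptr [esi+0x1C]
"""

WIDTH = {"byte": 1, "word": 2, "dword": 4}


def layout(decl_text):
    """Return {offset: (field_name, size)} using natural alignment."""
    fields, pos = {}, 0
    for decl in filter(None, (d.strip() for d in decl_text.split(";"))):
        ctype, name = decl.rsplit(None, 1)
        # Any pointer is 4 bytes; an unmodelled scalar type raises KeyError.
        size = 4 if ctype.endswith("*") else SIZES[ctype]
        pos = (pos + size - 1) // size * size  # pad up to the field's alignment
        fields[pos] = (name, size)
        pos += size
    return fields


def check_accesses(asm, reg, fields):
    """Map each [reg+disp] access to a field; flag access-width mismatches."""
    results = []
    pattern = rf"(\w+) ptr \[{reg}\+0x([0-9A-Fa-f]+)\]"
    for width, disp in re.findall(pattern, asm):
        offset = int(disp, 16)
        name, size = fields.get(offset, (None, None))
        results.append((offset, name, size == WIDTH[width]))
    return results


if __name__ == "__main__":
    for offset, name, width_ok in check_accesses(ASM, "esi", layout(OID_EVENT_DATA)):
        print(f"+0x{offset:02X} -> {name} (width matches: {width_ok})")
```

A displacement that maps to no field, or whose access width disagrees with the field size, marks a place where the struct text or the generated C needs a second look.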
  3. No, I can test it on Windows XP Professional 32 Bit only because I neither use Windows XP 64 Bit nor have an installation of it. If @cmalex's ProxyMII runs on this OS, my release will do it, too.
    1 point
  4. Hi @mina7601! This is an excellent examination and logical conclusion. Thanks for that! I second @Dave-H's finalization, i.e. q.e.d. Cheers, AstroSkipper
    1 point
  5. Hi @Ben Markson! Although there is a small glitch in the left corner above, VirusTotal still works properly in Serpent v52.9.0 (2022-07-15) (32-bit) if updating palefill to version 1.17. A file can be uploaded, the service checks the hash, and the results are shown correctly. Same in New Moon 28.10.6a1, latest build from 2022-07-15. Therefore, I can't confirm your statement. Cheers, AstroSkipper
    1 point
  6. Hi @George King! Here now is the code of a batch with the command start /wait, which works as it should:

         @echo on
         echo Notepad will be executed
         start "Notepad" /wait notepad.exe
         echo Notepad has been executed and closed
         pause
         exit

     You see the command start /wait works with some programs, and with others, it doesn't. That is the epitome of a bug! In the case of starting ProxyMII, the command start /wait fails completely as it is described in Microsoft's documentation. Kindest regards, AstroSkipper
    1 point
  7. Use a trusted VPN provider with a no log policy! The Tor Network is well-known and actually great, but if a node is a server of the government or a criminal, then the user may get into real trouble. In principle, anyone can participate in the Tor Network. Nothing for me! AstroSkipper
    1 point
  8. Just to clarify it! I do not use extensions but a trusted VPN service to establish secure and anonymous connections. The installation in Windows is very simple.
    1 point
  9. Thanks for your reply! I know nircmd very well, and I used it in the past, too. But cmdow is really great. A lot of parameters! I use it when windows have to be controlled in a batch in different ways. AstroSkipper
    1 point
  10. This thread is the right one. Don't worry! It's about anonymity, VPN and browser extensions promising safety.
    1 point
  11. Hi @XPerceniol! I used to be sceptical about payments and anonymity, too. But in the meanwhile I don't see any problems if the vendor can be trusted. And that's the problem. At the end you have to trust the vendor of a VPN service, otherwise you won't be happy at all. What I did is to buy a time-limited for one (or more) year(s) or a lifetime license of a VPN service at StackSocial. They have less expensive offers. When you buy a license there, you get a code which must be redeemed with the corresponding provider. The seller and the VPN provider are independent of each other. Thus, the VPN provider only knows what you have booked. But in the end, it's all a question of trust. And there is no such thing as one hundred percent security.
    1 point