Damnation
Member
Damnation last won the day on April 13 2022
Damnation had the most liked content!
About Damnation

Profile Information
- OS: Windows 10 x64
Damnation's Achievements
- Reputation: 186
@Dietmar Here's how you might be able to use AI to help you reverse engineer. You'll need 3 tools.

pdbripper - https://github.com/horsicq/PDBRipper/releases/tag/2.03
relyze disassembler - https://www.relyze.com/download.html
I use relyze because I've found that neither Ghidra nor IDA pro will let me just copy the assembly code of a single function into a text file or the clipboard.
Lastly, Perplexity AI - https://www.perplexity.ai/

---

OK, let's pick a sizable function from the Netwtn04.sys file using the PDB symbols we have, let's go with oscWfdeSetPreferredOperatingChannel. Using relyze, oscWfdeSetPreferredOperatingChannel is defined as this.

int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )

We will need to get the struct definitions for MINIPORT_CONTEXT and OID_EVENT_DATA for perplexity AI to use or it'll bul***** its way through with hallucinations, so this is what pdbripper is for. Using pdbripper we can get these struct definitions -

struct _MINIPORT_CONTEXT {
    void * hMiniportAdapterHandle;
    void * hWrapperConfigContext;
    void * hNdisMiniportDmaHandle;
    struct _FLOW_PROCESSOR * pHmacFlowProcessor;
    struct _FLOW_PROCESSOR * pMmacFlowProcessor;
    struct _JOB_SCHEDULER_DATA * pJobScheduler;
    long numWorkitemsRunningWithoutJobSched;
    void * pOsc;
    struct _ALON_CONTEXT * pAlonContext;
    struct _MLME_SUBSYSTEM * pMlmeSubSystem;
    struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
    struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
    void * pUmacContext;
    struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
    struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
    long version;
    long productVersion;
    enum _MINIPORT_STATE uNdisMiniportState;
    struct _SpinlockR NdisMiniportStateLock;
    struct _SpinlockR NdisMiniportSendPacketLock;
    struct _SpinlockR contextLock;
    unsigned char bIsInMPInitialize;
    long bMiniportInitiatedHandshake;
    struct _MINIPORT_RESET_CONTEXT miniportReset;
    struct _DOT11_MIB_CONTEXT dot11Mib;
    struct _MIB_TABLE * pMib;
    struct _DATA_PATH_CONTEXT * pDataPathContext;
    void * pDeviceContext;
    enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
    union _LARGE_INTEGER lastOsScanTime;
    struct _MEMORY_MANAGER memoryManager;
    class CheckForHang * pCheckForHang;
    int doesUmacRunInHost;
    struct _XVT_CONTEXT * pXvtContext;
    int bXvtProxyModeEnabled;
    struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
    int isWdi;
    int bWdiOffloadMode;
    int bRestartPending;
    int bMacAddressRandomizationEnabled;
};

struct _OID_EVENT_DATA {
    unsigned long oid;
    void * pInfoBuffer;
    unsigned long infoBufferLen;
    unsigned long methodOutputBufferLen;
    unsigned long * pBytesUsed;
    unsigned long * pMethodBytesWritten;
    unsigned long * pBytesNeeded;
    unsigned short opCode;
    unsigned long portNumber;
    struct _NDIS_OID_REQUEST * pNdisOidRequest;
};

Then, in relyze we right click inside the oscWfdeSetPreferredOperatingChannel disassembly window and select Export -> To Clipboard (Function). We now write a prompt for perplexity AI.

---

Using the following struct definitions -

struct _MINIPORT_CONTEXT {
    void * hMiniportAdapterHandle;
    void * hWrapperConfigContext;
    void * hNdisMiniportDmaHandle;
    struct _FLOW_PROCESSOR * pHmacFlowProcessor;
    struct _FLOW_PROCESSOR * pMmacFlowProcessor;
    struct _JOB_SCHEDULER_DATA * pJobScheduler;
    long numWorkitemsRunningWithoutJobSched;
    void * pOsc;
    struct _ALON_CONTEXT * pAlonContext;
    struct _MLME_SUBSYSTEM * pMlmeSubSystem;
    struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
    struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
    void * pUmacContext;
    struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
    struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
    long version;
    long productVersion;
    enum _MINIPORT_STATE uNdisMiniportState;
    struct _SpinlockR NdisMiniportStateLock;
    struct _SpinlockR NdisMiniportSendPacketLock;
    struct _SpinlockR contextLock;
    unsigned char bIsInMPInitialize;
    long bMiniportInitiatedHandshake;
    struct _MINIPORT_RESET_CONTEXT miniportReset;
    struct _DOT11_MIB_CONTEXT dot11Mib;
    struct _MIB_TABLE * pMib;
    struct _DATA_PATH_CONTEXT * pDataPathContext;
    void * pDeviceContext;
    enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
    union _LARGE_INTEGER lastOsScanTime;
    struct _MEMORY_MANAGER memoryManager;
    class CheckForHang * pCheckForHang;
    int doesUmacRunInHost;
    struct _XVT_CONTEXT * pXvtContext;
    int bXvtProxyModeEnabled;
    struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
    int isWdi;
    int bWdiOffloadMode;
    int bRestartPending;
    int bMacAddressRandomizationEnabled;
};

struct _OID_EVENT_DATA {
    unsigned long oid;
    void * pInfoBuffer;
    unsigned long infoBufferLen;
    unsigned long methodOutputBufferLen;
    unsigned long * pBytesUsed;
    unsigned long * pMethodBytesWritten;
    unsigned long * pBytesNeeded;
    unsigned short opCode;
    unsigned long portNumber;
    struct _NDIS_OID_REQUEST * pNdisOidRequest;
};

Convert the following x86 assembly into human readable C code -

int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )
{
    push ebp
    mov ebp, esp
    push edi
    mov edi, dword ptr [pMpContext]
    test edi, edi
    jnz code_0x4235
code_0x422B:
    mov eax, 0xE0020001
    pop edi
    pop ebp
    ret 0x8
code_0x4235:
    push ebx
    push esi
    mov esi, dword ptr [pOid]
    mov ebx, dword ptr [esi+0x4]
    test ebx, ebx
    jnz code_0x424D
code_0x4241:
    pop esi
    pop ebx
    mov eax, 0xE0020001
    pop edi
    pop ebp
    ret 0x8
code_0x424D:
    movzx eax, word ptr [esi+0x1C]
    mov ecx, 0x5
    cmp cx, ax
    jz code_0x4271
code_0x425B:
    mov ecx, 0x2
    cmp cx, ax
    jz code_0x4271
code_0x4265:
    pop esi
    pop ebx
    mov eax, 0xC0000001
    pop edi
    pop ebp
    ret 0x8
code_0x4271:
    push 0x0
    push 0x8
    push 0xFF10060B
    push esi
    call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
    test eax, eax
    jnz code_0x42E3
code_0x4284:
    push ebx
    push edi
    call vifMgrGetContext; inline struct _VIF_MGR_CONTEXT * __stdcall( struct _MINIPORT_CONTEXT * pMpCotnext )
    push eax
    call vifMgrChSelSetPreferredOperatingChannel; int32_t __stdcall( struct _VIF_MGR_CONTEXT * pVifMgrContext, struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL * pOpChannelParams )
    mov edi, eax
    test edi, edi
    jz code_0x42D6
code_0x4297:
    mov ecx, dword ptr [WPP_GLOBAL_Control]
    cmp ecx, va_ptr WPP_GLOBAL_Control
    jz code_0x42D6
code_0x42A5:
    test byte ptr [ecx+0x530], 0x1
    jz code_0x42D6
code_0x42AE:
    cmp byte ptr [ecx+0x52D], 0x2
    jb code_0x42D6
code_0x42B7:
    mov eax, dword ptr [ecx+0x524]
    push va_ptr string_oscWfdeSet; "oscWfdeSetPreferredOperatingChannel"
    push va_ptr WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids
    push 0x3B
    push eax
    mov eax, dword ptr [ecx+0x520]
    push eax
    call WPP_SF_s; void __stdcall( uint64_t Logger, uint16_t id, struct _GUID * TraceGuid, char * _a1 )
code_0x42D6:
    push edi
    push 0x0
    push 0x8
    push esi
    call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
    mov eax, edi
code_0x42E3:
    pop esi
    pop ebx
    pop edi
    pop ebp
    ret 0x8
}

---

Perplexity AI gave me this answer.

int32_t __stdcall oscWfdeSetPreferredOperatingChannel(
    struct _MINIPORT_CONTEXT *pMpContext,
    struct _OID_EVENT_DATA *pOid)
{
    int32_t status;
    struct _VIF_MGR_CONTEXT *vifCtx;
    struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *params;

    // Validate inputs
    if (pMpContext == NULL)
        return 0xE0020001;
    if (pOid == NULL || pOid->pInfoBuffer == NULL)
        return 0xE0020001;

    // Validate opcode (must be 2 or 5)
    if (pOid->opCode != 2 && pOid->opCode != 5)
        return 0xC0000001;

    // Validate OID + buffer lengths
    status = OidEventHandlerPrologCommon(pOid, 0xFF10060B, 8, 0);
    if (status != 0)
        return status;

    // Extract input buffer
    params = (struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *)pOid->pInfoBuffer;

    // Get VIF manager context and set preferred channel
    vifCtx = vifMgrGetContext(pMpContext);
    status = vifMgrChSelSetPreferredOperatingChannel(vifCtx, params);

    // Logging (WPP)
    if (status != 0) {
        if (WPP_GLOBAL_Control != NULL &&
            (WPP_GLOBAL_Control->Flags[0x530] & 0x1) &&
            WPP_GLOBAL_Control->Level >= 2) {
            WPP_SF_s(WPP_GLOBAL_Control->Logger, 0x3B,
                     &WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids,
                     "oscWfdeSetPreferredOperatingChannel");
        }
    }

    // Complete OID handling
    OidEventHandlerEpilog(pOid,
                          0, // bytesRead
                          8, // bytesWritten
                          status);
    return status;
}

https://www.perplexity.ai/search/using-the-following-struct-def-iH1rN.zcSMaVPiFOgI5RlA

@Dietmar Do you find this helpful?
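Added check, not part of Damnation's post or the Perplexity answer: x86 stdcall pushes arguments right to left, so the last push before a call is the first parameter, and binding the pushes to the parameter names in Relyze's call comment is a quick audit of an AI decompile before trusting it. Over the two calls copied from the listing above this gives OidEventHandlerPrologCommon(pOid, 0xFF10060B, 8, 0), matching the answer, but OidEventHandlerEpilog(pOid, bytesRead = 8, bytesWritten = 0, rc), which the answer has swapped. The script assumes the export's `call Name; ret __stdcall( params )` comment format and that every argument is a single 32-bit slot.

```python
import re

# Sample input, copied from the Relyze export quoted in the post: the two annotated stdcall calls.
SAMPLE_LISTING = """
code_0x4271:
push 0x0
push 0x8
push 0xFF10060B
push esi
call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
code_0x42D6:
push edi
push 0x0
push 0x8
push esi
call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
"""

# Relyze writes the callee prototype after the call: "call Name; ret __stdcall( params )"
CALL_RE = re.compile(r"^call\s+(\w+);.*?__stdcall\s*\((.*)\)\s*$")
PUSH_RE = re.compile(r"^push\s+(.+?)$")

def param_names(params):
    """'struct _X * pOid, unsigned long n' -> ['pOid', 'n']"""
    return [re.split(r"[\s*]+", p.strip())[-1] for p in params.split(",") if p.strip()]

def bind_stdcall_args(listing):
    """Return {callee: [(param_name, pushed_operand), ...]} for each annotated call.
    stdcall pushes right to left, so the LAST push is the FIRST parameter; only the
    last len(params) pushes are consumed (the callee pops them), so register saves
    pushed earlier are left alone. Assumes each parameter is one 32-bit slot."""
    pushes, bound = [], {}
    for raw in listing.splitlines():
        line = raw.strip()
        if m := PUSH_RE.match(line):
            pushes.append(m.group(1))
        elif m := CALL_RE.match(line):
            names = param_names(m.group(2))
            args = pushes[len(pushes) - len(names):]
            del pushes[len(pushes) - len(names):]
            bound[m.group(1)] = list(zip(names, reversed(args)))
    return bound

def as_c_call(callee, binding):
    """Render a binding as a C call with the parameter name beside each argument."""
    return f"{callee}({', '.join(f'{arg} /* {name} */' for name, arg in binding)});"

if __name__ == "__main__":
    for callee, binding in bind_stdcall_args(SAMPLE_LISTING).items():
        print(as_c_call(callee, binding))
```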
@Dietmar here is the intel wifi driver with private symbols. https://buzzheavier.com/qra6oddo79o8 I've basically got a whole Windows 10 beta build with private symbols for everything in the OS as far as I can tell. I'll PM you with a link to it, you'll probably find it useful for debugging. edit: I couldn't PM you so I sent you an email.
-
@Dietmar @reboot12 I successfully built an x64 kdstub.dll, though in kdstub.c there is a warning I disabled:

#pragma warning (disable : 4717) // kdstub.c(188) : warning C4717: '_KdInitializeLibrary' : recursive on all control paths, function will cause runtime stack overflow

I wasn't sure how to resolve that. https://buzzheavier.com/risw492dkhzy
-
@Dietmar regarding reworking Mov Ax DEAD's KDNET to compile for x64, do you think the following would work? Replacing

__declspec(naked) void KdShutdownController ()
{
    __asm jmp dword ptr [KdShutdownController_tramp];
}

with

__declspec(noinline) void KdShutdownController(void)
{
    KdShutdownController_tramp(); // tail call candidate
}

and doing this for all the functions that use x86 inline assembly?
-
@Dietmar I thought I'd have another go at trying to get Windows 7 ndis.sys to work on XP, now trying using AI to help reverse engineer assembly into C. This time round I get a 7F 0.0.0.0 Divide by Zero BSOD. If you have time, can you try and find where it's happening in ntoskrn8.sys? https://buzzheavier.com/cy852zg5l602
-
DisINTx should be disabled in XP I think since XP isn't using MSI? The DisINTx (Disable Interrupt) bit, located in the PCI Command Register (offset 0x04, bit 10), is used to mask legacy INTx interrupts for PCI/PCIe devices. When set to 1, this bit prevents the device from asserting interrupt lines, which is crucial for managing IRQ sharing and configuring MSI/MSI-X.