Dietmar Posted May 13

@reboot12 Here are the screenshots
Dietmar
https://www.upload.ee/files/19341658/x.zip.html
reboot12 Posted May 13

@Dietmar Is the time zone set to: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna??? Do you use any German characters in the computer name? Does the error "The parameter is incorrect" occur only if you try to install your 9560 driver, or also with any driver?
Dietmar Posted May 13 (edited)

@reboot12 It is for any unsigned driver: nvme, usb, lan
Dietmar
EDIT: no, I use julia, didi2, abc, abc
Edited May 13 by Dietmar
Dietmar Posted May 13

@reboot12 I don't remember, because I tried so, so many. And mostly not on XP 64-bit, or they give a BSOD in XP 64-bit. I remember only the post about the NVMe OFA (or something like this) driver from 2024 that you already mentioned.
Dietmar
reboot12 Posted May 13

@Dietmar I made a test on the Dell. I set exactly the same regional settings as you, rebooted the PC, tried to install your 9560 driver and had no problems except Code 10. I can't reproduce the "Parameter is incorrect" error.
Dietmar Posted May 13

@reboot12 Some things we will never understand ;)).. I am just on the way to LAN WinDbg à la @Mov AX, 0xDEAD, but now for XP SP2 64-bit. Thank you for all the KD files. I already built a crazy nice setup: I use my ASRock Z370 K6 board for this. It has a COM1 port and an Intel LAN i211. There I just installed a fresh XP SP2 64-bit, but now over ntldr/boot.ini because of debugging over COM1. So I can debug the LAN WinDbg over the COM1 port. I think tomorrow I will already know if we will succeed with this.
Dietmar
reboot12 Posted May 13 (edited)

@Dietmar You can also try the UEFI setup and use my 3rd boot option "Serial debug COM1 115200" to enable the debugger. If you install in UEFI mode on MBR, then you can boot WinXP also in Legacy mode without reinstalling - simply use the BIOS BootMenu, then select run from disk instead of "UEFI: WinXP Boot Manager".
Edited May 13 by reboot12
K4sum1 Posted May 13 (edited)

> 13 hours ago, Dietmar said:
> 85 C0 74 04 8B DE EB 08 FF 15 CC 7C FF FF 8B D8 48 8B 8F 08 02 00 00
> ==>
> 85 C0 90 90 8B DE EB 08 FF 15 CC 7C FF FF 8B D8 48 8B 8F 08 02 00 00

Did you happen to change anything else in your provided download? I was curious and compared it to stock newdev.dll + your change. Same file version and all. There are a multitude of differences that someone of my limited skills can't make sense of.
Edited May 13 by K4sum1
Dietmar Posted May 13

@K4sum1 I really patch only this 74 04 ==> 90 90. But because XP may cry when you offer it a hacked file, I open the hacked newdev.dll with Resource Hacker and store it again. The owner of this tool makes something magical: after this step, XP is always sure that it is its own file. I noticed that it is enough to open the hacked file and just store it again. The lot of changes come from this step.
Dietmar
PS: You also get with the RTL8125 this "The parameter is incorrect". Is this message now gone with my modded newdev.dll?
wyf180 Posted May 14

> On 5/11/2026 at 7:20 PM, George King said:
> Ported Drivers Collection v46
> Updated release of the ported driver collection. All drivers are restricted to legacy NT 5.x systems only (no Windows 2000 support). These drivers are intended exclusively for:
> Windows XP (5.1)
> Windows Server 2003 / XP x64 (5.2)
> Even when using integrated driver solutions such as DriverPack or similar tools, these drivers should never interfere with newer operating systems like Windows 7 or later. The entire collection is legacy-focused and specifically designed for NT 5.x compatibility.
> Important
> To use properly signed drivers, import the following certificates before installation. Run both commands from an elevated command prompt:
> reg add "HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2516FF09B7786B05CBB7B96B97690821A13B36AF" /v "Blob" /t REG_BINARY /d [certificate blob omitted] /f
> reg add "HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\B9B6F07ACD8C0A29597BB2AC1EECF59D046697A7" /v "Blob" /t REG_BINARY /d [certificate blob omitted] /f
> x86 Driver Packages
> AMD_SATA — 1.2.001.0337 / 1.2.001.0402 / 3.3.1540.40
> AMD_SD+MMC — 1.0.0.0106
> AMD_USB3 — 1.1.0.0145
> Generic_ACPITime — 6.2.9200.16384
> Generic_AHCI — 1.0.0.0 / 1.0.0.585 / 6.2.7989.0 / 6.2.9200.20652 / 6.3.0.1
> Generic_Disk — 5.2.3790.4171
> Generic_HDABUS — 5.10.01.5013
> Generic_HIDI2C — 6.2.9200.16384
> Generic_MSAHCI — 6.1.7601.26057
> Generic_NVMe — 1.2.0.1 / 1.3.1014.00 / 1.5.1200.00 / 10.4.49.0 / 6.1.7601.23403
> Generic_SD+MMC — 6.2.8056.0
> Generic_UASP — 1.0.0.51 / 6.1.7600.4002 / 6.2.9200.16384
> Generic_USB2 — 5.2.3790.5203
> Generic_USB3 — 6.1.7800.0
> Generic_USB3x — 6.2.9200.21180
> Generic_USBMassStorage — 5.2.3790.5829 / 6.1.7601.25735
> Generic_USBParent — 5.2.3790.5203 / 6.1.7601.24138
> IaNVMe — 4.4.0.1003
> Intel_HCSwitch — 5.0.4.43
> IRST — 16.8.2.1002
> RSTe — 4.7.0.1119
> Samsung_NVMe — 3.3.0.2003
> TPM — 6.1.7601.24564
> WinUSB — 6.2.9200.16384
> x64 Driver Packages
> AMD_SATA — 1.2.001.0337 / 1.2.001.0402 / 3.3.1540.40
> AMD_SD+MMC — 1.0.0.0106
> AMD_USB3 — 1.1.0.0145
> Generic_ACPITime — 6.2.9200.16384
> Generic_AHCI — 1.0.0.0 / 1.0.0.585 / 6.2.7989.0 / 6.2.9200.20652 / 6.3.0.1
> Generic_Disk — 5.2.3790.4171
> Generic_HDABUS — 5.10.01.5013
> Generic_HIDI2C — 6.2.9200.16384
> Generic_MSAHCI — 6.1.7601.26057
> Generic_NVMe — 1.2.0.1 / 1.3.1014.00 / 1.5.1200.00 / 10.4.49.0 / 6.1.7601.23403
> Generic_SD+MMC — 6.2.8056.0
> Generic_UASP — 1.0.0.51 / 6.1.7600.4002 / 6.2.9200.16384
> Generic_USB2 — 5.2.3790.5203
> Generic_USB3 — 6.1.7800.0
> Generic_USB3x — 6.2.9200.21180
> Generic_USBMassStorage — 5.2.3790.5829 / 6.1.7601.25735
> Generic_USBParent — 5.2.3790.5203 / 6.1.7601.24138
> IaNVMe — 4.4.0.1003
> Intel_HCSwitch — 5.0.4.43
> IRST — 16.8.2.1002
> RSTe — 4.7.0.1119
> Samsung_NVMe — 3.3.0.2003
> TPM — 6.1.7601.24564
> WinUSB — 6.2.9200.16384
> https://www.mediafire.com/file/k1zlg5oiz4on5xc/DP_Ported_DriversCollection_v46.7z/file

Could you share an older version of the ported drivers? I don't know why some drivers in v46 seem older than those shown in 2023 and lack some drivers, including the VGA driver?
https://forums.mydigitallife.net/threads/tool-xp2esd-create-modern-windows-xp-installer-v1-6-2.82935/page-134#post-1810919
reboot12 Posted May 14 (edited)

> 7 hours ago, K4sum1 said:
> There are a multitude of differences

Yea, I found also many, many differences. I also noticed this in other files from @Dietmar, e.g. acpi.sys or others - I thought he had compiled it from scratch, but this is Resource Hacker's fault.

> 6 hours ago, Dietmar said:
> I open the hacked newdev.dll with Resources Hacker and store it again. The owner of this tool makes something magically: After this step, always XP is sure, that it is own file. I notice, that it is enough to open the hacked file and just store again.

This is a bad way to fix a file - Resource Hacker unnecessarily rebuilds the whole file and makes many, many unnecessary differences: Please do not use Resource Hacker anymore to fix edited files !!!
To fix an edited file you need only rebuild the checksum - use my nice tool setcsum 32_64 (I compiled also a 64-bit version). Just drag and drop the edited file onto setcsum.exe and press Y for Yes to fix the checksum - now the file is only >>> 5 bytes <<< different from the original:

Search for differences
1. org_newdev.dll: 284 160 bytes
2. fix_newdev.dll: 284 160 bytes
Offsets: hexadec.
130: C0 DD
131: 49 D5
132: 05 04
8928: 74 90
8929: 04 90
5 difference(s) found.

Edited May 14 by reboot12
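As an added example (not reboot12's setcsum, not Resource Hacker, and not code from this thread): a small Python script that does what setcsum does, recomputing the PE header checksum and rewriting only the CheckSum dword, then listing the differing offsets the way the "Search for differences" output above does. The CheckSum field sits at e_lfanew + 0x58; assuming newdev.dll has e_lfanew = 0xD8, that lands on 0x130, which is exactly where the listing shows its first three differences. The sample image is constructed in the script and is not a real DLL.

```python
import struct

def checksum_field_offset(data: bytes) -> int:
    """Offset of the CheckSum dword: e_lfanew (at 0x3C of the DOS header)
    + 24 bytes (PE signature + COFF header) + 64 (same for PE32/PE32+).
    Assumed e_lfanew 0xD8 for newdev.dll gives 0x130, as in the listing."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + 24 + 64
    if off + 4 > len(data):
        raise ValueError("optional header truncated")
    return off

def pe_checksum(data: bytes) -> int:
    """Header checksum as CheckSumMappedFile computes it: 16-bit little-endian
    words summed with end-around carry, the 4-byte CheckSum field skipped,
    then the file length added."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data), 2):
        if off == skip or off == skip + 2:
            continue
        word = data[off]
        if off + 1 < len(data):          # odd trailing byte is zero-padded
            word |= data[off + 1] << 8
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def fix_checksum(data: bytes) -> bytes:
    """Return a copy with only the CheckSum field rewritten (what setcsum does)."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(out), pe_checksum(out))
    return bytes(out)

def edit_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    """Apply a byte edit at offset and fix the checksum; nothing else moves."""
    out = bytearray(data)
    out[offset:offset + len(new)] = new
    return fix_checksum(out)

def byte_diff(a: bytes, b: bytes):
    """(offset, byte_a, byte_b) for every differing position, like the
    'Search for differences' listing."""
    if len(a) != len(b):
        raise ValueError("sizes differ: %d vs %d" % (len(a), len(b)))
    return [(i, a[i], b[i]) for i in range(len(a)) if a[i] != b[i]]

def build_sample() -> bytes:
    """Constructed 168-byte stand-in for a PE file: DOS header, PE signature,
    empty COFF header, PE32+ magic and two bytes of 'code' at 0xA0."""
    img = bytearray(0xA8)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x20B)   # optional header magic
    img[0xA0:0xA2] = bytes([0x74, 0x04])
    return bytes(img)

if __name__ == "__main__":
    orig = fix_checksum(build_sample())
    patched = edit_bytes(orig, 0xA0, b"\x90\x90")
    for off, x, y in byte_diff(orig, patched):
        print("%X: %02X %02X" % (off, x, y))
    print("%d difference(s) found." % len(byte_diff(orig, patched)))
```

A correct header checksum is not a signature: a modified file with a fixed checksum still fails Authenticode / sigverif verification, so the checksum only keeps the loader happy and proves nothing about integrity.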
Dietmar Posted May 14 (edited)

Project: LAN WinDbg / KDNET according to @Mov AX, 0xDEAD for Windows XP SP2 x64 / Server 2003 x64 kernel 3790

Goal:
The goal is to get LAN kernel debugging working for Windows XP Professional x64 Edition / XP SP2 x64 using an Intel i211 LAN adapter on an ASRock Z370 K6 motherboard. COM1 WinDbg already works and serves as the rescue/debug fallback. XP x64 boots via NTLDR.

Current status:
KDNET loads kdnet.dll when using /DEBUGPORT=NET, but it does not connect yet. Several guessed x64 payload hooks were wrong and caused the system to hang immediately or very early.

Hardware / setup:
Motherboard: ASRock Z370 K6 (has CSM and COM1)
LAN: Intel i211
Intel i211 PCI ID: VEN_8086 DEV_1539
Therefore, for MovAX /PCI_ID: /PCI_ID=80861539
Host IP: 192.168.2.102
Target IP: 192.168.2.110
Host port: 50000
Encryption key: 1.2.3.4
CPUFREQ used so far: 3000

Working COM1 fallback boot.ini entry:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP x64 COM1 DEBUG PCILOCK" /fastdetect /DEBUG /DEBUGPORT=COM1 /BAUDRATE=115200 /BREAK /W2003 /PCILOCK

NET boot.ini entry that was tested:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP x64 KDNET i211" /fastdetect /noexecute=optin /DEBUG /DEBUGPORT=NET /HOST_IP=192.168.2.102 /HOST_PORT=50000 /ENCRYPTION_KEY=1.2.3.4 /CPUFREQ=3000 /TARGET_IP=192.168.2.110 /PCI_ID=80861539 /W2003 /PCILOCK /BREAK

Host WinDbg command:
windbg -k net:port=50000,key=1.2.3.4

Host output when KDNET is not working:
Microsoft (R) Windows Debugger Version 6.3.9600.17200 X86
Using NET for debugging
Opened WinSock 2.0
Waiting to reconnect...

MovAX0xDEAD option mapping:
For Intel i211 we use Option A, not Option B.
Option A:
Win8.1 kdnet.dll -> C:\WINDOWS\system32\kdnet.dll
Win8.1 kd_02_8086.dll -> rename to C:\WINDOWS\system32\kdstub.dll
kdnet10.dll is NOT needed for Option A. kdnet10.dll belongs only to MovAX Option B with Win10 kd_02_*.dll, mainly for newer NICs such as i219 and newer. Therefore, for i211, do NOT use kdnet10.dll.
After copying, there is normally no kd_02_8086.dll left under its original name in system32, because it is present as kdstub.dll.

Files on XP x64 for Option A:
C:\WINDOWS\system32\kdnet.dll
C:\WINDOWS\system32\kdstub.dll
C:\WINDOWS\system32\kdcom.dll
Not needed / do not use:
C:\WINDOWS\system32\kdnet10.dll
C:\WINDOWS\system32\kd_02_8086.dll

Important proof regarding the load path:
kdnet.dll was temporarily renamed to kdnet.testoff. Then the NET boot entry was selected. Result: no error message, but black screen / very early hang. Conclusion: /DEBUGPORT=NET really searches for and loads kdnet.dll. Therefore the NET boot path is active. The problem is NOT that XP x64 does not touch kdnet.dll at all.

COM boot observation:
With /DEBUGPORT=COM1 only kdcom.dll is loaded. kdnet.dll / kdstub.dll are not loaded during COM boot, as expected. This does not prove that KDNET is broken. It only proves that COM1 loads the COM KD transport kdcom.dll. Directly debugging a /DEBUGPORT=NET boot via COM1 is not possible, because the kernel debugger transport is NET instead of COM.

Exact KD target environment from COM WinDbg:
vertarget: Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP Free x64
Built by: 3790.srv03_sp2_rtm.070216-1710
XP x64 internally uses the Server 2003 x64 kernel 3790.

Modules / addresses from COM KD:
nt base: fffff80001000000
hal: base fffff80000800000 end fffff8000085e000 size 0005e000
pci.sys: base fffffadcc057c000 end fffffadcc059d000 size 00021000
ACPI.sys: base fffffadcc059d000 end fffffadcc05f2000
kdcom.dll: base fffffadcc09fb000 end fffffadcc0a05000
NDIS.sys: base fffffadcc0205000 end fffffadcc026b000

Important pci.sys addresses / RVAs:
pci!PciHookHal: VA fffffadcc05803e0 RVA 000043e0
pci!PciTranslateBusAddress: VA fffffadcc0580150 RVA 00004150
pci!PciAssignSlotResources: VA fffffadcc057fe20 RVA 00003e20
pci!PciLockDeviceResources: VA fffffadcc0587b90 RVA 0000bb90
pci!PcipSavedAssignSlotResources: VA fffffadcc0587a68 RVA 0000ba68
pci!PcipSavedTranslateBusAddress: VA fffffadcc0587a70 RVA 0000ba70
pci!HalPrivateDispatchTable pointer: VA fffffadcc0584120 RVA 00008120
Content: fffffadcc0584120 = fffff800011b07d0
HalPrivateDispatchTable: VA fffff800011b07d0

Before PciHookHal:
[HalPrivateDispatchTable+38] = fffff800008136a0
[HalPrivateDispatchTable+40] = fffff8000084fa70
After PciHookHal:
[HalPrivateDispatchTable+38] = fffffadcc0580150 = pci!PciTranslateBusAddress
[HalPrivateDispatchTable+40] = fffffadcc057fe20 = pci!PciAssignSlotResources
Saved original values after hook:
pci+0xba68 = fffff8000084fa70
pci+0xba70 = fffff800008136a0

PciHookHal code:
pci!PciHookHal:
fffffadcc05803e0 488b0d393d0000 mov rcx,qword ptr [pci!HalPrivateDispatchTable]
fffffadcc05803e7 488b4140 mov rax,qword ptr [rcx+40h]
fffffadcc05803eb 48890576760000 mov qword ptr [pci!PcipSavedAssignSlotResources],rax
fffffadcc05803f2 488d0527faffff lea rax,[pci!PciAssignSlotResources]
fffffadcc05803f9 48894140 mov qword ptr [rcx+40h],rax
fffffadcc05803fd 488b0d1c3d0000 mov rcx,qword ptr [pci!HalPrivateDispatchTable]
fffffadcc0580404 488b4138 mov rax,qword ptr [rcx+38h]
fffffadcc0580408 48890561760000 mov qword ptr [pci!PcipSavedTranslateBusAddress],rax
fffffadcc058040f 488d053afdffff lea rax,[pci!PciTranslateBusAddress]
fffffadcc0580416 48894138 mov qword ptr [rcx+38h],rax
fffffadcc058041a c3 ret

PCILOCK proof:
The boot options string contained: "DEBUG DEBUGPORT=COM1 BAUDRATE=115200 BREAK PCILOCK"
pci!PciUnicodeStringStrStr successfully searched for PCILOCK.
PCILOCK string: VA fffffadcc0598900 RVA 0001c900 String "PCILOCK"
pci!PciUnicodeStringStrStr: VA fffffadcc0583190 RVA 00007190
RtlEqualUnicodeString call inside PciUnicodeStringStrStr: VA fffffadcc05831fc RVA 000071fc
Success path: VA fffffadcc0583238 RVA 00007238

DriverEntry area relevant to PCILOCK:
fffffadcc05980f0 call pci!PciGetRegistryValue
fffffadcc05980f5 test eax,eax
fffffadcc05980f7 js pci!DriverEntry+0x24d
fffffadcc05980f9 mov ecx,dword ptr [rsp+68h]
fffffadcc05980fd lea rax,[pci!string = PCILOCK at fffffadcc0598900]
fffffadcc059814b call pci!PciUnicodeStringStrStr
fffffadcc0598150 test al,al
fffffadcc0598152 je pci!DriverEntry+0x24d
fffffadcc0598154 mov byte ptr [pci!PciLockDeviceResources],dil

Manual setting was tested:
eb fffffadcc0587b90 01
db fffffadcc0587b90 L10
Result: fffffadcc0587b90 01 00 00 00 00 00 00 00 ...

Conclusion regarding PCILOCK:
/PCILOCK works on XP x64. pci!PciLockDeviceResources is set to 1 by it. PciHookHal runs cleanly. HalPrivateDispatchTable is patched correctly. The old x86 MovAX PCI hack using [esi+43h] and [esi+38h] must NOT be transferred 1:1 to x64.

HAL x64 search / patch area:
hal base fffff80000800000
Search: s -b fffff80000800000 L5e000 f7 c2 f0 ff ff ff f7
No hit.
Search: s -b fffff80000800000 L5e000 f7 c2 f0 ff ff ff
Hit: fffff8000080970d f7 c2 f0 ff ff ff 75 0e ...
The real x64 instruction starts one byte earlier:
fffff8000080970c 49 f7 c2 f0 ff ff ff = test r10,0FFFFFFFFFFFFFFF0h

Surrounding HAL code:
fffff800008096d0 eb56 jmp fffff80000809728
fffff800008096d2 3bcb cmp ecx,ebx
fffff800008096d4 734d jae fffff80000809723
fffff800008096d6 4e8d44e238 lea r8,[rdx+r12*8+38h]
fffff800008096e0 498b10 mov rdx,qword ptr [r8]
fffff800008096e3 493bd3 cmp rdx,r11
fffff800008096e6 773b ja fffff80000809723
fffff800008096e8 4d8b50f8 mov r10,qword ptr [r8-8]
fffff800008096ec 498d4201 lea rax,[r10+1]
fffff800008096f0 483bc2 cmp rax,rdx
fffff800008096f3 752e jne fffff80000809723
fffff800008096f5 498bc2 mov rax,r10
fffff800008096f8 4833c2 xor rax,rdx
fffff800008096fb 48a90000f0ff test rax,0FFFFFFFFFFF00000h
fffff80000809701 7520 jne fffff80000809723
fffff80000809703 4080fe01 cmp sil,1
fffff80000809707 740c je fffff80000809715
fffff80000809709 4c33d2 xor r10,rdx
fffff8000080970c 49f7c2f0ffffff test r10,0FFFFFFFFFFFFFFF0h
fffff80000809713 750e jne fffff80000809723
fffff80000809715 81c100100000 add ecx,1000h
fffff8000080971b 4983c008 add r8,8
fffff8000080971f 3bcb cmp ecx,ebx
fffff80000809721 72bd jb fffff800008096e0
fffff80000809723 3bcb cmp ecx,ebx
fffff80000809725 0f47cb cmova ecx,ebx
fffff80000809728 4885ff test rdi,rdi
...
fffff800008097cf 4c8b742408 mov r14,qword ptr [rsp+8]
fffff800008097d4 4c8b642410 mov r12,qword ptr [rsp+10h]
fffff800008097d9 488b7c2418 mov rdi,qword ptr [rsp+18h]
fffff800008097de 488b742420 mov rsi,qword ptr [rsp+20h]
fffff800008097e3 488b6c2428 mov rbp,qword ptr [rsp+28h]
fffff800008097e8 488b5c2430 mov rbx,qword ptr [rsp+30h]
fffff800008097ed 4883c438 add rsp,38h
fffff800008097f1 c3 ret

Additional HAL functions:
fffff800008136a0:
fffff800008136a0 488b442428 mov rax,qword ptr [rsp+28h]
fffff800008136a5 4c8900 mov qword ptr [rax],r8
fffff800008136a8 b001 mov al,1
fffff800008136aa c3 ret
fffff8000084fa70:
fffff8000084fa70 488bc4 mov rax,rsp
fffff8000084fa73 4881ec28010000 sub rsp,128h
fffff8000084fa7a 83bc245001000005 cmp dword ptr [rsp+150h],5
...

Important MovAX x86 ASM block from the chat:
use32
ORG equ $80037490
BASE equ $80010000
Continue1 equ $8001B5FA - ($$+ORG)
HalpKdReadPCIConfig@20 equ $80021404
HalpKdWritePCIConfig@20 equ $80021408
GetPciDataByOffset equ $800371B2
SetPciDataByOffset equ $80037020
CPUFREQ_STR equ $80037360
W2003_STR equ $80037368
DEVID_STR equ $8003736E
Win2003 equ $80021178
Header_Patch equ $8001016C
PCI_ID equ $800211AA
__strupr equ $8001B76C - ($$+ORG)
_strstr equ $8001B6E0 - ($$+ORG)

MovAX x86 payload logic from ASM:
Start jumps to MyPatches.
MyPatches begins with: add esp,0Ch; push eax/ecx/edx/esi/edi/ebx
Base is obtained via call/pop: call $+5; pop edi; sub edi, base1+ORG-BASE
kdnet internal PCI config function pointers are replaced:
HalpKdReadPCIConfig@20 -> GetPciDataByOffset
HalpKdWritePCIConfig@20 -> SetPciDataByOffset
Header_Patch is set to 5.
The loader block is searched for kdstub.dll. Optionally, kdnet10.dll is searched.
PE header / reloc / security cookie are patched.
/W2003 is searched for inside the boot options string.
/PCI_ID=xxxxxxxx is searched for and stored in PCI_ID.
hal.dll is searched. Inside hal.dll, this magic byte sequence is searched: F7 C2 F0 FF FF FF F7
A JMP to Patch_PCI64 is installed there.
pci.sys is searched. Inside pci.sys, this magic byte sequence is searched: B0 01 EB AE CC
A JMP to Patch_Debug_PCI is installed there.
Then registers are restored and execution jumps to Continue1.

MovAX x86 HAL patch:
Patch_PCI64:
mov eax,edx
and eax,6
cmp eax,4
jnz PCI32
add dword [ebp+??],4
dec dword [ebp-??]
PCI32:
test edx,FFFFFFF0h
jmp back

MovAX x86 PCI patch:
Patch_Debug_PCI:
mov al,1
mov esi,[ebp+8]
cmp byte [esi+43h],2
jnz Skip_This
mov dword [esi+38h],BEEFDEADh
Skip_This:
jmp back

Important conclusion:
This x86 patch is NOT directly transferable to x64. The instruction add esp,0Ch proves that MovAX did not simply hook at the beginning of KdDebuggerInitialize0. The hook location is a specific x86 location with a specific stack situation. My previous x64 hook at KdDebuggerInitialize0+0 was guessed and wrong.

Previously incorrect test packages / results:
1. test1
kdnet.dll was only patched for PE/header/import compatibility. No real ASM payload.
Result: Host only waits with "Waiting to reconnect".
Conclusion: boot path yes, functionality no.
2. test2
A real x64 payload was inserted, but it was wrong. Hook at KdDebuggerInitialize0 RVA 0x569c. New section .xpth RVA 0x29000 / VA 0x80039000. Payload searched the loader list / pci.sys and set pci+0xBB90.
Result: XP x64 hangs from the beginning / very early.
Conclusion: kdnet.dll is loaded and hook/payload is probably reached, but the approach is wrong.
3. test3
No-op payload with new section .xpnop. Hook still at KdDebuggerInitialize0 RVA 0x569c.
Result: hangs after about one second.
Conclusion: hook location / approach has not been proven correct; no-op does not fix anything.
4. test4
No-op payload inside .reloc instead of a new section. No new section. Hook still at KdDebuggerInitialize0 RVA 0x569c.
Result: hangs as before.
Additional mistake: .reloc is not executable, which is problematic with NX.
5. test5
No-op payload in an executable .text code cave. No new section, no .reloc code. Hook still at KdDebuggerInitialize0 RVA 0x569c.
Result: immediate hang.
Conclusion: hook at KdDebuggerInitialize0+0 is wrong / not conceptually equivalent to MovAX.

Important correction:
Do not continue hooking KdDebuggerInitialize0+0. Do not use any more guessed x64 hooks. First the real x86 MovAX patch must be analyzed at binary level.

What needs to be done next:
Obtain the original x86 Win8.1 kdnet.dll version 6.3.9600.17276. Apply MovAX kdnet_delta.bin to it. Binary-diff the original x86 kdnet.dll against the MovAX-patched x86 kdnet.dll. Determine exactly:
Which bytes were changed at the real hook location?
Where does the first JMP go?
Which x86 function is it really?
Which original instructions are replaced?
Why is add esp,0Ch necessary at the beginning of the payload?
Which register / stack situation does the payload expect?
Find this exact function semantically inside the x64 kdnet.dll. Only then write the x64 ASM. The x64 payload must use the real MovAX-analogous location, not KdDebuggerInitialize0+0.

Values still missing for a real x64 MovAX port:
x64 hook location analogous to the real x86 MovAX hook location.
x64 continue address analogous to x86 Continue1 0x8001B5FA.
x64 equivalents of: HalpKdReadPCIConfig, HalpKdWritePCIConfig, GetPciDataByOffset, SetPciDataByOffset, PCI_ID, Win2003, Header_Patch
x64 equivalent of the location where x86 add esp,0Ch was semantically necessary.
x64 implementation of the HAL patch, if it is really still necessary.
x64 replacement for the x86 PCI structure hack, or a deliberate decision to omit it because /PCILOCK already works.

What is certain:
/DEBUGPORT=NET loads kdnet.dll on XP x64.
If kdnet.dll is missing, the system reaches an early black screen.
Intel i211 Option A means: kdnet.dll + kd_02_8086.dll renamed as kdstub.dll.
kdnet10.dll is wrong for our i211 / Option A test.
/PCILOCK works on XP x64 and sets pci!PciLockDeviceResources.
PciHookHal works and patches HalPrivateDispatchTable correctly.
The old x86 PCI hack using [esi+43h] and [esi+38h] is not directly usable on x64.
The previous x64 payload test packages were not MovAX-conformant because the hook location was guessed.

What is not certain:
Whether the Win8.1 x64 kdnet.dll can fully run on XP x64 with only an x64 MovAX payload.
Whether the HAL patch is still necessary on x64.
Whether /PCILOCK fully replaces the x86 PCI hack.
Whether the Intel i211 kdstub.dll from Win8.1 x64 fully initializes without additional cookie / LoadConfig patches.
Whether host KD version 6.3.9600.17200 is sufficient or whether an exact matching version is required.

Important for the next step:
Do not claim that the ASM payload has already been inserted correctly. Do not hook KdDebuggerInitialize0+0 again. First diff the original x86 kdnet.dll against the MovAX-patched kdnet.dll. Then port the real hook location to x64.

Relevant MovAX note:
> Yes, quite a lot. I attached part of the FASM source code; you need to convert it to x64 ASM. The remaining part is injected code inside kdnet.dll.

Edited May 14 by Dietmar
K4sum1 Posted May 14

> 20 hours ago, Dietmar said:
> But, because XP may cry, when you offer to it a hacked file,

I thought that was only for .sys drivers, at least until you got to Windows 8, where it got fussy about system DLL files afaik. But also idk about this case specifically.

> 18 hours ago, Dietmar said:
> PS: You also get with the RTL8125 this "The parameter is incorrect". Is this message now gone with my modded newdev.dll ?

So I did that, but I get a code 28 when trying to install the new driver; it fails to install. It just prompts me to install it again right after. However, if I tell it to automatically install, it actually installs, but gives me a code 10 and doesn't start. I went back to the old driver to try it on just the RTL8125, and it actually installed and recognized the device; however, it never connected. However, it also made the RTL8126 with the new driver go from code 10 to supposedly working. So I plugged the Ethernet cable into the RTL8126, and a few seconds later I got this BSOD. So the driver still needs some work, at least to work on my machine.

> 20 hours ago, wyf180 said:
> Could you share older version of ported drivers?I don't know why some drivers in v46 seem older then shown in 2023 and lack some drivers including vga driver?

I know newer isn't always better here, and I'd probably trust this collection more than newer drivers, as I've had them be unreliable. However, I also need to get around to testing this collection, so idk.

> 15 hours ago, reboot12 said:
> To fix edited file you need only rebuild checksum - use my nice tool setcsum 32_64 (I compiled also 64-bit version). Just drag and drop the edited file to setcsum.exe and press Y for Yes to fix the checksum - now the file is only >>> 5 bytes <<< different from the original:

For me, I would use the CFF Explorer Rebuilder to update the checksum, but this looks like it would work and be fewer clicks. It would be cool to have a reg file to add it to the right-click or Shift + right-click menu for increased efficiency.