Damnation
Posted March 30 (edited)

@Dietmar Here's how you might be able to use AI to help you reverse engineer. You'll need 3 tools.

pdbripper - https://github.com/horsicq/PDBRipper/releases/tag/2.03
relyze disassembler - https://www.relyze.com/download.html
I use relyze because I've found that neither Ghidra nor IDA Pro will let me just copy the assembly code of a single function into a text file or the clipboard.
Lastly, Perplexity AI - https://www.perplexity.ai/

---

OK, let's pick a sizable function from the Netwtn04.sys file using the PDB symbols we have, let's go with oscWfdeSetPreferredOperatingChannel.

Using relyze, oscWfdeSetPreferredOperatingChannel is defined as this:

int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )

We will need to get the struct definitions for MINIPORT_CONTEXT and OID_EVENT_DATA for perplexity AI to use or it'll bul***** its way through with hallucinations, so this is what pdbripper is for.
Using pdbripper we can get this for struct definitions -

```c
struct _MINIPORT_CONTEXT {
    void * hMiniportAdapterHandle;
    void * hWrapperConfigContext;
    void * hNdisMiniportDmaHandle;
    struct _FLOW_PROCESSOR * pHmacFlowProcessor;
    struct _FLOW_PROCESSOR * pMmacFlowProcessor;
    struct _JOB_SCHEDULER_DATA * pJobScheduler;
    long numWorkitemsRunningWithoutJobSched;
    void * pOsc;
    struct _ALON_CONTEXT * pAlonContext;
    struct _MLME_SUBSYSTEM * pMlmeSubSystem;
    struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
    struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
    void * pUmacContext;
    struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
    struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
    long version;
    long productVersion;
    enum _MINIPORT_STATE uNdisMiniportState;
    struct _SpinlockR NdisMiniportStateLock;
    struct _SpinlockR NdisMiniportSendPacketLock;
    struct _SpinlockR contextLock;
    unsigned char bIsInMPInitialize;
    long bMiniportInitiatedHandshake;
    struct _MINIPORT_RESET_CONTEXT miniportReset;
    struct _DOT11_MIB_CONTEXT dot11Mib;
    struct _MIB_TABLE * pMib;
    struct _DATA_PATH_CONTEXT * pDataPathContext;
    void * pDeviceContext;
    enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
    union _LARGE_INTEGER lastOsScanTime;
    struct _MEMORY_MANAGER memoryManager;
    class CheckForHang * pCheckForHang;
    int doesUmacRunInHost;
    struct _XVT_CONTEXT * pXvtContext;
    int bXvtProxyModeEnabled;
    struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
    int isWdi;
    int bWdiOffloadMode;
    int bRestartPending;
    int bMacAddressRandomizationEnabled;
};

struct _OID_EVENT_DATA {
    unsigned long oid;
    void * pInfoBuffer;
    unsigned long infoBufferLen;
    unsigned long methodOutputBufferLen;
    unsigned long * pBytesUsed;
    unsigned long * pMethodBytesWritten;
    unsigned long * pBytesNeeded;
    unsigned short opCode;
    unsigned long portNumber;
    struct _NDIS_OID_REQUEST * pNdisOidRequest;
};
```

Then, in relyze we right click inside the oscWfdeSetPreferredOperatingChannel disassembly window and select Export -> To Clipboard
(Function). We now write a prompt for perplexity AI.

---

Using the following struct definitions -

```c
struct _MINIPORT_CONTEXT {
    void * hMiniportAdapterHandle;
    void * hWrapperConfigContext;
    void * hNdisMiniportDmaHandle;
    struct _FLOW_PROCESSOR * pHmacFlowProcessor;
    struct _FLOW_PROCESSOR * pMmacFlowProcessor;
    struct _JOB_SCHEDULER_DATA * pJobScheduler;
    long numWorkitemsRunningWithoutJobSched;
    void * pOsc;
    struct _ALON_CONTEXT * pAlonContext;
    struct _MLME_SUBSYSTEM * pMlmeSubSystem;
    struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
    struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
    void * pUmacContext;
    struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
    struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
    long version;
    long productVersion;
    enum _MINIPORT_STATE uNdisMiniportState;
    struct _SpinlockR NdisMiniportStateLock;
    struct _SpinlockR NdisMiniportSendPacketLock;
    struct _SpinlockR contextLock;
    unsigned char bIsInMPInitialize;
    long bMiniportInitiatedHandshake;
    struct _MINIPORT_RESET_CONTEXT miniportReset;
    struct _DOT11_MIB_CONTEXT dot11Mib;
    struct _MIB_TABLE * pMib;
    struct _DATA_PATH_CONTEXT * pDataPathContext;
    void * pDeviceContext;
    enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
    union _LARGE_INTEGER lastOsScanTime;
    struct _MEMORY_MANAGER memoryManager;
    class CheckForHang * pCheckForHang;
    int doesUmacRunInHost;
    struct _XVT_CONTEXT * pXvtContext;
    int bXvtProxyModeEnabled;
    struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
    int isWdi;
    int bWdiOffloadMode;
    int bRestartPending;
    int bMacAddressRandomizationEnabled;
};

struct _OID_EVENT_DATA {
    unsigned long oid;
    void * pInfoBuffer;
    unsigned long infoBufferLen;
    unsigned long methodOutputBufferLen;
    unsigned long * pBytesUsed;
    unsigned long * pMethodBytesWritten;
    unsigned long * pBytesNeeded;
    unsigned short opCode;
    unsigned long portNumber;
    struct _NDIS_OID_REQUEST * pNdisOidRequest;
};
```

Convert the following x86 assembly into human readable C code -

```asm
int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )
{
push ebp
mov ebp, esp
push edi
mov edi, dword ptr [pMpContext]
test edi, edi
jnz code_0x4235
code_0x422B:
mov eax, 0xE0020001
pop edi
pop ebp
ret 0x8
code_0x4235:
push ebx
push esi
mov esi, dword ptr [pOid]
mov ebx, dword ptr [esi+0x4]
test ebx, ebx
jnz code_0x424D
code_0x4241:
pop esi
pop ebx
mov eax, 0xE0020001
pop edi
pop ebp
ret 0x8
code_0x424D:
movzx eax, word ptr [esi+0x1C]
mov ecx, 0x5
cmp cx, ax
jz code_0x4271
code_0x425B:
mov ecx, 0x2
cmp cx, ax
jz code_0x4271
code_0x4265:
pop esi
pop ebx
mov eax, 0xC0000001
pop edi
pop ebp
ret 0x8
code_0x4271:
push 0x0
push 0x8
push 0xFF10060B
push esi
call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
test eax, eax
jnz code_0x42E3
code_0x4284:
push ebx
push edi
call vifMgrGetContext; inline struct _VIF_MGR_CONTEXT * __stdcall( struct _MINIPORT_CONTEXT * pMpCotnext )
push eax
call vifMgrChSelSetPreferredOperatingChannel; int32_t __stdcall( struct _VIF_MGR_CONTEXT * pVifMgrContext, struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL * pOpChannelParams )
mov edi, eax
test edi, edi
jz code_0x42D6
code_0x4297:
mov ecx, dword ptr [WPP_GLOBAL_Control]
cmp ecx, va_ptr WPP_GLOBAL_Control
jz code_0x42D6
code_0x42A5:
test byte ptr [ecx+0x530], 0x1
jz code_0x42D6
code_0x42AE:
cmp byte ptr [ecx+0x52D], 0x2
jb code_0x42D6
code_0x42B7:
mov eax, dword ptr [ecx+0x524]
push va_ptr string_oscWfdeSet; "oscWfdeSetPreferredOperatingChannel"
push va_ptr WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids
push 0x3B
push eax
mov eax, dword ptr [ecx+0x520]
push eax
call WPP_SF_s; void __stdcall( uint64_t Logger, uint16_t id, struct _GUID * TraceGuid, char * _a1 )
code_0x42D6:
push edi
push 0x0
push 0x8
push esi
call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
mov eax, edi
code_0x42E3:
pop esi
pop ebx
pop edi
pop ebp
ret 0x8
}
```

---

Perplexity AI gave me this answer.

```c
int32_t __stdcall oscWfdeSetPreferredOperatingChannel(
    struct _MINIPORT_CONTEXT *pMpContext,
    struct _OID_EVENT_DATA *pOid)
{
    int32_t status;
    struct _VIF_MGR_CONTEXT *vifCtx;
    struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *params;

    // Validate inputs
    if (pMpContext == NULL)
        return 0xE0020001;
    if (pOid == NULL || pOid->pInfoBuffer == NULL)
        return 0xE0020001;

    // Validate opcode (must be 2 or 5)
    if (pOid->opCode != 2 && pOid->opCode != 5)
        return 0xC0000001;

    // Validate OID + buffer lengths
    status = OidEventHandlerPrologCommon(
        pOid,
        0xFF10060B,
        8,
        0
    );
    if (status != 0)
        return status;

    // Extract input buffer
    params = (struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *)pOid->pInfoBuffer;

    // Get VIF manager context and set preferred channel
    vifCtx = vifMgrGetContext(pMpContext);
    status = vifMgrChSelSetPreferredOperatingChannel(vifCtx, params);

    // Logging (WPP)
    if (status != 0) {
        if (WPP_GLOBAL_Control != NULL &&
            (WPP_GLOBAL_Control->Flags[0x530] & 0x1) &&
            WPP_GLOBAL_Control->Level >= 2) {
            WPP_SF_s(
                WPP_GLOBAL_Control->Logger,
                0x3B,
                &WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids,
                "oscWfdeSetPreferredOperatingChannel"
            );
        }
    }

    // Complete OID handling
    OidEventHandlerEpilog(
        pOid,
        0,   // bytesRead
        8,   // bytesWritten
        status
    );

    return status;
}
```

https://www.perplexity.ai/search/using-the-following-struct-def-iH1rN.zcSMaVPiFOgI5RlA

@Dietmar Do you find this helpful?

Edited March 30 by Damnation
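A mechanical check worth running before accepting a model-produced decompilation like the one above: under `__stdcall` the caller pushes arguments right to left, so the push nearest the `call` is the first parameter, the callee pops its own arguments, and a 64-bit argument such as `uint64_t Logger` occupies two pushes. The script below is an added example, not code from the original post or from Relyze or Perplexity. It replays a trimmed copy of the push/call lines from the listing above (taken from the post, with branches and the other instructions dropped) against the `call name; prototype` comments Relyze emits and prints every call with its arguments bound by name. It assumes that annotation format and a flat, branch-free stack model, and it recognises 64-bit parameters only by the substring `64` in the declared type.

```python
"""Bind __stdcall arguments from pushes in a Relyze-style listing.

Added example: replays push/call lines with a simulated stack so each
annotated call can be shown with named arguments.  Nearest push = first
parameter; the callee pops its own arguments, so binding consumes them.
"""
import re

# Constructed sample: the call sites of oscWfdeSetPreferredOperatingChannel
# from the post above, trimmed to the push/call/mov lines that matter.
LISTING = """
push 0x0
push 0x8
push 0xFF10060B
push esi
call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
test eax, eax
push ebx
push edi
call vifMgrGetContext; inline struct _VIF_MGR_CONTEXT * __stdcall( struct _MINIPORT_CONTEXT * pMpCotnext )
push eax
call vifMgrChSelSetPreferredOperatingChannel; int32_t __stdcall( struct _VIF_MGR_CONTEXT * pVifMgrContext, struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL * pOpChannelParams )
mov edi, eax
mov eax, dword ptr [ecx+0x524]
push va_ptr string_oscWfdeSet; "oscWfdeSetPreferredOperatingChannel"
push va_ptr WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids
push 0x3B
push eax
mov eax, dword ptr [ecx+0x520]
push eax
call WPP_SF_s; void __stdcall( uint64_t Logger, uint16_t id, struct _GUID * TraceGuid, char * _a1 )
push edi
push 0x0
push 0x8
push esi
call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
mov eax, edi
"""

# "call <name>; <ret type> __stdcall( <params> )" as Relyze writes it
CALL_RE = re.compile(r"^call\s+(\w+)\s*;.*?__stdcall\s*\((.*)\)\s*$")


def parse_params(param_list):
    """Split 'type name, type name' into (type, name, slots).

    A 64-bit integer takes two 32-bit stack slots; the '64' substring test
    is a heuristic (assumption) good enough for the prototypes Relyze emits.
    """
    params = []
    for decl in param_list.split(","):
        tokens = decl.split()
        if not tokens:
            continue
        name = tokens[-1].lstrip("*")
        ctype = " ".join(tokens[:-1])
        params.append((ctype, name, 2 if "64" in ctype else 1))
    return params


def map_stdcall_args(listing):
    """Return [(callee, [(param, operand), ...])] for each annotated call."""
    stack = []      # operands pushed so far, bottom -> top
    calls = []
    for raw in listing.strip().splitlines():
        line = raw.strip()
        mnemonic, _, rest = line.partition(" ")
        if mnemonic == "push":
            stack.append(rest.split(";")[0].strip())   # drop trailing comment
            continue
        if mnemonic == "pop":
            if stack:
                stack.pop()
            continue
        m = CALL_RE.match(line)
        if not m:
            continue                                    # not a call we can bind
        callee, params = m.group(1), parse_params(m.group(2))
        bound = []
        for _ctype, name, slots in params:
            if len(stack) < slots:
                raise ValueError(f"{callee}: not enough pushes for {name}")
            # top of stack first: low dword before high dword for 64-bit args
            bound.append((name, ":".join(stack.pop() for _ in range(slots))))
        calls.append((callee, bound))
    return calls


def render(calls):
    """Format each binding as a C-style call with named arguments."""
    lines = []
    for callee, bound in calls:
        args = ", ".join(f"{name}={value}" for name, value in bound)
        lines.append(f"{callee}({args})")
    return lines


if __name__ == "__main__":
    for text in render(map_stdcall_args(LISTING)):
        print(text)
```

Run as-is it reports `OidEventHandlerEpilog(pOid=esi, bytesRead=0x8, bytesWritten=0x0, rc=edi)` and `WPP_SF_s(Logger=eax:eax, id=0x3B, ...)`; holding the decompiled `OidEventHandlerEpilog` call above against that line is exactly the kind of comparison that catches a swapped argument pair in model output, and the interleaved `push ebx` / `push edi` around `vifMgrGetContext` shows why a naive "pushes immediately before the call" rule is not enough.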
user57
Posted March 30

It seems that it translated correctly to me. 2 things for example raise questions to me, but that "WPP_GLOBAL_Control" - it did not translate the access names, instead "WPP_GLOBAL_Control->Flags[0x530] = (hex)" - that certainly works, but no names, just the distance. Also whatever this is, "0xFF10060B", it might also have a name. Still, that code will function, I think so from my side, and I do translate such things; that sounds ok to me.

You will have a big problem still, it seems that Dietmar needs an entire driver like this - which is like a lot. Somewhere in that Dietmar related post I also saw some side drivers - there he also would have to get out the things. The linux idea is not bad either - it has a working solution from what I understand? So certainly you can repeat that one on windows.