Re: lekt player
Posted: Thu Apr 02, 2015 11:52 pm
by sbgk
lekt wrote:sbgk wrote:wow, finally got it working for waitforsingleobject, what a difference.
I'm using win 10 and the syscall is 851972, would you believe.
Now if I can get deviceiocontrolfile working.
thanks for your help.
enjoy it!
i use onboard laptop sound card, so can't test deviceiocontrolfile with KS, can you upload dll file set of win10, will learn something from it. many api functions on my win8 don't work when i use syscall, hmm...
Try NtCreateFile, NtReadFile,... maybe work for you on win10.
ollydbg is good also used the program on this page to get the syscall
http://www.evilsocket.net/2014/02/11/on ... oNNX6.dpbs
what's the point of doing functions not in the render loop ?
wavecyclic kernel streaming just uses ntwaitforsingleobject and ntdeviceiocontrolfile, you should be able to use wavert which uses gather/scatter with inbuilt cards, but programming a bit more complicated.
How do you work out how the parameters are handled eg the mov r10, hEvent ?
Re: lekt player
Posted: Fri Apr 03, 2015 4:46 am
by lekt
sbgk wrote:...How do you work out how the parameters are handled eg the mov r10, hEvent ?
don't understand you. r10 receives value from rcx (mov r10, rcx). rcx is first parameter of NtFunctionxxx. so now can directly mov hEvent to r10 in code, don't need touch rcx.
use IDA, all things are clearly shown. all syscall numbers in ntdll.dll (in export table window, double click to function name and IDA jumps to code view window:
; Exported entry 311. NtDeviceIoControlFile
; Exported entry 1664. ZwDeviceIoControlFile
public ZwDeviceIoControlFile
ZwDeviceIoControlFile proc near
mov r10, rcx ; NtDeviceIoControlFile
mov eax, 5
syscall
retn
ZwDeviceIoControlFile endp
can get function code from kernelbase.dll, try learn this code.
; BOOL __stdcall DeviceIoControl(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped)
public DeviceIoControl
DeviceIoControl proc near
....
(MSDN: NtDeviceIoControlFile Deprecated... NtDeviceIoControlFile is superseded by DeviceIoControl.)
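The stub layout lekt pastes from IDA (mov r10, rcx; mov eax, N; syscall; retn) is also the byte pattern a defender scans a dumped code section for when checking whether syscall stubs exist outside ntdll, and the eax immediate it loads is only partly meaningful to the kernel. The following is an added Python example, not code from the thread or from the lekt player: it finds that pattern in a constructed blob and splits the immediate the way the x64 dispatcher does (low 12 bits = table index, bit 12 = win32k table), including the raw numbers quoted in this thread; the sample blob and the tolerance for a short test/jnz between mov eax and syscall are assumptions.

```python
import re
import struct

# x64 ntdll stub layout as it appears in lekt's IDA listing:
#   4C 8B D1          mov r10, rcx
#   B8 xx xx xx xx    mov eax, <service number>
#   0F 05             syscall
#   C3                ret
# Assumption: some builds insert a short test/jnz between "mov eax" and
# "syscall", so the pattern tolerates up to 16 bytes there (non-greedy, so
# nothing is skipped in the classic layout).
STUB_RE = re.compile(rb"\x4c\x8b\xd1\xb8(.{4}).{0,16}?\x0f\x05\xc3", re.DOTALL)


def decode_service_number(eax: int) -> dict:
    """Split the eax value the way the x64 dispatcher does: the low 12 bits
    index the service table, bit 12 selects the win32k (shadow) table, and
    the bits above that are masked off before the lookup."""
    return {
        "index": eax & 0xFFF,
        "win32k_table": bool(eax & 0x1000),
        "masked_upper": eax >> 13,
    }


def find_stubs(blob: bytes) -> list:
    """Locate every syscall stub in a byte blob (e.g. a dumped code section)
    and decode the immediate it loads into eax."""
    hits = []
    for m in STUB_RE.finditer(blob):
        eax = struct.unpack("<I", m.group(1))[0]
        hits.append({"offset": m.start(), "eax": eax, **decode_service_number(eax)})
    return hits


# Constructed sample blob: a classic stub carrying lekt's Win8 number for
# NtDeviceIoControlFile (5), some padding, then a stub carrying the raw value
# sbgk quoted for NtWaitForSingleObject (851972 = 0xD0004).
SAMPLE_BLOB = (
    b"\x90\x90"
    + b"\x4c\x8b\xd1\xb8" + struct.pack("<I", 5) + b"\x0f\x05\xc3"
    + b"\xcc" * 4
    + b"\x4c\x8b\xd1\xb8" + struct.pack("<I", 851972) + b"\x0f\x05\xc3"
)

if __name__ == "__main__":
    for hit in find_stubs(SAMPLE_BLOB):
        print(hit)
    # The other number quoted in the thread, 1769479 (0x1B0007), decodes to index 7.
    print(decode_service_number(1769479))
```

Only the low 12 bits and bit 12 of the immediate matter to the dispatcher, so two stubs whose immediates differ only above bit 12 select the same service.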
Re: lekt player
Posted: Fri Apr 03, 2015 9:06 am
by sbgk
this is what I currently call
; 357 : // DeviceIoControl(
; 358 : // H,
; 359 : // IOCTL_KS_WRITE_STREAM,
; 360 : // NULL,
; 361 : // 0,//NULL,
; 362 : // &P0,
; 363 : // P0.Size,// Packets0.Header.Size,
; 364 : // NULL,//&cbReturned,
; 365 : //&S0);
; 366 :
; 367 : PD(
mov eax, DWORD PTR P0
xor r9d, r9d
mov rdx, QWORD PTR S0+24
xor r8d, r8d
mov rcx, QWORD PTR H
mov DWORD PTR [rsp+72], eax
mov QWORD PTR [rsp+64], rsi
mov BYTE PTR [rsp+56], bl
mov QWORD PTR [rsp+48], rbx
mov DWORD PTR [rsp+40], 3112979 ; 002f8013H
mov QWORD PTR [rsp+32], rdi
call QWORD PTR PD
so changed it to
mov eax, DWORD PTR P0
xor r9d, r9d
mov rdx, QWORD PTR S0+24
xor r8d, r8d
mov r10, QWORD PTR H
mov DWORD PTR [rsp+72], eax
mov QWORD PTR [rsp+64], rsi
mov BYTE PTR [rsp+56], bl
mov QWORD PTR [rsp+48], rbx
mov DWORD PTR [rsp+40], 3112979 ; 002f8013H
mov QWORD PTR [rsp+32], rdi
mov eax, 1769479
syscall
didn't work, so either the syscall number is incorrect or the parameters are.
Any ideas ?
Have uploaded win 10 ntdll.dll, would much appreciate if you could confirm the syscall nos for ntwaitforsingleobject and ntdeviceiocontrolfile using ida. Thanks
it's not really deprecated because deviceiocontrol calls it.
Re: lekt player
Posted: Fri Apr 03, 2015 9:56 am
by lekt
my IDA show:
...
call cs:NtDeviceIoControlFile
mov ecx, eax
cmp eax, 103h
jz loc_18002CB66
...
loc_18002CB66:
xor r8d, r8d
xor edx, edx
mov rcx, rdi
call cs:NtWaitForSingleObject
mov ecx, eax
test eax, eax
js loc_1800022C0
.....
that needs to check the return value: cmp eax, 103h
and must call cs:NtWaitForSingleObject if needed (when eax=103h). NtReadFile and many functions also need to wait for completion of the task.
you can get syscall numbers from
http://j00ru.vexillium.org/ http://j00ru.vexillium.org/ntapi_64/
just not for win10.
Re: lekt player
Posted: Fri Apr 03, 2015 10:05 am
by sbgk
just have the demo version of ida, this is what I get when double click on ntdeviceiocontrolfile
4B2E84D0 public NtDeviceIoControlFile
.text:4B2E84D0 NtDeviceIoControlFile proc near ; CODE XREF: sub_4B36FC30+63p
.text:4B2E84D0 ; sub_4B36FD9E+AAp
.text:4B2E84D0 ; DATA XREF: ...
.text:4B2E84D0 mov eax, 1B0007h ; NtDeviceIoControlFile
.text:4B2E84D5 mov edx, offset sub_4B2FCA80
.text:4B2E84DA call edx ; sub_4B2FCA80
.text:4B2E84DC retn 28h
.text:4B2E84DC NtDeviceIoControlFile endp
no r10 , is that because demo is for 32 bit o/s and r10 is used in 64 bit ?
the syscall no looks correct.
Re: lekt player
Posted: Fri Apr 03, 2015 11:15 am
by lekt
the first, you used ntdll.dll for x86, need copy ntdll.dll from windows\system32 (not from SysWOW64, there's for x86 run on x64).
i use IDA v6.1 (64-bit) portable, .rar file 101MB, forgot link download. Prefer this software, just enough for me.
Re: lekt player
Posted: Fri Apr 03, 2015 11:19 am
by sbgk
lekt wrote:my IDA show:
...
call cs:NtDeviceIoControlFile
mov ecx, eax
cmp eax, 103h
jz loc_18002CB66
...
loc_18002CB66:
xor r8d, r8d
xor edx, edx
mov rcx, rdi
call cs:NtWaitForSingleObject
mov ecx, eax
test eax, eax
js loc_1800022C0
.....
that needs to check the return value: cmp eax, 103h
and must call cs:NtWaitForSingleObject if needed (when eax=103h). NtReadFile and many functions also need to wait for completion of the task.
you can get syscall numbers from
http://j00ru.vexillium.org/ http://j00ru.vexillium.org/ntapi_64/
just not for win10.
thanks, so a bit more complicated than calling ntwaitforsingleobject, maybe that's the best I can get to because I use registers in the render loop so couldn't use rdi for example.
what version of IDA did you use ?
any chance you can upload the complete code extract for ntdll.dll and I'll try and trace ntdeviceiocontrolfile to see what's possible.
Thanks for your help.
Re: lekt player
Posted: Fri Apr 03, 2015 11:21 am
by sbgk
lekt wrote:the first, you used ntdll.dll for x86, need copy ntdll.dll from windows\system32 (not from SysWOW64, there's for x86 run on x64).
i use IDA v6.1 (64-bit) portable, .rar file 101MB, forgot link download. Prefer this software, just enough for me.
that was from system32
what target processor and assembler do you use ?
Maybe it gets confused by a haswell cpu.
Re: lekt player
Posted: Fri Apr 03, 2015 12:59 pm
by lekt
sbgk wrote:that was from system32
what target processor and assembler do you use ?
Maybe it gets confused by a haswell cpu.
i use MASM/ ml64.exe/ link.exe, take from vs2013, write code on notepad so then don't use any setting for target processor and more. think use api dll from system32 means application can run on AMD64 and IA64 (this architecture for AMD64 and IA64), not sure.
if you use sse/avx then i think "Intel 64 and IA-32 Architectures Software Developer's Manual - Instruction Set.pdf" can help, some instructions have architecture dependency.
have seen NtDeviceIoControlFile have complex code, not simple bypass it, need accurate learn. tried learn almost from:
kernel32.dll call -> api-ms-win-core-xxx.dll call -> kernelbase.dll call -> ntdll.dll -> call syscall
almost code in kernelbase.dll, but have detected ntoskrnl.exe, it also contains almost Ntxxx functions, call ext-ms-win-ntos-xxx.dll and hal.dll, and go to ... hehe...
ah, windows doesn't like us.
Re: lekt player
Posted: Fri Apr 03, 2015 1:32 pm
by lekt
lekt wrote:uploaded:
lekt.exe v3.25 256 sys
lekt.exe v3.25 256 sys2
replaced 5 api functions with syscall (system calling, level 0, bypass windows API), works in my win8.
not sure they work for win8.1 and ws2012 or not. try them.
JC & goon-heaven,
i think these versions can't work for you, coz used syscall numbers for win8.
uploaded:
v3.25 256 sys win8.1
v3.25 256 sys2 win8.1
maybe shall work for your ws2012R2, think win8.1 and ws2012R2 use similar kernel. try them and comment me, pls.
thx.