Tír Na HiFi

using kd debugger for ntdeviceiocontrolfile disassembly

need to use bcdedit to switch on local kernel debugging first

guess it has lot's of code to cope with the different ioctl codes, so could break out the code I'm interested in

calls nt!IopXxxControlFile

Microsoft Windows [Version 10.0.9926]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd \

C:\>cd C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64

C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>kd -kl

Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows 8 9926 x64 target at (Sat Apr 4 13:33:05.683 2015 (UTC + 1:00)), ptr64 TRUE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 8 Kernel Version 9926 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9926.0.amd64fre.fbl_awesome1501.150119-1648
Machine Name:
Kernel base = 0xfffff800`fa683000 PsLoadedModuleList = 0xfffff800`fa98aef0
Debug session time: Sat Apr 4 13:33:05.824 2015 (UTC + 1:00)
System Uptime: 0 days 0:09:59.475
lkd> ln nt!NtDeviceIoControlFile
(fffff800`fab0d130) nt!NtDeviceIoControlFile | (fffff800`fab0d190) nt!NtQueryDirectoryObject
Exact matches:
nt!NtDeviceIoControlFile (<no parameter info>)
lkd> u fffff800`fab0d130 fffff800`fab0d190
GetContextState failed, 0x80004001
nt!NtDeviceIoControlFile:
fffff800`fab0d130 4883ec68 sub rsp,68h
fffff800`fab0d134 8b8424b8000000 mov eax,dword ptr [rsp+0B8h]
fffff800`fab0d13b c644245001 mov byte ptr [rsp+50h],1
fffff800`fab0d140 89442448 mov dword ptr [rsp+48h],eax
fffff800`fab0d144 488b8424b0000000 mov rax,qword ptr [rsp+0B0h]
fffff800`fab0d14c 4889442440 mov qword ptr [rsp+40h],rax
fffff800`fab0d151 8b8424a8000000 mov eax,dword ptr [rsp+0A8h]
fffff800`fab0d158 89442438 mov dword ptr [rsp+38h],eax
fffff800`fab0d15c 488b8424a0000000 mov rax,qword ptr [rsp+0A0h]
fffff800`fab0d164 4889442430 mov qword ptr [rsp+30h],rax
fffff800`fab0d169 8b842498000000 mov eax,dword ptr [rsp+98h]
fffff800`fab0d170 89442428 mov dword ptr [rsp+28h],eax
fffff800`fab0d174 488b842490000000 mov rax,qword ptr [rsp+90h]
fffff800`fab0d17c 4889442420 mov qword ptr [rsp+20h],rax
fffff800`fab0d181 e80a9bf7ff call nt!IopXxxControlFile (fffff800`faa86c90)
fffff800`fab0d186 4883c468 add rsp,68h
fffff800`fab0d18a c3 ret
fffff800`fab0d18b cc int 3
fffff800`fab0d18c cc int 3
fffff800`fab0d18d cc int 3
fffff800`fab0d18e cc int 3
fffff800`fab0d18f cc int 3
nt!NtQueryDirectoryObject:
fffff800`fab0d190 488bc4 mov rax,rsp
lkd> ln nt!IopXxxControlFile
(fffff800`faa86c90) nt!IopXxxControlFile | (fffff800`faa87e80) nt!IopFreeMiniCompletionPacket
Exact matches:
nt!IopXxxControlFile (<no parameter info>)
lkd> u fffff800`faa86c90 fffff800`faa87e80
GetContextState failed, 0x80004001
nt!IopXxxControlFile:
fffff800`faa86c90 4c894c2420 mov qword ptr [rsp+20h],r9
fffff800`faa86c95 4c89442418 mov qword ptr [rsp+18h],r8
fffff800`faa86c9a 53 push rbx
fffff800`faa86c9b 56 push rsi
fffff800`faa86c9c 57 push rdi
fffff800`faa86c9d 4154 push r12
fffff800`faa86c9f 4155 push r13
fffff800`faa86ca1 4156 push r14
fffff800`faa86ca3 4157 push r15
fffff800`faa86ca5 4881ec60010000 sub rsp,160h
fffff800`faa86cac 488b05a5d2edff mov rax,qword ptr [nt!_security_cookie (fffff800`fa963f58)]
fffff800`faa86cb3 4833c4 xor rax,rsp
fffff800`faa86cb6 4889842458010000 mov qword ptr [rsp+158h],rax
fffff800`faa86cbe 48899424c0000000 mov qword ptr [rsp+0C0h],rdx
fffff800`faa86cc6 4c8bd1 mov r10,rcx
fffff800`faa86cc9 4889942410010000 mov qword ptr [rsp+110h],rdx
fffff800`faa86cd1 488b8424c0010000 mov rax,qword ptr [rsp+1C0h]
fffff800`faa86cd9 48898424a8000000 mov qword ptr [rsp+0A8h],rax
fffff800`faa86ce1 488b9424d0010000 mov rdx,qword ptr [rsp+1D0h]
fffff800`faa86ce9 4889942488000000 mov qword ptr [rsp+88h],rdx
fffff800`faa86cf1 8b8424d8010000 mov eax,dword ptr [rsp+1D8h]
fffff800`faa86cf8 89442470 mov dword ptr [rsp+70h],eax
fffff800`faa86cfc 4c8b8424e0010000 mov r8,qword ptr [rsp+1E0h]
fffff800`faa86d04 4c898424b0000000 mov qword ptr [rsp+0B0h],r8
fffff800`faa86d0c 8b8424e8010000 mov eax,dword ptr [rsp+1E8h]
fffff800`faa86d13 89442460 mov dword ptr [rsp+60h],eax
fffff800`faa86d17 33db xor ebx,ebx
fffff800`faa86d19 48899c2480000000 mov qword ptr [rsp+80h],rbx
fffff800`faa86d21 8bbc24c8010000 mov edi,dword ptr [rsp+1C8h]
fffff800`faa86d28 448bff mov r15d,edi
fffff800`faa86d2b 4183e703 and r15d,3
fffff800`faa86d2f 65488b042588010000 mov rax,qword ptr gs:[188h]
fffff800`faa86d38 48898424e0000000 mov qword ptr [rsp+0E0h],rax
fffff800`faa86d40 440fb6a832020000 movzx r13d,byte ptr [rax+232h]
fffff800`faa86d48 4584ed test r13b,r13b
fffff800`faa86d4b 0f842d0f0000 je nt!IopXxxControlFile+0xfee (fffff800`faa87c7e)
fffff800`faa86d51 488b8c24a8000000 mov rcx,qword ptr [rsp+0A8h]
fffff800`faa86d59 488b0520d3f9ff mov rax,qword ptr [nt!MmUserProbeAddress (fffff800`faa24080)]
fffff800`faa86d60 483bc8 cmp rcx,rax
fffff800`faa86d63 0f83e4000000 jae nt!IopXxxControlFile+0x1bd (fffff800`faa86e4d)

etc

goon-heaven wrote:https://drive.google.com/folderview?id= ... sp=sharing

have seen:
win8/ws2012 use system dll v6.2 9200 xxxx,
win8.1/ws2012R2 use system dll v6.3 9600 xxxx

so then build for you:
lekt.exe v3.26 256 win8.1
lekt.exe v3.26 256.1 win8.1

these versions back to render loop of v3.22, replaced only 1 function with syscall for you do testing.
v3.26 256.1 win8.1 use trick with registers (like as yesterday v3.25 256 sys win8.1 and v3.25.1 256 sys win8.1), maybe doesn't work for you. try them and comment me, the first they work?

lekt wrote: so then build for you:
lekt.exe v3.26 256 win8.1
lekt.exe v3.26 256.1 win8.1

these versions back to render loop of v3.22, replaced only 1 function with syscall for you do testing.
v3.26 256.1 win8.1 use trick with registers (like as yesterday v3.25 256 sys win8.1 and v3.25.1 256 sys win8.1), maybe doesn't work for you. try them and comment me, the first they work?

Thank you for the build for me - much appreciated.

v3.26 256 plays very nicely - new favorite - tighter sound - best kick drum yet - more visceral, not overblown- in comparison v22 sounds tame! More comparision testing to do.

v3.26 256.1 stops immediately, no music. 12R2 no likey your register tricks.

goon-heaven wrote:...v3.26 256.1 stops immediately, no music. 12R2 no likey your register tricks.

understand. win8.1/ws2012R2 rewrite sycall, difference than win8/ws2012, code number and internal procedure. but can make some trick (even more than currently win8) if i install win8.1 and detect something from it.
think syscall send signal data to port and call interrupt, like as "int 21h" in old x86, but now all things of x64 are undocumented.

sbgk wrote:using kd debugger for ntdeviceiocontrolfile disassembly
...fffff800`fab0d181 e80a9bf7ff call nt!IopXxxControlFile (fffff800`faa86c90)
fffff800`fab0d186 4883c468 add rsp,68h
fffff800`fab0d18a c3 ret
fffff800`fab0d18b cc int 3
fffff800`fab0d18c cc int 3
fffff800`fab0d18d cc int 3
fffff800`fab0d18e cc int 3
fffff800`fab0d18f cc int 3
nt!NtQueryDirectoryObject:
fffff800`fab0d190 488bc4 mov rax,rsp

etc

have seen system internally use interrupt, sbgk. maybe you debug NtWaitForSingleObject and do discovery. interesting if can replace syscall with "int xxh" like as old x86 directly work with ports, big benefit shall be get. i have not kd debugger now.

lekt wrote:

sbgk wrote:using kd debugger for ntdeviceiocontrolfile disassembly
...fffff800`fab0d181 e80a9bf7ff call nt!IopXxxControlFile (fffff800`faa86c90)
fffff800`fab0d186 4883c468 add rsp,68h
fffff800`fab0d18a c3 ret
fffff800`fab0d18b cc int 3
fffff800`fab0d18c cc int 3
fffff800`fab0d18d cc int 3
fffff800`fab0d18e cc int 3
fffff800`fab0d18f cc int 3
nt!NtQueryDirectoryObject:
fffff800`fab0d190 488bc4 mov rax,rsp

etc

have seen system internally use interrupt, sbgk. maybe you debug NtWaitForSingleObject and do discovery. interesting if can replace syscall with "int xxh" like as old x86 directly work with ports, big benefit shall be get. i have not kd debugger now.

iopxxxcontrolfile is not exported so can't use syscall with it.

syscall is faster than the interrupt method, read up about it. http://www.evilsocket.net/2014/02/11/on ... w8Ria.dpbs

have tried ntDelayExecution instead of waitforsingleobject, but couldn't get it to work.

sbgk wrote:...have tried ntDelayExecution instead of waitforsingleobject, but couldn't get it to work.

have read this link, but i think x64 still use interrupts, not sure better than syscall or not. see in ntdll.dll win10 many "int xxh", code of ntDelayExecution win10:

; Exported entry 310. NtDelayExecution ; Exported entry 1715. ZwDelayExecution
public ZwDelayExecution
ZwDelayExecution proc near
mov eax, 60034h ; NtDelayExecution
mov edx, offset sub_4B2FCA80
call edx ; sub_4B2FCA80
retn 8
ZwDelayExecution endp

sub_4B2FCA80 proc near
mov edx, large fs:30h
mov edx, [edx+254h]
test edx, 2
jz short loc_4B2FCA98
int 2Eh ; DOS 2+ internal - EXECUTE COMMAND
; DS:SI -> counted CR-terminated command string
retn

loc_4B2FCA98:
jmp far ptr 33h:4B2FCA9Fh
sub_4B2FCA80 endp

have not seen syscall. this "jmp far ptr 33h:4B2FCA9Fh" is secret, you need copy data from this address, think 128 bytes is enough, write into file.txt, put into global variable area of you application, disassembler this last file, and can discover what is this.
---------------------------

share to you NtDelayExecution win8/8.1/ws2012/ws2012R2:

;NtDelayExecution(IN BOOLEAN Alertable, IN PLARGE_INTEGER DelayInterval);
lea rdx, [rsp+32] ; i use some valid pointer on stack
xor r10d, r10d ; Alertable=FALSE. If TRUE, execution can break in a result of NtAlertThread call
mov qword ptr [rdx], -xxxh ;Negative value means delay relative to current
mov eax, 32h ;win8/ws2012
;mov eax, 33h ;win8.1/ws2012R2

syscall ;return rax = 0

1 millisecond = 1 million (1,000,000) nanoseconds.
1 nanosecond = 0.000001 milliseconds.
1 nanosecond = 0.000000001 seconds, ie. 1 billionth of 1 second (1 / 1,000,000,000).

be careful with DelayInterval, it's Negative value.

for win10 you may try:
mov eax, 60034h
or use int 2Eh, not sure. or get syscall number by your method.
tried use this function instead of NtWaitForSingleObject in render loop, but difficult determine DelayInterval, sound have sand, need correct calculate for 16/44100, seems 56.69ms for my 256 buffer size. do you know how calculate?

it's only as accurate as the system time, default is 15.6 ms, can be set to 0.5ms

http://www.powerbasic.com/support/pbfor ... p?p=460308

max accuracy is 0.5 ms so best to use object synchronisation

best way would be code injection into the device driver so it doesn't come back to user level and just renders in kernel.

retuned OS based on 3.19.1 pop and html5
3.25 256 sys turns out to be the best sound, as it seems. power, rythm, focus, notes, depth... never better