Diving into Windows Keyboard Driver
Ғылым және технология
In this video I will demonstrate how you can cause funny behavior of the Windows PS/2 keyboard driver by connecting with a kernel debugger and modifying the assembly.
Checkout my channel welcome link for setup information about windbg and VirtualBox.
You can grab the Windows 10 ISO from the Microsoft official website.
Articles:
- reactos.org/wiki/I8042prt.sys
- wiki.osdev.org/%228042%22_PS/...
Пікірлер: 68
i didn't even know you were allowed to debug the kernel that easily nice video!
@jedimasternoob
8 күн бұрын
Yea, this is pretty spicy info! I can see it being used for some not so good uses.
I don't think I've ever seen such a concise and easy to follow explanation of low-level stuff like this. Very, very cool!
If I remember correctly, osdev may also mention about a specific byte sequence you send or read from ps/2 keyboard in order to initiate system reboot, which is often used in hobby kernels and I guess I've even seen it in linux somewhere
@0xfadead
15 күн бұрын
Do you mean Ctrl-Alt-Delete? That was used to reboot computers in the DOS days
@komram4396
15 күн бұрын
@@0xfadead nah, there is a keycode for reboot, i have an 90s keyboard with such key and it works in modern operating systems.
@nathanielcleland6566
15 күн бұрын
@@0xfadead No, in the old days the RESET line of the x86 CPU was connected to the 8042 keyboard controller. Ctrl+Alt+Delete is just a sequence of key presses given special meaning in the OS. But if you poll port 0x64 until the controller is ready, then write 0xFE, it resets the CPU to its initial state, rebooting the system. Although this is actually how you switched out of 16 bit protected mode back into real mode on the 80286 as well (as memory stays powered, you can hook into the reset handler and skip system initialization). void reboot() { uint8_t good = 0x02; while (good & 0x02) good = inb(0x64); outb(0x64, 0xFE); halt(); }
@0xfadead
15 күн бұрын
@@nathanielcleland6566 Ah lol, didn't know about that. It makes much more sense. Thanks for the swift response!
@ktheveg
11 күн бұрын
Linux has something called "Magic SysRQ". For modern devices, you can press & hold ALT, then tap PrintScreen. This activates the SysRQ, then while holding down ALT, press B to reboot.
Reminds me when I used to do assembly in DOS. I used this port to detect a keypress instead of using the BIOS int 16h keyboard services
Very nice demonstration of debugging a remote Windows machine :)
@milk-it
10 күн бұрын
Absolutely gorgeous elucidation.
@xfxpositions
5 күн бұрын
@@milk-it indeed
Bless you man! You explained how to connect and debug Windows in 10 minutes! Always fantastic! 🥳😀
Why did they add the padding to the functions?
Nooo, windbg😢. Haha lol, its almost amazing how the app became a meme. Jokes aside, this is actually a very good video. You have earned a new subscriber.❤
thanks bro, really nice demonstration of windows driver debbuging, love it !!!!
Thanks for yet another educational vid, Nir!
As always , concise video debugging low-level code , I am really curious how have you come about learning "low-level computing" and how have yoi built the experience ? was it Computer architecture courses at Uni orworking somewhere where you were involved in that field ?
this is what we need in this community!!
Thanks for this, TIL OS dev wiki.
I would recommend making a video about hypervisor internals
Smart.... Brains.... (Bugs Bunny reference 😄). Awesome work! Cheers🥂
That's awesome! I'm wondering though why when the cmp instruction was set the address jumped from ...64 to ...68? It doesn't seem like the instruction is using any large values to fill up what I presume is 32 bytes (ig each address can store 8 bytes but please correct me if I'm wrong).
@b4ttlemast0r
15 күн бұрын
I think each address just refers to a single byte (the address itself is what's 64-bits)
@ahmadshami5847
15 күн бұрын
@@b4ttlemast0r yeah idk maybe that could something related to the OS kernel or maybe even the hardware itself. But still even then it doesn't make sense for me that a compare instruction would require 4 bytes if that's the case.
@nirlichtman
15 күн бұрын
The cmp instruction took in total 4 bytes even though we are in 64 bit, since the jump in this case is relative and not absolute so the machine code doesn't need to store the entire 8 bytes of the memory address
@ahmadshami5847
15 күн бұрын
hmmm... okay, I must say I'm still kinda new to low level machine stuff, but that's fascinating. So what I understood is that the cmp instruction could make use of those 4 addresses but it didn't so it just skipped them, right?
@nirlichtman
15 күн бұрын
@@ahmadshami5847 could you elaborate what exactly you mean?
Awesome video bro
this is cool
You can create enigma codes with this.
fantastic!
subscribed forever
I did engineering work where I had to do alot of copying and pasting, well the ctrl+c failed alot and didnt know if I copied or not.. so made a program that would listen to my keyboard and show green in taskbar if I pressed ctrl+c or ctrl+v(paste) lol... and it helps.. well I student at university I was reminded him saying that they make ctrl difficult to press as in previous gaming it could be pressed with other buttons that disrupt the gaming so you really need to press it hard, my current laptop didnt needed a hard ctrl press but now it does for copy and paste what a shame... and if the manifacturers are really doing that to people do stop that garbage and make the press easier even for ctrl...
This is super fascinating! I have a bit of experience with x64 assembly but I don't really know how drivers work. I always wondered what the kernel debugging was for and if we can use it. Can we also debug the kernel of an installation on itself without a VM?
@nirlichtman
11 күн бұрын
Local kernel debugging is possible but it won't have all the abilities that you have when you do remote kernel debugging ( learn.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging ), BTW you can also debug another physical computer, it doesn't have to be a VM
@teamredstudio7012
10 күн бұрын
@@nirlichtman Wow! Thanks! I'm gonna have some fun with this!
Neat! Maybe cleaner to jne over the increment and have them both use the same ret, no? xD
@nirlichtman
10 күн бұрын
Nice, thats a good idea :)
I hear "screw up" - I watch video until the end🗿
This is next level shit. I love it.
Is there a point to it ? No. Does it make it more interesting? Yes
1:02 whats the other driver then?
@Hallilo
15 күн бұрын
the ps2 keyboard driver is responsible for reading the hardware level data from the I/O port, kbdclass is a higher level driver that communicates with the ps2 driver and gives some consistency to the os with abstraction (correct me if im wrong)
Something tells me the peanuts in MS support aren't exactly diving this deep into your issue when you call Microsoft for support 🤣
it's a good video with simple explanation but i hope that you do a video about the execution flow and the pe/mz format it's weird format to me. elf is easy understandable. but windows has weird executables they store charachters as if they were 16bit not 8bit and things like that....
@mikeuk1927
9 күн бұрын
It's just UTF-16, it's not that bad. Buy yeah, PE is kind of weird, too complex for my liking
you don't see this type of content anywhere on youtube
cool - i wonder if malware could abuse windows Debugging on a windows VM
How to remap Copilot key to R Ctrl key on newer windows laptops? Custom drivers or registry hacks? PowerToys works but doesn't work on all apps.
@mertemr
15 күн бұрын
you can use autohotkey.
@fluffball1415
10 күн бұрын
Can remap it in the registry, that'll work in administrator level applications.
I’ve noticed one thing, you seem to press pretty danged hard on keys and buttons every now and again.
Screw up some linux stuff next, please.
@_lun4r_
15 күн бұрын
The screwed up keyboard for Linux already exists, check the videos
@gokul2003g
15 күн бұрын
@@_lun4r_ ooh 👍
@vlc-cosplayer
10 күн бұрын
You can't scam people into getting tech support if you break Linux!
yay, i am first
Can you stop ending 99% of sentences with a high note?