Diving into Windows Keyboard Driver

Captions
In this video I'm going to screw up the Windows keyboard driver, and I'm going to do that by connecting with a kernel debugger and modifying the code of the driver. So we're going to use a couple of things for this video. First of all is VirtualBox, and I have here running a Windows 10 virtual machine. And I'm going to use the Windows debugger, which is called WinDbg. I'm going to list everything in the description if you want to check it out.

So first of all, notice that in this video we're going to play around with the PS/2 kernel driver. That is because VirtualBox emulates this type of keyboard. What exactly is PS/2? So this is a typical motherboard nowadays, and you've got the PS/2 port right over here. You can see that on this motherboard it's unified into a single connector, both for the keyboard and the mouse, but on older motherboards they had two separate connectors, one for the mouse and one for the keyboard. So if you go here to the Device Manager and click here on Keyboards, and I'm going to double click here on Standard PS/2 Keyboard, now click here on Driver, Driver Details, you can see we have two entries over here. Specifically, the driver that we're going to work with is called i8042prt. So remember this, because we're going to connect to this driver in the kernel debugger.

So I'm going to run msconfig and I'm going to go here to Boot. Afterwards I'm going to click on Advanced options, and I'm going to enable here Debug. Debug port should be COM1 and baud rate should be 115200; that's going to be the fastest rate. This will basically configure kernel debugging through the serial port; COM1 is one of the serial ports. Now I'm going to click here OK, and it's going to ask me to restart the computer. I'm going to say Exit without restart, so I'm going to shut this down.

After shutting down, I'm going to open the settings of the virtual machine by clicking here on Settings, and I'm going to click here on Serial Ports. I'm going to enable Port 1, port mode is going to be Host Pipe, and I'm going to uncheck Connect to existing pipe. Let's name it, for example, backslash backslash dot backslash, then you need to write here pipe, and then we can give it a name. Let's name it, for example, win10dbg. Now I'm going to copy it, because I'm later going to paste this into the debugger, and I'm going to click here on OK.

Now I'm going to start the virtual machine, and in the meantime, while it's starting, I'm going to prepare the kernel debugger. So I'm going to open WinDbg, going to click here on File and then Attach to kernel. Over here on baud rate we're going to put the fastest speed, 115200, and here on Port I'm going to paste what I copied there. Afterwards click here on OK. Now it's going to connect. It's already connected to Windows 10, as you can see. Now I can see that it caught a little exception in the kernel; we're just going to let it continue by running the g command. Now I'm going to go ahead and log in. Now I'm going to go ahead and open Notepad. Let's increase the font so we can see clearly. Okay, so the typing is currently fine: ABC, it works fine. Now let's go ahead and screw this up.

So I'm back here in the kernel debugger and I'm going to press on Ctrl+Break, and you can see we're now broken in the debugger and I can start running commands. So the first command I'm going to do is, remember that driver that we saw earlier, that was i8042prt.sys. I'm not going to put the .sys over here, but this is the name of the module in the kernel. So what I'm going to do afterwards is an exclamation point, and then I'm going to use a wildcard, and I'm going to search for all the symbols that have the word read in them. And x stands for examine, so I'm examining all the symbols that have read in them that come from the i8042 driver. Now I'm going to press Enter. We have here a couple of results. I'm specifically interested in this function; it's called ReadPortUchar. So I'm going to copy this by marking it and then right clicking, and now I'm going to put a breakpoint on this by running the bp command, breakpoint, then I'm going to paste it. Now I'm going to run g to continue the execution. Now I'm going to press on A, for example. Now we can see it hit the breakpoint.

So now let's go ahead and check the assembly over here. So I'm going to run the u command to disassemble this place. So we can see this function is quite short. It's just assigning edx with ecx; by the way, ecx is part of the rcx register, and on x64 rcx represents the first argument that is passed into the function, that is by calling convention. And afterwards it's using the in instruction. This is an assembly instruction that reads something from an I/O port, and the port number comes from dx, so essentially it's coming from this line, and it's going to read whatever it reads into the al register. al is a single byte, so we're going to have after this line a single byte of data inside of the al register.

So let's read a little more about what exactly is going on here. So I have here on the left side the OSDev Wiki, specifically on the article that talks about the 8042 PS/2 controller, and I'm going to click here on the section that talks about PS/2 controller I/O ports. And we can see that it tells us that the PS/2 controller uses two I/O ports: one is 0x60, that is 60 in hex, and that's the data port, and the other one is 64. Now we want to understand what port is currently used on this function, and as we can remember here from the in instruction, we can get the port number by reading the dx register before executing this line. So I'm going to step to the next instruction by pressing on F10, and now I can see we're currently on the in instruction, and now I can go ahead and read what is inside of dx. So I'm going to use the r command, that's going to be r for register, and then dx, and it's going to tell me that dx is 64, and this is 64 in hex. So this maps into one of these ports, but I'm actually interested in the data port, so I want to know when is this 60. So I'm going to skip to the next call by running F5. Now I can see it hit the breakpoint again. Again checking dx, that's going to be again 64. I'm going to press F5. Now the breakpoint was hit again, and if we check out dx, now it's 60. So this is good, 60 maps to the data port. So now we know we actually have data in al after executing this line. So I'm going to go to the next line by pressing on F10, and now I read al, I get here a certain number. Now this number represents the data that comes from the PS/2 keyboard. It's not really interesting right now to go exactly about what each number means, but what I'm going to do to screw up the driver is increment this number by one. But I want to only increment this if we're on the 60 port.

So for this I need to slightly modify the assembly on this function, and I'm going to use for this the a command, that's assemble. But first of all I want to view all the assembly that goes on in this function. So for this I'm going to use the u command again, this time I'm going to pass in the L parameter, and I'm going to give it, for example, 12. This will tell the u command to display more instructions. Now I can take a glimpse at how this function looks like, the ReadPortUchar function, and we can see we have a bunch of space over here to insert more instructions. So that's what I'm going to do. I want to check the port that is currently read, which is dx, and I want to see if it's the data port. If it's the data port, I want to go ahead and increment it by one. This will have the effect of typing, and each time you type a character on your keyboard, it's going to go to the character on its right.

So I'm going to start the assemble command on this return instruction. I'm going to start assembling from here, so I'm going to overrun this return. So I'm going to copy this address over here, then I'm going to pass this into the a command to start assembling instructions. Now WinDbg is starting to ask me what instructions I want to put in place of the return over here. So this is the first address, and we have here a bunch of space until we get to the next function, which is on 70. So what I'm going to do on this line, instead of return, is I'm going to use the compare command, so cmp, and I'm going to compare dx, which represents the port that I'm reading from; I'm going to compare this to 60. So I'm going to check if it's the data port. Afterwards I'm going to do the following: I'm going to say jump if equal, so that's going to be je. So that is going to jump if it's equal to 60, and I'm going to jump here, for example, to this spot. This looks like we have a couple of space here for more instructions, so this will be the flow if we're actually reading from the data port. So in order to get to this address, I'm going to start by this function, which is 60. We need to get to 6C, so in order to get to this line we need to add C to this function. So I'm going to copy this and I'm going to add here plus, and then I'm going to write C, which will bring me right over here. So this will jump to this line if it's equal to the data port.

Now the line afterwards, now I'm writing the instruction that will happen if we're not reading from the data port, if it's one of these. So in case it's not coming from the data port, I want to act regularly. I don't want to change all the other logic, only logic that is related to the data port. So in this case I'm just going to return normally. Now, as we remember, we need to start from C, because that is where the jump is going on, but currently I'm on 6B, so I need to put here a no operation. So I'm going to use the nop command; that is an assembly instruction that does nothing. Cool, and now we're on 6C. Now I can start putting the logic that happens if we're reading from the data port. So if I'm reading from the data port, I want to go ahead and increment the al register. Remember, al represents the data that is coming from the keyboard, so I'm going to increment this. Effectively this is going to cause each key to press the key that is right next to it. After incrementing, I'm finally going to return, and you can see we reached 6F, so it didn't overrun instructions that are already over here, because the next function starts from 70. Now to end this, I'm going to just press on Enter again, and you can see we're back here to kd. Now I can remove the breakpoint by running bc and then star; that's going to clear the breakpoints. And then I'm just going to run g, and now I'm going to type, for example, Q. Let's see what happens. You see it typed W, which is right next to Q. Now I'm going to type in G, for example, but it typed in H. Let's type in 7, for example, but it typed in 8.
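As an added example that is not part of the video or its author's code, the small Python model below hand-assembles the patch described in the captions (cmp dx,60h / je / ret / nop / inc al / ret starting at the function's ret), checks that it stays below the next function, and interprets the resulting bytes so the effect on a keyboard byte can be seen without a debugger. The addresses (ret at 0x64, jump target 0x6C, next function at 0x70) are inferred from the offsets spoken in the video; the instruction encodings are my own hand-assembly and the set-1 scancodes used as sample input are constructed.

```python
# Added example (not the video author's code): model the ReadPortUchar patch
# from the video, check that it fits in the gap before the next function, and
# run the bytes through a tiny interpreter for exactly the opcodes it uses.
# Addresses follow the video (ret at 0x64, jump target 0x6C, next function at
# 0x70); encodings are hand-assembled and the sample scancodes are constructed.
DATA_PORT = 0x60  # PS/2 data port (OSDev wiki); 0x64 is the status/command port


def build_patch(ret_at, jump_to, next_func):
    """Assemble, starting at the original ret:
         cmp dx, 60h ; je jump_to ; ret ; nop... ; inc al ; ret
    Returns (patch_bytes, end_address); raises if the patch would not fit."""
    code = b"\x66\x83\xfa" + bytes([DATA_PORT])   # cmp dx, 60h  (66 83 FA ib)
    je_at = ret_at + len(code)
    rel8 = jump_to - (je_at + 2)                   # rel8 is relative to the next rip
    if not 1 <= rel8 < 0x80:                       # must land past the ret below
        raise ValueError("jump target out of range for je rel8")
    code += b"\x74" + bytes([rel8])                # je jump_to  (74 cb)
    code += b"\xc3"                                # ret: not the data port, act normally
    code += b"\x90" * (jump_to - (ret_at + len(code)))  # nop padding up to jump_to
    code += b"\xfe\xc0\xc3"                        # inc al ; ret  (FE C0 ; C3)
    end = ret_at + len(code)
    if end > next_func:
        raise ValueError("patch overruns the next function")
    return code, end


def run_patch(code, base, dx, al):
    """Interpret the patch with DX = port and AL = byte read by IN; return AL at ret."""
    rip, zf = base, False
    while True:
        op = code[rip - base:]
        if op[:3] == b"\x66\x83\xfa":              # cmp dx, imm8 -> sets ZF
            zf = (dx & 0xFFFF) == op[3]
            rip += 4
        elif op[0] == 0x74:                         # je rel8 (signed displacement)
            rel = op[1] - 0x100 if op[1] >= 0x80 else op[1]
            rip += 2 + (rel if zf else 0)
        elif op[0] == 0xC3:                         # ret
            return al
        elif op[0] == 0x90:                         # nop
            rip += 1
        elif op[:2] == b"\xfe\xc0":                 # inc al (wraps at 0xFF)
            al = (al + 1) & 0xFF
            rip += 2
        else:
            raise ValueError(f"unsupported opcode at {rip:#x}")


if __name__ == "__main__":
    patch, end = build_patch(0x64, 0x6C, 0x70)
    print(patch.hex(), hex(end))                    # 6683fa607402c390fec0c3 0x6f
    print(hex(run_patch(patch, 0x64, 0x60, 0x10)))  # set-1 'Q' 0x10 -> 'W' 0x11
```

Bytes read from the status port 0x64 pass through unchanged, while a data-port byte of 0xFF wraps to 0x00, which is the kind of side effect a blind inc al has on break codes as well as make codes.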
Info
Channel: Nir Lichtman
Views: 80,711
Id: FR1P6g89Vrk
Length: 10min 28sec (628 seconds)
Published: Thu May 16 2024