have anyone could explain to me trw2000 internals, about bpx concept, idt/gdt/ldt thingy, vxdcallhook, blah-blah... to me? or is there any trw2000 internal tut out there?

from now, i just understand the apiplugs mechanism only. i get stuck understanding how trw2000 break in to kernel and popup itself. maybe icedump gurus could help me out, please...

here's my lame readme about plugsapi [i've posted that lame plugs here]. and execuse me if any mistakes written here, any correction needed . trw2000 consists a loader and a master plugs. i call it master plugs coz :

- it's a plugs indeed, but a master/main plugs
- it loaded first before other plugs, so it can provide api services
for other/slave plugs loaded later [what i called plugsapi].

in the plugs init routine of trw2000.sys, it first registering every local function that will be exported as plugsapi. these exported api were placed in one struct. the plugsapi struct declaration can be read at plugapi.h file. the struct itself not comprises plugsapi only, but some trw internal variable are there too.

what the plugsapi plugs coded by me doing is just dumping this struct with address related to each struct members. so u can see directly to those addresses and recognize these function's names . then u can busy to rename all the function in ur disasembled list of trw2000.sys file. from here u have had little knowledge to reverse the master plugs.

now, after registering each struct members, the master plugs enumerates slave plugs and load it. i don't know yet what the rule used to load the slaves here. i bother with rule coz ordinary vxds are using it. its called InitOrder. but the case here is, the first loaded plugs is always master plugs, and there's no plan from author to let slave plugs providing another plugsapi service set to enhance the plugs functionality.

when a plugs loaded, execution gets in to plugs init proc, where u can see the param passed to this proc is a ptr named [PLUGS_API* plugsapi]. i don't know who is passing this ptr, but i guest the master plugs is the one who did it when loading plugs, bcoz the only one who knows his own locals functions address is master plugs, right? that's why every plugsapi called in plugs src code have form like: api->???. if u see it in assembly form, its looks like this:
call dword ptr [e?x+??h]
where the e?x contain ptr passed by master plugs.
after initialization proc, slave plugs are ready to receive cmds or do something else.

so, the point is... this plugsapi method is rather diff with vxdservices method, in which the master plugs don't have to 'snaps' the slaves apicall for the 1st time.

hmm... is there anyone imagine the add_api like implementations here . if there is, then here's i tell what come to my mind when thinking about it:
- the export table must have one method, that is add api entry.
- if there's unload scenario here, the plugsapi service provider
responsible to handle dead entry and to redirect that dead
entry to return false/true to the caller. huh... that's hard,
isn't it?
- make plugsapi set proto in a separate header file
- make a rule in loading, or load order. the provider must have
top priority before users, right? here maybe we can use an INI
file instead of... argh, i don't know how WDM's DDB looks like.
- ok, say the new plugs provider loaded by master plugs, and he
had an export table. then who'll load the users of that new
provider? if its master who load it, then master plug have to
somehow registering new plugsapi set and snaps the users link,
right? how complicated it is...
- anyone wants to do this...

hmm... i just knows a little about breakpoints. again, its a big chance i do mistakes here. the one used for LOG3 plugs is software bp. its hooking int1, looks like softice using this method too. u can see it barely in LOG2 source code. and maybe there's one internal variable involved, named pfSoft_1Step. it's a member of PLUGS_API struct.

when u break in to trw, trw freezes VMs and the registers show up in upwindow is register value from current VM, maybe. the register value can be ripped from a struct called CLIENT_STRUCT. refer to vmm.h to see his members. from here, i just filter the eip value to satisfy what i need, like LOG3 did. its lame easy to code LOG3, right? that's why i felt no need to release the source ;p.

the only info about this bp i got is from BPINT and LOG2 source code.
may there's gurus figures this all out. could anyone add what missed here, please... .

man, no one helps me...
i've take all i know about trw internal here, and no respon...

Maybe no one in this forum has experience in developing debuggers for windows. (just guess... I am new comer too :-)

Thx for your efforts...

i need to know the process of debugger break, and what happens when it break? i know thats relate to modify idt of current thread (maybe), but anyone can tell me more detail about this ?

most of the guys who still use Win9x (like me) don't use TRW because it's kinda buggy and unreliable (crashes very often, it's unstable and so on...)
Anyway you can debug TRW with Softice..eg. to see how it does bp, use in Softice BPR on the api you will breakpoint with TRW...it worx fine (I also was a year ago interested in how it's breakpoints work)..hmmz, maybe that doesn't answer to your question..i dont know anything else about that debugger, sorry

Well i dont know specially how trw works but the ways a debugger can be implemented are very limited There are software and hardware breakpoints.

Hardware breakpoints are set using SetThreadContext() api. There is a _CONTEXT structure and depending on the ContextFlags of this structure it can be used for setting different type of information. Among them are reading and modifying the FPU registers, the debug registers, and the control structures. With the last you can change the current EIP of the thread and more. The _CONTEXT structure is defined for all different processors and it is hardware dependant. The best resource about this for intel processos is the intel documentation. The 3 pdf files about 5Mb each. I guess you can find them on the net. There should be a section about debugging and hardware exceptions. There is very detailed documentation about how to use the debug registers to debug a process. The bmps are only possible to be made with debug registers btw.

The software way is with a simply using int 3 for a break point and int 1 for step by step tracing. You can use WriteProcessMemory to change the next instruction that is going to be executed and this way generate debug event for the debugger. You can attach to active process by DebugActiveProcess() and with WaitForDebugEvent() wait until a debug event is generated. May be you would like to check the _DEBUG_EVENT structure returned by the last function for more details. I'm not quite sure but as far as i can remember there is a fully functional ring 3 software debugger in the examples of the Matt Pietrek's book for win 95. I even may be have it somewhere

Cheerz

thanks Hwoarang. but please tell me whatever u know about breakpoints, trw not so diff with softice and im not talk specific to trw about this breakpoint context.

emm... ok, say i code a dynamic load WDM driver. i put in a ring0 kbd handler and an universal miniport graphics driver. when loaded, i hook the kbd for hotkey access. and then i hook int3 and int1 and... how do i set bp in kernel/current thread? coz we need to break in, right?

i'm not sure debugger such softice using attach method. i ever seen a log instruction application written using debug api, and it act very badly, not like softice/trw do. btw, debug api are designed for ring3 debug application, i thought.

First of all i dont know ring 0 stuff and never coded something. Only have called the ring 3 function for calling ring 0 stuff. The first export from kernel32.dll



whats the problem to write in kernel32.dll memory and put an int 3 where you want? Ofcourse after calling VirtualProtect to deprotect the page. And this will only work on 9x as well.




SoftIce is ring 0 debugger and it defenitely dont use debug api I was just talking about debuggers You can use hardware breakpoints from ring 0 or write int 3s in the process memory.

reading softice internal by +Spath...
seeing winice.exe unasm...
it said that winice.exe are a vxd [LE format], so theres 16 and 32 bit in one file. pasted from tut:

-------------------------------------------
winice.exe performs the following steps :
1. change video mode to mode 3 (80x25, text mode, 16 colors) and display SoftICE intro message (SoftICE version, OS, ...).
-------------------------------------------

what i saw in start is:
public start
RCOD:0000 start proc near
RCOD:0000 xor ax, ax
RCOD:0002 xor si, si
RCOD:0004 xor bx, bx
RCOD:0006 retn
RCOD:0006 start endp

how can this code perform video mode switching???

it ripped off roughly from master plugs disasm. these cmd related to VER cmd. they are:

:VER TST8 ; just crash my comp
:VER INFO ; disp debugger environment infos?
:VER MEM ; disp trw path and dibeng infos
:VER SAY ; disp windows properties?
:VER TEST ; n/a? (no action)
:VER TST1 ; n/a?
:VER ERRO ; n/a?
:VER BLUE ; n/a?
:VER KEEP ; keep the debug screen

from here, we know that trw2000 using dibeng somehow. infos from 98DDK says:
"To help you create more efficient display drivers, Microsoft supplies the DIB engine, which is a DLL that contains most of the functions needed to translate GDI commands. A display driver that uses the DIB engine is called a display minidriver. The minidriver only contains hardware-specific code for your display adapter and redirects the non-device specific calls from GDI to the DIB engine."

so, if i'm not wrong here, the master plugs include the display minidriver that handle h/w specific code. but, somehow i felt the display minidriver discussed in 98DDK are loaded as static vxd drivers. meanwhile, the trw loaded dynamically. therefore, my first bet is trw intercept the minidriver link to dibeng (DIB engine). i'm seeing codes that related to video buffer at &A0000 and &B8000, but dont know what its really do.

if anyone knows this stuff in depth, please add what missed here

thanks

ok, after read 98ddk help a while, accidentally ;p, i saw the DIBENGINE struct which the first member match with one value pointed by ver mem command. here below i include my source code .

and, remember the two lines after Dibeng value in ver mem command...
yeah! thats value is the same like what would display in the member listing. maybe u wonder why just these two value get displayed, wheres the others? is the rest is not important?
honestly... i dont know the answer. but i see those two value gets involved in screen operations. i thought i'm closer to it, but...

now, trying to get deeper understanding... btw, its hard, guys... none of u could give me a clue

feeling lame thinking about this subject, meanwhile i dont have much access to my 'home' computer anymore right now, i just want to tell my idea here with assume that SI would be the best debugger among the other and so used as reference.

the points of debugger design would be:
- free/open source/copyrighted/whatever [but no commerce, please ]
- plugin based architecture
- very... i mean very... customizable debugger
- support multi OSes [w9x,wnt,w2k,wxp,etc]
- full documentation

about plugin stuff, it should:
- support script language [ie calling VMM services from script, can make a 'real' driver as plugin, etc]
- have controlled plugin environment [ie can debug plugin easily]
- dynamically loaded

the plugin includes the kernel itself, cpu info, disasm routine, display driver, windowing routine, skin switching [actually, this is my favorite part if applicable], etc...

about customizable stuff. it should be the mindset from beginning of design. such as debugger can easily perform counterattack from antidebug stuff with small changes, or in some situation that need special breakpoint [that not supported by SI, of course] users can easily perform it with little effort.

about multi OSes. it applied to every debugger component, even the kernel itself. i think it can be compiled in separated package or using OS auto detect. in this stuff, there mostly problem will faced [ie display/mouse problem].

documentation was a thing that everyone should have an eye on it, so that will be more ppl can use the debugger.

well, its just a bluffing and incomplete idea from me.
thanks for reading.