NEW: Syser Kernel Debugger by wuyanfeng


Kayaker
January 15th, 2005, 21:27
Hi All

I came upon what looks to be a very promising kernel debugger on a Chinese forum. There is an active thread discussing it here:

http://www.driverdevelop.com/forum/html_61514.html?1105821078

There appear to be 2 download packages; I had some problems with CRC-corrupt rar files for both packages, but was finally able to d/l a clean copy of the 2nd.

One with an .msi installer (5.4MB):
ftp://soft:mysoft@www.zndev.com/syserinstall.rar

and the other without (1.9MB):
http://link.coolala.net/temp/syser.rar
SyserMgr.exe
wisp.dat
wispsyser.sys

From another link I found pictures of the debugger:
http://link.coolala.net/temp/debug1.jpg
http://link.coolala.net/temp/debug2.jpg


It has a *very* impressive subset of the usual Softice commands, as well as many interesting new ones ("Set Debug Register DR7" anyone?). It supports Windows 2000 Server, Windows XP, Windows XP SP1, and 2003 Server.

I've only begun to look at it, but it seems to run well even under VMWare. It seems like it is supposed to be compatible with Softice in some fashion, but I've found conflicts. I'm not sure if it's a ring3 debugger with a kernel component (something I've been expecting as a natural progression for a long time...), or whether it can also trace ring0 code.

I tried its I1HERE ON option to break on an INT 1 in my own kernel driver, to see if it would trace in kernel code, and under VMWare it went BSOD. If it can trace ring0 it could be extremely useful, if not it may still have a few nice extended capabilities as a ring3 debugger.

There is a lot of exploring to do here. Since there is neither source nor a help file, any analysis of it here would be interesting. That also includes if anyone has the language capabilities to decipher any of the active thread and report anything useful... did I see the name Sephiroth?

After loading the sys driver, attach to a process. You can toggle into a command window with Ctrl-2 and type 'help' for a list of commands.

Regards,
Kayaker

disavowed
January 16th, 2005, 02:52
Cool post, Kayaker.

Luckily, http://www.worldlingo.com/en/websites/url_translator.html (Chinese-simp) does a hell of a good job translating it!

ZaiRoN
January 16th, 2005, 14:08
Hi Kayaker,
nice link
Quote:
[Originally Posted by Kayaker]It seems like it is supposed to be compatible with Softice in some fashion, but I've found conflicts
I tried this tool on an xp-sp1 machine with Softice. The program starts but it doesn't load the WispSyser driver (fails on OpenServiceA); I tried to load the driver with KmdManager and it passes the OpenServiceA call, loading the driver without problem... pretty strange.
It runs fine on an xp-sp1 machine without Softice, btw.
Quote:
I tried its I1HERE ON option to break on an INT 1 in my own kernel driver
I did the same thing (on the machine without Softice) and the result is a nice bsod...

Best regards,
Z.

Kayaker
January 16th, 2005, 22:26
That's not a bad translation actually... it seemed to do a better job than I used to get with Babelfish and wasm.ru anyway. The debugger is obviously still in the bugfix stage, will be worth watching for updates.

I tried tracing into an Int2E and kernel code, but the debugger couldn't handle it, still not sure if it's designed to. It seems to be able to create its own system symbol files, but I couldn't get them loaded successfully, nor my own source files. Still, poking around the disassembly should be interesting to see how the author approached things.

Solomon
January 16th, 2005, 23:32
The above machine translation is understandable. It's a ring0 debugger just like softice. The author implemented a rich set of GUI functions by directly manipulating video RAM. He said there will be a Linux version after 1~2 years. If you need further translation, I can do it. I'm Chinese.

disavowed
January 16th, 2005, 23:53
Just to make myself clear, I wasn't being sarcastic above. I too am impressed with the translation compared to that of Babelfish, etc.

4nil
January 17th, 2005, 00:56
Quote:
[Originally Posted by Solomon]The above machine translation is understandable. It's a ring0 debugger just like softice. The author implemented a rich set of GUI functions by directly manipulating video RAM. He said there will be a Linux version after 1~2 years. If you need further translation, I can do it. I'm Chinese.

Yeah, I'm Chinese too. If you go to bbs.pediy.com, what's your ID there?

Kayaker
January 17th, 2005, 20:04
To come to some conclusion on this,

The larger download with full install is the much newer version of the debugger (Dec/08/2004). It now uses 4 drivers,
Syser.sys
SysBoot.sys
SyserDisk.sys
SysLang.sys

loads on boot, has a full symbol download connection to the MSDN server (converts them to its own SDS format), and can load an executable or kernel driver for debugging. While it looks much improved, I have lockup problems I didn't have with the earlier version I tested. I single step once and the keyboard and mouse are unresponsive and the system locks. Until I sort it out I can't do much more. :-(

Kayaker

fudy
February 25th, 2005, 03:33
Quote:
[Originally Posted by 4nil]Yeah, I'm Chinese too. If you go to bbs.pediy.com, what's your ID there?


I'm Chinese three. It seems a little cold here; would you please introduce
a hotter site about driver & kernel development to me?

Kayaker
February 25th, 2005, 11:22
Hi,

The usual method is not to complain about the cold, but to add fuel to the fire. But I understand what you're saying.

If you want traditional, the most "active" forums I know of are:
microsoft.public.win32.programmer.kernel
microsoft.public.development.device.drivers

If you want untraditional:
rootkit.com

There are others that try, as we do, to encourage driver development discussions, but you would likely find these "cold" as well.

If you find other sites, please pass them along.

Kayaker

4nil
February 27th, 2005, 10:02
Quote:
[Originally Posted by fudy]I'm Chinese three. It seems a little cold here; would you please introduce
a hotter site about driver & kernel development to me?

Maybe exeTool in English & DFCG in Chinese are hotter...

Solomon
March 15th, 2005, 02:24
New version, seems more stable, but still needs more development.
hxxp://www.syser.net/download/SyserSetup.exe
screenshot
hxxp://www.syser.net/jpg/
at least 256MB RAM is needed, or your system will crash.
Quote:

Syser Debugger is a kernel-level, fully graphical debugger developed on the x86 platform specifically for the Windows NT family. It supports assembly-level and source-level debugging.

System requirements:
At least 256MB of RAM (less than 256MB will cause the system to crash).
CPU of at least 300MHz.
Supported operating systems:
windows 2000 (sp1,sp2,sp3,sp4)
windows xp (sp1,sp2)
windows 2003 (sp1)
....

Software features:

1. Colored disassembly support.
2. Source-level debugging supports syntax coloring.
3. Source-level debugging supports collapsible mapping between source code and assembly instructions.
4. Supports dynamic loading and unloading.
5. Full keyboard operation support (if there is no mouse device, all operations can be performed with the keyboard).
6. Full mouse operation support (if there is no keyboard device, all operations can be controlled with the mouse. This is impossible in SoftICE: if SoftICE is activated and there is no keyboard, there is no way to exit).
7. Commands compatible with SoftICE.
8. Multi-language support; the underlying implementation is fully Unicode.
9. Plugin mechanism support.
10. Multi-CPU support, including Intel Hyper-Threaded processors.
11. Startup script support (similar to batch files).
12. Automatic generation and automatic loading of debug symbol files, eliminating the tedious steps of SoftICE source-level debugging. If you develop and debug on the same machine, and you do not change the directory where the source code is stored, you only need to right-click the executable you compiled and choose the "Debug with Syser" item from the context menu to enter our debugger for source-level or assembly-level debugging.

13. Can coexist peacefully with SoftICE. SoftICE starts after Syser; Syser can also be unloaded, and can even debug SoftICE.
14. Full support for PDB debug symbol files.
15. Automatic loading for driver debugging.

Hardware input device support:

1. USB keyboard and USB mouse support.
2. PS2 keyboard and PS2 mouse support.
3. Full support for laptop TouchPad and TrackPoint devices (the advanced modes of TouchPad and TrackPoint are not yet supported in DS 3.2).

disavowed
March 22nd, 2005, 23:30
It seems to crash when trying to debug something inside VirtualPC

SiGiNT
August 19th, 2005, 18:23
There is a newer commercial version of this puppy; the site has a "buy" button but it just takes you to a download. I haven't tried this yet but it looks like a cross between DeDe, Sice, and Olly. I saw some claims on another board (from the manufacturer's description) that it's better than Olly for unpacking (or as they call it, unwrapping). The new URL is www.sysersoft.com (http://).

SiGiNT

JohnWho
August 19th, 2005, 19:57
So far I have had no success with this debugger; it always hangs my system. It sure does look promising, so I really hope it will get more stable with newer builds.

SiGiNT
August 19th, 2005, 23:46
OMG!

I must be prescient - check the new thread by the author.

SiGiNT