Diving into Windows Keyboard Driver 

Nir Lichtman

In this video I will demonstrate how you can cause funny behavior of the Windows PS/2 keyboard driver by connecting with a kernel debugger and modifying the assembly.
Check out my channel's welcome link for setup information about WinDbg and VirtualBox.
You can grab the Windows 10 ISO from the Microsoft official website.
Articles:
- reactos.org/wiki/I8042prt.sys
- wiki.osdev.org/%228042%22_PS/...

Published: 15 May 2024

Comments: 108
@yeong126 12 days ago
This is mind blowing. The fact that you can just modify the kernel on the fly through a serial port is crazy. Wow.
@soundspark 7 days ago
At the same time you can disable the serial debugger in bcdedit. Especially important since many motherboards still ship with a hardware serial port.
@kipchickensout 27 days ago
I didn't even know you were allowed to debug the kernel that easily. Nice video!
@jedimasternoob 24 days ago
Yea, this is pretty spicy info! I can see it being used for some not so good uses.
@niewazneniewazne1890 13 days ago
You are likely to debug your own drivers.
@KiraSlith 12 days ago
Same, I thought we lost the serial kernel debugger on Windows 98. RU-vid casually dropping this knowledge bomb in my recommended videos was a welcome surprise.
@ciano5475 8 days ago
@@KiraSlith XP added FireWire as a channel, newer versions maybe Ethernet
@sqrtof81 27 days ago
I don't think I've ever seen such a concise and easy to follow explanation of low-level stuff like this. Very, very cool!
@spirosgaliatsatos4384 1 month ago
Reminds me when I used to do assembly in DOS. I used this port to detect a keypress instead of using the BIOS int 16h keyboard services
@MrOnlineCoder 1 month ago
If I remember correctly, osdev may also mention about a specific byte sequence you send or read from ps/2 keyboard in order to initiate system reboot, which is often used in hobby kernels and I guess I've even seen it in linux somewhere
@0xfadead 1 month ago
Do you mean Ctrl-Alt-Delete? That was used to reboot computers in the DOS days
@komram4396 1 month ago
@@0xfadead nah, there is a keycode for reboot, I have a 90s keyboard with such a key and it works in modern operating systems.
@nathanielcleland6566 1 month ago
@@0xfadead No, in the old days the RESET line of the x86 CPU was connected to the 8042 keyboard controller. Ctrl+Alt+Delete is just a sequence of key presses given special meaning in the OS. But if you poll port 0x64 until the controller is ready, then write 0xFE, it resets the CPU to its initial state, rebooting the system. Although this is actually how you switched out of 16 bit protected mode back into real mode on the 80286 as well (as memory stays powered, you can hook into the reset handler and skip system initialization).
void reboot() {
    uint8_t good = 0x02;
    while (good & 0x02) good = inb(0x64);
    outb(0x64, 0xFE);
    halt();
}
@0xfadead 1 month ago
@@nathanielcleland6566 Ah lol, didn't know about that. It makes much more sense. Thanks for the swift response!
@ktheveg 27 days ago
Linux has something called "Magic SysRQ". For modern devices, you can press & hold ALT, then tap PrintScreen. This activates the SysRQ, then while holding down ALT, press B to reboot.
@HAGSLAB 1 month ago
Very nice demonstration of debugging a remote Windows machine :)
@milk-it 26 days ago
Absolutely gorgeous elucidation.
@xfxpositions 21 days ago
@@milk-it indeed
@bmx666bmx666 1 month ago
Bless you man! You explained how to connect and debug Windows in 10 minutes! Always fantastic! 🥳😀
@BengalEmpire767 28 days ago
Nooo, windbg😢. Haha lol, it's almost amazing how the app became a meme. Jokes aside, this is actually a very good video. You have earned a new subscriber.❤
@Creative_404 10 days ago
I don't understand anything but I'm still watching the whole vid
@mauriciolima1088 8 days ago
Thanks for the video it's great how you make complex low-level stuff so easy to follow! Thanks!!
@SSnQ_LPCWSTR 27 days ago
Thanks for yet another educational vid, Nir!
@granitium 9 days ago
Yo I didn't know my pc had an entire PS2 just through port
@TheTim2626 1 month ago
Thanks bro, really nice demonstration of Windows driver debugging, love it !!!!
@nithssh 18 days ago
Thanks for this, TIL OS dev wiki.
@waleedalrashed1411 21 days ago
As always, a concise video debugging low-level code. I am really curious how you came about learning "low-level computing" and how you built the experience? Was it computer architecture courses at uni or working somewhere where you were involved in that field?
@slendi9623 8 days ago
I didn't know that WinDbg contained an assembler, that's so neat!
@Cyba_IT 7 days ago
If you don't already have a job at Microsoft then you should man. Great stuff.
@Glitch-569 13 days ago
yoo new keyboard layout wertyu
@ocry3310 21 days ago
this is what we need in this community!!
@SuperElephant 12 days ago
Short and precise demo of reverse engineering the kernel with ASM. Amazing and entertaining stuff!
@nonsuch 1 month ago
Smart.... Brains.... (Bugs Bunny reference 😄). Awesome work! Cheers🥂
@____.__._.._ 14 days ago
That was fun to watch and I don't even code, thx
@ronalerquinigoagurto555 1 month ago
I would recommend making a video about hypervisor internals
@sourkefir 12 days ago
Never knew debugging the kernel was that easy. Nice video, you've got yourself a subscriber!
@petermuller608 3 hours ago
Great primer!
@tentimesful 29 days ago
I did engineering work where I had to do a lot of copying and pasting; well, the ctrl+c failed a lot and I didn't know if I copied or not.. so I made a program that would listen to my keyboard and show green in the taskbar if I pressed ctrl+c or ctrl+v (paste) lol... and it helps.. well, as a student at university I was reminded of him saying that they make ctrl difficult to press, as in previous gaming it could be pressed with other buttons that disrupt the gaming, so you really need to press it hard; my current laptop didn't need a hard ctrl press but now it does for copy and paste, what a shame... and if the manufacturers are really doing that to people, do stop that garbage and make the press easier even for ctrl...
@inqmusician2 24 days ago
You can create enigma codes with this.
@0bamo0 19 days ago
Is there a point to it ? No. Does it make it more interesting? Yes
@FurqanHun 12 days ago
never thought someone would explain assembly and I'd understand it (idk assembly)
@adamz1671 1 month ago
this is cool
@dsagman 26 days ago
fantastic!
@ancestrall794 26 days ago
Awesome video bro
@justinnamilee 26 days ago
Neat! Maybe cleaner to jne over the increment and have them both use the same ret, no? xD
@nirlichtman 26 days ago
Nice, that's a good idea :)
@KiraSlith 12 days ago
I didn't even know you could hook Windows' kernel debugger on retail after Windows 98, let alone retail Windows 10. I imagine there's a fair number of failsafes and hardware-level mechanics to keep you from doing anything super fun with it, like Commodore-style cheating like the olden days, but it's still neat.
@teamredstudio7012 27 days ago
This is super fascinating! I have a bit of experience with x64 assembly but I don't really know how drivers work. I always wondered what the kernel debugging was for and if we can use it. Can we also debug the kernel of an installation on itself without a VM?
@nirlichtman 27 days ago
Local kernel debugging is possible but it won't have all the abilities that you have when you do remote kernel debugging ( learn.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging ), BTW you can also debug another physical computer, it doesn't have to be a VM
@teamredstudio7012 26 days ago
@@nirlichtman Wow! Thanks! I'm gonna have some fun with this!
@amanda_bynes226 25 days ago
subscribed forever
@Damglador 23 days ago
I hear "screw up" - I watch video until the end🗿
@TunifyBasic 26 days ago
it's a good video with a simple explanation but I hope that you do a video about the execution flow and the PE/MZ format, it's a weird format to me. ELF is easily understandable, but Windows has weird executables, they store characters as if they were 16-bit not 8-bit and things like that....
@mikeuk1927 25 days ago
It's just UTF-16, it's not that bad. But yeah, PE is kind of weird, too complex for my liking
@ferna2294 25 days ago
This is next level shit. I love it.
@Potew 14 days ago
Wow, this was almost impossible to understand. I imagine debugging a graphics driver…
@ismbks 25 days ago
you don't see this type of content anywhere on youtube
@ahmadshami5847 1 month ago
That's awesome! I'm wondering though why when the cmp instruction was set the address jumped from ...64 to ...68? It doesn't seem like the instruction is using any large values to fill up what I presume is 32 bytes (ig each address can store 8 bytes but please correct me if I'm wrong).
@b4ttlemast0r 1 month ago
I think each address just refers to a single byte (the address itself is what's 64-bits)
@ahmadshami5847 1 month ago
@@b4ttlemast0r yeah idk, maybe that could be something related to the OS kernel or maybe even the hardware itself. But still, even then it doesn't make sense to me that a compare instruction would require 4 bytes if that's the case.
@nirlichtman 1 month ago
The cmp instruction took 4 bytes in total even though we are in 64-bit, since the jump in this case is relative and not absolute, so the machine code doesn't need to store the entire 8 bytes of the memory address
@ahmadshami5847 1 month ago
hmmm... okay, I must say I'm still kinda new to low level machine stuff, but that's fascinating. So what I understood is that the cmp instruction could make use of those 4 addresses but it didn't so it just skipped them, right?
@nirlichtman 1 month ago
@@ahmadshami5847 could you elaborate what exactly you mean?
@michaelflynn6952 2 days ago
This video is awesome, I learned a lot, but how are we gonna pretend that most motherboards in 2024 have serial ports 😂. My X99 board from 2014 doesn't even have one
@nirlichtman 1 day ago
Thanks :) You mean PS/2? Desktop or laptop motherboard? From what I have checked, on desktops it is still pretty common
@gabrielv.4358 8 days ago
Hello!! Can you tell me if it's possible to "emulate" (change) the status of a gamepad joystick?? I wish to use two of them, but they both assign to the same buttons, but I wish they were 2 separate controllers so I could use 4 "analogs" instead of 2. Thank you so much
@milk-it 26 days ago
Something tells me the peanuts in MS support aren't exactly diving this deep into your issue when you call Microsoft for support 🤣
@Neuer_Alias_erstellen 27 days ago
Cool - I wonder if malware could abuse Windows debugging on a Windows VM
@MichalCanecky 7 days ago
Where did the extra space after the ret instruction come from? Was the driver compiled like this?
@nirlichtman 7 days ago
It has to do with alignment, check out one of the other comments over here for a more in depth explanation
@WhileTrueCode 13 days ago
nice video! tho I think it would be safer to push/pop flags since you're adding a cmp, right? but who cares for a quick demo lol
@betaswithWack0 10 days ago
funny that I get this recommended to me, given that I've had to write custom keyboard drivers for NT4 (on PowerPC) recently, and kbdclass expects to receive PS/2 scancodes so I had to convert USB HID to PS/2 scancodes...
@milckshakebeans8356 25 days ago
Why did they add the padding to the functions?
@kell2185 14 days ago
The padding is for alignment! For several reasons (hardware, cache...), functions are 16-bit aligned and the remaining space is usually filled with instruction "INT 3" (breaks execution if hit) as a safety measure. You'll notice all functions start at a 0-ending address. 😉
@NikkiMcMistie 13 days ago
How will it error out once the register overflows when you press the last mapped key and it increments it by 1?
@sf-petru 8 days ago
I didn't understand the last part, why it won't show the next char in ASCII, but the next chart on the physical keyboard
@nirlichtman 8 days ago
That is because we are increasing the keyboard scan code by one and not the ASCII characters (the keyboard doesn't work with ASCII, the encoding happens in a higher level)
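As an added example (not code from the video, and not Microsoft's i8042prt), the C model below follows the replies above: it carries a subset of PS/2 scan code set 1, applies the same "+1 on the scan code" that the patched handler does, and shows what happens at the 8-bit boundaries that the overflow question above asks about (0xFF wraps to 0x00, and 0x7F+1 lands in the release-code range because set 1 uses bit 7 for key release). The table is constructed for the demo and the patch is modelled as a plain increment on an 8-bit register, which is an assumption about the video's patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of PS/2 scan code set 1 (what i8042prt reads from port 0x60).
 * Each row's first key has the given make code, the rest follow in order.
 * Constructed demo table; set 1 marks a key release by setting bit 7. */
static const struct { uint8_t first; const char *keys; } ROWS[] = {
    {0x02, "1234567890-="}, {0x10, "qwertyuiop[]"},
    {0x1E, "asdfghjkl;'"},  {0x2C, "zxcvbnm,./"},
};
#define NROWS (sizeof ROWS / sizeof ROWS[0])
#define BREAK_BIT 0x80
/* Model of the patched handler (assumption): the scan code sits in AL, an
 * 8-bit register, so "inc al" silently wraps 0xFF -> 0x00 with no fault. */
uint8_t patched_inc(uint8_t scan) { return (uint8_t)(scan + 1); }
int is_break(uint8_t scan) { return (scan & BREAK_BIT) != 0; }
/* Make code for a key in the table, or 0 if the key is not mapped. */
uint8_t make_code(char key) {
    for (size_t r = 0; key && r < NROWS; r++) {
        const char *p = strchr(ROWS[r].keys, key);
        if (p) return (uint8_t)(ROWS[r].first + (p - ROWS[r].keys));
    }
    return 0;
}
/* Key for a make or break code, or '?' if it is outside the table. */
char key_for(uint8_t scan) {
    uint8_t make = scan & (uint8_t)~BREAK_BIT;   /* strip the release bit */
    for (size_t r = 0; r < NROWS; r++) {
        size_t n = strlen(ROWS[r].keys);
        if (make >= ROWS[r].first && (size_t)(make - ROWS[r].first) < n)
            return ROWS[r].keys[make - ROWS[r].first];
    }
    return '?';
}
/* Runs each typed key through the patched path (static buffer, demo only). */
const char *retype(const char *in) {
    static char out[64];
    size_t i = 0;
    for (; *in && i < sizeof out - 1; in++, i++)
        out[i] = key_for(patched_inc(make_code(*in)));
    out[i] = '\0';
    return out;
}
int main(void) {
    printf("qwerty -> %s\n", retype("qwerty"));       /* wertyu */
    printf("0xFF + 1 = 0x%02X\n", patched_inc(0xFF));  /* 0x00 */
    printf("0x7F + 1 is a break code: %d\n", is_break(patched_inc(0x7F)));
    return 0;
}
```

Because the increment is applied to both the make and the break code of a key, press and release stay paired as long as the +1 does not cross 0x7F or 0xFF; keys whose shifted code falls outside the table (such as '/' at 0x35 becoming 0x36) show as '?' here.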
@gabrielv.4358 8 days ago
I find it very unnecessary to log in to Windows, let alone in a VM, but ok. Cool video
@MattTrevett 11 days ago
Not sure if this is a logical question, but can the debugger debug itself in the kernel scope? Or does that even make sense?
@iyar220 10 hours ago
If you just want to see how it works, you could debug another instance of the debugger process with the debugger; it doesn't care what it's debugging.
@hoteny 1 month ago
1:02 what's the other driver then?
@Hallilo 1 month ago
the PS/2 keyboard driver is responsible for reading the hardware-level data from the I/O port; kbdclass is a higher-level driver that communicates with the PS/2 driver and gives some consistency to the OS with abstraction (correct me if I'm wrong)
@RockRock-qf1wj 1 day ago
yoo!!!
@SqualidsargeStudios 25 days ago
I’ve noticed one thing, you seem to press pretty danged hard on keys and buttons every now and again.
@Splatpope 2 days ago
why not:
jne f+c
inc al
c: ret
@PavitraGolchha 1 month ago
How to remap Copilot key to R Ctrl key on newer windows laptops? Custom drivers or registry hacks? PowerToys works but doesn't work on all apps.
@mertemr 1 month ago
you can use autohotkey.
@fluffball1415 26 days ago
Can remap it in the registry, that'll work in administrator level applications.
@MsTatakai 10 days ago
So, now remove the input lag from USB drivers nyeeeehhehe if it were that ez
@lychy645 8 days ago
lol just use a ps2 device
@MsTatakai 8 days ago
@@lychy645 Yeah I know that =P I was kinda trolling right now XD But now that you say that... is there any gamepad as PS/2? That would be amazing, no?
@SASTSimon 9 days ago
What
@gokul2003g 1 month ago
Screw up some linux stuff next, please.
@_lun4r_ 1 month ago
The screwed up keyboard for Linux already exists, check the videos
@gokul2003g 1 month ago
@@_lun4r_ ooh 👍
@vlc-cosplayer 26 days ago
You can't scam people into getting tech support if you break Linux!
@RahulNarsing-lx9pi 1 month ago
yay, I am first
@basvandenburg-uy8iw 17 days ago
Can you stop ending 99% of sentences with a high note?