He able to do that because their is nothing protecting anything at the binary level and the VM lives below the binary level for that virtual OS so the OS can’t take any protective measures
Same, I thought we lost the serial kernel debugger on Windows 98. TH-cam casually dropping this knowledge bomb in my recommended videos was a welcome surprise.
Wow I've never seen anyone explain assembly in such an easy to follow manner. My mind usually glazes over but this was just engaging the whole way through
If I remember correctly, osdev may also mention about a specific byte sequence you send or read from ps/2 keyboard in order to initiate system reboot, which is often used in hobby kernels and I guess I've even seen it in linux somewhere
@@0xfadead No, in the old days the RESET line of the x86 CPU was connected to the 8042 keyboard controller. Ctrl+Alt+Delete is just a sequence of key presses given special meaning in the OS. But if you poll port 0x64 until the controller is ready, then write 0xFE, it resets the CPU to its initial state, rebooting the system. Although this is actually how you switched out of 16 bit protected mode back into real mode on the 80286 as well (as memory stays powered, you can hook into the reset handler and skip system initialization). void reboot() { uint8_t good = 0x02; while (good & 0x02) good = inb(0x64); outb(0x64, 0xFE); halt(); }
Linux has something called "Magic SysRQ". For modern devices, you can press & hold ALT, then tap PrintScreen. This activates the SysRQ, then while holding down ALT, press B to reboot.
this is actually very cool. i've been working on my own hobby OS recently and a keyboard driver is the module i've just finished (for now). some good revision.
Nooo, windbg😢. Haha lol, its almost amazing how the app became a meme. Jokes aside, this is actually a very good video. You have earned a new subscriber.❤
I didn't even know you could hook Windows' kernel debugger on retail after Windows 98, let alone retail Windows 10. I imagine there's a fair number of failsafes and hardware-level mechanics to keep you from doing anything super fun with it, like Commodore-style cheating like the olden days, but it's still neat.
I did engineering work where I had to do alot of copying and pasting, well the ctrl+c failed alot and didnt know if I copied or not.. so made a program that would listen to my keyboard and show green in taskbar if I pressed ctrl+c or ctrl+v(paste) lol... and it helps.. well I student at university I was reminded him saying that they make ctrl difficult to press as in previous gaming it could be pressed with other buttons that disrupt the gaming so you really need to press it hard, my current laptop didnt needed a hard ctrl press but now it does for copy and paste what a shame... and if the manifacturers are really doing that to people do stop that garbage and make the press easier even for ctrl...
funny that I get this recommended to me, given that I've had to write custom keyboard drivers for NT4 (on PowerPC) recently, and kbdclass expects to receive PS/2 scancodes so I had to convert USB HID to PS/2 scancodes...
As always , concise video debugging low-level code , I am really curious how have you come about learning "low-level computing" and how have yoi built the experience ? was it Computer architecture courses at Uni orworking somewhere where you were involved in that field ?
Just writing this on a whim since maybe you'll see it, but would you happen to have any ideas regarding dealing with a keyboard driver corruption issue on a laptop? Daily, my keyboard will cut out, and stop responding for about 3 to 10 seconds, then work fine for a few hours, where it will then do it again. This eventually leads to the driver completely dying and me having to uninstall the keyboard driver, restart the laptop, and then deal with it randomly cutting out here and there for a couple of days, until it does it all over again. I think the easiest solution would be an alternative keyboard driver, and just seeing if that solves it, but idk, ultimately this is a known problem with all higher end Lenovo laptops, and seemingly, there is no solution whatsoever, it always comes back.
That sounds bad :( Hard to help without having the device physically to inspect, but generally, it sounds weird that it has a custom non-standard keyboard driver, for example my Lenovo Y50 has the laptop built-in keyboard connected to the keyboard port on the motherboard, and then on Device Manager it shows up as a standard PS/2 keyboard and uses the standard Microsoft driver I talked about in the video. How does it show up on your device manager keyboard category? (make sure to disconnect any additional keyboards you may have to avoid confusion)
it's a good video with simple explanation but i hope that you do a video about the execution flow and the pe/mz format it's weird format to me. elf is easy understandable. but windows has weird executables they store charachters as if they were 16bit not 8bit and things like that....
That is because we are increasing the keyboard scan code by one and not the ASCII characters (the keyboard doesn't work with ASCII, the encoding happens in a higher level)
This is super fascinating! I have a bit of experience with x64 assembly but I don't really know how drivers work. I always wondered what the kernel debugging was for and if we can use it. Can we also debug the kernel of an installation on itself without a VM?
Local kernel debugging is possible but it won't have all the abilities that you have when you do remote kernel debugging ( learn.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging ), BTW you can also debug another physical computer, it doesn't have to be a VM
That's awesome! I'm wondering though why when the cmp instruction was set the address jumped from ...64 to ...68? It doesn't seem like the instruction is using any large values to fill up what I presume is 32 bytes (ig each address can store 8 bytes but please correct me if I'm wrong).
@@b4ttlemast0r yeah idk maybe that could something related to the OS kernel or maybe even the hardware itself. But still even then it doesn't make sense for me that a compare instruction would require 4 bytes if that's the case.
The cmp instruction took in total 4 bytes even though we are in 64 bit, since the jump in this case is relative and not absolute so the machine code doesn't need to store the entire 8 bytes of the memory address
hmmm... okay, I must say I'm still kinda new to low level machine stuff, but that's fascinating. So what I understood is that the cmp instruction could make use of those 4 addresses but it didn't so it just skipped them, right?
The padding is for alignment! For several reasons (hardware, cache...), functions are 16-bit aligned and the remaining space is usually filled with instruction "INT 3" (breaks execution if hit) as a safety measure. You'll notice all functions start at a 0-ending address. 😉
Hello!! can you tell me if its possible to "emulate" (Change) the status of an gamepad joystick?? I wish to use two of them, but they both assign to the same buttons, but I wish they were 2 separate controllers so I could use 4 "analogs" instead of 2. Thank you so much
This video is awesome, I learned a lot, but how are we gonna pretend that most motherboards in 2024 have serial ports 😂. My X99 board from 2014 doesnt even have one
If you just want to see how it works, you could debug another instance of the the debugger process with the debugger, it doesn't care what it's debugging.
the ps2 keyboard driver is responsible for reading the hardware level data from the I/O port, kbdclass is a higher level driver that communicates with the ps2 driver and gives some consistency to the os with abstraction (correct me if im wrong)
A lot of desktop motherboards still have these ports nowadays, the motherboard I have shown in the video is one of the first results I had when searching on Amazon for a motherboard :)
@@nirlichtman no, not really. That’s exotic motherboards with those ports nowadays. But it doesn’t matter, was a really cool video, gonna check out more, well done. I just had a giggle for nostalgic reason there 😂
@@lychy645 Yeah i know that =P i was kinda trolling right now XD But now that you say that... is there any Gamepad as PS/2 ? that would be amazing, no?
This is mind blowing. The fact that you can just modify the kernal on the fly through a serial port is crazy. Wow.
At the same time you can disable the serial debugger in bcdedit. Especially important since many motherboards still ship with a hardware serial port.
He able to do that because their is nothing protecting anything at the binary level and the VM lives below the binary level for that virtual OS so the OS can’t take any protective measures
@@GamePlays_1230dude what bs did you just say
i didn't even know you were allowed to debug the kernel that easily
nice video!
Yea, this is pretty spicy info! I can see it being used for some not so good uses.
You are, likely to debug your own drivers.
Same, I thought we lost the serial kernel debugger on Windows 98. TH-cam casually dropping this knowledge bomb in my recommended videos was a welcome surprise.
@@KiraSlith XP added the FireWire as a channel, newer version maybe ethernet
I don't think I've ever seen such a concise and easy to follow explanation of low-level stuff like this. Very, very cool!
Reminds me when I used to do assembly in DOS. I used this port to detect a keypress instead of using the BIOS int 16h keyboard services
Wow I've never seen anyone explain assembly in such an easy to follow manner. My mind usually glazes over but this was just engaging the whole way through
Don't ever stop making videos man.
Also, I would love comprehensive courses/playlists on writing drivers and stuff like this.
If I remember correctly, osdev may also mention about a specific byte sequence you send or read from ps/2 keyboard in order to initiate system reboot, which is often used in hobby kernels and I guess I've even seen it in linux somewhere
Do you mean Ctrl-Alt-Delete?
That was used to reboot computers in the DOS days
@@0xfadead nah, there is a keycode for reboot, i have an 90s keyboard with such key and it works in modern operating systems.
@@0xfadead No, in the old days the RESET line of the x86 CPU was connected to the 8042 keyboard controller. Ctrl+Alt+Delete is just a sequence of key presses given special meaning in the OS.
But if you poll port 0x64 until the controller is ready, then write 0xFE, it resets the CPU to its initial state, rebooting the system. Although this is actually how you switched out of 16 bit protected mode back into real mode on the 80286 as well (as memory stays powered, you can hook into the reset handler and skip system initialization).
void reboot()
{
uint8_t good = 0x02;
while (good & 0x02)
good = inb(0x64);
outb(0x64, 0xFE);
halt();
}
@@nathanielcleland6566 Ah lol, didn't know about that. It makes much more sense. Thanks for the swift response!
Linux has something called "Magic SysRQ". For modern devices, you can press & hold ALT, then tap PrintScreen. This activates the SysRQ, then while holding down ALT, press B to reboot.
Very nice demonstration of debugging a remote Windows machine :)
Absolutely gorgeous elucidation.
@@milk-it indeed
I didn't know that WinDbg contained an assembler, that's so neat!
this is actually very cool. i've been working on my own hobby OS recently and a keyboard driver is the module i've just finished (for now). some good revision.
Bless you man! You explained how to connect and debug Windows in 10 minutes! Always fantastic! 🥳😀
Nooo, windbg😢. Haha lol, its almost amazing how the app became a meme.
Jokes aside, this is actually a very good video. You have earned a new subscriber.❤
Thanks for the video it's great how you make complex low-level stuff so easy to follow! Thanks!!
very true!
I wish you were a reactos developer. You would be so helpful. You are great. You would bring life to Reactos.
I didn't even know you could hook Windows' kernel debugger on retail after Windows 98, let alone retail Windows 10. I imagine there's a fair number of failsafes and hardware-level mechanics to keep you from doing anything super fun with it, like Commodore-style cheating like the olden days, but it's still neat.
I did not expect this video to be entertaining and teach me about fucking with the keyboard driver. YT always give me fire recommendations
If you don't already have a job at Microsoft then you should man. Great stuff.
Short and precise demo of reverse engineering the kernel with ASM. Amazing and entertaining stuff!
thanks bro, really nice demonstration of windows driver debbuging, love it !!!!
Never knew debugging the kernel was that easy. Nice video, you've got yourself a subscriber!
That's the beauty of virtual machines
You can create enigma codes with this.
Thanks for this, TIL OS dev wiki.
yoo new keyboard layout wertyu
i dont understan anything but im still watch all vid
I would recommend making a video about hypervisor internals
Is there a point to it ? No.
Does it make it more interesting? Yes
Thanks for yet another educational vid, Nir!
I did engineering work where I had to do alot of copying and pasting, well the ctrl+c failed alot and didnt know if I copied or not.. so made a program that would listen to my keyboard and show green in taskbar if I pressed ctrl+c or ctrl+v(paste) lol... and it helps.. well I student at university I was reminded him saying that they make ctrl difficult to press as in previous gaming it could be pressed with other buttons that disrupt the gaming so you really need to press it hard, my current laptop didnt needed a hard ctrl press but now it does for copy and paste what a shame... and if the manifacturers are really doing that to people do stop that garbage and make the press easier even for ctrl...
Neat! Maybe cleaner to jne over the increment and have them both use the same ret, no? xD
Nice, thats a good idea :)
Wow, this was almost impossible to understand. I imagine debugging a graphics driver…
never thought someone would explain assembly and i'd understand it (idk assembly)
funny that I get this recommended to me, given that I've had to write custom keyboard drivers for NT4 (on PowerPC) recently, and kbdclass expects to receive PS/2 scancodes so I had to convert USB HID to PS/2 scancodes...
As always , concise video debugging low-level code , I am really curious how have you come about learning "low-level computing" and how have yoi built the experience ? was it Computer architecture courses at Uni orworking somewhere where you were involved in that field ?
I hear "screw up" - I watch video until the end🗿
Just writing this on a whim since maybe you'll see it, but would you happen to have any ideas regarding dealing with a keyboard driver corruption issue on a laptop? Daily, my keyboard will cut out, and stop responding for about 3 to 10 seconds, then work fine for a few hours, where it will then do it again. This eventually leads to the driver completely dying and me having to uninstall the keyboard driver, restart the laptop, and then deal with it randomly cutting out here and there for a couple of days, until it does it all over again. I think the easiest solution would be an alternative keyboard driver, and just seeing if that solves it, but idk, ultimately this is a known problem with all higher end Lenovo laptops, and seemingly, there is no solution whatsoever, it always comes back.
That sounds bad :( Hard to help without having the device physically to inspect, but generally, it sounds weird that it has a custom non-standard keyboard driver, for example my Lenovo Y50 has the laptop built-in keyboard connected to the keyboard port on the motherboard, and then on Device Manager it shows up as a standard PS/2 keyboard and uses the standard Microsoft driver I talked about in the video. How does it show up on your device manager keyboard category? (make sure to disconnect any additional keyboards you may have to avoid confusion)
it's a good video with simple explanation but i hope that you do a video about the execution flow and the pe/mz format it's weird format to me. elf is easy understandable. but windows has weird executables they store charachters as if they were 16bit not 8bit and things like that....
It's just UTF-16, it's not that bad. Buy yeah, PE is kind of weird, too complex for my liking
I didn't understand the last part, why it won't show the next char in ASCII, but the next chart on the physical keyboard
That is because we are increasing the keyboard scan code by one and not the ASCII characters (the keyboard doesn't work with ASCII, the encoding happens in a higher level)
This is super fascinating! I have a bit of experience with x64 assembly but I don't really know how drivers work. I always wondered what the kernel debugging was for and if we can use it. Can we also debug the kernel of an installation on itself without a VM?
Local kernel debugging is possible but it won't have all the abilities that you have when you do remote kernel debugging ( learn.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging ), BTW you can also debug another physical computer, it doesn't have to be a VM
@@nirlichtman Wow! Thanks! I'm gonna have some fun with this!
That's awesome! I'm wondering though why when the cmp instruction was set the address jumped from ...64 to ...68? It doesn't seem like the instruction is using any large values to fill up what I presume is 32 bytes (ig each address can store 8 bytes but please correct me if I'm wrong).
I think each address just refers to a single byte (the address itself is what's 64-bits)
@@b4ttlemast0r yeah idk maybe that could something related to the OS kernel or maybe even the hardware itself. But still even then it doesn't make sense for me that a compare instruction would require 4 bytes if that's the case.
The cmp instruction took in total 4 bytes even though we are in 64 bit, since the jump in this case is relative and not absolute so the machine code doesn't need to store the entire 8 bytes of the memory address
hmmm... okay, I must say I'm still kinda new to low level machine stuff, but that's fascinating. So what I understood is that the cmp instruction could make use of those 4 addresses but it didn't so it just skipped them, right?
@@ahmadshami5847 could you elaborate what exactly you mean?
Why did they add the padding to the functions?
The padding is for alignment! For several reasons (hardware, cache...), functions are 16-bit aligned and the remaining space is usually filled with instruction "INT 3" (breaks execution if hit) as a safety measure. You'll notice all functions start at a 0-ending address. 😉
That was fun to watch and I dont even code, thx
Great primer!
thtop, the plebs wil learn how easy it is
This is next level shit. I love it.
Smart.... Brains.... (Bugs Bunny reference 😄). Awesome work! Cheers🥂
Where did the extra space after the ret instruction come from? Was the driver compiled like this?
It has to do with alignment, check out one of the other comments over here for a more in depth explanation
Hello!! can you tell me if its possible to "emulate" (Change) the status of an gamepad joystick?? I wish to use two of them, but they both assign to the same buttons, but I wish they were 2 separate controllers so I could use 4 "analogs" instead of 2. Thank you so much
Something tells me the peanuts in MS support aren't exactly diving this deep into your issue when you call Microsoft for support 🤣
why not:
jne f+c
inc al
c: ret
How did you get the linux terminal on powershell?
you don't see this type of content anywhere on youtube
How will it error out once the register overflows when you press the last mapped key and it increments it by 1?
didn't know that be possible great video ❤
Interesting!
This video is awesome, I learned a lot, but how are we gonna pretend that most motherboards in 2024 have serial ports 😂. My X99 board from 2014 doesnt even have one
Thanks :) You mean PS2? desktop or laptop motherboard? from what I have checked on desktops it is still pretty common
Yo I didn't know my pc had an entire PS2 just through port
cool - i wonder if malware could abuse windows Debugging on a windows VM
subscribed forever
Not sure if this is a logical question, but can the debugger debug itself in the kernel scope? Or does that even make sense?
If you just want to see how it works, you could debug another instance of the the debugger process with the debugger, it doesn't care what it's debugging.
this is cool
Awesome video bro
this is what we need in this community!!
cool
Linux users been real quiet since this dropped
1:02 whats the other driver then?
the ps2 keyboard driver is responsible for reading the hardware level data from the I/O port, kbdclass is a higher level driver that communicates with the ps2 driver and gives some consistency to the os with abstraction (correct me if im wrong)
I find it very unecessary to login into windows, let alone in a VM, But ok. Cool video
nice video! tho i think it would be safer to push/pop flags since ur adding a cmp, right? but who cares for a quick demo lol
This is a motherboard nowadays... Shows PS2, VGA and DVI lol. Otherwise very cool video
A lot of desktop motherboards still have these ports nowadays, the motherboard I have shown in the video is one of the first results I had when searching on Amazon for a motherboard :)
@@nirlichtman no, not really. That’s exotic motherboards with those ports nowadays. But it doesn’t matter, was a really cool video, gonna check out more, well done. I just had a giggle for nostalgic reason there 😂
@@wolfgangvogel5407 wdym? My 2020 mobo still has PS2
How to remap Copilot key to R Ctrl key on newer windows laptops? Custom drivers or registry hacks? PowerToys works but doesn't work on all apps.
you can use autohotkey.
Can remap it in the registry, that'll work in administrator level applications.
I’ve noticed one thing, you seem to press pretty danged hard on keys and buttons every now and again.
fantastic!
Actually, PS2 is a game console released by Sony on 4/3/2000
rage bait
yoo!!!
So, now remove the input lag from USB drivers nyeeeehhehe if it were that ez
lol just use a ps2 device
@@lychy645 Yeah i know that =P i was kinda trolling right now XD
But now that you say that... is there any Gamepad as PS/2 ? that would be amazing, no?
What if we input latest character I mean ASCII table, what would happen? Windows gonna throw IndexOutOfRange error😅
Screw up some linux stuff next, please.
The screwed up keyboard for Linux already exists, check the videos
@@_lun4r_ ooh 👍
You can't scam people into getting tech support if you break Linux!
can i give money?
Appreciate the complement! I am considering enabling the super thanks soon :)
What
yay, i am first
Can you stop ending 99% of sentences with a high note?
why is that bothering you lmao