How to directly write to the frame buffer in windows driver

I am writing the driver that can directly write data to the frame buffer, so that I can show the secret message on the screen while the applications in user space can’t get it. Below is my code that trying to write the value to the frame buffer, but after I write the value to the frame buffer, the values i retrieved from the frame buffer are all 0.

I am puzzled, anyone knows the reason? Or anyone knows how to display a message on the screen while the applications in the user space can’t get the content of the message? Thanks a lot!

#define FRAME_BUFFER_PHYSICAL_ADDRESS 0xA0000
#define BUFFER_SIZE 0x20000

void showMessage()
{
int i;
int *vAddr;
PHYSICAL_ADDRESS pAddr;

pAddr.QuadPart = FRAME_BUFFER_PHYSICAL_ADDRESS;
vAddr = (int *)MmMapIoSpace(pAddr, BUFFER_SIZE, MmNonCached);
KdPrint((“Virtual address is %p”, vAddr));

for(i = 0; i < BUFFER_SIZE / 4; i++)
{
vAddr[i] = 0x11223344;
}

for(i = 0; i < 0x80; i++)
{
KdPrint((“Value: %d”, vAddr[i])); // output are all zero
}
MmUnmapIoSpace(vAddr, BUFFER_SIZE);
}

You’re writing the driver for the display or trying to hijack resources owned by another driver?

Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

On Mar 14, 2012, at 1:05 PM, xxxxx@gmail.com wrote:

I am writing the driver that can directly write data to the frame buffer, so that I can show the secret message on the screen while the applications in user space can’t get it. Below is my code that trying to write the value to the frame buffer, but after I write the value to the frame buffer, the values i retrieved from the frame buffer are all 0.

I am puzzled, anyone knows the reason? Or anyone knows how to display a message on the screen while the applications in the user space can’t get the content of the message? Thanks a lot!

#define FRAME_BUFFER_PHYSICAL_ADDRESS 0xA0000
#define BUFFER_SIZE 0x20000

void showMessage()
{
int i;
int *vAddr;
PHYSICAL_ADDRESS pAddr;

pAddr.QuadPart = FRAME_BUFFER_PHYSICAL_ADDRESS;
vAddr = (int *)MmMapIoSpace(pAddr, BUFFER_SIZE, MmNonCached);
KdPrint((“Virtual address is %p”, vAddr));

for(i = 0; i < BUFFER_SIZE / 4; i++)
{
vAddr[i] = 0x11223344;
}

for(i = 0; i < 0x80; i++)
{
KdPrint((“Value: %d”, vAddr[i])); // output are all zero
}
MmUnmapIoSpace(vAddr, BUFFER_SIZE);
}

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@gmail.com wrote:

I am writing the driver that can directly write data to the frame buffer, so that I can show the secret message on the screen while the applications in user space can’t get it. Below is my code that trying to write the value to the frame buffer, but after I write the value to the frame buffer, the values i retrieved from the frame buffer are all 0.

I am puzzled, anyone knows the reason? Or anyone knows how to display a message on the screen while the applications in the user space can’t get the content of the message? Thanks a lot!

#define FRAME_BUFFER_PHYSICAL_ADDRESS 0xA0000
#define BUFFER_SIZE 0x20000

It is, I am afraid, because you are living about 15 years in the past.
A0000 was the physical address for the original VGA card. No graphics
card in living memory has placed its frame buffer at that address.
That’s partly because they are all now PCI devices, so their physical
addresses are assigned by the BIOS, and partly because 131k bytes is not
even large enough for a 640x480 image.

Windows drivers cannot get at the graphics frame buffer.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Actually my driver wants to show the secret message on the screen, telling the user that the protection starts. And i also want the user space application cant get this message in case that the application can fake this message.
My senior has successfully display the message with Linux, and the physical address he use is 0xA0000. I have checked the physical address of my graphics with device manager, and i discovered that it has 4 memory regions, one region is 0xA0000~0xBFFFF.
By the way, do you have any suggestions on how to do this? I only want to display the secret message on the screen in the kernel space, the user space can’t get this information.

Yes so you have a vga compatible graphics card that decodes the legacy
vga space. Shortly after boot the graphics driver flips the device out
of vga mode and writing to the legacy VGA addresses is useless.

There is nothing particularly more secure about writing the secret
message from ‘kernel space’ than from writing it using a service in
user mode.

This design you have is horrible. Convince ‘your senior’ to think of
something else.

Mark Roddy

On Wed, Mar 14, 2012 at 2:51 PM, wrote:
> Actually my driver wants to show the secret message on the screen, telling the user that the protection starts. And i also want the user space application cant get this message in case that the application can fake this message.
> My senior has successfully display the message with Linux, and the physical address he use is 0xA0000. I have checked the physical address of my graphics with device manager, and i discovered that it has 4 memory regions, one region is 0xA0000~0xBFFFF.
> By the way, do you have any suggestions on how to do this? I only want to display the secret message on the screen in the kernel space, the user space can’t get this information.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@gmail.com wrote:

Actually my driver wants to show the secret message on the screen, telling the user that the protection starts. And i also want the user space application cant get this message in case that the application can fake this message.

That doesn’t make any sense. It’s actually EASIER for a user-mode
application to write to the screen than it is for a kernel driver. A
user-mode app can just do GetDC(0) and TextOut to draw anywhere on the
desktop. You cannot prevent that.

My senior has successfully display the message with Linux, and the physical address he use is 0xA0000. I have checked the physical address of my graphics with device manager, and i discovered that it has 4 memory regions, one region is 0xA0000~0xBFFFF.

Your “senior” is using a console, not a hi-resolution graphics screen.
Take a few minutes to think about this logically, will you? Say your
desktop is 1024x768 true color. That’s a 3MB frame buffer. How do you
think that’s going to be squeezed into a 128kB region in low memory?

By the way, do you have any suggestions on how to do this? I only want to display the secret message on the screen in the kernel space, the user space can’t get this information.

If you need to display messages to the screen, write a user-mode service
that gets signals from your driver. You do need to be aware that
anything you write to the screen can be spoofed by an application. I
would HOPE that was obvious.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

What are you going to do for systems without the hardware? Over the
years I have cursed idiots who do this, since you can have headless
windows with no display. For that matter what will you do with “lights
out” operations? I know of a software company whose clever software put
up a display on a server, and hung waiting for input in certain special
cases, a large firm bought the software and only got the problem on one
server in a field office, that typically did not have a keyboard, mouse
or monitor even connected and no on site IT guy. The firm sued the
software company when they found the “feature” and demanded their money
back.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntdev:

> I am writing the driver that can directly write data to the frame buffer, so that I can show the secret message on the screen while the applications in user space can’t get it. Below is my code that trying to write the value to the frame buffer, but after I write the value to the frame buffer, the values i retrieved from the frame buffer are all 0.
>
> I am puzzled, anyone knows the reason? Or anyone knows how to display a message on the screen while the applications in the user space can’t get the content of the message? Thanks a lot!
>
> #define FRAME_BUFFER_PHYSICAL_ADDRESS 0xA0000
> #define BUFFER_SIZE 0x20000
>
> void showMessage()
> {
> int i;
> int *vAddr;
> PHYSICAL_ADDRESS pAddr;
>
> pAddr.QuadPart = FRAME_BUFFER_PHYSICAL_ADDRESS;
> vAddr = (int *)MmMapIoSpace(pAddr, BUFFER_SIZE, MmNonCached);
> KdPrint((“Virtual address is %p”, vAddr));
>
> for(i = 0; i < BUFFER_SIZE / 4; i++)
> {
> vAddr[i] = 0x11223344;
> }
>
> for(i = 0; i < 0x80; i++)
> {
> KdPrint((“Value: %d”, vAddr[i])); // output are all zero
> }
> MmUnmapIoSpace(vAddr, BUFFER_SIZE);
> }

It sounds like you want to write some secret message on the screen from your hardware or driver.

It’s going to be WAY more complex than just writing to physical address 0xA0000. That might have worked in 1986, but displays are a lot more complex now.

If you search this list, you will find a thread from a year or so ago (with comments from me) about having an app allocate a DirectX surface and passing that down to a driver that then writes to it. This method should be pretty independent of that hardware. There was a report in that thread of this being successful. I once used this for testing some inter device DMA operations, and the video buffer just happened to be a handy high bandwidth target.

You also realize if you write to the screen buffer, an application can potentially read the screen buffer and capture anything you display. Windows DOES have support for DRM protected video, which should (in theory) not be accessible by a user mode program. You might investigate what a DRM protected video kernel component needs to do to generate protected content.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, March 14, 2012 11:05 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to directly write to the frame buffer in windows driver

I am writing the driver that can directly write data to the frame buffer, so that I can show the secret message on the screen while the applications in user space can’t get it. Below is my code that trying to write the value to the frame buffer, but after I write the value to the frame buffer, the values i retrieved from the frame buffer are all 0.

I am puzzled, anyone knows the reason? Or anyone knows how to display a message on the screen while the applications in the user space can’t get the content of the message? Thanks a lot!

#define FRAME_BUFFER_PHYSICAL_ADDRESS 0xA0000 #define BUFFER_SIZE 0x20000

void showMessage()
{
int i;
int *vAddr;
PHYSICAL_ADDRESS pAddr;

pAddr.QuadPart = FRAME_BUFFER_PHYSICAL_ADDRESS;
vAddr = (int *)MmMapIoSpace(pAddr, BUFFER_SIZE, MmNonCached);
KdPrint((“Virtual address is %p”, vAddr));

for(i = 0; i < BUFFER_SIZE / 4; i++)
{
vAddr[i] = 0x11223344;
}

for(i = 0; i < 0x80; i++)
{
KdPrint((“Value: %d”, vAddr[i])); // output are all zero
}
MmUnmapIoSpace(vAddr, BUFFER_SIZE);
}

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

And why do you think this message is “secret”? I believe Print Screen
captures the pixels in the display buffer (how you arrived at the magical
address 0xA0000 escapes me), and before you try to do something this
weird, you need to think about the implications in terms of invalidating
user’s application windows.

I used to program VGA cards by writing to the video frame buffer, but that
was in 1989. And while some systems may support backward compatibility to
VGA hardware, Windows makes no pretension to do so.

I suspect that once you get this working I could write a “capture secret
message” program in less than an hour, possibly in under ten minutes,
proving that what you have accomplished has been a waste of time. So what
you get to do is spend a lot of time screwing up the end-user’s system,
violating all kinds of abstractions, and get nothing useful as a result.

It would be a lot more useful if you asked how to solve the problem,
instead of asking how to implement a foolishly naive and dangerous
non-solution. Note that it may not be possible at all, but the current
idea is not viable.
joe

Actually my driver wants to show the secret message on the screen, telling
the user that the protection starts. And i also want the user space
application cant get this message in case that the application can fake
this message.
My senior has successfully display the message with Linux, and the
physical address he use is 0xA0000. I have checked the physical address of
my graphics with device manager, and i discovered that it has 4 memory
regions, one region is 0xA0000~0xBFFFF.
By the way, do you have any suggestions on how to do this? I only want to
display the secret message on the screen in the kernel space, the user
space can’t get this information.

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks for all your answers, I think I should try another way to do it.
My requirement is the kernel contains the secret message, after the user actives my driver, the user can see the message, while the content of the message can’t be retrieved by the user space application.
Anyone has good suggestions? Thanks.

On 3/15/2012 6:09 AM, xxxxx@gmail.com wrote:

My requirement is the kernel contains the secret message, after the user actives my driver, the user can see the message, while the content of the message can’t be retrieved by the user space application.
Anyone has good suggestions? Thanks.

Design an external device that gets a PK-encrypted message, deciphers it
with its private, secret key and displays it in plaintext on an external
screen.
Anything you do inside windows address space can be grabbed by user-mode
or kernel-mode components.

The most you can do is to have a usermode service, the service will need to open the current local window station, call CreateDesktop, make it current desktop, and draw your message on it. These bits CANNOT be grabbed by any other user-privilege application.

On 15-Mar-2012 19:04, xxxxx@broadcom.com wrote:

These bits CANNOT be grabbed by any other user-privilege application.

Unless there are exploits that allow reading kernel memory (something
like what Mr. Bassov proudly demonstrated long ago
A hypervisor is a better place to display the secret GUI.

– pa

/* am looking at the virtualcomputer’s NxTop… unfortunately
it requires a VT capable host but I have none free. the damned economy. */

Pavel A wrote:

On 15-Mar-2012 19:04, xxxxx@broadcom.com wrote:
> These bits CANNOT be grabbed by any other user-privilege application.
Unless there are exploits that allow reading kernel memory (something
like what Mr. Bassov proudly demonstrated long ago
A hypervisor is a better place to display the secret GUI.

Come now, you’re just being silly. You’ve taken what is clearly a
poorly-researched conclusion derived from an ill-defined requirement,
and assumed to the extreme that the requirement must be implemented
exactly as stated. This answer is not helpful.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Note that the behavior of this will resemble what happens when you hit
Ctrl-Alt-Del when logged in. The whole screen changes, and then you have
the option of dismissing the screen. This seems a bit more intrusive than
the subtle response the OP seemed to want, which I believe is impossible
to achieve.

Can a service create a desktop in Vista+? I thought user interfaces to
services were deprecated in Vista.

People who write requirements should understand something about the
technology necessary to implement a solution that meets the requirements.
Too often (such as in this case) the requirements are incompatible with
any known form of reality the rest of us know.

In a famous story of the late 1960s, one academic researcher was in the
habit of doing off-the-wall p-baked (p < 0.1) ideas, and telling his
students, “We’ve got the design. The rest is just details of
implementation”. One day, he discovered that his grant was at risk unless
he appeared to defend it in Washington DC that day (this was in the days
before email, and apparently the letter had been delayed). “How am I
going to get to Washington by this afternoon?” he anguished. One of his
students said, “Just turn yourself into a bird and fly there.” The
researcher responded “That’s the most stupid f****** idea I’ve ever
heard!” to which the student replied, “Hey, I’ve got the design; the rest
is just a detail of implementation.”
joe

The most you can do is to have a usermode service, the service will need
to open the current local window station, call CreateDesktop, make it
current desktop, and draw your message on it. These bits CANNOT be grabbed
by any other user-privilege application.

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

People who write requirements should understand something about the
technology necessary to implement a solution that meets the requirements.
Too often (such as in this case) the requirements are incompatible with any
known form of reality the rest of us know.

+1

And yet our role in that process [as engineers on the receiving side] is to
negotiate those requirements and push back until an intersection with
reality is achieved. Recently I find that a growing population on the
‘receiving’ side of those requirements have an equally deficient
understanding of where that reality starts & ends on today’s commercially
significant platforms.

Dave Cattley

Dave,

They have either a deficient understanding of reality, or else they
take the attitude “We can’t contradict the boss or client”. Lately a
few companies I know of have used ridiculous requirements in screening
(either job applicants or consulting firms) and are horrified at the
number of idiots who claim to be kernel developers who say “sure we can
do that”.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“David R. Cattley” wrote in message
news:xxxxx@ntdev:

>
> People who write requirements should understand something about the
> technology necessary to implement a solution that meets the requirements.
> Too often (such as in this case) the requirements are incompatible with any
> known form of reality the rest of us know.
>
>
> +1
>
> And yet our role in that process [as engineers on the receiving side] is to
> negotiate those requirements and push back until an intersection with
> reality is achieved. Recently I find that a growing population on the
> ‘receiving’ side of those requirements have an equally deficient
> understanding of where that reality starts & ends on today’s commercially
> significant platforms.
>
> Dave Cattley

Which leads to the question of how many of those “sure, we can do that”
people end up posting here some of those insane “how do I implement the
optimum chord of a pig’s wing?” questions we get here…
joe

Dave,

They have either a deficient understanding of reality, or else they
take the attitude “We can’t contradict the boss or client”. Lately a
few companies I know of have used ridiculous requirements in screening
(either job applicants or consulting firms) and are horrified at the
number of idiots who claim to be kernel developers who say “sure we can
do that”.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“David R. Cattley” wrote in message
> news:xxxxx@ntdev:
>
>>
>> People who write requirements should understand something about the
>> technology necessary to implement a solution that meets the
>> requirements.
>> Too often (such as in this case) the requirements are incompatible with
>> any
>> known form of reality the rest of us know.
>>
>>
>> +1
>>
>> And yet our role in that process [as engineers on the receiving side] is
>> to
>> negotiate those requirements and push back until an intersection with
>> reality is achieved. Recently I find that a growing population on the
>> ‘receiving’ side of those requirements have an equally deficient
>> understanding of where that reality starts & ends on today’s
>> commercially
>> significant platforms.
>>
>> Dave Cattley
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Well I know of a case where I told a potential client that what they
wanted could not be done. They told me I was a lousy consultant since
they had multiple firms assure them they had done this and so the client
choose “an experienced consultant”. Within a few weeks we saw desperate
pleas for help with exactly the project description I had rejected. I
believe they soaked the client for a decent amount and walked.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@flounder.com” wrote in message
news:xxxxx@ntdev:

> Which leads to the question of how many of those “sure, we can do that”
> people end up posting here some of those insane “how do I implement the
> optimum chord of a pig’s wing?” questions we get here…
> joe
>
> > Dave,
> >
> > They have either a deficient understanding of reality, or else they
> > take the attitude “We can’t contradict the boss or client”. Lately a
> > few companies I know of have used ridiculous requirements in screening
> > (either job applicants or consulting firms) and are horrified at the
> > number of idiots who claim to be kernel developers who say “sure we can
> > do that”.
> >
> >
> > Don Burn
> > Windows Filesystem and Driver Consulting
> > Website: http://www.windrvr.com
> > Blog: http://msmvps.com/blogs/WinDrvr
> >
> >
> >
> >
> > “David R. Cattley” wrote in message
> > news:xxxxx@ntdev:
> >
> >>
> >> People who write requirements should understand something about the
> >> technology necessary to implement a solution that meets the
> >> requirements.
> >> Too often (such as in this case) the requirements are incompatible with
> >> any
> >> known form of reality the rest of us know.
> >>
> >>
> >> +1
> >>
> >> And yet our role in that process [as engineers on the receiving side] is
> >> to
> >> negotiate those requirements and push back until an intersection with
> >> reality is achieved. Recently I find that a growing population on the
> >> ‘receiving’ side of those requirements have an equally deficient
> >> understanding of where that reality starts & ends on today’s
> >> commercially
> >> significant platforms.
> >>
> >> Dave Cattley
> >
> >
> > —
> > NTDEV is sponsored by OSR
> >
> > For our schedule of WDF, WDM, debugging and other seminars visit:
> > http://www.osr.com/seminars
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > http://www.osronline.com/page.cfm?name=ListServer
> >

>Can a service create a desktop in Vista+? I thought user interfaces to
services were deprecated in Vista.

All services are running inside a terminal session separate from all applications. But a service can create a process into another TS.