PCI device DMA

I was referring to the documentation provided by OS vendors.

Yes, LDD3 is very nice book. It helped me porting drivers between Windows
and Linux.

On Wed, May 29, 2013 at 12:03 PM, wrote:

> > Well, take a look at the online DDK documentation
> > http://msdn.microsoft.com/en-us/library/windows/hardware/ff557573(v=vs.85).aspx
> > It’s the best available documentation for host OS driver developers.
> > The second best I had used is Solaris man pages section 9 many years ago.
> > Linux and BSDs don’t have document for drivers AFAIK.
> thx, what about ldd3. It’s a really short guide, but well written.
> http://free-electrons.com/doc/books/ldd3.pdf
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

the guard wrote:

I don’t care if someone is doing a screenshot. I want to do a
screenshot myself! I’m going to save that screenshot on the
filesystem. If the player is suspected in cheating he will be asked
to upload a screenshot which will resolve the matter.

Sure it will. What if the cheater has a second computer, which you can’t possibly know even exists, and is using it to snoop on the game’s UDP traffic? Same effective result as the wallhack on your website; the cheater could be displaying the coordinates/location and health/weapons/readiness of all the other players in real time on the second computer and there’s no way you could possibly know. Sorry, don’t think you’re going to solve anything this way.

(Joe Newcomer-style anecdote: back in the day, Quake1 used to tell you the IP addresses of all the other players on the server in response to a certain console command [I forget which one]. As a teenager I got a big kick out of finding a player I wanted to annoy, grabbing their IP address from the server, and then ping flooding them out of existence while their soldier suddenly developed a bad case of Parkinson’s…)

> Sure it will. What if the cheater has a second computer, which you can’t possibly know even exists,
> and is using it to snoop on the game’s UDP traffic? Same effective result as the wallhack on your
> website; the cheater could be displaying the coordinates/location and health/weapons/readiness of all
> the other players in real time on the second computer and there’s no way you could possibly know.

OMG. Have you ever played fps??? It’s all useless displayed on a separate monitor. There are other blanks in your story.

> Sorry, don’t think you’re going to solve anything this way.

My task is not to eradicate cheaters, it’s to write a driver that takes a screenshot.

> My task is not to eradicate cheaters, it’s to write a driver that takes a screenshot.

No, your task is to eradicate cheaters. :slight_smile: BTW, cheaters can use second video card on the same machine to display the extra items.

Digital signatures on the game binaries would solve all of this.

As about screenshots: sorry, but MS have forgotten to implement the native supported way of making D3D screenshots. There is no OS-provided mechanisms.

So, you’re on your own, and will probably need hooking yourself to dxgkrnl (to stuff like VidPNs and such), probably to particular video chip drivers (one solution for ATI, another for nVidia, another for Intel) and so on.

Probably this solution will require updates on new release of Catalyst/Detonator.

And, for sure, there will be 2 solutions - one XP, another Vista+, since D3D internals were totally reworked between NT5 and NT6.

DMA is just plain funny. First, the DMA engine of the video card is fully controlled by the driver, so, if you will meddle with it, you will ruin the driver’s work.

Second, even if you will copy the whole VRAM - how will you know where is the primary display surface there?

What you need is just to get the DDraw surface which is the current primary display. Then, you map it to your process and memcpy() from it (or run libjpeg over it). To get this surface and expose it to user mode, you will probably need to hook into dxgkrnl.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

***********
Experienced driver writers can go on to the next message. This is another
(probably useless) attempt to impart some concept of reality to the OP.
***********

No, the goal of your assignment is vague to the point of uselessness.
There is zero value in doing a screenshot from the kernel just because it
seems like a cool thing to do. There is a reason for doing this. You
have hinted that the larger problem is to detect cheaters. As already
pointed out, there are so many ways to fake this out that software to game
it will appear within days. A friend of mine is fond of saying, “This
makes the game a real bargain. You get two games for the price of one.”

There are few projects sillier than those that have as an overall goal,
“If I could just do X, I will solve all problems
with our product”. The value of X changes, the purpose changes, and the
result is
A piece of software that fails to accomplish the task
A piece of software that interferes with legitimate use
A piece of software that is a Denial-of-Service attack
A piece of software that gives the illusion that it has met its
design goal, but can be defeated in a few days by a savvy 12-year-old
A piece of software whose intrinsic failures can be spotted by the
experts in this list before they’ve even finished reading your post
A piece of software that creates a back door for malware (e.g., the
Sony debacle)
A piece of software indistinguishable from malware
All of the above

This is why we keep asking newbies, “What problem are you trying to
solve?” In any real OS, there are many problems whose solutions are so
far from anything the OS can support that they cannot be implemented;
there are those that might work if you spend enough time and money on
them; there are those that work perfectly, but have nothing to do with
solving the problem; there are problems so complex that they cannot be
solved at all; and there are those so complex that they can be solved, but
not in a time frame that is less than the Heat Death of the Universe.
Those of us with decades of experience can usually detect if the OP is
proposing a solution that can’t work. We aren’t trying to be obnoxious
and discourage people from getting enough experience to Join Our Hallowed
Ranks, to keep people “Out of the club”, but if we were a swim club and
someone proposed to swim across the North Atlantic, or even don a hardsuit
and walk across, we’d point out all the potential failures, such as
hypothermia, nitrogen narcosis, oxygen toxicity (did you know that pure
oxygen under high pressure will kill you?), etc. Same here. If your goal
is to see an Opera in New York or London (depending upon what side you are
starting on), somebody might suggest that a ship or airplane is a better
choice. If price is no object the Concorde is the best choice
(wait…support for that was discontinued several releases back…)

The goal is to help you (and your employer) from wasting resources to
solve impossible problems. It’s in your best interest to pay attention;
what do you think your performance review is going to look like a year from
now when you have still not delivered the impossible solution? Or
shipping dates have slipped because your impossible solution is in the
critical path of product release? Or the company’s reputation when a user
reports how bad your latest release is, causing BSODs, and five hundred
others chime in with a “me, too” response, just because you did not test
what happens when the machine has a MumbleGraph 700Z card (the
ninth-most-used card, popular because, although it is by no means the
fastest, only costs $10.99 at Wal-Mart) installed? Whose job, and whose
product reputation, is on the line here? I can tell you, none of ours.
We aren’t telling you any of this to cover our own asses.

So if your task is just to create a screenshot, go ahead. But don’t be
surprised if this ultimately fails to accomplish the task (“vunce rockets
are up, who cares where they come down? That’s not my department” says
Werner von Braun–google for Tom Lehrer and von Braun; you’ll probably
find a YouTube performance). Don’t rely on the “I was just following
orders” defense to save your job.

Been there, done that, almost. My satisfaction was in being able to say
“I told you so”. As I handed in my resignation and walked out the door.
joe

>>Sure it will. What if the cheater has a second computer, which you can’t
>> possibly know even exists,
>>and is using it to snoop on the game’s UDP traffic? Same effective result
>> as the wallhack on your
>>website; the cheater could be displaying the coordinates/location and
>> health/weapons/readiness of all
>>the other players in real time on the second computer and there’s no way
>> you could possibly know.
>
> OMG. Have you ever played fps??? It’s all useless displayed on a separate
> monitor. There are other blanks in your story.
>
>>Sorry, don’t think you’re going to solve anything this way.
>
> My task is not to eradicate cheaters, it’s to write a driver that takes a
> screenshot.

OK. This has gone way off topic, so
I’m not a politician or an employee. If I ever succeed I don’t really care how this piece of code is
used. To detect cheating/to save the world from aids/ - I don’t really care.

>The goal is to help you (and your employer) from wasting resources to solve impossible problems.

I’m afraid That’s impossible. However you can share relevant driver development knowledge.

The only thing I expect from this affair is knowledge, experience, fun and a big thanks from my
friends (and perhaps code).

Any more suggestions on how this could be done, gentlemen?

btw nice lyrics, Joseph.

You keep waving the concept of “DMA” around as if you think it will
accomplish something. For all practical purposes, it does not exist in the
problem domain you are addressing. So just forget it as being relevant to
your problem.

You are asking for a near-impossible solution. Your best bet would be to
contact the vendors of display cards to provide the support you need.
Trying to roll your own hack seems to be a waste of time. Each of the
ideas I’ve seen you propose are trivial to defeat, and those who produce
the “cheat software” could defeat these solutions without much effort. If
I knew you were doing screen snapshots, and were doing this in
collaboration with display driver vendors, I’d use a text-to-speech
converter and talk to the player. Or I’d develop an external LCD
character display with a USB interface. Or…well, I must admit I thought
long and hard about this, and expended more time typing in my descriptions
than it took to come up with them. Oh, yes, you look for the USB-based
external display, so I build one that plugs into the serial port, or has
an IP address, or…

If I can invent these in under a minute, what do you think someone who
sells “cheats” is going to be able to do?
joe

>What, exactly, are you really trying to do? You’ve already dragged us
> down two different rat holes >by asking questions that are not actually
> relevant to your problem.

Hi. Thanks for answering.
Let me start from the beginning.
As you may know, there are a lot of 3d multiplayer games out there, and a
lot of cheaters.
Cheats are becoming more sophisticated and I’m fighting those cheats
(cracks ) that allow the player to see what they actually shouldn’t be
able to see. To determine what they see and what they
don’t we usually take a screenshot. Those cracks however can track the
moment when the screenshot is taken and cease operating for a moment.

My job is to take a screenshot the lowest possible way in ring0.

At first I wanted to map video framebuffer by sending a corresponding
ioctl, but someone told me
that I can’t get resources in kernel that easily.
Assuming that there’s a physical framebuffer (area of memory of the video
card) I thought that
I could get it through dma. It’s not a good idea if you don’t know the
place where the framebuffer starts because modern video cards can have up
to 1gb of memory, but it’s the only one I have
after weeks of googling.
And correct me if I’m wrong, but windows driver development is poorly
documented. That’s why I
decided to ask real people.



xxxxx@mail.ru wrote:

The only thing I expect from this affair is knowledge, experience, fun and a big thanks from my
friends (and perhaps code).

Any more suggestions on how this could be done, gentlemen?

Several of the posts in this long, rambling thread actually provided you
with a general skeleton on how to do this, including mine. Have you
decided to ignore those?

You need a user-mode app to help you find the virtual address of the
frame buffer. I pointed you toward the APIs to do that. Once you have
that, you can send it into a driver, and that driver can go do an
RtlMoveMemory any time it wants to. It will be up to you to decide WHEN
to do it, but that’s certainly HOW you would do it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks, Tim.

Have you decided to ignore those?

Not yet :stuck_out_tongue:

I’ll read the whole thread again, google a little and try to write some code as soon as I have a couple of days for myself.

without knowing anything more, what I can infer from your posts thus far is
that

  1. this game is provided by a company you do not work for and therefore
    cannot alter;
  2. you do not understand layered driver modes; and
  3. your friends are less sophisticated users than yourself and have
    suggested or approved this kind of solution

If the game software were under your control, then I would suggest that you
research cryptographic technologies. Correctly coded, you can make it
sufficiently hard for a remote machine to guess the right response, that you
can all but preclude the possibility that a hacked version of the game can
be played. And if you can make that assumption, then no effort to discover
what a hacked binary might be displaying to a video card would be relevant.
But given that you suggest that uploading a screen capture file would be
sufficient proof that no tampering has occurred, I think your friends will
be disappointed; either by system crashes or by the one of you who figures
out how to cheat and get away with it first or best

BTW I had to dispel the dreams of someone with a similarly brilliant
suggestion today. They came to me and suggested that a production problem
caused by lack of throughput could be solved by inserting a delay in an IO
procedure to allow other threads a fair chance. Notwithstanding that the
lock was held at the point he suggested, the effect on total throughput
should be self evident. Your proposal is of the same kind in that the
result, assuming you are successful and can capture the whole stream of
video, is still useless unless you have some way of compelling this capture
to be the one submitted. As you can’t, unless you employ cryptographic
techniques, and you don’t need to if you do, then the best you can do is
make the game slower and catch the cheats who aren’t smart enough to do
anything besides download a hack and upload the unmodified video anyway

wrote in message news:xxxxx@ntdev…

OK. This has gone way off topic, so
I’m not a politician or an employee. If I ever succeed I don’t really care
how this piece of code is
used. To detect cheating/to save the world from aids/problem> - I don’t really care.

>The goal is to help you (and your employer) from wasting resources to solve
>impossible problems.

I’m afraid That’s impossible. However you can share relevant driver
development knowledge.

The only thing I expect from this affair is knowledge, experience, fun and a
big thanks from my
friends (and perhaps code).

Any more suggestions on how this could be done, gentlemen?

btw nice lyrics, Joseph.

Determining memory resources this way may result in getting several different memory resources with different addresses and sizes.
How do I say which memory resource do I need?

> Determining memory resources this way may result in getting several different memory resources
> with different addresses and sizes.
> How do I say which memory resource do I need?

Huh! And this is your personal task, my friend :slight_smile:

Hooking, intercepting and monitoring is really this kind of things.

Sorry, but MS have not designed & developed the standard way of accessing the primary display surface. You’re up to your own.

I think that VidPN stuff in dxgkrnl is where the decision on the primary surface is made. Try put some hooks there.

Also note that the internals of 3D graphics in pre-Vista Windows and Vista+ has just plain nothing in common. The video card driver is 100% different, for instance, and talks to different OS modules via different APIs.

So, you will need to repeat all your effort (investigation on how to hook/intercept the 3D stack in Windows) in XP too, not only in Win7.

This is possible. There was a company (DemoForge?) which developed their own full mirror driver support layer for Vista+, given that MS-provided facilities for mirror driver are just plain pathetic in Vista+ (the mirror driver disables Aero to begin with).

So, people have done similar things.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

i think this can be helpful too:
https://www.osronline.com/showthread.cfm?link=223025

xxxxx@mail.ru wrote:

Determining memory resources this way may result in getting several different memory resources with different addresses and sizes.
How do I say which memory resource do I need?

You have to make an assumption. The largest BAR is probably the frame
buffer.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
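
The "largest BAR" assumption from the reply above, as an added example that is not part of the thread or anyone's driver code: it decodes the six base address registers of a PCI function from their programmed values and their size-probe read-backs, then ranks the memory ranges by size. The register values are constructed, and `bar_info`, `decode_bars` and `largest_memory_bar` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
typedef struct {                 /* one decoded BAR (hypothetical helper type) */
    int index, is_io, is_64bit, prefetchable;
    uint64_t base, size;
} bar_info;

/* orig[i]: BAR as programmed; probe[i]: read-back after writing all ones. */
int decode_bars(const uint32_t orig[6], const uint32_t probe[6], bar_info out[6])
{
    int n = 0;
    for (int i = 0; i < 6; i++) {
        if (probe[i] == 0) continue;                 /* BAR not implemented */
        bar_info b = { .index = i, .is_io = orig[i] & 1u };
        if (b.is_io) {                               /* bit 0 set: I/O ports */
            uint32_t mask = (probe[i] & ~0x3u) | 0xFFFF0000u; /* high 16 may read 0 */
            b.base = orig[i] & ~0x3u;
            b.size = (uint32_t)(~mask + 1u);
        } else {                                     /* memory BAR */
            uint64_t mask = 0xFFFFFFFF00000000ull | (probe[i] & ~0xFu);
            b.prefetchable = (orig[i] >> 3) & 1u;
            b.base = orig[i] & ~0xFu;
            if (((orig[i] >> 1) & 3u) == 2u && i < 5) {   /* type 10b: 64-bit */
                b.is_64bit = 1;
                mask = ((uint64_t)probe[i + 1] << 32) | (probe[i] & ~0xFu);
                b.base |= (uint64_t)orig[i + 1] << 32;
                i++;                                 /* upper half lives in next slot */
            }
            b.size = ~mask + 1;
        }
        out[n++] = b;
    }
    return n;                                        /* number of BARs decoded */
}

/* Heuristic from the thread: the largest memory BAR is probably the frame buffer. */
const bar_info *largest_memory_bar(const bar_info *bars, int n)
{
    const bar_info *best = NULL;
    for (int i = 0; i < n; i++)
        if (!bars[i].is_io && (!best || bars[i].size > best->size)) best = &bars[i];
    return best;
}

/* Constructed register values for an imaginary display adapter. */
static const uint32_t SAMPLE_ORIG[6]  = { 0xF6000000, 0xE000000C, 0, 0xF000000C, 0, 0x0000E001 };
static const uint32_t SAMPLE_PROBE[6] = { 0xFF000000, 0xF000000C, 0xFFFFFFFF, 0xFE00000C, 0xFFFFFFFF, 0x0000FF81 };

int main(void)
{
    bar_info bars[6];
    const bar_info *fb = largest_memory_bar(bars, decode_bars(SAMPLE_ORIG, SAMPLE_PROBE, bars));
    if (fb) printf("guess: BAR%d, %llu MiB\n", fb->index, (unsigned long long)(fb->size >> 20));
    return 0;
}
```

A 64-bit BAR occupies two register slots, so the six constructed registers yield four resources; the size ranking is still only the assumption the reply describes.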