
Damnation

Member
  • Posts: 826
  • Joined
  • Last visited
  • Days Won: 3
  • Donations: 0.00 USD
  • Country: Australia

Damnation last won the day on April 13 2022

Damnation had the most liked content!

4 Followers

Profile Information

  • OS
    Windows 10 x64


Damnation's Achievements

Reputation: 186

  1. @reboot12 Are you going to be putting everything you've worked on into a WIM image for easy UEFI 64bit installation? You could probably use something like Universal NT Installer to apply the image, but getting the UEFI boot part working might need some additional script of some sort.
  2. @UsefulAGKHelper Best to start over again with a fresh, unmodified source code tree and reapply the patches over again then.
  3. @modnar I've heard that the SP2 version of fltmgr.sys apparently still works just fine.
  4. @sk9392 You can comment out the KeBugCheckEx(0xDEADBEEFL parts of the ntoskrnl extender code to get rid of the DEADBEEF BSODs.
  5. @Dietmar Here's how you might be able to use AI to help you reverse engineer. You'll need 3 tools:
     - pdbripper - https://github.com/horsicq/PDBRipper/releases/tag/2.03
     - relyze disassembler - https://www.relyze.com/download.html (I use relyze because I've found that neither Ghidra nor IDA Pro will let me just copy the assembly code of a single function into a text file or the clipboard.)
     - Lastly, Perplexity AI - https://www.perplexity.ai/

     ---

     OK, let's pick a sizable function from the Netwtn04.sys file using the PDB symbols we have; let's go with oscWfdeSetPreferredOperatingChannel. Using relyze, oscWfdeSetPreferredOperatingChannel is defined as this:

         int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )

     We will need to get the struct definitions for MINIPORT_CONTEXT and OID_EVENT_DATA for Perplexity AI to use, or it'll bul***** its way through with hallucinations, so this is what pdbripper is for. Using pdbripper we can get this for struct definitions:

         struct _MINIPORT_CONTEXT {
             void * hMiniportAdapterHandle;
             void * hWrapperConfigContext;
             void * hNdisMiniportDmaHandle;
             struct _FLOW_PROCESSOR * pHmacFlowProcessor;
             struct _FLOW_PROCESSOR * pMmacFlowProcessor;
             struct _JOB_SCHEDULER_DATA * pJobScheduler;
             long numWorkitemsRunningWithoutJobSched;
             void * pOsc;
             struct _ALON_CONTEXT * pAlonContext;
             struct _MLME_SUBSYSTEM * pMlmeSubSystem;
             struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
             struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
             void * pUmacContext;
             struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
             struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
             long version;
             long productVersion;
             enum _MINIPORT_STATE uNdisMiniportState;
             struct _SpinlockR NdisMiniportStateLock;
             struct _SpinlockR NdisMiniportSendPacketLock;
             struct _SpinlockR contextLock;
             unsigned char bIsInMPInitialize;
             long bMiniportInitiatedHandshake;
             struct _MINIPORT_RESET_CONTEXT miniportReset;
             struct _DOT11_MIB_CONTEXT dot11Mib;
             struct _MIB_TABLE * pMib;
             struct _DATA_PATH_CONTEXT * pDataPathContext;
             void * pDeviceContext;
             enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
             union _LARGE_INTEGER lastOsScanTime;
             struct _MEMORY_MANAGER memoryManager;
             class CheckForHang * pCheckForHang;
             int doesUmacRunInHost;
             struct _XVT_CONTEXT * pXvtContext;
             int bXvtProxyModeEnabled;
             struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
             int isWdi;
             int bWdiOffloadMode;
             int bRestartPending;
             int bMacAddressRandomizationEnabled;
         };

         struct _OID_EVENT_DATA {
             unsigned long oid;
             void * pInfoBuffer;
             unsigned long infoBufferLen;
             unsigned long methodOutputBufferLen;
             unsigned long * pBytesUsed;
             unsigned long * pMethodBytesWritten;
             unsigned long * pBytesNeeded;
             unsigned short opCode;
             unsigned long portNumber;
             struct _NDIS_OID_REQUEST * pNdisOidRequest;
         };

     Then, in relyze we right click inside the oscWfdeSetPreferredOperatingChannel disassembly window and select Export -> To Clipboard (Function). We now write a prompt for Perplexity AI.

     ---

     Using the following struct definitions -

         struct _MINIPORT_CONTEXT {
             void * hMiniportAdapterHandle;
             void * hWrapperConfigContext;
             void * hNdisMiniportDmaHandle;
             struct _FLOW_PROCESSOR * pHmacFlowProcessor;
             struct _FLOW_PROCESSOR * pMmacFlowProcessor;
             struct _JOB_SCHEDULER_DATA * pJobScheduler;
             long numWorkitemsRunningWithoutJobSched;
             void * pOsc;
             struct _ALON_CONTEXT * pAlonContext;
             struct _MLME_SUBSYSTEM * pMlmeSubSystem;
             struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
             struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
             void * pUmacContext;
             struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
             struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
             long version;
             long productVersion;
             enum _MINIPORT_STATE uNdisMiniportState;
             struct _SpinlockR NdisMiniportStateLock;
             struct _SpinlockR NdisMiniportSendPacketLock;
             struct _SpinlockR contextLock;
             unsigned char bIsInMPInitialize;
             long bMiniportInitiatedHandshake;
             struct _MINIPORT_RESET_CONTEXT miniportReset;
             struct _DOT11_MIB_CONTEXT dot11Mib;
             struct _MIB_TABLE * pMib;
             struct _DATA_PATH_CONTEXT * pDataPathContext;
             void * pDeviceContext;
             enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
             union _LARGE_INTEGER lastOsScanTime;
             struct _MEMORY_MANAGER memoryManager;
             class CheckForHang * pCheckForHang;
             int doesUmacRunInHost;
             struct _XVT_CONTEXT * pXvtContext;
             int bXvtProxyModeEnabled;
             struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
             int isWdi;
             int bWdiOffloadMode;
             int bRestartPending;
             int bMacAddressRandomizationEnabled;
         };

         struct _OID_EVENT_DATA {
             unsigned long oid;
             void * pInfoBuffer;
             unsigned long infoBufferLen;
             unsigned long methodOutputBufferLen;
             unsigned long * pBytesUsed;
             unsigned long * pMethodBytesWritten;
             unsigned long * pBytesNeeded;
             unsigned short opCode;
             unsigned long portNumber;
             struct _NDIS_OID_REQUEST * pNdisOidRequest;
         };

     Convert the following x86 assembly into human readable C code -

         int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )
         {
             push ebp
             mov ebp, esp
             push edi
             mov edi, dword ptr [pMpContext]
             test edi, edi
             jnz code_0x4235
         code_0x422B:
             mov eax, 0xE0020001
             pop edi
             pop ebp
             ret 0x8
         code_0x4235:
             push ebx
             push esi
             mov esi, dword ptr [pOid]
             mov ebx, dword ptr [esi+0x4]
             test ebx, ebx
             jnz code_0x424D
         code_0x4241:
             pop esi
             pop ebx
             mov eax, 0xE0020001
             pop edi
             pop ebp
             ret 0x8
         code_0x424D:
             movzx eax, word ptr [esi+0x1C]
             mov ecx, 0x5
             cmp cx, ax
             jz code_0x4271
         code_0x425B:
             mov ecx, 0x2
             cmp cx, ax
             jz code_0x4271
         code_0x4265:
             pop esi
             pop ebx
             mov eax, 0xC0000001
             pop edi
             pop ebp
             ret 0x8
         code_0x4271:
             push 0x0
             push 0x8
             push 0xFF10060B
             push esi
             call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
             test eax, eax
             jnz code_0x42E3
         code_0x4284:
             push ebx
             push edi
             call vifMgrGetContext; inline struct _VIF_MGR_CONTEXT * __stdcall( struct _MINIPORT_CONTEXT * pMpCotnext )
             push eax
             call vifMgrChSelSetPreferredOperatingChannel; int32_t __stdcall( struct _VIF_MGR_CONTEXT * pVifMgrContext, struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL * pOpChannelParams )
             mov edi, eax
             test edi, edi
             jz code_0x42D6
         code_0x4297:
             mov ecx, dword ptr [WPP_GLOBAL_Control]
             cmp ecx, va_ptr WPP_GLOBAL_Control
             jz code_0x42D6
         code_0x42A5:
             test byte ptr [ecx+0x530], 0x1
             jz code_0x42D6
         code_0x42AE:
             cmp byte ptr [ecx+0x52D], 0x2
             jb code_0x42D6
         code_0x42B7:
             mov eax, dword ptr [ecx+0x524]
             push va_ptr string_oscWfdeSet; "oscWfdeSetPreferredOperatingChannel"
             push va_ptr WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids
             push 0x3B
             push eax
             mov eax, dword ptr [ecx+0x520]
             push eax
             call WPP_SF_s; void __stdcall( uint64_t Logger, uint16_t id, struct _GUID * TraceGuid, char * _a1 )
         code_0x42D6:
             push edi
             push 0x0
             push 0x8
             push esi
             call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
             mov eax, edi
         code_0x42E3:
             pop esi
             pop ebx
             pop edi
             pop ebp
             ret 0x8
         }

     ---

     Perplexity AI gave me this answer.

         int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT *pMpContext, struct _OID_EVENT_DATA *pOid)
         {
             int32_t status;
             struct _VIF_MGR_CONTEXT *vifCtx;
             struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *params;

             // Validate inputs
             if (pMpContext == NULL)
                 return 0xE0020001;
             if (pOid == NULL || pOid->pInfoBuffer == NULL)
                 return 0xE0020001;

             // Validate opcode (must be 2 or 5)
             if (pOid->opCode != 2 && pOid->opCode != 5)
                 return 0xC0000001;

             // Validate OID + buffer lengths
             status = OidEventHandlerPrologCommon( pOid, 0xFF10060B, 8, 0 );
             if (status != 0)
                 return status;

             // Extract input buffer
             params = (struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *)pOid->pInfoBuffer;

             // Get VIF manager context and set preferred channel
             vifCtx = vifMgrGetContext(pMpContext);
             status = vifMgrChSelSetPreferredOperatingChannel(vifCtx, params);

             // Logging (WPP)
             if (status != 0) {
                 if (WPP_GLOBAL_Control != NULL &&
                     (WPP_GLOBAL_Control->Flags[0x530] & 0x1) &&
                     WPP_GLOBAL_Control->Level >= 2) {
                     WPP_SF_s( WPP_GLOBAL_Control->Logger, 0x3B, &WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids, "oscWfdeSetPreferredOperatingChannel" );
                 }
             }

             // Complete OID handling
             OidEventHandlerEpilog( pOid,
                                    0, // bytesRead
                                    8, // bytesWritten
                                    status );

             return status;
         }

     https://www.perplexity.ai/search/using-the-following-struct-def-iH1rN.zcSMaVPiFOgI5RlA

     @Dietmar Do you find this helpful?
  6. @Dietmar here is the intel wifi driver with private symbols. https://buzzheavier.com/qra6oddo79o8 I've basically got a whole windows 10 beta build with private symbols for everything in the OS as far as I can tell. I'll PM you with a link to it, you'll probably find it useful for debugging. edit: I couldn't PM you so I sent you an email.
  7. @Dietmar I do have private symbols for an Intel(R) Dual Band Wireless-AC 7265 driver, are you interested?
  8. I can get an AI to pretty reliably convert assembly back into C code if I have the proper symbols.
  9. @Dietmar Here are some private PDB symbols of Intel and Realtek LAN drivers, in case it might help you with future bugfixing. https://buzzheavier.com/i56b89uu20qa I have more, so if you're looking for anything in particular send me a Device ID and I'll check if I've got something for it.
  10. @reboot12 https://www.upload.ee/files/19163520/KDNET-master-x64-16MAR2026.7z.html
  11. @Dietmar I don't have XP x64 installed. I just wanted to get it compiling for you.
  12. @Dietmar @reboot12 I successfully built an x64 kdstub.dll. Though in kdstub.c there is a warning I disabled:
          #pragma warning (disable : 4717) // kdstub.c(188) : warning C4717: '_KdInitializeLibrary' : recursive on all control paths, function will cause runtime stack overflow
      I wasn't sure how to resolve that. https://buzzheavier.com/risw492dkhzy
  13. @Dietmar regarding reworking Mov Ax DEAD's KDNET to compile for x64, do you think the following would work? Replacing
          __declspec(naked) void KdShutdownController () { __asm jmp dword ptr [KdShutdownController_tramp]; }
      with
          __declspec(noinline) void KdShutdownController(void)
          {
              KdShutdownController_tramp(); // tail call candidate
          }
      and doing this for all the functions that use x86 inline assembly?
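The forwarder pattern asked about in post 13, written out as an added example (not code from the thread or from KDNET). It keeps the names KdShutdownController and KdShutdownController_tramp from the post; that the _tramp slot is a plain function pointer, the shutdown_impl target and the call counter are assumptions made for this demo. The NOINLINE macro maps __declspec(noinline) to the gcc/clang attribute so the same file builds on either toolchain.

```c
/* Added example, not code from the thread or from KDNET: a portable
 * replacement for an x86 "__declspec(naked) ... __asm jmp [slot]" forwarder.
 * KdShutdownController and KdShutdownController_tramp are the names from the
 * post; that the _tramp slot is a plain function pointer, and the target
 * shutdown_impl, are assumptions made for this demo. */
#include <stdio.h>

#if defined(_MSC_VER)
#  define NOINLINE __declspec(noinline)
#else
#  define NOINLINE __attribute__((noinline))   /* gcc/clang spelling */
#endif

typedef void (*KD_SHUTDOWN_FN)(void);

/* Counts how often the real implementation ran, so the forwarder can be checked. */
static int shutdown_calls = 0;

/* Hypothetical implementation that the slot is pointed at by the stub loader. */
static void shutdown_impl(void) { shutdown_calls++; }

/* The indirection slot the naked jmp used to read; filled in at run time. */
KD_SHUTDOWN_FN KdShutdownController_tramp = NULL;

/* Plain C forwarder. It needs no inline asm, so it builds unchanged for x64
 * (where MSVC has no __asm); the compiler is free to emit it as a tail jump,
 * but nothing here relies on that. */
NOINLINE void KdShutdownController(void)
{
    if (KdShutdownController_tramp != NULL)   /* slot not yet patched: do nothing */
        KdShutdownController_tramp();
}

/* Drives the forwarder twice and reports how many times the target really ran. */
int run_trampoline_demo(void)
{
    shutdown_calls = 0;
    KdShutdownController_tramp = shutdown_impl;
    KdShutdownController();
    KdShutdownController();
    return shutdown_calls;   /* 2 */
}

int main(void)
{
    printf("implementation ran %d times\n", run_trampoline_demo());
    return 0;
}
```

One thing the naked jmp gave for free that a C wrapper does not: it forwarded whatever arguments and return address the caller had on the stack without knowing the signature, so one stub shape served every function. A C wrapper must declare the target's exact parameter list, calling convention and return type and pass every argument through; a forwarder with the wrong signature will often appear to work on the happy path and then corrupt the stack or return garbage. Also make sure the symbol the wrapper calls is the data slot and not the wrapper itself, because a function that unconditionally calls its own name is exactly what the compiler reports as recursive on all control paths.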
  14. @Dietmar I thought I'd have another go at trying to get Windows 7 ndis.sys to work on XP, now trying using AI to help reverse engineer assembly into C. This time round I get a 7F 0.0.0.0 Divide by Zero BSOD. If you have time, can you try and find where it's happening in ntoskrn8.sys? https://buzzheavier.com/cy852zg5l602
  15. DisINTx should be disabled in XP I think, since XP isn't using MSI? The DisINTx (Disable Interrupt) bit, located in the PCI Command Register (offset 0x04, bit 10), is used to mask legacy INTx interrupts for PCI/PCIe devices. When set to 1, this bit prevents the device from asserting interrupt lines, which is crucial for managing IRQ sharing and configuring MSI/MSI-X.
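As an added example illustrating post 15 (not code from the thread), this decodes the command register at offset 0x04 of a constructed PCI type-0 configuration header, checks bit 10 (DisINTx), and walks the capability list to see whether the device even advertises MSI or MSI-X. It then applies the post's rule: on an OS that does not use MSI, DisINTx must stay clear or the device has no interrupt path at all. Every byte in the sample header is made up here; nothing is read from real hardware, and the PM/MSI capability offsets 0x50 and 0x60 are arbitrary choices for the demo.

```c
/* Added example, not from the post: decode the PCI command register from a
 * constructed type-0 configuration header and walk the capability list to
 * see whether the device advertises MSI/MSI-X at all. All bytes are made up
 * here for illustration; nothing is read from real hardware. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_SIZE              256
#define PCI_COMMAND           0x04          /* 16-bit command register */
#define PCI_STATUS            0x06          /* 16-bit status register */
#define PCI_CAP_PTR           0x34          /* offset of first capability */
#define PCI_CMD_BUS_MASTER    (1u << 2)
#define PCI_CMD_INTX_DISABLE  (1u << 10)    /* the DisINTx bit from the post */
#define PCI_STATUS_CAP_LIST   (1u << 4)     /* capability list present */
#define PCI_CAP_ID_PM         0x01
#define PCI_CAP_ID_MSI        0x05
#define PCI_CAP_ID_MSIX       0x11

/* Config space is little-endian regardless of host. */
static uint16_t rd16(const uint8_t *cfg, unsigned off)
{
    return (uint16_t)(cfg[off] | ((unsigned)cfg[off + 1] << 8));
}

/* 1 when bit 10 of the command register is set, i.e. legacy INTx is masked. */
int pci_intx_disabled(const uint8_t *cfg)
{
    return (rd16(cfg, PCI_COMMAND) & PCI_CMD_INTX_DISABLE) != 0;
}

/* Follow the capability linked list; 1 if an MSI or MSI-X capability exists.
 * The walk is bounded so a corrupt or looping list cannot hang the caller. */
int pci_has_msi(const uint8_t *cfg)
{
    if (!(rd16(cfg, PCI_STATUS) & PCI_STATUS_CAP_LIST))
        return 0;
    unsigned off = cfg[PCI_CAP_PTR] & 0xFC;
    for (int hops = 0; hops < 48 && off >= 0x40 && off < CFG_SIZE - 1; hops++) {
        uint8_t id = cfg[off];
        if (id == PCI_CAP_ID_MSI || id == PCI_CAP_ID_MSIX)
            return 1;
        off = cfg[off + 1] & 0xFC;   /* next pointer, dword aligned */
    }
    return 0;
}

/* The post's point: on an OS that does not use MSI, DisINTx must stay clear,
 * otherwise the device has no interrupt path at all. Returns 1 if usable. */
int pci_irq_config_ok(const uint8_t *cfg, int os_uses_msi)
{
    if (os_uses_msi && pci_has_msi(cfg))
        return 1;                     /* MSI carries interrupts; INTx state is irrelevant */
    return !pci_intx_disabled(cfg);   /* legacy path must be open */
}

/* Build a constructed header: bus master on, optional DisINTx, optional
 * PM -> MSI capability chain at 0x50 -> 0x60 (offsets chosen for the demo). */
void build_sample_header(uint8_t *cfg, int disintx, int with_msi)
{
    memset(cfg, 0, CFG_SIZE);
    uint16_t cmd = PCI_CMD_BUS_MASTER | (disintx ? PCI_CMD_INTX_DISABLE : 0);
    cfg[PCI_COMMAND]     = (uint8_t)(cmd & 0xFF);
    cfg[PCI_COMMAND + 1] = (uint8_t)(cmd >> 8);
    if (with_msi) {
        cfg[PCI_STATUS]  = PCI_STATUS_CAP_LIST;
        cfg[PCI_CAP_PTR] = 0x50;
        cfg[0x50] = PCI_CAP_ID_PM;  cfg[0x51] = 0x60;   /* PM, next = 0x60 */
        cfg[0x60] = PCI_CAP_ID_MSI; cfg[0x61] = 0x00;   /* MSI, end of list */
    }
}

/* One scenario end to end; returns pci_irq_config_ok() for that device/OS pair. */
int check_scenario(int disintx, int with_msi, int os_uses_msi)
{
    uint8_t cfg[CFG_SIZE];
    build_sample_header(cfg, disintx, with_msi);
    return pci_irq_config_ok(cfg, os_uses_msi);
}

int main(void)
{
    printf("MSI OS, DisINTx=1:       %s\n", check_scenario(1, 1, 1) ? "ok" : "no interrupts");
    printf("INTx-only OS, DisINTx=1: %s\n", check_scenario(1, 1, 0) ? "ok" : "no interrupts");
    printf("INTx-only OS, DisINTx=0: %s\n", check_scenario(0, 0, 0) ? "ok" : "no interrupts");
    return 0;
}
```

The capability walk masks the low two bits of each pointer and caps the hop count, which is the habit to keep when parsing config space handed over by a device or a VM: a malformed next pointer must not turn a diagnostic into an infinite loop.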