7

Apparently, the EASEUS Partition Master program can display graphics before the Windows GUI starts (i.e., it runs at the same time CheckDisk runs at boot).

What I already know:

  1. This might require not-very-well-documented functions. That's fine with me.

  2. I already know how to compile native NT executables, so feel free to omit that from responses.

Questions:

  1. How can you display graphics before everything has started up? (i.e. What functions/libraries do you use?)

  2. How does it display formatted and aligned text on the screen?
    I know NtDisplayString is capable of writing text, but it can't draw things in a formatted manner, as you can see below. What function(s) do you use to replicate the behavior below?

Screenshot

user541686
  • The only graphics I see in that picture are VirtualBox, the rest can be done using line and box characters in the extended ASCII character set. – Ben Voigt Jun 04 '11 at 23:37
  • @Ben: How do you do a blue pixel followed by a white pixel followed by a black pixel followed by a gray pixel, just with extended ASCII characters? (See the progress bar's borders.) Aren't the fonts a bit bigger than that? – user541686 Jun 04 '11 at 23:45
  • @Mehrdad: If it is done with extended ASCII, most likely the progress bar outline would be dark blue, same as the progress bar itself. I don't think I could tell the difference on your screenshot. I think you're right that this image isn't just text, but text could give you all those graphic elements with a similar look, even if not identical. – Ben Voigt Jun 05 '11 at 00:05
  • @Ben: Well, there's still another issue, even if I ignored that: How do you move the cursor up? You can move it *left* by printing backspaces or `\r` using `NtDisplayString`, but they're definitely using a different method for printing things to different parts of the screen. – user541686 Jun 05 '11 at 00:07
  • @Mehrdad: IIRC, boot-time chkdsk even displays in graphical mode on recent versions of Windows. – Ben Voigt Jun 05 '11 at 00:11
  • @Ben: I guess I can't tell if it's *actually* text mode or not, but let's say it's graphics mode. *How* do you draw something that way? – user541686 Jun 05 '11 at 00:24
  • I have to agree with @BenVoigt, given what I know about how the VGA text mode characters can be manipulated, I think this is entirely within the realm of possibility without requiring classic graphics mode. And besides, `NtDisplayString` would be just one way, given the privileges with which such a program would be running (TCB) it's conceivable that it places the graphics card into a predefined text mode and writes directly to the buffers of the graphics card in text mode. When I was reverse engineering a similar program 15 years ago this seemed to be the case. `NtDisplayString` is sloooow... – 0xC0000022L Oct 27 '18 at 19:44

2 Answers

6

I feel kind of silly answering my own question right now, but Ben's hints helped me figure it out:

It's using a driver, which in turn uses these functions in BootVid.dll:

    VidBufferToScreenBlt
    VidScreenToBufferBlt
    VidBitBlt

user541686
  • You can probably work out the resolution being used by looking at virtualbox - it's probably going to be something standard like 640x480 or 800x600. Writing some code that outputs a single line of bytes will help you work out the width, and by trying different values, you can probably work out the organization of the pixels as well (I would do all of this in virtualbox). – Stuart Axon Jan 08 '19 at 15:46
0

Perhaps it's using low-level VGA calls to switch to graphics mode and manipulate video memory.

Neil
  • Whoa really?! So you think it might not be using OS features at all? – user541686 Jun 04 '11 at 22:53
  • Actually, I really doubt that's the case -- they're using the same font and resolution as Windows, so doubt that's actually happening. – user541686 Jun 05 '11 at 00:07
  • @Mehrdad: Maybe it's using whatever calls windows uses for the graphical loading screen (which appears before boot-time chkdsk, and has been around since Win2000). It isn't using the usual graphics drivers, since those can't load without locking the system partition (registry mounted read-write and all that). – Ben Voigt Jun 05 '11 at 00:09
  • @Ben: That's likely, but what *are* those calls? Which DLLs are they in, and which functions are they? – user541686 Jun 05 '11 at 00:10
  • @Mehrdad: Have you run the file through dependency walker? – Ben Voigt Jun 05 '11 at 00:12
  • @Mehrdad: Why do they need to be exported from a DLL? Could be opening a device handle and using IOCTLs, could be using the `syscall` instruction. – Ben Voigt Jun 05 '11 at 00:19
  • @Ben: I can't figure out what the code does -- the disassembly seems to have errors in it. All I see is that the DLL is named `EuEpmGdi.dll`, but I can't figure out what it's doing -- other than the fact that I don't see anything other than `NTDLL` imported, with the only relevant function being `ZwDisplayString`. (Edit: I also see `NtLoadDriver`... maybe it's loading a driver...) – user541686 Jun 05 '11 at 00:26
  • @Ben: Actually, I figured it out, see my own answer. :-) – user541686 Jun 05 '11 at 00:30
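
The import check discussed in the comments above (an image that imports only from `NTDLL`, including `ZwDisplayString` and `NtLoadDriver`) can be scripted when triaging a boot-time native executable. This is an added example, not code from the thread or from the product discussed; `pe_imports`, `triage` and `constructed_sample` are hypothetical names, and the sample bytes are constructed for the demonstration.

```python
import struct

def _off(secs, rva):                      # RVA -> file offset via the section table
    for vsize, va, rsize, rptr in secs:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA outside all sections")
def _cstr(d, o):
    return d[o:d.index(b"\0", o)].decode("ascii")

def pe_imports(d):
    """Return (subsystem, {dll: [function names]}) for a PE32 or PE32+ image."""
    pe = struct.unpack_from("<I", d, 0x3C)[0]
    if d[:2] != b"MZ" or d[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, optsz, opt = *struct.unpack_from("<H12xH", d, pe + 6), pe + 24
    magic, subsystem = struct.unpack_from("<H66xH", d, opt)
    fmt, step, by_ord, dd = ("<Q", 8, 1 << 63, 112) if magic == 0x20B else ("<I", 4, 1 << 31, 96)
    imp_rva = struct.unpack_from("<I", d, opt + dd + 8)[0]          # data directory entry 1
    secs = [struct.unpack_from("<4I", d, opt + optsz + 40 * i + 8) for i in range(nsec)]
    imports = {}
    for desc in range(_off(secs, imp_rva), len(d) - 19, 20) if imp_rva else ():
        oft, _, _, name, ft = struct.unpack_from("<5I", d, desc)
        if not name:                      # all-zero descriptor ends the table
            break
        funcs, thunk = [], _off(secs, oft or ft)
        while t := struct.unpack_from(fmt, d, thunk)[0]:
            funcs.append(f"#{t & 0xFFFF}" if t & by_ord else _cstr(d, _off(secs, t) + 2))
            thunk += step
        imports[_cstr(d, _off(secs, name)).lower()] = funcs
    return subsystem, imports

def triage(d):
    """Flags for what the thread found: native subsystem, ntdll-only imports, driver load."""
    subsystem, imports = pe_imports(d)
    names = {n for funcs in imports.values() for n in funcs}
    return {"native": subsystem == 1, "ntdll_only": set(imports) == {"ntdll.dll"},
            "loads_driver": bool(names & {"NtLoadDriver", "ZwLoadDriver"})}

def constructed_sample(base=0x1000):
    """Constructed PE32 for this demo (not a real binary): native, two ntdll imports."""
    blob = struct.pack("<5I20x3I", base + 40, 0, 0, base + 52, base + 40, base + 62, base + 80, 0)
    blob += b"ntdll.dll\0" + b"\0\0ZwDisplayString\0" + b"\0\0NtLoadDriver\0"
    h = bytearray(0x200)                  # headers; section raw data starts at 0x200
    h[:2], h[0x3C], h[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"
    struct.pack_into("<HH12xH", h, 0x44, 0x14C, 1, 0xE0)            # i386, 1 section
    struct.pack_into("<H66xH34xII", h, 0x58, 0x10B, 1, base, 40)    # magic, subsystem, imports
    struct.pack_into("<4I", h, 0x140, len(blob), base, len(blob), 0x200)
    return bytes(h) + blob
```

All three flags set on a file registered to run at boot means its visible imports understate what it does, and the driver it loads is the next thing to examine.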