Leaderboard

NTOSKRNL Emu_Extender Library of missing functions for Windows XP/2003/Vista/7 NTOSKRNL.EXE Project is intended to help in porting drivers from Windows 7/8/8.1/10 for work with Windows XP/2003/Vista/7 How-To: Compile sources to make ntoskrn8.sys Make corrections to target driver XXX.sys so that it loads ntoskrn8.sys instead of the original ntoskrnl.exe If XXX.sys is driver made for Windows 8, change security_cookie to random value, security_cookie is constant 0x4EE640BB(x32) / 0x32A2DF2D992B(x64) inside file, change only first match ! Place ntoskrn8.sys to X:/Windows/system32/drivers/ folder Compiling: 1) Install Windows 7 DDK v7.1.0 (download from Microsoft site) 1a) Original DDK header files has mistake with definintion of MmAllocateContiguousMemorySpecifyCacheNode, apply fix to two files \WinDDK\Win7\inc\ddk\ntddk.h and \WinDDK\Win7\inc\ddk\wdm.h: replace: #if (NTDDI_VERSION >= NTDDI_WIN2K) typedef ULONG NODE_REQUIREMENT; to: #if (NTDDI_VERSION >= NTDDI_VISTA) typedef ULONG NODE_REQUIREMENT; 2) Download project files to any local folder git clone https://github.com/MovAX0xDEAD/NTOSKRNL_Emu 3) Choose Target OS (XP, 2003, Vista or WIndows 7) for which OS Emu_Extender will be compiled. Keep in mind that depending on the target operating system the way of exporting the functions changes, if a function already exists in the kernel it will be simply redirected without injecting emulation code 4) Run shell: "Start Menu\Programs\Windows Driver Kits\Win7 7600.16385.1\Build Environments\Windows XXX\YYY Free Build Environment" (XXX - target OS, YYY - target CPU) 5) In shell change current directory to local project folder 6) Use shell command BLD to compile project 7) Compiled ntoskrn8.sys will be in ntoskrn8/objfre_XXX_x86/YYY folder STORPORT Windows 7 Emu_Extender This is Library of missing functions for Windows 7' STORPORT.SYS v6.1.7601.23403 to emulate Windows 8' STORPORT.SYS How-To: Compile ntoskrnl Emu_Extender Place storpor8.sys to X:/Windows/system32/drivers/ folder Make corrections to target xxx.sys so that it loads storpor8.sys instead of the original storport.sys Place backported storport.sys from Windows 7 to X:/Windows/system32/drivers/ folder Ported drivers: Windows 7's WDF 1.11 for Windows XP/2003 x32 Last version for Windows XP/2003 is 1.9, but possible to backport 1.11 version: 1) Get files from Windows 7 Updates (KB3125574): WDF01000.SYS v 1.11.9200.20755 WdfLdr.sys v 1.11.9200.16384 2) In WDF01000.SYS replace string ntoskrnl.exe to ntoskrn8.sys in import section 3) Recalc checksum If need coexist with original WDF1.9 drivers: 4) Rename WDF01000.SYS->WDF01_W8.SYS, WdfLdr.sys->WdfLdr8.sys 5) In WDF01_W8.SYS replace string WdfLdr.sys to WdfLdr8.sys in import section 6) In WdfLdr8.sys replace unicode string \Registry\Machine\System\CurrentControlSet\Services\Wdf%02d000 to \Registry\Machine\System\CurrentControlSet\Services\Wdf%02d_w8 7) In WdfLdr8.sys replace hex pattern F6 78 1B F6 to F6 EB 1B F6 (x32), ** ** to ** ** (x64) 8) In target driver XXX.sys replace string "WdfLdr.sys" to "WdfLdr8.sys" in import section 9) In .INF of ported driver add creating new service: AddService=WDF01_W8,, WDF.AddService .... [WDF.AddService] DisplayName = "Windows Driver Framework v1.11 for XP/2003" ServiceType = 1 ; SERVICE_KERNEL_DRIVER StartType = 3 ; SERVICE_DEMAND_START ErrorControl = 1 ; SERVICE_ERROR_NORMAL ServiceBinary = %12%\WDF01_W8.SYS LoadOrderGroup = Base Recalc checksum of all edited *.sys Windows 7's Storport.sys for Windows XP x32 Storport was released since Windows 2003, but possible to backport Windows 7 version: 1) Get files from Windows 7 Updates (KB3125574): storport.sys v 6.1.7600.23403 2) In storport.sys replace string ntoskrnl.exe to ntoskrn8.sys in import section, now storport.sys will import all kernel functions only from Emu_Extender 3) Storport uses MSI interrupts, need to force use only legacy/compatible interrupts x32 - replace hex pattern 8B 8E 3C 01 00 00 to B9 00 00 00 00 90 (mov ecx, [esi+13Ch] -> mov ecx, 0) x64 - replace hex pattern 8B 83 C0 01 00 00 to B8 00 00 00 00 90 (mov eax, [rbx+1C0h] -> mov eax, 0) 4) Recalc checksum Windows 7's NVMe driver for Windows XP x32 1) Get files from Windows 7 Updates (KB3125574): stornvme.sys v 6.1.7600.23403 2) MS Win7 NVMe driver require Win7 Storport.sys, use backported one Windows 8's USB3 driver for Windows XP x32 1) Get required files from Windows 8 (KB4534283/4556840, KB2984005, RTM ISO): ucx01000.sys v6.2.9200.22453 usbhub3.sys v6.2.9200.21180 usbxhci.sys v6.2.9200.22099 wpprecorder.sys v6.2.9200.16384 usbd.sys v6.2.9200.20761 from Vista Beta/Longhorn 5456.5: ksecdd.sys v6.0.5456.5 2) In files ucx01000.sys, usbhub3.sys, usbxhci.sys, wpprecorder.sys, usbd.sys change security_cookie to random value 3) In files ucx01000.sys, usbhub3.sys, usbxhci.sys, ksecdd.sys replace string name "ntoskrnl.exe" to "ntoskrn8.sys' in import section 4) Rename ksecdd.sys->ksecd8.sys, usbd.sys->usbd_w8.sys 5) In usbhub3.sys replace string name "ksecdd.sys" to "ksecd8.sys' in import section 6) In usbhub3.sys replace string name "usbd.sys" to "usbd_w8.sys' in import section, 7) recalc checksum Windows 8’s STORAHCI driver for Windows XP x32 STORAHCI driver requires storport.sys from Windows 8, but possible to use storport.sys v6.1.7601.23403 from Windows 7 Storport.sys from Windows 7 more compatible with Windows XP/2003 because it still call required PoStartNextPowerIrp when processing power IRPs. Microsoft removed calls to PoStartNextPowerIrp in Windows 8's storport.sys, without this call Windows XP/2003 kernel cannot finish current power IRP and start next IRP => it generate BSOD (0x0000009F). Also storport.sys from Windows 7 has compatibility mode to allow old XP/2003 kernels write crashdumps through storport based disk drivers. In storport.sys from Windows 8 compatibility mode was removed, writing crashdumps possible only with new kernels. Take attention: Windows 8's STORAHCI + Windows 7's STORPORT may have significal performance drop and high CPU usage, there is no fix yet 1) Get files from Windows 8 (RTM ISO): storahci.sys v 6.2.9200.16384 2) In storahci.sys replace string storport.sys to ntoskrn8.sys in import section 3) Storahci.sys was compiled with Windows 8 DDK's storport.h and writes values to new fields of _PORT_CONFIGURATION_INFORMATION struct, these fields not exist in Windows 7's storport.sys. Need to skip these writes to avoid damaging other structures in memory x32: Replace hex pattern 83 A6 C8 00 00 00 00 to 90 90 90 90 90 90 90 (and dword ptr [esi+0C8h], 0 -> nop) Replace hex pattern 83 8E CC 00 00 00 03 to 90 90 90 90 90 90 90 (or dword ptr [esi+0CCh], 3 -> nop) x64:Replace hex pattern 44 89 B7 D8 00 00 00 to 90 90 90 90 90 90 90 (mov [rdi+0D8h], r14d -> nop) Replace hex pattern 83 8F DC 00 00 00 03 to 90 90 90 90 90 90 90 (or dword ptr [rdi+0DCh], 3 -> nop) If you want compile storahci from sources (from Windows 8 DDK Samples), comment two lines ConfigInfo->BusResetHoldTime = 0; ConfigInfo->FeatureSupport |= STOR_ADAPTER_FEATURE_STOP_UNIT_DURING_POWER_DOWN; 4) In storahci.sys change security_cookie to random value 5) Recalc checksum Windows 7’s MSAHCI driver for Windows XP x32 1) Get files from Windows 7 Updates(KB3125574): atapi.sys v 6.1.7600.23403 ataport.sys v 6.1.7600.23403 msahci.sys v 6.1.7600.23403 pciidex.sys v 6.1.7600.23403 2) In ataport.sys, pciidex.sys replace string ntoskrnl.exe to ntoskrn8.sys in import section 3) Pciidex.sys uses MS Internal/Undocumented HalDispatchTable way to call functions from Kernel/HAL, for Windows XP/2003 need to use compatible variant: x32: Replace hex pattern FF 50 3C to FF 50 40 same in asm code: mov eax, ds:HalDispatchTable ... call dword ptr [eax+3Ch] => call dword ptr [eax+40h] x64: Replace hex pattern FF 50 78 to EB 2A 90 Replace hex pattern at offset +2Ch: CC CC CC CC CC CC CC CC to FF 90 80 00 00 00 EB CF, same in asm code: mov rax, cs:HalDispatchTable ... call qword ptr [rax+78h] => jmp patch orig: mov r10d, eax patch: call qword ptr [eax+80h] jmp orig 4) Recalc checksum 5) MSHDC.INF from Windows 7 conflict with original mshdc.inf from Windows XP/2003. msahci.sys enumerates IDE/SATA channels as "Internal_IDE_Channel" and compatible ID is "*PNP0600". Original mshdc.inf from Windows XP/2003 for compatible Device ID "*PNP0600" will install wrong "Standard IDE/ESDI Hard Disk Controller" driver Intel RSTe (Enterprise/Premium) AHCI/RAID driver 4.7.0.1098 for Windows XP/2003 Intel RST AHCI/RAID drivers (any version, last compatible is 16.8.3) for Windows XP/2003 These drivers require storport.sys from Windows 7, use backported version. 1) In file iaStorA.sys/iaStorAC.sys/iaStorAVC.sys replace string “ntoskrnl.exe” to “ntoskrn8.sys” in import section (do not change second string “NTOSKRNL.exe”) now these *.sys will import kernel functions only from Emu_Extender 3) Recalc checksum Implemented Func List v60: _chkstk _i64toa_s _i64tow_s _itoa_s _itow_s _ltoa_s _ltow_s _makepath_s _snprintf_s _snscanf_s _snwprintf_s _snwscanf_s _splitpath_s _strnset_s _strset_s _strtoui64 _swprintf _ui64toa_s _ui64tow_s _ultoa_s _ultow_s _vsnprintf_s _vsnwprintf_s _vswprintf _wcsnset_s _wcsset_s _wmakepath_s _wsplitpath_s _wtoi _wtol DbgkLkmdRegisterCallback EmClientQueryRuleState EtwActivityIdControl EtwEventEnabled EtwProviderEnabled EtwRegister EtwRegisterClassicProvider EtwUnregister EtwWrite EtwWriteString EtwWriteTransfer ExAcquireRundownProtectionCacheAware ExAcquireRundownProtectionCacheAwareEx ExAllocateCacheAwareRundownProtection ExDeleteLookasideListEx ExEnterCriticalRegionAndAcquireFastMutexUnsafe ExEnterCriticalRegionAndAcquireResourceExclusive ExEnterCriticalRegionAndAcquireResourceShared ExEnterPriorityRegionAndAcquireResourceExclusive ExEnterPriorityRegionAndAcquireResourceShared ExFreeCacheAwareRundownProtection ExfReleasePushLockShared ExfTryToWakePushLock ExGetFirmwareEnvironmentVariable ExInitializeLookasideListEx ExInitializeRundownProtectionCacheAware ExReInitializeRundownProtectionCacheAware ExReleaseFastMutexUnsafeAndLeaveCriticalRegion ExReleaseResourceAndLeaveCriticalRegion ExReleaseResourceAndLeavePriorityRegion ExReleaseRundownProtectionCacheAware ExReleaseRundownProtectionCacheAwareEx ExRundownCompletedCacheAware ExSetFirmwareEnvironmentVariable ExSizeOfRundownProtectionCacheAware ExWaitForRundownProtectionReleaseCacheAware IoAllocateSfioStreamIdentifier IoConnectInterruptEx IoDisconnectInterruptEx IoFreeSfioStreamIdentifier IoGetActivityIdIrp IoGetAffinityInterrupt IoGetDevicePropertyData IoGetIoPriorityHint IoGetSfioStreamIdentifier IoInitializeWorkItem IoQueueWorkItemEx IoSetActivityIdIrp IoSetDevicePropertyData IoSizeofWorkItem IoUninitializeWorkItem IoUnregisterPlugPlayNotificationEx KdRefreshDebuggerNotPresent KeAcquireGuardedMutex KeAcquireGuardedMutexUnsafe KeAlertThread KeAreAllApcsDisabled KeEnterGuardedRegion KeExpandKernelStackAndCallout KeGetCurrentNodeNumber KeGetCurrentProcessorNumberEx KeGetProcessorIndexFromNumber KeGetProcessorNumberFromIndex KeInitializeGuardedMutex KeInvalidateAllCaches KeInvalidateRangeAllCaches KeLeaveGuardedRegion KeQueryActiveGroupCount KeQueryActiveProcessorCount KeQueryActiveProcessorCountEx KeQueryDpcWatchdogInformation KeQueryGroupAffinity KeQueryHighestNodeNumber KeQueryLogicalProcessorRelationship KeQueryMaximumGroupCount KeQueryMaximumProcessorCount KeQueryMaximumProcessorCountEx KeQueryNodeActiveAffinity KeReleaseGuardedMutex KeReleaseGuardedMutexUnsafe KeRevertToUserAffinityThreadEx KeRevertToUserGroupAffinityThread KeSetActualBasePriorityThread KeSetCoalescableTimer KeSetSystemAffinityThreadEx KeSetSystemGroupAffinityThread KeSetTargetProcessorDpcEx KeTestAlertThread KeTryToAcquireGuardedMutex LdrResFindResource LdrResFindResourceDirectory LpcReplyWaitReplyPort LpcRequestWaitReplyPortEx LpcSendWaitReceivePort memcpy_s memmove_s MmAllocateContiguousMemorySpecifyCacheNode MmAllocateContiguousNodeMemory ObDeleteCapturedInsertInfo ObfDereferenceObjectWithTag ObfReferenceObjectWithTag ObGetObjectType ObQueryNameInfo PcwAddInstance PcwCloseInstance PcwCreateInstance PcwRegister PcwUnregister PoDisableSleepStates PoEndDeviceBusy PoGetSystemWake PoReenableSleepStates PoRegisterPowerSettingCallback PoSetDeviceBusyEx PoSetSystemWake PoStartDeviceBusy PoUnregisterPowerSettingCallback PoUserShutdownInitiated PsAcquireProcessExitSynchronization PsEnterPriorityRegion PsGetCurrentProcessWin32Process PsGetCurrentThreadProcess PsGetCurrentThreadProcessId PsGetCurrentThreadTeb PsGetCurrentThreadWin32Thread PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion PsGetProcessSessionIdEx PsIsProtectedProcess PsIsSystemProcess PsLeavePriorityRegion PsReleaseProcessExitSynchronization PsSetCreateProcessNotifyRoutineEx RtlCheckPortableOperatingSystem RtlGetIntegerAtom RtlGetThreadLangIdByIndex RtlIsNtDdiVersionAvailable RtlQueryElevationFlags RtlQueryRegistryValuesEx RtlSetPortableOperatingSystem SeReportSecurityEventWithSubCategory SeSetAuditParameter SeSetAuthorizationCallbacks sprintf_s sscanf_s strcat_s strcpy_s strncat_s strncpy_s strnlen strtok_s swprintf_s swscanf_s vsprintf_s vswprintf_s wcscat_s wcscpy_s wcsncat_s wcsncpy_s wcsnlen wcstoul ZwAllocateLocallyUniqueId ZwAlpcConnectPort ZwAlpcSendWaitReceivePort ZwQueryLicenseValue ZwQueryVirtualMemory Download Sources https://github.com/MovAX0xDEAD/NTOSKRNL_Emu

I cannot see the reason for the outrage (relative to the Linux WSL, not the one againt Windows 10 which remains a pile of crap). It is an added option, having choices is IMHO always a good thing. jaclaz

Hi there, just to report that with NewMoon, Slack has to be added in about:config, otherwise it gives an error about the browser not being compatible: general.useragent.override.app.slack.com;Mozilla/5.0 (Windows NT 5.1; WOW64; rv:99.9) Gecko/20100101 Firefox/99.9 (Pale Moon) Changing the user agent works like a charm. Cheers, Frank

To restore your virtual device drivers, etc.: Make a copy of the .reg file you exported from the old windows. Open it in Notepad and find&replace the number in ControlSet00x with the one you picked for the new configuration. Save. Import the file into registry. Reboot. Now, there are two scenarios next: 1. everything works - the job is done, nothing more to do. 2. crash, the driver stops working again, or some other problem - reimport the .reg file from the clean windows, split the .reg file from the old windows into small parts and import them one by one (with reboots) until you find which part causes problems.

I added an additional list of malware content: urlhaus-filter (Online Domains) The 3 predefined malware lists don't seem very efficient. "Malware Domain List" also blocks links from 2017 that have been inactive for some time. "Malware domains" can easily be replaced by DNS blocking. I deleted the "Spam404" list (Phishing) because many links are blocked by DNS or inactive. I also deleted the "NoCoin Filter List".

The 'Rendering Issues' section of the original post indicates web pages are sometimes difficult to read. As indicated one tip that often helps when viewing a web page that does not format well, or if links are missing, is to toggle View dropdown -> Use Style -> 'Default Style' to 'None'. Also experiment with different font and color preferences, select Edit dropdown -> Preferences -> Appearance and modify as desired. Although useful, drawbacks. First, having to toggle Default Style to 'None' is a hassle and new tabs automatically revert back to 'Default Style'. From previous experiments, changing the style to 'None' via about:config then does not allow changing pages back to 'Default Style' during runtime. Secondly, over-riding font and colour preferences won't render the web site as intended, part of it's character and charm. If the font and background are poorly contrasted (ie. not readable), a quick and dirty method is to simply press Ctrl-A to 'select all' on the entire web page. On this system, this automatically changes the font and background to a blue and white combination, ugly but very readable. Alternatively, left-click and drag a selection to change contrast. Read the information you want, click on a desired link and move on. To disable the 'select all' selection, press F5 or click 'Reload' to re-render the page or left-click another area of the page.