Jump to content
MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. ×


  • Posts

  • Joined

  • Last visited

  • Days Won

  • Donations

  • Country


win32 last won the day on December 23 2021

win32 had the most liked content!

About win32

  • Birthday 05/24/2001

Profile Information

  • OS
    Vista Ultimate x64

Recent Profile Visitors

15,153 profile views

win32's Achievements



  1. If this is what I think it is (NT 4), then I think it may not be possible to generate a dump early in boot. I could not in Vista when it was time to initialize ntdll as well. If you bugcheck early enough, no text will be printed on screen except for the four bug check parameters.
  2. I was always told that NT4 was exceptionally tough. I'm not even sure if the approaches we use for 2000 and Vista are applicable here. I used wrappers written in C for NT4 over kernel32. But that is a very touchy subject because of the potential sources of "inspiration" for the wrapper code.
  3. If it doesn't boot, then you might have to consider doing that.
  4. Yes, Northern Canada got off this very lightly relative to southern areas, especially far northern Quebec, NWT and Nunavut. Unfortunately I live in the deep south of Canada.
  5. Yes. But don't rebuild the PE header. That doesn't work out as well. The checksum needs to be corrected every time the file is modified.
  6. You can do it in CFF Explorer. Go to rebuilder, only check "Update Checksum", "Rebuild" then save.
  7. Install NT 4 SP5 in a VM (better in a VM because you can take snapshots) or on a real PC and replace kernel32 with that one. I will remind you that the PE checksum must be corrected before using it or else you will bugcheck. And you cannot redistribute these files publicly in the forum.
  8. IDA Pro does not like to assemble things very well, so you will have to go into the hex view to modify the import calls. In x86, the import calls directly reference the memory address of the import table entry as opposed to an offset. So the hex codes for the import call instruction will be (in little-endian notation): FF 15 B8 C0 F3 77 Local function calls remain offset based, so you can just go to edit -> patch program -> assemble and type in "call 77f01762h".
  9. You put the memory address of the function in the wrong place (00000040 is near the beginning of the file; not the end where .xdata is located). In IDA Pro you will notice two numbers on the status bar: The one on the left, 0005B840 is the offset memory address and the one that Export Table Tester uses, as well as hex editors. So that is where you want to put the address of the function. And then there are a few other concerns, especially with regards to the export table: if you do not move it to an empty space in the file, such as farther down as .xdata, with lots of expansion room, you may end up running into other code or data.
  10. Imports are really hard to work with, if they are not there in the file already. There are a couple of things you can do. Either you get the imported function from the imported file and try implementing it in the target file, if it's simple. Or you take other import entries to simple functions, reimplement the simple functions in the file itself and rename the now unused import to the one you want. However, you have to make sure the new import name is not too long as the import names are packed together very close.
  11. Rebuild the PE header? No. Just set the checksum but make sure you do not rebuild the header. Warning: LordPE silently rebuilds PE headers when a file is saved.
  12. Completely rewriting kernel32 will prove very difficult. And IDA's pseudocode is not always compilable without other changes, and may be incorrect. But if you don't write anything in C, you can go into IDA, outline the entire function and go to "Edit -> export data". Then copy and paste that hex code into the target file, and find the starting address for the beginning of the hex code and then add an entry in the export table that references the starting address. After pasting in the new function, you will have to fix up the imports, function calls and data references to ensure that will work somewhat.
  13. Those are stubs that I deprecated a long time ago. I now grab my code from newer versions of Windows using IDA pro or write my own (you can do it in C, then disassemble if you don't know asm well). SetThreadErrorMode calls RtlSetThreadErrorMode in ntdll. Perhaps you can call RtlSetThreadErrorMode locally by putting it in kernel32. K32GetModuleFileNameExA is the same as GetModuleFileNameExA in psapi.dll. In fact every function that starts with "K32" was originally in there. But I don't believe kernel32 can call psapi because psapi relies on kernel32.

  • Create New...