
Mov AX, 0xDEAD

Member
  • Posts: 328
  • Joined
  • Last visited
  • Days Won: 6
  • Donations: 0.00 USD
  • Country: Uzbekistan

Everything posted by Mov AX, 0xDEAD

  1. No need to wait for full desktop loading, there is no error, so output may be infinite. Stop in windbg after some time and commit the logfile, look for the NMAS word and copy a few lines below where it calculates it, to see if it is what we expected. I will update the start post to include the fix in the diff file.
  2. @George King without macro you need to write
       extrn __imp_swprintf:PROC
       ....
       call qword ptr [__imp_swprintf]
     with macro it is more readable:
       EXTRNTHUNK swprint
       ....
       callex swprint
     ALIGN16 is ONE replace of this *s_h_i_t* before loops
  3. Hi! Solving problem with reading 64bit declared field: in ReadField() change to
     WriteField() doesn't have a problem with the 64bit field, but writes only the LOW 4 bytes to the 64Bit field (8 bytes). It must write 0x00000000 to the HIGH 4 bytes to remove garbage, because the field may point to hardware MMIO space or BIOS shared memory. Remember the AMD USB3 driver's bug with PAE? This is the same case, when we forget to set/write the full 64-bit address to hardware registers.
     @Dietmar Can you repeat the debug session with this micropatch and share the logfile to confirm solving the problem with this DSDT problem code?
  4. @Dietmar
     1) Keep the original DSDT code; if compiled acpi.sys has a generic solution, it helps not only you, but other users too with the same DSDT problem
     2) If you want again to mask errors as a "blindman", you really don't need acpi.sys from sources, use the existing v6666 binary
  5. @George King Reanalyze the file from scratch, but first disable decompiling stack things: Kernel Analyze Options 1/2 - Trace stack pointer, Create stack variables, Perform full stack pointer analyze, Propagate stack argument information, Propagate register argument information. This will disable [...+arg_10] converting.
     Disable address column: Options->General->Disassembly->Line prefixes(...)
     Your goal is: (i use EXTRNTHUNK/ALIGN16/callex macros to reduce code size and better viewing)
  6. @George King C++ compiler doesn't allow embedded x64 asm code, there is no __asm {} to mix C and Asm code. Need to rip the assembly code of the new functions from existing acpi.sys x64 5.2.3790.3959/4099 to an external .asm and add it to the build script. See ntoskrnl_emu extender as an example, it has two x64 asm functions in an external file.
     Welcome to the club, you can not just bypass, you need to change the lines with warnings to meet type conversion requirements:
     ULONG_PTR on x32 is same as ULONG or Pointer = 32 Bit
     ULONG_PTR on x64 is same as ULONG64 or Pointer = 64 Bit
     ULONG on x32 and x64 is always 32 Bit
  7. ACPIBusIrpQueryResourceRequirements(): ACPIBusIrpQueryResourceRequirements doesn't have trace output, we can rely only on ACPIDevPrint() text output
  8. @Dietmar Creating fields was OK
     NBAS = NHLA shows as OK, but NHLA was evaluated as Buffer, must be Integer
     NHLL - One is OK, NHLL evaluated as 0x0 Integer, result = 0 - 1 = -1 = 0xffffffff
     NMAS = (NHLA + (NHLL - One)) is Failed, Add() expects two integers, but the first argument (Arg0=NHLA) evaluated as Buffer/Field
     How it was declared (on my bios):
     NHLL is OK, 32bit field, at Subtract() evaluated as 0x0 Integer
     NHLA is BAD, seems XP ACPI doesn't handle the 64bit field declaration as Integer and aliases it as Buffer type
     This declaration is not the CreateQWordField opcode, it is handled in another place (OperationRegion/Buffer opcode i guess)
     On my Skylake H110 board this code has an OS check, so DSDT authors know about ACPI compatibility
  9. Solving BSODs 0xA5(..., ..., ..., ...):
     Windows XP/2003 supports only ACPI 1.0b syntax, last generation bioses use ACPI 2.0+
     To support ACPI 2.0 syntax need to replace acpi.sys and apply additional patches to avoid known BSODs:
     - 0xA5 (0x03, ..., C0140001, ...) missing ACPI 2.0 syntax, 95% solved, solutions:
       1) acpi.sys v.5048 (sha1:a09c0d9f6b5cb63192e2cebada56db38d3870b29) from Vista Beta/Longhorn v.5048
          Pro:
          - Has most of ACPI 2.0 syntax opcodes
          - All integers are 64-bit regarding ACPI 2.0 specification
          Cons:
          - beta, compiled for next generation of windows
          - failed implementation of some internal data types, _ValidateArgTypes generates BSOD 0xA5(0x03, xxx, C0140008, yyy)
          Patches:
          - Add pointer to _atDataObj struct for QWord Opcode (_OpcodeTable starts at .data:00039848, _atDataObj struct at .data:000397A8, missing pointer at .data:00039880, don't forget to add additional relocs)
       2) acpi.sys v.6666 based on original Windows XP SP3 v.5512 with integrated acpi 2.0 syntax support
          Pro:
          - based on original v.5512, matches binary/offsets
          Cons:
          - All integers are still 32-bit, any operations on 64-bit fields/variables will drop the high part of the QuadWord
       3) acpi.sys compiled from leaked "XP SP1+W2003 RTM" sources
          Pro:
          - allows compiling an x64 build based on W2003 sources
          Cons:
          - same as v.6666
     - 0xA5 (0x11, 0x08, ..., ...) unknown error in _AMLILoadDDB, probably fails after parsing DSDT/SSDT table, solved
       Patch (by Diderius):
       - Ignore status of _AMLILoadDDB in _ACPIInitializeDDB (v5512 jl short .text:00036214 => nop, nop)
     - 0xA5(0x03, ..., C0140008, ...) DSDT code has an operation with unexpected type of arguments, partially solved
       This BSOD probably means some argument has a datatype allowed only in ACPI 2.0
       v6666 & v5048 support only argument datatypes allowed in ACPI 1.0b specification
       Patch:
       - _ValidateArgTypes must always return "OK", even on really wrong types (mov edi, 0xC0140008 => mov edi, 0x00000000 at head of _ValidateArgTypes)
     - 0xA5 (0x10006, ..., ..., ...), missing _DIS method for "PNP0C0F"s (PCI Interrupt Link Devices) in DSDT/SSDT table
       Patch (by Daniel_k):
       - Skip looking for PNP0C0F in _DisableLinkNodesAsyncWorker (v5512 call strstr, ..., jz .text:0001BBBD => jmp .text:0001BBBD)

     Intel Motherboards specific issues:
     1) ACPI BSOD 0xA5 (0x02, ..., ..., ...), error in ACPIRangeValidatePciResources, ACPI vs E820 conflict, solved
        BSOD is generated by DSDT code like this:
          DWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed, NonCacheable, ReadWrite,
              0x00000000, // Granularity
              0x00000000, // Range Minimum
              0xDFFFFFFF, // Range Maximum
              0x00000000, // Translation Offset
              0xE0000000, // Length
              ,, _Y0E, AddressRangeMemory, TypeStatic)
          ...
          CreateDWordField (BUF0, \_SB.PCI0._Y0E._MIN, M1MN) // _MIN: Minimum Base Address
          CreateDWordField (BUF0, \_SB.PCI0._Y0E._MAX, M1MX) // _MAX: Maximum Base Address
          CreateDWordField (BUF0, \_SB.PCI0._Y0E._LEN, M1LN) // _LEN: Length
          M1LN = M32L /* External reference */
          M1MN = M32B /* External reference */
          M1MX = ((M1MN + M1LN) - One)
        Sometimes M1LN, M1MN, M1MX cannot be calculated properly and this code claims most of memory (E0000000 = 3.7Gb) as a motherboard resource, this brings a conflict with the E820 memory ranges list
        Patch:
        - memory check in ACPIRangeValidatePciResources must always return "OK" (v5512 jz short .text:0001E0BB => jmp short .text:0001E0BB)
     2) Device Manager shows a conflict between Video Card and Motherboard resources
        Device IOTR (PNP0C02) claims 255 I/O addresses in range 0xFF00-0xFFFE, this range conflicts with the Video Card I/O range because vga has a limitation to 10Bit I/O decoding. solved, two solutions:
        1) Manual patching of the DSDT table, remove these lines inside method _CRS of IOTR device, so _CRS will return empty Local0:
          If ((ITS0 == One)) { ConcatenateResTemplate (Local0, BUF0, Local1) Local0 = Local1 }
          If ((ITS1 == One)) { ConcatenateResTemplate (Local0, BUF1, Local1) Local0 = Local1 }
          If ((ITS2 == One)) { ConcatenateResTemplate (Local0, BUF2, Local1) Local0 = Local1 }
          If ((ITS3 == One)) { ConcatenateResTemplate (Local0, BUF3, Local1) Local0 = Local1 }
        2) Patch acpi.sys by injecting special code to override the IOTR template buffer:
           In _Buffer opcode handler replace:
             mov eax, [ebx+14h]
             mov ecx, [ebp+arg_0]
           to
             call Check_IOTR_Buffer
           ...
             Check_IOTR_Buffer:
             cmp eax, 0Ah                       ; eax - size of buffer
             jnz short Skip
             mov eax, [ebx+30h]
             mov eax, [eax+10h]                 ; eax - buffer
             cmp dword ptr [eax], 00000147h     ; need matching all 10 bytes
             jnz short Skip
             cmp dword ptr [eax+4], 0FF010000h
             jnz short Skip
             cmp word ptr [eax+8], 0079h
             jnz short Skip
             mov byte ptr [eax+7], 0            ; MAIN ACTION, set i/o range to 0 instead 255
             Skip:
             mov eax, [ebx+14h]
             mov ecx, [ebp+arg_0]
             ret
           IOTR template defined as:
             Name (BUF0, ResourceTemplate ()
             {
                 IO (Decode16,
                     0x0000,  // Range Minimum
                     0x0000,  // Range Maximum
                     0x01,    // Alignment
                     0xFF,    // Length
                     _Y21)
             })
           in bytecode: 11 0D 0A 47 01 00 00 00 00 01 FF 79 00
     3) No CPU power saving, most of the time CPU is in C0 state even without cpu load
        Some part of the acpi hardware is disabled, so CPU should not use nonexistent ACPI C2/C3 power savings, solved, two solutions (intelppm.sys):
        1) C2/C3 States => C1 State:
           - in _InitializeAcpi2IoSpaceCstates replace offsets AcpiC2Idle and AcpiC3ArbdisIdle with offset AcpiC1Idle
        2) C2/C3 States => C7+ States (default Windows 7 power saving mode, DPC Latency Checker shows significantly increased latency in this mode):
           Replace Acpi2C3ArbdisIdle with:
             push ebx
             mov ebx, ecx
             push esi
             push 0
             call _KeQueryPerformanceCounter
             mov [ebx], eax
             mov [ebx+4], edx
             mov eax, offset DummyMon
             xor ecx, ecx
             xor edx, edx
             monitor
             mov ecx, 1
             mov eax, 60h
             mwait
             push 0
             call _KeQueryPerformanceCounter
             mov [ebx+8], eax
             mov [ebx+0Ch], edx
             xor eax, eax
             pop esi
             pop ebx
             retn
           DummyMon - any unused 4 bytes in .data segment
           Replace Acpi2C2Idle:
             push ecx
             push 0
             call _KeQueryPerformanceCounter
             mov ecx, [esp+4+var_4]
             mov [ecx], eax
             mov [ecx+4], edx
             mov eax, offset DummyMon
             xor ecx, ecx
             xor edx, edx
             monitor
             mov ecx, 1
             mov eax, 33h
             mwait
             push 0
             call _KeQueryPerformanceCounter
             pop ecx
             mov [ecx+8], eax
             mov [ecx+0Ch], edx
             xor eax, eax
             retn
     4) Programs show wrong timing results/work only the first 3.5 sec
        Windows XP SP2+ uses the disabled acpi timer, solved
        Skylake+ bioses by default disable the ACPI hardware timer (register "ACPI Timer Control (ACPI_TMR_CTL)" in southbridge, see PDF), but WinXP SP2+ still uses the disabled acpi timer for getting the incremental time counter (acpi spec declares this counter as part of the specification).
        WinXP detects the existence of this timer by checking the special bit USE_PLATFORM_CLOCK in the FACP ACPI table, modern bioses still set USE_PLATFORM_CLOCK=1 in acpi (mistake by programmers / inform Win7+ about an existing HPET timer (not acpi timer!))
        Patch (by Diderius) "HAL_acpitimer_fix" to use the CPU TSC counter as performance timer/counter:
        - in HaliAcpiTimerInit force to ignore USE_PLATFORM_CLOCK and receive it always =0 (v.5512 jns short PAGE:8002934B => jmp short PAGE:8002934B)
        Compatibility fix ("HAL TSC frequency divider")
        Some programs do wrong calculations with high values of PerformanceCounter/PerformanceFrequency (HAL_acpitimer_fix sets values to cpu freq), to avoid this problem the values need to be divided to a much lesser value, Windows 7 just divides it by 1024, so the timer frequency on a 3600MHz cpu is only 3.51MHz
        Patch:
        - divide by 1024 the values of PerformanceCounter/PerformanceFrequency, replace _HalpAcpiTimerQueryPerfCount to:
     5) No driver for Intel SATA Controller - BSOD 0x7B(..,..,..,..)
        Windows XP/2003 support SATA controllers only in Legacy IDE mode, modern Intel chipsets have only AHCI mode, solved, many solutions:
        1) Intel RST AHCI/RAID 11.2.0.1006 (iaStor.sys)
        2) Intel RSTe AHCI/RAID 4.7.0.1098 backport by daniel_k (iaStorA.sys+iaStorF.sys)
        3) StorAHCI by skulltera/OneCore (storahci.sys), compiled from Microsoft Windows 8.x DDK Samples (requires storport.sys from Windows 2003)
        4) UniATA (opensource)
        5) Intel RSTe AHCI/RAID 4.0.2.1019, for Windows 2003 only, enterprise controllers only(??) (iaStorA.sys+iaStorF.sys)
        6) StorAHCI from Windows 8 (requires backported storport.sys from Windows 8)
        7) StorAhci for Windows 2003, based on Microsoft Windows 8.x DDK Samples source code, https://sourceforge.net/projects/storahci-for-windows-2003/
        Tip: Add PCI\VEN_8086&CC_0106 or PCI\VEN_8086&CC_010601 to *.inf as universal DEV_ID for any Intel AHCI Sata Controller

     AMD Motherboards Issues
     ACPI BSOD 0xA5 (0x0000000D, ..., ..., ...) duplicated _HID method
     Patch:
     - Skip DetectDuplicateHID processing (v5512 .text:00013F6C => jmp .text:00013F6C)
     BSOD 0x7E (..., ..., C0000005, ...) unknown error in AcpiArbCrackPRT
     Patch: (v5512 jnz short .text:0001BD6D => jmp short .text:0001BD6D)

     Intel USB3 Controller Drivers
     Intel released USB3.x drivers only for Windows 7/8/10, so there were many attempts to use drivers of other usb chip manufacturers. Most of them do not work on Intel hardware, some work, but have problems with PAE or USB3 ports. The following drivers are confirmed to work in normal and PAE environment, solved, three solutions:
     1) Microsoft Generic v6.2.9200.16384/v6.2.9200.22453 from Windows 8.0, recommended driver
     2) AMD v1.1.0.0145 (needs amdxhci_adresscalc_fix)
     3) Fresco Logic v3.6.9.0 (extended to 32 ports)
     AMD and Fresco drivers have issues with recognizing devices after plug<->unplug, sometimes ports go to power saving modes and can't come back
     UAS (Attached SCSI Mass Storage) drivers also available, solved, many solutions:
     1) UAS Driver from Windows 8 + storport.sys from Windows 2003, beta
     2) UAS Driver from Windows 8 + storport.sys from Windows 7, beta
     3) UAS Driver from Windows 8 + storport.sys from Windows 8, beta
     4) VIA UAS Driver
     5) Etron UAS Driver
     VIA and Etron UAS Drivers don't support Safe Remove, require fixes, solved (via_uas_fix, etron_uas_fix)
     By default VIA and Etron UAS work only with the genuine vendor USB3.0 Driver, but they are generic(?) and can work with any USB3 driver
       vusbstor.inf: change USB_VIA\Class_08&SubClass_06&Prot_62 to USB\Class_08&SubClass_06&Prot_62
       EtronXHCI.inf: change ENUSB\Class_08&SubClass_06&Prot_62 to USB\Class_08&SubClass_06&Prot_62
     Patches for Microsoft Generic USB3 driver
     Windows 8 USB3 driver always reports USB2 speed on inserted USB3 devices, MS calls it "compatibility", but vendors' drivers report proper USB3 speed and don't have compatibility issues(?)
     Fix to report proper USB3 speed, usbhub3.sys (v6.2.9200.21180):
       .text:19C58: jnz 00019C63 => jmp 00019C63 (75 09 => EB 09)
     Patch for AMD driver (amdxhci_adresscalc_fix)
     This driver is known to have issues with PAE environment, needs fix:
     - replace in amdxhc.sys:
         mov ecx, [esi+458h]   ; esi+458h = store of 64bit address
         mov eax, [esi+28h]
         mov [eax], ecx        ; low part
         mov [eax+4], ebx      ; dropped high part, ebx=zeroes.....
       to
         mov ecx, [esi+458h]
         mov eax, [esi+28h]
         mov [eax], ecx
         mov ecx, [esi+45Ch]   ; HIGH part of 64bit
         mov [eax+4], ecx      ; no more zeroes
     Patch for VIA UASP driver (via_uas_fix)
     Restore "Safe Remove":
     - replace in vusbstor.sys (v6.1.7600.4002):
         page:000209B4: mov [ebp+SurpriseRemovalOK], ebx -> NOPs (89 9D 70 FF FF FF 89 9D 68 FF FF FF => 90 90 90 90 90 90 89 9D 68 FF FF FF)
     Patch for Etron UASP driver (etron_uas_fix)
     Restore "Safe Remove":
     - replace in EtronSTOR.SYS (any version): OR dword ptr [eax+4], 0300h -> OR dword ptr [eax+4], 0000h

     4GB+ RAM Support
     - Windows 2003 supports more than 4Gb RAM without additional actions, limited to some value depending on "Edition"
     - Windows XP ServicePack1 supports more than 4Gb RAM without additional actions, limited to some value (16Gb ?)
     - Windows XP ServicePack2/3 don't support RAM above 4Gb, need patching, solved, many solutions:
       1) PatchPae(v2) by wj32, removes limits only in kernel, lacks HAL_DMA patch
       2) fix128/PatchPae(v3) by Evgen_b, contains unfinished HAL_DMA patch, kernel patch is OK
       3) WinXPPAE(v2+) by Daniel_k, contains proper HAL_DMA patch, kernel patch is OK

     UEFI Boot
     - Bootmgr from some Vista Betas/Longhorns allows booting Windows XP x64 from UEFI x64, alpha, there are issues with the Video card, https://www.betaarchive.com/forum/viewtopic.php?f=61&t=20327
     - Boot Windows x32 on UEFI 32: UEFI32 on real hardware is rare, confirmed only in emulated environment, alpha, Guide LINK by Gelip
     - Quibble bootloader (experimental, opensource), alpha, no NTFS support, booting possible only if Windows is installed on a FAT partition, project page - https://github.com/maharmstone/quibble

     NVMExpress Drivers
     Many solutions:
     - Modified OFA 1.3/1.5 driver + storport.sys from Windows 2003
     - MS Windows 7 NVMe Driver by daniel_k + backported storport.sys from Windows 7
     - MS Windows 7 NVMe Driver + storport.sys from Windows 7 + Emu_Extender
     - Samsung NVMe driver + storport.sys

     GPT partitions
     Windows 2003 already supports GPT Partitions for non-booting disks, no additional software needed
     Windows XP doesn't support GPT Partitions, solved for non-booting disks, one solution:
     - Paragon GPT Loader enables access to 3TB+ Disks/GPT partitions (commercial product, currently not available for sale)
     Booting from GPT disk partially solved, need to convert pure GPT to HybridMBR, Guide LINK by Levvon

     Saving crash dumps through storport based disk controller drivers
     To enable saving crash dumps with storport-based disk drivers on Windows XP need to patch the kernel (scsi support will be disabled)
     Disk Controller drivers written for Windows 8 mostly will not save crash dumps on disk, they use a new API to get information from the kernel about the dump context
     List of patches:
     1) IopGetDumpStack: Replace unicode string "scsiport.sys" with "storport.sys". This string is the 3rd argument of "call _IopLoadDumpDriver@12"
     2) IopGetDumpStack: Original XP kernel will disable loading the storport emulator (diskdump.sys) if storport/miniport returns "Device Object". This is not a problem for Windows 2003/7/.., newer OS still load diskdump.sys even if storport/miniport returns anything. Replace "mov [ebp+ScsiDump], 0" with NOPs
        Example for ntkrpamp.exe v5512: PAGE:004A0E0F mov byte ptr [ebp-29h],0 -> NOP, NOP, NOP, NOP
     3) IopGetDumpStack: Storport doesn't use SCSI port names and doesn't need to search the name of the driver, need to skip this block
        Example for ntkrpamp.exe v5512: in range PAGE:004A0F49-004A1018 replace first opcode with "jmp 4A1019"
     4) Use diskdump.sys from Windows 2003 or Windows 7 (Windows 8 version not tested)
     5) IoInitializeCrashDump: XP kernel allocates for diskdump.sys a buffer of 32Kb (same size in Windows 2000), diskdump.sys from Windows 2003+ expects a buffer of 64Kb. To be compatible with the new diskdump.sys need to increase the buffer. Replace "push 8000h" with "push 10000h" as 3rd arg of the ExAllocatePoolWithTag call

     Modded AVX/AVX2 kernel
     Currently Proof-Of-Concept, only one kernel version supported LINK

     Projects for Developers/Advanced Users
     - Remote kernel debug over LAN or USB3 cable, https://github.com/MovAX0xDEAD/KDNET
     - ACPI DSDT/SSDT Patcher at boot time for any windows, https://github.com/MovAX0xDEAD/ACPI-Patcher
     - WinXP/W2003 ntoskrnl.exe Emu_Extender, https://github.com/MovAX0xDEAD/NTOSKRNL_Emu, https://msfn.org/board/topic/181615-ntoskrnl-emu_extender-for-windows-xp2003/

     Research & Experiments
     - Running Windows XP with "new generation" ACPI.sys taken from many Vista Beta/Longhorn versions
     - Running existing USB3 vendors' drivers on Intel USB3.0 controller
     - Implementation of ACPI Timer/HPET on different windows generations
     - Switching between DMA32/DMA64 under PAE Environment, Windows XP
     - Switching between DMA32/DMA64 under PAE Environment, Windows 7

     Unresolved Problems/Requested Features:
     - ACPI.SYS v.6666 lacks 64-bit integers
     - ACPI.SYS v.6666 limits possible datatypes in arguments only to ACPI 1.0b Specification
     - Boot Windows XP/2003 x32 from UEFI x64
     - Generating TRIM command for SSD in filesystem (NTFS/???)
     - Internal GPT support for x32 Windows XP by replacing disk.sys/partmgr.sys/??? from Windows 2003
     - Boot Windows x32 XP/2003 from pure GPT
     - Restore full Windows XP SP1 implementation of PAE/DMA for Windows XP SP3
     - Generic/Universal HDA Audio driver
     - CSM Emulator for UEFI x64
     - DirectX 10/11 kernel support
     - NDIS 6.x for Windows XP/2003
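As an added example (not code from the post above or from acpi.sys), the byte checks of the Check_IOTR_Buffer patch in post 9 decoded in Python against the IOTR template bytecode the post quotes; the I/O Port Descriptor layout (small-item tag 0x47, End Tag 0x79) follows the ACPI specification, and the function and field names are assumptions of mine:

```python
"""
Decode the 10-byte IOTR resource template that the Check_IOTR_Buffer patch
matches, and apply the same single-byte change (I/O length 0xFF -> 0) in
Python so the effect can be inspected without touching acpi.sys.
"""
import struct

# The 10-byte template body from the post's hex dump (constructed sample input).
IOTR_TEMPLATE = bytes.fromhex("47 01 00 00 00 00 01 FF 79 00")

IO_PORT_TAG = 0x47   # small item: type 8 (I/O Port Descriptor), body length 7
END_TAG = 0x79       # small item: type 0xF (End Tag), body length 1


def parse_io_port_descriptor(buf: bytes) -> dict:
    """Parse an ACPI small-item I/O Port Descriptor followed by an End Tag.

    Raises ValueError for anything that does not have exactly the shape the
    acpi.sys patch keys on (10 bytes, I/O port tag, End Tag at offset 8).
    """
    if len(buf) != 10:
        raise ValueError(f"expected a 10-byte template, got {len(buf)}")
    if buf[0] != IO_PORT_TAG:
        raise ValueError(f"not an I/O port descriptor: tag 0x{buf[0]:02x}")
    if buf[8] != END_TAG:
        raise ValueError("missing End Tag")
    # Descriptor body after the tag: decode flags (bit0 = Decode16),
    # range minimum and maximum (little-endian 16-bit), alignment, length.
    decode, rmin, rmax, align, length = struct.unpack_from("<BHHBB", buf, 1)
    return {
        "decode16": bool(decode & 1),
        "range_min": rmin,
        "range_max": rmax,
        "alignment": align,
        "length": length,
        "end_tag_checksum": buf[9],
    }


def matches_acpi_patch(buf: bytes) -> bool:
    """The three cmp/jnz checks from the patch, as exact little-endian compares:
    dword@0 == 0x00000147, dword@4 == 0xFF010000, word@8 == 0x0079."""
    return (len(buf) == 10
            and struct.unpack_from("<I", buf, 0)[0] == 0x00000147
            and struct.unpack_from("<I", buf, 4)[0] == 0xFF010000
            and struct.unpack_from("<H", buf, 8)[0] == 0x0079)


def neutralise_iotr(buf: bytes) -> bytes:
    """Return the template with the I/O length byte (offset 7) cleared, as the
    patch's `mov byte ptr [eax+7], 0` does; non-matching buffers are returned unchanged."""
    if not matches_acpi_patch(buf):
        return buf
    out = bytearray(buf)
    out[7] = 0
    return bytes(out)


if __name__ == "__main__":
    print("before:", parse_io_port_descriptor(IOTR_TEMPLATE))
    print("after: ", parse_io_port_descriptor(neutralise_iotr(IOTR_TEMPLATE)))
```

Running it shows why the patch is safe to key on all 10 bytes: only a template with exactly this descriptor (Decode16, min 0, max 0, alignment 1, length 0xFF) is touched, and the result still parses as a valid descriptor with a zero-length I/O range.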
  10. @Dietmar You can keep xxx/yyy as is, _stricmp() is a string comparator, you can compare anything with anything, results are ORed
  11. Hi!
      1) Little patch to enable text output of the wanted function: In function IsTraceOn() inside trace.c after the line:
        BOOLEAN rc = FALSE;
      add a few lines:
        if ( !_stricmp(pszProcName, "VALIDATEARGTYPES") ||
             !_stricmp(pszProcName, "VALIDATETARGET") ||
             !_stricmp(pszProcName, "xxx") ||
             !_stricmp(pszProcName, "yyy") )
        {
            rc = TRUE;
        }
      You can add/replace xxx/yyy with any wanted function, just look at the beginning of the function for a line like TRACENAME("FATAL"), the word FATAL is what you need
      2) Configure WinDbg: for massive verbose output
      build acpi.sys debug version
      configure boot.ini to insta-break /BREAK
      enable WinDbg output to file: Edit->Open/Close log file (repeat at every session)
      bu acpi!DriverEntry - tell it to stop at acpi.sys (windbg will save it between sessions)
      g - run kernel before first breakpoint
      wait for break in acpi, you must see the message
        Breakpoint 0 hit
        ACPI!DriverEntry:
      ed Kd_ACPI_Mask 0xFFFFFFFF
      !amli set spewon verboseon logon traceon
      g - continue to load windows
      type Ignore a few times if asked, usually this is an assertion check, so better to check in the source files what condition was triggered
      wait until desktop loaded, you must see a lot of text
      commit log file: Edit->Open/Close log file->Close
  12. Ok, this trace doesn't show useful info
      c0140008 = AMLIERR_UNEXPECTED_ARGTYPE, in all cases AMLIERR_UNEXPECTED_ARGTYPE is used with code like this:
        rc = AMLI_LOGERR(AMLIERR_UNEXPECTED_ARGTYPE, ("ValidateArgTypes: expected Arg%d to be type Integer (Type=%s)..);
      seems AMLI_LOGERR() has some requirement to enable the text message, need to change it to show the message in any case
  13. Use official MS way:
      create separate .asm files in amd64 folder, let's name it amd64_helpers.asm
      add AMD64_SOURCES= amd64\amd64_helpers.asm to file "sources" of the project
      place inlined __asm {...} code within preprocessor #ifdef _X86_ ...... #endif, it will be processed only for x32 builds
      example of x64 asm:
        PUBLIC OSNotifyDeviceCheck
        EXTRN g_AmliHookEnabled:DWORD
        EXTRN memcpy:PROC
        EXTRN memset:PROC
        OSNotifyDeviceCheck PROC
        ...
        call memcpy
        ...
        OSNotifyDeviceCheck ENDP
  14. MS VC++ compiler allows using the internal assembler only for x86, for x64 you need to use external *.asm files (compiler will use external MASM x64 to make .obj)
      Yes, XP SP3 driver can "coexist" with W2003 SP2, but the real W2003 SP2 acpi.sys is based on newer sources
      Difference XP SP1 vs XP SP3 is small, only a few functions were improved/changed. W2003 RTM vs W2003 SP2 is much bigger, it has a lot of new arblib* functions. To make x64 acpi need to use w2003 sources as base (because xp x64 is renamed w2003 x64) or use the existing binary v5048 from Longhorn beta.
      p.s. W2003 RTM sources + ACPI 2.0 patches are bad, my coffeelake just hangs, no BSOD, no reset
  15. This is just a declaration, the real job is in ReadField*/WriteField*. Let's assume you successfully made a qword field, how do you plan to write/read to it if all local variables in the acpi driver are 32 bit? Driver doesn't offer variables with full 64 bit range...
  16. Hi Winword2000, Club. This is possible only if someone leaks win2000 acpi sources from MS. Second option is binary patching without sources, but you need to find some Bro who is interested in this job
  17. Hi Dietmar
      Setup a remote debug connection, otherwise you again mask the error without knowledge of why the modded driver is not compatible with new DSDT/SSDT tables.
      ValidateArgTypes() is very important and used in any opcode to check IN argument types (string, buffer, integer, ...)
      You can build the debug version, it has a lot of tips/messages, to enable printing everything in windbg enter
        ed Kd_ACPI_Mask 0xFFFFFFFF
      before running the kernel (use boot.ini /BREAK to instant stop)
  18. This project makes it possible to compile an ACPI 2.0 driver from leaked XP SP1 & W2003 RTM sources, it has the same functionality as the existing acpi.sys v6666 (still missing integer/fields/memory 64 bit support)
      Grab leaked XP SP1/W2003 RTM sources (google it)
      Use "XPSP1/NT" directory as basedir if you want to compile acpi.sys for Windows XP x32
      Use "Win2K3/NT" directory as basedir for Windows 2003 x32 / Windows 2003 x64 / Windows XP x64
      Download any GNU patch package for windows (gnuwin32.sourceforge.net, cygwin, mingw, msys2, ...)
      Open command console, change current dir to base\busdrv\acpi\
      (Windows XP x32) Save text diff patch https://pastebin.com/C5NXwHbS (v7 update) to file base\busdrv\acpi\sp1_to_sp3(ACP2).patch
      (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64) Save text diff patch https://pastebin.com/8QURrM49 (v7 update) to file base\busdrv\acpi\rtm_to_sp2(ACP2).patch
      (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64) Rename Win2K3/NT/public to Win2K3/NT/public2
      (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64) Update compiler and headers to a mix of W2003 DDK+WRK, unpack https://anonfiles.com/J1W9H1a8y1/W2003_tools_update_7z to basedir, overriding existing files
      Remove "read only" flag from base\busdrv\acpi directory including sub-dirs and files
      Apply patch to convert original SP1/RTM sources to SP3/SP2 with extended ACPI 2.0 syntax:
        patching file driver/amlinew/amlipriv.h
        patching file driver/amlinew/amlitest.c
        patching file driver/amlinew/data.c
        patching file driver/amlinew/misc.c
        patching file driver/amlinew/object.c
        patching file driver/amlinew/parser.c
        patching file driver/amlinew/proto.h
        patching file driver/amlinew/type1op.c
        patching file driver/amlinew/type2op.c
        patching file driver/inc/aml.h
        patching file driver/nt/debug.c
        patching file driver/nt/debug.h
        patching file driver/nt/devpower.c
        patching file driver/nt/internal.c
        patching file driver/nt/interupt.c
        patching file driver/nt/irqarb.c
        patching file driver/nt/osnotify.c
        patching file driver/nt/pciopregion.c
        patching file driver/nt/rangesup.c
        patching file driver/nt/root.c
        patching file driver/nt/wake.c
      Change current dir to basedir
      (Windows XP x32 / Windows 2003 x32) Run razzle environment setup:
      (Windows 2003 x64 / Windows XP x64) Run razzle environment setup
      Change current dir to base\busdrv\acpi\driver\
      Compile ACPI driver: build /Dcegbw
      Compiled acpi.sys will be in (x32) base\busdrv\acpi\driver\nt\obj\i386\ or (x64) base\busdrv\acpi\driver\nt\obj\amd64\
      Project contains implementation of new ACPI 2.0 syntax:
        ToInteger
        ToString
        ToHexString
        Continue
        ConcatenateResTemplate
        ToDecimalString
        Mod
        ToBuffer
        CopyObject
        MidString
        QwordConst (inside ParseIntObj)
        Timer
        CreateQWordField (faked as CreateDWordField)
      Known issues workarounds:
        BSOD 0xA5 (0x10006, ...) missing _DIS method for "PNP0C0F" (PCI Interrupt Link Devices)
        BSOD 0xA5 (0x02, xxx, 0x0, ...) ACPI vs E820 mem ranges conflict
        IOTRAPS I/O range 0xFF00-0xFFFF vs VGA (10-bit decode!) conflict
        BSOD 0xA5 (0x03, ..., C0140008, ...) error in ValidateArgTypes() when reading 64-bit fields
        BSOD 0x7E (c0000005, ...) error in AcpiArbCrackPRT() when referencing null pointer
        BSOD 0xA5 (0x11, 0x08, ..., ...) error in _AMLILoadDDB() (zero length buffer)
        BSOD 0xA5 (0x11, 0x08, ..., ...) error in _AMLILoadDDB() (doubled device definition)
        BSOD 0xA5 (0x0000000D, ..., 0x4449555F, 0) absence of _UID method
        BSOD 0xA5 (0x11, 0x08, ..., ...) error in _AMLILoadDDB() (Connection() opcode)
        CPU definition as Device with _HID=ACPI0007
        BSOD 0xA5 (0x03, ..., C0000034, ...) postponed SSDT loading on x64 platform (v8 update)
        Assertion Fail on loaddsdt.c, line 488 for x64 builds (v8 update)
      Unresolved issues:
        BSOD 0xA5 (0x0000000D, ..., ..., ...) duplicated/absent _HID/_UID method (AMD boards)
        BSOD 0xA5 (0x2001, 0x01, 0xC0000034, ...) failure to evaluate the _PIC method in NotifyHalWithMachineStates()
        Conflicting device names in Windows device manager (Code 42)
  19. Hi Windows2
      1) MS rebases all critical system .dlls to avoid overlapping ranges, you can rebase too using 3rd party utils (pe_rebaser from PEBLISS project) or rebase.exe from leaked XP/W2003 sources
      2) No matter how sections are ordered, just assign the new section to a new mem range, example kernel32 from NT4 Service Pack 6, base address 77F00000
        .text  77F01000
        .rdata 77F3C000
        .data  77F45000
        .rsrc  77F47000
        .reloc 77F5B000, size 2E00
      Free range starts at 77F5B000+2E00=77F5DE00
      Unfortunately this range probably will be assigned to the next system dll like user32.dll. If you need more mem range, you need to find enough gap between DLLs and rebase kernel32 to a new address
      For XP a couple of years ago i found holes with a bat file:
        basic_info_viewer.exe c:\WINDOWS\system32\1033\dwintl.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\1033\vsjitdebuggerui.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\1cfgmgr32.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\1winsta.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\6to4svc.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\a3d.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\aaaamon.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\aaclient.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\ac3api.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\acctres.dll >> c:\dllbase.txt
        basic_info_viewer.exe c:\WINDOWS\system32\acledit.dll >> c:\dllbase.txt
        ...all remaining dlls in system32....
      generated dllbase.txt:
        c:\WINDOWS\system32\1033\dwintl.dll Image base: 0x314c0000 Len: 0xc000
        c:\WINDOWS\system32\1033\vsjitdebuggerui.dll Image base: 0x3b3f0000 Len: 0x4000
        c:\WINDOWS\system32\1cfgmgr32.dll Image base: 0x74ae0000 Len: 0x7000
        c:\WINDOWS\system32\1winsta.dll Image base: 0x76360000 Len: 0x10000
        c:\WINDOWS\system32\6to4svc.dll Image base: 0x6bc00000 Len: 0x1d000
        c:\WINDOWS\system32\a3d.dll Image base: 0x2000000 Len: 0x12000
        c:\WINDOWS\system32\aaaamon.dll Image base: 0x717a0000 Len: 0xa000
        c:\WINDOWS\system32\aaclient.dll Image base: 0x6d640000 Len: 0x25000
        c:\WINDOWS\system32\ac3api.dll Image base: 0x2000000 Len: 0xf000
        c:\WINDOWS\system32\acctres.dll Image base: 0x71780000 Len: 0x12000
        c:\WINDOWS\system32\acledit.dll Image base: 0x71b70000 Len: 0x22000
        c:\WINDOWS\system32\aclui.dll Image base: 0x71550000 Len: 0x1f000
      Import dllbase into excel, splitting every line into 3 cells: name, addr, len. Then sort by addr and look for gaps. Max available address for a user mode dll is 8000000 (/3G systems allow above)
      3) PE format allows BINDING to hardcoded addresses at compile time, this means addresses of functions from kernel32 are already embedded into other DLLs like 77F23344, you cannot rebase in such a case, not sure how NT4 was compiled, i hope this mode is not used
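The gap search that post 19 does by hand in Excel, as an added Python example (not the poster's tool): it parses the dllbase.txt line format quoted above, sorts by image base, reports preferred ranges that collide (two DLLs at 0x2000000 in the listing) and lists the free ranges; the user-mode ceiling of 0x80000000 assumes the default 2GB split without /3GB, and the reserved first 64KB is skipped.

```python
"""
Find free virtual-address gaps (and overlaps) between preferred DLL image
bases in a dllbase.txt-style listing.  Only the line format
"<path> Image base: 0x... Len: 0x..." from the post is assumed.
"""
import re
from typing import List, Tuple

USER_SPACE_END = 0x80000000   # top of user mode with the default 2GB split
LOWEST_USER_ADDR = 0x10000    # first 64KB of user space is never mappable

# A subset of the generated dllbase.txt from the post (constructed sample input).
SAMPLE = r"""
c:\WINDOWS\system32\1033\dwintl.dll Image base: 0x314c0000 Len: 0xc000
c:\WINDOWS\system32\a3d.dll Image base: 0x2000000 Len: 0x12000
c:\WINDOWS\system32\ac3api.dll Image base: 0x2000000 Len: 0xf000
c:\WINDOWS\system32\1cfgmgr32.dll Image base: 0x74ae0000 Len: 0x7000
c:\WINDOWS\system32\1winsta.dll Image base: 0x76360000 Len: 0x10000
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+Image base:\s*0x(?P<base>[0-9a-fA-F]+)"
    r"\s+Len:\s*0x(?P<len>[0-9a-fA-F]+)\s*$")

Entry = Tuple[str, int, int]   # (path, image base, length)


def parse_listing(text: str) -> List[Entry]:
    """Return (path, base, length) triples sorted by image base; lines that
    do not match the format (blank lines, tool chatter) are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append((m["path"], int(m["base"], 16), int(m["len"], 16)))
    entries.sort(key=lambda e: e[1])   # stable: equal bases keep file order
    return entries


def find_overlaps(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Pairs of adjacent images whose preferred ranges collide; the loader
    would have to relocate one of them at run time."""
    overlaps = []
    for (pa, ba, la), (pb, bb, lb) in zip(entries, entries[1:]):
        if bb < ba + la:   # next image starts before the previous one ends
            overlaps.append((pa, pb))
    return overlaps


def find_gaps(entries: List[Entry], min_size: int = 0x10000,
              ceiling: int = USER_SPACE_END) -> List[Tuple[int, int]]:
    """(start, size) of every free range of at least min_size bytes between
    the sorted images, from LOWEST_USER_ADDR up to ceiling."""
    gaps = []
    cursor = LOWEST_USER_ADDR
    for _, base, length in entries:
        if base - cursor >= min_size:
            gaps.append((cursor, base - cursor))
        cursor = max(cursor, base + length)   # max() handles overlapping images
    if ceiling - cursor >= min_size:
        gaps.append((cursor, ceiling - cursor))
    return gaps


def largest_gap(entries: List[Entry]) -> Tuple[int, int]:
    """The single biggest free range, i.e. the best rebase target."""
    return max(find_gaps(entries), key=lambda g: g[1])


if __name__ == "__main__":
    ents = parse_listing(SAMPLE)
    for a, b in find_overlaps(ents):
        print(f"overlap: {a} <-> {b}")
    for start, size in find_gaps(ents):
        print(f"free: 0x{start:08x} - 0x{start + size:08x} ({size:#x} bytes)")
```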
  20. First made for XP only, then added W2003, at the end added XP/W2003 x64 and a little Vista/W7 support. I just didn't have the motivation to support W2000, too many similar systems - W2000/XP/W2003...
  21. Hi, ntoskrnl_extender is compilable and usable on xp64 too, usb3/storage drivers work (but not tested widely). "OneCore API and XomPie" - read carefully what these and this project do, they live in different worlds, "ring3 vs ring0", and there is no way to say hello to the companion :)
  22. No need to implement every function, only functions really used in working drivers. This means "vista video" and some rare drivers (like intel raid drivers for server chipsets) still have missing imports, because they are not working anyway or no one uses them
  23. Hi, seems you messed up the arguments/stack at return, "ret x" must take the return address to the parent, but it takes a random arg from the stack and jumps to it :)
  24. Hi Ximonite, is any source code available? Or were all functions ripped as disassembly?
  25. win32k declares its own ring3->ring0 service table for user32 and gdi32, see KeAddSystemServiceTable() inside win32k