Mov AX, 0xDEAD

Member
  • Posts: 328
  • Joined
  • Last visited
  • Days Won: 6
  • Donations: 0.00 USD
  • Country: Uzbekistan

Everything posted by Mov AX, 0xDEAD

  1. security_cookie is constant 0x4EE640BB inside file
  2. NTOSKRNL Emu_Extender
     Library of missing functions for Windows XP/2003/Vista/7 NTOSKRNL.EXE. The project is intended to help in porting drivers from Windows 7/8/8.1/10 to work with Windows XP/2003/Vista/7.

     How-To:
       - Compile sources to make ntoskrn8.sys
       - Make corrections to target driver XXX.sys so that it loads ntoskrn8.sys instead of the original ntoskrnl.exe
       - If XXX.sys is a driver made for Windows 8, change security_cookie to a random value; security_cookie is constant 0x4EE640BB (x32) / 0x32A2DF2D992B (x64) inside the file, change only the first match!
       - Place ntoskrn8.sys in the X:/Windows/system32/drivers/ folder

     Compiling:
       1) Install Windows 7 DDK v7.1.0 (download from Microsoft site)
       1a) Original DDK header files have a mistake in the definition of MmAllocateContiguousMemorySpecifyCacheNode; apply the fix to two files, \WinDDK\Win7\inc\ddk\ntddk.h and \WinDDK\Win7\inc\ddk\wdm.h:
           replace:
             #if (NTDDI_VERSION >= NTDDI_WIN2K)
             typedef ULONG NODE_REQUIREMENT;
           with:
             #if (NTDDI_VERSION >= NTDDI_VISTA)
             typedef ULONG NODE_REQUIREMENT;
       2) Download project files to any local folder:
             git clone https://github.com/MovAX0xDEAD/NTOSKRNL_Emu
       3) Choose the Target OS (XP, 2003, Vista or Windows 7) for which Emu_Extender will be compiled.
          Keep in mind that depending on the target operating system the way of exporting the functions changes: if a function already exists in the kernel, it will simply be redirected without injecting emulation code.
       4) Run shell: "Start Menu\Programs\Windows Driver Kits\Win7 7600.16385.1\Build Environments\Windows XXX\YYY Free Build Environment" (XXX - target OS, YYY - target CPU)
       5) In the shell change the current directory to the local project folder
       6) Use shell command BLD to compile the project
       7) Compiled ntoskrn8.sys will be in the ntoskrn8/objfre_XXX_x86/YYY folder

     STORPORT Windows 7 Emu_Extender
     This is a library of missing functions for Windows 7's STORPORT.SYS v6.1.7601.23403 to emulate Windows 8's STORPORT.SYS.

     How-To:
       - Compile ntoskrnl Emu_Extender
       - Place storpor8.sys in the X:/Windows/system32/drivers/ folder
       - Make corrections to target xxx.sys so that it loads storpor8.sys instead of the original storport.sys
       - Place the backported storport.sys from Windows 7 in the X:/Windows/system32/drivers/ folder

     Ported drivers:

     Windows 7's WDF 1.11 for Windows XP/2003 x32
     The last version for Windows XP/2003 is 1.9, but it is possible to backport the 1.11 version:
       1) Get files from Windows 7 Updates (KB3125574):
            WDF01000.SYS v 1.11.9200.20755
            WdfLdr.sys v 1.11.9200.16384
       2) In WDF01000.SYS replace string ntoskrnl.exe with ntoskrn8.sys in the import section
       3) Recalc checksum
       If it needs to coexist with the original WDF 1.9 drivers:
       4) Rename WDF01000.SYS -> WDF01_W8.SYS, WdfLdr.sys -> WdfLdr8.sys
       5) In WDF01_W8.SYS replace string WdfLdr.sys with WdfLdr8.sys in the import section
       6) In WdfLdr8.sys replace unicode string \Registry\Machine\System\CurrentControlSet\Services\Wdf%02d000 with \Registry\Machine\System\CurrentControlSet\Services\Wdf%02d_w8
       7) In WdfLdr8.sys replace hex pattern F6 78 1B F6 with F6 EB 1B F6 (x32), ** ** with ** ** (x64)
       8) In target driver XXX.sys replace string "WdfLdr.sys" with "WdfLdr8.sys" in the import section
       9) In the .INF of the ported driver add creation of a new service:
            AddService=WDF01_W8,, WDF.AddService
            ....
            [WDF.AddService]
            DisplayName = "Windows Driver Framework v1.11 for XP/2003"
            ServiceType = 1 ; SERVICE_KERNEL_DRIVER
            StartType = 3 ; SERVICE_DEMAND_START
            ErrorControl = 1 ; SERVICE_ERROR_NORMAL
            ServiceBinary = %12%\WDF01_W8.SYS
            LoadOrderGroup = Base
       Recalc checksum of all edited *.sys

     Windows 7's Storport.sys for Windows XP x32
     Storport has been released since Windows 2003, but it is possible to backport the Windows 7 version:
       1) Get files from Windows 7 Updates (KB3125574):
            storport.sys v 6.1.7600.23403
       2) In storport.sys replace string ntoskrnl.exe with ntoskrn8.sys in the import section; now storport.sys will import all kernel functions only from Emu_Extender
       3) Storport uses MSI interrupts; need to force use of only legacy/compatible interrupts:
            x32 - replace hex pattern 8B 8E 3C 01 00 00 with B9 00 00 00 00 90 (mov ecx, [esi+13Ch] -> mov ecx, 0)
            x64 - replace hex pattern 8B 83 C0 01 00 00 with B8 00 00 00 00 90 (mov eax, [rbx+1C0h] -> mov eax, 0)
       4) Recalc checksum

     Windows 7's NVMe driver for Windows XP x32
       1) Get files from Windows 7 Updates (KB3125574):
            stornvme.sys v 6.1.7600.23403
       2) MS Win7 NVMe driver requires Win7 Storport.sys; use the backported one

     Windows 8's USB3 driver for Windows XP x32
       1) Get required files from Windows 8 (KB4534283/4556840, KB2984005, RTM ISO):
            ucx01000.sys v6.2.9200.22453
            usbhub3.sys v6.2.9200.21180
            usbxhci.sys v6.2.9200.22099
            wpprecorder.sys v6.2.9200.16384
            usbd.sys v6.2.9200.20761
          from Vista Beta/Longhorn 5456.5:
            ksecdd.sys v6.0.5456.5
       2) In files ucx01000.sys, usbhub3.sys, usbxhci.sys, wpprecorder.sys, usbd.sys change security_cookie to a random value
       3) In files ucx01000.sys, usbhub3.sys, usbxhci.sys, ksecdd.sys replace string name "ntoskrnl.exe" with "ntoskrn8.sys" in the import section
       4) Rename ksecdd.sys -> ksecd8.sys, usbd.sys -> usbd_w8.sys
       5) In usbhub3.sys replace string name "ksecdd.sys" with "ksecd8.sys" in the import section
       6) In usbhub3.sys replace string name "usbd.sys" with "usbd_w8.sys" in the import section
       7) Recalc checksum

     Windows 8's STORAHCI driver for Windows XP x32
     The STORAHCI driver requires storport.sys from Windows 8, but it is possible to use storport.sys v6.1.7601.23403 from Windows 7. Storport.sys from Windows 7 is more compatible with Windows XP/2003 because it still calls the required PoStartNextPowerIrp when processing power IRPs. Microsoft removed calls to PoStartNextPowerIrp in Windows 8's storport.sys; without this call the Windows XP/2003 kernel cannot finish the current power IRP and start the next IRP => it generates a BSOD (0x0000009F). Also storport.sys from Windows 7 has a compatibility mode to allow old XP/2003 kernels to write crashdumps through storport based disk drivers. In storport.sys from Windows 8 the compatibility mode was removed; writing crashdumps is possible only with new kernels.
     Attention: Windows 8's STORAHCI + Windows 7's STORPORT may have a significant performance drop and high CPU usage; there is no fix yet.
       1) Get files from Windows 8 (RTM ISO):
            storahci.sys v 6.2.9200.16384
       2) In storahci.sys replace string storport.sys with ntoskrn8.sys in the import section
       3) Storahci.sys was compiled with Windows 8 DDK's storport.h and writes values to new fields of the _PORT_CONFIGURATION_INFORMATION struct; these fields do not exist in Windows 7's storport.sys. Need to skip these writes to avoid damaging other structures in memory:
            x32:
              Replace hex pattern 83 A6 C8 00 00 00 00 with 90 90 90 90 90 90 90 (and dword ptr [esi+0C8h], 0 -> nop)
              Replace hex pattern 83 8E CC 00 00 00 03 with 90 90 90 90 90 90 90 (or dword ptr [esi+0CCh], 3 -> nop)
            x64:
              Replace hex pattern 44 89 B7 D8 00 00 00 with 90 90 90 90 90 90 90 (mov [rdi+0D8h], r14d -> nop)
              Replace hex pattern 83 8F DC 00 00 00 03 with 90 90 90 90 90 90 90 (or dword ptr [rdi+0DCh], 3 -> nop)
          If you want to compile storahci from sources (from Windows 8 DDK Samples), comment out two lines:
              ConfigInfo->BusResetHoldTime = 0;
              ConfigInfo->FeatureSupport |= STOR_ADAPTER_FEATURE_STOP_UNIT_DURING_POWER_DOWN;
       4) In storahci.sys change security_cookie to a random value
       5) Recalc checksum

     Windows 7's MSAHCI driver for Windows XP x32
       1) Get files from Windows 7 Updates (KB3125574):
            atapi.sys v 6.1.7600.23403
            ataport.sys v 6.1.7600.23403
            msahci.sys v 6.1.7600.23403
            pciidex.sys v 6.1.7600.23403
       2) In ataport.sys, pciidex.sys replace string ntoskrnl.exe with ntoskrn8.sys in the import section
       3) Pciidex.sys uses the MS internal/undocumented HalDispatchTable way to call functions from Kernel/HAL; for Windows XP/2003 need to use the compatible variant:
            x32: Replace hex pattern FF 50 3C with FF 50 40
                 same in asm code: mov eax, ds:HalDispatchTable ... call dword ptr [eax+3Ch] => call dword ptr [eax+40h]
            x64: Replace hex pattern FF 50 78 with EB 2A 90
                 Replace hex pattern at offset +2Ch: CC CC CC CC CC CC CC CC with FF 90 80 00 00 00 EB CF
                 same in asm code: mov rax, cs:HalDispatchTable ... call qword ptr [rax+78h] => jmp patch
                 orig: mov r10d, eax
                 patch: call qword ptr [eax+80h]
                        jmp orig
       4) Recalc checksum
       5) MSHDC.INF from Windows 7 conflicts with the original mshdc.inf from Windows XP/2003. msahci.sys enumerates IDE/SATA channels as "Internal_IDE_Channel" and the compatible ID is "*PNP0600". The original mshdc.inf from Windows XP/2003 for compatible Device ID "*PNP0600" will install the wrong "Standard IDE/ESDI Hard Disk Controller" driver.

     Intel RSTe (Enterprise/Premium) AHCI/RAID driver 4.7.0.1098 for Windows XP/2003
     Intel RST AHCI/RAID drivers (any version, last compatible is 16.8.3) for Windows XP/2003
     These drivers require storport.sys from Windows 7; use the backported version.
       1) In file iaStorA.sys/iaStorAC.sys/iaStorAVC.sys replace string "ntoskrnl.exe" with "ntoskrn8.sys" in the import section (do not change the second string "NTOSKRNL.exe"); now these *.sys will import kernel functions only from Emu_Extender
       3) Recalc checksum

     Implemented Func List v60:
       _chkstk _i64toa_s _i64tow_s _itoa_s _itow_s _ltoa_s _ltow_s _makepath_s _snprintf_s _snscanf_s _snwprintf_s _snwscanf_s _splitpath_s _strnset_s _strset_s _strtoui64 _swprintf _ui64toa_s _ui64tow_s _ultoa_s _ultow_s _vsnprintf_s _vsnwprintf_s _vswprintf _wcsnset_s _wcsset_s _wmakepath_s _wsplitpath_s _wtoi _wtol
       DbgkLkmdRegisterCallback EmClientQueryRuleState
       EtwActivityIdControl EtwEventEnabled EtwProviderEnabled EtwRegister EtwRegisterClassicProvider EtwUnregister EtwWrite EtwWriteString EtwWriteTransfer
       ExAcquireRundownProtectionCacheAware ExAcquireRundownProtectionCacheAwareEx ExAllocateCacheAwareRundownProtection ExDeleteLookasideListEx ExEnterCriticalRegionAndAcquireFastMutexUnsafe ExEnterCriticalRegionAndAcquireResourceExclusive ExEnterCriticalRegionAndAcquireResourceShared ExEnterPriorityRegionAndAcquireResourceExclusive ExEnterPriorityRegionAndAcquireResourceShared ExFreeCacheAwareRundownProtection ExfReleasePushLockShared ExfTryToWakePushLock ExGetFirmwareEnvironmentVariable ExInitializeLookasideListEx ExInitializeRundownProtectionCacheAware ExReInitializeRundownProtectionCacheAware ExReleaseFastMutexUnsafeAndLeaveCriticalRegion ExReleaseResourceAndLeaveCriticalRegion ExReleaseResourceAndLeavePriorityRegion ExReleaseRundownProtectionCacheAware ExReleaseRundownProtectionCacheAwareEx ExRundownCompletedCacheAware ExSetFirmwareEnvironmentVariable ExSizeOfRundownProtectionCacheAware ExWaitForRundownProtectionReleaseCacheAware
       IoAllocateSfioStreamIdentifier IoConnectInterruptEx IoDisconnectInterruptEx IoFreeSfioStreamIdentifier IoGetActivityIdIrp IoGetAffinityInterrupt IoGetDevicePropertyData IoGetIoPriorityHint IoGetSfioStreamIdentifier IoInitializeWorkItem IoQueueWorkItemEx IoSetActivityIdIrp IoSetDevicePropertyData IoSizeofWorkItem IoUninitializeWorkItem IoUnregisterPlugPlayNotificationEx
       KdRefreshDebuggerNotPresent
       KeAcquireGuardedMutex KeAcquireGuardedMutexUnsafe KeAlertThread KeAreAllApcsDisabled KeEnterGuardedRegion KeExpandKernelStackAndCallout KeGetCurrentNodeNumber KeGetCurrentProcessorNumberEx KeGetProcessorIndexFromNumber KeGetProcessorNumberFromIndex KeInitializeGuardedMutex KeInvalidateAllCaches KeInvalidateRangeAllCaches KeLeaveGuardedRegion KeQueryActiveGroupCount KeQueryActiveProcessorCount KeQueryActiveProcessorCountEx KeQueryDpcWatchdogInformation KeQueryGroupAffinity KeQueryHighestNodeNumber KeQueryLogicalProcessorRelationship KeQueryMaximumGroupCount KeQueryMaximumProcessorCount KeQueryMaximumProcessorCountEx KeQueryNodeActiveAffinity KeReleaseGuardedMutex KeReleaseGuardedMutexUnsafe KeRevertToUserAffinityThreadEx KeRevertToUserGroupAffinityThread KeSetActualBasePriorityThread KeSetCoalescableTimer KeSetSystemAffinityThreadEx KeSetSystemGroupAffinityThread KeSetTargetProcessorDpcEx KeTestAlertThread KeTryToAcquireGuardedMutex
       LdrResFindResource LdrResFindResourceDirectory LpcReplyWaitReplyPort LpcRequestWaitReplyPortEx LpcSendWaitReceivePort
       memcpy_s memmove_s MmAllocateContiguousMemorySpecifyCacheNode MmAllocateContiguousNodeMemory
       ObDeleteCapturedInsertInfo ObfDereferenceObjectWithTag ObfReferenceObjectWithTag ObGetObjectType ObQueryNameInfo
       PcwAddInstance PcwCloseInstance PcwCreateInstance PcwRegister PcwUnregister
       PoDisableSleepStates PoEndDeviceBusy PoGetSystemWake PoReenableSleepStates PoRegisterPowerSettingCallback PoSetDeviceBusyEx PoSetSystemWake PoStartDeviceBusy PoUnregisterPowerSettingCallback PoUserShutdownInitiated
       PsAcquireProcessExitSynchronization PsEnterPriorityRegion PsGetCurrentProcessWin32Process PsGetCurrentThreadProcess PsGetCurrentThreadProcessId PsGetCurrentThreadTeb PsGetCurrentThreadWin32Thread PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion PsGetProcessSessionIdEx PsIsProtectedProcess PsIsSystemProcess PsLeavePriorityRegion PsReleaseProcessExitSynchronization PsSetCreateProcessNotifyRoutineEx
       RtlCheckPortableOperatingSystem RtlGetIntegerAtom RtlGetThreadLangIdByIndex RtlIsNtDdiVersionAvailable RtlQueryElevationFlags RtlQueryRegistryValuesEx RtlSetPortableOperatingSystem
       SeReportSecurityEventWithSubCategory SeSetAuditParameter SeSetAuthorizationCallbacks
       sprintf_s sscanf_s strcat_s strcpy_s strncat_s strncpy_s strnlen strtok_s swprintf_s swscanf_s vsprintf_s vswprintf_s wcscat_s wcscpy_s wcsncat_s wcsncpy_s wcsnlen wcstoul
       ZwAllocateLocallyUniqueId ZwAlpcConnectPort ZwAlpcSendWaitReceivePort ZwQueryLicenseValue ZwQueryVirtualMemory

     Download Sources: https://github.com/MovAX0xDEAD/NTOSKRNL_Emu
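The step that recurs in every recipe of the post above, "replace string ntoskrnl.exe with ntoskrn8.sys in the import section, then recalc checksum", as an added Python example; this is not the project's code. It shows why the replacement name has to be exactly as long as the original (the string sits at a fixed RVA and nothing is relocated), why only the first case-sensitive match is touched (matching the "do not change the second string NTOSKRNL.exe" remark), and how the PE header CheckSum is recomputed afterwards. The sample image is a constructed stub carrying only the header fields the checksum needs, not a loadable driver.

```python
import struct

def pe_checksum(data: bytes) -> int:
    """PE header CheckSum as the Windows loader computes it: 32-bit word sum
    with carry folding, the CheckSum field itself skipped, folded to 16 bits,
    plus the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    csum_off = e_lfanew + 0x58            # IMAGE_OPTIONAL_HEADER.CheckSum
    total = 0
    for off in range(0, len(data) - len(data) % 4, 4):
        if off == csum_off:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    tail = len(data) % 4                  # odd tail bytes, zero-padded
    if tail:
        total += int.from_bytes(data[-tail:].ljust(4, b"\0"), "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def stored_checksum(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 0x58)[0]

def set_pe_checksum(data: bytes) -> bytes:
    """Write a fresh CheckSum into the header after any byte edit."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    buf = bytearray(data)
    struct.pack_into("<I", buf, e_lfanew + 0x58, pe_checksum(data))
    return bytes(buf)

def rename_import(data: bytes, old: bytes, new: bytes) -> bytes:
    """Overwrite the first case-sensitive match of an imported module name.
    Equal length is mandatory: the name lives at a fixed RVA in the import
    directory and nothing else in the file is relocated."""
    if len(old) != len(new):
        raise ValueError("replacement must be exactly as long as the original")
    pos = data.find(old)
    if pos < 0:
        raise ValueError(f"{old!r} not found")
    return data[:pos] + new + data[pos + len(old):]

def build_sample_image() -> bytes:
    """Constructed stub: e_lfanew, the PE signature and one import-name
    string; every other byte is zero."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    buf[0xC0:0xCC] = b"ntoskrnl.exe"
    return bytes(buf)

def backport_sample() -> bytes:
    """The post's two-step edit applied to the stub: rename, then recalc."""
    patched = rename_import(build_sample_image(), b"ntoskrnl.exe", b"ntoskrn8.sys")
    return set_pe_checksum(patched)
```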
  3. Dedicated to fans of Windows XP/2003 running on modern (ACPI 2.0) PCs.
     The main purpose of the patcher is to help with eliminating/fixing ACPI 2.0 opcodes and 64-bit fields/regions/math without touching the BIOS. The patch modifies the ACPI tables every time the OS starts; it changes the current state of the ACPI tables in RAM (the BIOS loads the tables from flash chips to RAM). The patcher works only in CSM (compatibility) mode; it will never work in UEFI boot mode.

     Using:
       1) All custom files must be named in the old "8.3" DOS way!
       2) Create folder "ACPI_PAT" at the root of the boot drive where the target OS is installed; this folder is the place for storing all custom files (except the bootloader)
       3) Replace the original bootloader (NTLDR for Windows 2000/2003/XP, BOOTMGR for Vista/7/8/10, GRLDR for grub4dos) with the patcher; the original bootloader is saved as "xpldr" in the ACPI_PAT folder
       4) Place acpi_pat.img in the ACPI_PAT folder
       5) Place the main configuration file ACPI_PAT.CFG:
            [DSDT]
            reload.bin
            bnum_fix.dif
            iotr_fix.dif,201904
            test1.dif
            test2.hex
            [SSDT1]
            ; patch1
            ;SSDT_FI1.HEX
            [SSDT3]
            ; patch 3
            ;SSDT_FI3.HEX
            [SSDT*]
            # universal ssdt patch
            #SSDT_UNI.HEX
            [FACS]
            ;APIC_FIX.HEX
          [DSDT] [SSDT] - name of the ACPI table, only 4 chars!!!
          [SSDT3] - patch the 3rd SSDT table; the order of the SSDT tables is determined by their position in the RSDT/XSDT tables
          [SSDT*] - special name to modify all SSDT tables
          ; patch1 - comments start with ";" or "#"
          reload.bin - BIN: override the table from a binary file
          bnum_fix.dif - DIF is the text format for GNU Patch
          iotr_fix.dif,201904 - DIF format with a forced iasl compiler version
          test2.hex - HEX is a text format of "Find&Replace" hex strings
       6) The order of applying patches is top-down; better to place a .bin patch first, then .dif or .hex
       7) Example of the .hex format:
            ; comment
            706869637320/706869637420 ;without spaces
            70 68 69 63 73 20 / 70 68 69 63 74 20 ;with spaces, more readable
          70 68 69 63 73 20 - hex string to find
          70 68 69 63 74 20 - hex string to replace
          You can increase/decrease the count of replaced bytes; the size of the table will be changed dynamically
       8) The patcher is supplied with 3 versions of the iasl compiler/decompiler: IA201604.EXE, IA201612.EXE, IA201904.EXE. These versions are the equivalents of 20160422, 20161222, 20190405 at acpica.org. The default version for processing DSDT/SSDT tables made before 2016-12-31 is IA201612.EXE; for later dates it is IA201904.EXE. You can also use your own version (DOS version, compile it yourself from acpica sources): name it "iaXXXX.exe" and place it inside the EXE.7z archive on the floppy image.
       9) Examples of the .dif format:
          Fix BNUM decompiling bug:
            --- DSDT.dsl
            +++ DSDT.dsl
            @@ -1,1 +1,0 @@
            - External (BNUM, UnknownObj)
          Fix resource conflicts on Windows XP for Gigabyte H110-HD2 BIOSes:
            --- DSDT.dsl
            +++ DSDT.dsl
            @@ -1,36 +1,13 @@
            AMI1 = ITA1 /* \ITA1 */
            AMA1 = ITA1 /* \ITA1 */
            AMI2 = ITA2 /* \ITA2 */
            AMA2 = ITA2 /* \ITA2 */
            AMI3 = ITA3 /* \ITA3 */
            AMA3 = ITA3 /* \ITA3 */
            - If ((ITS0 == One))
            - {
            - ConcatenateResTemplate (Local0, BUF0, Local1)
            - Local0 = Local1
            - }
            -
            - If ((ITS1 == One))
            - {
            - ConcatenateResTemplate (Local0, BUF1, Local1)
            - Local0 = Local1
            - }
            -
            - If ((ITS2 == One))
            - {
            - ConcatenateResTemplate (Local0, BUF2, Local1)
            - Local0 = Local1
            - }
            -
            - If ((ITS3 == One))
            - {
            - ConcatenateResTemplate (Local0, BUF3, Local1)
            - Local0 = Local1
            - }
            Return (Local0)
            }
            }
            }
            Scope (_SB.PCI0.LPCB)
          Patches are generated by invoking diff (you can change/remove the "-u6" option):
            diff -u6 --strip-trailing-cr OLD.DSL NEW.DSL > my_patch.dif
          Keep in mind that different versions of the compiler generate different versions of the ASL text, so the context of a .dif file is in most cases bound to a specific version of the compiler.
       10) If using .dif patches, the additional file external.txt is needed; this is the text format used by the iasl.exe decompiler "-fe" option, like this:
            External (AL6F, MethodObj, 0)
            External (HLVT, MethodObj, 0)
            External (P0L6, MethodObj, 0)
            External (P1L6, MethodObj, 0)
            External (P2L6, MethodObj, 0)
            External (PS0X, MethodObj, 0)
            External (PS2X, MethodObj, 0)
            External (PS3X, MethodObj, 0)
            External (_SB_.PCI0.GFX0.IUEH, MethodObj, 1)
            External (_SB_.PCI0.GFX0.GSCI, MethodObj, 0)
            External (_SB_.PCI0.PAUD.PUAM, MethodObj, 0)
            External (_SB_.PCI0.PEG0.HPME, MethodObj, 0)
            External (_SB_.PCI0.PEG1.HPME, MethodObj, 0)
            External (_SB_.PCI0.PEG2.HPME, MethodObj, 0)
            External (_SB_.PCI0.XHC_.DUAM, MethodObj, 0)
            External (_SB_.PCI0.XHC_.RHUB.INIR, MethodObj, 0)
            External (_SB_.PCI0.SAT0.SDSM, MethodObj, 4)
            External (MDBG, MethodObj, 1)
            External (_SB_.TPM_.PTS_, MethodObj, 1)
       11) If using .dif patches, the additional file ignores.txt may be needed; this is a text format for filtering iasl.exe decompiler errors, example of the file:
            [BNUM] Namespace lookup failure, AE_ALREADY_EXISTS
          Many Kaby Lake/Coffee Lake BIOSes are created with uncorrected ASL code around the BNUM field; when you decompile it, you will get the "ACPI Error: [BNUM] Namespace lookup failure, AE_ALREADY_EXISTS (20161222/dswload-390)" error. With ignores.txt it is possible to filter/ignore these errors.
       12) When using .bin files, take care about overriding DSDT/SSDT tables: a "template" from the BIOS image is a bad choice for such files. The BIOS patches some parts inside the table before deploying it to the OS (the BIOS usually sets absolute addresses). In this case run the OS and save the tables from the running state.

     Regards & Copyrights:
       FreeDOS by FreeDOS Project
       SHSURDRV by Jason Hood
       7zdec by Igor Pavlov/7-zip.org
       Move by Joe Cosentino/Imre Leber
       XCOPY by Rene Ableidinger/Eric Auer
       GRUB4DOS by GRUB4DOS Developers
       FAT module for grub4dos by chenall.net
       Volkov Commander by Vsevolod V. Volkov
       NTFS for DOS by Avira GmbH
       iASL by Intel/Acpica
       DJGPP by DJ Delorie
       CWSDPMI by CW Sandmann
       inih by benhoyt

     Internals & Hacks:
       - acpi_pat.img is a bootable 2.88MB FAT12 floppy image with FreeDOS & utils
       - When pressing any SHIFT key when starting, the patcher will go to debug mode: it will stop loading the OS and run a shell
       - The patcher replaces the original bootloader with grub4dos; when all the job is done, the patcher runs grub4dos.exe for loading the original loader
       - The patcher reserves 2Mb of RAM for storing ACPI tables (Windows will report -2Mb available memory)
       - Before decompiling any table, all SSDT and DSDT tables are stored on disk and used as external files: "iasl -e ssdt1 ssdt 2 ... "

     History:
       v1 - Initial (Beta)

     Download Binaries: https://github.com/MovAX0xDEAD/ACPI-Patcher/releases
     Download Sources: https://github.com/MovAX0xDEAD/ACPI-Patcher
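Review bot: in the Gigabyte H110-HD2 example, the hunk header "@@ -1,36 +1,13 @@" does not match the lines shown under it: 6 leading context lines, 23 removed lines and 5 trailing context lines give 34 old / 11 new, so GNU patch would reject the example as printed. Two context lines (most likely blank lines dropped when the text was pasted) need restoring, or the file should be regenerated with the "diff -u6 --strip-trailing-cr OLD.DSL NEW.DSL" command given right after it.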
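The .hex "Find&Replace" format from step 7 and the "size of table will be changed dynamically" remark, as an added Python example; this is not the patcher's own code. Assumptions not stated in the post: every rule is applied to every occurrence, and after a size change the DESCRIPTION_HEADER Length (offset 4) and Checksum (offset 9, whole table sums to 0 mod 256) are refreshed, which is what keeps a resized table consumable by the OS. The sample DSDT and patch text are constructed.

```python
import struct

ACPI_HEADER_LEN = 36   # DESCRIPTION_HEADER: Signature, Length, Revision, Checksum, OEM ids ...

def parse_hex_patch(text: str) -> list:
    """Parse the .hex format: one 'find/replace' rule per line, hex digits
    with optional spaces, comments introduced by ';' or '#'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        find, sep, repl = line.partition("/")
        if not sep or not find.strip():
            raise ValueError(f"bad rule: {raw!r}")
        rules.append((bytes.fromhex(find), bytes.fromhex(repl)))  # fromhex skips spaces
    return rules

def fix_acpi_header(table: bytes) -> bytes:
    """Refresh Length and Checksum so the table is self-consistent again;
    needed whenever a rule grows or shrinks the table."""
    if len(table) < ACPI_HEADER_LEN:
        raise ValueError("table shorter than an ACPI header")
    buf = bytearray(table)
    struct.pack_into("<I", buf, 4, len(buf))   # Length covers header + body
    buf[9] = 0
    buf[9] = (-sum(buf)) & 0xFF                # all bytes must sum to 0 mod 256
    return bytes(buf)

def apply_hex_patch(table: bytes, text: str) -> bytes:
    """Apply every rule to every occurrence (assumed policy); a pattern that
    is absent fails loudly instead of silently doing nothing."""
    body = bytearray(table)
    for find, repl in parse_hex_patch(text):
        if find not in body:
            raise ValueError(f"pattern {find.hex()} not found")
        body = body.replace(find, repl)
    return fix_acpi_header(bytes(body))

def build_sample_dsdt(body: bytes) -> bytes:
    """Constructed DSDT: a valid header in front of an opaque body (not real AML)."""
    hdr = bytearray(ACPI_HEADER_LEN)
    hdr[0:4] = b"DSDT"
    hdr[8] = 2                      # Revision
    hdr[10:16] = b"TEST  "          # OEMID
    hdr[16:24] = b"CONSTRUC"        # OEM Table ID
    return fix_acpi_header(bytes(hdr) + body)

# Constructed patch file: the first rule is the post's own ("phics " -> "phict "),
# the second shrinks the table by one byte so the header fix-up is exercised.
SAMPLE_PATCH = """\
; constructed .hex patch
706869637320/706869637420 ;without spaces
58 58 / 59                ;with spaces: two bytes become one
"""

def patch_sample() -> bytes:
    return apply_hex_patch(build_sample_dsdt(b"phics phics XX"), SAMPLE_PATCH)
```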