Zorba the Geek
Everything posted by Zorba the Geek

  1. I am planning to embark on a kernel extension for Windows XP with a topic started here. Perhaps win32 or someone else interested in this Vista Kernel Extension could advise me about where to obtain NT6.x functions that can be integrated into the Microsoft NT5.1 libraries. I am wary of extracting these functions from Win7 libraries due to possible incompatibility with the XP kernel, but I am not qualified to judge what problems might arise if you do this. An alternative source sometimes recommended for extracting NT6.1 functions for kernel extensions is Wine. A Wine download for Slackware can be downloaded from here. Is there a reason why Wine would be a preferable source for extracted functions compared to Microsoft libraries? Why does no-one recommend extracting NT6.1 functions from Reactos? Should I rely on BlackWingCat's W2K Extended Kernel 3.0e as a source for extracted NT6.1 functions assuming that he is expert enough to select this code from appropriate sources?
  2. Ghidra requires 64 bit JAVA 17, and Relyze is overkill for this simple task and probably does not work under XP. I have discovered the disassembler Dibya used for his KernelEx for XP project. The output from the disassembler incorporated into PE Explorer is exactly like the code in Dibya's ExKernel.asm. This is a superb program that enables you to search for the entry point of functions without having to rely on Microsoft symbols which only work on Microsoft products. However, the help file states so I am not sure that this is the way to go. A MSFN forum member using the name win32 has started a thread titled [WIP] Windows Vista Extended Kernel in which he proposes to develop a kernel extension using the same approach as BlackWingCat which is copy functions as hex and paste them into a hex dump of the section designated for containing these Nt6.1 functions. Judging by this thread this approach is fraught with problems.
  3. Dibya please reply to this question. I have been investigating how I could update your Kernelex for Windows XP, and I am uncertain about which disassembler to use which gives an output compatible with NASM. I have been able to extract the assembly code for particular functions in BlackWingCat's build of kernel32.dll using the GNU disassembler gdb, and IDA Pro 6.8, but there are differences in the syntax compared to your source code in kernelex.asm which may or may not be significant. Here are some examples:
     Dibya: mov eax,[ebp+0Ch]
     gdb:   mov eax,DWORD PTR [ebp+0xc]
     IDA:   mov eax, [ebp+arg_4]
     Dibya: mov word [ebp-08h],0008h
     gdb:   mov WORD PTR [ebp-0x8],0x8
     IDA:   mov [ebp+var_8], 8
     Is it possible that NASM would recognize DWORD PTR and trailing h after numerals even though they are not present in the output of NDISASM? What about the number formats like 0008 compared to 0x8? I have tried x64dbg and Ollydbg, but I could not get them to work in this application.
  4. I thought that I ought to push things along with this project with this post. The objective is to update Dibya's last patched binaries so that they are based on the last POSReady 2009 updates of these modules. It ought to be possible to patch other system files using the same techniques. The approach that Dibya has used is to patch the export table of these binaries so that API calls to NT6 functions are forwarded to an external dynamic link library that acts as a container for all the additional NT6 functions for the patched kernel32.dll, advapi32.dll, ole32.dll, shell32.dll and user32.dll. This external dynamic link library is called ExKernel.dll. I have provided a screen shot of the patched advapi32.dll opened in PE Maker here: Exkernel.dll is built by disassembling Microsoft and Wine binaries to extract the subroutines for the additional NT6 functions to make the asm file ExKernel.asm, which is then assembled with nasm.exe to produce the object file ExKernel.obj. ExKernel.obj is passed to golink.exe to link Exkernel to advapi32.dll, shell32.dll, kernel32.dll, and ntdll.dll.
     The ExKernel.asm file contains a table for imports as in the sample below:
         ; IMPORT TABLE
         EXTERN RtlEnterCriticalSection
         EXTERN RtlLeaveCriticalSection
         EXTERN WaitForSingleObject
         ;EXTERN _alloca_probe
         EXTERN RtlInitializeCriticalSection
         EXTERN SetEvent
         EXTERN RtlSetLastWin32Error
         EXTERN RtlTryEnterCriticalSection
         EXTERN GetLastError
         EXTERN GetProcessHeap
         EXTERN RtlAllocateHeap
         EXTERN ExitThread
         EXTERN CreateEventA
         EXTERN LoadLibraryA
     The table for exports is shown in the sample below:
         ; EXPORT TABLE
         GLOBAL AcquireSRWLockExclusive
         EXPORT AcquireSRWLockExclusive
         GLOBAL AcquireSRWLockShared
         EXPORT AcquireSRWLockShared
         GLOBAL InitializeSRWLock
         EXPORT InitializeSRWLock
         GLOBAL ReleaseSRWLockExclusive
         EXPORT ReleaseSRWLockExclusive
         GLOBAL ReleaseSRWLockShared
         EXPORT ReleaseSRWLockShared
         GLOBAL TryAcquireSRWLockExclusive
         EXPORT TryAcquireSRWLockExclusive
         GLOBAL TryAcquireSRWLockShared
         EXPORT TryAcquireSRWLockShared
         GLOBAL InterlockedCompareExchange64
         EXPORT InterlockedCompareExchange64
     Here is a sample of a subroutine in assembly included in ExKernel.asm:
         FindNextStreamW: ;blackwingcat KB935839 2017.04
         push ebp
         mov ebp,esp
         mov ecx,[ebp+08h]
         mov edx,[ecx+04h]
         add edx,[ecx+0Ch]
         mov eax,[ecx+08h]
         cmp eax,edx
         jnz L77EA5881
         push 3221225489 ;C0000011h
         call SUB_L77E5826D
         xor eax,eax
         jmp L77EA58D4
         L77EA5881:
         mov ecx,[eax+08h]
         mov edx,[ebp+0Ch]
         mov [edx],ecx
         mov ecx,[eax+0Ch]
         mov [edx+04h],ecx
         mov ecx,[eax+04h]
         push ebx
         push esi
         mov ebx,ecx
         push edi
         shr ecx,02h
         lea esi,[eax+18h]
         lea edi,[edx+08h]
         rep movsd
         mov ecx,ebx
         and ecx,00000003h
         rep movsb
         mov ecx,[eax+04h]
         shr ecx,1
         and word [edx+ecx*2+08h],0000h
         mov eax,[eax]
         test eax,eax
         pop edi
         pop esi
         pop ebx
         jbe L77EA58C5
         mov ecx,[ebp+08h]
         add [ecx+08h],eax
         jmp L77EA58D1
         L77EA58C5:
         mov eax,[ebp+08h]
         mov ecx,[eax+04h]
         add ecx,[eax+0Ch]
         mov [eax+08h],ecx
         L77EA58D1:
         xor eax,eax
         inc eax
         L77EA58D4:
         pop ebp
         retn 0008h
     Here are some issues that I am unclear about and I would like Dibya or someone to clarify:
     Can someone supply instructions on how to use PE Maker to add additional entries to the export table?
     How do you know if there is sufficient space in the binary to be patched to accommodate these new entries in the export table without over-writing some of the existing code?
     Is there some way of creating extra space in the binary to accommodate these new entries?
     What tool is recommended to extract functions as assembly from Microsoft and Wine binaries?
     What criteria would you use to choose either Microsoft, Wine or BWC binaries as a source for these extracted functions?
     If you decide not to use an external dynamic link library as a container for the additional NT6 functions, how would you insert them into the binary to be patched? Would you disassemble the binary to be patched and paste the disassembled NT6 functions into its asm file then assemble it, or could you extract the NT6 functions as hex and paste them into a hex dump of the binary to be patched?
     ExKernel.asm
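The export-table patching described in the post above works by turning an export of kernel32.dll or advapi32.dll into a forwarder: instead of an RVA of code, the AddressOfFunctions entry points at a string such as "ExKernel.AcquireSRWLockExclusive" stored inside the export directory itself, and the loader resolves the call in the named module. The following is an added example, not code from the thread, from Dibya's tools or from PE Maker: a pure-Python walker over a PE32 export directory that lists every export and reports which ones are forwarders and where they point. Read against a system DLL, it shows at a glance whether the file's exports have been redirected to an outside module, which is the check an integrity reviewer wants after applying (or finding) such a patch. The sample image, its DLL name, the two export names and the ExKernel forwarder string are all constructed here so the script runs offline; section layout constants are assumptions of the sample, not of the parser.

```python
import struct

# Constructed sample layout (assumption, not a real kernel32.dll): one ".edata" section
# mapped at RVA 0x1000 whose raw data starts at file offset 0x400.
SECTION_RVA = 0x1000
SECTION_RAW = 0x400
EXPORT_DIR_FMT = '<IIHHIIIIIII'   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def _build_export_section(dll_name, exports):
    """Serialise an export directory. exports: [(name, code_rva_int_or_forwarder_str)]."""
    exports = sorted(exports, key=lambda e: e[0])   # the name table must be sorted
    n = len(exports)
    strings_base = 40 + 4 * n + 4 * n + 2 * n       # directory + three tables
    blob = bytearray()

    def add_string(s):
        rva = SECTION_RVA + strings_base + len(blob)
        blob.extend(s.encode('ascii') + b'\0')
        return rva

    name_rva = add_string(dll_name)
    name_rvas = [add_string(name) for name, _ in exports]
    # A forwarder is a string stored *inside* the export directory; a real export is
    # an RVA of code elsewhere in the image. That is how the two are told apart below.
    func_rvas = [add_string(t) if isinstance(t, str) else t for _, t in exports]
    body = bytearray(struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, name_rva, 1, n, n,
                                 SECTION_RVA + 40, SECTION_RVA + 40 + 4 * n,
                                 SECTION_RVA + 40 + 8 * n))
    body += struct.pack('<%dI' % n, *func_rvas)
    body += struct.pack('<%dI' % n, *name_rvas)
    body += struct.pack('<%dH' % n, *range(n))
    body += blob
    return bytes(body), len(body)


def build_sample_dll(dll_name, exports):
    """Minimal PE32 DLL image (headers + one section) carrying the export directory."""
    section, export_size = _build_export_section(dll_name, exports)
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                      # e_lfanew
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into('<II', opt, 96, SECTION_RVA, export_size)   # DataDirectory[EXPORT]
    sec = struct.pack('<8sIIIIIIHHI', b'.edata', len(section), SECTION_RVA,
                      len(section), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos + coff + opt + sec)
    return hdr + b'\0' * (SECTION_RAW - len(hdr)) + section


def _rva_to_offset(rva, secs):
    for va, size, raw in secs:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError('RVA 0x%x is not backed by any section' % rva)


def _cstr(data, off):
    return data[off:data.index(b'\0', off)].decode('ascii')


def list_exports(data):
    """Return [(name or None, ordinal, rva, forwarder or None)] for a PE32 image."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 (32-bit) images are handled here')
    export_rva, export_size = struct.unpack_from('<II', data, opt + 96)
    secs = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from('<IIII', data, opt + opt_size + 40 * i + 8)
        secs.append((va, max(vsize, rawsize), raw))
    if export_rva == 0:
        return []
    d = struct.unpack_from(EXPORT_DIR_FMT, data, _rva_to_offset(export_rva, secs))
    base, nfunc, nnames, funcs_rva, names_rva, ords_rva = d[5:]
    funcs = struct.unpack_from('<%dI' % nfunc, data, _rva_to_offset(funcs_rva, secs))
    names = struct.unpack_from('<%dI' % nnames, data, _rva_to_offset(names_rva, secs))
    ords = struct.unpack_from('<%dH' % nnames, data, _rva_to_offset(ords_rva, secs))
    name_of = {idx: _cstr(data, _rva_to_offset(nrva, secs)) for nrva, idx in zip(names, ords)}
    result = []
    for idx, target in enumerate(funcs):      # walk all slots, so ordinal-only exports show too
        if target == 0:
            continue                          # unused ordinal slot
        forwarder = None
        if export_rva <= target < export_rva + export_size:   # points back into .edata
            forwarder = _cstr(data, _rva_to_offset(target, secs))
        result.append((name_of.get(idx), base + idx, target, forwarder))
    return result


def forwarded_exports(data):
    """Map export name (or '#ordinal') -> 'Module.Function' for every forwarder."""
    return {name or '#%d' % ordinal: fwd
            for name, ordinal, _, fwd in list_exports(data) if fwd}


# Constructed sample: a "kernel32.dll" whose AcquireSRWLockExclusive has been
# redirected to ExKernel.dll, next to one ordinary export.
SAMPLE_DLL = build_sample_dll('kernel32.dll', [
    ('CreateFileA', 0x2000),
    ('AcquireSRWLockExclusive', 'ExKernel.AcquireSRWLockExclusive'),
])

if __name__ == '__main__':
    for name, ordinal, rva, fwd in list_exports(SAMPLE_DLL):
        print('%-28s ord %d  %s' % (name, ordinal, 'forwarded to ' + fwd if fwd else 'rva 0x%x' % rva))
```

To inspect a real file, pass `open(path, 'rb').read()` to `forwarded_exports`; an unpatched Microsoft kernel32.dll forwards only to NTDLL, so any other target module is the patch (or a tamper) showing itself. The walker deliberately covers the AddressOfFunctions array rather than only the name table, because a forwarder added by ordinal alone would otherwise be missed. The pefile module listed later in this thread exposes the same information through the `forwarder` attribute of each entry in `DIRECTORY_ENTRY_EXPORT.symbols`.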
  5. My previous post must have seemed naive to an expert like VistaLover, but I had anticipated that the CDM client would calculate a checksum of its main dll to detect tampering, and if the checksum did not match the correct one in the client's code a signal would be sent to the widevine server to halt the download of the encrypted keys. Castlabs are now offering a free service for Widevine/VMP signing of application packages derived from official releases of Electron. They also offer a commercial VMP certification of custom Chromium/Electron adaptations which sounds like it is not free. Perhaps VistaLover could study this page Electron for Content Security VMP signing service and make some recommendations to the Supermium developer.
  6. Supermium Version 121.0.6167.81 is compatible with XP and 2003 and it includes the Widevine CDM. To activate it you have to go to chrome://components and click "Check for update" which will download version 4.10.2710.0. widevinecdm.dll requires imports from kernel32.dll missing in Windows XP, so I have changed the entry for kernel32.dll in the widevinecdm.dll import table to the OneCore API xpspkernel32.dll after having renamed it to kernelxp.dll and placed it in the %UserProfile%\Local Settings\Temp\Supermium\User Data\WidevineCdm\4.10.2710.0\_platform_specific\win_x86 folder. I am almost there because when I go to this DRM stream test site I receive the notification "EME is supported by your current browser." with a tick next to Widevine. However the player will not load and it displays the error message "General source error".
  7. The releases page for Tor.exe at https://github.com/artenax/tor-xp/releases redirects to https://github.com/artenax/tor/releases which only includes releases for Vista and Windows 7.
  8. Thanks for pointing out the errors. Line 56 was thus:
     Reg.exe add "HKLM\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command" /ve /t REG_SZ /d "\"%ProgramFilest%\Python38\pythonw.exe\" -m idlelib \"%%L\" %%*" /f
     When it should have been:
     Reg.exe add "HKLM\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command" /ve /t REG_SZ /d "\"%SystemDrive%\Python38\pythonw.exe\" -m idlelib \"%%L\" %%*" /f
     I shall re-upload Python 3.8.1350.7z with these corrections. I made the batch file by monitoring the changes made to the system by installing an official Python 3.8 distribution and saving the changes to the registry as a reg file which was then converted into a batch file using RegConvert. In the registry paths were not written as variables, so I had to convert them to variables in the batch file.
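The post above describes a conversion that was done by hand in two steps: a .reg export was turned into Reg.exe commands, and literal install paths were then rewritten as environment variables, which is where the `%ProgramFilest%` slip crept in. The following is an added example, not RegConvert and not the batch file from the post: a small Python converter that reads a .reg export, emits `Reg.exe add` lines suitable for a batch file, rewrites literal paths to variables, and then checks each emitted line for `%Name%` references that no environment variable will expand, so a misspelled variable is reported before the pack is uploaded. The sample .reg text, the list of known variables and the substitution table are constructed assumptions; only REG_SZ and REG_DWORD values are handled.

```python
import re

# Assumed hive abbreviations and the environment variables a batch installer may rely on.
HIVES = {'HKEY_LOCAL_MACHINE': 'HKLM', 'HKEY_CURRENT_USER': 'HKCU',
         'HKEY_CLASSES_ROOT': 'HKCR', 'HKEY_USERS': 'HKU'}
KNOWN_VARS = {'SystemDrive', 'SystemRoot', 'ProgramFiles', 'windir', 'UserProfile'}
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_()]*)%')
# Literal install paths to rewrite, longest first so "C:\Program Files" wins over "C:".
SUBSTITUTIONS = [('C:\\Program Files', '%ProgramFiles%'), ('C:', '%SystemDrive%')]


def _unescape_reg(s):
    """.reg strings escape backslash and quote as \\\\ and \\"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def _batch_escape(s):
    """Quote a value for `Reg.exe add ... /d "..."` inside a .bat file."""
    out, pos = [], 0
    for m in VAR_RE.finditer(s):            # keep %VAR% so cmd expands it ...
        out.append(s[pos:m.start()].replace('%', '%%'))
        out.append(m.group(0))
        pos = m.end()
    out.append(s[pos:].replace('%', '%%'))  # ... but double every other percent (%L -> %%L)
    s = ''.join(out)
    # reg.exe splits its arguments with CommandLineToArgvW rules: an embedded quote is
    # written \" and backslashes directly before a quote (incl. our closing one) are doubled,
    # otherwise a value ending in "\" would swallow the closing quote.
    s = re.sub(r'(\\*)"', lambda m: m.group(1) * 2 + r'\"', s)
    return re.sub(r'(\\+)$', lambda m: m.group(1) * 2, s)


def convert_reg(reg_text, substitutions=SUBSTITUTIONS):
    """Turn a .reg export into Reg.exe commands with install paths made relocatable."""
    cmds, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            hive, _, rest = line[1:-1].partition('\\')
            key = HIVES.get(hive, hive) + '\\' + rest
            continue
        if key is None:
            raise ValueError('value before any [key] line: ' + raw)
        name, _, value = line.partition('=')
        target = '/ve' if name == '@' else '/v "%s"' % name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            data = _unescape_reg(value[1:-1])
            for literal, var in substitutions:
                data = data.replace(literal, var)
            cmds.append('Reg.exe add "%s" %s /t REG_SZ /d "%s" /f'
                        % (key, target, _batch_escape(data)))
        elif value.startswith('dword:'):
            cmds.append('Reg.exe add "%s" %s /t REG_DWORD /d %d /f'
                        % (key, target, int(value[6:], 16)))
        else:
            raise ValueError('unsupported value type (only REG_SZ/REG_DWORD handled): ' + raw)
    return cmds


def unknown_variables(cmd, known=KNOWN_VARS):
    """Names written as %Name% that no environment variable will expand (e.g. a typo)."""
    return sorted({m.group(1) for m in VAR_RE.finditer(cmd) if m.group(1) not in known})


# Constructed sample .reg export mirroring the IDLE "edit" verb from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command]
@="\"C:\\Python38\\pythonw.exe\" -m idlelib \"%L\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.8-32\InstallPath]
@="C:\\Python38\\"
"Flags"=dword:00000001
'''

if __name__ == '__main__':
    for cmd in convert_reg(SAMPLE_REG):
        bad = unknown_variables(cmd)
        print(cmd + ('   <-- undefined variable(s): %s' % ', '.join(bad) if bad else ''))
```

The first command the sample produces is exactly the corrected line 56 quoted in the post. Two details are easy to get wrong when doing this by hand and are worth checking in any generated batch file: the shell-argument placeholders `%L` and `%*` must be doubled so cmd passes them through, while `%SystemDrive%` must stay single so cmd expands it; and a REG_SZ value ending in a backslash (the InstallPath key) needs that backslash doubled in front of the closing quote, or reg.exe will treat `\"` as a literal quote and fail to parse the rest of the line.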
  9. The only way to resolve this issue is to identify updates that are unique in my list and the list provided by the Legacy Update site and then consult the Microsoft Update Catalog to see if these updates were superseded. If not they could be added to a revised update list. The problem with this approach is that the Microsoft Update Catalog has removed many SP3 updates.
  10. As far as I know Microsoft has not published a comprehensive list of updates for their EOL operating systems. I obtained the list provided in "What is included in XPSP3_QFE_UpdatePack_20210829.rtf" using the Windows Update Powershell modules to query Windows Update for outstanding updates. I used version 1.5.2.2 with Powershell 2.0. I also experimented with Windows Update MiniTool version 20.12.2016. Of course, neither is any good now that the XP update servers have been decommissioned, but it may be possible to modify them to work with the Legacy Windows Update website. You could always use the SHA1 version of WSUSSCNT2, but it will not work with POSReady 2009. I have uploaded an XP compatible WSUSSCNT2 here:
      File: wsusscn2_sha1.cab (OneDrive)
      SHA-1: 5FCDBED0E904F233CCC6DE6FE3ABAC713DAC706F
      SHA-256: C4E9A67A8EA2A8C8AD8341D16B069B653EF6647DB85CC9520633F15508F5F379
      Release date: 13/07/2020
      Size: 882 MB
      I have also uploaded PSWindowsUpdate for Powershell 2.0:
      File: PSWindowsUpdate 1.5.2.2.7.7z (OneDrive)
      SHA-1: 7EEA217DE0818F1A888A7D1DEB078C4DDD313FDC
      SHA-256: CB52F08BB78C8AC96F5C1CA0D4BE450438BBF3AF5FC20BF28A0CD9B10DF9D6C9
      Release date: 05/08/2016
      Size: 29.2 KB
  11. I have made a new binary build of LOKI the indicator of compromise scanner, and have downgraded yara-python from version 4.3 to version 4.2.3 to eliminate the error message: "TypeError: 'yara.StringMatch' object is not subscriptable" The explanation in the release notes for version 4.3 is as follows:
      File: Loki-0.46.2-xp.zip (OneDrive)
      File: Loki-0.46.2-xp.zip (4Shared)
      MD5: 8D646734522303FCCD1058DFA126C11D
      SHA-1: E8F32E0F03AA55E5F3A419AFDBD47ED42E12F8EA
      Size: 24.5 MB
      Build date: 11/02/2024
      Once unzipped the package does not need to be installed, except that an XP compatible build of bcrypt.dll must be in your path, and the IPv6 protocol must be installed from your Local Area Connection. The relevant Python modules to build LOKI under Windows XP are:
      colorama 0.4.6
      future 0.18.3
      netaddr 0.8.0
      psutil 5.6.1
      pyinstaller 4.10
      rfc5424-logging-handler 1.4.3
      python 3.8.13
      pywin32 300
      WMI 1.5
      yara-python 4.2.3
  12. I reorganized the contents of cmalex's distribution of Python 3.8.13 and made a simple batch file to install it along with shortcuts, file associations and environment variables. You can download it here:
      File: Python 3.8.1350.7z (OneDrive)
      SHA-1: 0D8C5A3009AD45D6199FC78A0219702B2BB35E58
      SHA-256: 21AB796973A635378824B09F5CF8C78D0319C79E05885E488AA23E35D380D8EC
      Build Date: 14/07/2022
      Size: 42.8 MB
      I intend to make a proper installer one day, but at least in this form you can see what is included and make modifications to suit your needs. Enclosed are batch files to temporarily set environment variables if you want to run more than one version of Python on a drive.
      CP28_Env.bat
      CP34_Env.bat
      CP35_Env.bat
  13. Yes, I am using Pyinstaller 4.10 under Windows XP with Visual Studio 2010 to package XP compatible binaries of LOKI the IOC scanner. Needless to say I have installed cmalex's XP compatible build of Python 3.8.13.
  14. Here is a revised build of my POSReady 2009 Update Pack with corrections suggested by MilkChan.
      XPSP3_QFE_UpdatePack for Windows XP Post-SP3 Combined (Spanish)
      File: XPSP3_QFE_POSReady_Addon_20240101_ESN.7z (OneDrive)
      File: XPSP3_QFE_POSReady_Addon_20240101_ESN.7z (4Shared)
      MD5: 5D9F25C41DB91C97583BDAF65E9F8335
      SHA-1: E5F8E43B7BAEF3D75C1309C45EA57C4AA362D60A
      Build date: 01/01/2024
      Size: 34.7 MB
      Note: 4Shared is blocked in the UK, so UK residents need to use a VPN server in the United States or the Netherlands.
  15. I see your point about the text strings in the INF file not being translated. For instance the line
      "Export data from the current database into a Lotus 1-2-3 version 2 file. This process will overwrite data if exported to an existing file."
      should be
      "Exportar datos de la base de datos activa a un archivo de Lotus 1-2-3 versión 2. Si el archivo de destino ya existe, este proceso sobrescribirá los datos."
      Also the line
      HKLM,"SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase","win32",0x0,"D:\WINDOWS\system32\msxbde40.dll"
      should be
      HKLM,"SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase","win32",0x0,"%11%\msxbde40.dll"
      The text string error occurred because I reused the 5erPOSUp.inf file from my original English build of the POSReady update pack, rather than rebuild it anew by installing each Microsoft Spanish update and logging the changes. Because I use the entries from logs of the changes made by the update installers, the path error was included in my 5erPOSUp.inf file. Thanks for pointing this out. I shall make the required revisions to 5erPOSUp.inf and reupload my Spanish POSReady update pack. Edit: I have also attempted to translate the [Strings] section into Spanish as best I can using Google Translate.
  16. I downloaded pywin32-300-cp38-cp38-win32.whl from pypi.org and extracted win32ui.pyd, but Dependency Walker did not reveal missing imports. You can try using this installer that I have archived for my own use using this link pywin32-300.win32-py3.8.exe
  17. Here are some links to tools that may be useful for developing Extended XP:
      IDA Disassembler 6.6 Demo. This requires patching of idaq.exe to remove the message "Sorry, the evaluation version has expired". Forum rule 1a prevents me from providing instructions on how to do this, so you need to send me a PM.
      PEMaker by Blackwingcat. When run under XP text is garbled due to incompatible imagehlp.dll.
      Export Table Tester. Read forum topic here.
      gdb.exe from MinGW-W64 GCC-8.1.0 to disassemble specific functions.
      Ollydbg 1.10 with OllySymbolServer at OllyDbg1plugins.
      pefile Python module to analyse and overwrite parts of the PE file header.
      pepatch Python module for patching PE format binaries.
      I cannot find a download link for Rudy's modexp. Can someone upload it so that we can share it?
  18. Here are the Spanish versions of the XPSP3 QFE Update Pack and the POSReady 2009 Addon that I promised.
      XPSP3_QFE_UpdatePack for Windows XP Post-SP3 Combined (Spanish)
      File: XPSP3_QFE_UpdatePack_20231213_ES.7z (OneDrive)
      File: XPSP3_QFE_UpdatePack_20231213_ES.7z (4Shared)
      MD5: 16d754c9e434ae181007b561592d6950
      SHA-1: 7a6d66f62f4e2093238fb47df45464f07e20ca12
      Release date: 13/12/2023
      Size: 67.2 MB
      XPSP3 QFE POSReady Updates Addon Combined (Spanish)
      File: XPSP3_QFE_POSReady_Addon_20231213_ESN.7z (OneDrive)
      File: XPSP3_QFE_POSReady_Addon_20231213_ESN.7z (4Shared)
      MD5: fec168f42b828f0e6b9e76995127fca8
      SHA-1: 5a69aec94ad94ad338e8eaf63e390efd4ef5736a
      Build date: 13/12/2023
      Size: 34.7 MB
      The update pack will cause setuperr.log to show dpcdll.dll, wowfax.dll and wowfaxui.dll to be unsigned. I have been unable to remedy this, but a SFC scan does not show any errors. The addon works flawlessly when integrated into a professional edition source, but when integrated into a home edition source setuperr.log shows several OLE controls are unregistered. When you log into Windows there is a message about srclient.dll not found and the following error message is displayed:
      API error NTCREATEFILE. This error should never be returned by an application; it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
      I am baffled by the errors when the addon is integrated into a home edition source and would appreciate some insight into how to remedy this.
      Spanish POSReady 2009 Updates Archived
      File: Spanish POSReady 2009 Updates.7z (OneDrive)
      MD5: dba804337e0510bf3df2e30879be0b83
      SHA-1: 1820e9e4b8eb2b37e08fa7f13502179524e4aa76
      Build date: 16/12/2023
      Size: 39.1 MB
  19. Thanks for providing a link to this fantastic archive of all the NT5.1x final updates released in every language. Had I had this resource my build of the Spanish XPSP3 QFE Update Pack would have been problem free, but instead I found that many SP3 updates were no longer available at the Microsoft Update Catalog, so I had to import Spanish modules from the One Piece Spanish AIO update pack. The result is not entirely satisfactory, but it should be OK in practice.
  20. Dibya cannot receive messages, so I am requesting here that he provide me with the source code for his Extended XP, so that I can update it.
  21. Kernelex uses dll injection, whereas One Core API uses patched Microsoft binaries. It also includes new binaries from the developer and has linked the Microsoft binaries in new ways, which makes it more like a new operating system. The main drawback of One Core API for me is that it is built on the last SP3 updates rather than POSReady 2009, which makes it less secure. Dibya's Extended XP package also provides patched Microsoft binaries, but it merely extends the API of the kernel, so that things like Python, GTK, and OpenSSL can be run under XP. It also has the advantage of being built on POSReady 2009, which made it as secure as possible when it was released. The package includes an update installer which will update existing Microsoft binaries and provide a security catalog, so that they are not flagged by SFP. The package also includes the tools he used to make the extended binaries with a sample rebuilt binary and its source code in the form of an .asm file. I am still waiting for an update.
  22. Ricktendo's Spanish XPSP3 update pack was released in 2015, and can be obtained here. I cannot see any modules dated later than 2014. To update it I assume that I would have to integrate it into a Spanish ISO, then install XP using this ISO, and wait for Automatic Update to produce a list of pending updates which I could install one by one while logging the changes. Of course the XP update server has long been decommissioned and an offline update is not possible because no-one has produced a Spanish version of an XP WSUS Offline ISO. I think my approach would be to collect all the last Windows XP and embedded updates, including those with Spanish versions, and use DXUAPC to automatically produce a Spanish XPSP3 update pack and embedded addon. The registry entries in sp3updck.inf would be taken from each of the update installer's inf files, so they could be incomplete. Therefore I would copy over the Spanish modules into the extracted user_hidden XPSP3 QFE Update pack and retain all the registry entries in his qfe_updpck.inf except for the time zone entries, which would have to be revised.
  23. English Only Internationalization
      This addon will remove non-English files for code pages, keyboard layouts, MUI, msagent, and fonts with their associated registry entries. RyanVM Integrator only.
      File: KBD_Eng_Intl_Addon.7z (OneDrive)
      File: KBD_Eng_Intl_Addon.7z (4Shared)
      MD5: EAC0FF87D49FBF0DAEBA6262F664EEE9
      SHA-1: 94B635D9DBA6C6182E210BE76C50AB492F28F714
      Size: 20.5 KB
      Build date: 31/10/2023
      Code Pages Included
      037 = US/Canada
      437 = United States
      850 = West European
      1252 = West European
      20127 = US-ASCII (7 bit)
      28591 = Latin Western European (ISO)
      28605 = Latin 9
      Keyboard Layouts Included
      409 = United States English
      452 = United Kingdom Extended
      809 = United Kingdom
      10409 = Dvorak United States English
      20409 = United States International
      30409 = Dvorak Left-Hand US English
      40409 = Dvorak Right-Hand US English
      The entries for the removed code page and keyboard files in sfcfiles.dll have been edited so that they are no longer monitored by the file protection service. Running the system file checker utility should not flag any errors.
      Update 31/10/2023: The following language files have been removed: wbcache.deu, wbcache.esn, wbcache.fra, wbcache.ita, wbcache.nld, wbcache.sve, wbdbase.deu, wbdbase.esn, wbdbase.fra, wbdbase.ita, wbdbase.nld, wbdbase.sve
      Note that 4Shared is blocked in the UK. Residents in the UK should use a VPN server in the US or the Netherlands.
  24. So far no-one has requested a language specific version of the XPSP3_QFE_UpdatePack for Windows XP Post-SP3 addon, and the XPSP3 QFE POSReady Update Pack, so I need not give this any attention until they do. On reflection I think I would have to obtain an XP installation ISO in their language, identify all the Windows updates required for the above addon and update pack that include language options, then install them one by one while logging the changes made to the registry and file system. I could then use these logs to edit the entries.ini and inf file of my releases of the addon and update pack. This would be a lot of work, so I hope they request a popular language like Spanish rather than Maori for instance.
  25. WinUSB 2.0
      File: WinUsb_2.0_XP-SRV03_True_AddOn.7z (OneDrive)
      File: WinUsb_2.0_XP-SRV03_True_AddOn.7z (4Shared)
      MD5: 4b3625f09bcf8cb52c7070a1fd7dc431
      SHA-1: ccc39c6b0a9a7dbe5dc764a29431a9c13d21c57a
      Size: 2.10 MB
      Build date: 07/09/2021
      The Winusb coinstaller and driver are included, but installation occurs when a WCID compatible device is connected. Rather than require a custom INF file for the device, the generic hardware ID WINUSB,USB\MS_COMP_WINUSB is used. In the Found New Hardware wizard there will be the message "This wizard helps you install software for: USBDevice". Select "Install the software automatically". If, after installing Windows, you prefer to use the WMTP driver, delete the file wcid.inf in the %SystemRoot%\INF directory and it will be installed automatically. Note that WinUSB 2.0 has been included in my XPSP3_QFE_UpdatePack for Windows XP Post-SP3 above.
      Note: 4Shared is blocked in the UK, so UK residents need to use a VPN server in the United States.