
Zorba the Geek
Everything posted by Zorba the Geek
-
Even if I was capable of writing my own code this would be reinventing the wheel because Wine and ReactOS have already done this. I still think that disassembling BWC's extended W2K kernel is a problematic way of going about this when it would be more logical to create an extension DLL by compiling the C code provided by Wine. If someone could tell me how to modify Wine code so that it is compatible with Windows XP I might have a go at doing it myself.
-
Looking at your ExKernel.asm I see that many functions have been derived from BWC's W2K Extended Kernel 3.0e, but as far as I know he has not released any source code written in C/C++. Where would this C/C++ code come from? From Wine perhaps? Once a disassembly has been derived from this C/C++ code it is not injected into the Microsoft DLLs, but rather assembled into an extension DLL to which API calls for NT6 functions are forwarded. If I had access to C/C++ code for these NT6 functions I could just compile it to make this extension DLL, without the necessity of creating a disassembly.
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
Remove Obsolete Drivers
File: Drivers_Removal_Addon.7z (Google Drive)
File: Drivers_Removal_Addon.7z (4Shared)
MD5: 7868DD0B5761D8E5C36C8E2EB62A65DE
SHA-1: 1F64D0AA1E4830B45D242F71A6EFA28395AEC803
SHA-256: 5ABC43259A0833F6301AD34971EDF40F31EE3CE4F8A36228B691ABB2A26E9DA3
Release date: 16/05/2024
Size: 80.9 KB
This addon will remove obsolete drivers from %SystemRoot%\System32\drivers, driver.cab and SP3 along with associated executables, DLLs and INF files, including those in %SystemRoot%\inf. Registry keys have been removed from HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2, HKLM\SYSTEM\CurrentControlSet\Services, and HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System.
List of categories of drivers removed:
Asynchronous Transfer Mode (ATM)
Cameras and Camcorders
Display Adapters
Display Adapters (old)
Ethernet (LAN)
IBM PS2 TrackPoint
IBM ThinkPad
ISDN
Logitech WingMan
Microsoft SideWinder
Modems
Multifunctional Portable Audio
Printers
Scanners
SCSI/RAID
Serial Pen Tablet
Sony Jog Dial
Sound Controllers
Tape drives
Toshiba DVD decoder card
Wireless Ethernet (WLAN)
Brother Devices
Gravis Digital GamePort
Multi-port serial adapters
I have retained infra red and card reader drivers.
Note that 4Shared is blocked in the UK. Residents in the UK should use a VPN server in the US or the Netherlands.
Tagged with: Update packs, Addons (and 1 more)
-
One-Core API is indeed awesome, but it is too big, too complex and too ambitious for my purposes. A typical example where I may need to extend the NT5.1 API is EncFSP 0.99.1 by Roland Hiestand. This would require the function _wsopen_s in msvcrt.dll which is missing in version 7.0.2600.5701 installed on my XP computer, although it is present in msvcr80/90/100/110/120.dll and ucrtbase.dll. Other examples where I may need to supply a few missing functions to make an application work are Python, OpenSSL and GTK. The approach suggested by Dibya seems ideal to me because it would enable the user to customise patched Microsoft DLLs without programming expertise. Dibya's approach depends on being able to completely reverse disassembly which everyone says is impossible. I am not convinced that it is necessarily impossible, but it would require some editing to be done on the disassembled code. I am experimenting on disassembling System32 DLLs using dumppe, disasm, PE Explorer and ndisasm, and I have found that there is a high degree of consistency between their outputs, although anomalies do appear where they provide different outputs. This is where you have to use your judgement to make an edit. The main issue with reversing disassembly is that most disassemblers do not produce an output that conforms to the syntax rules of any assemblers. However, ndisasm is supposed to have an output that conforms to the nasm syntax, so that the instruction mov eax,fs:[18h] in dumppe is shown as mov eax,[fs:0x18]. I am attempting to make an assembly file for Windows 7 functions in kernel32.dll that can supplement the XP version of kernel32.dll and will present it as attachment in a later post so that you can examine it and make comments.
-
I am planning to embark on a kernel extension for Windows XP with a topic started here. Perhaps win32 or someone else interested in this Vista Kernel Extension could advise me about where to obtain NT6.x functions that can be integrated into the Microsoft NT5.1 libraries. I am wary of extracting these functions from Win7 libraries due to possible incompatibility with the XP kernel, but I am not qualified to judge what problems might arise if you do this. An alternative source sometimes recommended for extracting NT6.1 functions for kernel extensions is Wine. A Wine download for Slackware can be downloaded from here. Is there a reason why Wine would be a preferable source for extracted functions compared to Microsoft libraries? Why does no-one recommend extracting NT6.1 functions from Reactos? Should I rely on BlackWingCat's W2K Extended Kernel 3.0e as a source for extracted NT6.1 functions assuming that he is expert enough to select this code from appropriate sources?
-
Ghidra requires 64 bit JAVA 17, and Relyze is overkill for this simple task and probably does not work under XP. I have discovered the disassembler Dibya used for his KernelEx for XP project. The output from the disassembler incorporated into PE Explorer is exactly like the code in Dibya's ExKernel.asm. This is a superb program that enables you to search for the entry point of functions without having to rely on Microsoft symbols which only work on Microsoft products. However, the help file states so I am not sure that this is the way to go. A MSFN forum member using the name win32 has started a thread titled [WIP] Windows Vista Extended Kernel in which he proposes to develop a kernel extension using the same approach as BlackWingCat which is copy functions as hex and paste them into a hex dump of the section designated for containing these NT6.1 functions. Judging by this thread this approach is fraught with problems.
-
Dibya please reply to this question. I have been investigating how I could update your Kernelex for Windows XP, and I am uncertain about which disassembler to use which gives an output compatible with NASM. I have been able to extract the assembly code for particular functions in BlackWingCat's build of kernel32.dll using the GNU disassembler gdb, and IDA Pro 6.8, but there are differences in the syntax compared to your source code in kernelex.asm which may or may not be significant. Here are some examples:
Dibya: mov eax,[ebp+0Ch]
gdb: mov eax,DWORD PTR [ebp+0xc]
IDA: mov eax, [ebp+arg_4]
Dibya: mov word [ebp-08h],0008h
gdb: mov WORD PTR [ebp-0x8],0x8
IDA: mov [ebp+var_8], 8
Is it possible that NASM would recognize DWORD PTR and trailing h after numerals even though they are not present in the output of NDISASM? What about the number formats like 0008 compared to 0x8? I have tried x64dbg and Ollydbg, but I could not get them to work in this application.
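The syntax gap raised in this post and in the earlier one on reversing disassembly (dumppe/PE Explorer "h"-suffixed hex, gdb's "DWORD PTR" and "0x" hex, the "fs:[18h]" override) can be closed mechanically before the file goes to nasm. The following is an added example, not the poster's code and not part of Dibya's ExKernel sources: a small Python normaliser that rewrites those forms into the bracketed, 0x-hex, size-keyword syntax that ndisasm emits and NASM assembles. It relies on two facts about NASM: it accepts "h"-suffixed hex only when the literal begins with a digit (0Ch, not Ch), and it has no PTR keyword, the size word goes directly before the bracket. IDA's symbolic frame operands such as [ebp+arg_4] are deliberately left untouched, because resolving them needs the stack frame layout rather than a syntax rule, and gdb's "address <symbol>:" prefixes are out of scope; both limits are assumptions of this example.

```python
"""Rewrite dumppe/gdb/IDA operand syntax into NASM syntax, line by line.

Added example; not the poster's or Dibya's code.  Comments (after ';')
are never touched.  IDA frame symbols like [ebp+arg_4] pass through unchanged.
"""
import re

# 0Ch / 0008h / 18h  ->  0xc / 0x8 / 0x18   (leading digit required, so
# registers such as ah/ch/dh are never mistaken for hex literals)
H_SUFFIX_HEX = re.compile(r"\b([0-9][0-9A-Fa-f]*)[hH]\b")
# 0x0C -> 0xc  (lower-case, leading zeros dropped, for a uniform listing)
C_STYLE_HEX = re.compile(r"\b0[xX]([0-9A-Fa-f]+)\b")
# DWORD PTR [..] -> dword [..]   (NASM has no PTR keyword)
SIZE_PTR = re.compile(r"\b(byte|word|dword|qword|tbyte)\s+ptr\s*", re.IGNORECASE)
# fs:[18h] -> [fs:18h]           (override goes inside the brackets)
SEG_OUTSIDE = re.compile(r"\b(cs|ds|es|fs|gs|ss):\[([^\]]*)\]", re.IGNORECASE)
# gdb's bracket-less absolute form  fs:0x18  -> [fs:0x18]
SEG_BARE = re.compile(r"(?<![\[\w])(cs|ds|es|fs|gs|ss):(0x[0-9a-f]+)\b", re.IGNORECASE)


def normalize_line(line: str) -> str:
    """Return `line` with its operand syntax rewritten for NASM; the comment part is preserved verbatim."""
    code, sep, comment = line.partition(";")
    code = SIZE_PTR.sub(lambda m: m.group(1).lower() + " ", code)
    code = H_SUFFIX_HEX.sub(lambda m: f"0x{int(m.group(1), 16):x}", code)
    code = C_STYLE_HEX.sub(lambda m: f"0x{int(m.group(1), 16):x}", code)
    code = SEG_OUTSIDE.sub(lambda m: f"[{m.group(1).lower()}:{m.group(2)}]", code)
    code = SEG_BARE.sub(lambda m: f"[{m.group(1).lower()}:{m.group(2)}]", code)
    return code + sep + comment


def normalize_listing(text: str) -> str:
    """Apply normalize_line to every line of a listing."""
    return "\n".join(normalize_line(line) for line in text.splitlines())


# Constructed sample mixing the three dialects quoted in the posts
SAMPLE_LISTING = """\
FindNextStreamW: ;blackwingcat KB935839 2017.04
push ebp
mov eax,DWORD PTR [ebp+0xc]
mov word [ebp-08h],0008h
mov eax,fs:[18h]
mov eax,DWORD PTR fs:0x18
push 3221225489 ;C0000011h
mov eax, [ebp+arg_4]
retn 0008h"""

if __name__ == "__main__":
    print(normalize_listing(SAMPLE_LISTING))
```

Feeding the result to nasm is the real check: anything that still fails to assemble is either an IDA symbolic operand that needs a manual EQU, or a syntax form not covered here.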
-
I thought that I ought to push things along with this project with this post. The objective is to update Dibya's last patched binaries so that they are based on the last POSReady 2009 updates of these modules. It ought to be possible to patch other system files using the same techniques. The approach that Dibya has used is to patch the export table of these binaries so that API calls to NT6 functions are forwarded to an external dynamic link library that acts as a container for all the additional NT6 functions for the patched kernel32.dll, advapi32.dll, ole32.dll, shell32.dll and user32.dll. This external dynamic link library is called ExKernel.dll. I have provided a screen shot of the patched advapi32.dll opened in PE Maker here: Exkernel.dll is built by disassembling Microsoft and Wine binaries to extract the subroutines for the additional NT6 functions to make the asm file ExKernel.asm which is then assembled with nasm.exe to produce the object file ExKernel.obj. ExKernel.obj is passed to golink.exe to link Exkernel to advapi32.dll, shell32.dll, kernel32.dll, and ntdll.dll.
The ExKernel.asm file contains a table for imports as in the sample below:
; IMPORT TABLE
EXTERN RtlEnterCriticalSection
EXTERN RtlLeaveCriticalSection
EXTERN WaitForSingleObject
;EXTERN _alloca_probe
EXTERN RtlInitializeCriticalSection
EXTERN SetEvent
EXTERN RtlSetLastWin32Error
EXTERN RtlTryEnterCriticalSection
EXTERN GetLastError
EXTERN GetProcessHeap
EXTERN RtlAllocateHeap
EXTERN ExitThread
EXTERN CreateEventA
EXTERN LoadLibraryA
The table for exports is shown in the sample below:
; EXPORT TABLE
GLOBAL AcquireSRWLockExclusive
EXPORT AcquireSRWLockExclusive
GLOBAL AcquireSRWLockShared
EXPORT AcquireSRWLockShared
GLOBAL InitializeSRWLock
EXPORT InitializeSRWLock
GLOBAL ReleaseSRWLockExclusive
EXPORT ReleaseSRWLockExclusive
GLOBAL ReleaseSRWLockShared
EXPORT ReleaseSRWLockShared
GLOBAL TryAcquireSRWLockExclusive
EXPORT TryAcquireSRWLockExclusive
GLOBAL TryAcquireSRWLockShared
EXPORT TryAcquireSRWLockShared
GLOBAL InterlockedCompareExchange64
EXPORT InterlockedCompareExchange64
Here is a sample of a subroutine in assembly included in ExKernel.asm:
FindNextStreamW: ;blackwingcat KB935839 2017.04
push ebp
mov ebp,esp
mov ecx,[ebp+08h]
mov edx,[ecx+04h]
add edx,[ecx+0Ch]
mov eax,[ecx+08h]
cmp eax,edx
jnz L77EA5881
push 3221225489 ;C0000011h
call SUB_L77E5826D
xor eax,eax
jmp L77EA58D4
L77EA5881:
mov ecx,[eax+08h]
mov edx,[ebp+0Ch]
mov [edx],ecx
mov ecx,[eax+0Ch]
mov [edx+04h],ecx
mov ecx,[eax+04h]
push ebx
push esi
mov ebx,ecx
push edi
shr ecx,02h
lea esi,[eax+18h]
lea edi,[edx+08h]
rep movsd
mov ecx,ebx
and ecx,00000003h
rep movsb
mov ecx,[eax+04h]
shr ecx,1
and word [edx+ecx*2+08h],0000h
mov eax,[eax]
test eax,eax
pop edi
pop esi
pop ebx
jbe L77EA58C5
mov ecx,[ebp+08h]
add [ecx+08h],eax
jmp L77EA58D1
L77EA58C5:
mov eax,[ebp+08h]
mov ecx,[eax+04h]
add ecx,[eax+0Ch]
mov [eax+08h],ecx
L77EA58D1:
xor eax,eax
inc eax
L77EA58D4:
pop ebp
retn 0008h
Here are some issues that I am unclear about and I would like Dibya or someone to clarify:
Can someone supply instructions on how to use PE Maker to add additional entries to the export table?
How do you know if there is sufficient space in the binary to be patched to accommodate these new entries in the export table without over-writing some of the existing code?
Is there some way of creating extra space in the binary to accommodate these new entries?
What tool is recommended to extract functions as assembly from Microsoft and Wine binaries?
What criteria would you use to choose either Microsoft, Wine or BWC binaries as a source for these extracted functions?
If you decide not to use an external dynamic link library as a container for the additional NT6 functions how would you insert them into the binary to be patched?
Would you disassemble the binary to be patched and paste the disassembled NT6 functions into its asm file then assemble it, or could you extract the NT6 functions as hex and paste them into a hex dump of the binary to be patched?
ExKernel.asm
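The forwarding mechanism the post describes rests on one PE detail: an export whose function RVA falls inside the export directory itself is not code but an ASCII "Module.Function" string, and the loader resolves it from that module instead. A maintainer of a patched kernel32.dll therefore wants a quick way to list which exports forward where, and to confirm nothing forwards to a module other than the expected ExKernel. The script below is an added example, not Zorba the Geek's or Dibya's code and unrelated to PE Maker: a dependency-free PE32 export-directory walker plus a constructed sample image with three named exports, two of them forwarders. The kernel32/ExKernel names inside the sample are labels only, not bytes from any real binary, and the walker assumes a well-formed PE32 (32-bit) image.

```python
"""List PE32 exports and flag the ones that are forwarders (added example, not project code)."""
import struct


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset; `sections` holds (va, vsize, raw, rawsize) tuples."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstring(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")


def list_exports(image):
    """Return [(name, ordinal, rva, forwarder)]; forwarder is None when the RVA points at code."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("PE32 (32-bit) images only")
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + 96)  # DataDirectory[0] = exports
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    d = _rva_to_offset(exp_rva, sections)
    (_, _, _, _, _, base, _nfunc, nnames, aof, aon, aoo) = struct.unpack_from("<IIHHIIIIIII", image, d)
    funcs, names, ords = (_rva_to_offset(x, sections) for x in (aof, aon, aoo))
    result = []
    for i in range(nnames):
        name = _cstring(image, _rva_to_offset(struct.unpack_from("<I", image, names + 4 * i)[0], sections))
        idx = struct.unpack_from("<H", image, ords + 2 * i)[0]
        rva = struct.unpack_from("<I", image, funcs + 4 * idx)[0]
        forwarder = None
        if exp_rva <= rva < exp_rva + exp_size:  # inside the export directory: a forwarder string
            forwarder = _cstring(image, _rva_to_offset(rva, sections))
        result.append((name, base + idx, rva, forwarder))
    return result


def forwarded_modules(exports):
    """Modules that exports forward to, e.g. {'ExKernel'}; compare against what you expect."""
    return {fwd.split(".", 1)[0] for _, _, _, fwd in exports if fwd}


def build_sample_image():
    """Constructed PE32 with three named exports, two forwarded to ExKernel (sample data, not a real DLL)."""
    sec_va, sec_raw = 0x1000, 0x200
    exports = [  # sorted by name, as the loader's binary search requires
        ("AcquireSRWLockExclusive", "ExKernel.AcquireSRWLockExclusive"),
        ("GetTickCount", None),
        ("InitializeSRWLock", "ExKernel.InitializeSRWLock"),
    ]
    n = len(exports)
    blob = bytearray(40 + 10 * n)  # export directory + function, name and ordinal tables

    def add_str(s):
        rva = sec_va + len(blob)
        blob.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name = add_str("kernel32.dll")
    name_rvas = [add_str(name) for name, _ in exports]
    func_rvas = [add_str(fwd) if fwd else sec_va + 0x800 for _, fwd in exports]
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0, dll_name, 1, n, n,
                     sec_va + 40, sec_va + 40 + 4 * n, sec_va + 40 + 8 * n)
    struct.pack_into(f"<{n}I", blob, 40, *func_rvas)
    struct.pack_into(f"<{n}I", blob, 40 + 4 * n, *name_rvas)
    struct.pack_into(f"<{n}H", blob, 40 + 8 * n, *range(n))
    exp_size = len(blob)  # forwarder strings lie inside this range; the RET below does not
    blob.extend(b"\0" * (0x800 - len(blob)) + b"\xC3")
    img = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96, sec_va, exp_size)  # export DataDirectory
    img += opt + struct.pack("<8sIIIIIIHHI", b".edata", len(blob), sec_va, len(blob), sec_raw, 0, 0, 0, 0, 0x40000040)
    img += b"\0" * (sec_raw - len(img)) + blob
    return bytes(img)


if __name__ == "__main__":
    exps = list_exports(build_sample_image())
    for name, ordinal, rva, fwd in exps:
        print(f"{ordinal:3d} {name:<26} {rva:#08x} {'-> ' + fwd if fwd else '(code)'}")
    print("forwards to:", forwarded_modules(exps))
```

Pointing list_exports at the bytes of a real patched DLL answers the question in the post about where the new entries went: the forwarder strings, the name table and the ordinal table all have to fit inside the range the export DataDirectory covers, which is why an enlarged table usually needs a new or extended section rather than in-place overwriting.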
-
(FIXED) How to watch Amazon Prime Video on Windows XP
Zorba the Geek replied to sdfox7's topic in Windows XP
My previous post must have seemed naive to an expert like VistaLover, but I had anticipated that the CDM client would calculate a checksum of its main DLL to detect tampering, and if the checksum did not match the correct one in the client's code a signal would be sent to the widevine server to halt the download of the encrypted keys. Castlabs are now offering a free service for Widevine/VMP signing of application packages derived from official releases of Electron. They also offer a commercial VMP certification of custom Chromium/Electron adaptations which sounds like it is not free. Perhaps VistaLover could study this page Electron for Content Security VMP signing service and make some recommendations to the Supermium developer.
-
(FIXED) How to watch Amazon Prime Video on Windows XP
Zorba the Geek replied to sdfox7's topic in Windows XP
Supermium Version 121.0.6167.81 is compatible with XP and 2003 and it includes the Widevine CDM. To activate it you have to go to chrome://components and click "Check for update" which will download version 4.10.2710.0. widevinecdm.dll requires imports from kernel32.dll missing in Windows XP so I have changed the entry for kernel32.dll in the widevinecdm.dll import table to the OneCore API xpspkernel32.dll after having renamed it to kernelxp.dll and placed it in the %UserProfile%\Local Settings\Temp\Supermium\User Data\WidevineCdm\4.10.2710.0\_platform_specific\win_x86 folder. I am almost there because when I go to this DRM stream test site I receive the notification "EME is supported by your current browser." with a tick next to Widevine. However the player will not load and it displays the error message "General source error".
-
The releases page for Tor.exe at https://github.com/artenax/tor-xp/releases redirects to https://github.com/artenax/tor/releases which only includes releases for Vista and Windows 7.
-
Thanks for pointing out the errors. Line 56 was thus:
Reg.exe add "HKLM\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command" /ve /t REG_SZ /d "\"%ProgramFilest%\Python38\pythonw.exe\" -m idlelib \"%%L\" %%*" /f
When it should have been:
Reg.exe add "HKLM\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command" /ve /t REG_SZ /d "\"%SystemDrive%\Python38\pythonw.exe\" -m idlelib \"%%L\" %%*" /f
I shall re-upload Python 3.8.1350.7z with these corrections. I made the batch file by monitoring the changes made to the system by installing an official Python 3.8 distribution and saving the changes to the registry as a reg file which was then converted into a batch file using RegConvert. In the registry, paths were not written as variables, so I had to convert them to variables in the batch file.
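The failure mode in this post is worth a mechanical check: cmd.exe expands an undefined variable such as %ProgramFilest% to an empty string, so the Reg.exe line does not fail, it silently writes a broken path into HKLM. The script below is an added example, not the poster's batch file or RegConvert output. It scans a batch script for %NAME% references that are neither in an assumed baseline XP environment (KNOWN_XP_VARS) nor assigned by an earlier SET line, treating "%%" as the literal percent it is in batch syntax. The sample script is constructed from the two lines quoted above; the baseline variable list and the PYDIR name are assumptions of the example.

```python
"""Report %VARIABLE% references in a batch script that nothing defines (added example)."""
import re

KNOWN_XP_VARS = {  # assumed baseline environment of an XP session, upper-cased
    "ALLUSERSPROFILE", "APPDATA", "COMMONPROGRAMFILES", "COMPUTERNAME", "COMSPEC",
    "HOMEDRIVE", "HOMEPATH", "PATH", "PATHEXT", "PROGRAMFILES", "SYSTEMDRIVE",
    "SYSTEMROOT", "TEMP", "TMP", "USERNAME", "USERPROFILE", "WINDIR",
}
# "%%" is a literal percent sign in batch files; everything else is a %name% reference
TOKEN = re.compile(r"%%|%([A-Za-z_][A-Za-z0-9_()]*)%")
SET_LINE = re.compile(r'^\s*set\s+"?([^=\s"]+)=', re.IGNORECASE)


def find_undefined_vars(script, defined=KNOWN_XP_VARS):
    """Return [(line_number, name)] for every %name% not in `defined` and not SET earlier in the script."""
    known = {v.upper() for v in defined}
    problems = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for m in TOKEN.finditer(line):
            name = m.group(1)
            if name is None:  # matched "%%"
                continue
            if name.upper() not in known:
                problems.append((lineno, name))
        m = SET_LINE.match(line)
        if m:  # a SET on this line defines the name for the lines that follow
            known.add(m.group(1).upper())
    return problems


# Constructed sample: line 3 carries the typo from the post, line 4 uses a variable SET on line 2
SAMPLE_BAT = r'''@echo off
set PYDIR=%SystemDrive%\Python38
Reg.exe add "HKLM\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command" /ve /t REG_SZ /d "\"%ProgramFilest%\Python38\pythonw.exe\" -m idlelib \"%%L\" %%*" /f
Reg.exe add "HKLM\SOFTWARE\Classes\Python.File\Shell\editwithidle\shell\edit38-32\command" /ve /t REG_SZ /d "\"%PYDIR%\pythonw.exe\" -m idlelib \"%%L\" %%*" /f
'''

if __name__ == "__main__":
    for lineno, name in find_undefined_vars(SAMPLE_BAT):
        print(f"line {lineno}: %{name}% is not defined")
```

Running it over the whole generated installer before uploading catches the class of error described here; variables that a real session defines but the baseline list omits can be passed in through the `defined` parameter.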
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
The only way to resolve this issue is to identify updates that are unique in my list and the list provided by the Legacy Update site and then consult the Microsoft Update Catalog to see if these updates were superseded. If not they could be added to a revised update list. The problem with this approach is that the Microsoft Update Catalog has removed many SP3 updates.
Tagged with: Update packs, Addons (and 1 more)
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
As far as I know Microsoft has not published a comprehensive list of updates for their EOL operating systems. I obtained the list provided in "What is included in XPSP3_QFE_UpdatePack_20210829.rtf" using the Windows Update Powershell modules to query Windows Update for outstanding updates. I used version 1.5.2.2 with Powershell 2.0. I also experimented with Windows Update MiniTool version 20.12.2016. Of course, neither is any good now that the XP update servers have been decommissioned, but it may be possible to modify them to work with the Legacy Windows Update website. You could always use the SHA1 version of WSUSSCNT2, but it will not work with POSReady 2009. I have uploaded an XP compatible WSUSSCNT2 here:
File: wsusscn2_sha1.cab (Google Drive)
SHA-1: 5FCDBED0E904F233CCC6DE6FE3ABAC713DAC706F
SHA-256: C4E9A67A8EA2A8C8AD8341D16B069B653EF6647DB85CC9520633F15508F5F379
Release date: 13/07/2020
Size: 882 MB
I have also uploaded PSWindowsUpdate for Powershell 2.0:
File: PSWindowsUpdate 1.5.2.2..7z (Google Drive)
SHA-1: 7EEA217DE0818F1A888A7D1DEB078C4DDD313FDC
SHA-256: CB52F08BB78C8AC96F5C1CA0D4BE450438BBF3AF5FC20BF28A0CD9B10DF9D6C9
Release date: 05/08/2016
Size: 29.2 KB
Tagged with: Update packs, Addons (and 1 more)
-
I have made a new binary build of LOKI the indicator of compromise scanner, and have downgraded yara-python from version 4.3 to version 4.2.3 to eliminate the error message: "TypeError: 'yara.StringMatch' object is not subscriptable" The explanation in the release notes for version 4.3 is as follows:
File: Loki-0.46.2-xp.zip (Google Drive)
File: Loki-0.46.2-xp.zip (4Shared)
MD5: 8D646734522303FCCD1058DFA126C11D
SHA-1: E8F32E0F03AA55E5F3A419AFDBD47ED42E12F8EA
Size: 24.5 MB
Build date: 11/02/2024
Once unzipped the package does not need to be installed, except that an XP compatible build of bcrypt.dll must be in your path, and the IPV6 protocol must be installed from your Local Area Connection. The relevant Python modules to build LOKI under Windows XP are:
colorama 0.4.6
future 0.18.3
netaddr 0.8.0
psutil 5.6.1
pyinstaller 4.10
rfc5424-logging-handler 1.4.3
python 3.8.13
pywin32 300
WMI 1.5
yara-python 4.2.3
Note: 4Shared is blocked in the UK. Use a VPN server located in the United States or the Netherlands.
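The TypeError quoted in this post comes from an API change rather than a bug: up to yara-python 4.2.x each entry of match.strings is a tuple (offset, identifier, data), while from 4.3.0 each entry is a yara.StringMatch object carrying an identifier and a list of StringMatchInstance objects, each with an offset and matched_data. Code written for the tuple shape indexes into the object and fails. The shim below is an added example, not LOKI's code and not the poster's build; it accepts either shape, so a scanner need not pin the older release. Because no yara scan runs here, the two sample inputs are constructed stand-ins (plain tuples and SimpleNamespace objects) that mimic what the two generations return for the same hits; the offsets, rule strings and bytes in them are invented sample data.

```python
"""Normalise yara-python match.strings across the 4.2 -> 4.3 API change (added example)."""
from dataclasses import dataclass
from types import SimpleNamespace
from typing import List


@dataclass(frozen=True, order=True)
class StringHit:
    """One string hit, independent of which yara-python version produced it."""
    offset: int
    identifier: str
    data: bytes


def string_hits(strings) -> List[StringHit]:
    """Flatten a Match.strings value from either yara-python generation into sorted StringHit records."""
    hits = []
    for entry in strings:
        if isinstance(entry, tuple):  # yara-python <= 4.2.x: (offset, identifier, matched_data)
            offset, identifier, data = entry
            hits.append(StringHit(int(offset), str(identifier), bytes(data)))
        else:  # yara-python >= 4.3.0: StringMatch with .identifier and .instances
            for inst in entry.instances:
                hits.append(StringHit(int(inst.offset), str(entry.identifier), bytes(inst.matched_data)))
    return sorted(hits)


def summarise(hits, limit=32):
    """Human-readable lines for a report, truncating matched bytes to `limit`."""
    return [f"{h.identifier} @ {h.offset:#x}: {h.data[:limit]!r}" for h in hits]


# Constructed stand-ins for what the two yara-python generations return for the same three hits
OLD_STYLE = [(0x1000, "$mz", b"MZ"), (0x2A0, "$s1", b"LOKI"), (0x3F0, "$s1", b"LOKI")]
NEW_STYLE = [
    SimpleNamespace(identifier="$mz",
                    instances=[SimpleNamespace(offset=0x1000, matched_data=b"MZ")]),
    SimpleNamespace(identifier="$s1",
                    instances=[SimpleNamespace(offset=0x2A0, matched_data=b"LOKI"),
                               SimpleNamespace(offset=0x3F0, matched_data=b"LOKI")]),
]

if __name__ == "__main__":
    assert string_hits(OLD_STYLE) == string_hits(NEW_STYLE)
    print("\n".join(summarise(string_hits(NEW_STYLE))))
```

In a real scanner the argument to string_hits is `match.strings` for each match returned by `rules.match(...)`; everything downstream then works on StringHit records and is insulated from further changes to the match object.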
-
I reorganized the contents of cmalex's distribution of Python 3.8.13 and made a simple batch file to install it along with shortcuts, file associations and environment variables. You can download it here:
File: Python 3.8.1350 For XP.7z (4Shared)
File: Python 3.8.1350 For XP.7z (Google Drive)
MD5: F7F1C486DDAEB417B0D46431947D3E18
SHA-1: CD5876AFD726029F713451E9F15AACB230CCB3EE
SHA-256: C05D4F6F092565DEB8C7E89F9DB763605841FA865767936B945B9374F3E98AB6
Build Date: 14/07/2022
Size: 42.8 MB
I intend to make a proper installer one day, but at least in this form you can see what is included and make modifications to suit your needs. Enclosed are batch files to temporarily set environment variables if you want to run more than one version of Python on a drive.
Note: 4Shared is blocked in the UK. Use a VPN server located in the United States or the Netherlands.
CP28_Env.bat
CP34_Env.bat
CP35_Env.bat
-
Yes, I am using Pyinstaller 4.10 under Windows XP with Visual Studio 2010 to package XP compatible binaries of LOKI the IOC scanner. Needless to say I have installed cmalex's XP compatible build of Python 3.8.13.
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
Here is a revised build of my POSReady 2009 Update Pack with corrections suggested by MilkChan.
XPSP3_QFE_UpdatePack for Windows XP Post-SP3 Combined (Spanish)
File: XPSP3_QFE_POSReady_Addon_20240101_ESN.7z (Google Drive)
File: XPSP3_QFE_POSReady_Addon_20240101_ESN.7z (4Shared)
MD5: 5D9F25C41DB91C97583BDAF65E9F8335
SHA-1: E5F8E43B7BAEF3D75C1309C45EA57C4AA362D60A
Build date: 01/01/2024
Size: 34.7 MB
Note: 4Shared is blocked in the UK, so UK residents need to use a VPN server in the United States or the Netherlands.
Tagged with: Update packs, Addons (and 1 more)
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
I see your point about the text strings in the INF file not being translated. For instance the line
"Export data from the current database into a Lotus 1-2-3 version 2 file. This process will overwrite data if exported to an existing file."
should be
"Exportar datos de la base de datos activa a un archivo de Lotus 1-2-3 versión 2. Si el archivo de destino ya existe, este proceso sobrescribirá los datos."
Also the line
HKLM,"SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase","win32",0x0,"D:\WINDOWS\system32\msxbde40.dll"
should be
HKLM,"SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase","win32",0x0,"%11%\msxbde40.dll"
The text string error occurred because I reused the 5erPOSUp.inf file from my original English build of the POSReady update pack, rather than rebuild it anew by installing each Microsoft Spanish update and logging the changes. Because I use the entries from logs of the changes made by the update installers the path error was included in my 5erPOSUp.inf file. Thanks for pointing this out. I shall make the required revisions to 5erPOSUp.inf and reupload my Spanish POSReady update pack.
Edit: I have also attempted to translate the [Strings] section into Spanish as best I can using Google Translate.
Tagged with: Update packs, Addons (and 1 more)
-
I downloaded pywin32-300-cp38-cp38-win32.whl from pypi.org and extracted win32ui.pyd, but Dependency Walker did not reveal missing imports. You can try using this installer that I have archived for my own use using this link pywin32-300.win32-py3.8.exe
-
Here are some links to tools that may be useful for developing Extended XP:
IDA Disassembler 6.6 Demo. This requires patching of idaq.exe to remove the message "Sorry, the evaluation version has expired". Forum rule 1a prevents me from providing instructions on how to do this, so you need to send me a PM.
PEMaker by Blackwingcat. When run under XP text is garbled due to incompatible imagehlp.dll.
Export Table Tester. Read forum topic here.
gdb.exe from MinGW-W64 GCC-8.1.0 to disassemble specific functions.
Ollydbg 1.10 with OllySymbolServer at OllyDbg1plugins.
pefile Python module to analyse and overwrite parts of PE file header.
pepatch Python module for patching PE format binaries.
I cannot find a download link for Rudy's modexp. Can someone upload it so that we can share it?
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
Here are the Spanish versions of the XPSP3 QFE Update Pack and the POSready 2009 Addon that I promised.
XPSP3_QFE_UpdatePack for Windows XP Post-SP3 Combined (Spanish)
File: XPSP3_QFE_UpdatePack_20231213_ES.7z (Google Drive)
File: XPSP3_QFE_UpdatePack_20231213_ES.7z (4Shared)
MD5: 16d754c9e434ae181007b561592d6950
SHA-1: 7a6d66f62f4e2093238fb47df45464f07e20ca12
Release date: 13/12/2023
Size: 67.2 MB
XPSP3 QFE POSReady Updates Addon Combined (Spanish)
File: XPSP3_QFE_POSReady_Addon_20240101_ESN.7z (Google Drive)
File: XPSP3_QFE_POSReady_Addon_20231213_ESN.7z (4Shared)
MD5: fec168f42b828f0e6b9e76995127fca8
SHA-1: 5a69aec94ad94ad338e8eaf63e390efd4ef5736a
Build date: 13/12/2023
Size: 34.7 MB
The update pack will cause setuperr.log to show dpcdll.dll, wowfax.dll and wowfaxui.dll to be unsigned. I have been unable to remedy this, but a SFC scan does not show any errors. The addon works flawlessly when integrated into a professional edition source, but when integrated into a home edition source setuperr.log shows several OLE controls are unregistered. When you log into Windows there is a message about srclient.dll not found and the following error message is displayed:
API error NTCREATEFILE. This error should never be returned by an application; it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
I am baffled by the errors when the addon is integrated into a home edition source and would appreciate some insight into how to remedy this.
Spanish POSReady 2009 Updates Archived
File: Spanish POSReady 2009 Updates.7z (Google Drive)
MD5: dba804337e0510bf3df2e30879be0b83
SHA-1: 1820e9e4b8eb2b37e08fa7f13502179524e4aa76
Build date: 16/12/2023
Size: 39.1 MB
Tagged with: Update packs, Addons (and 1 more)
-
My Windows XP OS Addons and Update Pack (2023)
Zorba the Geek replied to Zorba the Geek's topic in Application Add-Ons
Thanks for providing a link to this fantastic archive of all the NT5.1x final updates released in every language. Had I had this resource my build of the Spanish XPSP3 QFE Update Pack would have been problem free, but instead I found that many SP3 updates were no longer available at the Microsoft Update Catalog, so I had to import Spanish modules from the One Piece Spanish AIO update pack. The result is not entirely satisfactory, but it should be OK in practice.
Tagged with: Update packs, Addons (and 1 more)
-
Dibya cannot receive messages, so I am requesting here that he provide me with the source code for his Extended XP, so that I can update it.