Jump to content


  • Posts

  • Joined

  • Last visited

  • Donations

    0.00 USD 
  • Country

    United States

Posts posted by WildBill

  1. It's been about a year since I've posted, but I've been quietly working on my rewrite of kernel32.dll on and off. I've gotten it to the point where I'm pretty confident that it's finally free of any bugs :) I've posted the source and DLL here:


    I'm thinking that the next logical step would be to start on a rewrite of ntdll.dll, which I hope will be easier (since it's smaller). I'm not even using Win2k all that much anymore, but I still like the idea of eventually being able to build our own Win2k kernel that can run on modern hardware.

  2. Hi, WildBill.


    Have you fixed srv.sys critical problem?

    5.0.2195.7368 and 5.0.2195.7369.



    I can't find your announce. :P


    I apologize if my post to the problem is fixed something you have already taken care of.



    Yes, it's fixed in KB2508429 v17, which has srv.sys 5.0.2195.7371. I just double-checked the file in IDA and it's fixed.


    On another note, I'm still plugging away with my kernel32.dll rewrite. I had thought it was ready, but I found a bug when I run Seven File Replacer -- the GUI doesn't render properly. I've been slowly verifying the routines that it calls, but Seven File Replacer is a hideously complex program for some reason, so it's been really hard to track down.


    EDIT: I had a bout of insomnia and decided to work on verifying some more routines in my rewrite. What a relief -- I finally tracked that bug down! memset() in the original kernel32 is **evil**.

  3. Unfortunately, I have been unable to download Windows2000-KB2479629-v3-x86-ENU.exe.


    MediaFire says "The file you attempted to download was determined to be dangerous. For your protection, MediaFire does not enable distribution of dangerous files."


    That's just bizarre. I scanned it on my end with Avast and it's clean, so I deleted it from MediaFire and I'm re-uploading it. I'll update the link once it completes.


    Hmm. It still thinks it's infected, so I rebuilt the .exe and I'm reposting it. For some reason the new one is different from the original. I have no idea why.

  4. I've got a couple new versions posted up on the master list:










    (There was no v2, that was internal and only added IsProcessInJob)







    Added support to NtQuerySystemInformation for new kernel32 API calls

  5. Thanks! I'm almost fully recovered; I had a bout of anemia a couple weeks ago, and I've been cooking steaks every night to try to get my numbers back up. I'll be seeing the doc tomorrow, but I anticipate that I should be back to work on Monday.


    I've started looking at the requested routines, and it looks like I only need to add CreateActCtxW (as the patch versions I have here already contain the other routines). That one will be tricky because I've found that putting in stub versions causes some applications to act wonky (because they expect them to actually work). I once took a stab ad making fully functional versions of the activation context API (which MS calls the Fusion API), but it's far from trivial. Still, taking another look never hurts.

  6. Thanks for your work Wildbill.

    To run some modern browsers, some missing dependencies are required. Could you add them?

    GetNumaHighestNodeNumber - Palemoon AtomXP 25x, Firefox 39x

    GetLogicalProcessorInformation - Palemoon AtomXP SSE (for old processors) - http://www.romanstefko.com/pale-moon-sse/

    CreateActCtxW - K-meleon 75x

    WTSGetActiveConsoleSessionId, RtlCaptureContext - Vivaldi - https://vivaldi.com/


    Funny that you mention those, since I'm testing an update here that adds the first two (GetNumaHighestNodeNumber and GetLogicalProcessorInformation). Unfortunately health issues intervened and I'm currently recovering from gall bladder surgery. When I get back on my feet so to speak I'll try to remember to look at the rest of those.

  7. It's been a long while since I mentioned it, but I've quietly been working on a total rewrite of kernel32.dll in C. It took forever, but I've finally squashed enough of the bugs such that it's booting in a VM without exhibiting any errors. Once I synchronize it with the current kernel32.dll in my patches, I'll be releasing a new version of the rewrite with full source.

  8. I've been sitting on the update so I could test it thoroughly, but I just posted KB2479629. It combines KB2479628 and KB2393802, rendering them obsolete. It also adds some new stuff:




    The fix for the NTQueryInformationProcess bug that blackwingcat found.




    Added SetupUninstallOEMInfW




    Added true implementations for the following (for mouse and keyboard support only, not other USB devices)













    Kernel-side implementation of the raw-input API that user32.dll invokes (where the real work is).




    Added stubs for WTSRegisterSessionNotification and WTSUnRegisterSessionNotification

  9. I'm putting together a patched called KB2479629 that combines KB2479628 and KB2393802. It incorporates fixes to the bug that blackwingcat found, the win32k.sys raw-input API, and I think a few other things (I'll have to go back and see what else I added). KB2479629 isn't used by MS so it should be safe to use.

  10. Thanks! I'll integrate it into the next patch. I'm currently testing a win32k/user32 update that adds support for the raw-input API for mouse and keyboard devices. The changes are pretty intrusive so I want to really thoroughly test it before releasing it. Since win32k.sys is contained in both KB2393802 and KB2479628, I'm leaning pretty heavily on combining the two patches and coming up with some other designation for it. I also found at least two potential crash bugs in win32k.sys that the update fixes.

  11. I did some more investigating, and this is something that I'm really going to need help with. The fault during the call to DefineDosDeviceW is really occurring, but it's also a red herring. What's really happening is heap corruption. The stack back trace doesn't have all of the symbols in ntdll that I've figured out by reverse engineering. The actual call hierarchy is like this:






    I'm attaching a .dbg file for ntdll that I've generated from my .map file that has lots more symbol info, but the real issue is there is a bug somewhere in the kernel32 rewrite that's corrupting the application heap. I've suspected this for some time but haven't been able to track it down. I *really* need help on this one.


  12. It looks like the exception occurred somewhere in kernel32.DefineDosDeviceW (address 0x7C5B3DE3). I'll look into it some more during the week, but from what I can see so far it happened when it called CsrFreeCaptureBuffer, which led to RtlZeroHeap, which led to the exception. Maybe it was a bad pointer?

  13. Ugh.

    The good, the bad, and the ugly.

    The good:

    I finally figured out why backup/restore functionality wasn't working in my kernel32 rewrite and fixed it.

    The bad:

    It was due to a bug I introduced right when I first started patching kernel32.dll.

    The ugly:

    I just posted KB2393802 v21, which is an emergency release that fixes the bug.

    Any backups you made using KB2393802 prior to v21 will not restore properly.

  14. This is very interesting :) I've always wished the compatibility between yours and BWC versions of the same files was better. There are still many cases where the APIs offered by your version of a file and by a BWC version of the same file are completely different :(

    Yeah, I generally work on mine independently. If I had a list of the API differences handy I'd probably be able to add whatever is missing.

    Anyway, Windows2000-KB2479628-v10-x86-ENU.exe is now available. I've integrated blackwingcat's additions, and I'm posting this from Firefox 26!

    I did make a couple of changes to blackwingcat's code, however. There was one case where he loads a DLL and then unloads it, but leaves the handle to it unchanged. This could cause other API calls to fail because they would think the DLL was loaded when it wasn't. I bypassed the call to UnloadLibrary() for safety's sake.

    The other change was in how I handle the call to CoCreateInstance(). I call the full routine, which checks to see if it's loaded or not. blackwingcat calls to the middle of it, which seems unsafe to me.

    Other than that, the functionality is identical.


  15. Hey everyone, I have three new updates available. They add a bunch of new API calls:






    NtQueryInformationProcess: added support for PROCESSINFOCLASS.ProcessImageFileName (0x1B), required by psapi additions below








    In kernel32, I implemented the GetGeoInfo functionality by adding GEOINFO resources to the file with Resource Hacker. They're a set of $-delimited Unicode strings that contain the returned values for Geo info types 1 through 11 (everything that I could dump from a Win7 box). If you need to make a localized version, I strongly recommend adding new localized entries and leaving the existing 1033 (en-US) strings in place: this is because the code that I added will substitute locale 1033 (0x409: en-US) if a program asks for the invariant locale 0x7F (which Win2k doesn't have).

    At some point I want to add a way to override the OS version information that applications receive: I wanted to try out the Neverwinter MMO, and I was only able to get it to install by trapping a call to GetVersionEx in a debugger and changing the returned values to tell it the build was 5.1.2600 (XP). I hate it when apps try to protect you from yourself! Anyway, once you get past the installation process, it runs just fine with these patches installed.

    I was also able to play The Witcher, but you have to grab dbghelp.dll from XP SP3 and put it in the game's folder. I've started looking at trying to upgrade 2k's dbghelp.dll to support the API calls it needs, but it's not a trivial process.

  • Create New...