XP ntoskrnl replace?

[Artificial]

I have a problem replacing ntoskrnl.exe on XP SP2.

Each time i replace it the system file protection copys original file over it.

I tried replacing ntoskrnl.exe in windows\system32, windows\Driver Cache\i386, windows\Driver Cache\i386\sp2.cab, windows\system32\dllcache. They all stayed modified, and when i replaced the system32 one it changed again! It is the only copy of that file in the system. I even tried disconnecting from internet if it was pulling file from win update, but that was not the case.

What can i do?

[damian666]

here man, use my replacer.

that will force the replacement on the next reboot.

So before file protection is running

damian666

Replacer

Edited April 21, 2008 by damian666

[Artificial]

I don't normally like downloading .exes from forums . Couldn't you do that with .bat?

Isn't file protection checking the file version? So timing when the file is replaced shouldn't matter.

[damian666]

he, i dont force you to trust me man...

i dont care what you do with it.

i am just trying to help, and no, it does not only check fileversion, but also size and stuff.

It will work man, it always does so...

Damian666

btw, its a zipfile man, scan before opening it

[Artificial]

Lol, scanning wouldn't help

Tnx, for that. I'll try it now.

[Artificial]

the file gets now replaced, but the changes aren't visible.

Do you know of any way how to replace the windows hibernating screen? The one with black background, windows logo and "hibernating..." below the logo. It seems like ntoskrnl doesn't control it, or am i doing something wrong?

[damian666]

it takes 2 reboots to be visible man

thats because the bootscreen is in use on reboot.

try it...

juts reboot again.

Damian666

[Artificial]

restarted several times, but it is always the same. The file in system32 is the modified one.

[damian666]

well, i do know that there are two files like that.

look for ntkrnlmp.exe, or ntkrnlpa.exe.

those have the same bmp's as the ntoskrnl so maybe thats it man...

let me know ok?

Damian666

Edited April 22, 2008 by damian666

[Artificial]

edited ntkrnlpa.exe, and now i get no image at all. Just black when going into hibernation.

Everything seems to work with no problem other than that. It wakes up normally and everything works.

[Artificial]

I found the problem... It was that when i edited the 16 color image and saved it the image editing program automatically saved it as 32bit :/

Working now with original ntoskrnl and modified ntkrnlpa.

Thank you for your help.

[damian666]

well, then you did find out what file to modify...

now only to make it work

have fun man

damian666

[Kelsenellenelvian]

I don't normally like downloading .exes from forums . Couldn't you do that with .bat?

Isn't file protection checking the file version? So timing when the file is replaced shouldn't matter.

HAHAAHH You REALLY are missing out on a lot of good stuff then m8.

Any and I mean ANY half decent antivirus will scan a compressed file and tell you if there is a virus in it.

[Artificial]

I am not missing a lot of good stuff I just dont trust just anyone who offer me a *system file* replacer in a .exe. (Posted by a user with 666 in his nick ) And especially on forum like this where most of things is done manually.

YOU are the one who is naive

Antivirus only scans for KNOWN viruses. This exe could just delete original file, and replace it with an empty file. Or even replace the MBR or ntldr, or anything else. Antivirus would just say there is no virus here.

Thank you again, damian666.

[damian666]

hahahahaha, relax guys, i must say he does has a point there...

666 is not something that invokes trust in people

And about the virus warning, a good Av would find it man, it does that good for autoit

applications.

But if you looked around the forum, you would have seen that i am trusted here man...

I dont moderate a forum for nothing...

but hee, just have fun man

damian666