Jump to content

PE Tool for creating patches


WildBill

Recommended Posts

I've got a new v13 of KB2393802 up, which fixes one bug and adds a bunch of new kernel functions:

ntdll.dll

Bugfixes:

RtlRandomEx -- Fixed a bug that would cause an exception (and would return an incorrect result anyway)

New additions:

NtOpenProcessTokenEx

NtOpenThreadTokenEx

ZwOpenProcessTokenEx

ZwOpenThreadTokenEx

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

New additions:

RtlHashUnicodeString

RtlRandomEx

RtlInitializeGenericTableAvl

RtlInsertElementGenericTableFullAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlLookupElementGenericTableFullAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExW

RtlIpv4StringToAddressA

RtlIpv4StringToAddressExA

RtlIpv4AddressToStringA

RtlIpv4AddressToStringExA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringExA

RtlIpv6StringToAddressA

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExW

ExGetCurrentProcessorCpuUsage

ExGetCurrentProcessorCounts

ExfInterlockedCompareExchange64

FsRtlIncrementCcFastReadNoWait

FsRtlIncrementCcFastReadNotPossible

FsRtlIncrementCcFastReadResourceMiss

FsRtlIncrementCcFastReadWait

Existing routines added to the export table:

ExVerifySuite

HalExamineMBR

Edited by WildBill
Link to comment
Share on other sites


Thanks! It's become apparent to me that in the long run we've got to rewrite these in C if we're ever going to get compatibility past a certain point (I don't just want to match XP, I want to eventually surpass it). I'm well past the 95% point of starting to have my first rev of kernel32 rewritten, but all this ntoskrnl work is keeping me away from it. I ve amassed enough info from reverse-engineering ntoskrnl that I could rewrite large portions of it with little difficulty, but the files are so huge that a complete rewrite would likely be a 2-year proposition (as it stands I'm coming up on a year for kernel32). I'm happy to do it since it's my OS of choice and I use it every day, but I think I could use some advice on how to break some of the effort up. Besides, it's always going to be easier to rewrite and test small portions at a time, but I'm not sure how to do it). Csrsrv and basesrv were small enough that I could rewrite them all at once but the kernel files aren't).

On a related note, I'm trying to assist someone with getting SEP (Symantec Endpoint Protection) working with the new kernel. It's resulting with STOP errors (IRQL not less or equal, happening in IoGetAttachedDevice), and I'm not all that knowledgeable enough with WinDbg that I might be enough of a help. I managed to generate an updated .DBG file with the correct symbols for the uniprocessor ntoskrnl.exe, but that isn't helping all that much (and I can provide accurate .MAP files using a customized Ida Pro script I use). Would anyone be able to help diagnose this? Compatibility is of course the primary goal of extending the kernel, but it's causing me to put the kernel32 rewrite on hold.

One of the things I think I need to add is an Ida script to generate .DBG files in addition to .MAP files (the built-in Ida function generates incorrect .MAP files, which is why I use my own script). If I can find the source to map2dbg or if someone can point me to it I should be able to add it to my Ida script. I also need to write an Ida script that can import a .MAP file and update the Ida database. That would be huge.

If there are any Ida users who woukd like to use my .idc scripts just say the word. For me they've been critical to getting this far,

Link to comment
Share on other sites

Can you make a KB955704 exFAT patch?

unfortunately, that is not possible as the exFAT drivers from KB955704 didn't work on my Win2000 SP4 + UR1 (update rollup 1) machine as I've recently tested myself with an 8Gb exFAT formatted USB flash drive. exfat.sys driver loaded on w2k but can't recognize my exFAT formatted USB flash drive as win2000 explorer tells me the flash drive is not formatted. :no:

thus the exfat drivers from KB955704 won't work on anything older than XP.

only hope for exfat support on win2k & older is a 3rd party driver of some sort.

EDIT: I found out that the exfat.sys and uexfat.dll files are useless without an exFAT-ready shell32.dll file.

see attached picture below:

shell32-winxp-exfat-support_zps8e56f589.jpg

this is a WinXP shell32.dll file with exFAT support. until exFAT support is implemented into the shell32.dll library file for Win2k, the exFAT SYS and DLL files won't do any good.

Edited by erpdude8
Link to comment
Share on other sites

exFAT support might also be in win32k.sys...don't hold me to that, but I have a nagging feeling that I might have seen some support for it there. It might be worth a quick search.

How large is exfat.sys? If it's really smsll it might be worth rewriting.

Link to comment
Share on other sites

Hmm that's not *too* bad, but it depends a whole lot on what's in it. If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out. I paid for the Ida decompiler, so I can generate (albeit very messy) C code. It won't be recompilable out of the box, but it's step 1, as it were. At least it might shed some light on some of the logic.

For me, the two most painful parts of the rewriting process have been reverse-engineering the structures and then figuring out what the really large and complex routines are trying to do. I've figured out a ton of internal structures in rewriting kernel32, but who knows how much that might overlap with a driver. If someone wants to take a stab at rewriting it (or even just the easier parts), I can probably provide enough information to get them at least something useful to start with.

One caveat, though, the generated C code isn't always correct. I can also generate .asm files and .map files that are also useful. Often I have to correlate the two when something looks fishy in the generated C code.

Link to comment
Share on other sites

If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out.

It's in this update:

http://www.microsoft...s.aspx?id=19364

That extracts out to a directory containing the following:



Volume in drive G is DATA
Volume Serial Number is 7A4C-636C

Directory of G:\exfat

10/16/2012 06:58 PM <DIR> .
10/16/2012 06:58 PM <DIR> ..
10/16/2012 06:58 PM 0 dirlist.txt
10/16/2012 06:55 PM <DIR> SP2GDR
10/16/2012 06:55 PM <DIR> SP2QFE
10/16/2012 06:55 PM <DIR> SP3GDR
10/16/2012 06:55 PM <DIR> SP3QFE
11/30/2007 07:18 AM 17,272 spmsg.dll
11/30/2007 07:18 AM 231,288 spuninst.exe
10/16/2012 06:55 PM <DIR> update
3 File(s) 248,560 bytes

Directory of G:\exfat\SP2GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:58 AM 133,632 exfat.sys
09/30/2008 02:44 AM 18,944 fmifs.dll
09/29/2008 05:59 AM 30,720 format.com
09/29/2008 05:58 AM 9,216 fs_rec.sys
09/30/2008 02:44 AM 77,824 ifsutil.dll
09/30/2008 02:44 AM 8,455,168 shell32.dll
09/30/2008 02:44 AM 57,344 uexfat.dll
09/30/2008 02:44 AM 278,528 ulib.dll
8 File(s) 9,061,376 bytes

Directory of G:\exfat\SP2QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:53 AM 133,632 exfat.sys
09/30/2008 02:05 AM 18,944 fmifs.dll
09/29/2008 05:54 AM 30,720 format.com
09/29/2008 05:53 AM 9,216 fs_rec.sys
09/30/2008 02:05 AM 77,824 ifsutil.dll
09/30/2008 11:35 AM 8,461,312 shell32.dll
09/30/2008 02:05 AM 57,344 uexfat.dll
09/30/2008 02:05 AM 278,528 ulib.dll
09/29/2008 05:46 AM 351,744 xpsp3res.dll
9 File(s) 9,419,264 bytes

Directory of G:\exfat\SP3GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:21 AM 133,632 exfat.sys
09/30/2008 02:19 AM 18,944 fmifs.dll
09/29/2008 06:22 AM 30,720 format.com
09/29/2008 06:20 AM 9,216 fs_rec.sys
09/30/2008 02:19 AM 77,824 ifsutil.dll
09/30/2008 02:19 AM 8,461,824 shell32.dll
09/30/2008 02:19 AM 57,344 uexfat.dll
09/30/2008 02:19 AM 278,528 ulib.dll
8 File(s) 9,068,032 bytes

Directory of G:\exfat\SP3QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:51 AM 133,632 exfat.sys
09/30/2008 01:56 AM 18,944 fmifs.dll
09/29/2008 06:52 AM 30,720 format.com
09/29/2008 06:50 AM 9,216 fs_rec.sys
09/30/2008 01:56 AM 77,824 ifsutil.dll
09/30/2008 01:56 AM 8,462,336 shell32.dll
09/30/2008 01:56 AM 57,344 uexfat.dll
09/30/2008 01:56 AM 278,528 ulib.dll
8 File(s) 9,068,544 bytes

Directory of G:\exfat\update

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/30/2008 02:32 AM 926 branches.inf
11/30/2007 10:17 AM 804 eula.txt
09/30/2008 06:29 AM 22,668 KB955704.CAT
11/30/2007 07:18 AM 26,488 spcustom.dll
11/30/2007 07:18 AM 755,576 update.exe
09/30/2008 04:49 PM 3,028 update.ver
09/30/2008 02:32 AM 678 updatebr.inf
09/30/2008 06:36 AM 24,318 update_SP2GDR.inf
09/30/2008 06:32 AM 25,523 update_SP2QFE.inf
09/30/2008 06:38 AM 27,395 update_SP3GDR.inf
09/30/2008 06:29 AM 27,395 update_SP3QFE.inf
07/09/2008 03:38 AM 382,840 updspapi.dll
12 File(s) 1,297,639 bytes

Total Files Listed:
48 File(s) 38,163,415 bytes
17 Dir(s) 402,366,476,288 bytes free

So it looks like it's a _lot_ more than just the exfat.sys driver file :(

Maybe in code, it's just a function or two ?

Link to comment
Share on other sites

Oh, no, its a lot of functions. With a lot of help from Google I've made a little sense of it, but it's still about 400 functions (a handful of which are rather large). The first problem with the sys I found is that one function uses SetFilterToken from ntoskrnl, which my kernel doesn't have. I suspect, though, that the biggest incompatibilities are in the data structures involved. It accesses some system-level data structures that tend to differ between XP and 2k (though I'd have to completely reverse-engineer the data structures to be sure). It might be possible to rewrite it as a 2k-compatible version, but it would involve quite a bit of effort. I haven't even looked at the other files.

Link to comment
Share on other sites

There are 310 functions in the XPSP2 version of exfat.sys. I don't have the time to fully reverse-engineer it, but here is what Ida spits out after a few days of trying to figure it out and plugging in whatever info I can find by Googling. It's at least a starting point if anyone wants to take a crack at rewriting it. One caveat: the C code that Ida generates never shows try...except or try...finally blocks so be sure to use the generated asm file for that logic.

Edited by WildBill
Link to comment
Share on other sites

I finally have all of the required kernel32 functions written in C and I've started writing unit tests...

AreFileApisANSI                   PASSED
FreeEnvironmentStringsA PASSED
FreeEnvironmentStringsW PASSED
GetACP PASSED
GetCommandLineA PASSED
GetCommandLineW PASSED
GetComputerNameA PASSED
GetComputerNameW PASSED
GetConsoleAliasExesLengthA PASSED
GetConsoleAliasExesLengthW PASSED
GetConsoleCP PASSED
GetConsoleDisplayMode PASSED
GetConsoleInputExeNameA PASSED
GetConsoleInputExeNameW PASSED
GetConsoleKeyboardLayoutNameA PASSED
GetConsoleKeyboardLayoutNameW PASSED
GetConsoleOutputCP PASSED
GetConsoleTitleA PASSED
GetConsoleTitleW PASSED
GetConsoleWindow PASSED
GetCurrentDirectoryA PASSED
GetCurrentDirectoryW PASSED
GetCurrentProcess PASSED
GetCurrentProcessId PASSED
GetCurrentThread PASSED
GetCurrentThreadId PASSED
GetDefaultSortkeySize PASSED
GetDllDirectoryA PASSED
GetDllDirectoryW PASSED
GetEnvironmentStringsA PASSED
GetEnvironmentStringsW PASSED
GetLinguistLangSize PASSED
GetLogicalDrives PASSED
GetModuleFileNameA PASSED
GetModuleFileNameW PASSED
GetModuleHandleA PASSED
GetModuleHandleW PASSED
GetNumberOfConsoleFonts PASSED
GetNumberOfConsoleMouseButtons PASSED
GetOEMCP PASSED
GetPriorityClass PASSED
GetProcessAffinityMask PASSED
GetProcessHandleCount PASSED
GetProcessHeap PASSED
GetProcessPriorityBoost PASSED
GetProcessShutdownParameters PASSED
GetProcessVersion PASSED
GetProcessWorkingSetSize PASSED
GetSystemDefaultLangID PASSED
GetSystemDefaultLCID PASSED
GetSystemDefaultUILanguage PASSED
GetSystemPowerStatus PASSED
GetSystemWindowsDirectoryA PASSED
GetSystemWindowsDirectoryW PASSED
GetTempPathA PASSED
GetTempPathW PASSED
GetThreadLocale PASSED
GetThreadPriority PASSED
GetTickCount PASSED
GetUserDefaultLangID PASSED
GetUserDefaultLCID PASSED
GetUserDefaultUILanguage PASSED
GetVersion PASSED
GetVersionExA PASSED
GetVersionExW PASSED
GetWindowsDirectoryA PASSED
GetWindowsDirectoryW PASSED
GlobalMemoryStatus PASSED
InterlockedCompareExchange PASSED
InterlockedDecrement PASSED
InterlockedExchange PASSED
InterlockedExchangeAdd PASSED
InterlockedIncrement PASSED
IsDebuggerPresent PASSED
lstrcatA PASSED
lstrcatW PASSED
lstrcpyA PASSED
lstrcpyW PASSED
lstrcpynA PASSED
lstrcpynW PASSED
lstrlenA PASSED
lstrlenW PASSED
NlsGetCacheUpdateCount PASSED
Sleep PASSED
TermsrvAppInstallMode PASSED

Edited by WildBill
Link to comment
Share on other sites

  • 3 weeks later...

Hey WildBill,

How is your work on the new kernel32.dll going?

I wonder if you could implement some of the APIs which BlackWingCat has added to his kernel (the newest version is KB935839-v22j and also KB979683-v11b). His kernel is capable of running applications compiled in VS2012 and also all dependencies related to .NET Framework 3.5 and 4.0 are fixed in it. He also "patched" the kernel exe files (ntoskrnl.exe and the three other files) so that it's possible to use more cores in Win2k Pro / Server (the number can be set manually through the registry - download KB979683-CoreChg.zip) and you can also enable PAE in Win2k Pro / Server so that the system can use up to 8 GB of RAM.

If you want to test .NET Framework then you can check my installer from here. It's a combined installer of all .NET Frameworks (from 1.0 to 4.0).

I'm really looking forward to try the new rewritten kernel. At the moment I'm using the BlackWingCat's version but I used yours before and actually found it much more stable.

Link to comment
Share on other sites

I've just compared ntkrnlmp.exe from WildBill and BlackWingCat.

APIs present only in WB ntkrnlmp.exe 5.0.2195.7384:

CcMdlWriteAbort
DbgQueryDebugFilterState
DbgSetDebugFilterState
ExVerifySuite
FsRtlIncrementCcFastReadNotPossible
FsRtlIncrementCcFastReadNoWait
FsRtlIncrementCcFastReadResourceMiss
FsRtlIncrementCcFastReadWait
HalExamineMBR
IoForwardAndCatchIrp
IoForwardIrpSynchronously
IoQueryFileDosDeviceName
KeAcquireInterruptSpinLock
KeQueryActiveProcessorCount
KeReleaseInterruptSpinLock
MmProtectMdlSystemAddress
NtOpenProcessTokenEx
NtOpenThreadToken
NtOpenThreadTokenEx
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplayingAvl
RtlGetElementGenericTableAvl
RtlHashUnicodeString
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlInsertElementGenericTableFullAvl
RtlInt64ToUnicodeString
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsGenericTableEmptyAvl
RtlLookupElementGenericTableAvl
RtlLookupElementGenericTableFullAvl
RtlNumberGenericTableElementsAvl
RtlTestBit
vDbgPrintEx
vDbgPrintExWithPrefix
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
ZwQueryInformationThread

APIs present only in BWC ntkrnlmp.exe 5.0.2195.7386:

IoCsqInitialize
IoCsqInsertIrp
IoCsqRemoveIrp
IoCsqRemoveNextIrp
IoSetCompletionRoutineEx
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeDeregisterBugCheckReasonCallback
KeGetRecommendedSharedDataAlignment
KeRegisterBugCheckReasonCallback
KeReleaseInStackQueuedSpinLockFromDpcLevel
ObSetSecurityObjectByPointer
PsGetCurrentThreadStackBase
PsGetCurrentThreadStackLimit
PsGetProcessWin32Process
PsGetThreadId
PsGetThreadProcessId
PsGetThreadWin32Thread
SeTokenObjectType
_alloca_probe

Same thing for kernel32.dll.

APIs present only in WB kernel32.dll 5.0.2195.7154:

AddLocalAlternateComputerNameA
AddLocalAlternateComputerNameW
CopyLZFile
CreateNlsSecurityDescriptor
CreateSocketHandle
EnumerateLocalComputerNamesA
EnumerateLocalComputerNamesW
GetCPFileNameFromRegistry
GetExpandedNameA
GetExpandedNameW
IsValidUILanguage
LZClose
LZCloseFile
LZCopy
LZCreateFileW
LZDone
LZInit
LZOpenFileA
LZOpenFileW
LZRead
LZSeek
LZStart
RemoveLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
SetClientTimeZoneInformation
SetLocalPrimaryComputerNameA
SetLocalPrimaryComputerNameW

APIs present only in BWC kernel32.dll 5.0.2195.7193:

ActivateActCtx
AddRefActCtx
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
BaseCheckAppcompatCache
CheckForReadOnlyResource
CheckRemoteDebuggerPresent
CompareStringEx
ConvertFiberToThread
CreateActCtxA
CreateActCtxW
CreateSemaphoreExA
CreateSemaphoreExW
DeactivateActCtx
DebugActiveProcessStop
DecodeSystemPointer
EncodeSystemPointer
EnumSystemGeoID
EnumSystemLocalesEx
FindActCtxSectionGuid
FindActCtxSectionStringA
FindActCtxSectionStringW
FindFirstStreamW
FindNextStreamW
FindNLSString
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
GetCurrentActCtx
GetDateFormatEx
GetFirmwareEnvironmentVariableA
GetFirmwareEnvironmentVariableW
GetGeoInfoA
GetGeoInfoW
GetLocaleInfoEx
GetNLSVersion
GetNLSVersionEx
GetProcessDEPPolicy
GetSystemDEPPolicy
GetThreadId
GetThreadIOPendingFlag
GetThreadPreferredUILanguages
GetTickCount64
GetTimeFormatEx
GetUserGeoID
InitializeCriticalSectionEx
InitOnceExecuteOnce
IsProcessInJob
IsValidLocaleName
LCMapStringEx
QueryActCtxW
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
ReleaseActCtx
SetFirmwareEnvironmentVariableA
SetFirmwareEnvironmentVariableW
SetProcessDEPPolicy
SetThreadPreferredUILanguages
SetThreadStackGuarantee
WTSGetActiveConsoleSessionId
ZombifyActCtx

And ntdll.dll...

APIs present only in WB ntdll.dll 5.0.2195.7085:

CsrCaptureMessageMultiUnicodeStringsInPlace
LdrAccessOutOfProcessResource
LdrAddRefDll
LdrCreateOutOfProcessImage
LdrDestroyOutOfProcessImage
LdrEnumerateLoadedModules
LdrFindCreateProcessManifest
LdrGetDllHandleEx
LdrInitShimEngineDynamic
LdrSetAppCompatDllRedirectionCallback
LdrSetDllManifestProber
NtOpenProcessTokenEx
NtOpenThreadTokenEx
NtSetDebugFilterState
RtlActivateActivationContext
RtlActivateActivationContextEx
RtlActivateActivationContextUnsafeFast
RtlAddRefActivationContext
RtlAddRefMemoryStream
RtlAddressInSectionTable
RtlAddVectoredExceptionHandler
RtlAppendPathElement
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlComputeCrc32
RtlComputePrivatizedDllName_U
RtlCopyMemoryStreamTo
RtlCopyOutOfProcessMemoryStreamTo
RtlCreateActivationContext
RtlCreateBootStatusDataFile
RtlDeactivateActivationContext
RtlDeactivateActivationContextUnsafeFast
RtlDecodePointer
RtlDecodeSystemPointer
RtlDeleteElementGenericTableAvl
RtlDosApplyFileIsolationRedirection_Ustr
RtlDosSearchPath_Ustr
RtlDuplicateUnicodeString
RtlEncodePointer
RtlEncodeSystemPointer
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplayingAvl
RtlFinalReleaseOutOfProcessMemoryStream
RtlFindActivationContextSectionGuid
RtlFindActivationContextSectionString
RtlFreeThreadActivationContextStack
RtlGetActiveActivationContext
RtlGetElementGenericTableAvl
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlGetLengthWithoutTrailingPathSeperators
RtlGetNtVersionNumbers
RtlGetSetBootStatusData
RtlInitializeGenericTableAvl
RtlInitMemoryStream
RtlInitOutOfProcessMemoryStream
RtlInsertElementGenericTableAvl
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsActivationContextActive
RtlIsGenericTableEmptyAvl
RtlLockBootStatusData
RtlLockMemoryStreamRegion
RtlLookupElementGenericTableAvl
RtlMultiAppendUnicodeStringBuffer
RtlNumberGenericTableElementsAvl
RtlpApplyLengthFunction
RtlpNotOwnerCriticalSection
RtlQueryInformationActivationContext
RtlQueryInformationActiveActivationContext
RtlQueryInterfaceMemoryStream
RtlReadMemoryStream
RtlReadOutOfProcessMemoryStream
RtlReleaseActivationContext
RtlReleaseMemoryStream
RtlRemoveVectoredExceptionHandler
RtlRestoreLastWin32Error
RtlRevertMemoryStream
RtlSeekMemoryStream
RtlSetMemoryStreamSize
RtlStatMemoryStream
RtlUnlockBootStatusData
RtlUnlockMemoryStreamRegion
RtlWriteMemoryStream
RtlZombifyActivationContext
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
ZwQueryDebugFilterState
ZwSetDebugFilterState
_alldvrm
_aulldvrm

APIs present only in BWC ntdll.dll 5.0.2195.7103:

IVerSC
NtAddBootEntry
NtDeleteBootEntry
NtEnumerateBootEntries
NtEnumerateSystemEnvironmentValuesEx
NtLockProductActivationKeys
NtModifyBootEntry
NtQueryBootEntryOrder
NtQueryBootOptions
NtQuerySystemEnvironmentValueEx
NtSetBootEntryOrder
NtSetBootOptions
NtSetSystemEnvironmentValueEx
NtTranslateFilePath
RtlApplicationVerifierStop
RtlDllShutdownInProgress
RtlGetLastNtStatus
RtlInterlockedPushListSList
RtlLogStackBackTrace
RtlQueryTickCountEx
RtlRunOnceBeginInitialize
RtlRunOnceComplete
RtlRunOnceExecuteOnce
SetExKernelConfig
WinSqmAddToStream
_EVH

Link to comment
Share on other sites

  • 2 weeks later...

I think I'm going to need some help with my kernel32 rewrite. I have it passing 130 unit tests, but I can't seem to get WinExec working. I've loaded up most of the routines involved with debugging output and I can't find anything wrong, but it doesn't properly spawn the process. I can post the project sources if anyone would like to help tracking the problem down.

The way I test it is to copy the new kernel32 to kernel32_new.dll, and have my test program perform tests against the normal kernel32 and the rewritten one and compare the results. My WinExec test attempts to spawn calc.exe from both of them. It works with the normal kernel32, but the rewritten one doesn't fully spawn the process. I get a running calc.exe in Task Manager but the window never appears and it seems to want to consume about 5% CPU until I kill it. I've been fighting with this for a couple of weeks and I'm stumped.

Testing this way lets me protect my system since I don't have to replace kernel32, though so far I haven't tested any kernel32 routines that change anything--only the ones that read info or do things that don't affect the system.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...