PE Tool for creating patches

[WildBill]

I've got a new v13 of KB2393802 up, which fixes one bug and adds a bunch of new kernel functions:

ntdll.dll

Bugfixes:

RtlRandomEx -- Fixed a bug that would cause an exception (and would return an incorrect result anyway)

New additions:

NtOpenProcessTokenEx

NtOpenThreadTokenEx

ZwOpenProcessTokenEx

ZwOpenThreadTokenEx

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

New additions:

RtlHashUnicodeString

RtlRandomEx

RtlInitializeGenericTableAvl

RtlInsertElementGenericTableFullAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlLookupElementGenericTableFullAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExW

RtlIpv4StringToAddressA

RtlIpv4StringToAddressExA

RtlIpv4AddressToStringA

RtlIpv4AddressToStringExA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringExA

RtlIpv6StringToAddressA

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExW

ExGetCurrentProcessorCpuUsage

ExGetCurrentProcessorCounts

ExfInterlockedCompareExchange64

FsRtlIncrementCcFastReadNoWait

FsRtlIncrementCcFastReadNotPossible

FsRtlIncrementCcFastReadResourceMiss

FsRtlIncrementCcFastReadWait

Existing routines added to the export table:

ExVerifySuite

HalExamineMBR

Edited October 7, 2012 by WildBill

[discdude]

WildBill,

Thanks for all your hard work. I installed the updated KB2393802 and KB2508429 and everything seems to be working fine.

[WildBill]

Thanks! It's become apparent to me that in the long run we've got to rewrite these in C if we're ever going to get compatibility past a certain point (I don't just want to match XP, I want to eventually surpass it). I'm well past the 95% point of starting to have my first rev of kernel32 rewritten, but all this ntoskrnl work is keeping me away from it. I ve amassed enough info from reverse-engineering ntoskrnl that I could rewrite large portions of it with little difficulty, but the files are so huge that a complete rewrite would likely be a 2-year proposition (as it stands I'm coming up on a year for kernel32). I'm happy to do it since it's my OS of choice and I use it every day, but I think I could use some advice on how to break some of the effort up. Besides, it's always going to be easier to rewrite and test small portions at a time, but I'm not sure how to do it). Csrsrv and basesrv were small enough that I could rewrite them all at once but the kernel files aren't).

On a related note, I'm trying to assist someone with getting SEP (Symantec Endpoint Protection) working with the new kernel. It's resulting with STOP errors (IRQL not less or equal, happening in IoGetAttachedDevice), and I'm not all that knowledgeable enough with WinDbg that I might be enough of a help. I managed to generate an updated .DBG file with the correct symbols for the uniprocessor ntoskrnl.exe, but that isn't helping all that much (and I can provide accurate .MAP files using a customized Ida Pro script I use). Would anyone be able to help diagnose this? Compatibility is of course the primary goal of extending the kernel, but it's causing me to put the kernel32 rewrite on hold.

One of the things I think I need to add is an Ida script to generate .DBG files in addition to .MAP files (the built-in Ida function generates incorrect .MAP files, which is why I use my own script). If I can find the source to map2dbg or if someone can point me to it I should be able to add it to my Ida script. I also need to write an Ida script that can import a .MAP file and update the Ida database. That would be huge.

If there are any Ida users who woukd like to use my .idc scripts just say the word. For me they've been critical to getting this far,

[erpdude8]

Can you make a KB955704 exFAT patch?

unfortunately, that is not possible as the exFAT drivers from KB955704 didn't work on my Win2000 SP4 + UR1 (update rollup 1) machine as I've recently tested myself with an 8Gb exFAT formatted USB flash drive. exfat.sys driver loaded on w2k but can't recognize my exFAT formatted USB flash drive as win2000 explorer tells me the flash drive is not formatted.

thus the exfat drivers from KB955704 won't work on anything older than XP.

only hope for exfat support on win2k & older is a 3rd party driver of some sort.

EDIT: I found out that the exfat.sys and uexfat.dll files are useless without an exFAT-ready shell32.dll file.

see attached picture below:

this is a WinXP shell32.dll file with exFAT support. until exFAT support is implemented into the shell32.dll library file for Win2k, the exFAT SYS and DLL files won't do any good.

Edited October 13, 2012 by erpdude8

[WildBill]

exFAT support might also be in win32k.sys...don't hold me to that, but I have a nagging feeling that I might have seen some support for it there. It might be worth a quick search.

How large is exfat.sys? If it's really smsll it might be worth rewriting.

[tomasz86]

How large is exfat.sys? If it's really smsll it might be worth rewriting.

exfat.sys 5.1.2600.3453 133,632 bytes

[WildBill]

Hmm that's not *too* bad, but it depends a whole lot on what's in it. If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out. I paid for the Ida decompiler, so I can generate (albeit very messy) C code. It won't be recompilable out of the box, but it's step 1, as it were. At least it might shed some light on some of the logic.

For me, the two most painful parts of the rewriting process have been reverse-engineering the structures and then figuring out what the really large and complex routines are trying to do. I've figured out a ton of internal structures in rewriting kernel32, but who knows how much that might overlap with a driver. If someone wants to take a stab at rewriting it (or even just the easier parts), I can probably provide enough information to get them at least something useful to start with.

One caveat, though, the generated C code isn't always correct. I can also generate .asm files and .map files that are also useful. Often I have to correlate the two when something looks fishy in the generated C code.

[tomasz86]

If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out.

It's in this update:

http://www.microsoft.com/en-us/download/details.aspx?id=19364

[jimmsta]

If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out.

It's in this update:

http://www.microsoft...s.aspx?id=19364

That extracts out to a directory containing the following:

 Volume in drive G is DATA
 Volume Serial Number is 7A4C-636C

 Directory of G:\exfat

10/16/2012  06:58 PM    <DIR>          .
10/16/2012  06:58 PM    <DIR>          ..
10/16/2012  06:58 PM                 0 dirlist.txt
10/16/2012  06:55 PM    <DIR>          SP2GDR
10/16/2012  06:55 PM    <DIR>          SP2QFE
10/16/2012  06:55 PM    <DIR>          SP3GDR
10/16/2012  06:55 PM    <DIR>          SP3QFE
11/30/2007  07:18 AM            17,272 spmsg.dll
11/30/2007  07:18 AM           231,288 spuninst.exe
10/16/2012  06:55 PM    <DIR>          update
               3 File(s)        248,560 bytes

 Directory of G:\exfat\SP2GDR

10/16/2012  06:55 PM    <DIR>          .
10/16/2012  06:55 PM    <DIR>          ..
09/29/2008  05:58 AM           133,632 exfat.sys
09/30/2008  02:44 AM            18,944 fmifs.dll
09/29/2008  05:59 AM            30,720 format.com
09/29/2008  05:58 AM             9,216 fs_rec.sys
09/30/2008  02:44 AM            77,824 ifsutil.dll
09/30/2008  02:44 AM         8,455,168 shell32.dll
09/30/2008  02:44 AM            57,344 uexfat.dll
09/30/2008  02:44 AM           278,528 ulib.dll
               8 File(s)      9,061,376 bytes

 Directory of G:\exfat\SP2QFE

10/16/2012  06:55 PM    <DIR>          .
10/16/2012  06:55 PM    <DIR>          ..
09/29/2008  05:53 AM           133,632 exfat.sys
09/30/2008  02:05 AM            18,944 fmifs.dll
09/29/2008  05:54 AM            30,720 format.com
09/29/2008  05:53 AM             9,216 fs_rec.sys
09/30/2008  02:05 AM            77,824 ifsutil.dll
09/30/2008  11:35 AM         8,461,312 shell32.dll
09/30/2008  02:05 AM            57,344 uexfat.dll
09/30/2008  02:05 AM           278,528 ulib.dll
09/29/2008  05:46 AM           351,744 xpsp3res.dll
               9 File(s)      9,419,264 bytes

 Directory of G:\exfat\SP3GDR

10/16/2012  06:55 PM    <DIR>          .
10/16/2012  06:55 PM    <DIR>          ..
09/29/2008  06:21 AM           133,632 exfat.sys
09/30/2008  02:19 AM            18,944 fmifs.dll
09/29/2008  06:22 AM            30,720 format.com
09/29/2008  06:20 AM             9,216 fs_rec.sys
09/30/2008  02:19 AM            77,824 ifsutil.dll
09/30/2008  02:19 AM         8,461,824 shell32.dll
09/30/2008  02:19 AM            57,344 uexfat.dll
09/30/2008  02:19 AM           278,528 ulib.dll
               8 File(s)      9,068,032 bytes

 Directory of G:\exfat\SP3QFE

10/16/2012  06:55 PM    <DIR>          .
10/16/2012  06:55 PM    <DIR>          ..
09/29/2008  06:51 AM           133,632 exfat.sys
09/30/2008  01:56 AM            18,944 fmifs.dll
09/29/2008  06:52 AM            30,720 format.com
09/29/2008  06:50 AM             9,216 fs_rec.sys
09/30/2008  01:56 AM            77,824 ifsutil.dll
09/30/2008  01:56 AM         8,462,336 shell32.dll
09/30/2008  01:56 AM            57,344 uexfat.dll
09/30/2008  01:56 AM           278,528 ulib.dll
               8 File(s)      9,068,544 bytes

 Directory of G:\exfat\update

10/16/2012  06:55 PM    <DIR>          .
10/16/2012  06:55 PM    <DIR>          ..
09/30/2008  02:32 AM               926 branches.inf
11/30/2007  10:17 AM               804 eula.txt
09/30/2008  06:29 AM            22,668 KB955704.CAT
11/30/2007  07:18 AM            26,488 spcustom.dll
11/30/2007  07:18 AM           755,576 update.exe
09/30/2008  04:49 PM             3,028 update.ver
09/30/2008  02:32 AM               678 updatebr.inf
09/30/2008  06:36 AM            24,318 update_SP2GDR.inf
09/30/2008  06:32 AM            25,523 update_SP2QFE.inf
09/30/2008  06:38 AM            27,395 update_SP3GDR.inf
09/30/2008  06:29 AM            27,395 update_SP3QFE.inf
07/09/2008  03:38 AM           382,840 updspapi.dll
              12 File(s)      1,297,639 bytes

     Total Files Listed:
              48 File(s)     38,163,415 bytes
              17 Dir(s)  402,366,476,288 bytes free

So it looks like it's a _lot_ more than just the exfat.sys driver file

Maybe in code, it's just a function or two ?

[WildBill]

Oh, no, its a lot of functions. With a lot of help from Google I've made a little sense of it, but it's still about 400 functions (a handful of which are rather large). The first problem with the sys I found is that one function uses SetFilterToken from ntoskrnl, which my kernel doesn't have. I suspect, though, that the biggest incompatibilities are in the data structures involved. It accesses some system-level data structures that tend to differ between XP and 2k (though I'd have to completely reverse-engineer the data structures to be sure). It might be possible to rewrite it as a 2k-compatible version, but it would involve quite a bit of effort. I haven't even looked at the other files.

[WildBill]

There are 310 functions in the XPSP2 version of exfat.sys. I don't have the time to fully reverse-engineer it, but here is what Ida spits out after a few days of trying to figure it out and plugging in whatever info I can find by Googling. It's at least a starting point if anyone wants to take a crack at rewriting it. One caveat: the C code that Ida generates never shows try...except or try...finally blocks so be sure to use the generated asm file for that logic.

Edited October 17, 2012 by WildBill

[WildBill]

I finally have all of the required kernel32 functions written in C and I've started writing unit tests...

AreFileApisANSI                   PASSED
FreeEnvironmentStringsA           PASSED
FreeEnvironmentStringsW           PASSED
GetACP                            PASSED
GetCommandLineA                   PASSED
GetCommandLineW                   PASSED
GetComputerNameA                  PASSED
GetComputerNameW                  PASSED
GetConsoleAliasExesLengthA        PASSED
GetConsoleAliasExesLengthW        PASSED
GetConsoleCP                      PASSED
GetConsoleDisplayMode             PASSED
GetConsoleInputExeNameA           PASSED
GetConsoleInputExeNameW           PASSED
GetConsoleKeyboardLayoutNameA     PASSED
GetConsoleKeyboardLayoutNameW     PASSED
GetConsoleOutputCP                PASSED
GetConsoleTitleA                  PASSED
GetConsoleTitleW                  PASSED
GetConsoleWindow                  PASSED
GetCurrentDirectoryA              PASSED
GetCurrentDirectoryW              PASSED
GetCurrentProcess                 PASSED
GetCurrentProcessId               PASSED
GetCurrentThread                  PASSED
GetCurrentThreadId                PASSED
GetDefaultSortkeySize             PASSED
GetDllDirectoryA                  PASSED
GetDllDirectoryW                  PASSED
GetEnvironmentStringsA            PASSED
GetEnvironmentStringsW            PASSED
GetLinguistLangSize               PASSED
GetLogicalDrives                  PASSED
GetModuleFileNameA                PASSED
GetModuleFileNameW                PASSED
GetModuleHandleA                  PASSED
GetModuleHandleW                  PASSED
GetNumberOfConsoleFonts           PASSED
GetNumberOfConsoleMouseButtons    PASSED
GetOEMCP                          PASSED
GetPriorityClass                  PASSED
GetProcessAffinityMask            PASSED
GetProcessHandleCount             PASSED
GetProcessHeap                    PASSED
GetProcessPriorityBoost           PASSED
GetProcessShutdownParameters      PASSED
GetProcessVersion                 PASSED
GetProcessWorkingSetSize          PASSED
GetSystemDefaultLangID            PASSED
GetSystemDefaultLCID              PASSED
GetSystemDefaultUILanguage        PASSED
GetSystemPowerStatus              PASSED
GetSystemWindowsDirectoryA        PASSED
GetSystemWindowsDirectoryW        PASSED
GetTempPathA                      PASSED
GetTempPathW                      PASSED
GetThreadLocale                   PASSED
GetThreadPriority                 PASSED
GetTickCount                      PASSED
GetUserDefaultLangID              PASSED
GetUserDefaultLCID                PASSED
GetUserDefaultUILanguage          PASSED
GetVersion                        PASSED
GetVersionExA                     PASSED
GetVersionExW                     PASSED
GetWindowsDirectoryA              PASSED
GetWindowsDirectoryW              PASSED
GlobalMemoryStatus                PASSED
InterlockedCompareExchange        PASSED
InterlockedDecrement              PASSED
InterlockedExchange               PASSED
InterlockedExchangeAdd            PASSED
InterlockedIncrement              PASSED
IsDebuggerPresent                 PASSED
lstrcatA                          PASSED
lstrcatW                          PASSED
lstrcpyA                          PASSED
lstrcpyW                          PASSED
lstrcpynA                         PASSED
lstrcpynW                         PASSED
lstrlenA                          PASSED
lstrlenW                          PASSED
NlsGetCacheUpdateCount            PASSED
Sleep                             PASSED
TermsrvAppInstallMode             PASSED

Edited October 21, 2012 by WildBill

[tomasz86]

Hey WildBill,

How is your work on the new kernel32.dll going?

I wonder if you could implement some of the APIs which BlackWingCat has added to his kernel (the newest version is KB935839-v22j and also KB979683-v11b). His kernel is capable of running applications compiled in VS2012 and also all dependencies related to .NET Framework 3.5 and 4.0 are fixed in it. He also "patched" the kernel exe files (ntoskrnl.exe and the three other files) so that it's possible to use more cores in Win2k Pro / Server (the number can be set manually through the registry - download KB979683-CoreChg.zip) and you can also enable PAE in Win2k Pro / Server so that the system can use up to 8 GB of RAM.

If you want to test .NET Framework then you can check my installer from here. It's a combined installer of all .NET Frameworks (from 1.0 to 4.0).

I'm really looking forward to try the new rewritten kernel. At the moment I'm using the BlackWingCat's version but I used yours before and actually found it much more stable.

[tomasz86]

I've just compared ntkrnlmp.exe from WildBill and BlackWingCat.

APIs present only in WB ntkrnlmp.exe 5.0.2195.7384:

CcMdlWriteAbort
DbgQueryDebugFilterState
DbgSetDebugFilterState
ExVerifySuite
FsRtlIncrementCcFastReadNotPossible
FsRtlIncrementCcFastReadNoWait
FsRtlIncrementCcFastReadResourceMiss
FsRtlIncrementCcFastReadWait
HalExamineMBR
IoForwardAndCatchIrp
IoForwardIrpSynchronously
IoQueryFileDosDeviceName
KeAcquireInterruptSpinLock
KeQueryActiveProcessorCount
KeReleaseInterruptSpinLock
MmProtectMdlSystemAddress
NtOpenProcessTokenEx
NtOpenThreadToken
NtOpenThreadTokenEx
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplayingAvl
RtlGetElementGenericTableAvl
RtlHashUnicodeString
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlInsertElementGenericTableFullAvl
RtlInt64ToUnicodeString
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsGenericTableEmptyAvl
RtlLookupElementGenericTableAvl
RtlLookupElementGenericTableFullAvl
RtlNumberGenericTableElementsAvl
RtlTestBit
vDbgPrintEx
vDbgPrintExWithPrefix
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
ZwQueryInformationThread

APIs present only in BWC ntkrnlmp.exe 5.0.2195.7386:

IoCsqInitialize
IoCsqInsertIrp
IoCsqRemoveIrp
IoCsqRemoveNextIrp
IoSetCompletionRoutineEx
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeDeregisterBugCheckReasonCallback
KeGetRecommendedSharedDataAlignment
KeRegisterBugCheckReasonCallback
KeReleaseInStackQueuedSpinLockFromDpcLevel
ObSetSecurityObjectByPointer
PsGetCurrentThreadStackBase
PsGetCurrentThreadStackLimit
PsGetProcessWin32Process
PsGetThreadId
PsGetThreadProcessId
PsGetThreadWin32Thread
SeTokenObjectType
_alloca_probe

Same thing for kernel32.dll.

APIs present only in WB kernel32.dll 5.0.2195.7154:

AddLocalAlternateComputerNameA
AddLocalAlternateComputerNameW
CopyLZFile
CreateNlsSecurityDescriptor
CreateSocketHandle
EnumerateLocalComputerNamesA
EnumerateLocalComputerNamesW
GetCPFileNameFromRegistry
GetExpandedNameA
GetExpandedNameW
IsValidUILanguage
LZClose
LZCloseFile
LZCopy
LZCreateFileW
LZDone
LZInit
LZOpenFileA
LZOpenFileW
LZRead
LZSeek
LZStart
RemoveLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
SetClientTimeZoneInformation
SetLocalPrimaryComputerNameA
SetLocalPrimaryComputerNameW

APIs present only in BWC kernel32.dll 5.0.2195.7193:

ActivateActCtx
AddRefActCtx
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
BaseCheckAppcompatCache
CheckForReadOnlyResource
CheckRemoteDebuggerPresent
CompareStringEx
ConvertFiberToThread
CreateActCtxA
CreateActCtxW
CreateSemaphoreExA
CreateSemaphoreExW
DeactivateActCtx
DebugActiveProcessStop
DecodeSystemPointer
EncodeSystemPointer
EnumSystemGeoID
EnumSystemLocalesEx
FindActCtxSectionGuid
FindActCtxSectionStringA
FindActCtxSectionStringW
FindFirstStreamW
FindNextStreamW
FindNLSString
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
GetCurrentActCtx
GetDateFormatEx
GetFirmwareEnvironmentVariableA
GetFirmwareEnvironmentVariableW
GetGeoInfoA
GetGeoInfoW
GetLocaleInfoEx
GetNLSVersion
GetNLSVersionEx
GetProcessDEPPolicy
GetSystemDEPPolicy
GetThreadId
GetThreadIOPendingFlag
GetThreadPreferredUILanguages
GetTickCount64
GetTimeFormatEx
GetUserGeoID
InitializeCriticalSectionEx
InitOnceExecuteOnce
IsProcessInJob
IsValidLocaleName
LCMapStringEx
QueryActCtxW
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
ReleaseActCtx
SetFirmwareEnvironmentVariableA
SetFirmwareEnvironmentVariableW
SetProcessDEPPolicy
SetThreadPreferredUILanguages
SetThreadStackGuarantee
WTSGetActiveConsoleSessionId
ZombifyActCtx

And ntdll.dll...

APIs present only in WB ntdll.dll 5.0.2195.7085:

CsrCaptureMessageMultiUnicodeStringsInPlace
LdrAccessOutOfProcessResource
LdrAddRefDll
LdrCreateOutOfProcessImage
LdrDestroyOutOfProcessImage
LdrEnumerateLoadedModules
LdrFindCreateProcessManifest
LdrGetDllHandleEx
LdrInitShimEngineDynamic
LdrSetAppCompatDllRedirectionCallback
LdrSetDllManifestProber
NtOpenProcessTokenEx
NtOpenThreadTokenEx
NtSetDebugFilterState
RtlActivateActivationContext
RtlActivateActivationContextEx
RtlActivateActivationContextUnsafeFast
RtlAddRefActivationContext
RtlAddRefMemoryStream
RtlAddressInSectionTable
RtlAddVectoredExceptionHandler
RtlAppendPathElement
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlComputeCrc32
RtlComputePrivatizedDllName_U
RtlCopyMemoryStreamTo
RtlCopyOutOfProcessMemoryStreamTo
RtlCreateActivationContext
RtlCreateBootStatusDataFile
RtlDeactivateActivationContext
RtlDeactivateActivationContextUnsafeFast
RtlDecodePointer
RtlDecodeSystemPointer
RtlDeleteElementGenericTableAvl
RtlDosApplyFileIsolationRedirection_Ustr
RtlDosSearchPath_Ustr
RtlDuplicateUnicodeString
RtlEncodePointer
RtlEncodeSystemPointer
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplayingAvl
RtlFinalReleaseOutOfProcessMemoryStream
RtlFindActivationContextSectionGuid
RtlFindActivationContextSectionString
RtlFreeThreadActivationContextStack
RtlGetActiveActivationContext
RtlGetElementGenericTableAvl
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlGetLengthWithoutTrailingPathSeperators
RtlGetNtVersionNumbers
RtlGetSetBootStatusData
RtlInitializeGenericTableAvl
RtlInitMemoryStream
RtlInitOutOfProcessMemoryStream
RtlInsertElementGenericTableAvl
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsActivationContextActive
RtlIsGenericTableEmptyAvl
RtlLockBootStatusData
RtlLockMemoryStreamRegion
RtlLookupElementGenericTableAvl
RtlMultiAppendUnicodeStringBuffer
RtlNumberGenericTableElementsAvl
RtlpApplyLengthFunction
RtlpNotOwnerCriticalSection
RtlQueryInformationActivationContext
RtlQueryInformationActiveActivationContext
RtlQueryInterfaceMemoryStream
RtlReadMemoryStream
RtlReadOutOfProcessMemoryStream
RtlReleaseActivationContext
RtlReleaseMemoryStream
RtlRemoveVectoredExceptionHandler
RtlRestoreLastWin32Error
RtlRevertMemoryStream
RtlSeekMemoryStream
RtlSetMemoryStreamSize
RtlStatMemoryStream
RtlUnlockBootStatusData
RtlUnlockMemoryStreamRegion
RtlWriteMemoryStream
RtlZombifyActivationContext
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
ZwQueryDebugFilterState
ZwSetDebugFilterState
_alldvrm
_aulldvrm

APIs present only in BWC ntdll.dll 5.0.2195.7103:

IVerSC
NtAddBootEntry
NtDeleteBootEntry
NtEnumerateBootEntries
NtEnumerateSystemEnvironmentValuesEx
NtLockProductActivationKeys
NtModifyBootEntry
NtQueryBootEntryOrder
NtQueryBootOptions
NtQuerySystemEnvironmentValueEx
NtSetBootEntryOrder
NtSetBootOptions
NtSetSystemEnvironmentValueEx
NtTranslateFilePath
RtlApplicationVerifierStop
RtlDllShutdownInProgress
RtlGetLastNtStatus
RtlInterlockedPushListSList
RtlLogStackBackTrace
RtlQueryTickCountEx
RtlRunOnceBeginInitialize
RtlRunOnceComplete
RtlRunOnceExecuteOnce
SetExKernelConfig
WinSqmAddToStream
_EVH

[WildBill]

I think I'm going to need some help with my kernel32 rewrite. I have it passing 130 unit tests, but I can't seem to get WinExec working. I've loaded up most of the routines involved with debugging output and I can't find anything wrong, but it doesn't properly spawn the process. I can post the project sources if anyone would like to help tracking the problem down.

The way I test it is to copy the new kernel32 to kernel32_new.dll, and have my test program perform tests against the normal kernel32 and the rewritten one and compare the results. My WinExec test attempts to spawn calc.exe from both of them. It works with the normal kernel32, but the rewritten one doesn't fully spawn the process. I get a running calc.exe in Task Manager but the window never appears and it seems to want to consume about 5% CPU until I kill it. I've been fighting with this for a couple of weeks and I'm stumped.

Testing this way lets me protect my system since I don't have to replace kernel32, though so far I haven't tested any kernel32 routines that change anything--only the ones that read info or do things that don't affect the system.