fwd: DLL Forwarder and Checksum Corrector


jumper

I played around a little bit with ExportTableTester!
98SE's and ME's NTDLL.DLL do not have vDbgPrintExWithPrefix, so I took the export info from ntdll.dll (5.1.2600.0 (xpclient.010817-1148)) and added it to ME's ntdll.dll:

Ordinal: 056F
Address of function: 0000B6A6
Function name: vDbgPrintExWithPrefix

A reboot with this updated DLL went fine and all KernelEx-dependent apps are working as they should.
Is there a way to find out if this is really O.K.?



@Dibya: Just search on "code cave tutorial"--look for one that helps you identify or create available space within a PE file.

@MiKl:
Use KTree to see if your installation of KernelEx already supports vDbgPrintExWithPrefix (recent versions do). If so, KernelEx will override any other definitions of vDbgPrintExWithPrefix with its own stub. That means your new implementation is not getting used or tested. You can add a line to Core.ini to make KernelEx use the version (yours) from the standard library.

The address of function needs to point to code in Ntdll.dll that will function without crashing. Try the "c2 14 00 ret 20" at the end of RtlLargeIntegerDivide or NtCreateFile (those complete functions themselves will probably crash).

I've only seen vDbgPrintExWithPrefix being called as part of the error reporting process after an app has already suffered a fatal error, so a crash dialog might actually be better than a silent app termination.

I seem to recall that a few DLL's from ReactOS and possibly other 2K+ OS'es only have this one unresolved dependency preventing them from loading on 9x.

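One way to answer the "is this really O.K.?" question above, and to check jumper's point that an export's address must land on real code: an added example (not from this thread, not KernelEx or ExportTableTester code) that walks a PE32 export directory and classifies every entry as code, forwarder or suspicious. Instead of a real ntdll.dll it runs over a constructed minimal DLL image; the names sample.dll, RtlStub, ZwForwarded, BadExport and KERNEL32.Beep are made up for the demonstration, and only PE32 (32-bit) images are handled.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020  # IMAGE_SECTION_HEADER.Characteristics: section contains code

def classify_exports(image: bytes):
    """Walk a PE32 image's export directory; return (name, ordinal, rva, kind) per export. kind is
    'code' (RVA in a code section), 'forwarder:DLL.Func' (RVA inside the export directory) or 'suspicious'."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                                   # e_lfanew
    nsec, opt_size = (struct.unpack_from("<H", image, pe + k)[0] for k in (6, 20))
    opt = pe + 24                                                                    # IMAGE_OPTIONAL_HEADER
    secs = [struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i) for i in range(nsec)]
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + 96)                  # DataDirectory[0] = export
    def section(rva):                                                                # section header holding rva
        return next((s for s in secs if s[2] <= rva < s[2] + max(s[1], s[3])), None)
    def off(rva):                                                                    # RVA -> file offset (headers map 1:1)
        s = section(rva); return rva if s is None else rva - s[2] + s[4]
    def cstr(rva):
        o = off(rva); return image[o:image.index(b"\0", o)].decode()
    d = struct.unpack_from("<IIHHIIIIIII", image, off(exp_rva))                     # IMAGE_EXPORT_DIRECTORY
    base, nfunc, nnames, afunc, aname, aord = d[5:11]
    funcs = struct.unpack_from("<%dI" % nfunc, image, off(afunc))
    ords, nrvas = struct.unpack_from("<%dH" % nnames, image, off(aord)), struct.unpack_from("<%dI" % nnames, image, off(aname))
    names = {ords[i]: cstr(nrvas[i]) for i in range(nnames)}                        # function index -> exported name
    out = []
    for i, rva in enumerate(funcs):
        if rva == 0: continue                                                        # unused ordinal slot
        s = section(rva)
        if exp_rva <= rva < exp_rva + exp_size: kind = "forwarder:" + cstr(rva)
        elif s is not None and s[9] & IMAGE_SCN_CNT_CODE: kind = "code"
        else: kind = "suspicious"                                                    # headers, data, or out of range
        out.append((names.get(i, ""), base + i, rva, kind))
    return out

def build_sample_image() -> bytes:
    """Constructed minimal PE32 DLL (not a real ntdll): one .text section, flat layout (RVA == file offset)."""
    SEC, n = 0x200, 4
    text = bytearray(b"\xc2\x14\x00" + b"\xcc" * 13 + b"\x33\xc0\xc3" + b"\xcc" * 13)  # 0x200: ret 14h; 0x210: xor eax,eax / ret
    exp = SEC + len(text); afunc, aname, aord = exp + 40, exp + 40 + 4 * n, exp + 40 + 8 * n
    pool, strs = bytearray(), aord + 2 * n
    def add(b): pool.extend(b + b"\0"); return strs + len(pool) - len(b) - 1         # returns the string's RVA
    dll, name_rvas = add(b"sample.dll"), [add(b) for b in (b"vDbgPrintExWithPrefix", b"RtlStub", b"ZwForwarded", b"BadExport")]
    func_rvas = [SEC, SEC + 0x10, add(b"KERNEL32.Beep"), 0x100]                      # code, code, forwarder, header bytes
    text += struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll, 1, n, n, afunc, aname, aord)
    text += struct.pack("<4I", *func_rvas) + struct.pack("<4I", *name_rvas) + struct.pack("<4H", 0, 1, 2, 3) + pool
    hdr = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)                  # COFF: i386, 1 section, DLL
    hdr += struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, len(text), 0, 0, SEC, SEC, 0, 0x10000000, SEC, SEC,
                       4, 0, 0, 0, 4, 0, 0, SEC + len(text), SEC, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += struct.pack("<II", exp, strs + len(pool) - exp) + bytes(8 * 15)           # 16 data dirs, [0] = export
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(text), SEC, len(text), SEC, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr.ljust(SEC, b"\0")) + bytes(text)
```

Pointing classify_exports at a real patched ntdll.dll (read the file into bytes) shows whether an added entry such as vDbgPrintExWithPrefix resolves to a code section, to a forwarder string, or to something that will crash when called.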

@jumper

Thanks, Jumper.

I have modified a few XP files; if you have time, can you check them?

@MiKl

An entry point is not always enough. You have to add some extra function code inside your DLL.

For example, AllocConsole of kernel32.dll has the following extra function code:


15 hours ago, Dibya said:

An entry point is not always enough. You have to add some extra function code inside your DLL.

For example, AllocConsole of kernel32.dll has the following extra function code

Well, what you called "extra function code" is *THE* function code (= that's actually what the function does!).
The problem you're having with some functions is that not all function code can be simply transplanted from another NT-OS kernel32 as is.
That's because some code may reference variables which are located at different addresses from one kernel32 to the other, or even variables that do not exist in the XP kernel32, not to mention variables residing in other modules, referenced by using hardcoded addresses... So, in fact, one needs to figure out what the function code actually does (= that's the true meaning of "reverse engineering") before deciding whether to transplant the code as is, to transplant and then modify it, to just stub the function to always reply either "success" or "failure", or even to implement some functionality ex novo on XP. I hope this helps you understand why sometimes you have success and sometimes you don't. I just wish I were able to help you more, but helping you understand what's happening is about all I can do for you at this point. And wish you good luck, of course!


20 hours ago, Dibya said:

..modified few xp files..

Dibya, while we all wish you success with your projects it might be better if you started a new thread (or used one of your older ones) in the XP forum for them so that everything can be kept together and organized. Right now you have discussion of your mods going on in three or more different threads and it will soon become difficult to keep track of what information is where. If you need to consult with other developers or project maintainers in their threads you can always include a link back to your main thread that contains the relevant information. :)

@jumper Can you please help me make a wrapper library for forwarding in my ExtendedXP project?

How do I make a wrapper library with real function code? Is it all right to make a ProxyDll and then replace the function code with the real one from Vista using Stud_PE?
