Kext: DIY KernelEx extensions


I mentioned it here when KEX18 was made: https://msfn.org/board/topic/173233-kernelex-45-core-updates-45201617/?do=findComment&comment=1159232 In relation to that post, I do not normally have trouble with SetFilePointerEx, but that was the case as mentioned. Broken Sword - Secrets of the Ark, the game, is downloadable to try it, and Titan Quest also said virtual memory not enabled until I manually changed the string GlobalMemoryStatusEx >> GlobalMemoryStatus. I do not think that GlobalMemoryStatusEx in KEX4.5.2 works either, but I will have to check.

I have checked, and GlobalMemoryStatusEx does not work with KernelEx 4.5.2. The test I have done is a reliable method unless every single occurrence of GlobalMemoryStatusEx has to be written into KEXBASES, but I would not think this is a good procedure.

Edited by Goodmaneuver

  • 3 months later...

@jumper

LsaAddAccountRights is stubbed, but we need LsaRemoveAccountRights stubbed as they go together in numerous cases, or we can redirect functions to Pkmws.dll or Mssws.dll. Mssws is the better one (vs 10.109.3705.2, original name "mssws9x.dll" from properties). They have these along with other sought-after functions.

LsaAddAccountRights
LsaClose
LsaEnumerateAccountRights
LsaFreeMemory
LsaNtStatusToWinError
LsaOpenPolicy
LsaRemoveAccountRights
LsaRetrievePrivateData
LsaStorePrivateData

Radmin32 has these

LsaAddPrivilegesToAccount
LsaClearAuditLog
LsaClose
LsaCreateAccount
LsaCreateSecret
LsaCreateTrustedDomain
LsaDelete
LsaEnumerateAccounts
LsaEnumeratePrivileges
LsaEnumeratePrivilegesOfAccount
LsaEnumerateTrustedDomains
LsaFreeMemory
LsaGetQuotasForAccount
LsaGetSystemAccessAccount
LsaICLookupNames
LsaICLookupSids
LsaLookupNames
LsaLookupPrivilegeDisplayName
LsaLookupPrivilegeName
LsaLookupPrivilegeValue
LsaLookupSids
LsaOpenAccount
LsaOpenPolicy
LsaOpenSecret
LsaOpenTrustedDomain
LsaQueryInformationPolicy
LsaQueryInfoTrustedDomain
LsaQuerySecret
LsaQuerySecurityObject
LsaRemovePrivilegesFromAccount
LsaSetInformationPolicy
LsaSetInformationTrustedDomain
LsaSetQuotasForAccount
LsaSetSecret
LsaSetSecurityObject
LsaSetSystemAccessAccount

NtFsControlFile is stubbed but I think from memory Kernel32 > DeviceIoControl will work.

Edited by Goodmaneuver
More related info

  • 3 weeks later...

What does the contents line in core.ini mean? I have this in core.ini

[BASE]
contents=Kexstubs,std,kexbasen,kexbases

Kstub824

desc=Base enhancements (api fixes + extensions)

Are those supposed to be names of dlls, ini files, or something else? Also, why should there be a newline before Kstub824? I'm trying to get Firefox 45 running, and I don't really understand what I'm doing with Kext. Ktree9 says <error code: 2> <not found> for Kexstubs. Is there supposed to be a Kexstubs.dll that I'm missing?


The line under BASE is so that it is configurable, and the order in which the libraries are loaded makes/can make a difference, from left to right. MIN is also loaded with BASE. MIN is required for Adobe Reader 9. Kstub824 is not released just yet and it should be changed to Kstub823. This is what the error is, I think, and you should have Kstub823.dll and Kstub823.ini in your KernelEx folder. I posted as I would like to know if the order should be consistent or not, kexbasen,kexbases, as it changes in the Core.ini further down to the other way around.


I eventually figured it out. It seems that (with the exception of std) those are names of DLL files, and Kexstubs.dll requires a matching Kexstubs.ini file, or else it won't work.

What is the difference between kexbases.dll and kexbasen.dll?


One is used as a common setting system wide; the other is specific for different applications/scenarios. I thought I read that Kexbasen was common, but I am not 100% sure; but because Kexbases has multiple functions of the same name, it suggests it is for specifics, in my opinion.


  • 1 month later...

Hello. A little while back, a friendly samaritan (not naming him because he did not give me permission to give out his name) had compiled an AIO installer for KernelEx + Jumper's updates. Would anyone mind testing it? I am currently testing the software myself at the moment!

https://drive.google.com/file/d/16wXXC5yL_dq_CWIJMfw-PaDWnTVEo09_/view?usp=sharing


  • 3 months later...
  • 1 month later...

About Kexstubs, applying to 4.5.2 as well as 4.5.2016.24, and referring to Kstub823.dll and K452stub.dll:

There is a limit of about 15000 characters in the Kexstubs ini. In a just-in-case scenario this limit is easily exceeded, and I would like this limit extended to at least thrice this amount. Any file that has an underscore in it cannot be redirected, so for example msvcr120_clr0400 has to be renamed like 120clr0400 to be compatible. Redirecting to NTDLL cannot be done; it does not work.

I have redirected MSVCRT to MSVCRJ with the registry's conventional KnownDlls, not KEX KnownDLLs, so I have only MSVCRJ loaded as MSVCRT, and this is always the case. This is done so that Kexstubs is compatible. KnownDlls redirection will work in any mapped environmental location; here is an example :-
AutoExec.bat SET PATH=C:\ME\JAVA\JDK\bin;C:\=(next environmental variable)
If I have a Definition named MSVCRT with the same module renamed back to MSVCRT and the KnownDLLs MSVCRT redirect deleted, I get a red screen of death :- RSOD is System.ini MessageTextColor=0 MessageBackColor=4.

Even though time, the function, is not listed in Ktree, it cannot be redirected to in Kstubs. This idea was experimented on because Msvcr80 is acceptable to use in Safe Mode and it would have fewer redirects in a just-in-case scenario. Dllhook did not redirect time and others successfully when experimenting in Safe Mode either; it stalled the load, from what I remember, when directing to CRTDLL.

In the uploaded Kstub823.zip MSVCRJ is 8.0.31113.25 :- it does not cause any problems and has fewer functions to redirect. TRACEPRT is 5.1.2454.1. RADMIN32 is 3.51.867.1; note that the A has to be added on the end of some Kstub823.ini redirects as I have removed the A in my RADMIN32 to be compatible with some directly redirected modules. CFGMGRNT is CFGMGR32 5.0.1864.1. CRYPTROS is CRYPT32 ROS 2017. This module will work as CRYPT32 but only with some programs. DNSAPI is 5.12296.1. DNS2KAPI is DNSAPI 5.0.2195.7284. MSVCRG is 7.0.3790.4341, but any MSVCRT that works renamed will do, except one redirect will not be available unless the Win2K3SP2 MSVCRT is used. MSVCRS is BWC's DLL wrapper msvcrt.dw7; see other posts about it. MSVCRX is 8.0.40607.52. SECUREXT is ROS 0.0.21.0 2002. UXTHEMEBASE: see the other post about it. Other Definitions are self-explanatory or are WinME native.

I would like KernelEx to be able to redirect DLL forwarding, and many redirects in the upload are of those. I am not sure DLL forwarding redirect with Kstubs is working, because DLL forwarding only happens if a module calls for the DLL-forwarded function. I have not seen my Kstub823.ini load Kstub823.dll on a DLL forwarding function.

PS: It has been a month or so since I have worked on this and I may have forgotten some crucial issues about Kstubs. Lesson learnt about logging points and saving ini files, as I accidentally saved Kstub823.dll instead of Kstubs823.ini, so a more substantive list was lost.

Kstub823.zip

Edited by Goodmaneuver
There was 1 entry in the zip, MSVCRD; this should have been MSVCR90D.
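The core.ini questions earlier in the thread (what the names in contents= are, why Ktree reports <error code: 2> <not found> when a stub DLL or its matching .ini is absent) and the Kstubs ini constraints in this post (the roughly 15000-character limit, underscores in module names, presorting definitions and dropping .DLL suffixes to recover room) can all be checked mechanically before rebooting into KernelEx. The following Python script is an added example, not code from KernelEx, from jumper's Kstub releases or from any poster in this thread. Its INI layout, the function=MODULE:function redirect syntax, the stub-DLL name prefixes and the two sample files are assumptions/constructed data, labelled as such in the code; the real Kstub823.ini syntax may differ.

```python
"""Sanity checks for KernelEx core.ini and Kstub-style stub ini files.

Added example for this thread, not code from KernelEx, jumper's Kstub
releases or any poster. Assumes a plain INI layout ('[SECTION]', 'key=value')
and an assumed redirect syntax 'function=MODULE:function' (empty value = plain
stub); the real Kstub823.ini syntax may differ.
"""
import re

# Constraints stated in the thread, used as check parameters:
#  - a Kstub ini over about 15000 characters stops KernelEx loading
#  - a module name containing '_' cannot be redirected (msvcr120_clr0400 -> 120clr0400)
#  - 'std' in core.ini contents= is not a DLL; stub DLLs need a matching .ini
STUB_INI_CHAR_LIMIT = 15000
NON_DLL_CONTENT_NAMES = {"std"}
STUB_DLL_PREFIXES = ("kexstubs", "kstub")  # assumed naming of stub DLLs

def parse_ini(text):
    """Return {section: [(key, value), ...]} in file order, duplicates kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray text (e.g. a bare 'Kstub824' line) is ignored
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections

def check_core_contents(core_text, present_files):
    """Walk [BASE] contents= in load order (left to right) and return
    [(module, status)]; 'error code 2' is Win32 ERROR_FILE_NOT_FOUND, as Ktree shows."""
    base = dict(parse_ini(core_text).get("BASE", []))
    present = {f.lower() for f in present_files}
    result = []
    for name in base.get("contents", "").split(","):
        name = name.strip()
        if not name:
            continue
        lower = name.lower()
        if lower in NON_DLL_CONTENT_NAMES:
            result.append((name, "builtin"))
        elif f"{lower}.dll" not in present:
            result.append((name, "not found (error code 2)"))
        elif lower.startswith(STUB_DLL_PREFIXES) and f"{lower}.ini" not in present:
            result.append((name, "missing matching .ini"))
        else:
            result.append((name, "ok"))
    return result

def _strip_dll(name):
    """Drop a trailing '.DLL'; the thread notes omitting it saves characters."""
    return name[:-4] if name.lower().endswith(".dll") else name

def _split_target(value):
    """Assumed syntax 'MODULE:function'; bare module or empty value allowed."""
    module, sep, func = value.partition(":")
    return module, (func if sep else "")

def check_stub_ini(stub_text):
    """List the problems the thread describes: over the size limit, an underscore
    in a module name, or definitions not presorted within a section."""
    problems = []
    if len(stub_text) > STUB_INI_CHAR_LIMIT:
        problems.append(f"size {len(stub_text)} exceeds limit {STUB_INI_CHAR_LIMIT}")
    for section, entries in parse_ini(stub_text).items():
        if "_" in section:
            problems.append(f"[{section}]: underscore in module name, cannot be redirected")
        keys = [k for k, _ in entries]
        if keys != sorted(keys, key=str.lower):
            problems.append(f"[{section}]: definitions not presorted")
        for key, value in entries:
            module, _ = _split_target(value)
            if "_" in module:
                problems.append(f"[{section}] {key}: target {module} has an underscore, rename it")
    return problems

def presort_stub_ini(stub_text):
    """Rewrite with definitions sorted per section and '.DLL' suffixes dropped,
    the two ways the thread recovers room under the limit."""
    lines = []
    for section, entries in parse_ini(stub_text).items():
        lines.append(f"[{_strip_dll(section)}]")
        for key, value in sorted(entries, key=lambda kv: kv[0].lower()):
            module, func = _split_target(value)
            if module:
                value = _strip_dll(module) + (f":{func}" if func else "")
            lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"

# Constructed sample data; the core.ini mirrors the one quoted in the thread.
SAMPLE_CORE_INI = "[BASE]\ncontents=Kexstubs,std,kexbasen,kexbases\ndesc=Base enhancements (api fixes + extensions)\n"
SAMPLE_STUB_INI = ("[MSVCRT.DLL]\nwcstombs=MSVCRJ.DLL:wcstombs\ntime=MSVCRJ:time\n"
                   "[ADVAPI32.DLL]\nLsaRemoveAccountRights=\nLsaAddAccountRights=\n"
                   "[SHELL32]\nSHGetFolderPathW=msvcr120_clr0400:SHGetFolderPathW\n")
```

Run check_core_contents against the file names actually present in the KernelEx folder and it reproduces the Ktree result for the quoted core.ini (Kexstubs is reported not found, std is a builtin, the two kexbase DLLs are fine). Run check_stub_ini on a stub ini before installing it: it flags an oversize file, an underscore in a redirect target, and sections whose definitions are not presorted, and presort_stub_ini produces the sorted, suffix-stripped version that the thread says roughly doubles the usable capacity.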

Thanks, I'll take a look.

That character limit seems about right for unsorted definitions. Properly presorting should double it. Definitions can be grouped and split across multiple files with Kstub824 (available soon). I'll look into the underscore and Ntdll problems.

>I have redirected MSVCRT to MSVCRJ with registry conventional KnownDlls, not KEX KnownDLLs

I don't understand. Please clarify.

Don't do that. It prevents Kex from extending Msvcrt!

KernelEx intentionally does not work in Safe Mode.

KernelEx still has the limitation that a module must exist, be loadable, and not be defined in HKLM:KernelEx\KnownDlls before it can be extended. This is why Lz32 is used.


Edited by jumper

7 hours ago, jumper said:

Don't do that. It prevents Kex from extending Msvcrt!

Yes, but it is OK at the moment because you have not extended MSVCRT. There is extended NTDLL to MSVCRT, which in my case at the moment will go to MSVCRJ.

 

7 hours ago, jumper said:

KernelEx intentionally does not work in Safe Mode.

Yes, I intentionally used Safe Mode to eliminate KernelEx to test DllHook, as DllHook did not seem to work at runtime and rLoew said it may not be compatible with the latest KernelEx. I used MSVCR80 as MSVCRT, booted into Safe Mode, then launched DllHook, then started a program that needed time and a few others I had redirected with DllHook.

7 hours ago, jumper said:

KernelEx still has the limitation that a module must exist, be loadable, and not be defined in HKLM:KernelEx\KnownDlls before it can be extended. This is why Lz32 is used.

Is LZ32 used because it has the same return values as a stub? It does not add up though, if not, as those stubbed function calls are not in LZ32, and besides, one function call is not stubbed and it does not exist in LZ32.


On 8/21/2021 at 5:53 AM, jumper said:

That character limit seems about right for unsorted definitions. Properly presorting should double it.

I thought I had sorted it. Please say if I did it wrong. I thought wrong: I forgot to sort some definitions, or more likely did not save it to the correct location, which also meant the .DLL suffix from 19 entries was not done, which would free up some more characters. It would still be nice to know if the MSVCRJ.DLL entries were sorted correctly, as it was sorted and it is the most complex. There were some other errors; you need a keen eye, so I thought it best to update it again now to fix the sorting and errors. I might append to the zip file in time. The original size is 4.6kB. I could not test all redirects, but the majority are straightforward.

The main one of concern is the NtCurrentTeb one, as I could not find the Microsoft document page for the NlsMbOemCodePageTag and relied on my memory; it is not proven and is wrong from what I understand now. For reference purposes, the NtCurrentTeb routine returns a pointer to the Thread Environment Block (TEB) of the current thread. I have removed it from the zip, and the OEM code page tag could be language specific, 1252 for western European. My OEM Code Page is 437. https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented Functions%2FNT Objects%2FThread%2FNtCurrentTeb.html has a certificate error but is an interesting site about the functions.

The IPHLPAPI.DLL ones do register fast. I do know of a module that did not register when it should have; the registration stalled. You may not like it, but I think it is NtClose that caused it to lock. I have registered some with all function calls known that do register, then tried registering a module where the only unknown was the addition of NtClose in an implicitly linked DLL, and the registration locked up. I know that registering is not the full test, but it is a good start.

Edited by Goodmaneuver
The upload of 2 files with the same name caused problems; I could not delete the original even if I wanted, as it becomes unavailable.

On 8/21/2021 at 5:53 AM, jumper said:

That character limit seems about right for unsorted definitions. Properly presorting should double it.

I have presorted it now with all errors fixed, hopefully. The Kstub823.ini is now running right on the limit, and if I add another line then KernelEx stops running. I have made it easy for myself and added the APPHELP.DLL definition function redirects from the bottom function names up, alphabetically sorted, till KernelEx stops. APPHELP is file vs 1.1.2599.4, BWC product vs 5.1.2600.5513. SDBAPI is WinME native.

Kstub823_1.zip

