Kext: DIY KernelEx extensions

[schwups]

55 minutes ago, Goodmaneuver said:

13 hours ago, schwups said:

Does it make sense to split the ini so that we have one ini for every dll?

If you are referring to my Core_6.ini where you see one definition module in each Kstub. This was done to stretch out the number of plugins. I had 20 DLLs having redirected function calls.

I am not referring specifically to your ini. I have tested little last week. The question is general how can we use a large number?

 

1 hour ago, Goodmaneuver said:

13 hours ago, schwups said:

Test: Splitted my ini in three parts (A-I, J-N, O-Z)

If this means that you have made up 3 Kstub,inis then you also need three matching Kstub824.dlls renamed to suit the ini names. Your contents= does not show this though.

Yes, I have stubs.dll, Kextubs.dll and Kstub824.dll in my KernelEx folder. Stubs.dll and Kextubs.dll are renamed Kstub824 dll's to match the correct name.

[jumper]

When testing stubs/forwards for IE9, I use IE9.DLL + IE9.INI.

Add IE9 to the end of contents in profile Vista or a clone.

 

[Goodmaneuver]

We should have IsThreadAFiber function in KernelEx to match the other Fls stubs.

[Goodmaneuver]

I have a solution for NtClose. It can be directly linked to kernel32 _lclose which closes any file that it is pointed to.

[jumper]

NtClose closes handles of 15 types, but is superceded on WinNT by CloseHandle (19 types).

Unfortunately, on Win9x CloseHandle only supports about 8 types. We need to first beef up CloseHandle then use it to implement NtClose.

 

[Goodmaneuver]

I got Dibya's ExKernel.dll to work by making Ntdll point to Kernel32.

1) Create a system KnownDlls value to shorten Kernel32's name like KNL32 and make it have data KERNEL32.DLL so when ever Knl32 is called the module gets Kernel32.

2) Edit ExKernel: Replace NTDLL.dll with KNL32.dll. Still editing ExKernel rename these imported strings.

              before                       after

RtlEnterCriticalSection = EnterCriticalSection
RtlLeaveCritcalSection = LeaveCriticalSection
RtlInitializeCriticalSection = InitializeCriticalSection
RtlTryEnterCriticalSection = TryEnterCriticalSection
NtAllocateVirtualMemory = HeapAlloc
RtlRaiseException = RaiseException
RtlInitializeCriticalSectionAndSpinCount = InitializeCriticalSectionAndSpinCount

3) Create Kstub entries in [KERNEL32]

[KERNEL32.DLL]
K32_NtStatusToDosError=>KERNEL32:K32_RtlNtStatusToDosError
NtCreateFile=>KERNEL32:K32_NtCreateFile
NtFsControlFile=>KERNEL32:DeviceIoControl
NtPowerInformation=>POWRPROF:CallNtPowerInformation
NtQueryInformationFile=>PSAPI:GetModuleInformation
NtQueryInformationThread=>KERNEL32:GetThreadPriority

Here it is working

Edited September 24, 2022 by Goodmaneuver
Spelling mistake

[Goodmaneuver]

I have the DX modules working in BlackWingCat's Windows2000-KB935839-v30e-x86-extendedkernel.

Kstub824 does not work linking to GDI32 so here's what to do.

1) Edit the Dwrite module import strings.

    before                after

GetFontInfo = GetTextCharset
GetFontRealizationInfo = RealizePalette

I would have like to use GetTextCharsetInfo for GetFontInfo but it does not fit. Perhaps Jumper could add it to their Kexbase.

2) Add dll fowarding Kstub entries for D3D10_1.dll

[D3D10_1.DLL]
D3D10CompileEffectFromMemory=>D3D10:
D3D10CompileShader=>D3D10:
D3D10CreateBlob=>D3D10:
D3D10CreateEffectFromMemory=>D3D10:
D3D10CreateEffectPoolFromMemory=>D3D10:
D3D10CreateStateBlock=>D3D10:
D3D10DisassembleShader=>D3D10:
D3D10GetGeometryShaderProfile=>D3D10:
D3D10GetInputAndOutputSignatureBlob=>D3D10:
D3D10GetInputSignatureBlob=>D3D10:
D3D10GetOutputSignatureBlob=>D3D10:
D3D10GetPixelShaderProfile=>D3D10:
D3D10GetShaderDebugInfo=>D3D10:
D3D10GetVertexShaderProfile=>D3D10:
D3D10ReflectShader=>D3D10:
D3D10StateBlockMaskDifference=>D3D10:
D3D10StateBlockMaskDisableAll=>D3D10:
D3D10StateBlockMaskDisableCapture=>D3D10:
D3D10StateBlockMaskEnableAll=>D3D10:
D3D10StateBlockMaskEnableCapture=>D3D10:
D3D10StateBlockMaskGetSetting=>D3D10:
D3D10StateBlockMaskIntersect=>D3D10:
D3D10StateBlockMaskUnion=>D3D10:

3) Add these Kernel32 entries in Kstub.

[KERNEL32.DLL]
GetLocaleInfoEx=>EXKERNEL:
GetSystemDefaultLocaleName=>KERNEL32:GetGeoInfoW
IsValidLocaleName=>EXKERNEL:
LCIDToLocaleName=>EXKERNEL:

I think that GetGeoInfoW returns AU instead of Australia (for example) for GetSystemDefaultLocaleName. (not sure). It worked for SumatraPDF 3.2

Here is it working viewing an eBook.

Edited September 25, 2022 by Goodmaneuver
Picture did not accurately disolay my instructions

[Goodmaneuver]

It is OK to shorten the name Kernel32 and have KnownDlls have Knl32 pointing to kernel32 and use Kernel32 as module for redirection of functions in Kstubs but it is not necessarily OK to use the same technique for other modules. There can be only one instance of Kernel32, it can not be relocated. For example if Kernel32 is pointed to Knl32 in KnownDlls then Ntdll will load Kernel32 but then the registry tries to load Knl32 and that is as far as the OS will progress. If a module's import string Ntdll is replaced with Rad32 and KnownDlls redirect Rad32 to Radmin32, Radmin32 as [RADMIN32] module name in Kstubs gives trouble. I get a hard fault in explorer. If looking at Radmin32 it in DW it feeds back to itself from Rlocal32. The solution is not to redirect RAD32 to RADMIN32.DLL in system KnownDlls. There will be a separate instance in memory of RAD32 and RADMIN32. It is probably timed better with this arrangement. Have [RAD32] name definition in Kstub as [RADMIN32] name definition does not work. Ktree will show RAD32: in the "All extensions by, DLL" section.

Edited November 4, 2022 by Goodmaneuver
Better

[jumper]

When import patching, shorten names by removing the optional .dll suffix.

When redirecting whole DLLs, use Kernelex\KnownDLLs.

When redirecting only some APIs,  use Kexstubs. Also use System\...\KnownDLLs only if the DLL does not exist and only redirect to LZ32.DLL.

 

[Goodmaneuver]

System Knowndlls works for any mapped directory and for modules not in a mapped directory but are registered with a InprocServer32 Key and Data pointing to the module.

9 hours ago, jumper said:

Also use System\...\KnownDLLs only if the DLL does not exist and only redirect to LZ32.DLL.

That does not make sensibility and your 20i core upload contains such redirects that cannot be used. It also defies all other redirects we have used in KnownDls of which there are many. You did not answer my questions about LZ32 being used in Kexbases before. https://msfn.org/board/topic/157173-kext-diy-kernelex-extensions/?do=findComment&comment=1202395. Lz32 is loaded in my OS at runtime. Everyone OS is going to be different with different third party applications. This is inevitable. The use of [GDI32] in Kstubs does not work I just gave proof that. There seems a module total number of active - in RAM API functions limit that can be used in KernelEx and or the OS. I am not ready to write it up explaining it just yet but soon.

9 hours ago, jumper said:

When import patching, shorten names by removing the optional .dll suffix.

That is incorrect it does not work. The suffix has to be included. Try it and then use DW to see if it worked.

[jumper]

Please focus on the present. The present is .25 and I know what is coming in .26 and beyond.

When stripping the suffix, remember to also strip the dot (replace the dot with \0). Then DW_2.2.6000 (last for 9x)  handles the import correctly and the module loads/runs.

@Everyone - BTW, what is the highest version of Dependency Walker that will run with help from KernelEx?

 

[schwups]

Maybe DW Version 2.2.10011 built on 29 October 2015 is the latest and yes it requires KernelEx. So far I have only used the older version 2.2.6000.

https://zzz.buzz/2017/05/18/download-dependency-walker/

[Goodmaneuver]

6 hours ago, jumper said:

When stripping the suffix, remember to also strip the dot (replace the dot with \0). Then DW_2.2.6000 (last for 9x)  handles the import correctly and the module loads/runs.

That is incorrect. Are we talking the same thing here. If you alter the import sting of a module to point to a different module then the pointing needs to be accurate, it needs the full title.

[jumper]

Yes, same thing: implicit imports. Use ImportPatcher. I tested again on 98 and Me yesterday before posting. It works (as documented) if you follow my instructions correctly. Both implicit and explicit module loads add ".dll" as needed if there is no dot in the filename. Only if the extension is something other than ".dll" or there are multiple dots in the filename must the extension be included.

I don't know if later versions of DW will be useful, but I'm hoping to find one with a mechanism that can be leveraged into supporting KernelEx.

 

[Goodmaneuver]

Your ImportPatcher adds the .dll as a default then or the name had the same length and the the original .dll is still there.

2 hours ago, jumper said:

Both implicit and explicit module loads add ".dll" as needed if there is no dot in the filename.

The OS does not add a suffix so this comment I do not understand. The module's name must equal the module it is calling.

2 hours ago, jumper said:

I don't know if later versions of DW will be useful, but I'm hoping to find one with a mechanism that can be leveraged into supporting KernelEx.

Just map the KernelEx folder as a known environment and DW will work. That is all that is required. Add KernelEx folder path to AutoExec.bat line SET PATH=

Edited September 28, 2022 by Goodmaneuver