Kext: DIY KernelEx extensions


I have looked into it several years ago and it is when SHLWAPI goes to load URLMON then there is a problem. There is little to no benefit from running IE7 over IE6. JSCRIPT can be updated as shown in the IE6 upload. MSXML3 also can be updated to recent version which is not shown in the upload. IE6 modules are an integral part of the OS and if a second version is to be run alongside then it could cause severe problems. IE7 would need to be safe mode compatible. I was foolish to mention 2454 GDI32 as it would not run alongside ME's version even though it loads. The 2454 UXTHEME has only one function missing in ME's GDI32 anyway and it is accounted for by KEX. I am running IE7 executable as shown in the upload but it does not make any difference. Trust BWC's Windows2000-KB935839-v30e-ex86-extendedkernel 2019 updates for IE6 as I have done. In the proposed CORE.ini I sent in, the Verify Version setting needs the other two 2K missing APIs namely GDI32.GetCharABCWidthsI=kexbasen.0 and probably NTDLL.LdrUnloadDll=kexbases.0. When registering a module with missing GetCharABCWidthsI it knocked out KernelEx completely so that is why if Verify Version is to be used more widespread the two BASE.names mentioned should be included. Once adding GetCharABCWidthsI the module registered no problems.

I have changed CORE_8.zip to have the updated BASE.names as mentioned above.

Edited by Goodmaneuver
JSCRIPT not MSJAVA


  • 2 weeks later...
On 9/27/2022 at 12:57 PM, Goodmaneuver said:

There seems a module total number of active - in RAM API functions limit that can be used in KernelEx and or the OS.

There is no trouble with the large total number of active - in RAM API functions when using new Kstub825 as I have tried it without making a mistake. Thank you.

On 11/8/2022 at 10:34 PM, jumper said:

Multiple definitions are allowed and can be accessed individually in Core.ini by different profiles.

I am not sure as to what you mean? By making ExKernel available for programs that only work as seen below with MIN setting cover all of your statement?

[MIN]
contents=std
desc=Minimal load help (subsystem + KnownDlls)

[MIN.names]
KERNEL32.K32_NtStatusToDosError=Kstub01
KERNEL32.NtCreateFile=Kstub01
KERNEL32.NtFsControlFile=Kstub01
KERNEL32.NtPowerInformation=Kstub01
KERNEL32.NtQueryInformationFile=Kstub01
KERNEL32.NtQueryInformationThread=Kstub01
SHELL32.ILFree=kexbases.0
SHELL32.SHCreateShellItem=kexbases.0
SHELL32.SHParseDisplayName=kexbasen.0


  • 4 weeks later...

Kstub825 is good for one INI but when strung together with many INIs the amount of kB that can be placed in each INI has to be reduced. Roughly 8k each for 7 linked INIs. To make more redirects possible I have used Kstub824 up to the last one which is Kstub825 so that I can use the ordinal redirection in the last one. Kstub823 was better in certain respects as well as at the time it allowed redirecting back to MSVCRT as I explained before. The new features are much preferred though. Perhaps a Word sort lstrcmpiW would be better than a Bubble sort because of the special characters like underscores _ .

Edited by Goodmaneuver
spell check mistake

Kstubs825 does not behave properly as it confuses User32 with Uxtheme as seen in the Kstub07.zip. Evidence in upload zip and Ktree11 picture. As can be seen in the picture, there is no reference to Uxtheme for UnregisterTouchWindow and Kstub824 in the log zip redirects all 3 Touch Window functions from their rightful caller :- User32.

Ktree02.png

KSTUB07.zip


Good use of Ktree.11 and the log file. But remember: Kexstubs is a tool, not a solution. Without seeing the full definitions file, I suspect you're pushing Kexstubs too hard, resulting in a buffer overrun. Likely cause: unsorted definitions greatly reducing how many can be correctly handled.

Thanks for the report and clear documentation. I will look into this further.

 


  • 1 month later...
4 hours ago, SuperPou said:

i still get the error about missing export in kernel32 dll:interlockedpopentrylist, can someone help me?

Using KernelEx Verify.exe make sure the message window says "KernelEx has been successfully installed and is now enabled for all applications". If not reinstall 4.5.2 with it enabled.

The Singularly Listed functions do not need stubbing. Using 4.5.2 + Kstubs with later KernelEx.dll, these Kstub entries work. Do not confuse SL with LS, use entries as shown. 

GetSystemWow64DirectoryW=>KERNEL32:GetWindowsDirectoryW
HeapQueryInformation=>KERNEL32:HeapSize
InitializeSListHead=>KERNEL32:MapHModuleLS
InterlockedFlushSList=>KERNEL32:UnMapLS
InterlockedPopEntrySList=>KERNEL32:FreeLSCallback
InterlockedPushEntrySList=>KERNEL32:AllocLSCallback
QueryDepthSList=>KERNEL32:GetLSCallbackTemplate

Edited by Goodmaneuver

"All extensions, by address" in Ktree.11 lists Kexstubs api's in reverse-sorted order. Useful for verifying that they are efficiently defined in sorted order.

 

Edited by jumper

Over the last few months I have been experimenting with 4.5.2 with the emphasis on non-stubbing. Started with exact same OS build as I had for KernelEx25. Kstub825 behaves correctly with this arrangement as far as not mixing up User32 with Uxtheme. It came back again and only happens with UnregisterTouchWindow and Userenv module is named by Kstub825 log also as having UnregisterTouchWindow redirection. Using Kstub824 for months and it does not happen. The size limit of a stringed Kstub825 as mentioned before still remains.

On 4/8/2023 at 7:05 AM, jumper said:

"All extensions, by address" in Ktree.11 lists Kexstubs api's in reverse-sorted order.

I have included a screenshot of address order of part of NTDLL. A simple Bubble sort did not use an algorithm that recognized special characters. This is what Dependency Walker uses to sort out the functions in order. It ignores the underscores. This is why I mentioned list string compare lstrcmpi as a sort method which uses a word sort. If your statement is 100% correct then I have the Kstub.ini not sorted correctly. Looking at my picture and the reverse address sort would be

ZwWaitForSingleObject
_CIpow
__isascii
__iscsym
__iscsymf
__toascii
_alldiv

So this is a correct sort as Ktree shows? I used to sort with MS Excel and have recently sorted having underscores precedence over uppercase and lowercase but Ktree says question mark then numerals then uppercase then underscore then lowercase. Sort orders can vary where numbers are before symbols for example?

KtreeSort.png

Edited by Goodmaneuver
Purple info.

I have duplication of addressing shown in Ktree. Is this a correct phenomenon? See picture for example. Has Kstubs got a limited range of memory it can allocate? Max address as shown in Ktree is 0x19881dc7 and Min is 0x02371bd8. I have Kstub825 in use with Kstub02 and Kstub08. If I use all Kstub824 modules I get 7x duplication of the same address shown in Ktree whereas using the 2x Kstub825 modules I get only 4 duplicates. The duplication occurs at the maximum addresses. If I use all Kstub825 modules then KernelEx is broken and does not work as explained before :- the size limit of the INI files needs to be reduced with a stringed sequence of Kstub825s.

KtreeAddressing.png

Edited by Goodmaneuver
Had Max and Min addressing muddled up

19 hours ago, Goodmaneuver said:

stringed Kstub825 as mentioned before

I still don't know what you mean by this.

19 hours ago, Goodmaneuver said:

A simple Bubble sort did not use an algorithm that recognized special characters.

There are no special characters. All are ASCII. The sort is correct.

19 hours ago, Goodmaneuver said:

Dependency Walker ... ignores the underscores.

Sort by Hint, not Function.
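The ordering question discussed above, as an added example that is not part of the thread and is not Kexstubs or Ktree code: it checks a name list against plain ASCII (byte value) order and against an underscore-ignoring, case-insensitive order. The sample list is constructed from the NTDLL names quoted in the thread; `cmp_word` is an assumed model of the "word sort" behaviour described by the poster, and all function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the NTDLL names listed in the thread, in the order posted. */
static const char *sample[] = {
    "ZwWaitForSingleObject", "_CIpow", "__isascii", "__iscsym",
    "__iscsymf", "__toascii", "_alldiv",
};
#define SAMPLE_COUNT (sizeof sample / sizeof sample[0])

/* Plain ASCII (byte value) order: digits < '?' < 'A'-'Z' < '_' < 'a'-'z'. */
int cmp_ascii(const char *a, const char *b) { return strcmp(a, b); }

/* Assumed model of a "word sort": skip underscores, compare case-insensitively. */
int cmp_word(const char *a, const char *b) {
    for (;;) {
        while (*a == '_') a++;
        while (*b == '_') b++;
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb || ca == 0) return ca - cb;
        a++; b++;
    }
}

/* Index of the first name that sorts before its predecessor, or -1 if ordered. */
int first_unsorted(const char **names, size_t n,
                   int (*cmp)(const char *, const char *)) {
    for (size_t i = 1; i < n; i++)
        if (cmp(names[i - 1], names[i]) > 0) return (int)i;
    return -1;
}

static int qsort_ascii(const void *a, const void *b) {
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Sort a list in place into ASCII order. */
void sort_ascii(const char **names, size_t n) {
    qsort(names, n, sizeof *names, qsort_ascii);
}

int main(void) {
    printf("ASCII order: first unsorted index = %d\n",
           first_unsorted(sample, SAMPLE_COUNT, cmp_ascii));
    printf("word order:  first unsorted index = %d\n",
           first_unsorted(sample, SAMPLE_COUNT, cmp_word));
    return 0;
}
```

The posted list is in ascending ASCII order because `Z` (0x5A) sorts before `_` (0x5F), which sorts before `a` (0x61); the same list fails the underscore-ignoring comparison at its second entry.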

 


Kstub825 is good for use singularly, i.e. one kstub.ini, but when strung together with many kstub.inis the amount of kB of legitimate entries that can be placed in each kstub.ini has to be reduced. Roughly 8k each for 7 linked kstub.ini and gets less and less the more kstubs.ini that are in use. Kstub824 does this to a lesser degree and I am able to use 18kB with 8 x kstub.ini but it will stop KernelEx from functioning if using over 23kB roughly in each.

On 4/9/2023 at 1:00 PM, jumper said:

I still don't know what you mean by this.

Strung together or linked means using more than one kstub in core.ini.

What do you think of the duplication of addressing in last post? The maximum address is close to the preferred base address of Kstub824 which is 0x19980000.

On 4/9/2023 at 1:00 PM, jumper said:

Sort by Hint, not Function.

That is an improvement to the sort but it still ignores the underscores. See picture. Excel places precedence of underscores over alphanumeric characters. Sorting will need to be done manually as no software that I know obeys the question mark then numbers then uppercase then underscore then lowercase sort. Remember numbers come before question mark in ASCII character order. A special character is one that is not considered a number or letter.

DWsort.png

Edited by Goodmaneuver
Kstub824 stops kernelex at about 23k; a more precise figure.

Reread my last post until you understand it. If you still can't figure out how to ASCII sort, keep your definition files very small and let Kexstubs do the sorting for you.

Blank definitions are no longer needed. There is no problem with using multiple renamed copies of the latest Kexstubs.dll.

Ktree loads each module individually and shows addresses based on each module's preferred address. Ktree can't predict how the loader will rebase them on-the-fly when they are used together. This is why you are seeing multiple api's at some addresses when using multiple copies of Kexstubs. A future version of Kexstubs might allow selection of a base address in the definition file.

 


18 hours ago, jumper said:

Reread my last post until you understand it. If you still can't figure out how to ASCII sort,

Your inferred assumptions are incorrect.

18 hours ago, jumper said:

keep your definition files very small and let Kexstubs do the sorting for you.

There is little or no benefit from using more than one Kstub then and it is not the sort that creates the issue. Having ordinal functioning in Kstub is a good improvement but I would like to see ordinals implemented into Kstub824 without the other changes that were implemented creating Kstub825.

18 hours ago, jumper said:

Ktree loads each module individually and shows addresses based on each module's preferred address. Ktree can't predict how the loader will rebase them on-the-fly when they are used together. This is why you are seeing multiple api's at some addresses when using multiple copies of Kexstubs.

Assuming that you are talking about kstub modules only I understand. It seems ktree is only guessing where kstub loads the redirection of APIs or does kstub need a free range of memory just below its base address?

On 1/3/2023 at 9:17 AM, schwups said:

XP file (MSGina) was another main culprit. I added this file a while ago, but I don't know anymore which program it was for. Until then the file was unremarkable and forgotten. After renaming Msgina some messages were gone (using KernelEx.dllpre1).

Cisco Systems made a GINA module that is completely compatible with WinMe. It is called CSGINA.dll and a web search will find a download. Rename it MSGINA or tell registry that MSGINA is CSGINA in system KnownDlls. MSGINA will load every time the OS goes to restart or shutdown.
