Dibya Posted August 26, 2016
Friends, I need some help. A few AV programs are detecting my modified kernel32.dll as a virus, see here: https://www.virustotal.com/en/file/a2439d8c0091223280077c926d1e5da9dc7a247b857db47d9734d9573e977d79/analysis/1472194004/
Dave-H Posted August 26, 2016
If you're absolutely sure that it's a false positive, I suspect it's being flagged simply because the file has been modified. I've made really simple modifications to files with Resource Hacker, and my AV (Trend Internet Security) has started flagging them as suspicious files. I'm not sure what you can do about that.
jaclaz Posted August 26, 2016
I don't want to seem more grumpy than usual, but what (the heck) is the problem? IF your modified kernel32.dll is tested, stable, verified to be working, etc., you can report the fact to the anti-virus vendors and, unless there is actually something malicious, they will normally whitelist the file. IF instead it is a half-@§§ed, temporary, untested, only partially working version (let's call it Alpha or Beta), the (I presume restricted number of) testers will know that it is a false positive and trust you more than the antivirus detection heuristics.
jaclaz
Dibya Posted August 26, 2016
There is nothing malicious in it, just some code from the kernel32.dll of Server 2008 SP2 R1. I got worried: 360 AV, which I installed in my test VM, ate all my modified files, causing my PC not to start. Thanks a lot for helping me. I do not know what is wrong with AV software.
Dave-H Posted August 26, 2016
Unfortunately, modified system files are one thing that they are designed to check, as that could be a symptom of a virus attack of course. Apart from manually white-listing the files in the AV software, I suspect that there is no ideal solution to this, the AV software is only doing its job!
Dibya Posted August 26, 2016
6 hours ago, Dave-H said:
"Unfortunately, modified system files are one thing that they are designed to check, as that could be a symptom of a virus attack of course. Apart from manually white-listing the files in the AV software, I suspect that there is no ideal solution to this, the AV software is only doing its job!"
They should do their job...
dencorso Posted August 26, 2016
That's just one more reason to encapsulate modifications in a new executable and redirect/inject those in real time, without modifying system files. Don't ask me how to do it: I don't know, but I do know it can be done. And that's the beauty of how Xeno86 implemented KernelEx for 98/ME.
Dibya Posted August 28, 2016
On 8/27/2016 at 1:51 AM, dencorso said:
"That's just one more reason to encapsulate modifications in a new executable and redirect/inject those in real time, without modifying system files. Don't ask me how to do it: I don't know, but I do know it can be done. And that's the beauty of how Xeno86 implemented KernelEx for 98/ME."
I wished to do it like that, but unfortunately Xeno86 has not been active for a long time.
blackwingcat Posted September 1, 2016
36.0.2130.80 :3
sdfox7 Posted September 1, 2016 (Author)
18 hours ago, blackwingcat said:
"36.0.2130.80 :3"
@Blackwingcat Did you use the update mechanism within the Opera browser to get that 36.0.2130.80 version? The website is still serving the 36.0.2130.65 standalone version (at least to XP machines):
http://www.opera.com/computer/windows
http://www.opera.com/download/get/?id=39357&location=410&nothanks=yes&sub=marine
Dave-H Posted September 1, 2016
My Opera 36 didn't update automatically, but it did update when I did a manual check by going to the "About Opera" page in the menu. If that doesn't work for you, the latest version can be downloaded here. You need the file whose name ends with "setup.exe".
blackwingcat Posted September 2, 2016
You can also install it from opera xp.exe :3
Dibya Posted September 2, 2016
I have made a compatibility layer with the following components.

kernel32.dll with the following functions:
DecodePointer
EncodePointer
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
GetThreadId
InitializeCriticalSectionEx
InitOnceExecuteOnce
SetThreadStackGuarantee
GetTickCount64

Prevented the "not a valid Win32 application" error.

Updated C Run-time components:
i. Windows NT C++ Runtime Library DLL 7.0.6002.18005
ii. MFCDLL Shared Library - Retail Version 4.1.6151 (all 4 DLLs)
iii. Windows NT IOStreams DLL 7.0.6000.16386
iv. Windows NT CRT DLL 7.0.6002.22755

I now have to debug these files, then test them in a VM. If it works, I will surely post it here tomorrow.

A few more functions I have added:
K32EnumProcesses
K32EmptyWorkingSet
K32EnumDeviceDrivers
K32EnumProcesses
K32EnumProcessModules
K32GetDeviceDriverBaseNameW
K32GetDeviceDriverFileNameA
K32GetDeviceDriverFileNameW
K32GetMappedFileNameA
K32GetMappedFileNameW
K32GetModuleBaseNameA
K32GetModuleBaseNameW
K32GetModuleFileNameExA
K32GetModuleFileNameExW
K32GetModuleInformation
K32GetPerformanceInfo
K32GetProcessImageFileNameA
K32GetProcessImageFileNameW
K32GetProcessMemoryInfo
K32GetWsChanges
K32InitializeProcessForWsWatch
K32QueryWorkingSet

Quite easy, so I added them. I do not know which app requires these; I only added them in case someone needs them. I want to add more functions if you guys and gals share some dependency issues.
Dibya Posted September 3, 2016
Unfortunately my kernel mod is not working. I will send the files to BWC and let him check what is wrong. I am asking many kernel modding experts for help. I believe they can help me fix the problem.
LuckyCrydiaa Posted November 13, 2020 (edited)
3-4 years later...... I found the code which is related to that GetThreadId error in kernel32.dll. Using CFF Explorer I got to locate the API call; however, changing the name or function will still get me the error "Entry Point Not Found", which means that, unlike the Extended Kernel in Vista, where you can edit the functions in the Firefox executable, on XP, not at all! I am using Windows XP Anime Edition SP4, upgraded for this investigation, on Chrome 50.
Edited November 13, 2020 by LuckyCrydiaa