
Remodeling Windows XP Kernel32


Dibya


Dibya, that is perfectly "normal".

If you INSERT *any* byte ALL jump (or similar) instructions pointing to *any* address after the insert point will need to be re-based/re-calculated.

In any case you normally DO NOT insert 00's in an executable, but rather 90's (or NOP's).

jaclaz


 

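An added example (Python, not from the thread) of the re-basing jaclaz describes, on a constructed x86 snippet: any rel32 CALL/JMP whose instruction and target end up on opposite sides of the insertion point needs its displacement recomputed, and the filler is 0x90 (NOP) rather than 0x00. It assumes the insertion lands on an instruction boundary and that the rel32 sites are already known from a disassembler.

```python
import struct

# Constructed x86 snippet (not from the thread): a CALL over a 3-byte body,
# then a JMP back to the start.  Both carry a 32-bit displacement measured
# from the END of the 5-byte instruction, so they break when bytes move.
#   0: E8 03 00 00 00   call +3   -> target 8
#   5: 90 90 90         nop x3
#   8: E9 F3 FF FF FF   jmp -13   -> target 0
CODE = bytes.fromhex("E803000000" "909090" "E9F3FFFFFF")
REL32_INSTRS = (0, 8)      # offsets of the rel32 CALL/JMP opcodes above (assumed known)
NOP = b"\x90"              # 00 00 decodes as ADD [EAX],AL, so 00 is not a safe filler

def rel32_target(code, off):
    """Absolute target of the 5-byte rel32 CALL/JMP whose opcode sits at off."""
    disp = struct.unpack_from("<i", code, off + 1)[0]
    return off + 5 + disp

def naive_insert(code, pos, filler):
    """What a hex editor does: splice the bytes in and fix nothing."""
    return code[:pos] + filler + code[pos:]

def insert_bytes(code, pos, filler, instr_offsets=REL32_INSTRS):
    """Insert filler at pos, then re-base every listed rel32 instruction so it
    still reaches the same logical target (which may itself have moved)."""
    n = len(filler)
    targets = {off: rel32_target(code, off) for off in instr_offsets}
    out = bytearray(naive_insert(code, pos, filler))
    for off, tgt in targets.items():
        new_off = off + n if off >= pos else off     # did the instruction move?
        new_tgt = tgt + n if tgt >= pos else tgt     # did its target move?
        struct.pack_into("<i", out, new_off + 1, new_tgt - (new_off + 5))
    return bytes(out)
```

With four NOPs spliced in at offset 5, the naive copy leaves the JMP pointing into the middle of the CALL, while the re-based copy still reaches offset 0.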


1 hour ago, jaclaz said:

Dibya, that is perfectly "normal".

If you INSERT *any* byte ALL jump (or similar) instructions pointing to *any* address after the insert point will need to be re-based/re-calculated.

In any case you normally DO NOT insert 00's in an executable, but rather 90's (or NOP's).

jaclaz


 

Which tool should I use?


17 minutes ago, Dibya said:

Which tool should I use?

It doesn't work this way.

If you know HOW to use the needed tool(s) you don't ask about WHICH is/are the needed tool(s). CATCH 22.

You need to study and learn a lot about X86 assembly, Windows programming and interfaces, before starting to debug and disassemble successfully executables, and only once you will be familiar with all the mentioned topics, and I mean VERY familiar with all of them, you will be able to start some real reverse engineering, and finally you will be able to actually re-assemble and insert code "arbitrarily" in a pre-made executable.

Of course by then you will be familiar with all the "tools of the trade" (and possibly also write/code your own ones).

Anyway - usually AFAIK - codecaves are used instead, here is a good start for you:
http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves

jaclaz


I have asked you, my friend, as CFF is unable to fix the base.

To be honest, I have never had so much heck with any API as I have had with GetThreadID.

I use Visual Studio 2005, PE Checksum, LordPE, PE Detective, FlexHex, Hex Workshop, IDA Pro, PE Explorer, a Chinese base alloc corrector, OllyDbg.


Code is (generally) inserted at the end of an existing module and "somewhere" in it a "call" is made to the new code. The new code will save registers (among other things), calculate a Base Address, execute the code, restore registers (etc), then "return" to the immediately next instruction after the "call". Many smart programmers leave "NOP" somewhere in the Data areas for just that, i.e. (as an example) at the point where "new" code must be executed, the "old" code is "patched" to "save" the original code in Data, "call" the "inserted new" code (which returns), and the "old code" is then "restored" and normal execution continues.

The above is an EXTREMELY loose example, of which many methods are used. Bear in mind that (e.g.) C++ is an HLL (High Level Language) that is run through an "interpreter" to translate into Machine Language (Assembly translates directly to it) Object Modules which in turn are Linked into Executables.

"Fix base" is not as simple as "using a tool". Executables are made of Objects, each of which recalculates its own Base Address (depending on the design of the Executable). Without a correct Base Address (*and* Data Address) you'll "blow up" or (maybe even) completely corrupt the OS (see "Test Bed").

Find these and study them to get an understanding of Addressability, Entry, Exit, etc.
IntelCodeTable.pdf
IntelPIIvolume1-Basic Architecture.pdf
IntelPIIvolume2-Instruction Set Manual.pdf
IntelPIIvolume3-System Programming.pdf

Programming in "real" languages (not "scripts" like Java or REXX, for example) is not for the faint of heart. Nor is "patching" preexisting modules. You might also want to learn a little C-language to understand the relationship to Assembly. Oh, and Code Signing (that MS uses for, e.g., SFC).

@jaclaz - "Code Cave" - I guess I must be *really* old to have not used/heard that term for my (extremely) "loose" (and somewhat inaccurate) example. Excellent article, BTW. I highly recommend Dibya study it as well (i.e. "Endorsed").


1 hour ago, submix8c said:

@jaclaz - "Code Cave" - I guess I must be *really* old to have not used/heard that term for my (extremely) "loose" (and somewhat inaccurate) example. Excellent article, BTW. I highly recommend Dibya study it as well (i.e. "Endorsed").

Naah, not that old ;), it is in the very introduction of that (now officially endorsed :)) article:

Quote

Introduction

A "code-what"? Unless you have spent some time working in the area of reverse engineering, chances are you have not heard of the term "codecave" before. If you have heard of it, you might not have read a clear definition of it or quite understand what it is or why it is useful. I have even asked seasoned assembly programmers about the term before and most of them had not heard of it. If it is new to you, do not worry, you are not the only one. It is a term that is scarcely used and is only useful in a reverse engineering context. Furthermore, is it "codecave" or "code cave"? I am not quite sure, but I will try my best to refer to it consistently as a "codecave". A space may sneak in there from time to time.

jaclaz
 


Thanks submix8c and jaclaz.

I am leaving GetThreadID; this is breaking everything.

Thanks a lot for those books.

I will study all those.

If only some software existed that could break an EXE or DLL down to C/C++/C#, but nothing like that exists in this material world.


Wouldn't it make more sense to make a wrapper for these functions instead of trying to modify kernel32 directly? Let us say that one day, @Dibya (or someone else) makes these required changes and XP will become more open. The problem then is that it is illegal to redistribute a Windows OS file. The only way you could release such a thing would be to either create a wrapper, or a program that patches the required changes for a user, or to provide exact instructions on how to do it.


#include <Windows.h>
#include <winternl.h>
#include <stdio.h>

typedef struct _CLIENT_ID
{
    PVOID UniqueProcess;
    PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef LONG KPRIORITY;
typedef struct _THREAD_BASIC_INFORMATION
{
    NTSTATUS                ExitStatus;
    PVOID                   TebBaseAddress;
    CLIENT_ID               ClientId;
    KAFFINITY               AffinityMask;
    KPRIORITY               Priority;
    KPRIORITY               BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

typedef NTSTATUS (NTAPI *NtQueryInformationThread_proc)(
    IN HANDLE ThreadHandle,
    IN THREADINFOCLASS ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

/* XP replacement for GetThreadId(): ask ntdll for the thread's CLIENT_ID
   through NtQueryInformationThread(ThreadBasicInformation).
   Returns 0 on failure, as the real GetThreadId() does. */
DWORD __stdcall GetThreadID(HANDLE hThread)
{
    static NtQueryInformationThread_proc NtQueryInformationThreadPtr
        = (NtQueryInformationThread_proc)GetProcAddress(GetModuleHandleW(L"ntdll"), "NtQueryInformationThread");
    THREAD_BASIC_INFORMATION threadInfo;
    NTSTATUS status;

    if (NtQueryInformationThreadPtr == NULL)
        return 0;
    threadInfo.ClientId.UniqueThread = 0;
    /* information class 0 == ThreadBasicInformation */
    status = NtQueryInformationThreadPtr(hThread, (THREADINFOCLASS)0, &threadInfo, sizeof(threadInfo), NULL);
    if (status < 0)   /* !NT_SUCCESS(status) */
        return 0;
    return (DWORD)(ULONG_PTR)threadInfo.ClientId.UniqueThread;
}

int main(void)
{
    printf("%lu\n", GetCurrentThreadId());
    /* uncomment this line on Vista or later */
    /* printf("%lu\n", GetThreadId(GetCurrentThread())); */
    printf("%lu\n", GetThreadID(GetCurrentThread()));
    return 0;
}

@Dibya I assume you know C...

Something like that should work on XP as a GetThreadId replacement...

I take no credit for the code... I found it as a snippet somewhere a while ago (forgot where, sorry...) and modified it a bit...


5 weeks later...

Hi, mates.

Can anyone here help me by making an app which can change all imports of an EXE or DLL from kernel32 to ukernel32.dll and from shell32 to ushell32.dll (later on I will give a big list), and also fix the checksum and set the minimum version to 0? I will make a wrapper library like Alky for Applications.

Advantages:

* No modification to system files

* Higher security (we are not fools to patch a virus or exploit kit to make it compatible)

* No need to update every time the files change in Windows updates.

* WRK/ReactOS/WineHQ files can be used and customized as needed.

* No legal issue, as it is a wrapper with no modification to MS files.

* Windows 8.1/10 APIs can easily be added by breaking into assembly.

* Can be used in XP/XP64/Server 2003/Vista (even in future 7 and 8.1)

* Custom sandboxing can be used.

How will it be? If a virus gets into an XP PC but fails to run due to a missing API call in kernel32.dll, while those modern functions are present in ukernel32.dll, you can run good apps by patching them, but no virus will run.

Edited by Dibya

6 hours ago, Dibya said:

Can anyone here help me by making an app which can change all imports of an EXE or DLL from kernel32 to ukernel32.dll and from shell32 to ushell32.dll (later on I will give a big list), and also fix the checksum and set the minimum version to 0? I will make a wrapper library like Alky for Applications.

Should the app also make some coffee? :unsure:

In case, it should be black, strong and with two cups of sugar for me, thanks.

Just to understand the theory, if (and when) such a program will be written, what would be the intended use of it? :dubbio:

jaclaz
 


1 hour ago, jaclaz said:

Should the app also make some coffee? :unsure:

In case, it should be black, strong and with two cups of sugar for me, thanks.

Just to understand the theory, if (and when) such a program will be written, what would be the intended use of it? :dubbio:

jaclaz
 

The main intent of the app is to redirect to the wrapper library.

For example, changing kernel32.dll of Acrobat Reader to ukernel32.dll so that it gets the required APIs from ukernel32.dll, as kernel32.dll does not have those APIs.

Next, to set the minimum version to 0, so that "not a valid Win32 program" resides in hell.

It will be like running Vista apps through the right-click menu present in Alky for Applications.

