Nomen Posted July 29, 2017

I'm looking into the differences between the version 02 and 18 of opera.dll and was wondering if the Watson thing will tell you (in detail) why a dll fails to load.

There are about 130 functions being called in the version 12.18 that are not being called by the 12.02 file that are flagged by DW, and another 100 that are also flagged but are called by both versions (so I'm thinking they're not the problem).

If Watson is of no use in this case - is there anything else?

jumper Posted July 30, 2017

Analyze in ImportPatcher with "Test by loading (KernelEx)" option enabled.

ABCDEFG Posted July 30, 2017

Missing functions:

    IPHLPAPI.DLL
        CancelIPChangeNotify
        GetAdaptersAddresses
    KERNEL32.DLL
        CreateTimerQueueTimer
        DeleteTimerQueueTimer
        GetGeoInfoW
        GetUserGeoID
        SetProcessDEPPolicy
    SECUR32.DLL
        InitSecurityInterfaceW
        LsaEnumerateLogonSessions
        LsaFreeReturnBuffer
        LsaGetLogonSessionData

Nomen Posted July 30, 2017

This is what Import Patcher is telling me:

    [Secur32.dll]
    LsaGetLogonSessionData=
    LsaEnumerateLogonSessions=
    InitSecurityInterfaceW=
    LsaFreeReturnBuffer=
    [KERNEL32.dll]
    GetUserGeoID=
    GetGeoInfoW=
    [USER32.dll]
    SetLayeredWindowAttributes=
    [IPHLPAPI.DLL]
    CancelIPChangeNotify=

Which you will note is a little bit different than what abcdefg posted above.

This is for the 12.18 dll file. I am using import patcher with Start dependency search in local, Test by loading (Kex), and Process delay imports checked.

I get *No Problems Found* when running the same analysis on the 12.02 opera.dll.

Why so few issues (or no issues in the case of 12.02) when Dependency Walker shows many issues (missing functions)?

ABCDEFG Posted July 30, 2017 (edited)

^
1. It depends on which Kex version is in use, I use v4.5.2015.9 and I check this manually.
2. Dependency Walker shows all missing functions but some of them are "implemented" in Kex, but Dependency Walker doesn't "know" that because these "implemented" functions are "delivered" by API Hooking.

jumper Posted July 31, 2017

All of those functions except SetProcessDEPPolicy are now supported by the latest KernelEx 2016.17. And SetProcessDEPPolicy will be supported by Kex 2016.18 (I just now added it).

For now, use Kexstubs.dll with the definition:

    SetProcessDEPPolicy=f1e50

Do not check "Process delay imports" in ImportPatcher. It is unrelated to KernelEx support.

Nomen Posted August 2, 2017

I downloaded Kexbeta.17 and copied the 7 files it contained over into my c:\windows\kernelex folder (over-writing the existing files). Restarted, and ran IP.41 on the opera.dll (12.18). I get this:

    [Secur32.dll]
    LsaGetLogonSessionData=
    LsaEnumerateLogonSessions=
    InitSecurityInterfaceW=
    LsaFreeReturnBuffer=
    [KERNEL32.dll]
    GetUserGeoID=
    GetGeoInfoW=
    [USER32.dll]
    SetLayeredWindowAttributes=
    [IPHLPAPI.DLL]
    CancelIPChangeNotify=

My stubs.ini (and kstub730.ini) contains

    GetGeoInfoW=z5e
    GetUserGeoID=t1

My kstub730.ini contains

    InitSecurityInterfaceW=z0
    LsaEnumerateLogonSessions=t2
    LsaFreeReturnBuffer=t1

So I shouldn't be seeing those in Import Patcher - right? But I am.

> For now, use Kexstubs.dll with the definition: SetProcessDEPPolicy=f1e50

Where do I put that?

jumper Posted August 2, 2017

> So I shouldn't be seeing those in Import Patcher - right? But I am.

Put ImportPatcher in Vista (or higher) compatibility mode in the KernelEx Properties tab.

> Where do I put that?

Doesn't look like you need it, but it would go in the [Kernel32.dll] section of stubs.ini.

Nomen Posted August 2, 2017 (edited)

I've set Kex compatibility mode for IP.41 to be Vista. Kex compatibility mode for opera.dll (12.18) is set to default (should it be forced to something else?).

This is what I get now. I put (in brackets) any functions that exist in kex stub files:

    [Patches needed]
    opera.dll=Functions
    [Secur32.dll]
    LsaGetLogonSessionData= (kstub822, kstub730)
    LsaEnumerateLogonSessions= (kstub822, kstub730)
    InitSecurityInterfaceW= (kstub822, kstub730)
    LsaFreeReturnBuffer= (kstub822, kstub730)
    [KERNEL32.dll]
    GetUserGeoID= (kstub822, kstub730, stubs.ini)
    GetGeoInfoW= (kstub822, kstub730, stubs.ini)
    [USER32.dll]
    SetLayeredWindowAttributes= (not present in any .ini file)
    [IPHLPAPI.DLL]
    CancelIPChangeNotify= (not present in any .ini file)

Why are the above functions in Secur32 and Kernel32 being flagged by IP? They are not being picked up, even though they exist in the stub files. What about SetLayeredWindowAttributes and CancelIPChangeNotify?

(edit): If I select Walk Dependencies in IP, it looks like PSAPI.DLL has an issue, and I see 9 functions that show up under ntdll.dll that I didn't see before. I still see the same 8 functions that are listed above.

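The manual cross-check in the post above (imports flagged by ImportPatcher against the KernelEx stub .ini files) can be scripted. This is an added example, not part of the thread and not KernelEx or ImportPatcher code: `parse_ini` and `cross_reference` are hypothetical names, the stub section names are assumed, and it only reports whether a definition exists in a file, not whether KernelEx actually loads that file.

```python
import configparser

def parse_ini(text):
    """Parse INI text into {dll_name_lowercased: {function: definition}}."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False,
                                   interpolation=None)
    cp.optionxform = str  # keep export names as written; they are case-sensitive
    cp.read_string(text)
    merged = {}
    for section in cp.sections():
        # DLL names are case-insensitive: Secur32.dll and SECUR32.DLL are one module
        merged.setdefault(section.lower(), {}).update(cp[section])
    return merged

def cross_reference(report_text, stub_files):
    """Map each flagged (dll, function) to the stub files that define it."""
    report = parse_ini(report_text)
    report.pop("patches needed", None)  # summary section, not a DLL
    stubs = {name: parse_ini(text) for name, text in stub_files.items()}
    return {(dll, func): sorted(n for n, defs in stubs.items()
                                if func in defs.get(dll, {}))
            for dll, funcs in report.items() for func in funcs}

# Constructed sample: the report layout and the stub entries quoted in the thread.
# Stub section names are assumed; the real files hold many more entries.
REPORT = ("[Patches needed]\nopera.dll=Functions\n"
          "[Secur32.dll]\nLsaGetLogonSessionData=\nLsaEnumerateLogonSessions=\n"
          "InitSecurityInterfaceW=\nLsaFreeReturnBuffer=\n"
          "[KERNEL32.dll]\nGetUserGeoID=\nGetGeoInfoW=\n"
          "[USER32.dll]\nSetLayeredWindowAttributes=\n"
          "[IPHLPAPI.DLL]\nCancelIPChangeNotify=\n")
STUB_FILES = {
    "stubs.ini": "[Kernel32.dll]\nGetGeoInfoW=z5e\nGetUserGeoID=t1\n",
    "kstub730.ini": "[KERNEL32.DLL]\nGetGeoInfoW=z5e\nGetUserGeoID=t1\n"
                    "[SECUR32.DLL]\nInitSecurityInterfaceW=z0\n"
                    "LsaEnumerateLogonSessions=t2\nLsaFreeReturnBuffer=t1\n",
}

if __name__ == "__main__":
    for (dll, func), files in cross_reference(REPORT, STUB_FILES).items():
        print(f"{dll:14} {func:28} {', '.join(files) or 'no stub definition'}")
```
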
jumper Posted August 2, 2017

Do Verify.exe and the KernelEx Properties tab both report "v4.5.2016"?

At this time, the ImportPatcher executable must be named "ImportPatcher.exe" or be UPX'd to be able to delay-load most stubs.

Nomen Posted August 2, 2017

Verify.exe is 4.05.2016.17 and when run it says "Kernelex has been successfully installed and is now ..."

Don't know if this is a factor, but my "c:\windows\" folder is really "c:\win98\" (ie, %windir% = c:\win98).

kernelex.dll is version 4.05.2016.17.

> At this time, the ImportPatcher executable must be named "ImportPatcher.exe" or ...

Ah, that must be it. Mine was named "ImportPatcher.41.exe". I renamed it to ImportPatcher.exe. It is located in c:\win98\sendto.

Running IP again against opera.dll v12.18, I get this:

    [Patches needed]
    opera.dll=Functions
    [Secur32.dll]
    InitSecurityInterfaceW=
    [IPHLPAPI.DLL]
    CancelIPChangeNotify=

Running IP with Walk Dependencies + Link to patched copies gives the above, plus this:

    PSAPI.DLL=Functions
    [ntdll.dll]
    NtStopProfile=
    NtSetIntervalProfile=
    NtStartProfile=
    NtWriteFile=
    NtQueryVirtualMemory=

Nomen Posted August 4, 2017 (edited)

I don't know if this is just new to me, or anyone else, but replacing Secur32.dll and IPhlpAPI.dll with XP-SP3 version does actually result in a workable win-98 system. I found one problem with an OCX file used by Trendnet IPviewSE program (web-cam software) is caused by IPhlpAPI, but Opera 12 and FF2 seem to work just fine.

Swapping those files doesn't quite fix the issues with Opera.dll version 12.18 - I get a missing library error instead of "a device attached to the system is not functioning". So now I'm going to look into what file (looks like a DLL file) is missing.

Also - note this: Win-98 version of secur32.dll is about 59 kb, and XP-SP3 is actually 3kb smaller, yet the XP version implements more than double the number of functions. Almost all the extra functions are unicode (W) versions that the 98 dll doesn't (naturally) implement.

Has anyone thought of adding an ascii <-> unicode translator into Kex so that when a (W) function is called, Kex translates the call to Ascii and performs the function call using a native module (if present)? Maybe there's a way to use unicows to do this?

Edit: Ok, so ImportPatcher is saying "no problems found" with the 12.18 opera.dll, but if I walk dependencies I get:

    [Patches needed]
    PSAPI.DLL=Functions
    IPHLPAPI.DLL=Functions
    [ntdll.dll]
    NtStopProfile=
    NtSetIntervalProfile=
    NtStartProfile=
    NtWriteFile=
    NtQueryVirtualMemory=
    RtlGetNtProductType=
    RtlCreateUnicodeString=
    RtlxAnsiStringToUnicodeSize=
    NtDuplicateObject=
    NlsMbCodePageTag=
    RtlxUnicodeStringToAnsiSize=
    RtlAcquireResourceShared=
    RtlAcquireResourceExclusive=
    RtlReleaseResource=
    NtFreeVirtualMemory=
    NtSetInformationThread=
    NtQueryEvent=
    RtlCreateUnicodeStringFromAsciiz=
    ZwReplyWaitReplyPort=
    RtlCopyUnicodeString=
    ZwRequestWaitReplyPort=
    NtOpenEvent=
    ZwFreeVirtualMemory=
    RtlGUIDFromString=

I have 2 different versions of psapi.dll. One in \windows (5kb, no version info) and one in windows\system (45kb, v 4.00). No idea if I should be using something else, or where it goes.

Running IP against the 45kb version of psapi.dll gives these problems:

    [ntdll.dll]
    NtStopProfile=
    NtSetIntervalProfile=
    NtStartProfile=
    NtWriteFile=
    NtQueryVirtualMemory=

Running IP against the XP version of IPhlpapi.dll gives these problems:

    [ntdll.dll]
    RtlReleaseResource=
    RtlAcquireResourceShared=
    RtlAcquireResourceExclusive=
    RtlGUIDFromString=

Nomen Posted August 5, 2017 (edited)

Regarding Opera.dll 12.18, I'm at the point now where IP.41 is telling me:

    [Patches needed]
    opera.dll=Functions
    [IPHLPAPI.DLL]
    CancelIPChangeNotify=
    GetAdaptersAddresses=

I get the same output regardless of the setting for Process Delay imports.

This is in my kex core.ini:

    [DCFG1]
    contents=Kstub822,std,kexbases,kexbasen,K452stub
    desc=Default mode

I can see GetAdaptersAddresses is mentioned in kstub822.ini:

    [Iphlpapi.dll]
    GetAdaptersAddresses=>iphlpapi4:
    GetPerAdapterInfo=>iphlpapi4:

iphlpapi4.dll is located in \windows\kernelex folder.

I can see CancelIPChangeNotify is mentioned in Kexbases.dll and iphlpapi4.dll.

I see *\IPHLPAPI.DLL in this registry key:

    HKEY_LOCAL_MACHINE\Software\KernelEx\AppSettings\Flags

I see iphlpapi.dll in these registry keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\InstalledFiles
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs

The data value for IPHLPAPI for the KnownDLLs key is IPHLPAPI.JMP. I'm not sure if I'm supposed to keep that reference to IPHLPAPI.JMP or delete the key. I have the file IPHLPAPI.JMP located in \windows\system folder (should it be in kernelex folder?).

jumper Posted August 7, 2017 (edited)

Secur32.dll and Iphlpapi.dll from XP-SP3 cause more problems than they solve. Do not try to use them in any way on Win9x.

Psapi.dll should not be present in the Windows or System folders. The 4KB version from KernelEx Auxiliary DLL Updates should be in the KernelEx folder.

> contents=Kstub822,std,kexbases,kexbasen,K452stub

Oh my! No one should still be using K452stub! Post the results from the K452stub.log file in Kext: DIY KernelEx extensions, then remove K452stub as intended. While you're at it, also post results from the Kstub822.log. :)

> The data value for IPHLPAPI for the KnownDLLs key is IPHLPAPI.JMP.

This setting is preventing KernelEx from providing any extensions to Iphlpapi.dll. Your IPHLPAPI.JMP is a renamed version of Iphlpapi.dll that doesn't contain CancelIPChangeNotify. This .jmp technique from 4-1/2 years ago requires manual updates that have not been done. Instead, just change the KnownDLLs key value back to IPHLPAPI.DLL and delete IPHLPAPI.JMP.

> Has anyone thought of adding an ascii <-> unicode translator into Kex so that when a (W) function is called, Kex translates the call to Ascii and performs the function call using a native module (if present) ?

This is exactly how KernelEx and Unicows implement most of the "W" functions.

> Maybe there's a way to use unicows to do this?

KernelEx does make heavy use of Unicows by forwarding functions to it. That's why Unicows.dll (1.1.3790.0) is a KernelEx system requirement.

Nomen Posted August 7, 2017 (edited)

I seem to have several psapi.dll files that don't give version information (files-properties):

    4,608 bytes, created june 1/2015
    5,120 bytes, created dec 14/2008 (this is in \windows)
    12,288 bytes, created may 27/2015 (this is in \windows\kernelex)

The psapi.dll contained in psapi3b.7z is 4096 bytes (and also has no version info) so I'm not sure where the above 3 that I have came from. I take it that this is the file I should have in \windows\kernelex ?

I have a few other psapi.dll files, with version info, scattered around the system:

    18,192 bytes (version 4.00) Windows NT
    28,944 bytes (version 5.00.2134.1) Windows 2000
    45,136 bytes (version 4.00) Windows NT (this is in \windows\system)

Strange to see 2 different 4.00/NT versions. The 18kb one seems to be associated with InstallAware 8\plug-ins\MDAC.

Here is what's in my k452stub.log file. The file was over 1500 lines - I sorted it and removed the duplicates:

    [K452stub]
    = Advapi32.dll:CryptAcquireContextW=z5 ;? =
    = Kernel32.dll:HeapSetInformation=z4 ;? =
    = Kernel32.dll:IsValidLanguageGroup=z2 ;? =
    = Kernel32.dll:SetDllDirectoryA=z1 ;? =

I don't seem to have a Kstub822.log file.