
NTDLL-XEC - My enhanced version of NTDLL



Summary:

This project is a combination of NTDLL from BlackWingCat's Extended Kernel and NTDLL from WildBill's KB2479629-v3.

How this began:

This project began when I needed to run a program that required some functions that were only present in NTDLL from BlackWingCat's Extended Kernel and some functions that were only present in NTDLL from WildBill's KB2479629-v3.

The NTDLL file:

The first 3 versions of NTDLL-XEC (NTDLLx1-3(B)) are based on NTDLL from BlackWingCat's Extended Kernel v30e (latest version as of writing this) and contain some functions from WildBill's KB2479629-v3.

NTDLLx4 is based on NTDLL from WildBill's KB2479629-v3 and contains functions from BlackWingCat's Extended Kernel.

Downloads:

NTDLLx4: DLL | Installer

Changelog:

NTDLLx1:

Initial Release

NTDLLx2:

Code for new functions now stored in .xdata
ZwQueryDebugState no longer uses same code as NtQueryDebugState
Error in LdrCreateOutOfProcessImage fixed

NTDLLx3:

Test release for adding exports with PEMaker

NTDLLx3B:

Fixed issues in NTDLLx3
Changed file version to 5.0.2195.7133 to follow new file version rules

NTDLLx4:

File is now based on NTDLL from WildBill's KB2479629-v3.
Added ALL functions from NTDLL from BlackWingCat's Extended Kernel v30e.

Added Functions:

Click on each version to view the list of added functions in semi-alphabetical order.

NTDLLx1 | NTDLLx2/3(B) | NTDLLx4

File modification process:

  • Find required subroutines for functions with IDA
  • Move export table to new section before .rsrc (if needed)
  • Increase size of .patch with PEMaker (if needed)
  • Add code to blank space in .text and, if needed, at the end of .patch with HxD
  • Add exports to export table with PEMaker
  • Fix errors in code with IDA
  • Change file version and fix red text on main page of PEMaker

Name and version number info:

NTDLL-XEC:

X - Ximonite
E - Extension
C - Combo

File Version:

5.0.2195.71##

## = My version number + 30

Examples: NTDLLx4 - 5.0.2195.7134, NTDLLx12 - 5.0.2195.7142

IDA Tips and Tricks:

  • Press F2 while in Hex View to edit hex values.
  • Right click a location a function is calling and click "Manual" to change the location.
  • Go to Edit > Patch program > Assemble... to have IDA automatically modify hex values after changing location with Manual.
  • Save modifications made in IDA in Edit > Patch program > Apply patches to input file...

Archive:

NTDLLx3B: DLL | Installer

Older files: NTDLLx1 | NTDLLx2 | NTDLLx3 (no download on my website because of major issue in file) | NTDLLx3B First Installer

Edited by Ximonite
Minor edits
It's a great idea. Adding all of those functions will certainly help with Process Hacker 2.x, which relies on many ntdll functions exclusive to XP and above. I wish I knew how to do this myself.

I gave your file a spin and unfortunately, it does pose instability. Serpent 52 2020-02-08 gets quite unstable and has difficulty launching at times (though enabling multiprocess mode helps). Many sites have difficulty loading. Even an attempt at loading the task manager gave me a 0xc142 error though it opened on the next attempt. This is what a Serpent instance/tab did when it loaded.
--------------------------------------------------------------------------------
Starting profile on 21/05/2020 at 10:48:13 PM
Operating System: Microsoft Windows 2000 Professional (32-bit), version 5.00.2195 Service Pack 4

Program Executable: e:\program files\basiliskx86\basilisk\BASILISK.EXE

Program Arguments: -contentproc --channel="1540.8.1871959286\2009179798" -greomni "e:\program files\basiliskx86\basilisk\omni.ja" -appomni "e:\program files\basiliskx86\basilisk\browser\omni.ja" -appdir "e:\program files\basiliskx86\basilisk\browser"  1540 tab

Starting Directory: E:\Program Files\basiliskx86\basilisk\

Search Path: E:\Program Files\Alias\Maya8.0\bin;E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem;E:\Documents and Settings\win32\Local Settings\Application Data\Kingsoft\WPS Office\11.2.0.9327\office6

Options Selected:

     Log DllMain calls for process attach and process detach messages.
     Hook the process to gather more detailed dependency information.
     Log LoadLibrary function calls.
     Log GetProcAddress function calls.
     Log debug output messages.
     Automatically open and profile child processes.

--------------------------------------------------------------------------------
Started "BASILISK.EXE" (process 0x548) at address 0x00400000.  Successfully hooked module.
Loaded "NTDLL.DLL" at address 0x77F80000.  Successfully hooked module.
Loaded "MOZGLUE.DLL" at address 0x10000000.  Successfully hooked module.
Loaded "KERNEL32.DLL" at address 0x7C570000.  Successfully hooked module.
Loaded "ADVAPI32.DLL" at address 0x7C2D0000.  Successfully hooked module.
Loaded "RPCRT4.DLL" at address 0x77D30000.  Successfully hooked module.
Loaded "DBGHELP.DLL" at address 0x03000000.  Successfully hooked module.
Loaded "MSVCRT.DLL" at address 0x70860000.  Successfully hooked module.
Loaded "VERSION.DLL" at address 0x77820000.  Successfully hooked module.
Loaded "LZ32.DLL" at address 0x759B0000.  Successfully hooked module.
Loaded "USER32.DLL" at address 0x77E10000.  Successfully hooked module.
Loaded "GDI32.DLL" at address 0x77F40000.  Successfully hooked module.
Loaded "MSVCP140.DLL" at address 0x00170000.  Successfully hooked module.
Loaded "VCRUNTIME140.DLL" at address 0x001F0000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL" at address 0x00210000.  Successfully hooked module.
Loaded "UCRTBASE.DLL" at address 0x00220000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-STRING-L1-1-0.DLL" at address 0x00310000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL" at address 0x00320000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL" at address 0x00330000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-FILE-L1-1-0.DLL" at address 0x00340000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL" at address 0x00350000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-HANDLE-L1-1-0.DLL" at address 0x00360000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-FILE-L2-1-0.DLL" at address 0x00370000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-HEAP-L1-1-0.DLL" at address 0x00380000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL" at address 0x00390000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-SYNCH-L1-1-0.DLL" at address 0x003A0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL" at address 0x003B0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL" at address 0x003C0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-DATETIME-L1-1-0.DLL" at address 0x003D0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL" at address 0x003E0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL" at address 0x003F0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-SYNCH-L1-2-0.DLL" at address 0x00440000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL" at address 0x00450000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-DEBUG-L1-1-0.DLL" at address 0x00460000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL" at address 0x00470000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-FILE-L1-2-0.DLL" at address 0x00480000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-PROFILE-L1-1-0.DLL" at address 0x00490000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-MEMORY-L1-1-0.DLL" at address 0x004A0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-UTIL-L1-1-0.DLL" at address 0x004B0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL" at address 0x004C0000.  Successfully hooked module.
Loaded "API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL" at address 0x004D0000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-STRING-L1-1-0.DLL" at address 0x004E0000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-HEAP-L1-1-0.DLL" at address 0x004F0000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-STDIO-L1-1-0.DLL" at address 0x00500000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-CONVERT-L1-1-0.DLL" at address 0x00510000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-LOCALE-L1-1-0.DLL" at address 0x00520000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-MATH-L1-1-0.DLL" at address 0x00530000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-TIME-L1-1-0.DLL" at address 0x00540000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL" at address 0x00550000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL" at address 0x00560000.  Successfully hooked module.
Loaded "API-MS-WIN-CRT-UTILITY-L1-1-0.DLL" at address 0x00570000.  Successfully hooked module.

Entrypoint reached. All implicit modules have been loaded.
DllMain(0x7C570000, DLL_PROCESS_ATTACH, 0x0012FD30) in "KERNEL32.DLL" called.
DllMain(0x7C570000, DLL_PROCESS_ATTACH, 0x0012FD30) in "KERNEL32.DLL" returned 1 (0x1).
Injected "DEPENDS.DLL" at address 0x08370000.
DllMain(0x08370000, DLL_PROCESS_ATTACH, 0x00000000) in "DEPENDS.DLL" called.
DllMain(0x08370000, DLL_PROCESS_ATTACH, 0x00000000) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "RPCRT4.DLL" called.
LoadLibraryA("kernel32.dll") called from "RPCRT4.DLL" at address 0x77D87E19.
LoadLibraryA("kernel32.dll") returned 0x7C570000.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "InterlockedCompareExchange") called from "RPCRT4.DLL" at address 0x77D87E29 and returned 0x7C57B5FC.
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "RPCRT4.DLL" returned 1 (0x1).
DllMain(0x7C2D0000, DLL_PROCESS_ATTACH, 0x0012FD30) in "ADVAPI32.DLL" called.
DllMain(0x7C2D0000, DLL_PROCESS_ATTACH, 0x0012FD30) in "ADVAPI32.DLL" returned 1 (0x1).
DllMain(0x70860000, DLL_PROCESS_ATTACH, 0x0012FD30) in "MSVCRT.DLL" called.
DllMain(0x70860000, DLL_PROCESS_ATTACH, 0x0012FD30) in "MSVCRT.DLL" returned 1 (0x1).
DllMain(0x03000000, DLL_PROCESS_ATTACH, 0x0012FD30) in "DBGHELP.DLL" called.
LoadLibraryA("kernel32.dll") called from "DBGHELP.DLL" at address 0x03055807.
LoadLibraryA("kernel32.dll") returned 0x7C570000.
DllMain(0x03000000, DLL_PROCESS_ATTACH, 0x0012FD30) in "DBGHELP.DLL" returned 1 (0x1).
DllMain(0x77E10000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER32.DLL" called.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "IsBadWritePtr") called from "USER32.DLL" at address 0x77E655FB and returned 0x7C597E9F.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "ReleaseMutex") called from "USER32.DLL" at address 0x77E6458D and returned 0x7C59A011.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "CreateMutexA") called from "USER32.DLL" at address 0x77E6459A and returned 0x7C599DF3.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "CreateEventA") called from "USER32.DLL" at address 0x77E645A7 and returned 0x7C59995E.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "DefineDosDeviceA") called from "USER32.DLL" at address 0x77E645B4 and returned 0x7C584BA8.
GetProcAddress(0x7C570000 [KERNEL32.DLL], "DeviceIoControl") called from "USER32.DLL" at address 0x77E645C1 and returned 0x7C5CF6AB.

DllMain(0x77E10000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER32.DLL" returned 0 (0x0).
Second chance exception 0xC0000142 (DLL Initialization Failed) occurred in "NTDLL.DLL" at address 0x77FAC574.

Exited "BASILISK.EXE" (process 0x548) with code 128 (0x80).
You should also bump up the version number, as both BWC's latest ntdll and yours are 5.00.2195.7125.

Edited by win32

12 hours ago, win32 said:

Second chance exception 0xC0000142 (DLL Initialization Failed) occurred in "NTDLL.DLL" at address 0x77FAC574.

IDA found an error in the code at this address in both my dll and the original BlackWingCat dll. Does this error occur with the original BlackWingCat dll?


1 minute ago, Ximonite said:

IDA found an error in the code at this address in both my dll and the original BlackWingCat dll. Does this error occur with the original BlackWingCat dll?

No, but I did have occasional problems at 77f87eeb (RtlEnterCriticalSection).


I noticed that there is a very similar error in LdrCreateOutOfProcessImage, which is one of the functions I added. Do you know of any programs that use that function that don't require other new functions from other files?

I don't know if this causes the issues, but I added the extra data for the new functions in some blank space in the section called "EDATA". Right now, I'm trying to figure out how to add a new section to a dll file properly. When I figure it out, my added functions will be in the new section.

Edit: ntdllx2 does not have the error in LdrCreateOutOfProcessImage and I figured out how to make a new section properly.

Edited by Ximonite

On 5/21/2020 at 10:00 PM, win32 said:

I gave your file a spin and unfortunately, it does pose instability. Serpent 52 2020-02-08 gets quite unstable and has difficulty launching at times

Serpent 52 is perfectly stable on Windows 2000 with the new version of ntdll (x2).


  • 2 weeks later...

Unfortunately, I've discovered an issue with ntdllx2.

When installing VMware Player 3.0.0 and 3.1.5, a total of roughly 12 services and drivers should be installed; but only one was installed (VMware Agent Service).

VMware Agent Service is also the only service listed in the ServiceInstall and ServiceControl tables in vmware player.msi (which is copied to a folder labelled vmware-xxxxx in Documents and Settings\%USER%\Local Settings\Temp\ when the installer is run). I don't know how the rest of the services got installed (the rest do get installed on XP x64).

The other services are also installed with BWC's latest version. Mind you, even though Player 3.x is supposed to support XP and up, the installer's contents reference Windows 2000 frequently, and it does some really deep checks to prevent itself from installing on 2000 (fcwin2k, NNN4NT5, appcomp, cmd all can't fool it, so the only workaround is dropping the LaunchCondition table from the MSI). With what I know, it installs like it would on a Windows 2000 system, which it functionally no longer is.

Luckily BWC's ntdll is a good temporary drop-in replacement yet I wonder why these installers only install one service and then leave the rest to something else which I can't find at present.

But still, yours has yet to give me trouble with RtlEnterCriticalSection!

Edited by win32
sorry, there is no 3,1,6!

Unfortunately ntdllx3 is a dud. I tried to boot up with it and I got 0x6B BSoD with parameters 0xC00007B, 0x3, 0x0 and 0x0.

Or I meant it was a dud, since I decided to take it, change SectionAlignment back to 00001000 from 00000200 and it works just as well as x2. And it wasn't in vain since it's still slightly smaller than BWC's last ntdll.


10 hours ago, win32 said:

Unfortunately ntdllx3 is a dud. I tried to boot up with it and I got 0x6B BSoD with parameters 0xC00007B, 0x3, 0x0 and 0x0.

Or I meant it was a dud, since I decided to take it, change SectionAlignment back to 00001000 from 00000200 and it works just as well as x2. And it wasn't in vain since it's still slightly smaller than BWC's last ntdll.

Interesting. I did the same and the BSoD didn't go away. The fixed ntdllx3 happens to be only a few kilobytes smaller than ntdllx2. I would like to look at your modified file and test it with my setup. I test my files in a virtual machine in VMware Workstation Pro 15.5.5.


6 minutes ago, Ximonite said:

Interesting. I did the same and the BSoD didn't go away. The fixed ntdllx3 happens to be only a few kilobytes smaller than ntdllx2. I would like to look at your modified file and test it with my setup. I test my files in a virtual machine in VMware Workstation Pro 15.5.5.

https://mega.nz/file/4hsATIiC#Nu-mOrPbXiFOnbHZ5QJRC4pDYSY2cvXPTMm-Hbwyg9c


24 minutes ago, win32 said:

So the file actually works almost properly. The export table overwrote __eEmulatorInit, __eFINIT, __eCommonExceptions, and about 3/4 of sub_77FC509E. Also, RtlSetLastWin32Error is missing from the export table, but that was because I forgot to add it.

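The file modification process in the first post (move the export table, add exports, change the file version) and the later reports in this thread (an export table that overwrote __eEmulatorInit and neighbouring code, and a SectionAlignment of 00000200 that had to be put back to 00001000 before the file would boot) all come down to checking a handful of PE header fields. The script below is an added example and is not code from the thread or from any of the tools named in it (PEMaker, PETools, Export table tester). It builds a small synthetic PE32 DLL, lists its named exports, and flags a SectionAlignment below 0x1000 and an export table placed inside a code section. The export names and the 0x1000/0x200 values are taken from the thread; the DLL itself and the build_sample_dll helper are constructed for the example and contain no real code. Run it on a real file by replacing the sample bytes with the contents of the DLL under test.

```python
"""Added example: parse a PE32 DLL's section table and export directory and
flag the two layout problems reported in the thread. Synthetic input only."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
PAGE_SIZE = 0x1000  # the SectionAlignment the thread had to restore to boot
OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                         # 40 bytes
EXPORT_DIR_FMT = "<IIHHIIIIIII"                                      # 40 bytes


def build_sample_dll(section_alignment=PAGE_SIZE, exports_in_text=False):
    """Two-section PE32 DLL (constructed): .text filler plus an export table."""
    names = [b"LdrCreateOutOfProcessImage", b"RtlSetLastWin32Error"]
    text_va, edata_va, n = 0x1000, 0x2000, 2
    # Export table goes into .edata, or inside .text to mimic the overwrite case.
    export_va = text_va + 0x100 if exports_in_text else edata_va
    dll_name = b"sample.dll\0"
    dll_name_rva = export_va + 40 + n * 10        # directory + 3 tables
    first_name_rva = dll_name_rva + len(dll_name)
    name_rvas = [first_name_rva, first_name_rva + len(names[0]) + 1]
    export = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                         export_va + 40, export_va + 40 + n * 4, export_va + 40 + n * 8)
    export += struct.pack("<2I", text_va + 0x10, text_va + 0x20)   # function RVAs
    export += struct.pack("<2I", *name_rvas) + struct.pack("<2H", 0, 1)
    export += dll_name + b"".join(s + b"\0" for s in names)
    text, edata = bytearray(b"\xcc" * 0x200), bytearray(0x200)   # int3 filler
    if exports_in_text:
        text[0x100:0x100 + len(export)] = export
    else:
        edata[:len(export)] = export
    opt = struct.pack(OPT_HDR_FMT, 0x10B, 0, 0, 0x200, 0x200, 0, 0x1010, text_va,
                      edata_va, 0x10000000, section_alignment, 0x200, 5, 0, 0, 0, 5, 0,
                      0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(export_va, len(export))] + [(0, 0)] * 15   # entry 0 = export directory
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102) + opt
    hdr += struct.pack(SECTION_FMT, b".text", 0x200, text_va, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(SECTION_FMT, b".edata", 0x200, edata_va, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + b"\0" * (0x200 - len(hdr)) + text + edata)


def parse_pe(data):
    """Headers needed below: alignment, export directory entry, section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = struct.unpack_from(OPT_HDR_FMT, data, pe + 24)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, pe + 24 + opt_size + i * 40)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2], "vsize": f[1],
                     "rawptr": f[4], "chars": f[9]})
    export_rva, export_size = struct.unpack_from("<II", data, pe + 24 + 96)
    return {"section_alignment": opt[10], "export_rva": export_rva,
            "export_size": export_size, "sections": secs}


def section_for_rva(secs, rva):
    return next((s for s in secs if s["va"] <= rva < s["va"] + s["vsize"]), None)


def rva_to_offset(secs, rva):
    s = section_for_rva(secs, rva)
    if s is None:
        raise ValueError("RVA 0x%X is outside every section" % rva)
    return rva - s["va"] + s["rawptr"]


def list_exports(data):
    """[(ordinal, name, function RVA)] for each named export."""
    pe = parse_pe(data)
    secs = pe["sections"]
    d = struct.unpack_from(EXPORT_DIR_FMT, data, rva_to_offset(secs, pe["export_rva"]))
    funcs, names, ords = (rva_to_offset(secs, r) for r in d[8:11])
    out = []
    for i in range(d[7]):                        # NumberOfNames
        ordinal = struct.unpack_from("<H", data, ords + i * 2)[0]
        name_off = rva_to_offset(secs, struct.unpack_from("<I", data, names + i * 4)[0])
        name = data[name_off:data.index(b"\0", name_off)].decode()
        func_rva = struct.unpack_from("<I", data, funcs + ordinal * 4)[0]
        out.append((d[5] + ordinal, name, func_rva))   # d[5] = ordinal Base
    return out


def check_image(data):
    """Findings for the layout problems reported in the thread."""
    pe = parse_pe(data)
    findings = []
    if pe["section_alignment"] < PAGE_SIZE:
        findings.append("SectionAlignment 0x%X is below the 0x%X page size"
                        % (pe["section_alignment"], PAGE_SIZE))
    home = section_for_rva(pe["sections"], pe["export_rva"])
    if home is None:
        return findings + ["export directory RVA is outside every section"]
    if home["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("export table lives in code section %s; check it did not overwrite code" % home["name"])
    return findings
```

The check for a code section is deliberately coarse: an export table inside .text is not wrong by itself, but it is exactly the layout in which the table can land on top of existing routines, so it is the case worth diffing against the original file with IDA before shipping the DLL.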

On 4/11/2020 at 2:55 AM, Ximonite said:

it is recommended to double check that the files are actually updated after installing the update.

Hotfix confirmed working. Now running 5.00.2195.7133.


Don't use Export table tester to add exports. It will cause certain tables to break. Never add a section after the resources table in NT system files.

Use PETools to move the table to a new section before .reloc, then add anything you like.

If you are not using a vanilla file, then WildBill/BWC's shall have enough space.

Use the blank space inside .TXT; no need to add another section for code.

Edited by Dibya

15 hours ago, Dibya said:

Don't use Export table tester to add exports. It will cause certain tables to break.

Export table tester is the only tool I found that can add exports. ExpX corrupted the entire file when I tried it, and PETools can edit existing exports, but not add new ones.

Also, I plan to keep using export table tester because it can make a new section for the export table, and I am currently working on replacing the export table in .text with the new code I want to add. If you know of any other tools that can add exports, please tell me about them.


55 minutes ago, Ximonite said:

PETools can edit existing exports, but not add new ones.

WildBill's PETool 0.0.5 can add exported functions. Under "Directories", there is an option to "Add exported function". And then its name can be added separately through the option "Add exported function name".

But it is very buggy in that respect. I can't get it to show the new test function I made in the table unless I make other functions below it or do other changes and when I try adding function names, it doesn't actually do so for the selected function; I have to select the one above it to get it to add the function name. And sometimes I can get it to do stuff to the functions that are actually selected! So keep verifying with export table tester and other tools.

And you can also add exports with BWC's PEMaker by inserting the necessary parameters in the fields below the export table and then pressing "Change".

Edited by win32