NTDLL-XEC - My enhanced version of NTDLL


Recommended Posts

On 6/7/2020 at 11:19 PM, win32 said:

WildBill's PETool 0.0.5 can add exported functions. Under "Directories", there is an option to "Add exported function". And then its name can be added separately through the option "Add exported function name".

But it is very buggy in that respect. I can't get it to show the new test function I made in the table unless I make other functions below it or do other changes and when I try adding function names, it doesn't actually do so for the selected function; I have to select the one above it to get it to add the function name. And sometimes I can get it to do stuff to the functions that are actually selected! So keep verifying with export table tester and other tools.

And you can also add exports with BWC's PEMaker by inserting the necessary parameters in the fields below the export table and then pressing "Change".

When adding an export with WildBill's PETool 0.0.5, I get an error that says "Address out of range".

PEMaker works how I want it to and I will use it when creating ntdllx4 and newer versions.

On 6/7/2020 at 7:17 AM, Dibya said:

Don't use Export table tester to add export. It will cause certain tables to break. Never add a section after resources table in NT system files.

Use Petools to move Table to new section before .reloc then add anything you like.

If you are not using vanilla file, then wildbill/bwc shall have enough space.

Use the blank space inside .TXT, no need to add another section for code.

When using the blank space in .text, explorer crashes every 10 seconds.

I will try to expand EDATA and add my code to it.

Update: Figured out .text issue. Using blank space in .text works properly.

Edited by Ximonite
Updated info
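
The check recommended above ("keep verifying with export table tester and other tools") can also be scripted. This is an added example, not code from the thread or from any tool named in it: `check_exports` and `build_sample` are hypothetical names, the sample image is constructed, and the parser assumes the three export tables and the name strings themselves lie inside a section. It reports named exports whose address maps to no section (forwarders, whose RVA lies inside the export directory, are skipped), name entries whose index is past the address table, and a name table that is not in ascending order.

```python
import struct

def check_exports(pe):
    """Return ({name: rva or None}, [problems]) for a PE file's export table."""
    u = lambda fmt, at: struct.unpack_from(fmt, pe, at)
    opt = u("<I", 0x3C)[0] + 24                   # optional header offset
    nsec, optsz = u("<H", opt - 18)[0], u("<H", opt - 4)[0]
    exp_rva, exp_size = u("<II", opt + (96 if u("<H", opt)[0] == 0x10B else 112))
    secs = [u("<4I", opt + optsz + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                 # RVA -> file offset, None if unmapped
        for vsize, va, _rawsize, raw in secs:
            if va <= rva < va + vsize:
                return raw + rva - va
    d = off(exp_rva)
    if d is None:
        return {}, ["export directory is outside every section"]
    nf, nn, eat, npt, ot = u("<5I", d + 20)
    funcs = u(f"<{nf}I", off(eat))
    name_rvas, ords = u(f"<{nn}I", off(npt)), u(f"<{nn}H", off(ot))
    exports, problems = {}, []
    for nrva, idx in zip(name_rvas, ords):
        o = off(nrva)
        name = pe[o:pe.index(b"\0", o)].decode("ascii", "replace")
        rva = exports[name] = funcs[idx] if idx < nf else None
        if rva is None:
            problems.append(f"{name}: index {idx} is past the address table")
        elif not exp_rva <= rva < exp_rva + exp_size and off(rva) is None:
            problems.append(f"{name}: address {rva:#x} out of range")
    if list(exports) != sorted(exports):          # names must be in ascending order
        problems.append("name table is not sorted")
    return exports, problems

def build_sample(funcs, names):   # constructed one-section PE32 image, not a real DLL
    nf, nn = len(funcs), len(names)
    strs = 0x1028 + 4 * nf + 6 * nn               # RVA of the first name string
    blob = b"".join(n.encode() + b"\0" for n, _ in names)
    ptrs = [strs + sum(len(n) + 1 for n, _ in names[:i]) for i in range(nn)]
    sec = struct.pack(f"<IIHH7I{nf}I{nn}I{nn}H", 0, 0, 0, 0, 0, 1, nf, nn, 0x1028,
                      0x1028 + 4 * nf, strs - 2 * nn, *funcs, *ptrs,
                      *(i for _, i in names)) + blob
    hdr = bytearray(0x200)
    struct.pack_into("<2s58xI4sHH12xHHH", hdr, 0, b"MZ", 0x40, b"PE\0\0",
                     0x14C, 1, 104, 0x2102, 0x10B)
    struct.pack_into("<II8s4I", hdr, 0xB8, 0x1000, len(sec), b".edata",
                     0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr) + sec.ljust(0x200, b"\0")

SAMPLE = build_sample([0x1180, 0x1190, 0x5000],   # constructed; 0x5000 is unmapped
                      [("RtlGetSetBootStatusData", 0), ("RtlLockBootStatusData", 2)])
```

For a file on disk, pass the bytes from `open(path, "rb").read()` to `check_exports`.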


On 6/8/2020 at 2:33 AM, piotrhn said:

Please add to ntdll these functions, to use on 2k sysdm.cpl from xp/2k3. thx:

RtlGetSetBootStatusData
RtlLockBootStatusData
RtlUnlockBootStatusData

These functions will be added to NTDLLx4, which should be ready for release soon :D 

Update: sysdm.cpl from Windows XP works on Windows 2000.

Edited by Ximonite

On 6/19/2020 at 8:58 AM, Ximonite said:

These functions will be added to NTDLLx4, which should be ready for release soon :D 

Update: sysdm.cpl from Windows XP works on Windows 2000.

Big thanks:). My next request is bigger:

 

ntdll:
EtwNotificationRegistrationW
NtQueryOpenSubKeysEx
NtUnloadKeyEx
NtLoadKeyEx
RtlDosPathNameToRelativeNtPathName_U
RtlGetNativeSystemInformation
RtlReleaseRelativeName
_vscwprintf


advapi32:
CredProfileLoaded
GetLocalManagedApplicationData


user32: (for replace desk.cpl+themeui{uxtheme} etc... :) )
RegisterUserApiHook
UnregisterUserApiHook
IsServerSideWindow
PaintMenuBar
CalcMenuBar


gdi32:
ClearBitmapAttributes

kernel32:
IsValidUILanguage
IsTimeZoneRedirectionEnabled
SetFileShortNameW
SetUserGeoID


apphelp, uxtheme, appwiz.cpl, shsvcs.dll, intl.cpl, timedate.cpl, ntbackup

 

Edited by piotrhn

On 4/11/2020 at 2:55 AM, Ximonite said:
  • Right click a location a function is calling and click "Manual" to change the location.

That doesn't actually change any hex values, just the way it is displayed to IDA. So it doesn't actually change locations.

And I'm unable to run New Moon/Serpent with ntdllx4 as they throw exceptions in kernel32. :(

Edited by win32

On 7/2/2020 at 1:23 PM, win32 said:

That doesn't actually change any hex values, just the way it is displayed to IDA. So it doesn't actually change locations.

And I'm unable to run New Moon/Serpent with ntdllx4 as they throw exceptions in kernel32. :(

I corrected the IDA Tips and Tricks. Also, does New Moon or Serpent work with WildBill's NTDLL?


14 hours ago, Ximonite said:

Also, does New Moon or Serpent work with WildBill's NTDLL?

No. It doesn't have enough functions for BWC's kernel32.dll (so it can't boot with it) and his extended kernel doesn't have enough functions for New Moon/Serpent either.

Edited by win32

What really surprises me is that Windows 2000's ntdll works with the export table at the end of the file, while putting the export table at the end of a Vista x86 system file breaks it.

There is a lot more freedom on Windows 2000 than with other proprietary OSes.

And it's only 4 functions away from running Pale Moon 28.11!


On 7/4/2020 at 2:08 PM, win32 said:

No. It doesn't have enough functions for BWC's kernel32.dll (so it can't boot with it) and his extended kernel doesn't have enough functions for New Moon/Serpent either.

Bit confused here,

I am running the latest version of New Moon 28 on W2K with no issues.

W2K x64?... I must be missing something!


46 minutes ago, Dylan Cruz said:

Bit confused here,

I am running the latest version of New Moon 28 on W2K with no issues.

It works fine with BWC's files. Ximonite made his latest ntdll based on WildBill's ntdll and added all of BWC's functions to it. But it doesn't mix well with BWC's kernel32. And WildBill stopped working on his extended kernel files years ago, so they don't have nearly as many functions as BWC, so they can't run roytam1's browsers.


18 minutes ago, win32 said:

It works fine with BWC's files. Ximonite made his latest ntdll based on WildBill's ntdll and added all of BWC's functions to it. But it doesn't mix well with BWC's kernel32. And WildBill stopped working on his extended kernel files years ago, so they don't have nearly as many functions as BWC, so they can't run roytam1's browsers.

Gotcha, I didn't know there were other kernels out there.

What is the advantage of those over BWC these days?


Just now, win32 said:

WildBill's ntdll has more functions than BWC's.

Huh? But I thought you said "And WildBill stopped working on his extended kernel files years ago, so they don't have nearly as many functions as BWC"

Any chance they can be reconciled so that one has all the functions? It's probably more complicated than that it sounds like, I've never done any kernel patching! 


52 minutes ago, Dylan Cruz said:

Huh? But I thought you said "And WildBill stopped working on his extended kernel files years ago, so they don't have nearly as many functions as BWC"

There are some functions that are present in WildBill's ntdll but not BWC's ntdll.

2 hours ago, win32 said:

It works fine with BWC's files. Ximonite made his latest ntdll based on WildBill's ntdll and added all of BWC's functions to it. But it doesn't mix well with BWC's kernel32. And WildBill stopped working on his extended kernel files years ago, so they don't have nearly as many functions as BWC, so they can't run roytam1's browsers.

I have been working on adding all of BWC's functions to WildBill's kernel32. It should be ready for release in the next few days, and there will also be a few new functions that don't exist in either WildBill or BWC's extended kernels. :)


1 hour ago, Ximonite said:

I have been working on adding all of BWC's functions to WildBill's kernel32. It should be ready for release in the next few days, and there will also be a few new functions that don't exist in either WildBill or BWC's extended kernels. :)

Cool. I had actually forked your ntdllx3 (so I could use XP's sysdm.cpl, 2003 SP2's service engine and Whistler 2419's theme engine) and made my own with a few extra functions that no others had. I don't have a lot of my win2k stuff with me now so I forgot what they were, but just open up 2003 SP2's services.exe in dependency walker and the functions that are missing are the ones that I put in mine.

The attempt to backport the service engine and the theme engine failed though. :thumbdown But I just copied the functions verbatim from 2003 SP2.

But it would be great to use your ntdll since it has support for SxS (manifest/local) files which is important to my Vista extended kernel, and would help for the few older programs that have compatibility issues with the win2k extended kernel (for example, WindowBlinds 3.5 thinks I'm running XP and that makes it... not work - fcwin2k/nnn4nt5 doesn't help and I haven't found a way to patch it to bypass the error).

Edited by win32
