Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


win32

[WIP] Windows Vista Extended Kernel

Recommended Posts


Posted (edited)
2 hours ago, win32 said:

Attention Windows Vista x64 users!

Did you feel wounded by the way your OS was surpassed by NT 6.1? And felt salt being poured into those wounds when BlackWingCat implemented some of those NT 6.1+ functions in his extended kernel for NT 5.0?

Now I'm here to give Windows Vista the leg up it has always deserved! All you need is CFF Explorer and ExportTableTester. (rules prohibit the distribution of modified MS binaries)

First, enter X:\Windows\System32 (where X: is the letter of your system partition) and copy kernel32.dll (for this experiment, I'm using version 6.00.6002.19623) to another folder. Open that copy of kernel32.dll in CFF Explorer and click "Section Headers [x]" on the left sidebar.

Keep your attention on the .text section and scroll down to the bottom of the hex representation of the section, where you will find a portion filled with zeros. Then starting at offset 000BCF50, add all of the non-zero code shown in the image below:

1473306471_vistaI.thumb.png.ab072725eb204b8409be22795a947335.png

 

 

my values arent 0 beforehand , should i still copy yours? how should i edit them?

Edited by burd

Share this post


Link to post
Share on other sites
Posted (edited)
31 minutes ago, burd said:

my values arent 0 beforehand , should i still copy yours? how should i edit them?

Which version of kernel32.dll do you have? I was quite concerned about this possibility, given that Vista has multiple update paths (through April 2017 EOL, Server 2008 updates until the one that changes the build to 6003, Server 2008 EOL and ongoing ESU). I decided to forgo all updates after Vista's EOL, and the kernel32.dll I have was actually updated in March 2016 (I know there is a later one numbered 6.0.6003.20489), so I was hoping that frequent updates to the file wouldn't take place.

In any event, start adding the code on the first line with all zeros. And accordingly adjust the function addresses in ExportTableTester,

Edited by win32

Share this post


Link to post
Share on other sites
Posted (edited)
4 minutes ago, win32 said:

Which version of kernel32.dll do you have? I was quite concerned about this possibility, given that Vista has multiple update paths (through April 2017 EOL, Server 2008 updates until the one that changes the build to 6003, Server 2008 EOL and ongoing ESU). I decided to forgo all updates after Vista's EOL, and the kernel32.dll I have was actually updated in March 2016 (I know there is a later one numbered 6.0.6003.20489), so I was hoping that frequent updates to the file wouldn't take place.

In any event, start adding the code on the first line with all zeros. And accordingly adjust the function addresses in ExportTableTester,

mine is 6.0.6003.20825 , by first line you mean 000BCF50 right? ill just copy your code ditto with zeros? most of us here arent really experienced with this coding sorry for too many questions :D

Edited by burd

Share this post


Link to post
Share on other sites
1 minute ago, burd said:

mine is 6.0.6003.20825 , by first line you mean 000BCF50 right? ill just copy your code ditto with zeros? most of us here arent really experienced with this coding sorry for too many questions :D

Unfortunately, it appears that starting with 6.0.6003.20731, they ate up most of the zeros in .txt. :( So the solution to that will be to add a new section, which I was intending on doing for later updates to the initial version.

So right click in section headers view, click "Add Section (Empty Space)", make the size 0000B100 (looking forward to many new API functions!) and then name it .xdata. And then add the code in that section, though the offsets reset themselves per-section in section headers view so you will be telling ExportTableTester that your functions will be located at 00128E00, 00128E10, 00128E20...

Given that kernel extending is typically seen as an "elite" activity in the world of Microsoft Windows, and this is the very first go of it for NT 6.x, I'm not surprised to see this level of questioning, considering that this could open up the art of kernel extension to a far wider audience than before. Though it will be for the greater good, as Vista has certainly been held back win2k-style by MS.

NB: the procedure for modifying the file should be the same through 6.0.6003.20686 as in the OP though.

  • Like 1

Share this post


Link to post
Share on other sites
10 minutes ago, win32 said:

Unfortunately, it appears that starting with 6.0.6003.20731, they ate up most of the zeros in .txt. :( So the solution to that will be to add a new section, which I was intending on doing for later updates to the initial version.

So right click in section headers view, click "Add Section (Empty Space)", make the size 0000B100 (looking forward to many new API functions!) and then name it .xdata. And then add the code in that section, though the offsets reset themselves per-section in section headers view so you will be telling ExportTableTester that your functions will be located at 00128E00, 00128E10, 00128E20...

Given that kernel extending is typically seen as an "elite" activity in the world of Microsoft Windows, and this is the very first go of it for NT 6.x, I'm not surprised to see this level of questioning, considering that this could open up the art of kernel extension to a far wider audience than before. Though it will be for the greater good, as Vista has certainly been held back win2k-style by MS.

NB: the procedure for modifying the file should be the same through 6.0.6003.20686 as in the OP though.

hmm, this is far more complicated than expected , i hope there will be an easier way in the future although this certainly opens up multiple possibilities and its really impressive what you have achieved here.

  • Upvote 1

Share this post


Link to post
Share on other sites
1 minute ago, burd said:

does this look correct to you?

You need to set the characteristics of .xdata to 60000020. Also did you type the H in the section or was it just there?

Besides those 2 things, it looks correct.

Share this post


Link to post
Share on other sites
Posted (edited)
5 minutes ago, burd said:

@win32 
 
does this look correct to you?

https://imgur.com/a/UTYkcTj

ofc i still need to fill in the code

You are on the right track. :thumbup and what @Ximonite said. I forgot about section flags/characteristics. The 48 is part of the first function of course.

Edited by win32
  • Like 1

Share this post


Link to post
Share on other sites
2 minutes ago, win32 said:

You are on the right track. :thumbup and what @Ximonite said. I forgot about section flags. The 48 is part of the first function of course.

 

3 minutes ago, Ximonite said:

You need to set the characteristics of .xdata to 60000020. Also did you type the H in the section or was it just there?

Besides those 2 things, it looks correct.

thank you.

Share this post


Link to post
Share on other sites
Posted (edited)
2 hours ago, Ximonite said:

You need to set the characteristics of .xdata to 60000020. Also did you type the H in the section or was it just there?

Besides those 2 things, it looks correct.

i typed 48 which made H show up

Edited by burd

Share this post


Link to post
Share on other sites
Posted (edited)

@win32

all good i hope,also thanks for your guidance once again.

https://imgur.com/a/gfURGam

 

EDIT:- i've done it , how can i test if it works?

Edited by burd

Share this post


Link to post
Share on other sites
3 hours ago, burd said:

@win32

all good i hope,also thanks for your guidance once again.

https://imgur.com/a/gfURGam

Yes, those are all correct.

  • Like 1

Share this post


Link to post
Share on other sites
Posted (edited)
4 minutes ago, win32 said:

Yes, those are all correct.

i did everything , then realised i forgot to make the 000BCF50 back to normal which was crashing explorer, redid everything its all stable now, but i still dont know if it works or not do you know of any way that can confirm it. :unsure:

Edited by burd

Share this post


Link to post
Share on other sites
Posted (edited)
11 minutes ago, burd said:

i did everything , then realised i forgot to make the 000BCF50 back to normal which was crashing explorer, redid everything its all stable now, but i still dont know if it works or not do you know of any way that can confirm it. :unsure:

We are only two functions away from getting GIMP 2.10.18 to possibly work - SetThreadErrorMode and K32GetModuleFileNameExA. So the first test of the extended kernel will be very soon. If anyone can find other x64 programs that were only prevented from running on Vista by the lack of the functions that have been implemented already, that would also be good.

Edited by win32

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...