win32 (thread author), posted December 17, 2021

Quoting windows2: "I mean for the imports, do they need modifications? If yes, how do I do that? What are the tasks that must be done? What are the necessary tools?"

Imports are really hard to work with if they are not already in the file. There are a couple of things you can do. Either you get the imported function from the imported file and try implementing it in the target file, if it's simple. Or you take other import entries to simple functions, reimplement those simple functions in the file itself and rename the now unused import to the one you want. However, you have to make sure the new import name is not too long, as the import names are packed together very closely.
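The rename-an-unused-import trick described above depends on how tightly the hint/name table is packed. The Python below is an added example for this page, not code from the thread or from any tool it mentions: it walks a packed IMAGE_IMPORT_BY_NAME table (WORD hint, NUL-terminated ASCII name, one pad byte where needed to stay WORD-aligned), reports how many bytes a given name's slot can hold before the next entry's hint begins, and performs the rename only when the replacement fits. The sample table, its hints and its function names are constructed for the demo, and the walk assumes the entries sit back to back with no gaps, which is the layout the post describes.

```python
import struct


def build_hint_name_table(entries):
    """Pack (hint, name) pairs the way a linker lays them out: WORD hint, ASCII
    name, NUL terminator, then one pad byte if needed to stay WORD-aligned."""
    blob = b""
    for hint, name in entries:
        blob += struct.pack("<H", hint) + name.encode("ascii") + b"\0"
        if len(blob) % 2:
            blob += b"\0"
    return blob


# Constructed sample: three packed entries. Hints and names are made up for
# the demo, not copied from a real kernel32 import table.
SAMPLE_TABLE = build_hint_name_table([(0x10, "HeapFree"), (0x22, "lstrlenA"), (0x35, "Sleep")])


def parse_hint_name_table(blob: bytes):
    """Walk contiguous entries and return [(entry_offset, hint, name), ...].
    Assumes the table is packed with no gaps between entries."""
    entries = []
    pos = 0
    while pos + 2 < len(blob):
        hint = struct.unpack_from("<H", blob, pos)[0]
        end = blob.index(b"\0", pos + 2)
        entries.append((pos, hint, blob[pos + 2:end].decode("ascii")))
        pos = end + 1 + ((end + 1) % 2)   # skip the NUL, then the pad byte if one is present
    return entries


def name_capacity(blob: bytes, name: str) -> int:
    """Largest replacement that fits in `name`'s slot: the bytes from the start of
    the old string up to the next entry's hint, minus one for the NUL terminator."""
    entries = parse_hint_name_table(blob)
    for i, (off, _hint, nm) in enumerate(entries):
        if nm == name:
            name_start = off + 2
            next_start = entries[i + 1][0] if i + 1 < len(entries) else len(blob)
            return next_start - name_start - 1
    raise KeyError(name)


def rename_import(blob: bytes, old: str, new: str) -> bytes:
    """Overwrite `old` with `new` in place and zero-fill the rest of the slot.
    Refuses to grow past the slot, which would clobber the next entry's hint.
    The hint WORD is left alone: the loader uses it only as a first guess into
    the export name table and falls back to a name lookup when it does not match."""
    cap = name_capacity(blob, old)
    if len(new) > cap:
        raise ValueError(f"{new!r} needs {len(new)} bytes but the slot holds {cap}")
    start = {nm: off for off, _h, nm in parse_hint_name_table(blob)}[old] + 2
    slot = new.encode("ascii").ljust(cap + 1, b"\0")
    return blob[:start] + slot + blob[start + cap + 1:]
```

Because of the alignment pad, a slot occasionally holds one byte more than the old name, which is why `name_capacity` is computed from the next entry's offset rather than from `len(old)`.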
windows2, posted December 17, 2021 (edited)

[quotes win32's previous post in full]

Well, thank you, I will do everything you told me. Please, if you have time in the future, explain the method of adding a simple function and processing imports, and send it as a link from Drive. Maybe I will need it if I can't carry out your instructions correctly. I'm not forcing you to make a video; I'm only asking if you can. Otherwise, thank you. I benefited a lot from your information.
windows2, posted December 20, 2021

Hi @win32, I am trying to make an extended kernel for Windows NT 4.0. I have added this function: GetProcessIoCounters. But I ran into an error: I don't find the function in IDA's list of functions! But in Export Table Tester and in the export directory in CFF Explorer the function exists! I found the code in IDA in the hex view and the IDA view in the .xdata segment. I don't know how to resolve this problem. Please give me a way to solve it. I documented everything I did, using several pictures to illustrate every step I took, in this link: https://mega.nz/file/4k0iCYiJ#3CaHXrnEUnsdRqMB3IMiMeuJpxbFp24bm1Rp7Kf75RA
win32 (thread author), posted December 20, 2021

[quotes windows2's previous post in full]

You put the memory address of the function in the wrong place (00000040 is near the beginning of the file, not the end, where .xdata is located). In IDA Pro you will notice two numbers on the status bar: the one on the left, 0005B840, is the offset address, the one that Export Table Tester uses, as well as hex editors. So that is where you want to put the address of the function. And then there are a few other concerns, especially with regard to the export table: if you do not move it to an empty space in the file, such as farther down in .xdata, with lots of expansion room, you may end up running into other code or data.
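The mistake the reply points out is a mix-up between address spaces: the hex editor and Export Table Tester work in file offsets (the 0005B840 on the left of IDA's status bar), IDA's listing shows virtual addresses, and the export address table itself stores RVAs (virtual address minus image base). The Python below is an added example for this page, not the thread's own code, that converts between the three and computes where an export slot lives in the file. Its section table is constructed for the demo (a plausible layout with a large .xdata section appended, not the real NT 4 kernel32.dll headers), the image base 0x77F00000 is assumed from the call addresses quoted later in the thread, and the export table location is likewise an assumption.

```python
# Assumed image base; the kernel32 addresses quoted later in the thread (77F0xxxx) imply it.
IMAGE_BASE = 0x77F00000

# Constructed section table: (name, virtual_address, virtual_size, pointer_to_raw_data, size_of_raw_data)
SECTIONS = [
    (".text",  0x01000, 0x4A000, 0x00400, 0x4A000),
    (".data",  0x4B000, 0x03000, 0x4A400, 0x02000),   # last 0x1000 exists in memory only (zero-filled)
    (".xdata", 0x4F000, 0x12000, 0x4C400, 0x12000),   # the roomy section the export table was moved into
]

# Assumed RVA of the relocated export address table (AddressOfFunctions).
EXPORT_ADDRESS_TABLE_RVA = 0x4F100


def section_for_rva(rva: int):
    """Section whose in-memory range covers the RVA."""
    for sec in SECTIONS:
        _name, va, vsize, _raw, rawsize = sec
        if va <= rva < va + max(vsize, rawsize):
            return sec
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def rva_to_offset(rva: int) -> int:
    """File offset backing an RVA, i.e. where a hex editor must write."""
    name, va, _vsize, raw, rawsize = section_for_rva(rva)
    delta = rva - va
    if delta >= rawsize:
        # Valid in memory but backed by nothing in the file: a patch typed here is lost.
        raise ValueError(f"RVA {rva:#x} lies in {name} past its raw data")
    return raw + delta


def offset_to_rva(offset: int) -> int:
    """Inverse mapping: the RVA that the bytes at a file offset are loaded to."""
    for _name, va, _vsize, raw, rawsize in SECTIONS:
        if raw <= offset < raw + rawsize:
            return va + (offset - raw)
    raise ValueError(f"file offset {offset:#x} is not inside any section's raw data")


def va_to_offset(va: int) -> int:
    return rva_to_offset(va - IMAGE_BASE)


def offset_to_va(offset: int) -> int:
    return IMAGE_BASE + offset_to_rva(offset)


def export_slot_offset(ordinal_index: int) -> int:
    """File offset of entry `ordinal_index` in the export address table (4 bytes per entry)."""
    return rva_to_offset(EXPORT_ADDRESS_TABLE_RVA + 4 * ordinal_index)


def export_slot_bytes(function_va: int) -> bytes:
    """What to type at that slot: the function's RVA, not its VA, little-endian."""
    return (function_va - IMAGE_BASE).to_bytes(4, "little")
```

The `.data` case is the one worth remembering: a section's virtual size can exceed its raw size, so an RVA can be perfectly valid in IDA and still have no file offset at all; a hex editor has nowhere to put the patch.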
windows2, posted December 20, 2021 (edited)

Quoting win32: "if you do not move it to an empty space in the file"

I don't understand why there is code with a new section (empty space). So if I deleted the added code alone (the strange thing with a new empty space), would an error occur?
windows2, posted December 20, 2021 (edited)

[quotes win32's previous post in full]

I have finally added it successfully. Thanks a lot.
windows2, posted December 21, 2021

@win32 I had a small problem: the two addresses do not match the addresses that should be called. How do I fix this, please?
win32 (thread author), posted December 21, 2021

[quotes windows2's previous post in full]

IDA Pro does not like to assemble things very well, so you will have to go into the hex view to modify the import calls. In x86, the import calls directly reference the memory address of the import table entry, as opposed to an offset. So the hex codes for the import call instruction will be (in little-endian notation): FF 15 B8 C0 F3 77. Local function calls remain offset based, so you can just go to Edit -> Patch program -> Assemble and type in "call 77f01762h".
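The two call forms the reply distinguishes have different encodings and different sizes, and that matters when one is patched over the other. The Python below is an added example for this page, not the thread's own code: it encodes the 6-byte indirect call through the import address table (FF 15 plus the absolute address of the IAT slot) and the 5-byte relative call to a local function (E8 plus a displacement from the next instruction), decodes both, and patches one over the other while keeping the following instruction at its address. The IAT slot 0x77F3C0B8 and the target 0x77F01762 are the values the post quotes; the caller address 0x77F01000 and the sample code bytes are constructed for the demo.

```python
import struct


def encode_iat_call(iat_entry_va: int) -> bytes:
    """call dword ptr [imm32]: FF 15 followed by the absolute VA of the IAT slot
    (6 bytes). The encoding does not depend on where the instruction sits."""
    return b"\xFF\x15" + struct.pack("<I", iat_entry_va)


def encode_rel_call(instr_va: int, target_va: int) -> bytes:
    """call rel32: E8 followed by target minus the address of the *next*
    instruction (5 bytes). Moving either end means recomputing it."""
    rel = target_va - (instr_va + 5)
    return b"\xE8" + struct.pack("<i", rel)


def decode_call(code: bytes, instr_va: int):
    """("indirect", iat_slot_va) or ("direct", target_va) for the call at code[0:]."""
    if code[:2] == b"\xFF\x15":
        return "indirect", struct.unpack_from("<I", code, 2)[0]
    if code[:1] == b"\xE8":
        return "direct", instr_va + 5 + struct.unpack_from("<i", code, 1)[0]
    raise ValueError("not a call form this example understands")


def patch_call(image: bytearray, file_offset: int, new_call: bytes) -> None:
    """Overwrite the call at file_offset in place. A 5-byte direct call replacing a
    6-byte indirect one is followed by a NOP (0x90) so the next instruction keeps
    its address; the opposite direction does not fit and is refused rather than
    silently overwriting the first byte of whatever follows."""
    old_len = 6 if image[file_offset:file_offset + 2] == b"\xFF\x15" else 5
    if len(new_call) > old_len:
        raise ValueError("new encoding is longer than the instruction it replaces")
    image[file_offset:file_offset + old_len] = new_call.ljust(old_len, b"\x90")
```

Note that the displacement in `encode_rel_call` is computed from virtual addresses while the bytes are written at a file offset; mixing the two is the usual reason a hand-patched call lands "two addresses off".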
windows2, posted December 21, 2021

[quotes win32's previous post in full]

Thank you very much, I will try it tomorrow.
windows2, posted December 21, 2021 (edited)

[quotes win32's post on patching calls in full]

Hi, do I save my kernel32.dll patch with this method?
win32 (thread author), posted December 21, 2021

Yes.
windows2, posted December 21, 2021 (edited by Tripredacus: removed link)

Quoting win32: "Yes."

Please, how do I test the new kernel32.dll?
win32 (thread author), posted December 21, 2021 (edited)

Quoting windows2: "Please, how do I test the new kernel32.dll?"

Install NT 4 SP5 in a VM (better in a VM, because you can take snapshots) or on a real PC and replace kernel32 with that one. I will remind you that the PE checksum must be corrected before using it, or else you will bugcheck. And you cannot redistribute these files publicly in the forum.
windows2, posted December 21, 2021

Quoting win32: "And you cannot redistribute these files publicly in the forum."

Sorry, I didn't know before that it was forbidden.

Quoting win32: "I will remind you that the PE checksum must be corrected before using it or else you will bugcheck."

I don't know how to correct the PE checksum. Could you explain it to me in more detail, please?
win32 (thread author), posted December 21, 2021

Quoting windows2: "I don't know how to correct the PE checksum. Could you explain it to me in more detail, please?"

You can do it in CFF Explorer. Go to Rebuilder, check only "Update Checksum", click "Rebuild", then save.