[WIP] Windows Vista Extended Kernel

[D.Draker]

13 hours ago, burd said:

Thanks for your find.

Thank you, I try to do my best. I know this software and what are you talking about . But I'm going to write a tutorial and some might not like the use of additional software that may or may not be flagged by their KGB/FSB "antivirus". So I'm looking for an official way to switch it off without the use of third party apps. As for me , I solved this issue and currently using 376.11 for myself . That's why I asked win32 about self-signing (maybe, as a solution) the drivers before this tutorial.

EDIT for @win32 :

Win32 , just so you know, you suggested

84C0740AB8BB0000C0

replacing with

84C0EB0AB8BB0000C0 because there's no first line in the later drivers (after 376.11).

Unfortunately it results in BSOD , not always , but frequent.

But the first solution worked !

Any ideas what to patch here in the nvlddmkm.sys , so I could include in the tutorilal also ?

I mean besides the obvious memcpy_s KeQueryLogicalProcessorRelationship.

I only ask about this one dll because I already patched the other four needed to be patched. Thanks . Link:

https://catalog.s.download.windowsupdate.com/d/msdownload/update/driver/drvs/2017/01/af7be83e-225c-46a1-8114-1f80f2b96027_5017e2509def8c6ae40e1668f0de20e02a8cf1d2.cab

Edited June 19, 2022 by D.Draker

[winvispixp]

23 minutes ago, D.Draker said:

some might not like the use of additional software that may or may not be flagged by their KGB/FSB "antivirus"

you could just write a disclaimer or warning of false positives 

[SigmaTel71]

22 hours ago, D.Draker said:

I'm sorry man , I'm not into discussing the games in the ex-kernel topic.

Sorry for that as well, but I wasn't disuccing games in particular but interesting in conditions you made things run. Don't you mind if I switch to PMs to continue on this topic?

[D.Draker]

@win32, the same question about patching the .sys dll in x86 so I could finish the tutorial. Thanks.

376.11

https://drivers.softpedia.com/get/GRAPHICS-BOARD/NVIDIA-GeForce-iCafe-Graphics-Driver-37611.shtml

376.53

https://catalog.s.download.windowsupdate.com/c/msdownload/update/driver/drvs/2017/01/09bbba90-cd9e-4d71-ba33-8e39ef592e62_e10b0f9502ad039a23bbf8b913230c827b0b437a.cab

[win32]

3 hours ago, D.Draker said:

@win32, the same question about patching the .sys dll in x86 so I could finish the tutorial. Thanks.

For 376.11 x86, the version check can be bypassed by finding the line:

53 FF D6 E8 86 97 4E FF 84 C0 74 0A B8 BB 00 00

Change it to this:

53 FF D6 E8 86 97 4E FF EB 0C 74 0A B8 BB 00 00

376.53 is very similar:

53 FF D6 E8 82 55 4E FF 84 C0 74 0A B8 BB 00 00

to

53 FF D6 E8 82 55 4E FF EB 0C 74 0A B8 BB 00 00

Edited June 19, 2022 by win32

[D.Draker]

On 6/19/2022 at 9:57 PM, win32 said:

For 376.11 x86, the version check can be bypassed by finding the line:

53 FF D6 E8 86 97 4E FF 84 C0 74 0A B8 BB 00 00

Change it to this:

53 FF D6 E8 86 97 4E FF EB 0C 74 0A B8 BB 00 00

376.53 is very similar:

53 FF D6 E8 82 55 4E FF 84 C0 74 0A B8 BB 00 00

to

53 FF D6 E8 82 55 4E FF EB 0C 74 0A B8 BB 00 00

Thanks , I tried . None of these fixes for 32-bit worked . None. Instant BSOD. Only 64-bit versions of certain drivers with certain combinations of replaced functions work . I'm currently testing a newer version . It's Quadro driver 376.84 64-bit and it works flawlessly , only after I got the replacements right (certain combination again) . I had to use software that signs the driver files , otherwise - no loading at all.

Upon issuing all of the well known commands to stop the checks , it allows me to load the pathced driver only one time if I bypass it in the f8 menu, but the software - self-signed work!

So why 32-bit not working even if signed ? They should ! 32 bit OS supposed to have less integrity checks , no ?

[D.Draker]

On 6/19/2022 at 10:45 AM, winvispixp said:

you could just write a disclaimer or warning of false positives 

Done .

@win32, the tutorial is finished . Yet the question about the BSODding 32 bit drivers remains open.

[win32]

I do not have a good answer for the 32 bit driver issues. I presume that the same functions are called as on 64 bit, right? If so they should work equally as well, unless there was an obscure issue specific to the architecture (in the last XP x64 NVIDIA drivers, multi monitor capability is broken because of an signed 32 bit integer becoming a unsigned 64 bit integer, iirc).

Edited June 23, 2022 by win32

[D.Draker]

On 6/23/2022 at 8:39 PM, win32 said:

1 - I do not have a good answer for the 32 bit driver issues.

2 - I presume that the same functions are called as on 64 bit, right?

3 - If so they should work equally as well, unless there was an obscure issue specific to the architecture (in the last XP x64 NVIDIA drivers, multi monitor capability is broken because of an signed 32 bit integer becoming a unsigned 64 bit integer, iirc).

1 - I tested 64bit on a board from 2010 and 32bit on a bloody kabylake from 2017. I can't test both on kabylake due to the well known bloody bug with the startup.

2- Right.

3 - Well , earlier I wrote that the first solution worked . I mean patching to EB24 worked , but the second not . By the second I mean EB0C.

What's the difference between ?  EB24 and EB0C ? 9451 vs 3307 ?

[win32]

12 minutes ago, D.Draker said:

3 - Well , earlier I wrote that the first solution worked . I mean patching to EB24 worked , but the second not . By the second I mean EB0C.

What's the difference between ?  EB24 and EB0C ? 9451 vs 3307 ?

I see that EB 24 is from my x64 patching instructions for 376.11, while EB 0C is from x86. The difference is that the x64 patch would "jump" over more code than x86, but I think they should actually be equivalent, as the x86 and x64 compilers arranged the version checking code differently. I'm not sure about 94 51 / 33 07, as I don't seem to have encountered them.

You could alternatively take the 74 0A next to the 84 C0 and make that EB 0A, but I am not sure if it would make a difference. I suspect there is a deeper issue on x86.

[D.Draker]

18 hours ago, win32 said:

 I'm not sure about 94 51 / 33 07, as I don't seem to have encountered them.

But you did , lol. Invert, then do Hexadecimal - Decimal

EB24 --> 24EB --> 9451 

EB0C --> 0CEB --> 3307

[SigmaTel71]

So I've managed to install the the June 10 release of Extended kernel, and... everything goes wrong. First, I got kernelol.dll error. Is it supposed to be the old kernel32.dll hanging in System32 and SysWOW64 directories?

At least I can confirm that Vivaldi 4.0 installer is starting with some issues, if I set 6.1.7601 version in osver.ini to global section, it starts up correctly, but says that the installer's archive was damaged and the installation will be aborted. Anyway, the extracted one from the installer works fine. I have even reverted the changes made to osver.ini to have correct version showing in the properties.

Crash details of Vivaldi update notifier (it crashes twice at launch):

Сигнатура проблемы:
  Имя события проблемы:    APPCRASH
  Имя приложения:    update_notifier.exe
  Версия приложения:    4.0.2312.36
  Штамп времени приложения:    60dcf375
  Имя модуля с ошибкой:    webservices.dll
  Версия модуля с ошибкой:    6.0.6002.19623
  Штамп времени модуля с ошибкой:    56ec4641
  Код исключения:    c0000135
  Смещение исключения:    00000000000b7e68
  Версия ОС:    6.1.7601.2.2.0.256.1
  Код языка:    1049
  Дополнительные сведения 1:    fa3e
  Дополнительные сведения 2:    ac0507478d1c5bd693cfc4fe3987e900
  Дополнительные сведения 3:    fa3e
  Дополнительные сведения 4:    ac0507478d1c5bd693cfc4fe3987e900

Discord client installed through DiscordSetup crashes at startup.

Сигнатура проблемы:
  Имя события проблемы:    BEX
  Имя приложения:    Discord.exe
  Версия приложения:    1.0.9005.0
  Штамп времени приложения:    6255d9bd
  Имя модуля с ошибкой:    StackHash_9c79
  Версия модуля с ошибкой:    0.0.0.0
  Штамп времени модуля с ошибкой:    00000000
  Смещение исключения:    0a56f176
  Код исключения:    c0000005
  Данные исключения:    badc0de1
  Версия ОС:    6.1.7601.2.2.0.256.1
  Код языка:    1049
  Дополнительные сведения 1:    9c79
  Дополнительные сведения 2:    18d391556384f03f39cb1810be4919d6
  Дополнительные сведения 3:    cbd8
  Дополнительные сведения 4:    7823eb2f440e23b0eb8dcc58dcf1c44e

To what I've noticed is that almost every application had been crashing with BEX until I disabled DEP through bcdedit. Could the renamed kernel32.dll to kernelol.dll be the issue?

[winvispixp]

1 hour ago, SigmaTel71 said:

Is it supposed to be the old kernel32.dll hanging in System32 and SysWOW64 directories?

had the same issue. copy kernel32.dll.bak (if you already have the ex kernel) from SysWOW64 to SysWOW64(yea same folder) and rename it to kernelol.dll

[Sergiaws]

in that case, deactivating DEP is the solution for the ExKernel problems?

[SigmaTel71]

12 hours ago, Sergiaws said:

deactivating DEP is the solution for the ExKernel problems?

Fifty-fifty. In some cases, applications continue to crash with BEX error at WerFault log.