[WIP] Windows Vista Extended Kernel

[Brickedandroid]

On 12/1/2021 at 10:26 PM, Sergiaws said:

I can't get the os spoofer working. I use extended kernel with local redirection and .exe.local files. I can't get waterfox working, it's still tell that it's not a valid Win32 application. What would I need to do in order to use the Extended Kernel with Os Spoofer with the local redirection as I did with the normal extended Kernel?

Try using CFF Explorer, load that exe file, go to Nt Headers\Optional Header, then change the MajorOperatingSystemVersion, MajorImageVersion, and MajorSubsystemVersion values to 0006, and change the MinorOperatingSystemVersion, MinorImageVersion, and MinorSubsystemVersion values to 0000

Edited December 4, 2021 by Brickedandroid

[Sergiaws]

can't use that program because it don't work with screen reading software. Maybe I'll install an English version of msdn's Vista SP0, update it and try to install there the extended kernel. However, I decided to answer here because @Win32 promised that the Os Spoofer would work with that kind of ExtendedKernel's installations, or that's what I understood.

[TSNH]

1 hour ago, Sergiaws said:

can't use that program because it don't work with screen reading software. Maybe I'll install an English version of msdn's Vista SP0, update it and try to install there the extended kernel. However, I decided to answer here because @Win32 promised that the Os Spoofer would work with that kind of ExtendedKernel's installations, or that's what I understood.

I don't think @win32 ever promised that

The main problem with using extended kernel with local redirection is that you can't redirect exe files. This makes it impossible to load extended kernel ntoskrnl.exe and winload.exe.

AFAIK the last version of Firefox you could run with local redirection was 64 (as showed in the @WinClient5270's video on the previous page).

[bromogatos309]

Hello !

How can I get the latest vista extended kernel ? And from where I can download it ?

 

[Sergiaws]

maybe you should send a pm to some user that post here. It is located on a mega folder, but we can't share it here as far as I know.

[bromogatos309]

Nah I found it myself...Got a bluescreen on restart but turns out I didn't install KB970158..Seems to be ok now

 

Edited December 6, 2021 by bromogatos309

[bromogatos309]

I tried Karlson and it worked !

 

[Brickedandroid]

In Windows Vista, IDM can't download files over HTTPS sites. How to fix that?

[windows2]

On 6/15/2020 at 4:13 PM, win32 said:

SetThreadErrorMode: 48 FF 25 D9 DC 05 00 CC
K32GetModuleFileNameExA: 48 FF 25 49 2D 04 00 CC

Hello Win32 ,I started yesterday to test the kernel extension based on your topic. Thank you for all these explanations. I want to ask you, where do you get these Hexa functions? I want to add some functions to kernel32 .dll for windows 2000. as an experience. Can I move the functions in the kernel32.dll export table for Windows XP or Vista 32bit? To the export table in the new kernel32.dll section for Windows 2000.?

[win32]

4 hours ago, windows2 said:

Hello Win32 ,I started yesterday to test the kernel extension based on your topic. Thank you for all these explanations. I want to ask you, where do you get these Hexa functions? I want to add some functions to kernel32 .dll for windows 2000. as an experience. Can I move the functions in the kernel32.dll export table for Windows XP or Vista 32bit? To the export table in the new kernel32.dll section for Windows 2000.?

Those are stubs that I deprecated a long time ago. I now grab my code from newer versions of Windows using IDA pro or write my own (you can do it in C, then disassemble if you don't know asm well).

SetThreadErrorMode calls RtlSetThreadErrorMode in ntdll. Perhaps you can call RtlSetThreadErrorMode locally by putting it in kernel32.

K32GetModuleFileNameExA is the same as GetModuleFileNameExA in psapi.dll. In fact every function that starts with "K32" was originally in there. But I don't believe kernel32 can call psapi because psapi relies on kernel32.

[windows2]

1 hour ago, win32 said:

Ce sont des bouts que j'ai déconseillés il y a longtemps. Je récupère maintenant mon code à partir de versions plus récentes de Windows à l'aide d'IDA pro ou j'écris le mien (vous pouvez le faire en C, puis le désassembler si vous ne le connaissez pas bien).

 

This means I have to rewrite kernel32 .dll using IDA to browse to a newer code, for example XP  kernel32.dll code, and then rewrite it with C. Example open kernel32 .dll for Windows XP and rewrite it to C, but this is very difficult. Will functions in this way preserve their addresses, which other .dll files use for the request? . Do you mean like this, or do you mean to transfer a specific function code from IDA and then arrange it in C. Then turn it into an ASM code. Then to hexa and then add it to the new section in the export table. Do you mean like this?

Please simplify the talk for me. Because I hardly understand English, sorry 

[win32]

3 minutes ago, windows2 said:

This means I have to rewrite kernel32 .dll using IDA to browse to a newer code, for example XP  kernel32.dll code, and then rewrite it with C. Example open kernel32 .dll for Windows XP and rewrite it to C, but this is very difficult. Will functions in this way preserve their addresses, which other .dll files use for the request? . Do you mean like this, or do you mean to transfer a specific function code from IDA and then arrange it in C. Then turn it into an ASM code. Then to hexa and then add it to the new section in the export table. Do you mean like this?

Please simplify the talk for me. Because I hardly understand English, sorry 

Completely rewriting kernel32 will prove very difficult. And IDA's pseudocode is not always compilable without other changes, and may be incorrect.

But if you don't write anything in C, you can go into IDA, outline the entire function and go to "Edit -> export data". Then copy and paste that hex code into the target file, and find the starting address for the beginning of the hex code and then add an entry in the export table that references the starting address.

After pasting in the new function, you will have to fix up the imports, function calls and data references to ensure that will work somewhat.

[windows2]

14 minutes ago, win32 said:

you will have to fix up the imports, function calls and data references to ensure that will work somewhat

I understand, thank you very much I will try this method   

to fix up the imports, function calls and data references . Do I use rebuild in cff explorer? This is the only thing I don't understand yet.

Forgive me for bothering you with my questions which seem trivial to you .

But it is very important to me and I thank you for teaching me what I didn't know.

[win32]

9 minutes ago, windows2 said:

Do I use rebuild in cff explorer?

Rebuild the PE header? No. Just set the checksum but make sure you do not rebuild the header.

Warning: LordPE silently rebuilds PE headers when a file is saved.

[windows2]

4 minutes ago, win32 said:

Just set the checksum but make sure you do not rebuild the header.

Warning: LordPE silently rebuilds PE headers when a file is saved.

OK thank you

16 minutes ago, windows2 said:

to fix up the imports, function calls and data references This is the only thing I don't understand yet.

I mean for the imports do they need modifications? If yes, how do I do that? What are the tasks that must be done? What are the necessary tools?