[WIP] Windows Vista Extended Kernel

[win32]

7 minutes ago, windows2 said:

I mean for the imports do they need modifications? If yes, how do I do that? What are the tasks that must be done? What are the necessary tools?

Imports are really hard to work with, if they are not there in the file already.

There are a couple of things you can do. Either you get the imported function from the imported file and try implementing it in the target file, if it's simple. Or you take other import entries to simple functions, reimplement the simple functions in the file itself and rename the now unused import to the one you want. However, you have to make sure the new import name is not too long as the import names are packed together very close.

[windows2]

27 minutes ago, win32 said:

Imports are really hard to work with, if they are not there in the file already.

There are a couple of things you can do. Either you get the imported function from the imported file and try implementing it in the target file, if it's simple. Or you take other import entries to simple functions, reimplement the simple functions in the file itself and rename the now unused import to the one you want. However, you have to make sure the new import name is not too long as the import names are packed together very close.

Well thank you I will do everything you told me  .

Please if you have time in the future. Explain the method of adding a simple function, and processing imports, and send it in a link from Drive.

Maybe I will need it if I can't implement your words correctly.

I don't force you to make a video, I say if you can, otherwise, thank you. I benefited a lot with your informations  .

Edited December 17, 2021 by windows2

[windows2]

Hi @win32 , I try to make an extended kernel for Windows NT 4.0 

I have add this function : GetProcessIoCounters

But i found an error : I don’t found the function in IDA list of functions !

But in export table tester and export directory in CFFExplorer the function exist !

I found the code in IDA in the HEX view and IDA view in .xdata segment  : I don’t know how to resolve this problem

Give me a way to solve this problem please. I documented everything I did, using several pictures to illustrate every step I took in this link:  https://mega.nz/file/4k0iCYiJ#3CaHXrnEUnsdRqMB3IMiMeuJpxbFp24bm1Rp7Kf75RA

[win32]

 

34 minutes ago, windows2 said:

Hi @win32 , I try to make an extended kernel for Windows NT 4.0 

I have add this function : GetProcessIoCounters

But i found an error : I don’t found the function in IDA list of functions !

But in export table tester and export directory in CFFExplorer the function exist !

I found the code in IDA in the HEX view and IDA view in .xdata segment  : I don’t know how to resolve this problem

Give me a way to solve this problem please. I documented everything I did, using several pictures to illustrate every step I took in this link:  https://mega.nz/file/4k0iCYiJ#3CaHXrnEUnsdRqMB3IMiMeuJpxbFp24bm1Rp7Kf75RA

You put the memory address of the function in the wrong place (00000040 is near the beginning of the file; not the end where .xdata is located).

In IDA Pro you will notice two numbers on the status bar:

The one on the left, 0005B840 is the offset memory address and the one that Export Table Tester uses, as well as hex editors. So that is where you want to put the address of the function.

And then there are a few other concerns, especially with regards to the export table: if you do not move it to an empty space in the file, such as farther down as .xdata, with lots of expansion room, you may end up running into other code or data.

[windows2]

1 hour ago, win32 said:

if you do not move it to an empty space in the file

I don't understand why there is a code with an new section (empty space).

So if I deleted the added code alone (strange thing with a new empty space) Does an error occur?

Edited December 20, 2021 by windows2

[windows2]

2 hours ago, win32 said:

 

You put the memory address of the function in the wrong place (00000040 is near the beginning of the file; not the end where .xdata is located).

In IDA Pro you will notice two numbers on the status bar:

The one on the left, 0005B840 is the offset memory address and the one that Export Table Tester uses, as well as hex editors. So that is where you want to put the address of the function.

And then there are a few other concerns, especially with regards to the export table: if you do not move it to an empty space in the file, such as farther down as .xdata, with lots of expansion room, you may end up running into other code or data.

I have finally added it successfully, Thanks a lot

Edited December 20, 2021 by windows2

[windows2]

@win32 I had a small problem which is that the two addresses do not match the addresses that should be called, how do I fix this please.

[win32]

7 minutes ago, windows2 said:

@win32 I had a small problem which is that the two addresses do not match the addresses that should be called, how do I fix this please.

 

IDA Pro does not like to assemble things very well, so you will have to go into the hex view to modify the import calls. In x86, the import calls directly reference the memory address of the import table entry as opposed to an offset. So the hex codes for the import call instruction will be (in little-endian notation):

FF 15 B8 C0 F3 77

Local function calls remain offset based, so you can just go to edit -> patch program -> assemble and type in "call 77f01762h".

[windows2]

9 minutes ago, win32 said:

IDA Pro does not like to assemble things very well, so you will have to go into the hex view to modify the import calls. In x86, the import calls directly reference the memory address of the import table entry as opposed to an offset. So the hex codes for the import call instruction will be (in little-endian notation):

FF 15 B8 C0 F3 77

Local function calls remain offset based, so you can just go to edit -> patch program -> assemble and type in "call 77f01762h".

Thank you very much, I will try it tomorrow.

[windows2]

13 hours ago, win32 said:

IDA Pro does not like to assemble things very well, so you will have to go into the hex view to modify the import calls. In x86, the import calls directly reference the memory address of the import table entry as opposed to an offset. So the hex codes for the import call instruction will be (in little-endian notation):

FF 15 B8 C0 F3 77

Local function calls remain offset based, so you can just go to edit -> patch program -> assemble and type in "call 77f01762h".

Hi, do I save my kernel32.dll patch with this method?

 

Edited December 21, 2021 by windows2

[win32]

Yes.

[windows2]

2 hours ago, win32 said:

Yes.

Please, how do I test the new kernel32 .dll?

 

Edited December 21, 2021 by Tripredacus
removed link

[win32]

2 hours ago, windows2 said:

Please, how do I test the new kernel32 .dll?

Install NT 4 SP5 in a VM (better in a VM because you can take snapshots) or on a real PC and replace kernel32 with that one.

I will remind you that the PE checksum must be corrected before using it or else you will bugcheck.

And you cannot redistribute these files publicly in the forum.

Edited December 21, 2021 by win32

[windows2]

27 minutes ago, win32 said:

And you cannot redistribute these files publicly in the forum.

Sorry, I didn't know before that it was forbidden

 

36 minutes ago, win32 said:

I will remind you that the PE checksum must be corrected before using it or else you will bugcheck.

i don' t know how to correct PE checksum. do you explain to me more please.
 

[win32]

Just now, windows2 said:

i don' t know how to correct PE checksum. do you explain to me more please.

You can do it in CFF Explorer. Go to rebuilder, only check "Update Checksum", "Rebuild" then save.