
[WIP] Windows Vista Extended Kernel


win32



48 minutes ago, WindowsVista said:

Hello,

sorry if this is off topic but is there a way to change the Windows Vista boot animation?

I mean the sliding green bar.

Thank you.

Yes, but like XP, it uses a custom palette which means that it will appear as completely black in Resource Hacker (it's in ntoskrnl.exe). The palette data is stored in ntoskrnl as well.

In fact, the palette is the same as XP so everything (except for maybe the progress bar parameters) in this guide applies:

http://www.virtualplastic.net/html/logo_scr.html#winxp

Edited by win32

1 hour ago, win32 said:

Yes, but like XP, it uses a custom palette which means that it will appear as completely black in Resource Hacker (it's in ntoskrnl.exe). The palette data is stored in ntoskrnl as well.

In fact, the palette is the same as XP so everything (except for maybe the progress bar parameters) in this guide applies:

http://www.virtualplastic.net/html/logo_scr.html#winxp

Thank You!

Now I can change it from green to pink?


14 minutes ago, WindowsVista said:

 

Now I can change it from green to pink?

Sure. But you will have to change the colour palette in ntoskrnl by changing some of the applicable hex values. On the page I mentioned above, you will find the ones that are green. You will have to find the RGB colour values for the two (or three?) shades of pink you want to use, and then put them where the green shades were, in hex format and reversed. So, for example, RGB colour value 32 26 21 will become 15 1A 20.

Edited by win32

5 minutes ago, win32 said:

Sure. But you will have to change the colour palette in ntoskrnl by changing some of the applicable hex values. On the page I mentioned above, you will find the ones that are green. You will have to find the RGB colour values for the two (or three?) shades of pink you want to use, and then put them where the green shades were, in hex format and reversed. So, for example, RGB colour value 32 26 21 will become 15 1A 20.

Unfortunately it seems that the software by JJoelC has been taken down or the link has been removed.

And when I type the string in my hex editor (which is Hex Workshop) it says no matches found.

It's been a while since I last used it, so I've forgotten a few things.


1 hour ago, WindowsVista said:

 

And when I type the string in my hex editor (which is Hex Workshop) it says no matches found.

Strange. I typed the full hex string into HxD's search and got a match.

And you can find that page here: http://web.archive.org/web/20030605104342/http://www.geocities.com/thejjoelc/XPbootcolors.html

But I'm not sure if it would work well with x64 executables or Vista itself (for one thing, boot.ini has been deprecated). If you only need to change the colour of the progress bar, you only really need to change the appropriate hex values.

As for my winload/ntoskrnl combo, it appears that all a user will have to do is bcdedit /set nointegritychecks 1, then copy over my versions outside of the OS, or set up an alternative boot menu entry with my files renamed while the OS is running. My patched files are stable, but I need to test modified ntdlls.

Edited by win32

15 hours ago, Jaguarek62 said:

I've seen you're using new Steam? How did you do that? Thank you

On 7/29/2020 at 7:32 AM, win32 said:

You can use a hex editor like HxD. Search for a sequence of bytes that goes

6A 00 6A 01 6A 06

And change the 6A 01 to 6A 00.

 

Change those bytes for steam.exe, steam.dll, and steamservice.dll

 

Edited by asdf2345

After winload and ntoskrnl were successfully cracked, I decided to try loading custom ntdlls, with new sections added to their ends. It failed to load them. So if even a modified winload/ntoskrnl couldn't load them, perhaps some signature checking routine exists in ntdll as well? And much like in the kernelmode files, it may have been something that could only be picked up on with the debugging symbols.

You can get the full debug symbol packages for Windows 2000 to 7 SP1 from here: http://web.archive.org/web/20110903004616/http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

They took down the offline packages because of Windows 10's frequent updates making its symbols outdated rapidly.

Since there has always been a desire to experiment with drivers and kernelmode code, no one has had the same drive to manipulate ntdll in such a way (exploits notwithstanding). So there isn't much information on the subject.

First I see a function named LdrpCheckCorImage. It seems to be linked to .NET Framework 2.0. Not very interesting.

But I do see RtlCreateUserStack which calls RtlImageNtHeader. The latter is also called by LdrpSetProtection.

But most interesting of all may be RtlpCheckHeapSignature and RtlpGetColdpatchDebugSignature.

And now I wonder about how other usermode files have their signatures checked in NT 6.2 and up.

UPDATE: it appears that the ntdll failure was not directly related to digital signatures, but to the way the file was modified. After testing with 2012R2's explorer.exe, I found that you must use another tool to remove the digital certificate before modifying the file, or else it will be broken.

Once the signature was removed with this tool, and a miniature section was added to the explorer.exe, Windows complained about the lack of a digital signature. Booting with DSE disabled allowed the modified explorer.exe to run. Now I need to replicate these results with Vista's ntdlls, but it will be six days before I can return to an appropriate testing environment.

Edited by win32
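The breakage described in the update above has a structural cause: an Authenticode certificate table is referenced from data directory entry 4 of the optional header by raw file offset and is normally the last thing in the file, so appending a section after it leaves the header pointing at the wrong place. The following Python, added here as an illustration and not code from the thread or from the extended-kernel project, parses that directory from a PE image and reports whether a certificate table is present and whether it still sits at the end of the file. The sample PE it builds is a constructed minimal skeleton, not a real Windows binary.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = struct.unpack_from("<I", pe, count_off)[0]
    if count <= SECURITY_DIR_INDEX:
        return None
    # Unlike other directories, this entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * SECURITY_DIR_INDEX)
    return (off, size) if off and size else None

def certificate_is_trailing(pe: bytes) -> bool:
    """True if an embedded certificate table exists and ends exactly at EOF."""
    sec = security_directory(pe)
    return sec is not None and sec[0] + sec[1] == len(pe)

def build_sample_pe(cert: bytes, plus: bool = True) -> bytes:
    """Constructed minimal PE skeleton with a certificate table appended at EOF."""
    opt_size = 240 if plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    count_off, dirs_off = (108, 112) if plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)
    body_len = len(dos) + 4 + len(coff) + opt_size
    struct.pack_into("<II", opt, dirs_off + 8 * SECURITY_DIR_INDEX, body_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    sample = build_sample_pe(b"\x08\x00\x00\x00\x00\x02\x02\x00")  # constructed blob
    print(security_directory(sample), certificate_is_trailing(sample))
    print(certificate_is_trailing(sample + b"\0" * 16))  # appended data moves cert away from EOF
```

On a real signed file, a result where the certificate table no longer ends at EOF is the state the post describes as "broken": the signature blob has been buried under the appended section.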

Hit an issue opening Firefox 78.0 and 78.1. I tried both versions of your kernel32.dll, and didn't modify any x86 files. I had it working fine in a vm (think the files changed since), but on my friend's testbed this is the error I receive:

Problem Event Name:    APPCRASH
  Application Name:    firefox.exe
  Application Version:    78.0.0.7481
  Application Timestamp:    5ef4dbb9
  Fault Module Name:    ntdll.dll!RtlQueryPerformanceCounter
  Fault Module Version:    6.0.6003.20749
  Fault Module Timestamp:    5e4026a5
  Exception Code:    c0000139
  Exception Offset:    00000000000b6688
  OS Version:    6.0.6003.2.2.0.256.1
  Locale ID:    1033
  Additional Information 1:    fa3e
  Additional Information 2:    ac0507478d1c5bd693cfc4fe3987e900
  Additional Information 3:    fa3e
  Additional Information 4:    ac0507478d1c5bd693cfc4fe3987e900

Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

