
[WIP] Windows Vista Extended Kernel



I brought BWC's PE Maker to its knees. It appears that the gigantic export table of my 32 bit ntext with about 1850 functions and about 109 000 (decimal) bytes in size is too much for the application. It only seems to write the first 100 000 bytes of it. And having the export table below rsrc/reloc is a no-go with PE32 of course (need to redirect to a kernel32 pointing to ntdll or OG ntext for x86 software to work at all on my system right now :lol:).

So I looked at the problematic x86 K32* functions again. It appears that any upgrading of Nt/Zw* functions will need to be done in ntoskrnl, and some of those are very complex. But there are other ways to look at the situation, like comparing the changes between the original psapi functions and the K32 equivalents (simply forwarding a K32* to psapi doesn't work in many cases). And guess what, the only differences I saw between psapi's GetProcessMemoryInfo and K32GetProcessMemoryInfo were quite minor. All of them were like this:

NT 6.0 psapi!GetProcessMemoryInfo

jz routine1

if not zero, go to routine2

NT 6.1 kernel32!K32GetProcessMemoryInfo

jnz routine2

if zero, go to routine1

Every routine was the exact same!! A change in strategy is needed.


6 hours ago, dencorso said:

Have you ever heard about Binary Ninja? I've never had the opportunity to test it myself, but maybe it can be of help in your project...

No I haven't, but looking at it, it seems that it will fill the disassembly niche more so than the PE editing niche (there are no references to PE in the documentation). And I also need to get Qt 5.10+ working before I can use it. :lol:

At least they don't actively block users from installing/running it on unsupported platforms. I can't believe that more and more software only supports Windows 10 now.

Export Table Tester crunches through the larger export tables easily (some people have complained of corruption but I never had problems) and is the only name in the game for PE32+. A masochist could probably modify/expand export tables in a hex editor though.

23 minutes ago, win32 said:

And I also need to get Qt 5.10+ working before I can use it. :lol:

At least they don't actively block users from installing/running it on unsupported platforms. I can't believe that more and more software only supports Windows 10 now.

Is this the issue for Logitech G HUB? The Qt plugin error thingy.

1 hour ago, burd said:

Is this the issue for Logitech G HUB? The Qt plugin error thingy.

Yes it is. It turns out that Qt does not discriminate against Vista, and I just updated user32 so that Qt 5.10+ will work. The Qt 5.15 application that @dencorso mentioned is working. It seems more interesting than I thought it would be, but I shouldn't need a 1200 USD licence to use multithreading, when 12 thread CPUs are dirt cheap.

Bugfixes for kernel32 have been made that allow browsers such as Brave 83 to load, but it appears that something else has broken page rendering in all Chromium browsers on my end.

3ds Max 2021 starts, but now it complains about there being no IE10. If you run it through Dependency Walker then it doesn't, but then the licensing service whines and brings everything to a halt (it relies on IE). Perhaps the IE10 platform preview could work.

Edited by win32
9 minutes ago, win32 said:

Yes it is. It turns out that Qt does not discriminate against Vista, and I just updated user32 so that Qt 5.10+ will work. Bugfixes for kernel32 have been made that allow browsers such as Brave 83 to load, but it appears that something else has broken page rendering in all Chromium browsers on my end.

Sounds positive

 

9 minutes ago, win32 said:

3ds Max 2021 starts, but now it complains about there being no IE10. If you run it through Dependency Walker then it doesn't, but then the licensing service whines and brings everything to a halt (it relies on IE). Perhaps the IE10 platform preview could work.

I doubt the IE10 platform preview would work, though I could be wrong; it's very early, based on IE9 with a few minor improvements.

1 minute ago, burd said:

I doubt the IE10 platform preview would work, though I could be wrong; it's very early, based on IE9 with a few minor improvements.

I was going by this thread:

 

1 minute ago, win32 said:

I was going by this thread:

 

What I meant is that, ofc, the platform preview itself works, but it has so few improvements over IE9 that it would possibly still not work, idk.

Just now, burd said:

What I meant is that, ofc, the platform preview itself works, but it has so few improvements over IE9 that it would possibly still not work, idk.

In this case, it would only be needed for the licensing component of one application. At the very least it would satisfy the version check. And less risky than say, putting IE7 on win2k since they started to decouple IE from the shell in Vista. Web applications that rely on IE probably don't use its most cutting edge features.

Since it's a licensing service issue, maybe there are other ways to fix it, but I will not talk about them.

1 hour ago, win32 said:

Yes it is. It turns out that Qt does not discriminate against Vista, and I just updated user32 so that Qt 5.10+ will work. The Qt 5.15 application that @dencorso mentioned is working.

Definitely working on my end too, latest LGHUB, absolutely amazing.

6 hours ago, win32 said:

Export Table Tester crunches through the larger export tables easily (some people have complained of corruption but I never had problems) and is the only name in the game for PE32+. A masochist could probably modify/expand export tables in a hex editor though.

I think the corruption problems may be present in an older version of ExportTableTester. I have no way of confirming because the version on my website is the only one I have been able to get my hands on.

I also have 2 questions for @win32:
Have you tried ExpX64?
Why does your version of kernel32.dll have 4 export tables in 4 different sections with the same name?

Edited by Ximonite
1 hour ago, Ximonite said:

I think the corruption problems may be present in an older version of ExportTableTester. I have no way of confirming because the version on my website is the only one I have been able to get my hands on.

Since I said that, I found that an x86 dll broke after renaming both a forwarded export and its pointer to the recipient function/dll. Simply changing the latter did not cause problems. I don't believe that this problem exists with PE32+.

1 hour ago, Ximonite said:

I also have 2 questions for @win32:
Have you tried ExpX64?
Why does your version of kernel32.dll have 4 export tables in 4 different sections with the same name?

No, but I heard of it a long time ago. Didn't use it though, considering the stability of ExportTableTester with PE32+ and your statement that the regular ExpX corrupted one of your files. Though it seems pretty nice.

Most of the work in kernel32 was done in late June and early July, almost immediately after gaining the bare minimum knowledge necessary to add functions to PEs. So horrific messes like that occurred because I kept running out of room in each new export table and didn't think of expanding the current one. Reason? CFF Explorer would never enlarge a section even if I had changed the virtual and raw sizes of it afterward. Now I know enough to make sure such a cluster.... never happens again.


Has anyone gotten Intel Graphics to work on Intel Haswell/Broadwell processors? I have a Celeron N3050, which is derived from one of those, and can't seem to get anything to work. Win32 DMed me a Windows XP Haswell driver, but nothing.

Also, Firefox 81 works like a charm. Setup.exe didn't work, so you have to uninstall your existing Firefox, recreate the Mozilla Firefox folder in Program Files (x86), and then copy the files over. You can then create a shortcut to Firefox.exe by right-clicking it and clicking Create shortcut, at which point it will be put automatically on the desktop. You can also remove the ".exe - Shortcut" stuff that gets added to the name so it is just Firefox.

To pull this off, do the following, which was obtained from this video by WinClient5270 and this thread by TatsuyaSou:

1. Go to the Firefox website and act like you're going to download it. Cancel the download prompt that pops up and scroll down. There should be a link called "Download Firefox for a different OS". Click it, leave all the options the same (Windows, x64, etc.), and it should download Firefox 81.

1.5 (Optional). If you don't have 7-Zip, grab it now from the 7-Zip site and set it up. If you also don't have CFF Explorer, grab that now as well. A link to that is available in the YouTube video I linked above.

2. Right-click the Firefox installer, hover over 7-Zip, and then click Open Archive. Extract everything there to the desktop.

3. Open the folder you just extracted and in the search bar type in *.exe. This will show only the exe's, and files that have .exe but which otherwise end in a different extension (such as .config).

4. Right-click each exe and click on Open in CFF Explorer. Navigate to Optional Header and you should see two fields that have 0006 and a 0001 under MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorSubsystemVersion, and MinorSubsystemVersion. This refers to the version number. Leave the 6 intact, but change the 0001 to 0000. Do this to the other 0001 as well, and then save. If the exe has a 0004 and a 0000 in place of the 0006 0001, don't edit that. Check every exe except the ones that end in .exe.InsertFileExtensionHere. Those were included in the search as they include .exe even though that is not the file's official extension.

5. Afterwards, open Firefox.exe back up, navigate to Import Table, then to ntdll.dll, and then change the entry RtlQueryPerformanceCounter to NtQueryInformationProcess. Save the file and test it out.

6. Open Firefox and it should open up just fine.

7. If you wish, you can uninstall your current Firefox installation and move the files for the new one to the Mozilla Firefox folder in Program Files (x86) (you will have to recreate the folder since the other one got deleted), and then create a shortcut to the Firefox.exe, which will automatically get placed on the desktop. If you want it to look official, you can remove the .exe - Shortcut junk from the name so it reads simply Firefox instead of Firefox.exe - Shortcut.

8. Credit goes to WinClient5270 and TatsuyaSou for these methods. I am just posting it here so people don't have to hunt all over for this information. I should note that I have no idea if Firefox 81 has any major problems as I only went to Google, but I imagine videos would be a problem since people reported those in prior versions beyond the 60's I think.

 

Edited by Jakob99
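Step 4 of the post above, written as a script. This is an added example, not part of the original post and not code from WinClient5270 or TatsuyaSou. The function names and the header-only sample buffer are constructed for illustration; the field offsets are those of the PE optional header.

```python
import struct

# Offsets from the start of the optional header; the same for PE32 and PE32+.
VERSION_FIELDS = {"OperatingSystemVersion": 40, "SubsystemVersion": 48}

def optional_header_offset(data):
    """Locate the optional header, validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 52:
        raise ValueError("PE header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise ValueError("unknown optional header magic")
    return opt

def read_versions(data):
    """Return {field: (major, minor)} for the OS and subsystem versions."""
    opt = optional_header_offset(data)
    return {name: struct.unpack_from("<HH", data, opt + off)
            for name, off in VERSION_FIELDS.items()}

def retarget(data, old=(6, 1), new=(6, 0)):
    """Rewrite only version pairs equal to `old`; 4.0 images stay untouched."""
    buf = bytearray(data)
    opt = optional_header_offset(buf)
    changed = []
    for name, off in VERSION_FIELDS.items():
        if struct.unpack_from("<HH", buf, opt + off) == old:
            struct.pack_into("<HH", buf, opt + off, *new)
            changed.append(name)
    return bytes(buf), changed

def make_sample(os_ver, subsys_ver, magic=0x20B):
    """Constructed header-only buffer for the demo, not a loadable image."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<HH", buf, opt + 40, *os_ver)
    struct.pack_into("<HH", buf, opt + 48, *subsys_ver)
    return bytes(buf)

if __name__ == "__main__":
    patched, changed = retarget(make_sample((6, 1), (6, 1)))
    print(changed, read_versions(patched))
```

The version fields are covered by the Authenticode hash, so a signed executable no longer verifies once they are changed.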
