Mov AX, 0xDEAD
Posted June 17, 2020 (edited)

NTOSKRNL Emu_Extender

Library of missing functions for Windows XP/2003/Vista/7 NTOSKRNL.EXE
Project is intended to help in porting drivers from Windows 7/8/8.1/10 for work with Windows XP/2003/Vista/7

How-To:
- Compile sources to make ntoskrn8.sys
- Make corrections to target driver XXX.sys so that it loads ntoskrn8.sys instead of the original ntoskrnl.exe
- If XXX.sys is a driver made for Windows 8, change security_cookie to a random value; security_cookie is constant 0x4EE640BB (x32) / 0x32A2DF2D992B (x64) inside the file, change only the first match!
- Place ntoskrn8.sys in the X:/Windows/system32/drivers/ folder

Compiling:
1) Install Windows 7 DDK v7.1.0 (download from Microsoft site)
1a) Original DDK header files have a mistake in the definition of MmAllocateContiguousMemorySpecifyCacheNode, apply the fix to two files, \WinDDK\Win7\inc\ddk\ntddk.h and \WinDDK\Win7\inc\ddk\wdm.h:
replace:
    #if (NTDDI_VERSION >= NTDDI_WIN2K)
    typedef ULONG NODE_REQUIREMENT;
to:
    #if (NTDDI_VERSION >= NTDDI_VISTA)
    typedef ULONG NODE_REQUIREMENT;
2) Download project files to any local folder
    git clone https://github.com/MovAX0xDEAD/NTOSKRNL_Emu
3) Choose the target OS (XP, 2003, Vista or Windows 7) for which Emu_Extender will be compiled. Keep in mind that depending on the target operating system the way of exporting the functions changes; if a function already exists in the kernel it will simply be redirected without injecting emulation code
4) Run shell: "Start Menu\Programs\Windows Driver Kits\Win7 7600.16385.1\Build Environments\Windows XXX\YYY Free Build Environment" (XXX - target OS, YYY - target CPU)
5) In the shell change current directory to the local project folder
6) Use shell command BLD to compile the project
7) Compiled ntoskrn8.sys will be in the ntoskrn8/objfre_XXX_x86/YYY folder

STORPORT Windows 7 Emu_Extender

This is a library of missing functions for Windows 7's STORPORT.SYS v6.1.7601.23403 to emulate Windows 8's STORPORT.SYS

How-To:
- Compile ntoskrnl Emu_Extender
- Place storpor8.sys in the X:/Windows/system32/drivers/ folder
- Make corrections to target xxx.sys so that it loads storpor8.sys instead of the original storport.sys
- Place backported storport.sys from Windows 7 in the X:/Windows/system32/drivers/ folder

Ported drivers:

Windows 7's WDF 1.11 for Windows XP/2003 x32

Last version for Windows XP/2003 is 1.9, but it is possible to backport the 1.11 version:
1) Get files from Windows 7 Updates (KB3125574):
    WDF01000.SYS v 1.11.9200.20755
    WdfLdr.sys v 1.11.9200.16384
2) In WDF01000.SYS replace string ntoskrnl.exe to ntoskrn8.sys in import section
3) Recalc checksum
If it needs to coexist with original WDF 1.9 drivers:
4) Rename WDF01000.SYS->WDF01_W8.SYS, WdfLdr.sys->WdfLdr8.sys
5) In WDF01_W8.SYS replace string WdfLdr.sys to WdfLdr8.sys in import section
6) In WdfLdr8.sys replace unicode string \Registry\Machine\System\CurrentControlSet\Services\Wdf%02d000 to \Registry\Machine\System\CurrentControlSet\Services\Wdf%02d_w8
7) In WdfLdr8.sys replace hex pattern F6 78 1B F6 to F6 EB 1B F6 (x32), ** ** to ** ** (x64)
8) In target driver XXX.sys replace string "WdfLdr.sys" to "WdfLdr8.sys" in import section
9) In .INF of ported driver add creating new service:
    AddService=WDF01_W8,, WDF.AddService
    ....
    [WDF.AddService]
    DisplayName = "Windows Driver Framework v1.11 for XP/2003"
    ServiceType = 1 ; SERVICE_KERNEL_DRIVER
    StartType = 3 ; SERVICE_DEMAND_START
    ErrorControl = 1 ; SERVICE_ERROR_NORMAL
    ServiceBinary = %12%\WDF01_W8.SYS
    LoadOrderGroup = Base
Recalc checksum of all edited *.sys

Windows 7's Storport.sys for Windows XP x32

Storport was released since Windows 2003, but it is possible to backport the Windows 7 version:
1) Get files from Windows 7 Updates (KB3125574):
    storport.sys v 6.1.7600.23403
2) In storport.sys replace string ntoskrnl.exe to ntoskrn8.sys in import section, now storport.sys will import all kernel functions only from Emu_Extender
3) Storport uses MSI interrupts, need to force use of only legacy/compatible interrupts
    x32 - replace hex pattern 8B 8E 3C 01 00 00 to B9 00 00 00 00 90 (mov ecx, [esi+13Ch] -> mov ecx, 0)
    x64 - replace hex pattern 8B 83 C0 01 00 00 to B8 00 00 00 00 90 (mov eax, [rbx+1C0h] -> mov eax, 0)
4) Recalc checksum

Windows 7's NVMe driver for Windows XP x32

1) Get files from Windows 7 Updates (KB3125574):
    stornvme.sys v 6.1.7600.23403
2) MS Win7 NVMe driver requires Win7 Storport.sys, use the backported one

Windows 8's USB3 driver for Windows XP x32

1) Get required files
    from Windows 8 (KB4534283/4556840, KB2984005, RTM ISO):
        ucx01000.sys v6.2.9200.22453
        usbhub3.sys v6.2.9200.21180
        usbxhci.sys v6.2.9200.22099
        wpprecorder.sys v6.2.9200.16384
        usbd.sys v6.2.9200.20761
    from Vista Beta/Longhorn 5456.5:
        ksecdd.sys v6.0.5456.5
2) In files ucx01000.sys, usbhub3.sys, usbxhci.sys, wpprecorder.sys, usbd.sys change security_cookie to random value
3) In files ucx01000.sys, usbhub3.sys, usbxhci.sys, ksecdd.sys replace string name "ntoskrnl.exe" to "ntoskrn8.sys" in import section
4) Rename ksecdd.sys->ksecd8.sys, usbd.sys->usbd_w8.sys
5) In usbhub3.sys replace string name "ksecdd.sys" to "ksecd8.sys" in import section
6) In usbhub3.sys replace string name "usbd.sys" to "usbd_w8.sys" in import section
7) Recalc checksum

Windows 8's STORAHCI driver for Windows XP x32

STORAHCI driver requires storport.sys from Windows 8, but it is possible to use storport.sys v6.1.7601.23403 from Windows 7.
Storport.sys from Windows 7 is more compatible with Windows XP/2003 because it still calls the required PoStartNextPowerIrp when processing power IRPs. Microsoft removed calls to PoStartNextPowerIrp in Windows 8's storport.sys; without this call the Windows XP/2003 kernel cannot finish the current power IRP and start the next IRP => it generates BSOD (0x0000009F).
Also storport.sys from Windows 7 has a compatibility mode to allow old XP/2003 kernels to write crashdumps through storport based disk drivers. In storport.sys from Windows 8 the compatibility mode was removed, writing crashdumps is possible only with new kernels.
Pay attention: Windows 8's STORAHCI + Windows 7's STORPORT may have a significant performance drop and high CPU usage, there is no fix yet

1) Get files from Windows 8 (RTM ISO):
    storahci.sys v 6.2.9200.16384
2) In storahci.sys replace string storport.sys to ntoskrn8.sys in import section
3) Storahci.sys was compiled with Windows 8 DDK's storport.h and writes values to new fields of the _PORT_CONFIGURATION_INFORMATION struct, these fields do not exist in Windows 7's storport.sys. Need to skip these writes to avoid damaging other structures in memory
    x32:
    Replace hex pattern 83 A6 C8 00 00 00 00 to 90 90 90 90 90 90 90 (and dword ptr [esi+0C8h], 0 -> nop)
    Replace hex pattern 83 8E CC 00 00 00 03 to 90 90 90 90 90 90 90 (or dword ptr [esi+0CCh], 3 -> nop)
    x64:
    Replace hex pattern 44 89 B7 D8 00 00 00 to 90 90 90 90 90 90 90 (mov [rdi+0D8h], r14d -> nop)
    Replace hex pattern 83 8F DC 00 00 00 03 to 90 90 90 90 90 90 90 (or dword ptr [rdi+0DCh], 3 -> nop)
    If you want to compile storahci from sources (from Windows 8 DDK Samples), comment out two lines:
        ConfigInfo->BusResetHoldTime = 0;
        ConfigInfo->FeatureSupport |= STOR_ADAPTER_FEATURE_STOP_UNIT_DURING_POWER_DOWN;
4) In storahci.sys change security_cookie to random value
5) Recalc checksum

Windows 7's MSAHCI driver for Windows XP x32

1) Get files from Windows 7 Updates (KB3125574):
    atapi.sys v 6.1.7600.23403
    ataport.sys v 6.1.7600.23403
    msahci.sys v 6.1.7600.23403
    pciidex.sys v 6.1.7600.23403
2) In ataport.sys, pciidex.sys replace string ntoskrnl.exe to ntoskrn8.sys in import section
3) Pciidex.sys uses the MS Internal/Undocumented HalDispatchTable way to call functions from Kernel/HAL, for Windows XP/2003 need to use a compatible variant:
    x32:
    Replace hex pattern FF 50 3C to FF 50 40
    same in asm code:
        mov eax, ds:HalDispatchTable
        ...
        call dword ptr [eax+3Ch] => call dword ptr [eax+40h]
    x64:
    Replace hex pattern FF 50 78 to EB 2A 90
    Replace hex pattern at offset +2Ch: CC CC CC CC CC CC CC CC to FF 90 80 00 00 00 EB CF,
    same in asm code:
        mov rax, cs:HalDispatchTable
        ...
        call qword ptr [rax+78h] => jmp patch
        orig:
        mov r10d, eax
        patch:
        call qword ptr [rax+80h]
        jmp orig
4) Recalc checksum
5) MSHDC.INF from Windows 7 conflicts with the original mshdc.inf from Windows XP/2003. msahci.sys enumerates IDE/SATA channels as "Internal_IDE_Channel" and the compatible ID is "*PNP0600".
Original mshdc.inf from Windows XP/2003 for compatible Device ID "*PNP0600" will install the wrong "Standard IDE/ESDI Hard Disk Controller" driver

Intel RSTe (Enterprise/Premium) AHCI/RAID driver 4.7.0.1098 for Windows XP/2003
Intel RST AHCI/RAID drivers (any version, last compatible is 16.8.3) for Windows XP/2003

These drivers require storport.sys from Windows 7, use the backported version.
1) In file iaStorA.sys/iaStorAC.sys/iaStorAVC.sys replace string “ntoskrnl.exe” to “ntoskrn8.sys” in import section (do not change second string “NTOSKRNL.exe”), now these *.sys will import kernel functions only from Emu_Extender
3) Recalc checksum

Implemented Func List v60:

_chkstk _i64toa_s _i64tow_s _itoa_s _itow_s _ltoa_s _ltow_s _makepath_s _snprintf_s _snscanf_s _snwprintf_s _snwscanf_s _splitpath_s _strnset_s _strset_s _strtoui64 _swprintf _ui64toa_s _ui64tow_s _ultoa_s _ultow_s _vsnprintf_s _vsnwprintf_s _vswprintf _wcsnset_s _wcsset_s _wmakepath_s _wsplitpath_s _wtoi _wtol DbgkLkmdRegisterCallback EmClientQueryRuleState EtwActivityIdControl EtwEventEnabled EtwProviderEnabled EtwRegister EtwRegisterClassicProvider EtwUnregister EtwWrite EtwWriteString EtwWriteTransfer ExAcquireRundownProtectionCacheAware ExAcquireRundownProtectionCacheAwareEx ExAllocateCacheAwareRundownProtection ExDeleteLookasideListEx ExEnterCriticalRegionAndAcquireFastMutexUnsafe ExEnterCriticalRegionAndAcquireResourceExclusive ExEnterCriticalRegionAndAcquireResourceShared ExEnterPriorityRegionAndAcquireResourceExclusive ExEnterPriorityRegionAndAcquireResourceShared ExFreeCacheAwareRundownProtection ExfReleasePushLockShared ExfTryToWakePushLock ExGetFirmwareEnvironmentVariable ExInitializeLookasideListEx ExInitializeRundownProtectionCacheAware ExReInitializeRundownProtectionCacheAware ExReleaseFastMutexUnsafeAndLeaveCriticalRegion ExReleaseResourceAndLeaveCriticalRegion ExReleaseResourceAndLeavePriorityRegion ExReleaseRundownProtectionCacheAware ExReleaseRundownProtectionCacheAwareEx
ExRundownCompletedCacheAware ExSetFirmwareEnvironmentVariable ExSizeOfRundownProtectionCacheAware ExWaitForRundownProtectionReleaseCacheAware IoAllocateSfioStreamIdentifier IoConnectInterruptEx IoDisconnectInterruptEx IoFreeSfioStreamIdentifier IoGetActivityIdIrp IoGetAffinityInterrupt IoGetDevicePropertyData IoGetIoPriorityHint IoGetSfioStreamIdentifier IoInitializeWorkItem IoQueueWorkItemEx IoSetActivityIdIrp IoSetDevicePropertyData IoSizeofWorkItem IoUninitializeWorkItem IoUnregisterPlugPlayNotificationEx KdRefreshDebuggerNotPresent KeAcquireGuardedMutex KeAcquireGuardedMutexUnsafe KeAlertThread KeAreAllApcsDisabled KeEnterGuardedRegion KeExpandKernelStackAndCallout KeGetCurrentNodeNumber KeGetCurrentProcessorNumberEx KeGetProcessorIndexFromNumber KeGetProcessorNumberFromIndex KeInitializeGuardedMutex KeInvalidateAllCaches KeInvalidateRangeAllCaches KeLeaveGuardedRegion KeQueryActiveGroupCount KeQueryActiveProcessorCount KeQueryActiveProcessorCountEx KeQueryDpcWatchdogInformation KeQueryGroupAffinity KeQueryHighestNodeNumber KeQueryLogicalProcessorRelationship KeQueryMaximumGroupCount KeQueryMaximumProcessorCount KeQueryMaximumProcessorCountEx KeQueryNodeActiveAffinity KeReleaseGuardedMutex KeReleaseGuardedMutexUnsafe KeRevertToUserAffinityThreadEx KeRevertToUserGroupAffinityThread KeSetActualBasePriorityThread KeSetCoalescableTimer KeSetSystemAffinityThreadEx KeSetSystemGroupAffinityThread KeSetTargetProcessorDpcEx KeTestAlertThread KeTryToAcquireGuardedMutex LdrResFindResource LdrResFindResourceDirectory LpcReplyWaitReplyPort LpcRequestWaitReplyPortEx LpcSendWaitReceivePort memcpy_s memmove_s MmAllocateContiguousMemorySpecifyCacheNode MmAllocateContiguousNodeMemory ObDeleteCapturedInsertInfo ObfDereferenceObjectWithTag ObfReferenceObjectWithTag ObGetObjectType ObQueryNameInfo PcwAddInstance PcwCloseInstance PcwCreateInstance PcwRegister PcwUnregister PoDisableSleepStates PoEndDeviceBusy PoGetSystemWake PoReenableSleepStates PoRegisterPowerSettingCallback 
PoSetDeviceBusyEx PoSetSystemWake PoStartDeviceBusy PoUnregisterPowerSettingCallback PoUserShutdownInitiated PsAcquireProcessExitSynchronization PsEnterPriorityRegion PsGetCurrentProcessWin32Process PsGetCurrentThreadProcess PsGetCurrentThreadProcessId PsGetCurrentThreadTeb PsGetCurrentThreadWin32Thread PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion PsGetProcessSessionIdEx PsIsProtectedProcess PsIsSystemProcess PsLeavePriorityRegion PsReleaseProcessExitSynchronization PsSetCreateProcessNotifyRoutineEx RtlCheckPortableOperatingSystem RtlGetIntegerAtom RtlGetThreadLangIdByIndex RtlIsNtDdiVersionAvailable RtlQueryElevationFlags RtlQueryRegistryValuesEx RtlSetPortableOperatingSystem SeReportSecurityEventWithSubCategory SeSetAuditParameter SeSetAuthorizationCallbacks sprintf_s sscanf_s strcat_s strcpy_s strncat_s strncpy_s strnlen strtok_s swprintf_s swscanf_s vsprintf_s vswprintf_s wcscat_s wcscpy_s wcsncat_s wcsncpy_s wcsnlen wcstoul ZwAllocateLocallyUniqueId ZwAlpcConnectPort ZwAlpcSendWaitReceivePort ZwQueryLicenseValue ZwQueryVirtualMemory

Download Sources: https://github.com/MovAX0xDEAD/NTOSKRNL_Emu

Edited March 30, 2022 by Mov AX, 0xDEAD
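
The two file edits that recur in the post above, replacing the first match of the default security_cookie pattern and recalculating the PE checksum, as an added Python example that is not part of the thread or of the NTOSKRNL_Emu project. It assumes the post's 0x4EE640BB is the byte sequence as seen in a hex view of the file (the MSVC x32 default cookie 0xBB40E64E stored little-endian); the function names and the sample image are constructed for illustration.

```python
import secrets
import struct

# Assumption: the post's x32 constant 0x4EE640BB is written in file byte order.
DEFAULT_COOKIE_X32 = bytes.fromhex("4EE640BB")


def checksum_field_offset(image):
    """File offset of OptionalHeader.CheckSum (identical for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64  # signature + COFF header + field offset


def pe_checksum(image):
    """Sum 16-bit words with CheckSum treated as zero, fold, add file length."""
    off = checksum_field_offset(image)
    data = bytearray(image)
    data[off:off + 4] = b"\0\0\0\0"
    if len(data) % 2:
        data.append(0)
    total = sum(struct.unpack_from(f"<{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF


def replace_cookie_and_fix_checksum(image, new_cookie=None):
    """Replace only the first default-cookie match, then rewrite CheckSum."""
    pos = image.find(DEFAULT_COOKIE_X32)
    if pos < 0:
        raise ValueError("default cookie pattern not present")
    while new_cookie is None or new_cookie == DEFAULT_COOKIE_X32:
        new_cookie = secrets.token_bytes(4)
    if len(new_cookie) != 4:
        raise ValueError("cookie must be 4 bytes")
    patched = bytearray(image)
    patched[pos:pos + 4] = new_cookie
    off = checksum_field_offset(patched)
    struct.pack_into("<I", patched, off, pe_checksum(patched))
    return bytes(patched)


def build_sample_image():
    """Constructed 512-byte stand-in for a driver: bare headers, two matches."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x180:0x184] = DEFAULT_COOKIE_X32     # first match: gets replaced
    img[0x190:0x194] = DEFAULT_COOKIE_X32     # second match: must stay
    return bytes(img)
```

The header checksum only covers the file bytes; any such edit also leaves an embedded Authenticode signature no longer matching the file.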

genieautravail
Posted June 18, 2020 (edited)

Nice, but do you have download links for already compiled drivers? And how to install all these drivers on an already existing XP system? I understand the purpose of the NVME or USB 3.0 drivers, but what is the purpose of the WDF and storport.sys drivers?

Edited June 18, 2020 by genieautravail (Correction)

greenhillmaniac
Posted June 19, 2020

12 hours ago, genieautravail said:
> Nice, but do you have download links for already compiled drivers?

As you can guess, there could be some legal trouble in sharing modified MS driver files, so having instructions on how to do it is the best way.

12 hours ago, genieautravail said:
> I understand the purpose of the NVME or USB 3.0 drivers, but what is the purpose of the WDF and storport.sys drivers?

WDF = Windows Driver Foundation has functions that allow newer drivers to work properly. WDF 1.11 was released with Windows 8.0 and as an update for Vista and 7. storport is a storage related driver that allows the generic AHCI drivers and NVMe to work.

genieautravail
Posted June 20, 2020 (edited)

OK, I understand much better now. Is it useful to install the NTOSKRNL Emu_Extender and storport.sys without modded AHCI drivers on an already existing XP system?

Edited June 20, 2020 by genieautravail

TrevMUN
Posted June 26, 2020

This is AMAZING! I should give this a try on my XP32 laptop and see what she can do. Out of curiosity, how difficult would it be to create a version of this for XP64? Is it just a matter of compiling a certain way?

win32
Posted June 26, 2020

5 minutes ago, TrevMUN said:
> Out of curiosity, how difficult would it be to create a version of this for XP64? Is it just a matter of compiling a certain way?

It successfully compiled in the Vista x64 build environment so it wouldn't hurt to try in the XP/2003 x64 one.

burd
Posted July 7, 2020 (edited)

Where can one find Vista Beta/Longhorn 5456.5's ksecdd.sys? It doesn't seem to work on Vista with 6003's ksecdd.sys for W8's USB 3.0. And where exactly is the "security_cookie"?

Edited July 7, 2020 by burd

Ximonite
Posted July 7, 2020

22 hours ago, burd said:
> Where can one find Vista Beta/Longhorn 5456.5's ksecdd.sys? It doesn't seem to work on Vista with 6003's ksecdd.sys for W8's USB 3.0. And where exactly is the "security_cookie"?

Longhorn build 5456.5 is on WinWorld.

burd
Posted July 7, 2020

2 minutes ago, Ximonite said:
> Longhorn build 5456.5 is on WinWorld.

Thanks

Mov AX, 0xDEAD (Author)
Posted July 11, 2020

On 7/7/2020 at 5:06 AM, burd said:
> Where can one find Vista Beta/Longhorn 5456.5's ksecdd.sys? It doesn't seem to work on Vista with 6003's ksecdd.sys for W8's USB 3.0. And where exactly is the "security_cookie"?

security_cookie is constant 0x4EE640BB inside file

burd
Posted July 11, 2020

3 hours ago, Mov AX, 0xDEAD said:
> security_cookie is constant 0x4EE640BB inside file

Well, I can't find it, I'm using CFF Explorer

xrayer
Posted August 13, 2020 (edited)

Cool, is there a plan also for an extender of the userspace API (some KernelEx resurrection for NT with e.g. the help of the WINE codebase)? If I remember, I saw some attempts but nothing alive...

Edited August 13, 2020 by xrayer

Hunterw
Posted January 3, 2021

On 6/19/2020 at 6:45 AM, greenhillmaniac said:
> As you can guess, there could be some legal trouble in sharing modified MS driver files, so having instructions on how to do it is the best way.

As it stands the instructions are such a huge pain to implement, and no substantive indication of what may be enabled by doing it. And no GetNumaModeProcessorMaskEx