NTOSKRNL Emu_Extender for Windows XP/2003


Microsoft released the source code of Windows XP/2003.

Having the source code gives a big advantage in speed: analysis is faster, understanding is quicker, code can be copy-pasted, and assembly analysis is greatly reduced.

The source code release from Microsoft was for students but then quickly went viral and public.

I do not really understand why the Vista code doesn't get released; students have to work with the old code of XP.

Vista would be old too, but at least some code could be made use of, so why not? It would be possible for Microsoft to do that.


The Windows 2000 vs Windows XP situation rather resembles the fight between Vista and Windows 7,

with one difference: Win 2000 didn't have bad things so directly.

So you could use Vista instead of 7; that could be done, but I would rather use Windows 7 over Vista.

Many used Windows 98 SE because when Windows NT appeared a lot of compatibility was lost and a lot of older apps didn't work anymore.


In other directions, to have some fun with modding or code or creating coding stuff, you could choose any of the operating systems.

 



Posted (edited)
On 3/3/2022 at 1:12 AM, Club Sportif Sfaxien 1912 said:

Why was Windows 2000 not included in the update ?

First made for XP only, then added W2003, at the end added XP/W2003 x64 and a little Vista/W7 support. I just didn't have the motivation to support W2000; too many similar systems - W2000/XP/W2003...

Edited by Mov AX, 0xDEAD

@Mov AX, 0xDEAD

If not 2000 then ME?

I think Windows 2000 and Windows ME are on par to each other in terms of WDM driver model support. As in Windows ME's NTKERN.VXD has the same functionality implemented as 2000, unless I'm mistaken.

I think it'd be cool to have storport/ahci/nvme and usb3 support in ME.

But then I doubt you're that interested in supporting any of Windows 9x/ME


1 hour ago, Damnation said:

@Mov AX, 0xDEAD

If not 2000 then ME?
...

I think supporting 2000 would be better because 2000/XP is much better than ME/9x in terms of compatibility with hardware and software :)


On 3/20/2022 at 12:03 PM, Damnation said:

@Mov AX, 0xDEAD

If not 2000 then ME?
...

It is impossible to run WDF 1.11 in Windows 98 and Me, so it would be impossible for this extender to work in them. Maybe it works in 2000 because it's similar to XP and 2003.

WinWord2000 Thanks everyone!


  • Mov AX, 0xDEAD changed the title to NTOSKRNL Emu_Extender for Windows XP/2003
  • 1 month later...

@Mov AX, 0xDEAD

I just compiled with a Windows 7 x64 target and after that I modded the driver to fix missing exports using ntoskrn8.sys. After using it a new missing export appeared.

In ntoskrnl_edirects.h I have added this line under the Windows 7 x86/x64 exports:

bypass(EtwSetInformation)

Now it's compiled again and there are no missing exports for my driver test.


Posted (edited)

Well, 2000 is more of an artifact that boots until it dies. I'm more interested in (bit OT) W10 stuff, replacing the window manager or recompiling a UI as an app. Drivers can hopefully still be forced unsigned. Unfortunately HW support is the issue.

DLL stuff was easy to solve with fake stubs and/or even replacing the IAT of unsupported calls, often with something similar. Just HiDPI is awful...

Edited by jmeno

Posted (edited)

@Mov AX, 0xDEAD I have checked Windows 7 ntoskrnl.exe v6.1.7601.25920 (win7sp1_ldr_escrow.220316-1740) exports vs the compiled ntoskrn8.sys.

This is the full list of missing kernel functions that need to be bypassed.

x64 missing:
EtwSetInformation
FsRtlPrepareToReuseEcp
FsRtlRegisterUncProviderEx2
IoEnumerateRegisteredFiltersListEx
IoRegisterFsRegistrationChangeMountAwareEx
KeConnectInterruptForHal
KeFlushCurrentTbImmediately
PsDereferenceKernelStack
PsReferenceKernelStack
RtlIsSandboxedToken
SeGetLogonSessionToken

x86 missing:
EtwSetInformation
FsRtlPrepareToReuseEcp
FsRtlRegisterUncProviderEx2
IoEnumerateRegisteredFiltersListEx
IoRegisterFsRegistrationChangeMountAwareEx
KeConnectInterruptForHal
KiMcaExceptionHandlerWrapper
PsDereferenceKernelStack
PsReferenceKernelStack
RtlIsSandboxedToken
SeGetLogonSessionToken

Next I will check the Vista kernel exports to see if there are some forgotten exports too.

Edited by George King
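The comparison in the post above (names a given ntoskrnl.exe build exports that the compiled ntoskrn8.sys does not provide) can be automated. The script below is an added example, not code from the original post or from the Emu_Extender project. It walks the PE export directory of both images itself, handling PE32 (x86) and PE32+ (x64), so it needs no third-party module, and prints the names present in the kernel image but absent from the extender. The `build_test_image()` helper and the `missing_exports.py` file name are assumptions: the helper only constructs a minimal synthetic PE fixture so the script can be exercised offline and is not a real kernel. Because the export set differs from build to build, run it against the exact ntoskrnl.exe you target.

```python
"""Added example: list the named exports of one PE image that another lacks,
e.g. a target ntoskrnl.exe versus the compiled ntoskrn8.sys."""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0   # index of the export table in the data directories


def _sections(data, pe_off, opt_size, nsec):
    """(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section header."""
    base = pe_off + 24 + opt_size           # section table follows the optional header
    out = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, base + i * 40 + 8)
        out.append((va, vsize, raw, rawsize))
    return out


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def export_names(data):
    """Return the set of names in the export directory of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32  (x86 kernel): data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:        # PE32+ (x64 kernel): data directories at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    exp_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)[0]
    if exp_rva == 0:
        return set()                                         # image exports nothing
    secs = _sections(data, pe_off, opt_size, nsec)
    exp = _rva_to_offset(secs, exp_rva)
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames at +24, AddressOfNames at +32
    num_names, names_rva = struct.unpack_from("<I4xI", data, exp + 24)
    names_off = _rva_to_offset(secs, names_rva)
    names = set()
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        off = _rva_to_offset(secs, name_rva)
        names.add(data[off:data.index(b"\0", off)].decode("ascii"))
    return names


def missing_exports(kernel_image, extender_image):
    """Names the target kernel exports that the extender image does not, sorted."""
    return sorted(export_names(kernel_image) - export_names(extender_image))


def build_test_image(names, pe32plus):
    """Constructed fixture, not a real kernel: a minimal PE whose single section
    holds an export directory naming `names`. Enough header for export_names()."""
    sect_va, opt_size = 0x1000, (0xF0 if pe32plus else 0xE0)
    raw_off = 0x200                                  # section data file-aligned at 0x200
    arr_off = 40                                     # name RVA array follows the 40-byte directory
    str_off = arr_off + 4 * len(names)
    strs, name_rvas = b"", []
    for n in names:
        name_rvas.append(sect_va + str_off + len(strs))
        strs += n.encode("ascii") + b"\0"
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names),
                          0, sect_va + arr_off, 0)
    section = exp_dir + b"".join(struct.pack("<I", r) for r in name_rvas) + strs
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   1, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, 112 if pe32plus else 96, sect_va, len(section))
    sec_hdr = b".edata\0\0" + struct.pack("<IIII", len(section), sect_va,
                                          len(section), raw_off) + b"\0" * 16
    img = dos + coff + bytes(opt) + sec_hdr
    return img + b"\0" * (raw_off - len(img)) + section


if __name__ == "__main__":
    import sys
    # usage: python missing_exports.py <target ntoskrnl.exe> <compiled ntoskrn8.sys>
    with open(sys.argv[1], "rb") as k, open(sys.argv[2], "rb") as e:
        print("\n".join(missing_exports(k.read(), e.read())))
```

Only names are compared; an export that exists in both but with a different argument layout will not show up here, so the redirect table's argument sizes still have to be checked by hand.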

Posted (edited)

@Mov AX, 0xDEAD And here is the same check with Vista ntoskrnl.exe v6.0.6003.21442 (vistasp2_ldr_escrow.220307-1719) vs the compiled ntoskrn8.sys.

x64 missing:
FsRtlInitializeExtraCreateParameter
FsRtlInitializeExtraCreateParameterList
FsRtlPrepareToReuseEcp
FsRtlRegisterUncProviderEx2
IoRegisterFsRegistrationChangeMountAware
KeConnectInterruptForHal
KeFlushCurrentTbImmediately
PsDereferenceKernelStack
PsReferenceKernelStack
RtlIsSandboxedToken

x86 missing:
FsRtlInitializeExtraCreateParameter
FsRtlInitializeExtraCreateParameterList
FsRtlPrepareToReuseEcp
FsRtlRegisterUncProviderEx2
IoRegisterFsRegistrationChangeMountAware
KeConnectInterruptForHal
KiMcaExceptionHandlerWrapper
PsDereferenceKernelStack
PsReferenceKernelStack
RtlIsSandboxedToken

Should I create a merge request on the GitHub project?

Edited by George King

On 5/7/2022 at 9:23 PM, George King said:

@Mov AX, 0xDEAD I have checked Windows 7 ntoskrnl.exe v6.1.7601.25920 (win7sp1_ldr_escrow.220316-1740) exports vs the compiled ntoskrn8.sys.

This is the full list of missing kernel functions that need to be bypassed.
...

That's less than I thought. But it can lead to many other dependencies; I think x64 should get priority. Good work. I never used 8, so this idea didn't come to my mind.


  • 1 month later...

@Mov AX, 0xDEAD I have created a pull request on GitHub with the latest Vista / 7 kernel redirect changes.

Plus I have added a new missing function, IoSynchronousCallDriver, as it's needed to get the Windows 8.0 build 8056 Generic MMC / SD driver working under XP in future.

Edited by George King

  • 4 weeks later...
On 6/14/2022 at 11:42 PM, George King said:

@Mov AX, 0xDEAD I have created a pull request on GitHub with the latest Vista / 7 kernel redirect changes.

Plus I have added a new missing function, IoSynchronousCallDriver, as it's needed to get the Windows 8.0 build 8056 Generic MMC / SD driver working under XP in future.

@George King

IoSynchronousCallDriver is a fake; it works as the usual ASYNC IofCallDriver.

The right SYNC implementation, based on win8.1 decompiled code:

#include <ntddk.h>

/* Completion routine: signal the caller's event and stop completion here
   (STATUS_MORE_PROCESSING_REQUIRED), so the IRP stays owned by the caller
   and is neither freed nor completed further by the I/O manager. */
NTSTATUS
SmKmGenericCompletion(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp,
    PVOID Context)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Irp);

    KeSetEvent((PRKEVENT) Context, 0, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/* Synchronous IofCallDriver: pass the IRP down and, if the lower driver
   returns STATUS_PENDING, block on the event until the completion routine
   fires, then report the final status from the IRP. The wait has no timeout,
   so the caller must be at IRQL <= APC_LEVEL. */
NTSTATUS
IoSynchronousCallDriver_k8(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
    )
{
    PIO_STACK_LOCATION IrpSp;
    NTSTATUS Status;
    KEVENT Event;

    KeInitializeEvent(&Event, NotificationEvent, FALSE);
    IrpSp = IoGetNextIrpStackLocation(Irp);
    IrpSp->Context           = &Event;
    IrpSp->CompletionRoutine = (PIO_COMPLETION_ROUTINE) SmKmGenericCompletion;
    /* invoke the completion routine on every outcome */
    IrpSp->Control           = SL_INVOKE_ON_ERROR | SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_CANCEL; // 0xE0

    Status = IofCallDriver(DeviceObject, Irp);
    if (Status == STATUS_PENDING) {
        KeWaitForSingleObject(&Event, Suspended, KernelMode, FALSE, NULL);
        Status = Irp->IoStatus.Status;
    }

    return Status;
}

//         < Win8 x32/x64 Extender        //
#if (NTDDI_VERSION < NTDDI_WIN8)          //
...
k8_win8(    IoSynchronousCallDriver,            8)

#endif  // < Win8 x32/x64 Extender

 

 


On 5/8/2022 at 12:23 AM, George King said:

@Mov AX, 0xDEAD I have checked Windows 7 ntoskrnl.exe v6.1.7601.25920 (win7sp1_ldr_escrow.220316-1740) exports vs the compiled ntoskrn8.sys.

This is the full list of missing kernel functions that need to be bypassed.

x64 missing:
EtwSetInformation
FsRtlPrepareToReuseEcp
...

x86 missing:
EtwSetInformation
FsRtlPrepareToReuseEcp
...

@George King

I feel these functions aren't used in real drivers, so it is not necessary to add every new function from the updated kernel.


23 minutes ago, Mov AX, 0xDEAD said:

@George King

I feel these functions aren't used in real drivers, so it is not necessary to add every new function from the updated kernel.

I just tried to port sdbus.sys + sdstor.sys from Windows 8 build 8056 (the first true Generic SD/MMC driver) to Windows 7 and XP, and on Windows 7 these functions need to be added into the extender, otherwise there will be missing imports. Sadly, there are more functions needed to get it working properly on XP or 7.

 

These functions are needed for 8056. For RTM there are many more missing imports.

PoFxIdleComponent
IoSynchronousCallDriver
PoFxSetDeviceIdleTimeout
PoFxUnregisterDevice
PoFxStartDevicePowerManagement
PoUnregisterPowerSettingCallback
PoFxActivateComponent
KeLeaveGuardedRegion
KeEnterGuardedRegion
PoFxCompleteIdleCondition
PoFxCompleteIdleState
PoFxReportDevicePoweredOn
PoFxCompleteDevicePowerNotRequired
PoFxRegisterDevice
IoGetActivityIdIrp
RtlQueryRegistryValuesEx

 

It would be really nice if we could get this Generic SD/MMC driver working under XP and 7.

EDIT: I have only prepared a template for the code.

 

////////////////////////////////////////////
//         < Win8 x32/x64 Extender        //
#if (NTDDI_VERSION < NTDDI_WIN8)          //
// second column: total size of the stack arguments in bytes (x86 stdcall)
k8_win8(    ExGetFirmwareEnvironmentVariable,   20)
k8_win8(    ExSetFirmwareEnvironmentVariable,   20)
k8_win8(    IoGetActivityIdIrp,                 8)
k8_win8(    IoSetActivityIdIrp,                 8)
k8_win8(    MmAllocateContiguousNodeMemory,     36)
k8_win8(    RtlCheckPortableOperatingSystem,    4)
k8_win8(    RtlQueryRegistryValuesEx,           20)
k8_win8(    RtlSetPortableOperatingSystem,      4)
k8_win8(    IoSynchronousCallDriver,            8)
k8_win8(    PoFxRegisterDevice,                 12)
k8_win8(    PoFxUnregisterDevice,               4)
k8_win8(    PoFxSetComponentLatency,            16)
k8_win8(    PoFxSetComponentResidency,          16)
k8_win8(    PoFxStartDevicePowerManagement,     4)
k8_win8(    PoFxCompleteIdleState,              8)
k8_win8(    PoFxCompleteIdleCondition,          8)
k8_win8(    PoFxReportDevicePoweredOn,          4)
k8_win8(    PoFxCompleteDevicePowerNotRequired, 4)
k8_win8(    PoFxActivateComponent,              12)
k8_win8(    PoFxIdleComponent,                  12)
#endif  // < Win8 x32/x64 Extender

 

and 

	
/* Opaque here; the real PO_FX_DEVICE layout comes from the Win8 WDK headers. */
typedef struct _PO_FX_DEVICE PO_FX_DEVICE, *PPO_FX_DEVICE;
DECLARE_HANDLE(POHANDLE);

/* 8.0 8056 */
/* No-op stubs: they only satisfy the driver's imports. XP/7 have no PoFx
   runtime power framework to forward these calls to. */
NTSTATUS
PoFxRegisterDevice_k8 (
    PDEVICE_OBJECT Pdo,
    PPO_FX_DEVICE Device,
    POHANDLE *Handle
    )
{
    UNREFERENCED_PARAMETER(Pdo);
    UNREFERENCED_PARAMETER(Device);
    *Handle = NULL;     /* defined value for the caller to pass back to the other stubs */
    return STATUS_SUCCESS;
}

VOID
PoFxUnregisterDevice_k8 (
    POHANDLE Handle
    )
{
    UNREFERENCED_PARAMETER(Handle);
}

VOID
PoFxSetComponentLatency_k8 (
    POHANDLE Handle,
    ULONG Component,
    ULONGLONG Latency
    )
{
    UNREFERENCED_PARAMETER(Handle);
    UNREFERENCED_PARAMETER(Component);
    UNREFERENCED_PARAMETER(Latency);
}

VOID
PoFxSetComponentResidency_k8 (
    POHANDLE Handle,
    ULONG Component,
    ULONGLONG Residency
    )
{
    UNREFERENCED_PARAMETER(Handle);
    UNREFERENCED_PARAMETER(Component);
    UNREFERENCED_PARAMETER(Residency);
}

VOID
PoFxStartDevicePowerManagement_k8 (
    POHANDLE Handle
    )
{
    UNREFERENCED_PARAMETER(Handle);
}

VOID
PoFxCompleteIdleState_k8 (
    POHANDLE Handle,
    ULONG Component
    )
{
    UNREFERENCED_PARAMETER(Handle);
    UNREFERENCED_PARAMETER(Component);
}

VOID
PoFxCompleteIdleCondition_k8 (
    POHANDLE Handle,
    ULONG Component
    )
{
    UNREFERENCED_PARAMETER(Handle);
    UNREFERENCED_PARAMETER(Component);
}

VOID
PoFxReportDevicePoweredOn_k8 (
    POHANDLE Handle
    )
{
    UNREFERENCED_PARAMETER(Handle);
}

VOID
PoFxCompleteDevicePowerNotRequired_k8 (
    POHANDLE Handle
    )
{
    UNREFERENCED_PARAMETER(Handle);
}

VOID
PoFxActivateComponent_k8 (
    POHANDLE Handle,
    ULONG Component,
    ULONG Flags
    )
{
    UNREFERENCED_PARAMETER(Handle);
    UNREFERENCED_PARAMETER(Component);
    UNREFERENCED_PARAMETER(Flags);
}

VOID
PoFxIdleComponent_k8 (
    POHANDLE Handle,
    ULONG Component,
    ULONG Flags
    )
{
    UNREFERENCED_PARAMETER(Handle);
    UNREFERENCED_PARAMETER(Component);
    UNREFERENCED_PARAMETER(Flags);
}
Edited by George King

9 minutes ago, George King said:

I just tried to port sdbus.sys + sdstor.sys from Windows 8 build 8056 (the first true Generic SD/MMC driver) to Windows 7 and XP, and on Windows 7 these functions need to be added into the extender, otherwise there will be missing imports.

If a user still uses Win7 RTM/SP1 without the latest updates, that Win7 kernel doesn't have, for example, the new EtwSetInformation from your list; what is the point of redirecting a non-existent function? Dependency Walker will still show missed imports "driver->ntoskrn8->ntoskrnl.exe".
