
KernelXE - My Unofficial Windows 2000 Kernel



I have a big request. Please update these DLLs to port ADMINTOOLS from 2k3 to the 2k SERVER version

DCPROMO.EXE (Active Directory) ;) :)
 NETAPI32:
  DsRoleIfmHandleFree
  NetValidatePasswordPolicy
  DsRoleGetDatabaseFacts

ADPROP.DLL
 advapi32:
  LsaQueryForestTrustInformation
  LsaSetForestTrustInformation
 netapi32:
  DsMergeForestTrustInformationW
  DsGetForestTrustInformationW
 dsprop:
  ADsPropShowErrorDialog
  ADsPropSendErrorMessage
  ADsPropSetHwndWithTitle
  FindSheet
 
CERTADM.DLL
 CERTCLI: ORDINALS 249, 251, 254, 256, 260
 
CERTMMC.DLL
 CERTCLI: ORDINALS 247, 253, 254, 255, 256, 260
 
CERTPDEF.DLL
 CERTCLI: ORDINALS 253, 256, 260
  CACertTypeQuery
  CACertTypeUnregisterQuery
  CACertTypeRegisterQuery
  CAGetCertTypeFlagsEx
  CAGetCertTypePropertyEx
 
CERTREQ.EXE
 CERTCLI: ORDINALS 256, 260
  CAGetCertTypePropertyEx

CERTTMPL.DLL
 CERTCLI:
  CAIsCertTypeCurrent
  CAOIDFreeProperty
  CAInstallDefaultCertType
  CAOIDGetProperty
  CAOIDAdd
  CAOIDSetProperty
  CASetCertTypeFlagsEx
  CAGetCertTypePropertyEx
  CASetCertTypePropertyEx
  CAGetCertTypeFlagsEx
  CACloneCertType
  CAOIDDelete
  CAOIDCreateNew
 
DNSMGR.DLL
 dnsapi:
  DnsQueryConfigAllocEx
 
DSADMIN.DLL
 ADVAPI32:
  ConvertStringSDToSDDomainW
 
MPRSNAP.DLL
 MPRAPI:
  MprAdminServerGetCredentials
  MprAdminServerSetCredentials
 
NTDSBSRV.DLL
 NTDSA:
  DBDsReplBackupUpdate
  THGetErrorString
  DBUpdateBackupTimeStamps
 
WINSMON.DLL
 NETSH.EXE:
  RegisterContext
  MatchToken
  RegisterHelper
  PrintMessageFromModule
  MatchCmdLine

 

Edited by piotrhn

8 hours ago, piotrhn said:


I will keep this in mind, but I want to spend all my time on kernel32 right now, since I need to fix CreateActCtxW, which is an important function that lots of programs use.

I also want to figure out the error messages generated when trying to open CFF Explorer and Dependency Walker.

When using IDA 5.0, I found the errors they generated.

CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)

34 minutes ago, Ximonite said:

I also want to figure out the error messages generated when trying to open CFF Explorer and Dependency Walker.

When using IDA 5.0, I found the errors they generated.

CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)

When that dialog appears, dump files are erratically written. You can view them in Dr Watson (drwtsn32.exe). They can be helpful, but in this case they're just as useless as those.

As we have no idea what is causing these issues based on dumps and dialogs, we can use local redirection to help us. Go to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and delete most entries (except for the DllDirectory one, or else you will get a BSOD on bootup), including the one for kernel32. Reboot, then copy the stable kernel32 to the CFF Explorer folder and make a file named CFF Explorer.exe.local, so you will be able to use it.

Then find a known broken program, copy the unstable kernel32 to its folder and do the .local thingy again. Comment out its calls in the same way using CFF or a similar utility until you can get it to launch again.

I've had this red herring crash problem before. Chromium 73+ was shown to have crashed on an import call to RtlOemUnicodeString or something like that on Vista originally, but it turned out to be a few incorrect call near ptrs (those can only be done if calling a routine within the same section, when they were indeed calling routines in other sections).

Edited by win32
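The loader rule that win32's procedure depends on, modelled in Python as an added example (not part of the post or of KernelXE): a DLL listed under KnownDLLs is always mapped from the system copy, which is why kernel32 has to leave that key before a `CFF Explorer.exe.local` file can pull in the copy sitting beside the exe. The directory contents and the KnownDLLs set below are constructed, and manifests/SxS are ignored.

```python
"""Model of DLL redirection via <exe>.local versus KnownDLLs.
Constructed example, not KernelXE code. Assumed rules, following Microsoft's
documented DLL-redirection behaviour:
  1. a DLL named under KnownDLLs is always mapped from the system copy;
  2. otherwise, if <exe>.local exists beside the exe and the exe's directory
     holds the DLL, that copy wins even when the caller passed a full path;
  3. otherwise a full path is honoured and a bare name follows the normal
     search order (application directory, then system directory)."""
import posixpath as pp   # forward-slash paths so the model runs on any OS

SYSTEM_DIR = "C:/WINNT/system32"   # constructed system directory


def resolve_dll(request, exe_path, dir_listing, known_dlls):
    """Return (resolved_path, reason) for one DLL request.
    dir_listing maps a directory to the set of file names in it;
    known_dlls is the set of names from the KnownDLLs registry key."""
    name = pp.basename(request).lower()
    app_dir = pp.dirname(exe_path)
    app_files = {f.lower() for f in dir_listing.get(app_dir, ())}
    if name in {k.lower() for k in known_dlls}:
        return pp.join(SYSTEM_DIR, name), "KnownDLLs entry: system copy, never redirected"
    has_local = (pp.basename(exe_path) + ".local").lower() in app_files
    if has_local and name in app_files:
        return pp.join(app_dir, name), ".local present: application copy wins"
    if "/" in request:
        return request, "full path honoured (no .local redirection)"
    if name in app_files:
        return pp.join(app_dir, name), "search order: application directory first"
    return pp.join(SYSTEM_DIR, name), "search order: system directory"


def audit_dot_local(dir_listing):
    """Defender view: list every *.exe.local file in the given directories.
    Such files are unusual outside deliberate compatibility shims, so an
    unexpected one next to a program is worth a look."""
    hits = []
    for d, files in dir_listing.items():
        for f in files:
            if f.lower().endswith(".exe.local"):
                hits.append(pp.join(d, f))
    return sorted(hits)


# Constructed scenario: the stable kernel32 copied beside CFF Explorer
# together with its .local file, as win32 describes.
LISTING = {
    "C:/Tools/CFF": {"CFF Explorer.exe", "CFF Explorer.exe.local", "kernel32.dll"},
    "C:/Tools/Other": {"depends.exe", "kernel32.dll"},
}
EXE = "C:/Tools/CFF/CFF Explorer.exe"

if __name__ == "__main__":
    for known in ({"kernel32.dll", "ntdll.dll"}, {"ntdll.dll"}):
        print("KnownDLLs =", sorted(known))
        print("  kernel32.dll ->", resolve_dll("kernel32.dll", EXE, LISTING, known))
    print("audit:", audit_dot_local(LISTING))
```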
22 hours ago, win32 said:


I used your advice and discovered what could be the problem.

I found that GetSystemInfo and QueryPerformanceCounter are called by functions in a different section in my kernel32, but not in BlackWingCat's kernel32, and every program that crashes calls these functions.

I tried moving GetSystemInfo to .patch and QueryUnbiasedInterruptTime to .text to see if that fixes the issue, and now some new programs generate these errors. One of them happens to be winlogon.exe.

Then, I found an empty area in .text so I put everything that calls GetSystemInfo in this blank space. This fixed the winlogon.exe error, but not the original errors with Dependency Walker and CFF Explorer.

Edited by Ximonite
On 11/18/2020 at 4:58 AM, Ximonite said:

CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)

Hi,

Seems you messed up the arguments/stack at return: "ret x" must take the return address to the parent, but it takes a random argument from the stack and jumps to it :)


Status Update:

I am mostly ready to release Beta 3 of KernelXE. Here is what I have done so far:

kernel32:
Removed "mov   edi, edi" from the beginning of some functions.

ntdll:
I reset development for ntdll and started from "scratch" (WildBill's ntdll).

Added exports for:
NtLockProductActivationKeys
RtlLogStackBackTrace
_swprintf

Added functions:
NtDeleteBootEntry
NtModifyBootEntry
NtAddBootEntry
NtEnumerateBootEntries
NtQueryBootEntryOrder
NtQueryBootOptions
NtSetBootEntryOrder
NtSetBootOptions
NtEnumerateSystemEnvironmentValuesEx
NtTranslateFilePath
NtQuerySystemEnvironmentValueEx
NtSetSystemEnvironmentValueEx
RtlDllShutdownInProgress
RtlInterlockedCompareExchange64
RtlInterlockedPushListSList
RtlIsCriticalSectionLockedByThread
RtlNewSecurityObjectWithMultipleInheritance
RtlGetLastNtStatus
RtlGetLastWin32Error
EtwEventRegister
EtwpCreateEtwThread
RtlRunOnceComplete
Nt/ZwReleaseKeyedEvent (Code redirection to ntoskrnl)
RtlInitializeConditionVariable
RtlInitializeSRWLock
RtlRunOnceInitialize
RtlWakeAllConditionVariable
RtlWakeConditionVariable
_CIcos
_CIlog
_CIsin
_CIsqrt
_alloca_probe_16
_alloca_probe_8

ntoskrnl:

Added functions:
Nt/ZwReleaseKeyedEvent (Not exported, added to KiServiceTable)
ExfAcquirePushLockExclusive
ExfAcquirePushLockShared
ExfReleasePushLock

Added exports for:
ObSetSecurityObjectByPointer
SeTokenObjectType
NtAssignProcessToJobObject
NtCreateJobObject
NtOpenJobObject
NtQueryFullAttributesFile
NtQueryInformationJobObject
NtQueryInformationThread
NtSetInformationJobObject
NtTerminateJobObject
ZwAssignProcessToJobObject
ZwCreateJobObject
ZwOpenJobObject
ZwQueryFullAttributesFile
ZwQueryInformationJobObject
ZwSetInformationJobObject
ZwTerminateJobObject
NtOpenThread

To-do before release:

kernel32:
Try a few things to maybe fix CreateActCtxW

ntkrnlmp, ntkrnlpa, ntkrpamp:
Everything done to ntoskrnl

Plans for future:

Fix Dependency Walker and CFF Explorer crashes (this one has been around since the original KernelXE and I still haven't figured out why they happen)
Add PAE through "/PAE" in boot.ini

Edited by Ximonite
2 hours ago, Ximonite said:


add to KERNEL32:
SetUserGeoID
EnumSystemGeoID

Edited by piotrhn

add to:

KERNEL32 (2k3 SP2 blackwingcat):
CheckNameLegalDOS8Dot3A
CheckNameLegalDOS8Dot3W
ConvertThreadToFiberEx
CreateJobSet
DebugActiveProcessStop
DebugBreakProcess
DebugSetProcessKillOnExit
EnumSystemFirmwareTables
FindFirstStreamW
FindNextStreamW
GetComPlusPackageInstallStatus
GetConsoleProcessList
GetConsoleSelectionInfo
GetLargePageMinimum
GetNLSVersion
GetProcessIdOfThread
GetProcessWorkingSetSizeEx
GetSystemFileCacheSize
GetSystemFirmwareTable
IsNLSDefinedString
IsTimeZoneRedirectionEnabled
NeedCurrentDirectoryForExePatchA
NeedCurrentDirectoryForExePatchW
ReOpenFile
SetComPlusPackageInstallStatus
SetEnvironmentStringsA
SetEnvironmentStringsW
SetFileCompletionNotificationModes
SetFileShortNameA
SetFileShortNameW
SetFileValidData
SetProcessWorkingSetSizeEx
SetSearchPathMode
SetSystemFileCacheSize
Wow64DisableWow64FsRedirection
Wow64EnableWow64FsRedirection
Wow64RevertWow64FsRedirection

NTDLL / NTOSKRNL (2k3 SP2 blackwingcat):

DbgQueryDebugFilterState
DbgSetDebugFilterState
DbgUiConvertStateChangeStructure
DbgUiDebugActiveProcess
DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin
DbgUiRemoteBreakin
DbgUiSetThreadDebugObject
DbgUiStopDebugging
ExpInterlockedPopEntrySListEnd
ExpInterlockedPopEntrySListFault
ExpInterlockedPopEntrySListResume
KiFastSystemCall
KiFastSystemCallRet
KiIntSystemCall
LdrFindResourceEx_U
LdrHotPatchRoutine
LdrOpenImageFileOptionsKey
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
NtAddDriverEntry
NtApphelpCacheControl
NtCompactKeys
NtCompressKey
NtCreateDebugObject
NtCreateJobSet
NtCreateKeyedEvent
NtCreateProcessEx
NtDebugActiveProcess
NtDebugContinue
NtDeleteDriverEntry
NtEnumerateDriverEntries
NtGetCurrentProcessorNumber
NtLoadKeyEx
NtLockRegistryKey
NtMakePermanentObject
NtModifyDriverEntry
NtOpenKeyedEvent
NtQueryDriverEntryOrder
NtQueryOpenSubKeysEx
NtQueryPortInformationProcess
NtReleaseKeyedEvent
NtRemoveProcessDebug
NtRenameKey
NtResumeProcess
NtSetDriverEntryOrder
NtSetEventBoostPriority
NtSetInformationDebugObject
NtSuspendProcess
NtUnloadKey2
NtUnloadKeyEx
NtWaitForDebugEvent
NtWaitForKeyedEvent
NtWaitForMultipleObjects32
RtlAcquirePrivilege
RtlAddVectoredContinueHandler
RtlAllocateActivationContextStack
RtlCaptureStackContext
RtlCheckProcessParameters
RtlComputeImportTableHash
RtlCopyMappedMemory
RtlCreateServiceSid
RtlCreateSystemVolumeInformationFolder
RtlDosPathNameToNtPathName_U_WithStatus
RtlDosPathNameToRelativeNtPathName_U
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlExitUserThread
RtlFindClearRuns
RtlFormatMessageEx
RtlFreeActivationContextStack
RtlGetCriticalSectionRecursionCount
RtlGetCurrentPeb
RtlGetCurrentProcessorNumber
RtlGetFullPathName_UstrEx
RtlGetNativeSystemInformation
RtlGetThreadErrorMode
RtlGetUnloadEventTrace
RtlImageNtHeaderEx
RtlInitAnsiStringEx
RtlInsertElementGenericTableFull
RtlInsertElementGenericTableFullAvl
RtlIsCriticalSectionLocked
RtlLookupElementGenericTableFull
RtlLookupElementGenericTableFullAvl
RtlMapSecurityErrorToNtStatus
RtlMultipleAllocateHeap
RtlMultipleFreeHeap
RtlQueueApcWow64Thread
RtlReleasePrivilege
RtlReleaseRelativeName
RtlRemoveVectoredContinueHandler
RtlSetEnvironmentStrings
RtlSetProcessIsCritical
RtlSetThreadErrorMode
RtlSetThreadIsCritical
RtlSetUnhandledExceptionFilter
RtlWow64EnableFsRedirection
RtlWow64EnableFsRedirectionEx
_vscwprintf
_wcstoui64
ZwAddBootEntry
ZwAddDriverEntry
ZwApphelpCacheControl
ZwCompactKeys
ZwCompareTokens
ZwCompressKey
ZwCreateDebugObject
ZwCreateJobSet
ZwCreateKeyedEvent
ZwCreateProcessEx
ZwDebugActiveProcess
ZwDebugContinue
ZwDeleteBootEntry
ZwDeleteDriverEntry
ZwEnumerateBootEntries
ZwEnumerateDriverEntries
ZwEnumerateSystemEnvironmentValuesEx
ZwGetCurrentProcessorNumber
ZwLoadKeyEx
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwMakePermanentObject
ZwModifyBootEntry
ZwModifyDriverEntry
ZwOpenKeyedEvent
ZwQueryBootEntryOrder
ZwQueryBootOptions
ZwQueryDriverEntryOrder
ZwQueryOpenSubKeysEx
ZwQueryPortInformationProcess
ZwQuerySystemEnvironmentValueEx
ZwReleaseKeyedEvent
ZwRemoveProcessDebug
ZwRenameKey
ZwResumeProcess
ZwSetBootEntryOrder
ZwSetBootOptions
ZwSetDriverEntryOrder
ZwSetEventBoostPriority
ZwSetInformationDebugObject
ZwSetSystemEnvironmentValueEx
ZwSuspendProcess
ZwTraceEvent
ZwTranslateFilePath
ZwUnloadKey2
ZwUnloadKeyEx
ZwWaitForDebugEvent
ZwWaitForKeyedEvent
ZwWaitForMultipleObjects32

Edited by piotrhn
ntdll/ntoskrnl
On 11/29/2020 at 10:48 AM, Ximonite said:

Plans for future:

Fix Dependency Walker and CFF Explorer crashes (this one has been around since the original KernelXE and I still haven't figured out why they happen)
Add PAE through "/PAE" in boot.ini

If I'm not mistaken, @Mov AX, 0xDEAD was addressing precisely those DepWalker and CFFExp issues, when he said:

On 11/20/2020 at 8:35 AM, Mov AX, 0xDEAD said:

Seems you messed up the arguments/stack at return: "ret x" must take the return address to the parent, but it takes a random argument from the stack and jumps to it :)

So, please, double-check the clean-ups at return time (= the value of x in the RET x instructions) in the functions/procedures you've added. :)

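The mismatch that Mov AX, 0xDEAD and dencorso point at, modelled in Python as an added example (not KernelXE code): it decodes the cleanup count of a function's trailing `ret`, compares it with what an stdcall prototype requires, and replays the stack to show how a too-small `ret x` leaves an argument where the caller's own `ret` expects its return address, which is how execution lands at 0x0 or 0x893. Function names, epilogue bytes and argument values are constructed.

```python
"""Why a wrong `ret imm16` crashes the caller at an address like 0x0 or 0x893.
Constructed example, not KernelXE code. Assumes x86 stdcall (the callee pops
its own arguments) and a caller that cleans nothing itself; the function
names, epilogue bytes and argument values below are hypothetical."""
import struct


def decode_ret_cleanup(epilogue: bytes) -> int:
    """Bytes a trailing `ret` removes after popping the return address:
    C3 = ret (0 bytes), C2 iw = ret imm16."""
    if epilogue.endswith(b"\xc3"):
        return 0
    if len(epilogue) >= 3 and epilogue[-3] == 0xC2:
        return struct.unpack_from("<H", epilogue, len(epilogue) - 2)[0]
    raise ValueError("epilogue does not end in a ret instruction")


def expected_stdcall_cleanup(arg_sizes) -> int:
    """stdcall pops every argument; each occupies a 4-byte-aligned slot."""
    return sum((s + 3) // 4 * 4 for s in arg_sizes)


def check_epilogue(name, arg_sizes, epilogue):
    """Compare the `ret x` a function really executes with its prototype."""
    want = expected_stdcall_cleanup(arg_sizes)
    got = decode_ret_cleanup(epilogue)
    return {"name": name, "expected": want, "actual": got, "ok": want == got}


def simulate_return(args, callee_cleanup, caller_ret=0x00401234, call_ret=0x00401000):
    """Stack model (top of stack = end of list). The caller pushes args and
    CALLs; the callee runs `ret callee_cleanup`; then the caller's own plain
    `ret` trusts [esp] to hold its return address. Returns (callee_eip,
    caller_eip); caller_eip is None if the callee popped past the caller's frame."""
    stack = [caller_ret]                  # pushed when the caller itself was called
    stack.extend(reversed(args))          # stdcall pushes arguments right to left
    stack.append(call_ret)                # pushed by CALL
    callee_eip = stack.pop()              # ret: pop EIP ...
    for _ in range(callee_cleanup // 4):  # ... then add imm16 to ESP
        if stack:
            stack.pop()
    caller_eip = stack.pop() if stack else None
    return callee_eip, caller_eip


if __name__ == "__main__":
    args = (0, 0x10, 0x893)   # e.g. a flags word, a size and a small handle value
    for cleanup in (12, 8):
        callee_eip, caller_eip = simulate_return(args, cleanup)
        print(f"callee ret {cleanup}: callee returns to {callee_eip:#x}, "
              f"caller then returns to {caller_eip:#x}")
    # hypothetical 3-argument stdcall routine whose epilogue is `pop ebp; ret 8`
    print(check_epilogue("HypotheticalProc3", [4, 4, 4], b"\x5d\xc2\x08\x00"))
```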
36 minutes ago, dencorso said:

If I'm not mistaken, @Mov AX, 0xDEAD was addressing precisely those DepWalker and CFFExp issues, when he said:

So, please, double-check the clean-ups at return time (= the value of x at the RET x instructions), on the functions/procedures you've added. :)

I am currently checking to see if this is the issue, which I have a feeling it is, since this sounds like something that could cause these kinds of issues. In my other post, I am just saying that I haven't confirmed anything as definitely causing the issue.

Edited by Ximonite

PAE Update:

I have decided that I will add PAE support to KernelXE v0.2.3 instead of saving it for v0.2.4. This means the expected release of KernelXE will be pushed back, but I think PAE is worth the wait.

Here is some decompiled code for one of the modifications I have already made to try to add PAE support:

Original:

    LessThan16Mb = 1;
    for ( i = *(_UNICODE_STRING **)&RegistryPath[1].Length;
          i != &RegistryPath[1];
          i = *(_UNICODE_STRING **)&i->Length )
    {
      v10 = *(_DWORD *)&i[1].Length;
      if ( v10 != 6 && v10 != 22 && (unsigned int)i[1].Buffer + *(_DWORD *)&i[2].Length > 0x1000 )
      {
        LessThan16Mb = 0;
        break;
      }
    }
    dword_8001A4E4 = 0x40;
    v11 = 0x10000;
    v12 = HalpAllocPhysicalMemory(RegistryPath, 0x1000000, 0x10, 1);
    if ( !v12 )
      v11 = 0;
    PhysicalAddress.QuadPart = v12;
    dword_8001A4F4 = 0;
    NumberOfBytes = v11;
    if ( MEMORY[0xFFDF027D] )
    {
      dword_8001A504 = 0x4000;
      v13 = 0x30000;
      v14 = HalpAllocPhysicalMemory(RegistryPath, 0xFFFFFFFF, 0x30, 1);
      if ( !v14 )
        v13 = 0;
      dword_8001A510 = v14;
      dword_8001A514 = 0;
      dword_8001A508 = v13;
    }
    HalpCallbackRecord.State = 0;
    KeRegisterBugCheckCallback(&HalpCallbackRecord, HalpBugCheckCallback, 0, 0, "ACPI 1.0 - APIC platform MP");
  }
  result = HalpInitMP(DriverObject, RegistryPath);
  if ( DriverObject == (PDRIVER_OBJECT)1 )
    result = HalpEnableNMI();
  LOBYTE(result) = 1;
  return result;
}

Modified:

    LessThan16Mb = 1;
    for ( i = *(_UNICODE_STRING **)&RegistryPath[1].Length;
          i != &RegistryPath[1];
          i = *(_UNICODE_STRING **)&i->Length )
    {
      v10 = *(_DWORD *)&i[1].Length;
      if ( v10 != 6 && v10 != 22 && (unsigned int)i[1].Buffer + *(_DWORD *)&i[2].Length > 0x1000 )
      {
        LessThan16Mb = 0;
        break;
      }
    }
    dword_8001A4E4 = 0x4000;
    v11 = 0x30000;
    v12 = HalpAllocPhysicalMemory(RegistryPath, 0xFFFFFFFF, 0x30, 1);
    if ( !v12 )
      v11 = 0;
    PhysicalAddress.QuadPart = v12;
    dword_8001A4F4 = 0;
    NumberOfBytes = v11;
    HalpCallbackRecord.State = 0;
    KeRegisterBugCheckCallback(&HalpCallbackRecord, HalpBugCheckCallback, 0, 0, "ACPI 1.0 - APIC platform MP");
  }
  result = HalpInitMP(DriverObject, RegistryPath);
  if ( DriverObject == (PDRIVER_OBJECT)1 )
    result = HalpEnableNMI();
  LOBYTE(result) = 1;
  return result;
}

 


Hello sir, if in the future you want to introduce the UMDF feature in Windows 2000, here is the link for the UMDF 1.0 file: https://mega.nz/file/Y581BIqK#rHuL93SAeQ-5iURYBj3iwB-aynhN_JdmXx7j_zDrgH8

You can also find it with Windows Media Player 11. Be careful when trying it, because it immediately causes a BSoD for unknown reasons.

5 hours ago, windows2 said:

Hello sir, if in the future you want to introduce the UMDF feature in Windows 2000, here is the link for the UMDF 1.0 file: https://mega.nz/file/Y581BIqK#rHuL93SAeQ-5iURYBj3iwB-aynhN_JdmXx7j_zDrgH8

You can also find it with Windows Media Player 11. Be careful when trying it, because it immediately causes a BSoD for unknown reasons.

I have already looked at what functions it needs and there were only a few missing in ntoskrnl. I also noticed that it requires WinUSB. Both of these will be added to KernelXE when they are confirmed working.

12 hours ago, Ximonite said:

I have already looked at what functions it needs and there were only a few missing in ntoskrnl. I also noticed that it requires WinUSB. Both of these will be added to KernelXE when they are confirmed working.

Thank you sir.

Regarding WinUSB, I found that (BWC) modified it this year. See this link http://blog.livedoor.jp/blackwingcat/archives/1996953.html

The changes he made:
Improvements to the WinUSB 1.0 installer included in WinUSBCoInstaller.dll
Improvements to the WinUSB 2.0 installer included in WinUSBCoInstaller2.dll

Here is the update link: http://win2k.org/wlu/wluen.htm (Update for Windows 2000 WinUSB 2.0(v3a))

On 11/4/2020 at 11:45 PM, Ximonite said:

The big issue is that ntdll and kernel32 cannot be mixed, forcing people to choose between a better kernel32 or a better ntdll. The main goal of KernelXE is to eliminate this issue.

Downloads:

KernelXE v0.2.3

WildBill Update Collection

XMNTCert

Hi sir, now can I confuse the BlackWingCat Extended Kernel with KernelXE v0.2.3? Or do I have to reinstall Windows 2000 again? Because I have the BlackWingCat Extended Kernel installed.
