Ximonite

KernelXE R2 Public Beta

Summary:

For a long time, there have been 2 choices for extended kernels and both of them have their exclusives that aren't present in the other extended kernel. WildBill's extended kernel has many exclusive ntdll functions, SxS support, and a few exclusive functions in other files. BlackWingCat's extended kernel has many exclusive kernel32 functions (and some in other files). The big issue is that ntdll and kernel32 cannot be mixed, forcing people to choose between a better kernel32 or a better ntdll. The main goal of KernelXE is to eliminate this issue.

The original KernelXE had lots of issues and needed lots of work, so I completely reset development and used the knowledge I gained to make a new and improved KernelXE, now called KernelXE R2.

Download:

KernelXE R2 Public Beta 2

Changelog:

Public Beta 1:
Initial Public Release

Public Beta 1 rv2:
Added relocations to kernel32 and ntdll (messed up other parts of file)

Public Beta 2:
Exported real CreateActCtxW as CreateActCtxB to prevent explorer.exe crashing.
Added CreateActCtxW stub to take care of programs that call it while fixing the real function.
Moved QueryUnbiasedInterruptTime, SetThreadStackGuarantee, K32EmptyWorkingSet, and GetNativeSystemInfo to .text
Added idndl.dll, normaliz.dll, and the nls files normaliz.dll uses to the update package.

Public Beta 3 W.I.P. functions:

ntdll:
RtlRunOnceBeginInitialize
RtlRunOnceComplete
RtlRunOnceExecuteOnce
RtlRunOnceInitialize/RtlInitializeConditionVariable/RtlInitializeSRWLock (all same code)

ntoskrnl:
(Nt/Zw)ReleaseKeyedEvent
ExfAcquirePushLockExclusive
ExfAcquirePushLockShared
ExfReleasePushLock

Public Beta 3/4 plans:

New functions:

kernel32:
Redirects to ntdll functions below

ntdll:
RtlAcquireSRWLockExclusive
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlReleaseSRWLockShared
RtlSleepConditionVariableCS
RtlSleepConditionVariableSRW
RtlTryAcquireSRWLockExclusive
RtlTryAcquireSRWLockShared
RtlWakeAllConditionVariable
RtlWakeConditionVariable

ntoskrnl:
NtWaitForKeyedEvent

Other:
Remove space fillers from functions (nop, mov   edi, edi) - wastes CPU clock cycles.
Add documentation to update package.

Other information:

Programs I use:

Relocation Section Editor - Only one that handles huge relocation tables like the one in ntoskrnl.
Executable | Source Code

Beyond Compare - Super useful and feature rich comparison tool. Paid software.
Home Page

CFF Explorer - Useful for editing headers.
Home Page

PEMaker - Good import and export table editor. Also expands sections.
Home Page

Information:

Expanding .patch in ntoskrnl:
Since .patch is not directly above .rsrc and .reloc, it cannot directly be expanded.
The only section in between is .skin, which is empty space used for boot skin data.
It can be expanded, then the header can be changed to make .patch bigger and .skin the original size.

Staying consistent when modifying all 4 ntos files:
Since there are 4 ntos files, any changes must be made 4 times, and it may be hard to remember everything done.
I write instructions for every modification I make as I do them, so I know exactly what I did. This also helps when writing documentation.

Edited by Ximonite
Added lots of stuff
  • Like 2
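
The header edit described under "Expanding .patch in ntoskrnl", as an added example that is not part of the original post or of KernelXE: it models the section table as plain records, shows why growing .patch in place collides with .skin, and then hands the space a tool added to .skin over to .patch. The addresses and sizes are constructed sample values rather than real ntoskrnl data, the function names are hypothetical, and the tool is assumed to shift .rsrc and .reloc itself.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Section:          # the section-header fields that matter here
    name: str
    vaddr: int          # VirtualAddress (RVA)
    vsize: int          # VirtualSize
    raw_ptr: int        # PointerToRawData
    raw_size: int       # SizeOfRawData

def layout_errors(sections, sect_align=0x1000):
    """Virtual addresses must be ascending and adjacent; raw data must not overlap."""
    errors = []
    for prev, cur in zip(sections, sections[1:]):
        expected = -(-(prev.vaddr + prev.vsize) // sect_align) * sect_align
        if cur.vaddr != expected:
            errors.append(f"{cur.name}: RVA {cur.vaddr:#x}, expected {expected:#x}")
        if cur.raw_ptr < prev.raw_ptr + prev.raw_size:
            errors.append(f"{cur.name}: raw data overlaps {prev.name}")
    return errors

def hand_growth_to_previous(sections, grown, orig_vsize, orig_raw_size):
    """After a tool has grown `grown`, give the extra space to the section
    directly before it and slide `grown` up at its original size."""
    i = next(n for n, s in enumerate(sections) if s.name == grown)
    if i == 0:
        raise ValueError("no section before " + grown)
    prev, cur = sections[i - 1], sections[i]
    dv, dr = cur.vsize - orig_vsize, cur.raw_size - orig_raw_size
    out = list(sections)
    out[i - 1] = replace(prev, vsize=prev.vsize + dv, raw_size=prev.raw_size + dr)
    out[i] = replace(cur, vaddr=cur.vaddr + dv, vsize=orig_vsize,
                     raw_ptr=cur.raw_ptr + dr, raw_size=orig_raw_size)
    return out

# Constructed sample layout (not real ntoskrnl values): .patch, .skin, .rsrc, .reloc
ORIGINAL = [
    Section(".patch", 0x1A0000, 0x2000, 0x19000, 0x2000),
    Section(".skin",  0x1A2000, 0x1000, 0x1B000, 0x1000),
    Section(".rsrc",  0x1A3000, 0x3000, 0x1C000, 0x3000),
    Section(".reloc", 0x1A6000, 0x2000, 0x1F000, 0x2000),
]
# Growing .patch in place collides with .skin, which starts right after it.
NAIVE = [replace(ORIGINAL[0], vsize=0x6000, raw_size=0x6000)] + ORIGINAL[1:]
# Assumed tool output after growing .skin by 0x4000: .rsrc and .reloc shifted.
TOOL_GROWN = [
    ORIGINAL[0],
    Section(".skin",  0x1A2000, 0x5000, 0x1B000, 0x5000),
    Section(".rsrc",  0x1A7000, 0x3000, 0x20000, 0x3000),
    Section(".reloc", 0x1AA000, 0x2000, 0x23000, 0x2000),
]
FIXED = hand_growth_to_previous(TOOL_GROWN, ".skin", 0x1000, 0x1000)
```

Moving .skin this way is only safe because the post describes it as empty space; a section holding code or data referenced by address could not be slid without fixing every reference to it.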


30 minutes ago, Mov AX, 0xDEAD said:

Hi Ximonite,

Is any source code available? Or were all functions ripped as disassembly?

Almost all of the code was taken from other files, and the code that wasn't was written in IDA.
Yes, I actually wrote code in IDA.


Sir, did you find a solution to match UMDF 1.0 with Windows 2000?

58 minutes ago, windows2 said:

Sir, did you find a solution to match UMDF 1.0 with Windows 2000?

I have not tested UMDF 1.0 on Windows 2000, but it is something I plan to test at some point.

The next thing planned after KernelXE R2 is a feature pack update for Windows 2000. UMDF 1.0 is one of these components I plan to add to this feature pack update. For Windows 2000 updates, my main priority right now is KernelXE R2 and that will be my main priority until sometime (hopefully) early next year.

  • Like 1

Just now, Ximonite said:

I have not tested UMDF 1.0 on Windows 2000, but it is something I plan to test at some point.

The next thing planned after KernelXE R2 is a feature pack update for Windows 2000. UMDF 1.0 is one of these components I plan to add to this feature pack update. For Windows 2000 updates, my main priority right now is KernelXE R2 and that will be my main priority until sometime (hopefully) early next year.

Please tell me when you are solving this problem. Thank you 

10 minutes ago, Ximonite said:

I have not tested UMDF 1.0 on Windows 2000, but it is something I plan to test at some point.

The next thing planned after KernelXE R2 is a feature pack update for Windows 2000. UMDF 1.0 is one of these components I plan to add to this feature pack update. For Windows 2000 updates, my main priority right now is KernelXE R2 and that will be my main priority until sometime (hopefully) early next year.

Hi,

Please make KERNEL UPDATE for Windows NT 4.0, junior600 started but his project is dead... ;/ https://msfn.org/board/topic/176748-windows-nt-40-api-wrapper/

Edited by piotrhn

2 minutes ago, piotrhn said:

Hi,

Please make KERNEL UPDATE for Windows NT 4.0, junior600 started but his project is dead... ;/ https://msfn.org/board/topic/176748-windows-nt-40-api-wrapper/

This is something I have thought of doing in the future. I may spend a bit of time on it now and see what I can do.

16 hours ago, Ximonite said:

This is something I have thought of doing in the future. I may spend a bit of time on it now and see what I can do.

I have programmed some functions for NT4.0 in old KEX by xeno86 engine: look & see the attached asm file. You can copy these and manually put them into the kernel DLL; of course you must add a new import to NTDLL ;/ New functions in my asm:

GetConsoleWindow
GetFileSizeEx
GetProcessHandleCount
GetProcessId
GetProcessIoCounters
OpenThread
ProcessIdToSessionId
SetFilePointerEx
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32FirstW
Process32First
Process32NextW
Process32Next
Thread32First
Thread32Next
Module32FirstW
Module32First
Module32NextW
Module32Next

 

*My asm file is based on KERNEL version 4.0.1381.7227

kernel_nt4.asm

Edited by piotrhn
  • Upvote 1


Guys, what exactly is this? As far as I know, there's an extended kernel for Win2K created by Blackwingcat.

16 hours ago, Sergiaws said:

Guys, what exactly is this? As far as I know, there's an extended kernel for Win2K created by Blackwingcat.

It's my own Windows 2000 extended kernel. Since there are already 2 different extended kernels for Windows 2000 (not including mine) which have their own exclusive functions not found in the other, I made my own that includes everything from both existing extended kernels and a few extras.

The main goal of KernelXE is to remove the problem of losing any exclusive functions of one extended kernel by choosing the other one.

What I'm working on right now is the second release of KernelXE. The original KernelXE thread has information on what it is and this one will too once KernelXE R2 is released.

Edited by Ximonite


Status Update:

The first public beta of KernelXE R2 is out.

I have been experiencing a very weird issue on my bare metal test system.

Once KernelXE R2 is installed, explorer refuses to launch, but almost every program works completely fine. I also experience the same issue with Dependency Walker "generating errors" that win32 found in the original KernelXE with BWC files present, but there aren't BWC files present in my test machine. I have no idea what causes this kind of stuff to happen and I don't know if anyone else here on MSFN does either. Also, the .idata section that displays in IDA but isn't actually a section appears in the initial Public Beta 1, but not rv2. :unsure:


The launch explorer may need a source update.


@Ximonite @win32 I have now tried Windows2000-KernelXE-x86-ENU.exe with a newly installed Windows 2000 without any BWC update and the BSoD appeared. Even when I install Windows2000-KB2508429-v10-x86-ENU.exe and Windows2000-KB2479629-v3-x86-ENU.exe, the same error occurs.

But sorry, I noticed that I have the Windows 2000 extended kernel option v30e (BWC) integrated with the installed Windows CD. Maybe that is why the blue screen appeared.

Edited by windows2

1 hour ago, windows2 said:

I have now tried Windows2000-KernelXE-x86-ENU.exe with a newly installed Windows 2000 without any BWC update and the BSoD appeared.

You should install WildBill's updates before installing kernelxe as it's based on those files.

http://www.mediafire.com/download/vdbwx67dx34jezj/Windows2000-KB2479629-v3-x86-ENU.exe

http://www.mediafire.com/download/1agd8icjjbu5s4n/Windows2000-KB2508429-v17-x86-ENU.exe

I'm so excited just to have full raw input support. :) Just waiting for school stuff to quiet down and I will have an SSE-only test box.

Edited by win32
A rookie mistake.

