Ximonite

KernelXE R2 Public Beta

I have a big request. Please update these DLLs to port ADMINTOOLS from the 2k3 to the 2k SERVER version.

DCPROMO.EXE (Active Directory) ;) :)
 NETAPI32:
  DsRoleIfmHandleFree
  NetValidatePasswordPolicy
  DsRoleGetDatabaseFacts

ADPROP.DLL
 advapi32:
  LsaQueryForestTrustInformation
  LsaSetForestTrustInformation
 netapi32:
  DsMergeForestTrustInformationW
  DsGetForestTrustInformationW
 dsprop:
  ADsPropShowErrorDialog
  ADsPropSendErrorMessage
  ADsPropSetHwndWithTitle
  FindSheet
 
CERTADM.DLL
 CERTCLI: ORDINALS 249, 251, 254, 256, 260
 
CERTMMC.DLL
 CERTCLI: ORDINALS 247, 253, 254, 255, 256, 260
 
CERTPDEF.DLL
 CERTCLI: ORDINALS 253, 256, 260
  CACertTypeQuery
  CACertTypeUnregisterQuery
  CACertTypeRegisterQuery
  CAGetCertTypeFlagsEx
  CAGetCertTypePropertyEx
 
CERTREQ.EXE
 CERTCLI: ORDINALS 256, 260
  CAGetCertTypePropertyEx

CERTTMPL.DLL
 CERTCLI:
  CAIsCertTypeCurrent
  CAOIDFreeProperty
  CAInstallDefaultCertType
  CAOIDGetProperty
  CAOIDAdd
  CAOIDSetProperty
  CASetCertTypeFlagsEx
  CAGetCertTypePropertyEx
  CASetCertTypePropertyEx
  CAGetCertTypeFlagsEx
  CACloneCertType
  CAOIDDelete
  CAOIDCreateNew
 
DNSMGR.DLL
 dnsapi:
  DnsQueryConfigAllocEx
 
DSADMIN.DLL
 ADVAPI32:
  ConvertStringSDToSDDomainW
 
MPRSNAP.DLL
 MPRAPI:
  MprAdminServerGetCredentials
  MprAdminServerSetCredentials
 
NTDSBSRV.DLL
 NTDSA:
  DBDsReplBackupUpdate
  THGetErrorString
  DBUpdateBackupTimeStamps
 
WINSMON.DLL
 NETSH.EXE:
  RegisterContext
  MatchToken
  RegisterHelper
  PrintMessageFromModule
  MatchCmdLine

 

Edited by piotrhn


8 hours ago, piotrhn said:

I have a big request. Please update these DLLs to port ADMINTOOLS from the 2k3 to the 2k SERVER version.


I will keep this in mind, but I want to spend all my time on kernel32 right now, since I need to fix CreateActCtxW, which is an important function that lots of programs use.

I also want to figure out the error messages generated when trying to open CFF Explorer and Dependency Walker.

When using IDA 5.0, I found the errors they generated.

CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)

34 minutes ago, Ximonite said:

I also want to figure out the error messages generated when trying to open CFF Explorer and Dependency Walker.

When using IDA 5.0, I found the errors they generated.

CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)

When that dialog appears, dump files are erratically written. You can view them in Dr Watson (drwtsn32.exe). They can be helpful, but in this case they're just as useless as those.

As we have no idea what is causing these issues based on dumps and dialogs, we can use local redirection to help us. Go to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and delete most entries (except for the DllDirectory one, or else you will get a BSOD on bootup), including the one for kernel32. Reboot, then copy/paste the stable kernel32 to the CFF Explorer folder and make a file named CFF Explorer.exe.local, so you will be able to use it.

Then find a known broken program, copy the unstable kernel32 to its folder and do the .local thingy again. Comment out its calls in the same way using CFF or similar utility until you can get it to launch again.

I've had this red herring crash problem before. Chromium 73+ was shown to have crashed on an import call to RtlOemUnicodeString or something like that on Vista originally, but it turned out to be a few incorrect call near ptrs (those can only be done if calling a routine within the same section, when they were indeed calling routines in other sections).

Edited by win32
22 hours ago, win32 said:

When that dialog appears, dump files are erratically written. You can view them in Dr Watson (drwtsn32.exe). They can be helpful, but in this case they're just as useless as those.

As we have no idea what is causing these issues based on dumps and dialogs, we can use local redirection to help us. Go to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and delete most entries (except for the DllDirectory one, or else you will get a BSOD on bootup), including the one for kernel32. Reboot, then copy/paste the stable kernel32 to the CFF Explorer folder and make a file named CFF Explorer.exe.local, so you will be able to use it.

Then find a known broken program, copy the unstable kernel32 to its folder and do the .local thingy again. Comment out its calls in the same way using CFF or similar utility until you can get it to launch again.

I've had this red herring crash problem before. Chromium 73+ was shown to have crashed on an import call to RtlOemUnicodeString or something like that on Vista originally, but it turned out to be a few incorrect call near ptrs (those can only be done if calling a routine within the same section, when they were indeed calling routines in other sections).

I used your advice and discovered what could be the problem.

I found that GetSystemInfo and QueryPerformanceCounter are called by functions in a different section in my kernel32, but not in BlackWingCat's kernel32, and every program that crashes calls these functions.

I tried moving GetSystemInfo to .patch and QueryUnbiasedInterruptTime to .text to see if that fixes the issue, and now some new programs generate these errors. One of them happens to be winlogon.exe :thumbdown

Then, I found an empty area in .text so I put everything that calls GetSystemInfo in this blank space. This fixed the winlogon.exe error, but not the original errors with Dependency Walker and CFF Explorer.

Edited by Ximonite
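The displacement arithmetic behind the last two posts, as an added example that is not code from this thread or from KernelXE: an x86 near CALL (opcode E8) carries a signed 32-bit displacement measured from the end of the 5-byte instruction, so a call copied byte-for-byte into another location (as when a caller is moved from .text into .patch) keeps its displacement but not its target, and lands in whatever happens to sit at the new address plus the old displacement, or outside every section entirely. The section layout, addresses and function names below are constructed for illustration, not taken from any real kernel32.

```python
import struct

# Constructed section layout for illustration: name -> (virtual address, virtual size).
# These are not the sections of any real kernel32 build.
SECTIONS = {
    ".text":  (0x1000, 0x7000),
    ".patch": (0x9000, 0x1000),
}


def section_of(va, sections=SECTIONS):
    """Return the name of the section containing va, or None if no section covers it."""
    for name, (start, size) in sections.items():
        if start <= va < start + size:
            return name
    return None


def encode_call(call_va, target_va):
    """Encode an E8 rel32 near call placed at call_va so that it lands on target_va.

    The displacement is relative to the address of the *next* instruction,
    i.e. call_va + 5, which is why a relocated call must be re-encoded.
    """
    rel = target_va - (call_va + 5)
    return b"\xe8" + struct.pack("<i", rel)


def decode_call(call_va, code):
    """Decode an E8 rel32 at call_va and return the absolute target address."""
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 near call")
    rel = struct.unpack_from("<i", code, 1)[0]
    return call_va + 5 + rel


def check_moved_call(old_call_va, new_call_va, code):
    """Report where a call copied verbatim from old_call_va to new_call_va really goes.

    intended_* describe the target at the original location, actual_* describe
    the target after the move without re-encoding; ok is True only if they agree.
    """
    intended = decode_call(old_call_va, code)
    actual = decode_call(new_call_va, code)
    return {
        "intended_target": intended,
        "intended_section": section_of(intended),
        "actual_target": actual,
        "actual_section": section_of(actual),
        "ok": intended == actual,
    }


if __name__ == "__main__":
    # A caller at 0x1234 in .text calls a helper at 0x2000 (constructed addresses).
    call = encode_call(0x1234, 0x2000)
    print("original bytes:", call.hex())
    # The caller is moved to 0x9100 in .patch without re-encoding the call.
    print("copied verbatim:", check_moved_call(0x1234, 0x9100, call))
    # Re-encoding at the new address restores the intended target.
    print("re-encoded target:", hex(decode_call(0x9100, encode_call(0x9100, 0x2000))))
```

When a block of code is moved between sections, every E8/E9 rel32 inside it (and every rel32 elsewhere that points into it) has to be re-encoded for the new address; a call whose stale displacement lands outside every section produces exactly the kind of fault address reported above.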

On 11/18/2020 at 4:58 AM, Ximonite said:

CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)

Hi,

Seems you messed with the arguments/stack at return: "ret x" must take the return address to the parent, but it takes a random arg from the stack and jumps to it :)
