
Compiling ACPI v2.0 driver for Windows XP SP3 and Windows 2003 SP2 (x32/x64)


Mov AX, 0xDEAD



There is even more good news about XP SP2 64-bit.

Now we have brand-new acpi.sys, intelppm.sys and hal.dll.

The timer problem is gone, the big power consumption goes from 54 watts ==> 1.6 watts at 0% load,

and the crazy BSOD C0000034, which needs as much hard work as possible interpreting the results of WinDbg over a COM1 connection.

Dietmar

Edited by Dietmar

Here is the patch for hal.dll 5.2.3790.6912 (srv03_sp2_qfe.190711-0601), XP SP2 64-bit, which solves the timer problem.


Modded vs original (offset: modded byte, original byte)

138:    2C    B4
139:    F3    7A
38881:  EB    73
40186:  EB    73


Edited by Dietmar

And here is the patch for intelppm.sys version 5.2.3790.4143 (srv03_sp2_qfe.070831-1432).

Modded vs original (offset: modded byte, original byte)

128:    CC    4E
129:    7B    FC
12A:    01    00
65F2:   4A    8A
65F9:   43    03
65FA:   A1    A2
7C1E:   1E    5E
7CD3:   69    29
7CD4:   8A    8B


Dietmar

Edited by Dietmar
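As an added example (not code from the thread), a small C patcher that applies the hal.dll table posted above to an in-memory file image only after checking that every original byte is present, so a file from a different build is left untouched; the image it patches is a constructed zero-filled stand-in, not a real hal.dll.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct patch { size_t offset; uint8_t original; uint8_t modded; };

/* hal.dll 5.2.3790.6912 table from the post: offset, original byte, modded byte */
static const struct patch hal_patches[] = {
    { 0x138,   0xB4, 0x2C },
    { 0x139,   0x7A, 0xF3 },
    { 0x38881, 0x73, 0xEB },
    { 0x40186, 0x73, 0xEB },
};
#define NPATCH (sizeof hal_patches / sizeof hal_patches[0])

/* Verify every entry (in range and original byte present) before writing
 * anything; returns the number applied, or -1 leaving the image untouched. */
int apply_patches(uint8_t *img, size_t len, const struct patch *tbl, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].offset >= len) return -1;
        if (img[tbl[i].offset] != tbl[i].original) return -1;
    }
    for (size_t i = 0; i < n; i++) img[tbl[i].offset] = tbl[i].modded;
    return (int)n;
}

/* Constructed stand-in for hal.dll: zero-filled, with the original bytes
 * placed at the patch offsets (not a real binary). */
#define IMG_LEN 0x40200
static uint8_t image[IMG_LEN];

/* Build the sample image, optionally corrupting the first patch site (as a
 * file from another build would look), and return what apply_patches reports. */
int sample_check(int tamper) {
    memset(image, 0, IMG_LEN);
    for (size_t i = 0; i < NPATCH; i++) image[hal_patches[i].offset] = hal_patches[i].original;
    if (tamper) image[hal_patches[0].offset] ^= 0xFF;
    return apply_patches(image, IMG_LEN, hal_patches, NPATCH);
}

int main(void) {
    printf("matching image: %d\n", sample_check(0));   /* 4 */
    printf("tampered image: %d\n", sample_check(1));   /* -1 */
    return 0;
}
```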

Hi All

I found a serious issue with the compiled ACPI.SYS for the x64 platform: mismatched kernel headers, e.g. ke.h.

We have two versions of the .h files:

1) Leaked W2003 source tree

2) W2003 Windows Research Kernel(WRK)

Neither of these two options matches the official XP/W2003 x64 SP2 kernels. The issue is that acpi.sys reads incorrect fields of Windows threads.

To fix this issue we need to review the kernel headers and change them to match the official MS x64 kernels.


23 minutes ago, Dietmar said:

What does this mean for the acpi.sys for x64 SP2, and can I help you with testing?

This means this acpi.sys x64 can be used only with a kernel compiled from W2003 RTM or WRK.

It runs with XP SP2 too, but it may read/write wrong values of kernel structs (process/thread/PEB/TEB/...).

Real x64 SP2 decompiled header, struct _KTHREAD, which KeGetCurrentThread() returns:

Quote

    struct _LIST_ENTRY QueueListEntry;// Offset=0x1b8 Size=0x10
    struct _KTRAP_FRAME *TrapFrame;// Offset=0x1c8 Size=0x8
    void *CallbackStack;// Offset=0x1d0 Size=0x8
    unsigned char ApcStateIndex;// Offset=0x1d8 Size=0x1
    unsigned char IdealProcessor;// Offset=0x1d9 Size=0x1
    unsigned char Preempted;// Offset=0x1da Size=0x1
    unsigned char ProcessReadyQueue;// Offset=0x1db Size=0x1
    unsigned char KernelStackResident;// Offset=0x1dc Size=0x1
    char BasePriority;// Offset=0x1dd Size=0x1
    char PriorityDecrement;// Offset=0x1de Size=0x1

    char Saturation;// Offset=0x1df Size=0x1

W2003 RTM:

Quote

    LIST_ENTRY QueueListEntry;
    UCHAR ApcStateIndex;
    BOOLEAN ApcQueueable;
    BOOLEAN Preempted;
    BOOLEAN ProcessReadyQueue;
    BOOLEAN KernelStackResident;
    CHAR Saturation;

W2003 WRK:

Quote

    LIST_ENTRY QueueListEntry;
    PKTRAP_FRAME TrapFrame;
    PVOID CallbackStack;
    PVOID ServiceTable;
#if defined(_AMD64_)
    ULONG KernelLimit;
#endif
    UCHAR ApcStateIndex;
    UCHAR IdealProcessor;
    BOOLEAN Preempted;
    BOOLEAN ProcessReadyQueue;
#if defined(_AMD64_)
    PVOID Win32kTable;
    ULONG Win32kLimit;

#endif
    BOOLEAN KernelStackResident;
    SCHAR BasePriority;
    SCHAR PriorityDecrement;
    CHAR Saturation;


Edited by Mov AX, 0xDEAD
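As an added example (not from the thread or the WRK), both _KTHREAD tails quoted above declared as C structs so the compiler reports each field's offset; the bytes before QueueListEntry are an assumed opaque prefix, and the WRK offsets assume natural x64 alignment for the fields as declared.

```c
/* Both _KTHREAD tails quoted in the post, with the compiler computing the
 * field offsets. Bytes before QueueListEntry (0x1b8) are an assumed opaque
 * prefix; WRK offsets follow natural x64 alignment of the declared fields. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Tail of the real x64 SP2 _KTHREAD, as decompiled (offsets in comments) */
struct KTHREAD_SP2 {
    uint8_t    Prefix[0x1b8];
    LIST_ENTRY QueueListEntry;                        /* 0x1b8 */
    void      *TrapFrame, *CallbackStack;             /* 0x1c8, 0x1d0 */
    uint8_t    ApcStateIndex, IdealProcessor;         /* 0x1d8, 0x1d9 */
    uint8_t    Preempted, ProcessReadyQueue;          /* 0x1da, 0x1db */
    uint8_t    KernelStackResident;                   /* 0x1dc */
    int8_t     BasePriority, PriorityDecrement;       /* 0x1dd, 0x1de */
    int8_t     Saturation;                            /* 0x1df */
};

/* The same tail as declared in the WRK header, AMD64 branches included */
struct KTHREAD_WRK {
    uint8_t    Prefix[0x1b8];
    LIST_ENTRY QueueListEntry;
    void      *TrapFrame, *CallbackStack, *ServiceTable;
    uint32_t   KernelLimit;
    uint8_t    ApcStateIndex, IdealProcessor, Preempted, ProcessReadyQueue;
    void      *Win32kTable;
    uint32_t   Win32kLimit;
    uint8_t    KernelStackResident;
    int8_t     BasePriority, PriorityDecrement, Saturation;
};

/* A driver built against WRK reads ApcStateIndex at the WRK offset; in the
 * SP2 kernel that byte belongs to a different field entirely. */
size_t apc_index_sp2(void)  { return offsetof(struct KTHREAD_SP2, ApcStateIndex); }
size_t apc_index_wrk(void)  { return offsetof(struct KTHREAD_WRK, ApcStateIndex); }
size_t saturation_sp2(void) { return offsetof(struct KTHREAD_SP2, Saturation); }
size_t saturation_wrk(void) { return offsetof(struct KTHREAD_WRK, Saturation); }

int main(void) {
    printf("ApcStateIndex: SP2 0x%zx  WRK 0x%zx\n", apc_index_sp2(), apc_index_wrk());
    printf("Saturation:    SP2 0x%zx  WRK 0x%zx\n", saturation_sp2(), saturation_wrk());
    return 0;
}
```

The SP2 offsets reproduce the decompiled comments exactly, while the WRK declaration lands the same fields 12 and 24 bytes later.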

@Mov AX, 0xDEAD

Does the BSOD 0xC0000034 with the HIDD device in XP SP2 64-bit, and loading only one SSDT table instead of all, belong to this?

Dietmar

PS: I just compared the ke.h from the sources for XP SP1 with the ke.h of the Win2k3 sources.

There are differences.

Edited by Dietmar

12 minutes ago, Dietmar said:

PS: I just compared the ke.h from the sources for XP SP1 with the ke.h of the Win2k3 sources.

XP SP1 is used only for x32 XP compilation; there is no point comparing it with W2003 sources.

W2003 sources are used for compiling W2003 x32/W2003 x64/XP x64.


structs_acpi.txt - compiled structs (KTHREAD already reverted)

structs_kernel.txt - structs from real ntkrnlmp.exe 5.2.3790.3959

The most important kernel things match (TEB/PEB/ETHREAD/KTHREAD), but we need to look at all of them.

P.S. Many kernel structs are missing from structs_kernel.txt (the .pdb is not full), so this is not a 100% way to find mismatches.

Edited by Mov AX, 0xDEAD

1 hour ago, Dietmar said:

@Mov AX, 0xDEAD

What does the header structure tell in this very last update of XP SP2 64-bit?

I think the same as the first release of SP2 x64.

Small updates of ntoskrnl.exe don't change .h fields.

Fields usually change between service packs, so almost all files are recompiled because the kernel offsets change.

The W2003 x64 RTM headers from the leak are too old; we need WRK as a base and additional patches to match the SP2 kernel.

I am surprised that WRK is not the same as SP2; official description:

Quote

WRK v1.2 includes most of the NTOS kernel sources from the latest released
version of Windows, which supports the AMD64 architecture on the Desktop.
The kernel sources excluded from the kit are primarily in the areas of
plug-and-play, power management, the device verifier, kernel debugger
interface, and virtual dos machine.  The primary modifications to WRK
from the released kernel are related to cleanup and removal of server
support, such as code related to the Intel IA64.

P.S. WRK is 2003 SP1 sources.

Edited by Mov AX, 0xDEAD