KernelEx for Windows XP?

[Joaquim]

i'm trying, but i can't find a kernellex.. is there any for windows xp?

[mina7601]

There's One-Core-API, a compatibility layer made by @Skulltrail, which aims to run Vista+ applications on XP. It's currently a Work In Progress (WIP). Unfortunately, I can't link to it, as it has modified Windows binaries, and that's against MSFN rules.

Edited September 29, 2023 by mina7601

[Dibya]

One i made in past ,

https://web.archive.org/web/20191108101116/http://ryanvm.net/forum/viewtopic.php?f=25&t=10631&

But is has not been updated, though shared source of my API implementation & PEPatcher Toolkit [It automate somethings, which are missing in @blackwingcat's PEMAKER >3

[Zorba the Geek]

Kernelex uses dll injection, whereas One Core API uses patched Microsoft binaries.  It also includes new binaries from the developer and has linked the Microsoft binaries in new ways which makes it more like a new operating system.  The main drawback of one Core API for me is that it is built on the last SP3 updates rather than POSReady 2009 which makes it less secure.  Dibya's Extended XP package also provides patched Microsoft binaries, but it merely extends the API of the kernel,so that things like Python, GTK, and OpenSSL can be run under XP.  It also has the advantage of being built on POSReady 2009 which made it as secure as possible when it was released.  The package includes an update installer which will update existing Microsoft binaries and provide a security catalog, so that they are not flagged by SFP.  The package also includes the tools he used to make the extended binaries with a sample rebuilt binary and it's source code in the form of an .asm file.  I am still waiting for an update.

Edited November 26, 2023 by Zorba the Geek

[Zorba the Geek]

Dibya cannot receive messages, so I am requesting here that he provide me with the source code for his Extended XP, so that I can update it.

[abbodi1406]

On 11/26/2023 at 6:25 PM, Zorba the Geek said:

Dibya cannot receive messages, so I am requesting here that he provide me with the source code for his Extended XP, so that I can update it.

Scroll towards the end of the archived ryanvm link he posted above, and you will find link for BuildEnviroment.7z
 

[Dibya]

On 11/26/2023 at 8:55 PM, Zorba the Geek said:

Dibya cannot receive messages, so I am requesting here that he provide me with the source code for his Extended XP, so that I can update it.

I lost the source myself, but i can help you with making a Extended Kernel,  i think i fixed my PM

[Damnation]

Out of curiosity, how is exkernel.dll supposed to work?

[Dibya]

Easiest way to provide a Extended Kernel or Extended XP successor today will be to provide a build environment,

KernelCore.dll to store Kernel32 api , shecore for shell32 and so on , Open Source under BSD Clause 3 License ,

Codecaving is complicated , their no point smashing your head with Hex Editor and Disassembler, Extension dll will be much easier to maintain

and debug bug.

Then use Rudy's modexp and provide a patching script for forwarding missing api to it,

or use ExportTable Tester [This way @Zorba the Geek or some other community member can make both x86/x64 Kernel Extension for Server2003/XP].

Unfortunately nowadays i get very little time to work on anything , their other project and university to attend.

In January i will be free and make and present  a KernelExtention maker to community.

Someone among you can maintain it , i will be really happy and grateful that my baby extended XP continue to live.

Whoever going to maintain it , get your C++ skills polished and manage to get a copy of IDA Pro [Don't ask me how],

[Just basics, mostly you will be copying code from Wine and other opensource places anyway]

Here is great start how to get started reversing Microsoft's API and get handy with debugger of Visual Studio 2010

I might forget , someone knock me on 10th of January,

[Zorba the Geek]

Here are some links to tools that maybe useful for developing Extended XP

• IDA Disassembler 6.6 Demo This requires patching of idaq.exe to remove the message "Sorry, the evaluation version has expired".  Forum rule 1a prevents me from providing instructions on how to do this, so you need to send me PM.
• PEMaker by Blackwingcat.  When run under XP text is garbled due to incompatible imagehlp.dll.
• Export Table Tester.  Read forum topic here.
• gdb.exe from MinGW-W64 GCC-8.1.0 to disassemble specific functions.
• Ollydbg 1.10 with OllySymbolServer at OllyDbg1plugins
• pefille Python module to analyse and overwrite parts of PE file header
• pepatch Python module for patching PE format binaries

I cannot find a download link for Rudy's modexp.  Can someone upload it so that we can share it?

Edited December 16, 2023 by Zorba the Geek

[Dibya]

Rudy is @rloew

http://lonecrusader.x10host.com/rloew/rloew.html

I will post his modexp , proprietary tool thanks to permission provided by his son.

 

I have to turn on my old laptop and find a local copy ,

 

Edited December 17, 2023 by Dibya

[Joaquim]

Dibya please reshare the link

[Zorba the Geek]

I thought that I ought to push things along with this project with this post.  The objective is to update Dibya's last patched binaries so that they are based on the last POSReady 2009 updates of these modules.  It ought to be possible to patch other system files using the same techniques.

The approach that Dibya has used is to patch the export table of these binaries so that API calls to NT6 functions are forwarded to an external dynamic link library that acts as a container for all the additional NT6 functions for the patched kernel32.dll, advapi32.dll, ole32.dll, shell32.dll and user32.dll.  This external dynamic link library is called ExKernel.dll.  I have provided a screen shot of the patched advapi32.dll opened in PE Maker here:

Exkernel.dll is built by dissasembling Microsoft and Wine binaries to extract the subroutines for the additional NT6 functions to make the asm file ExKernel.asm which is then assembled with nasm.exe to produce the object file ExKernel.obj.  ExKernel.obj is passed to golink.exe to link Exkernel to advapi32.dll, shell32.dll, kernel32.dll, and ntdll.dll.

The ExKernel.asm file contains a table for imports as in the sample below:

; IMPORT TABLE 
EXTERN RtlEnterCriticalSection
EXTERN RtlLeaveCriticalSection
EXTERN WaitForSingleObject
;EXTERN _alloca_probe
EXTERN RtlInitializeCriticalSection
EXTERN SetEvent
EXTERN RtlSetLastWin32Error
EXTERN RtlTryEnterCriticalSection
EXTERN GetLastError
EXTERN GetProcessHeap
EXTERN RtlAllocateHeap
EXTERN ExitThread
EXTERN CreateEventA
EXTERN LoadLibraryA

The table for exports is shown in the sample below:

; EXPORT TABLE 
GLOBAL AcquireSRWLockExclusive
EXPORT AcquireSRWLockExclusive
GLOBAL AcquireSRWLockShared
EXPORT AcquireSRWLockShared
GLOBAL InitializeSRWLock
EXPORT InitializeSRWLock
GLOBAL ReleaseSRWLockExclusive
EXPORT ReleaseSRWLockExclusive
GLOBAL ReleaseSRWLockShared
EXPORT ReleaseSRWLockShared
GLOBAL TryAcquireSRWLockExclusive
EXPORT TryAcquireSRWLockExclusive
GLOBAL TryAcquireSRWLockShared
EXPORT TryAcquireSRWLockShared
GLOBAL InterlockedCompareExchange64
EXPORT InterlockedCompareExchange64

Here is a sample of a subroutine in assembly included in ExKernel.asm

FindNextStreamW:        ;blackwingcat KB935839 2017.04
          push    ebp
          mov    ebp,esp
          mov    ecx,[ebp+08h]
          mov    edx,[ecx+04h]
          add    edx,[ecx+0Ch]
          mov    eax,[ecx+08h]
          cmp    eax,edx
          jnz    L77EA5881
          push    3221225489 ;C0000011h
          call    SUB_L77E5826D
          xor    eax,eax
          jmp    L77EA58D4
L77EA5881:
          mov    ecx,[eax+08h]
          mov    edx,[ebp+0Ch]
          mov    [edx],ecx
          mov    ecx,[eax+0Ch]
          mov    [edx+04h],ecx
          mov    ecx,[eax+04h]
          push    ebx
          push    esi
          mov    ebx,ecx
          push    edi
          shr    ecx,02h
          lea    esi,[eax+18h]
          lea    edi,[edx+08h]
          rep movsd
          mov    ecx,ebx
          and    ecx,00000003h
          rep movsb
          mov    ecx,[eax+04h]
          shr    ecx,1
          and    word [edx+ecx*2+08h],0000h
          mov    eax,[eax]
          test    eax,eax
          pop    edi
          pop    esi
          pop    ebx
          jbe    L77EA58C5
          mov    ecx,[ebp+08h]
          add    [ecx+08h],eax
          jmp    L77EA58D1
L77EA58C5:
          mov    eax,[ebp+08h]
          mov    ecx,[eax+04h]
          add    ecx,[eax+0Ch]
          mov    [eax+08h],ecx
L77EA58D1:
          xor    eax,eax
          inc    eax
L77EA58D4:
          pop    ebp
          retn    0008h

Here are some issues that I am unclear about and I would like Dibya or someone to clarify:

• Can someone supply instructions on how to use PE Maker to add additional entries to the export table?
• How do you know if there is sufficient space in the binary to be patched to accommodate these new entries in the export table without over-writing some of the existing code?  Is there some way of creating extra space in the binary to to accommodate these new entries?
• What tool is recommended to extract functions as assembly from Microsoft and Wine binaries?
• Why criteria  would you use to choose either Microsoft, Wine or BWC binaries as a source for these extracted functions?
• If you decide not to use an external dynamic link library as a container for the additional NT6 functions how would you insert them into the binary to be patched?  Would you dissasemble the binary to be patched and paste the dissasembled NT6 functions into it's asm file then assemble it, or could you extract the NT6 functions as hex and paste them into a hex dump of the binary to be patched?

ExKernel.asm

Edited March 3 by Zorba the Geek

[Zorba the Geek]

Dibya please reply to this question.

I have been investigating how I could update your Kernelex for Windows XP, and I am uncertain about which disassembler to use which gives an output compatible with NASM.  I have been able to extract the assembly code for particular functions in BlackWingCat's build of kernel32.dll using the GNU disassembler gdb, and IDA Pro 6.8, but there are differences in the syntax compared to your source code in kernelex.asm which may or may not be significant.  Here are some examples:

Dibya: mov    eax,[ebp+0Ch]
gdb:   mov    eax,DWORD PTR [ebp+0xc]
IDA:   mov    eax, [ebp+arg_4]

Dibya: mov    word [ebp-08h],0008h
gdb:   mov    WORD PTR [ebp-0x8],0x8
IDA:   mov    [ebp+var_8], 8

Is it it possible that NASM would recognize DWORD PTR and trailing h after numerals even though they are not present in the output of NDISASM?  What about the number formats like 0008 compared to 0x8?

I have tried x64dbg and Ollydbg, but I could not get them to work in this application.

[Damnation]

@Zorba the Geek

Try Relyze disassembler, or ghidra disassembler, and see if what they output is suitable. Both are free.