
leecher

Member
  • Posts

    14
  • Joined

  • Last visited

  • Donations

    0.00 USD 
  • Country

    Austria

About leecher

Profile Information

  • OS
    XP Pro x86


leecher's Achievements

Reputation: 9

  1. MSNP24 protocol is dead, unfortunately. So my MSN-Plugin for Miranda NG is also dead. From reversing the newer Skype 8 client, I know that only the web-based APIs are working. In fact, the new Skype-client is some Javascript Electron-blob wrapped in a windows-client now. Therefore I changed from MSN-plugin to SkypeWeb-plugin in Miranda and merged contacts via MetaContact. So I can keep using instant messaging via Skype (never needed voice call capability anyway).
  2. There certainly is a problem with this approach. For example, I have a German version of Windows XP and I don't want the messages from kernel32.dll to become English. So the XomPie-Approach is better with a replacement DLL that forwards all function calls to the original DLL and just contains the newly added functions. This way, you don't break i.e. language compatibility. It is easy to accomplish. For patching internal functions in the target DLL it may be better to write a patcher so that language DLL can be kept and just gets a patched copy. If you need internal structures from the target System DLL that you are patching, you can use Symbol server to resolve them, I did this in NTVDMx64 loader for instance.
  3. Currently I don't have a lot of time to test, unfortunately... :-/ What about putting your code and build environment on github so that people can contribute and add missing functions to let it grow faster? Or doesn't it build automatically?
  4. leecher

    XomPie

    Hi, I created a simple export driver, see attachment.. No idea if it is working, but you can try to play around with it. Regards. kernelext.zip
  5. leecher

    XomPie

    Not sure what you mean by it.. This is a kernel function exported from ntoskrnl for drivers, so it is ring 0 code. To run it, one could implement an export driver containing the code (https://msdn.microsoft.com/en-us/library/windows/hardware/ff542891(v=vs.85).aspx), but still, how do you get your driver that depends on this function being exported from ntoskrnl.exe to load the function from the "wrapper" driver that implements it? Would you patch the IAT of the requiring driver to point to the export driver?
  6. leecher

    XomPie

    I played around a bit with some loader code that I wrote which tries to patch the imports on loading in memory, but got stuck with it as loader modification needs to take place in the context of the target application as soon as it is loaded into memory, as IAT lookup etc. is running in its context, not in the context of the executing application... Anyway, would it be beneficial if you could load an application with xompie by executing it via a separate application that loads the target into memory and patches the imports accordingly so that it uses your wrapper DLLs for functions that are unavailable in original DLLs? I can share what I got so far, if you are interested, even though it's not working yet.
  7. Via a proxy DLL? I guess this has to run in Ring 0. This is pretty much the same code as in original Windows for this function: https://doxygen.reactos.org/db/d94/ntoskrnl_2ke_2apc_8c.html#a69decd8a97092be85121f4e4cbc48e73
  8. Basically it's just:

     errno_t memcpy_s( void *dest, size_t destSize, const void *src, size_t count )
     {
         return memcpy(dest,src,min(destSize,count));
     }
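The one-liner above copies min(destSize, count) bytes and reports success. The C11 Annex K contract for memcpy_s (and the MSVC CRT that implements it) behaves differently on the error paths: a count larger than destSize is reported as ERANGE and the destination is zeroed, a NULL pointer is reported as EINVAL, and overlapping buffers are a constraint violation. The following added example (not from the post or from any CRT) puts a truncating version next to a checked version so the two behaviours can be compared on the same inputs; the function names, the RSIZE_MAX stand-in and the demo buffers are all constructed for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Annex K defines RSIZE_MAX; this stand-in value is an assumption for the
 * example (many implementations use SIZE_MAX >> 1). */
#define RSIZE_MAX_EXAMPLE (SIZE_MAX >> 1)

/* Truncating variant: mirrors the one-liner from the post (hypothetical name).
 * Copies whatever fits and always reports success, so a caller cannot tell
 * that only part of the source arrived. */
int memcpy_s_truncating(void *dest, size_t destSize, const void *src, size_t count)
{
    size_t n = count < destSize ? count : destSize;   /* min(destSize, count) */
    memcpy(dest, src, n);
    return 0;
}

/* Checked variant: follows the Annex K runtime-constraint rules (hypothetical
 * name). Any violation leaves no partial copy behind: dest is zeroed (when it
 * can be) and an errno value is returned. */
int memcpy_s_checked(void *dest, size_t destSize, const void *src, size_t count)
{
    const unsigned char *d = (const unsigned char *)dest;
    const unsigned char *s = (const unsigned char *)src;

    if (dest == NULL || destSize > RSIZE_MAX_EXAMPLE)
        return EINVAL;                 /* cannot safely clear dest, just report */

    if (src == NULL || count > RSIZE_MAX_EXAMPLE) {
        memset(dest, 0, destSize);     /* Annex K: zero dest on failure */
        return EINVAL;
    }
    if (count > destSize) {
        memset(dest, 0, destSize);
        return ERANGE;                 /* source would not fit, nothing copied */
    }
    /* overlapping regions are a constraint violation as well */
    if ((s < d && s + count > d) || (d < s && d + count > s)) {
        memset(dest, 0, destSize);
        return EINVAL;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Demo 1: a source that fits succeeds in both variants. */
int demo_fits(void)
{
    char dst[8];
    int r = memcpy_s_checked(dst, sizeof dst, "abc", 4);   /* 4 bytes incl. NUL */
    return r == 0 && strcmp(dst, "abc") == 0;
}

/* Demo 2: an oversized source is silently cut to 4 bytes by the truncating
 * variant, which still reports 0. */
int demo_truncating_hides_overflow(void)
{
    char dst[4];
    int r = memcpy_s_truncating(dst, sizeof dst, "abcdefg", 8);
    return r == 0 && memcmp(dst, "abcd", 4) == 0;
}

/* Demo 3: the checked variant refuses the same copy with ERANGE and wipes the
 * destination, so stale data ("xyz") does not survive either. */
int demo_checked_reports_overflow(void)
{
    char dst[4] = "xyz";
    int r = memcpy_s_checked(dst, sizeof dst, "abcdefg", 8);
    return r == ERANGE && dst[0] == 0 && dst[1] == 0 && dst[2] == 0;
}

/* Demo 4: a NULL source is an EINVAL for the checked variant. */
int demo_checked_null_src(void)
{
    char dst[4] = "xyz";
    int r = memcpy_s_checked(dst, sizeof dst, NULL, 2);
    return r == EINVAL && dst[0] == 0;
}
```

The pointer-range comparison for overlap compares addresses of possibly unrelated objects, which the C standard does not strictly define; real CRTs do the same, and it is kept here because that is what the Annex K overlap rule needs. The truncating variant is included only to make the difference visible: the value a caller gets back from it never reveals that data was dropped.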
  9. 0xCC = INT 3. So this initiates a Debug Break when in Debugger. That's why this opcode is usually used as a filler, because then you end up in debugger when program execution for whatever reason gets there, which shouldn't be the case.
  10. TpAllocCleanupGroup -> CreateThreadpoolCleanupGroup
      TpAllocIoCompletion -> CreateThreadpoolIo
      TpAllocPool -> CreateThreadpool
      TpAllocTimer -> CreateThreadpoolTimer
      TpAllocWait -> CreateThreadpoolWait
      TpAllocWork -> CreateThreadpoolWork
      TpCallbackMayRunLong -> CallbackMayRunLong
      TpCaptureCaller -> Used internally in SetThreadAffinityMask with parameter 2
      TpQueryPoolStackInformation -> QueryThreadpoolStackInformation
      TpSetPoolMinThreads -> SetThreadpoolThreadMinimum
      TpSetPoolStackInformation -> SetThreadpoolStackInformation
      TpSimpleTryPost -> TrySubmitThreadpoolCallback
      ...
  11. leecher

    XomPie

    Hmn, you would need to patch BasepIsImageVersionOk() call in KERNEL32 for that... If you completely replace KERNEL32.DLL with your version (should work if you exclude kernel32.dll from SFP (http://www.rohitab.com/discuss/topic/27845-disable-windows-file-protection/)), you could also replace this check, but that doesn't look like a clean solution. In my NTVDM x64 project, I used an additional DLL that gets loaded into every process and patches the NT loader according to my needs to re-enable startup of NTVDM on 64bit Windows, this would also be an option (see my sourcecode at https://github.com/leecher1337/ntvdmx64/blob/master/ntvdmpatch/src/ldntvdm/ldntvdm/ldntvdm.c), but maybe AppCompat wrapper DLL can do these patches too on load or something like that?
  12. leecher

    XomPie

    Hi, I don't really know a lot about AppCompat Shim Engine myself yet, but in LdrpMapDll, there is some code referencing an AppCompat redirect, which in turn allows the application to setup a DLL redirection path for a library on load:

     typedef NTSTATUS (NTAPI *PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION)(
         IN ULONG Flags,
         IN PCWSTR DllName,
         IN PCWSTR DllPath OPTIONAL,
         IN OUT PULONG DllCharacteristics OPTIONAL,
         IN PVOID CallbackData,
         OUT PWSTR *EffectiveDllPath
     );

     NTSYSAPI NTSTATUS NTAPI LdrSetAppCompatDllRedirectionCallback(
         IN ULONG Flags,
         IN PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION CallbackFunction,
         IN PVOID CallbackData
     );

    I think documentation is quite clear, check DllName in callback, if it is one of our system DLLs that need redirection and if so, fill EffectiveDllPath pointer accordingly with pointer to memory allocated with RtlAllocateHeap, caller will free. As I didn't find any direct reference to this function, my assumption is that it is designed to be used by some Shim-DLLs in the Notify-Routine in order to setup redirection. I just thought I should point into that direction, maybe it is useful, as this method circumvents KnownDLLs check.
  13. leecher

    XomPie

    What about AppCompat shims? I haven't reverse engineered the Windows XP Shim Engine yet, but some people attempted to do this and in my opinion it may be the "cleanest" way, as the compatibility settings for running applications in compatibility mode are also applied with the Shim Engine. So maybe we could do some research on it? This document sums up available documentation: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf Just an idea...
  14. leecher

    XomPie

    I guess you already know but Paragon GPT Loader works like a charm for me for years if you use the 2 patches I made for it: http://hardwarefetish.com/524-paragon-gpt_loadersys-bsod-analysis-and-fix http://hardwarefetish.com/612-gpt_loader-sys-revisited-file-read-problem