• Announcements

    • xper

      MSFN Sponsorship and AdBlockers!   07/10/2016

      Dear members, MSFN is made available via subscriptions, donations and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, become a site sponsor and ads will be disabled automatically and by subscribing you get other sponsor benefits.
WildBill

PE Tool for creating patches

695 posts in this topic

It's innotek VirtualBox 1.5.6 on my side.

0

Share this post


Link to post
Share on other sites

Well, so far I haven't been able to track down what's corrupting the heap. I think the best strategy is to finish the kernel32 rewrite since I'm so close to the end, and then perhaps move on to rewriting ntdll (which is smaller). That way I can try to put in better heap corruption detection and maybe find out what's going on.

0

Share this post


Link to post
Share on other sites

I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather ti sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler ;)

I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in our of a total of 902, but I won't need that many before I can start testing and debugging it.

0

Share this post


Link to post
Share on other sites

Can you run CurrPorts with KB2508429-v8 ?

I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather ti sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler ;)

I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in our of a total of 902, but I won't need that many before I can start testing and debugging it.

Does Nirsoft Currport work ?

Our iphlpapi.dll seems problem on GetUdpExTable2FromStack/GetTcpExTable2FromStack

I found iphlpapi v5.0.2195.7097 requires KB957579(Minimum require is KB951798)

I've got a couple of updates posted:

iphlpapi.dll

0

Share this post


Link to post
Share on other sites

I was taking a look at the IE6 SP1 version of the MS12-052 fix that BlackWingCat found on the Microsoft Security ISO and I decided to run it through IDA Pro and TurboDiff (I compared against the last pre-EOL fix, MS10-035/KB982381) and TurboDiff found no changes to any function in BROWSEUI.DLL between the two versions. Since WildBill's notes for MS10-071 show that changes to BROWSEUI.DLL were required to fully close up the AutoComplete vulnerability, I also compared the XP versions of MS10-035 and MS10-071 and functions did show up as changed.

This tells me that Microsoft is doing the same thing with these "Extended Support fixes" that they did with Windows 98's extended support in that they only fixed vulnerabilities marked as "Critical." I remember that WildBill had said that MS11-003 would be a pain to backport but it looks like M$ did the hard work for us for that bulletin (all of its CVE's are marked as "Critical") and an easier solution for that update might be to use the Microsoft MS11-003 or MS12-052 IE6 SP1 patch and add the other changes from the previous unofficial IE updates as necessary.

On another note, I noticed some issues with MS11-012 where FileZilla's toolbar has the same white splotches where the shadows are supposed to be that we had before adding the ShellIconBPP setting.

How FileZilla's toolbar looks on stock Win2k:

post-307433-0-43602500-1346910793_thumb.

How FileZilla's toolbar looks with MS11-012 installed:

post-307433-0-43926600-1346910807_thumb.

How FileZilla's toolbar looks on Windows XP:

post-307433-0-60888500-1346911265_thumb.

This is a minor issue, so no rush on fixing this or doing any of the IE updates (I use Firefox 10 ESR on 2000, so the vulnerabilities don't concern me too much.)

PS I'm trying to learn some of this patch analysis stuff so that maybe I could help with the load at some point.

Edited by MacLover
0

Share this post


Link to post
Share on other sites

hi WildBill. can you make the unofficial August 2012 Cumulative Time Zone KB2732052 Updates for Windows 2000?

MS KB article 2732052:

http://support.microsoft.com/kb/2732052/

supersedes and replaces previously released Time Zone hotfixes as well as the December 2011 Cumulative Time Zone updates.

I see a definite pattern of how and when MS releases new Time Zone updates for Windows for several years now, usually in August and in December of each year.

Edited by erpdude8
0

Share this post


Link to post
Share on other sites

hi WildBill. can you make the unofficial August 2012 Cumulative Time Zone KB2732052 Updates for Windows 2000?

MS KB article 2732052:

http://support.microsoft.com/kb/2732052/

supersedes and replaces previously released Time Zone hotfixes as well as the December 2011 Cumulative Time Zone updates.

I see a definite pattern of how and when MS releases new Time Zone updates for Windows for several years now, usually in August and in December of each year.

acus has already done it :whistle:

http://www.ryanvm.net/forum/viewtopic.php?p=126872#126872

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

thanks, tomasz86. i haven't been here that much lately.

btw, do you know by any chance if anyone got the KB2476490 oleaut32.dll v2.40.4535.0 security patch blackwingcat mentioned here?

I didn't realize that MS is still secretly making some new security fixes for win2000, even after extended support for Win2k ended mid-July 2010.

Edited by erpdude8
0

Share this post


Link to post
Share on other sites

thanks, tomasz86. i haven't been here that much lately.

btw, do you know by any chance if anyone got the KB2476490 oleaut32.dll v2.40.4535.0 security patch blackwingcat mentioned here?

I didn't realize that MS is still secretly making some new security fixes for win2000, even after extended support for Win2k ended mid-July 2010.

I don't think it's available publicly. Only a few of the updates mentioned on the BWC's blog leaked. The IE Cumulative one has been recently replaced by the newly (officially) released CU (KB2722913). The two others are included in Update Rollup 2. Only the one for MDAC 2.8 SP1 (KB983838) still needs to be applied separately.

0

Share this post


Link to post
Share on other sites

I've got a new installment of MS11-011 (KB2393802) posted (v12). By request, it adds a number of kernel-level functions:

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

KeAreApcsDisabled

IoQueryFileDosDeviceName

MmProtectMdlSystemAddress

KeQueryActiveProcessorCount

PsDereferenceImpersonationToken

PsDereferencePrimaryToken

NtOpenProcessTokenEx

NtOpenThreadTokenEx

ZwOpenProcessTokenEx

ZwOpenThreadTokenEx

CcMdlWriteAbort

Enjoy... :hello:

0

Share this post


Link to post
Share on other sites

KB2508429 v9 is up, which should fix a STOP error when copying files over a network share...

0

Share this post


Link to post
Share on other sites

I've got a new v13 of KB2393802 up, which fixes one bug and adds a bunch of new kernel functions:

ntdll.dll

Bugfixes:

RtlRandomEx -- Fixed a bug that would cause an exception (and would return an incorrect result anyway)

New additions:

NtOpenProcessTokenEx

NtOpenThreadTokenEx

ZwOpenProcessTokenEx

ZwOpenThreadTokenEx

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

New additions:

RtlHashUnicodeString

RtlRandomEx

RtlInitializeGenericTableAvl

RtlInsertElementGenericTableFullAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlLookupElementGenericTableFullAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExW

RtlIpv4StringToAddressA

RtlIpv4StringToAddressExA

RtlIpv4AddressToStringA

RtlIpv4AddressToStringExA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringExA

RtlIpv6StringToAddressA

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExW

ExGetCurrentProcessorCpuUsage

ExGetCurrentProcessorCounts

ExfInterlockedCompareExchange64

FsRtlIncrementCcFastReadNoWait

FsRtlIncrementCcFastReadNotPossible

FsRtlIncrementCcFastReadResourceMiss

FsRtlIncrementCcFastReadWait

Existing routines added to the export table:

ExVerifySuite

HalExamineMBR

Edited by WildBill
0

Share this post


Link to post
Share on other sites

WildBill,

Thanks for all your hard work. I installed the updated KB2393802 and KB2508429 and everything seems to be working fine.

0

Share this post


Link to post
Share on other sites

Thanks! It's become apparent to me that in the long run we've got to rewrite these in C if we're ever going to get compatibility past a certain point (I don't just want to match XP, I want to eventually surpass it). I'm well past the 95% point of starting to have my first rev of kernel32 rewritten, but all this ntoskrnl work is keeping me away from it. I ve amassed enough info from reverse-engineering ntoskrnl that I could rewrite large portions of it with little difficulty, but the files are so huge that a complete rewrite would likely be a 2-year proposition (as it stands I'm coming up on a year for kernel32). I'm happy to do it since it's my OS of choice and I use it every day, but I think I could use some advice on how to break some of the effort up. Besides, it's always going to be easier to rewrite and test small portions at a time, but I'm not sure how to do it). Csrsrv and basesrv were small enough that I could rewrite them all at once but the kernel files aren't).

On a related note, I'm trying to assist someone with getting SEP (Symantec Endpoint Protection) working with the new kernel. It's resulting with STOP errors (IRQL not less or equal, happening in IoGetAttachedDevice), and I'm not all that knowledgeable enough with WinDbg that I might be enough of a help. I managed to generate an updated .DBG file with the correct symbols for the uniprocessor ntoskrnl.exe, but that isn't helping all that much (and I can provide accurate .MAP files using a customized Ida Pro script I use). Would anyone be able to help diagnose this? Compatibility is of course the primary goal of extending the kernel, but it's causing me to put the kernel32 rewrite on hold.

One of the things I think I need to add is an Ida script to generate .DBG files in addition to .MAP files (the built-in Ida function generates incorrect .MAP files, which is why I use my own script). If I can find the source to map2dbg or if someone can point me to it I should be able to add it to my Ida script. I also need to write an Ida script that can import a .MAP file and update the Ida database. That would be huge.

If there are any Ida users who woukd like to use my .idc scripts just say the word. For me they've been critical to getting this far,

0

Share this post


Link to post
Share on other sites

Can you make a KB955704 exFAT patch?

unfortunately, that is not possible as the exFAT drivers from KB955704 didn't work on my Win2000 SP4 + UR1 (update rollup 1) machine as I've recently tested myself with an 8Gb exFAT formatted USB flash drive. exfat.sys driver loaded on w2k but can't recognize my exFAT formatted USB flash drive as win2000 explorer tells me the flash drive is not formatted. :no:

thus the exfat drivers from KB955704 won't work on anything older than XP.

only hope for exfat support on win2k & older is a 3rd party driver of some sort.

EDIT: I found out that the exfat.sys and uexfat.dll files are useless without an exFAT-ready shell32.dll file.

see attached picture below:

shell32-winxp-exfat-support_zps8e56f589.jpg

this is a WinXP shell32.dll file with exFAT support. until exFAT support is implemented into the shell32.dll library file for Win2k, the exFAT SYS and DLL files won't do any good.

Edited by erpdude8
0

Share this post


Link to post
Share on other sites

exFAT support might also be in win32k.sys...don't hold me to that, but I have a nagging feeling that I might have seen some support for it there. It might be worth a quick search.

How large is exfat.sys? If it's really smsll it might be worth rewriting.

0

Share this post


Link to post
Share on other sites

How large is exfat.sys? If it's really smsll it might be worth rewriting.

exfat.sys 5.1.2600.3453 133,632 bytes

0

Share this post


Link to post
Share on other sites

Hmm that's not *too* bad, but it depends a whole lot on what's in it. If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out. I paid for the Ida decompiler, so I can generate (albeit very messy) C code. It won't be recompilable out of the box, but it's step 1, as it were. At least it might shed some light on some of the logic.

For me, the two most painful parts of the rewriting process have been reverse-engineering the structures and then figuring out what the really large and complex routines are trying to do. I've figured out a ton of internal structures in rewriting kernel32, but who knows how much that might overlap with a driver. If someone wants to take a stab at rewriting it (or even just the easier parts), I can probably provide enough information to get them at least something useful to start with.

One caveat, though, the generated C code isn't always correct. I can also generate .asm files and .map files that are also useful. Often I have to correlate the two when something looks fishy in the generated C code.

0

Share this post


Link to post
Share on other sites

If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out.

It's in this update:

http://www.microsoft...s.aspx?id=19364

That extracts out to a directory containing the following:



Volume in drive G is DATA
Volume Serial Number is 7A4C-636C

Directory of G:\exfat

10/16/2012 06:58 PM <DIR> .
10/16/2012 06:58 PM <DIR> ..
10/16/2012 06:58 PM 0 dirlist.txt
10/16/2012 06:55 PM <DIR> SP2GDR
10/16/2012 06:55 PM <DIR> SP2QFE
10/16/2012 06:55 PM <DIR> SP3GDR
10/16/2012 06:55 PM <DIR> SP3QFE
11/30/2007 07:18 AM 17,272 spmsg.dll
11/30/2007 07:18 AM 231,288 spuninst.exe
10/16/2012 06:55 PM <DIR> update
3 File(s) 248,560 bytes

Directory of G:\exfat\SP2GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:58 AM 133,632 exfat.sys
09/30/2008 02:44 AM 18,944 fmifs.dll
09/29/2008 05:59 AM 30,720 format.com
09/29/2008 05:58 AM 9,216 fs_rec.sys
09/30/2008 02:44 AM 77,824 ifsutil.dll
09/30/2008 02:44 AM 8,455,168 shell32.dll
09/30/2008 02:44 AM 57,344 uexfat.dll
09/30/2008 02:44 AM 278,528 ulib.dll
8 File(s) 9,061,376 bytes

Directory of G:\exfat\SP2QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:53 AM 133,632 exfat.sys
09/30/2008 02:05 AM 18,944 fmifs.dll
09/29/2008 05:54 AM 30,720 format.com
09/29/2008 05:53 AM 9,216 fs_rec.sys
09/30/2008 02:05 AM 77,824 ifsutil.dll
09/30/2008 11:35 AM 8,461,312 shell32.dll
09/30/2008 02:05 AM 57,344 uexfat.dll
09/30/2008 02:05 AM 278,528 ulib.dll
09/29/2008 05:46 AM 351,744 xpsp3res.dll
9 File(s) 9,419,264 bytes

Directory of G:\exfat\SP3GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:21 AM 133,632 exfat.sys
09/30/2008 02:19 AM 18,944 fmifs.dll
09/29/2008 06:22 AM 30,720 format.com
09/29/2008 06:20 AM 9,216 fs_rec.sys
09/30/2008 02:19 AM 77,824 ifsutil.dll
09/30/2008 02:19 AM 8,461,824 shell32.dll
09/30/2008 02:19 AM 57,344 uexfat.dll
09/30/2008 02:19 AM 278,528 ulib.dll
8 File(s) 9,068,032 bytes

Directory of G:\exfat\SP3QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:51 AM 133,632 exfat.sys
09/30/2008 01:56 AM 18,944 fmifs.dll
09/29/2008 06:52 AM 30,720 format.com
09/29/2008 06:50 AM 9,216 fs_rec.sys
09/30/2008 01:56 AM 77,824 ifsutil.dll
09/30/2008 01:56 AM 8,462,336 shell32.dll
09/30/2008 01:56 AM 57,344 uexfat.dll
09/30/2008 01:56 AM 278,528 ulib.dll
8 File(s) 9,068,544 bytes

Directory of G:\exfat\update

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/30/2008 02:32 AM 926 branches.inf
11/30/2007 10:17 AM 804 eula.txt
09/30/2008 06:29 AM 22,668 KB955704.CAT
11/30/2007 07:18 AM 26,488 spcustom.dll
11/30/2007 07:18 AM 755,576 update.exe
09/30/2008 04:49 PM 3,028 update.ver
09/30/2008 02:32 AM 678 updatebr.inf
09/30/2008 06:36 AM 24,318 update_SP2GDR.inf
09/30/2008 06:32 AM 25,523 update_SP2QFE.inf
09/30/2008 06:38 AM 27,395 update_SP3GDR.inf
09/30/2008 06:29 AM 27,395 update_SP3QFE.inf
07/09/2008 03:38 AM 382,840 updspapi.dll
12 File(s) 1,297,639 bytes

Total Files Listed:
48 File(s) 38,163,415 bytes
17 Dir(s) 402,366,476,288 bytes free

So it looks like it's a _lot_ more than just the exfat.sys driver file :(

Maybe in code, it's just a function or two ?

0

Share this post


Link to post
Share on other sites

Oh, no, its a lot of functions. With a lot of help from Google I've made a little sense of it, but it's still about 400 functions (a handful of which are rather large). The first problem with the sys I found is that one function uses SetFilterToken from ntoskrnl, which my kernel doesn't have. I suspect, though, that the biggest incompatibilities are in the data structures involved. It accesses some system-level data structures that tend to differ between XP and 2k (though I'd have to completely reverse-engineer the data structures to be sure). It might be possible to rewrite it as a 2k-compatible version, but it would involve quite a bit of effort. I haven't even looked at the other files.

0

Share this post


Link to post
Share on other sites

There are 310 functions in the XPSP2 version of exfat.sys. I don't have the time to fully reverse-engineer it, but here is what Ida spits out after a few days of trying to figure it out and plugging in whatever info I can find by Googling. It's at least a starting point if anyone wants to take a crack at rewriting it. One caveat: the C code that Ida generates never shows try...except or try...finally blocks so be sure to use the generated asm file for that logic.

Edited by WildBill
0

Share this post


Link to post
Share on other sites

I finally have all of the required kernel32 functions written in C and I've started writing unit tests...

AreFileApisANSI                   PASSED
FreeEnvironmentStringsA PASSED
FreeEnvironmentStringsW PASSED
GetACP PASSED
GetCommandLineA PASSED
GetCommandLineW PASSED
GetComputerNameA PASSED
GetComputerNameW PASSED
GetConsoleAliasExesLengthA PASSED
GetConsoleAliasExesLengthW PASSED
GetConsoleCP PASSED
GetConsoleDisplayMode PASSED
GetConsoleInputExeNameA PASSED
GetConsoleInputExeNameW PASSED
GetConsoleKeyboardLayoutNameA PASSED
GetConsoleKeyboardLayoutNameW PASSED
GetConsoleOutputCP PASSED
GetConsoleTitleA PASSED
GetConsoleTitleW PASSED
GetConsoleWindow PASSED
GetCurrentDirectoryA PASSED
GetCurrentDirectoryW PASSED
GetCurrentProcess PASSED
GetCurrentProcessId PASSED
GetCurrentThread PASSED
GetCurrentThreadId PASSED
GetDefaultSortkeySize PASSED
GetDllDirectoryA PASSED
GetDllDirectoryW PASSED
GetEnvironmentStringsA PASSED
GetEnvironmentStringsW PASSED
GetLinguistLangSize PASSED
GetLogicalDrives PASSED
GetModuleFileNameA PASSED
GetModuleFileNameW PASSED
GetModuleHandleA PASSED
GetModuleHandleW PASSED
GetNumberOfConsoleFonts PASSED
GetNumberOfConsoleMouseButtons PASSED
GetOEMCP PASSED
GetPriorityClass PASSED
GetProcessAffinityMask PASSED
GetProcessHandleCount PASSED
GetProcessHeap PASSED
GetProcessPriorityBoost PASSED
GetProcessShutdownParameters PASSED
GetProcessVersion PASSED
GetProcessWorkingSetSize PASSED
GetSystemDefaultLangID PASSED
GetSystemDefaultLCID PASSED
GetSystemDefaultUILanguage PASSED
GetSystemPowerStatus PASSED
GetSystemWindowsDirectoryA PASSED
GetSystemWindowsDirectoryW PASSED
GetTempPathA PASSED
GetTempPathW PASSED
GetThreadLocale PASSED
GetThreadPriority PASSED
GetTickCount PASSED
GetUserDefaultLangID PASSED
GetUserDefaultLCID PASSED
GetUserDefaultUILanguage PASSED
GetVersion PASSED
GetVersionExA PASSED
GetVersionExW PASSED
GetWindowsDirectoryA PASSED
GetWindowsDirectoryW PASSED
GlobalMemoryStatus PASSED
InterlockedCompareExchange PASSED
InterlockedDecrement PASSED
InterlockedExchange PASSED
InterlockedExchangeAdd PASSED
InterlockedIncrement PASSED
IsDebuggerPresent PASSED
lstrcatA PASSED
lstrcatW PASSED
lstrcpyA PASSED
lstrcpyW PASSED
lstrcpynA PASSED
lstrcpynW PASSED
lstrlenA PASSED
lstrlenW PASSED
NlsGetCacheUpdateCount PASSED
Sleep PASSED
TermsrvAppInstallMode PASSED

Edited by WildBill
0

Share this post


Link to post
Share on other sites

Hey WildBill,

How is your work on the new kernel32.dll going?

I wonder if you could implement some of the APIs which BlackWingCat has added to his kernel (the newest version is KB935839-v22j and also KB979683-v11b). His kernel is capable of running applications compiled in VS2012 and also all dependencies related to .NET Framework 3.5 and 4.0 are fixed in it. He also "patched" the kernel exe files (ntoskrnl.exe and the three other files) so that it's possible to use more cores in Win2k Pro / Server (the number can be set manually through the registry - download KB979683-CoreChg.zip) and you can also enable PAE in Win2k Pro / Server so that the system can use up to 8 GB of RAM.

If you want to test .NET Framework then you can check my installer from here. It's a combined installer of all .NET Frameworks (from 1.0 to 4.0).

I'm really looking forward to try the new rewritten kernel. At the moment I'm using the BlackWingCat's version but I used yours before and actually found it much more stable.

0

Share this post


Link to post
Share on other sites

I've just compared ntkrnlmp.exe from WildBill and BlackWingCat.

APIs present only in WB ntkrnlmp.exe 5.0.2195.7384:

CcMdlWriteAbort
DbgQueryDebugFilterState
DbgSetDebugFilterState
ExVerifySuite
FsRtlIncrementCcFastReadNotPossible
FsRtlIncrementCcFastReadNoWait
FsRtlIncrementCcFastReadResourceMiss
FsRtlIncrementCcFastReadWait
HalExamineMBR
IoForwardAndCatchIrp
IoForwardIrpSynchronously
IoQueryFileDosDeviceName
KeAcquireInterruptSpinLock
KeQueryActiveProcessorCount
KeReleaseInterruptSpinLock
MmProtectMdlSystemAddress
NtOpenProcessTokenEx
NtOpenThreadToken
NtOpenThreadTokenEx
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplayingAvl
RtlGetElementGenericTableAvl
RtlHashUnicodeString
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlInsertElementGenericTableFullAvl
RtlInt64ToUnicodeString
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsGenericTableEmptyAvl
RtlLookupElementGenericTableAvl
RtlLookupElementGenericTableFullAvl
RtlNumberGenericTableElementsAvl
RtlTestBit
vDbgPrintEx
vDbgPrintExWithPrefix
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
ZwQueryInformationThread

APIs present only in BWC ntkrnlmp.exe 5.0.2195.7386:

IoCsqInitialize
IoCsqInsertIrp
IoCsqRemoveIrp
IoCsqRemoveNextIrp
IoSetCompletionRoutineEx
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeDeregisterBugCheckReasonCallback
KeGetRecommendedSharedDataAlignment
KeRegisterBugCheckReasonCallback
KeReleaseInStackQueuedSpinLockFromDpcLevel
ObSetSecurityObjectByPointer
PsGetCurrentThreadStackBase
PsGetCurrentThreadStackLimit
PsGetProcessWin32Process
PsGetThreadId
PsGetThreadProcessId
PsGetThreadWin32Thread
SeTokenObjectType
_alloca_probe

Same thing for kernel32.dll.

APIs present only in WB kernel32.dll 5.0.2195.7154:

AddLocalAlternateComputerNameA
AddLocalAlternateComputerNameW
CopyLZFile
CreateNlsSecurityDescriptor
CreateSocketHandle
EnumerateLocalComputerNamesA
EnumerateLocalComputerNamesW
GetCPFileNameFromRegistry
GetExpandedNameA
GetExpandedNameW
IsValidUILanguage
LZClose
LZCloseFile
LZCopy
LZCreateFileW
LZDone
LZInit
LZOpenFileA
LZOpenFileW
LZRead
LZSeek
LZStart
RemoveLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
SetClientTimeZoneInformation
SetLocalPrimaryComputerNameA
SetLocalPrimaryComputerNameW

APIs present only in BWC kernel32.dll 5.0.2195.7193:

ActivateActCtx
AddRefActCtx
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
BaseCheckAppcompatCache
CheckForReadOnlyResource
CheckRemoteDebuggerPresent
CompareStringEx
ConvertFiberToThread
CreateActCtxA
CreateActCtxW
CreateSemaphoreExA
CreateSemaphoreExW
DeactivateActCtx
DebugActiveProcessStop
DecodeSystemPointer
EncodeSystemPointer
EnumSystemGeoID
EnumSystemLocalesEx
FindActCtxSectionGuid
FindActCtxSectionStringA
FindActCtxSectionStringW
FindFirstStreamW
FindNextStreamW
FindNLSString
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
GetCurrentActCtx
GetDateFormatEx
GetFirmwareEnvironmentVariableA
GetFirmwareEnvironmentVariableW
GetGeoInfoA
GetGeoInfoW
GetLocaleInfoEx
GetNLSVersion
GetNLSVersionEx
GetProcessDEPPolicy
GetSystemDEPPolicy
GetThreadId
GetThreadIOPendingFlag
GetThreadPreferredUILanguages
GetTickCount64
GetTimeFormatEx
GetUserGeoID
InitializeCriticalSectionEx
InitOnceExecuteOnce
IsProcessInJob
IsValidLocaleName
LCMapStringEx
QueryActCtxW
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
ReleaseActCtx
SetFirmwareEnvironmentVariableA
SetFirmwareEnvironmentVariableW
SetProcessDEPPolicy
SetThreadPreferredUILanguages
SetThreadStackGuarantee
WTSGetActiveConsoleSessionId
ZombifyActCtx

And ntdll.dll...

APIs present only in WB ntdll.dll 5.0.2195.7085:

CsrCaptureMessageMultiUnicodeStringsInPlace
LdrAccessOutOfProcessResource
LdrAddRefDll
LdrCreateOutOfProcessImage
LdrDestroyOutOfProcessImage
LdrEnumerateLoadedModules
LdrFindCreateProcessManifest
LdrGetDllHandleEx
LdrInitShimEngineDynamic
LdrSetAppCompatDllRedirectionCallback
LdrSetDllManifestProber
NtOpenProcessTokenEx
NtOpenThreadTokenEx
NtSetDebugFilterState
RtlActivateActivationContext
RtlActivateActivationContextEx
RtlActivateActivationContextUnsafeFast
RtlAddRefActivationContext
RtlAddRefMemoryStream
RtlAddressInSectionTable
RtlAddVectoredExceptionHandler
RtlAppendPathElement
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlComputeCrc32
RtlComputePrivatizedDllName_U
RtlCopyMemoryStreamTo
RtlCopyOutOfProcessMemoryStreamTo
RtlCreateActivationContext
RtlCreateBootStatusDataFile
RtlDeactivateActivationContext
RtlDeactivateActivationContextUnsafeFast
RtlDecodePointer
RtlDecodeSystemPointer
RtlDeleteElementGenericTableAvl
RtlDosApplyFileIsolationRedirection_Ustr
RtlDosSearchPath_Ustr
RtlDuplicateUnicodeString
RtlEncodePointer
RtlEncodeSystemPointer
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplayingAvl
RtlFinalReleaseOutOfProcessMemoryStream
RtlFindActivationContextSectionGuid
RtlFindActivationContextSectionString
RtlFreeThreadActivationContextStack
RtlGetActiveActivationContext
RtlGetElementGenericTableAvl
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlGetLengthWithoutTrailingPathSeperators
RtlGetNtVersionNumbers
RtlGetSetBootStatusData
RtlInitializeGenericTableAvl
RtlInitMemoryStream
RtlInitOutOfProcessMemoryStream
RtlInsertElementGenericTableAvl
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsActivationContextActive
RtlIsGenericTableEmptyAvl
RtlLockBootStatusData
RtlLockMemoryStreamRegion
RtlLookupElementGenericTableAvl
RtlMultiAppendUnicodeStringBuffer
RtlNumberGenericTableElementsAvl
RtlpApplyLengthFunction
RtlpNotOwnerCriticalSection
RtlQueryInformationActivationContext
RtlQueryInformationActiveActivationContext
RtlQueryInterfaceMemoryStream
RtlReadMemoryStream
RtlReadOutOfProcessMemoryStream
RtlReleaseActivationContext
RtlReleaseMemoryStream
RtlRemoveVectoredExceptionHandler
RtlRestoreLastWin32Error
RtlRevertMemoryStream
RtlSeekMemoryStream
RtlSetMemoryStreamSize
RtlStatMemoryStream
RtlUnlockBootStatusData
RtlUnlockMemoryStreamRegion
RtlWriteMemoryStream
RtlZombifyActivationContext
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
ZwQueryDebugFilterState
ZwSetDebugFilterState
_alldvrm
_aulldvrm

APIs present only in BWC ntdll.dll 5.0.2195.7103:

IVerSC
NtAddBootEntry
NtDeleteBootEntry
NtEnumerateBootEntries
NtEnumerateSystemEnvironmentValuesEx
NtLockProductActivationKeys
NtModifyBootEntry
NtQueryBootEntryOrder
NtQueryBootOptions
NtQuerySystemEnvironmentValueEx
NtSetBootEntryOrder
NtSetBootOptions
NtSetSystemEnvironmentValueEx
NtTranslateFilePath
RtlApplicationVerifierStop
RtlDllShutdownInProgress
RtlGetLastNtStatus
RtlInterlockedPushListSList
RtlLogStackBackTrace
RtlQueryTickCountEx
RtlRunOnceBeginInitialize
RtlRunOnceComplete
RtlRunOnceExecuteOnce
SetExKernelConfig
WinSqmAddToStream
_EVH

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.