PE Tool for creating patches


WildBill

Hi.

I don't think that the order of the kernel32.dll functions is very important.

I don't want to look at the Kernel32 function table, but at the win32k.sys and ntoskrnl.exe System Call Table. :whistle:

This is what's in my kernel32.def file at present, which lists all of the exported functions currently implemented in C. I still have about 180 more to do before it contains everything in the latest V10 kernel. Also, until I have the first 830 or so all implemented I can't test or debug them, so crashes are likely until that point. Once I get everything working I can then put it through the hardening passes that I did for csrsrv and basesrv.

http://www.mediafire.com/download.php?1966gy8kokutq6p

I could post the full sources to my kernel32 project, but while it compiles it won't do anyone any good until it's complete enough to run in a 2k environment.



I don't have a handy list of the functions in those files, though a tool like IDA could probably generate one. I'd love to eventually rewrite those in C as well, but first things first -- rewriting kernel32 has already proven to be a much larger endeavor than I had envisioned...

Edited by WildBill

Hi.

I found a mistake in your code. ntdll.dll (5.0.2195.7084)

77FD4A02 68F10000C0    push   C00000F1h   <-
77FD4A07 E84C7BFDFF    call   RtlRaiseStatus
77FD4A0C L77FD4A0C:
77FD4A0C BEF00000C0    mov    esi,C00000F0h
77FD4A11 EBCF          jmp    L77FD49E2

Edited by blackwingcat
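The two immediates in the listing above are NTSTATUS values, and a reviewer checking a patched DLL against the original usually wants to know what each one decodes to before deciding which of them is wrong. The following is an added example, not code from the thread or from WildBill's patches: it splits an NTSTATUS into its severity, customer, facility and code fields (the layout documented in ntstatus.h), pulls every error-severity immediate out of a small disassembly listing in the format blackwingcat pasted (the listing is embedded as constructed sample input), and names the ones in the STATUS_INVALID_PARAMETER_n family, whose values are contiguous in ntstatus.h. The parsing regex and the `NtStatus` helper are this example's own assumptions, not part of any tool the thread mentions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the five lines from blackwingcat's post, re-aligned.
LISTING = """\
77FD4A02 68F10000C0    push   C00000F1h   <-
77FD4A07 E84C7BFDFF    call   RtlRaiseStatus
77FD4A0C L77FD4A0C:
77FD4A0C BEF00000C0    mov    esi,C00000F0h
77FD4A11 EBCF          jmp    L77FD49E2
"""

# Top two bits of an NTSTATUS give its severity (ntstatus.h).
SEVERITY_NAMES = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# STATUS_INVALID_PARAMETER (0xC000000D) plus the contiguous _1 .. _12 family,
# 0xC00000EF .. 0xC00000FA, as defined in ntstatus.h.
KNOWN_STATUS = {0xC000000D: "STATUS_INVALID_PARAMETER"}
KNOWN_STATUS.update(
    {0xC00000EF + i: f"STATUS_INVALID_PARAMETER_{i + 1}" for i in range(12)}
)

# Hypothetical line shape assumed here: "<addr> <bytes> <mnemonic> <operands>".
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+\s+(?P<mnem>push|mov)\s+(?P<ops>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class NtStatus:
    value: int
    severity: str   # SUCCESS / INFORMATIONAL / WARNING / ERROR
    customer: bool  # bit 29: vendor-defined code
    facility: int   # bits 16..27
    code: int       # bits 0..15
    name: str       # symbolic name if known, else "UNKNOWN"


def decode_ntstatus(value: int) -> NtStatus:
    """Split a 32-bit NTSTATUS into severity:2, customer:1, reserved:1, facility:12, code:16."""
    value &= 0xFFFFFFFF
    severity = (value >> 30) & 0x3
    customer = bool((value >> 29) & 0x1)
    facility = (value >> 16) & 0xFFF
    code = value & 0xFFFF
    return NtStatus(value, SEVERITY_NAMES[severity], customer, facility, code,
                    KNOWN_STATUS.get(value, "UNKNOWN"))


def parse_immediate(token: str) -> int:
    """Parse an assembler hex immediate such as 'C00000F1h' (trailing 'h' = hex)."""
    token = token.strip().rstrip(",")
    if token.lower().endswith("h"):
        return int(token[:-1], 16)
    return int(token, 0)


def find_status_immediates(listing: str) -> list[tuple[str, str, NtStatus]]:
    """Return (address, mnemonic, decoded status) for every push/mov of an error-severity immediate."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # labels, calls and jumps carry no status immediate
        try:
            imm = parse_immediate(m.group("ops").split(",")[-1])
        except ValueError:
            continue  # operand is a register or symbol, not a number
        if (imm >> 30) & 0x3 == 3:  # keep only error-severity codes
            found.append((m.group("addr").upper(), m.group("mnem").lower(), decode_ntstatus(imm)))
    return found


def status_names(listing: str) -> list[str]:
    """Convenience view: the symbolic names of the status codes found, in listing order."""
    return [status.name for _, _, status in find_status_immediates(listing)]


if __name__ == "__main__":
    for addr, mnem, status in find_status_immediates(LISTING):
        print(f"{addr} {mnem:4s} 0x{status.value:08X} -> {status.name} "
              f"(severity={status.severity}, facility={status.facility}, code=0x{status.code:04X})")
```

Run stand-alone it reports both immediates as adjacent members of the STATUS_INVALID_PARAMETER_n family, which is why the one marked "<-" is easy to cross-check against the original ntdll.dll build: the two paths in that routine raise different parameter-validation statuses, so a single-digit slip in a patch is exactly the kind of thing a decoder like this makes visible.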

Hi.

I found a mistake in your code. ntdll.dll (5.0.2195.7084)

77FD4A02 68F10000C0    push   C00000F1h   <-
77FD4A07 E84C7BFDFF    call   RtlRaiseStatus
77FD4A0C L77FD4A0C:
77FD4A0C BEF00000C0    mov    esi,C00000F0h
77FD4A11 EBCF          jmp    L77FD49E2

Thanks! I found a separate issue in ntdll so I was going to release a new one anyway, so I'll put this fix in also.

Edited by WildBill

@WildBill

There seems to be a bug in atmfd.dll from KB2507618:

I can't begin to describe how much I hate that DLL. There is no symbol info available for it, and it's hopelessly complicated. Do you know if the problem goes away with an earlier version of my patched DLL? That would help me narrow the problem down.


The problem happens both in the older and the newer version. Can't just the XP file be used as it is? OTF fonts open properly with the XP atmfd.dll from KB2507618 installed.


The problem happens both in the older and the newer version. Can't just the XP file be used as it is? OTF fonts open properly with the XP atmfd.dll from KB2507618 installed.

I tried it once and it refused to let any fonts show up in the Control Panel. I haven't tried it since...


I tried it once and it refused to let any fonts show up in the Control Panel. I haven't tried it since...

I'm using it right now and all fonts are shown correctly.

The file is atmfd.dll 5.1.2.232.


I've got a couple of updates posted:

Windows2000-KB2393802-v11-x86-ENU.exe

- A couple of ntdll bugfixes, and it should now be friendlier for slipstreaming.

Windows2000-KB2508429-v7-x86-ENU.exe

- Some new API functions added:

dnsapi.dll
  NetInfo_Free
  DnsFree
  DnsFreeConfigStructure

iphlpapi.dll
  GetTcpStatsFromStackEx
  GetIpStatsFromStackEx
  GetUdpStatsFromStackEx
  GetIcmpStatsFromStackEx
  GetTcpExTable2FromStack
  GetUdpExTable2FromStack
  GetExtendedTcpTable
  GetExtendedUdpTable
  GetBestInterfaceEx

The 2k iphlpapi only supports ipv4, so while the calls above will work for ipv4, they'll properly report an error code if called for ipv6.

My kernel32.dll rewrite is still proceeding apace...765 exported routines and counting.

Edited by WildBill

Thanks WildBill :)

Is the ntdll.dll version the same as in v10?

Edit: Something seems to be wrong in the new ntdll.dll :( Explorer.exe restarts itself each time I try to open a folder.

Edited by tomasz86

Does Nirsoft CurrPorts work?

Our iphlpapi.dll seems to have a problem with GetUdpExTable2FromStack/GetTcpExTable2FromStack.

I found that iphlpapi v5.0.2195.7097 requires KB957579 (the minimum requirement is KB951798).

I've got a couple of updates posted:

iphlpapi.dll
  GetTcpStatsFromStackEx
  GetIpStatsFromStackEx
  GetUdpStatsFromStackEx
  GetIcmpStatsFromStackEx
  GetTcpExTable2FromStack
  GetUdpExTable2FromStack
  GetExtendedTcpTable
  GetExtendedUdpTable
  GetBestInterfaceEx

Edited by blackwingcat

Thanks WildBill :)

Is the ntdll.dll version the same as in v10?

Edit: Something seems to be wrong in the new ntdll.dll :( Explorer.exe restarts itself each time I try to open a folder.

Really? There were only two extremely minor changes. One was to correct the error code that blackwingcat pointed out and the other was to fix a bug when initializing a process -- the location of a particular field is different in 2k vs. XP. The thing is, though, the code that's affected should never actually run since it only gets invoked if a process was using an activation context, and that functionality isn't active in my kernel yet. I'm not having any problems here...can you provide any more info?


I've just done more tests and actually the same problem happens with both v10 and v11. The test machine is a VM (uses uniproc non-PAE kernel) with all official updates installed. I just added KB2479628 and KB2393802.


I've just done more tests and actually the same problem happens with both v10 and v11. The test machine is a VM (uses uniproc non-PAE kernel) with all official updates installed. I just added KB2479628 and KB2393802.

Now that's interesting. I'm seeing the same thing in my VM, but not on real hardware. It must date back to v9, since the ntdll in v9 and v10 are the same. v9 was where I added a bunch of SxS APIs to ntdll. I guess I'll have to look at it closely to see if I broke anything.
