Kext: DIY KernelEx extensions


Merry Christmas! :w00t:

Version 3 of the Iphlpapi wrapper (2.55K) is now available with near XP-level support for GetAdaptersAddresses and partial support for GetPerAdapterInfo. (There is also a stub for GetTcpTable2.)

Hi jumper,

Happy New Year!

OK, I've just had a quick play with this. I copied to the System directory and commented out all the IpHlpApi section in "stub822.ini". Unfortunately, after a reboot, my computer was sluggish, with WinGuage showing CPU usage at 100% (normally it's about 33%). When I tried SAPGUI, it started up but then stalled when I tried connecting to the server. When I tried HoverIP, it never produced a GUI. In both cases, I had to terminate these apps via the Ctl-Alt-Del thingie

Joe.

PS. A small request for ktree9 : If it isn't too much trouble, would it be possible to sort the DLL names listed under, eg. 'kexbasen'?



> I copied to the System directory...

My IPHLPAPI.DLL is a wrapper, not a replacement. The System directory is the one place it cannot go!

> ...and commented out all the IpHlpApi section in "stub822.ini".

This isn't necessary unless you use the "content= iphlpapi, Kstub822" method (currently suspect, testing requested!).

> PS. A small request for ktree9 : If it isn't too much trouble, would it be possible to sort the DLL names listed under, eg. 'kexbasen'?

Like in this Nov 4 test build? :angel

Ktree9h.7z

Pardon the 10-second hourglass--that's the slow built-in sorting taking place that I've been wanting to correct before release. All the apis in each dll are already sorted, so I just need to do a custom merge-sort in most cases. Three later builds correcting various minor issues also exist, but aren't as usable.


I checked the SeaMonkey 2.61 package and didn't find any iphlpapi dependencies or even raw text references. I looked at the SeaMonkey sources and the only reference to iphlpapi is in nsNotifyAddrListener.cpp, the same version as used by FF2..20 and the 1.9.1 core, and the one I have already been using for reference. Apparently that file isn't linked into the 2.x builds of SeaMonkey.

So, any problem should also show up in FF2..20. But I've been running with no problems for the last week using the Core.ini method:


contents=std,iphlpapi,Kstub822,kexbases,kexbasen

You can try using the Kstub822.ini method and only add definitions for GetAdaptersAddresses and GetPerAdapterInfo as needed for other apps:


[Iphlpapi.dll] ;any or all of the following:
GetAdaptersAddresses=>iphlpapi:
GetPerAdapterInfo=>iphlpapi:

Iphlpapi.dll can also be renamed for testing in methods other than the local-app-directory method.

Thanks Jumper. I have tried the kstub822.ini method but I am not sure if it had any effect on my system.

SeaMonkey 2.0.14 does now start and works perfectly but SeaMonkey 2.14.1 still crashes 'blaming' msvcr100.dll.

To avoid misunderstandings - I just c&p the four lines from post #101 into kstub822 (I did put them between credui and kernel32) and re-start, correct ?

When you have the time could you test SeaMonkey 2.14.1 on your system ?

Edited by MiKl

> I copied to the System directory...

> My IPHLPAPI.DLL is a wrapper, not a replacement. The System directory is the one place it cannot go!

Doh!!! I knew it was a wrapper and still I made such a mistake - hmmm ... must do better!

Anyway, this time I renamed your DLL as IPHLPAPI.JMP and placed it in the System directory, then added the following registry entry :


REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"IPHLPAPI"="IPHLPAPI.JMP"

Now HoverIP and SAPGUI work just fine! :)

> Pardon the 10-second hourglass--that's the slow built-in sorting taking place that I've been wanting to correct before release.

Hmmm ... I've noticed you mention using Bubble Sort a couple of times previously, AFAIK, it's the world's slowest sorting algorithm. I've had dramatic improvement in another project where I converted a Bubble Sort into a Shell Sort, only slightly more complicated - I highly recommend it (I ported the example from Peter Grogono's book 'Programming in Pascal').

Joe.


> Thanks Jumper.

And Thanks to you, MiKl. :) There have been 26 downloads of v3, but only you and jds have reported your finding. :unsure:

> I have tried the kstub822.ini method but I am not sure if it had any effect on my system.

"No" effect is the best effect when it is not needed!

> SeaMonkey 2.0.14 does now start and works perfectly

Good. This is back to the "no" effect when not needed.

>... but SeaMonkey 2.14.1 still crashes 'blaming' msvcr100.dll.

If this means missing exports, you need to update to the latest msvcr100.dll package.

> To avoid misunderstandings - I just c&p the four lines from post #101 into kstub822 (I did put them between credui and kernel32) and re-start, correct ?

Yes, but that was so "2012". :lol: The "2013" method (see updated post #101) is to rename it iphlpapi3.dll and edit Kstub822.ini to match. The change is immediate--no reboot needed!

>When you have the time could you test SeaMonkey 2.14.1 on your system ?

I can't risk my FF2 setup, but I'll download SM and check it out.


>> The System directory is the one place it cannot go!

> ...this time I renamed your DLL as IPHLPAPI.JMP and placed it in the System directory, then added the following registry entry...

Well, yes, this advanced method is the exception, but it's a global solution that affects the OS and all apps! Test versions cannot override it either by local installation (requires clearing the KnownDLLs entry) or by KernelEx/Kstubs. I recommend using the iphlpapi3.dll name for easier upgrading when the time comes.

> Now HoverIP and SAPGUI work just fine! :)

Good, hopefully Opera now does too.

> Hmmm ... I've noticed you mention using Bubble Sort a couple of times previously, AFAIK, it's the world's slowest sorting algorithm.

Actually, it's the fastest in practice (and nearly in theory) when the dataset is very small or presorted (or nearly so). The slowest in practice is a pure quicksort on reverse-sorted (worst-case scenario) data! Standard quicksorts shuffle (or bit-reversed-index) the data first to vastly decrease the likelihood of a worst case scenario at the cost of slower average performance. The simple methods have low overhead but don't scale well; the more complex the algorithm, the larger the dataset must be before it becomes faster. Hybrid implementations often bubblesort small datasets and do a brief analysis on larger sets before selecting what will hopefully be the fastest method.

> I've had dramatic improvement in another project where I converted a Bubble Sort into a Shell Sort, only slightly more complicated - I highly recommend it (I ported the example from Peter Grogono's book 'Programming in Pascal').

Ktree processes presorted lists of api names from get_api_table() calls and raw DLL export tables. For the "All API's by name" list, I can do an insertion sort as I process, or load all lists then do a merge sort.


> Good, hopefully Opera now does too.

Method:

add individual function(s) to Kstub822.ini:

[iphlpapi.dll] ;any or all of the following:

GetAdaptersAddresses=>iphlpapi3:

GetPerAdapterInfo=>iphlpapi3:

GetTcpTable2=>iphlpapi3:

Opera 12.10 and 12.12 crash on start.

Kstub822.log:

= Iphlpapi.dll:GetAdaptersAddresses=>iphlpapi3: =

Supplement: Also Opera versions 12.5 build 1546 and higher crash on start.

µTorrent 2.0.4 runs fine.

Edited by schwups

> ...this time I renamed your DLL as IPHLPAPI.JMP and placed it in the System directory, then added the following registry entry...

> Well, yes, this advanced method is the exception, but it's a global solution that affects the OS and all apps!

True, however, that's a reflection of my confidence level in your DLL. :angel

> Hmmm ... I've noticed you mention using Bubble Sort a couple of times previously, AFAIK, it's the world's slowest sorting algorithm.

> Actually, it's the fastest in practice (and nearly in theory) when the dataset is very small or presorted (or nearly so). The slowest in practice is a pure quicksort on reverse-sorted (worst-case scenario) data! Standard quicksorts shuffle (or bit-reversed-index) the data first to vastly decrease the likelihood of a worst case scenario at the cost of slower average performance. The simple methods have low overhead but don't scale well; the more complex the algorithm, the larger the dataset must be before it becomes faster. Hybrid implementations often bubblesort small datasets and do a brief analysis on larger sets before selecting what will hopefully be the fastest method.

I entirely agree about your comparison of simple vs. complex sorting methods. That's why I didn't even mention Quicksort. However, Bubble Sort also doesn't scale well with the size of the data elements, not just their quantity. It doesn't take much for its inefficiency to show. If it's taking 10 seconds to sort, then it's the wrong algorithm. Just my 2c.

Joe.


Method:

add to core.ini contents: (with or without Kstub822)

contents=std,iphlpapi3,Kstub822,kexbases,kexbasen

KernelEX didn't work anymore. I reinstalled it.

After several attempts with different order it is sufficient to take iphlpapi3 out again. Usually reinstalling isn't necessary.

Edited by schwups

Thanks to everyone for the testing and feedback. :)

In a slight change of plans, today I'm releasing Iphlpapi4 (Post #1 and Below) and updated Kexstubs.ini definitions (Below).


Iphlpapi wrapper

Usage with Kexstubs:

* Put iphlpapi4.dll in your Windows\KernelEx folder and activate the individual functions in Kstub822.ini:


[Iphlpapi.dll]
GetAdaptersAddresses=>iphlpapi4:
GetPerAdapterInfo=>iphlpapi4:

Usage without Kexstubs (or without KernelEx):

* Put a copy renamed to iphlpapi.dll in the folder with any app that needs it.

* Disable KnownDLLs redirection for Iphlpapi.dll by deleting this key in the registry:


  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs\IPHLPAPI

History:

:) Iphlpapi3 implemented GetAdaptersAddresses with information from GetAdapterInfo. Also stubs for GetPerAdapterInfo, GetTcpTable2.

:} Iphlpapi4 implements GetAdaptersAddresses with information from GetIfTable. This adds the Loopback interface to the results as well as real MTU, OperStatus, and link speeds. But lost is DhcpEnabled status (and potentially Gateway and DNS details that I hadn't implemented yet). Stubs for CancelIPChangeNotify, EnableRouter, FlushIpNetTable, GetBestInterfaceEx, GetExtendedTcpTable, GetExtendedUdpTable, GetIpStatisticsEx, GetPerAdapterInfo, GetTcpStatisticsEx, GetTcpTable2, GetUdpStatisticsEx, UnenableRouter.

:( Iphlpapi5 is to be the best of 3+4 and more. But I've been finding lots of errors in MS and third-party documentation and sample code, so I need empirical data to clarify how things should actually work. I will be converting a number of console test apps (based on MSDN samples) into one Win32 app that can be run on any 32-bit Windows platform. Results from dual-boot and VM systems should provide the needed clarity!


Updated Kexstubs.ini (Kstub822.ini):

* As of 730, definition values can be changed with just an app restart.

* Adding, Deleting, or Changing definition names requires an *immediate* OS restart!

* [;Zzzz.dll] --- see Lz32 ---

* requires "Zzzz=Lz32.dll" name-value pair in registry key:

* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs

* See also: Kstub_KnownDLLs.reg

[#prefs#]

Log=1 ;Enable logging to KstubNNN.log (816+)

~~~ Forwarding ~~~

library and function default to "this"

=>[[drive:\]path]library[.ext]:[function]

=>[function] ;search Msvcrt

~~~ Stubs ~~~

32/64-bit return value codes:

=r#s#[e[#]][?]

r# - value to return in edx:eax (required: int64 or hex64 (0x...))

s# - number of dwords to pop from stack (required: unsigned32)

e# - value for SetLastError (optional: unsigned32)

? - prompt for r and e, use s (or 0 if no s)

t -> r-1s

f -> r0s

z -> r0s

o -> r1s

p -> r{64-bit parameter1}s

Stack pop count:

0: 'C' function

0..99+: # of WINAPI parameters

Sample SetLastError value codes (only when needed):

e0: ERROR_SUCCESS 0

e,e1: ERROR_INVALID_FUNCTION 1

e120: ERROR_CALL_NOT_IMPLEMENTED 120

MSDN notes for return values:

STATUS_SUCCESS: 0

S_OK: 0

INVALID_HANDLE_VALUE: -1

STATUS_NOT_IMPLEMENTED: 0xC0000002

~~~ Definitions ~~~

[Advapi32.dll]

AddAccessAllowedAceEx=z5e

ChangeServiceConfig2A=z3e

ChangeServiceConfig2W=z3e

CloseTrace=t1

ControlTraceA=t4

ControlTraceW=t4

FlushTraceA=t3

FlushTraceW=t3

GetTraceLoggerHandle=t1e

LsaEnumerateAccountRights=t4

LsaFreeMemory=t1

LsaQueryInformationPolicy=t3

OpenTraceA=t1e

OpenTraceW=t1e

ProcessTrace=t4

QueryAllTracesW=t3

QueryTraceW=t3

QueryUsersOnEncryptedFile=o2

StartTraceA=t3

StartTraceW=t3

StopTraceW=t3

UpdateTraceW=t3

[Avicap32.dll]

capCreateCaptureWindowW=f8

capGetDriverDescriptionW=f5

[Comdlg32.dll]

PrintDlgExA=>ComDlgKs:

PrintDlgExW=>ComDlgKs:

[;Credui.dll] --- see Lz32 ---

CredUIPromptForCredentialsA=r0s10? ;0=OK, 1223=Cancel

CredUIPromptForCredentialsW=r0s10? ;0=OK, 1223=Cancel

[;Dbghelp.dll] --- see Lz32 ---

ImageNtHeader=>Imagehlp:

MiniDumpWriteDump=

[;Dnsapi.dll] --- see Lz32 ---

DnsQuery_A=

DnsRecordListFree=

[iphlpapi.dll]

GetAdaptersAddresses=>iphlpapi4:

GetPerAdapterInfo=>iphlpapi4:

[Kernel32.dll]

AddVectoredExceptionHandler=z2

GetGeoInfoA=z5e

GetGeoInfoW=z5e

GetSystemRegistryQuota=z2e

GetSystemWow64DirectoryA=z2e120

GetSystemWow64DirectoryW=z2e120

GetUserGeoID=t1

GetVolumeNameForVolumeMountPointA=z3e

GetVolumeNameForVolumeMountPointW=z3e

HeapQueryInformation=f5e

InitializeSListHead=f1

InterlockedFlushSList=f1

InterlockedPopEntrySList=f1

InterlockedPushEntrySList=f2

QueryDepthSList=f1

[Lz32.dll] --- all API's in functions that use KnownDLLs to forward to LZ32 ---

CredUIPromptForCredentialsA=r0s10? ;0=OK, 1223=Cancel

CredUIPromptForCredentialsW=r0s10? ;0=OK, 1223=Cancel

DnsQuery_A=

DnsRecordListFree=

ImageNtHeader=>Imagehlp:

MiniDumpWriteDump=

WinHttpCloseHandle=f1e

WinHttpGetIEProxyConfigForCurrentUser=

WinHttpGetProxyForUrl=

WinHttpOpen=

[Netapi32.dll]

NetAccessAdd=>Svrapi:

NetAccessCheck=>Svrapi:

NetAccessDel=>Svrapi:

NetAccessEnum=>Svrapi:

NetAccessGetInfo=>Svrapi:

NetAccessGetUserPerms=>Svrapi:

NetAccessSetInfo=>Svrapi:

NetApiBufferFree=o1

NetFileGetInfo=o4

NetGetAnyDCName=o3

NetGetDCName=o3

NetGroupEnum=o7

NetGroupGetInfo=o4

NetGroupGetUsers=o8

NetLocalGroupAddMembers=o5

NetMessageBufferSend=o5

NetMessageNameAdd=o2

NetMessageNameDel=o2

NetMessageNameEnum=o7

NetServerEnum=o9

NetShareEnum=>SvrApi:

NetShareGetInfo=>SvrApi:

NetUseAdd=o4

NetUseEnum=o7

NetUseGetInfo=o4

NetUserDel=o2

NetUserEnum=o8

NetUserGetGroups=o7

NetUserGetInfo=o4

NetUserGetLocalGroups=o8

NetWkstaGetInfo=o3

[Ntdll.dll]

CsrGetProcessId=>Kernel32:GetCurrentProcessId

NtAdjustPrivilegesToken=>Advapi32:AdjustTokenPrivileges

NtAllocateVirtualMemory=t6

NtClose=>Kernel32:CloseHandle ;return is inverted: some apps may need "z1" but leak

NtCreateProfile=t9

NtOpenProcessToken=>Advapi32:OpenProcessToken

NtQueryInformationProcess=t5 ;internally static linked!

NtQueryInformationThread=t5

NtQuerySystemInformation=t4

NtShutdownSystem=t1 ;fail todo: =>User32:ExitWindowsEx(p,0)

RtlCompareMemory=s3?

RtlCreateUnicodeStringFromAsciiz=z2 ;fail

RtlEnterCriticalSection=s1?

RtlFreeUnicodeString=z1 ;leak, after RtlAnsiStringToUnicodeString, RtlUpcaseUnicodeString

RtlInitAnsiString=>Kstub822:IAS ;z2?

RtlInitString=s2?

RtlInitUnicodeString=>Kstub822:IUS ;z2?

RtlInitializeCriticalSection=t1 ;fail, z1 ok

RtlIpv6AddressToStringA=>Kstub822:I6A ;z2?

RtlLeaveCriticalSection=z1

RtlUniform=p1 ;forward to something more uniformly random!

_aullshr=s2?

_stricmp=>

_vsnprintf=>

_wcsicmp=>

_wcsnicmp=>

_wtoi=>

atoi=>

bsearch=>

isalnum=>

iswctype=>

memcmp=>

memcpy=>

memmove=>

memset=>

sprintf=>

sscanf=>

strcat=>

strchr=>

strcmp=>

strcpy=>

strcspn=>

strlen=>

swprintf=>

toupper=>

towupper=>

vDbgPrintExWithPrefix=t5 ;not just for kernel-mode drivers!

vsprintf=>

wcscat=>

wcschr=>

wcscmp=>

wcscpy=>

wcslen=>

wcsncat=>

wcsncmp=>

wcspbrk=>

wcsrchr=>

wcsstr=>

wcstol=>

wcstoul=>

[Ole32.dll]

CoAllowSetForegroundWindow=t2

[secur32.dll]

AcquireCredentialsHandleW=

DecryptMessage=

EncryptMessage=

GetUserNameExA=z3e

GetUserNameExW=z3e

InitSecurityInterfaceW=z0

InitializeSecurityContextW=

LsaEnumerateLogonSessions=t2

LsaFreeReturnBuffer=t1

LsaGetLogonSessionData=t2

QueryContextAttributesW=

[shell32.dll]

SHPathPrepareForWriteW=t4

StrChrA=>shlwapi32:

StrChrW=>shlwapi32:

[shlwapi.dll]

SHRegisterValidateTemplate=t2

StrCmpLogicalW=

[user32.dll]

UserRealizePalette=

[;Winhttp.dll] --- see Lz32 ---

WinHttpCloseHandle=

WinHttpGetIEProxyConfigForCurrentUser=

WinHttpGetProxyForUrl=

WinHttpOpen=

Kstub_KnownDLLs.reg


REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"CREDUI"="LZ32.DLL"
"DBGHELP"="LZ32.DLL"
"DNSAPI"="LZ32.DLL"
"WINHTTP"="LZ32.DLL"

Edit: removed ActCtx / Active Context and Msvcr* definitions

Edit2: struck Kex from stubs.ini

Edited by jumper
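
The definition syntax in the legend above (forwarding with `=>`, stub codes of the form `r#s#[e[#]][?]`, and the `t`/`f`/`z`/`o`/`p` shorthands) can be decoded mechanically, which makes it easy to audit what every listed export now resolves to. This parser is an added example, not part of Kexstubs or of the original post; the result labels `"this"`, `"Msvcrt"` and `"param1"` are this example's own reading of the legend, and the sample lines are taken from the definitions above.

```python
import re

# Shorthand codes from the legend: t -> r-1s, f/z -> r0s, o -> r1s, p -> first parameter.
SHORTHAND = {"t": -1, "f": 0, "z": 0, "o": 1, "p": "param1"}
# =r#s#[e[#]][?], or a shorthand letter plus pop count, or bare s# used with '?'.
STUB = re.compile(r"(?:r(?P<r>-?(?:0x[0-9A-Fa-f]+|\d+))s|(?P<short>[tfzop])|s)"
                  r"(?P<s>\d+)?(?:e(?P<e>\d*))?(?P<prompt>\?)?$")

def parse_definition(value):
    """Classify what follows the first '=' of one 'Name=value' definition."""
    value = value.split(";", 1)[0].strip()           # drop trailing ;comment
    if value.startswith(">"):                         # Name=>target is a forward
        lib, sep, func = value[1:].rpartition(":")    # last ':' keeps a drive letter intact
        return {"kind": "forward", "function": func or "this",
                "library": (lib or "this") if sep else "Msvcrt"}
    if not value:
        return {"kind": "empty"}                      # meaning not given in the legend
    m = STUB.match(value)
    if not m:
        return {"kind": "unrecognised", "raw": value}
    if m["short"]:
        ret = SHORTHAND[m["short"]]
    elif m["r"] is not None:
        ret = int(m["r"], 16 if "x" in m["r"].lower() else 10)
    else:
        ret = None                                    # value is asked for at the '?' prompt
    err = None if m["e"] is None else int(m["e"] or 1)  # bare 'e' is listed as e1
    return {"kind": "stub", "returns": ret, "pop_dwords": int(m["s"] or 0),
            "last_error": err, "prompt": bool(m["prompt"])}

def parse_ini(text):
    """Return (section, export, parsed) for every definition line."""
    section, out = None, []
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"\[(.+?)\]", line)
        if head:
            section = head[1]                         # text after ']' is a remark
        elif section and "=" in line and line[0] != ";" and section[0] != "#":
            name, _, value = line.partition("=")
            out.append((section, name.strip(), parse_definition(value)))
    return out

def by_kind(text):
    """Group 'section:export' names by forward / stub / empty / unrecognised."""
    groups = {}
    for section, name, d in parse_ini(text):
        groups.setdefault(d["kind"], []).append(f"{section}:{name}")
    return groups

# Lines copied from the definitions in this post.
SAMPLE = """\
[Kernel32.dll]
GetSystemWow64DirectoryA=z2e120
[;Credui.dll] --- see Lz32 ---
CredUIPromptForCredentialsA=r0s10? ;0=OK, 1223=Cancel
[Ntdll.dll]
CsrGetProcessId=>Kernel32:GetCurrentProcessId
memcpy=>
[secur32.dll]
EncryptMessage=
"""

if __name__ == "__main__":
    print(by_kind(SAMPLE))
```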

> SeaMonkey 2.0.14 does now start and works perfectly but SeaMonkey 2.14.1 still crashes 'blaming' msvcr100.dll.

> ...

> When you have the time could you test SeaMonkey 2.14.1 on your system ?

SeaMonkey 2.0.14 is a W2K-compatible version; SeaMonkey 2.14.1 is the latest XP+ version, is not W2K-compatible, and is NOT a minor upgrade to 2.0.14!

I suggest trying 2.6.1. It should work with the new Kexstubs definitions.

After that, try 2.9.1 -- it is the last W2K version. ImportPatcher.37 reports the following for SeaMonkey.exe and plugin-container.exe:


...
[DLL replacements]
RASDLG.dll=

[RASAPI32.dll]
RasGetAutodialAddressW=
RasGetAutodialEnableW=
RasGetAutodialParamW=
RasSetAutodialAddressW=

[RASDLG.dll]
RasDialDlgW=
RasPhonebookDlgW=
...

Thus it requires these additional Kstub definitions for SeaMonkey.exe and plugin-container.exe:


[Lz32.dll] --- all API's in functions that use KnownDLLs to forward to LZ32 ---
RasDialDlgW=
RasPhonebookDlgW=

[RASAPI32.dll]
RasGetAutodialAddressW=
RasGetAutodialEnableW=
RasGetAutodialParamW=
RasSetAutodialAddressW=

[;RASDLG.dll] --- see Lz32 ---
RasDialDlgW=
RasPhonebookDlgW=

(Note how easy that was to cut and paste from one .ini to another!)

and this addition to the registry:


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"RASDLG"="LZ32.DLL"

Now back to 2.14.1 -- its plugin-container.exe requires many more new definitions that will probably be more difficult to implement. Its SeaMonkey.exe does not require the 1.9.1 additions, however, and should work with the new definitions. Try disabling plugin-container.exe (and thus plug-ins) by renaming or deleting it.

Finally, if someone could look up those Ras functions above and recommend proper definitions, that would be great! :yes:
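
Because a KnownDLLs entry applies to the OS and every app, it is worth being able to list which DLL names on a machine have been pointed at a different file. The check below is an added example, not part of the original posts or of KernelEx: it reads REGEDIT4 export text and reports every KnownDLLs value whose target is not the same-named DLL, grouped by the file that now answers for it. The sample combines the entries shown in this thread with one constructed same-name entry (KERNEL32) for contrast.

```python
import re

KEY = r"hkey_local_machine\system\currentcontrolset\control\sessionmanager\knowndlls"

def knowndll_redirects(reg_text):
    """Return {NAME: target} for KnownDLLs values that do not map NAME to NAME.DLL."""
    redirects, in_key = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):                      # key header line
            in_key = line.strip("[]").lower() == KEY
            continue
        m = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)
        if in_key and m:
            name = m[1].upper()
            target = m[2].replace("\\\\", "\\")       # .reg files escape backslashes
            if target.rsplit("\\", 1)[-1].upper() != name + ".DLL":
                redirects[name] = target
    return redirects

def fan_in(redirects):
    """Group redirected names by the file that now answers for them."""
    hosts = {}
    for name, target in sorted(redirects.items()):
        hosts.setdefault(target.upper(), []).append(name)
    return hosts

# Entries from the .reg snippets in this thread, plus one constructed
# same-name entry (KERNEL32) standing in for an untouched mapping.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"KERNEL32"="KERNEL32.DLL"
"IPHLPAPI"="IPHLPAPI.JMP"
"CREDUI"="LZ32.DLL"
"DBGHELP"="LZ32.DLL"
"DNSAPI"="LZ32.DLL"
"WINHTTP"="LZ32.DLL"
"RASDLG"="LZ32.DLL"
'''

if __name__ == "__main__":
    for host, names in fan_in(knowndll_redirects(SAMPLE)).items():
        print(f"{host}: {', '.join(names)}")
```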


Ktree9 has been posted. :hello:

I was over-thinking the sorting thing. The solution was to do all inserting at the end, then make one call to TreeView_SortChildren for each group once the inserting was done. Load time is now less than one second :blushing: !


My first results for post 116 (Kstub822.ini and iphlpapi4):

µTorrent 2.0.4: It doesn't start. Message: C:\Windows\System\iphlpapi.dll: IpHlpDll Entry not found (7b340000 0)

Kstub822.log:

[Kstub822]

= Iphlpapi.dll:GetAdaptersAddresses=>iphlpapi4: =

= Lz32.dll:MiniDumpWriteDump =

= Kernel32.dll:CreateActCtxW=t1e =

= Iphlpapi.dll:GetAdaptersAddresses=>iphlpapi4: =

OpenOffice 3.2.1: The Installation failed. Message: The E/A process was canceled because of a thread end or an application request.

Log => no entry.

Opera 12.5+: Still no success.

Version 12.5 build 1583 and 12.12 build 1707

Log:

[Kstub822]

= Iphlpapi.dll:GetAdaptersAddresses=>iphlpapi4: =

Thanks for your efforts. I hope. :)

Edited by schwups
