
Will Dr. Watson tell you why a DLL load failed?


Nomen


I'm looking into the differences between the version 02 and 18 of opera.dll and was wondering if the Watson thing will tell you (in detail) why a dll fails to load.

There are about 130 functions being called in the version 12.18 that are not being called by the 12.02 file that are flagged by DW, and another 100 that are also flagged but are called by both versions (so I'm thinking they're not the problem).  If Watson is of no use in this case - is there anything else?
 



Missing functions:


IPHLPAPI.DLL
CancelIPChangeNotify
GetAdaptersAddresses


KERNEL32.DLL
CreateTimerQueueTimer
DeleteTimerQueueTimer
GetGeoInfoW
GetUserGeoID
SetProcessDEPPolicy


SECUR32.DLL
InitSecurityInterfaceW
LsaEnumerateLogonSessions
LsaFreeReturnBuffer
LsaGetLogonSessionData


This is what Import Patcher is telling me:

[Secur32.dll]
LsaGetLogonSessionData=
LsaEnumerateLogonSessions=
InitSecurityInterfaceW=
LsaFreeReturnBuffer=

[KERNEL32.dll]
GetUserGeoID=
GetGeoInfoW=

[USER32.dll]
SetLayeredWindowAttributes=

[IPHLPAPI.DLL]
CancelIPChangeNotify=

Which you will note is a little bit different than what abcdefg posted above. This is for the 12.18 dll file. I am using import patcher with Start dependency search in local, Test by loading (Kex), and Process delay imports checked. I get *No Problems Found* when running the same analysis on the 12.02 opera.dll.

Why so few issues (or no issues in the case of 12.02) when Dependency Walker shows many issues (missing functions) ??
 


^

1. It depends on which Kex version is in use; I use v4.5.2015.9 and I check this manually.

2. Dependency Walker shows all missing functions but some of them are "implemented" in Kex, but Dependency Walker doesn't "know" that because these "implemented" functions are "delivered" by API Hooking.

 

Edited by ABCDEFG

All of those functions except SetProcessDEPPolicy are now supported by the latest KernelEx 2016.17. And SetProcessDEPPolicy will be supported by Kex 2016.18 (I just now added it). For now, use Kexstubs.dll with the definition:
  SetProcessDEPPolicy=f1e50

Do not check "Process delay imports" in ImportPatcher. It is unrelated to KernelEx support.


I downloaded Kexbeta.17 and copied the 7 files it contained over into my c:\windows\kernelex folder (over-writing the existing files).  Restarted, and ran IP.41 on the opera.dll (12.18).  I get this:

[Secur32.dll]
LsaGetLogonSessionData=
LsaEnumerateLogonSessions=
InitSecurityInterfaceW=
LsaFreeReturnBuffer=

[KERNEL32.dll]
GetUserGeoID=
GetGeoInfoW=

[USER32.dll]
SetLayeredWindowAttributes=

[IPHLPAPI.DLL]
CancelIPChangeNotify=

My stubs.ini (and kstub730.ini) contains

GetGeoInfoW=z5e
GetUserGeoID=t1

My kstub730.ini contains

InitSecurityInterfaceW=z0
LsaEnumerateLogonSessions=t2
LsaFreeReturnBuffer=t1

So I shouldn't be seeing those in Import Patcher - right?  But I am.

> For now, use Kexstubs.dll with the definition: SetProcessDEPPolicy=f1e50

Where do I put that?


 


 


> So I shouldn't be seeing those in Import Patcher - right? But I am.

Put ImportPatcher in Vista (or higher) compatibility mode in the KernelEx Properties tab.

> Where do I put that?

Doesn't look like you need it, but it would go in the [Kernel32.dll] section of stubs.ini.


I've set Kex compatibility mode for IP.41 to be Vista. Kex compatibility mode for opera.dll (12.18) is set to default (should it be forced to something else?). This is what I get now. I put (in brackets) any functions that exist in kex stub files:

[Patches needed]
opera.dll=Functions

[Secur32.dll]
LsaGetLogonSessionData= (kstub822, kstub730)
LsaEnumerateLogonSessions= (kstub822, kstub730)
InitSecurityInterfaceW= (kstub822, kstub730)
LsaFreeReturnBuffer= (kstub822, kstub730)

[KERNEL32.dll]
GetUserGeoID= (kstub822, kstub730, stubs.ini)
GetGeoInfoW= (kstub822, kstub730, stubs.ini)

[USER32.dll]
SetLayeredWindowAttributes= (not present in any .ini file)

[IPHLPAPI.DLL]
CancelIPChangeNotify= (not present in any .ini file)

Why are the above functions in Secur32 and Kernel32 being flagged by IP? They are not being picked up, even though they exist in the stub files. 
What about SetLayeredWindowAttributes and CancelIPChangeNotify?
(edit):  If I select Walk Dependencies in IP, it looks like PSAPI.DLL has an issue, and I see 9 functions that show up under ntdll.dll that I didn't see before.  I still see the same 8 functions that are listed above.
 

Edited by Nomen
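
The cross-check done by hand in the post above, as an added example that is not part of the original thread or of KernelEx or ImportPatcher: it parses ImportPatcher output and stub .ini text and lists, for each flagged import, the stub files that define it. The `;` comment handling and the section headers in the sample stub files are assumptions. A hit only means a definition exists in a file, not that KernelEx has loaded it for the process being tested.

```python
# Added example (not from the thread): which unresolved imports reported by
# ImportPatcher have a definition in a KernelEx stub .ini file?

def parse_ini(text):
    """Parse INI-style text into {section_lowercased: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # assumption: ';' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # DLL names differ in case between files ([KERNEL32.dll] vs [Kernel32.dll])
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def cross_check(ip_report, stub_files):
    """Return {(dll, function): [stub files defining it]} for every flagged import."""
    parsed = {name: parse_ini(text) for name, text in stub_files.items()}
    result = {}
    for dll, funcs in parse_ini(ip_report).items():
        if dll == "patches needed":            # summary section, not a DLL
            continue
        for func in funcs:                     # export names are matched exactly
            result[(dll, func)] = [name for name, ini in parsed.items()
                                   if func in ini.get(dll, {})]
    return result

# Constructed sample input, assembled from values quoted in the posts above.
# The section headers in the stub files are assumed.
IP_REPORT = """[Secur32.dll]
LsaGetLogonSessionData=
InitSecurityInterfaceW=
[KERNEL32.dll]
GetGeoInfoW=
[USER32.dll]
SetLayeredWindowAttributes=
"""
STUB_FILES = {
    "stubs.ini": "[Kernel32.dll]\nGetGeoInfoW=z5e\nGetUserGeoID=t1\n",
    "kstub730.ini": "[Kernel32.dll]\nGetGeoInfoW=z5e\n[Secur32.dll]\nInitSecurityInterfaceW=z0\n",
}

if __name__ == "__main__":
    for (dll, func), files in cross_check(IP_REPORT, STUB_FILES).items():
        print(f"{dll:14} {func:28} {', '.join(files) or 'no stub definition'}")
```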

Do Verify.exe and the KernelEx Properties tab both report "v4.5.2016"?

At this time, the ImportPatcher executable must be named "ImportPatcher.exe" or be UPX'd to be able to delay-load most stubs.


Verify.exe is 4.05.2016.17 and when run it says "Kernelex has been successfully installed and is now ..."
Don't know if this is a factor, but my "c:\windows\" folder is really "c:\win98\" (ie, %windir% = c:\win98). kernelex.dll is version 4.05.2016.17.

> At this time, the ImportPatcher executable must be named "ImportPatcher.exe" or ...

Ah, that must be it. Mine was named "ImportPatcher.41.exe". I renamed it to ImportPatcher.exe. It is located in c:\win98\sendto.

Running IP again against opera.dll v12.18, I get this:

[Patches needed]
opera.dll=Functions

[Secur32.dll]
InitSecurityInterfaceW=

[IPHLPAPI.DLL]
CancelIPChangeNotify=

Running IP with Walk Dependencies + Link to patched copies gives the above, plus this:

PSAPI.DLL=Functions

[ntdll.dll]
NtStopProfile=
NtSetIntervalProfile=
NtStartProfile=
NtWriteFile=
NtQueryVirtualMemory=

 


I don't know if this is just new to me, or anyone else, but replacing Secur32.dll and IPhlpAPI.dll with XP-SP3 version does actually result in a workable win-98 system. I found one problem with an OCX file used by Trendnet IPviewSE program (web-cam software) is caused by IPhlpAPI, but Opera 12 and FF2 seem to work just fine.  Swapping those files doesn't quite fix the issues with Opera.dll version 12.18 - I get a missing library error instead of "a device attached to the system is not functioning".  So now I'm going to look into what file (looks like a DLL file) is missing.

Also - note this:  Win-98 version of secur32.dll is about 59 kb, and XP-SP3 is actually 3kb  smaller, yet the XP version implements more than double the number of functions.  Almost all the extra functions are unicode (W) versions that the 98 dll doesn't (naturally) implement.  Has anyone thought of adding an ascii <-> unicode translator into Kex so that when a (W) function is called, Kex translates the call to Ascii and performs the function call using a native module (if present) ?  Maybe there's a way to use unicows to do this?

Edit:

Ok, so ImportPatcher is saying "no problems found" with the 12.18 opera.dll, but if I walk dependencies I get:

[Patches needed]
PSAPI.DLL=Functions
IPHLPAPI.DLL=Functions

[ntdll.dll]
NtStopProfile=
NtSetIntervalProfile=
NtStartProfile=
NtWriteFile=
NtQueryVirtualMemory=
RtlGetNtProductType=
RtlCreateUnicodeString=
RtlxAnsiStringToUnicodeSize=
NtDuplicateObject=
NlsMbCodePageTag=
RtlxUnicodeStringToAnsiSize=
RtlAcquireResourceShared=
RtlAcquireResourceExclusive=
RtlReleaseResource=
NtFreeVirtualMemory=
NtSetInformationThread=
NtQueryEvent=
RtlCreateUnicodeStringFromAsciiz=
ZwReplyWaitReplyPort=
RtlCopyUnicodeString=
ZwRequestWaitReplyPort=
NtOpenEvent=
ZwFreeVirtualMemory=
RtlGUIDFromString=

I have 2 different versions of psapi.dll. One in \windows (5kb, no version info) and one in windows\system (45kb, v 4.00). No idea if I should be using something else, or where it goes.  Running IP against the 45kb version of psapi.dll gives these problems:

[ntdll.dll]
NtStopProfile=
NtSetIntervalProfile=
NtStartProfile=
NtWriteFile=
NtQueryVirtualMemory=

Running IP against the XP version of IPhlpapi.dll gives these problems:

[ntdll.dll]
RtlReleaseResource=
RtlAcquireResourceShared=
RtlAcquireResourceExclusive=
RtlGUIDFromString=


 

Edited by Nomen

Regarding Opera.dll 12.18, I'm at the point now where IP.41 is telling me:
[Patches needed]
opera.dll=Functions
[IPHLPAPI.DLL]
CancelIPChangeNotify=
GetAdaptersAddresses=

I get the same output regardless of the setting for Process Delay imports. This is in my kex core.ini:
[DCFG1]
contents=Kstub822,std,kexbases,kexbasen,K452stub
desc=Default mode

I can see GetAdaptersAddresses is mentioned in kstub822.ini:
[Iphlpapi.dll]
GetAdaptersAddresses=>iphlpapi4:
GetPerAdapterInfo=>iphlpapi4:

iphlpapi4.dll is located in \windows\kernelex folder.
I can see CancelIPChangeNotify is mentioned in Kexbases.dll and iphlpapi4.dll.
I see *\IPHLPAPI.DLL in this registry key: HKEY_LOCAL_MACHINE\Software\KernelEx\AppSettings\Flags

I see iphlpapi.dll in these registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\InstalledFiles
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs

The data value for IPHLPAPI for the KnownDLLs key is IPHLPAPI.JMP.
I'm not sure if I'm supposed to keep that reference to IPHLPAPI.JMP or delete the key. I have the file IPHLPAPI.JMP located in \windows\system folder (should it be in kernelex folder?).
 

Edited by Nomen

Secur32.dll and Iphlpapi.dll from XP-SP3 cause more problems than they solve. Do not try to use them in any way on Win9x.

Psapi.dll should not be present in the Windows or System folders. The 4KB version from KernelEx Auxiliary DLL Updates should be in the KernelEx folder.

> contents=Kstub822,std,kexbases,kexbasen,K452stub

Oh my! No one should still be using K452stub! Post the results from the K452stub.log file in Kext: DIY KernelEx extensions, then remove K452stub as intended. While you're at it, also post results from the Kstub822.log. :)

> The data value for IPHLPAPI for the KnownDLLs key is IPHLPAPI.JMP.

This setting is preventing KernelEx from providing any extensions to Iphlpapi.dll. Your IPHLPAPI.JMP is a renamed version of Iphlpapi.dll that doesn't contain CancelIPChangeNotify. This .jmp technique from 4-1/2 years ago requires manual updates that have not been done. Instead, just change the KnownDLLs key value back to IPHLPAPI.DLL and delete IPHLPAPI.JMP.

> Has anyone thought of adding an ascii <-> unicode translator into Kex so that when a (W) function is called, Kex translates the call to Ascii and performs the function call using a native module (if present) ?

This is exactly how KernelEx and Unicows implement most of the "W" functions.

> Maybe there's a way to use unicows to do this?

KernelEx does make heavy use of Unicows by forwarding functions to it. That's why Unicows.dll (1.1.3790.0) is a KernelEx system requirement.

Edited by jumper

I seem to have several psapi.dll files that don't give version information (files-properties):

4,608 bytes, created june 1/2015
5,120 bytes, created dec 14/2008 (this is in \windows)
12,288 bytes, created may 27/2015 (this is in \windows\kernelex)

The psapi.dll contained in psapi3b.7z is 4096 bytes (and also has no version info) so I'm not sure where the above 3 that I have came from. I take it that this is the file I should have in \windows\kernelex ?

I have a few other psapi.dll files, with version info, scattered around the system:

18,192 bytes (version 4.00) Windows NT
28,944 bytes (version 5.00.2134.1) Windows 2000
45,136 bytes (version 4.00) Windows NT (this is in \windows\system)

Strange to see 2 different 4.00/NT versions. The 18kb one seems to be associated with InstallAware 8\plug-ins\MDAC.

Here is what's in my k452stub.log file. The file was over 1500 lines - I sorted it and removed the duplicates:

[K452stub]
= Advapi32.dll:CryptAcquireContextW=z5 ;? =
= Kernel32.dll:HeapSetInformation=z4 ;? =
= Kernel32.dll:IsValidLanguageGroup=z2 ;? =
= Kernel32.dll:SetDllDirectoryA=z1 ;? =

I don't seem to have a Kstub822.log file.
 

Edited by Nomen