w2k with xp-kernel functions

[czerny]

Hallo,

I have in w2k once again the problem that the update of one of my favorite  programs don't run, because of not finding (of course) DecodePointer.

So I decided to do the following:

• Rename Kernel32.dll to Kernel32o.dll
• Write a DLL named Kernel32.dll which
  
  • passes all regular w2k functions on to Kernel32o.dll
  • implements a replacement of the missing functions

This is a rough concept!!!

So in the first step I am searching for information about this subject.
Any idea is wellcome!

I am also looking for a lightwight virtual machine to test this.

Hope, anybody could help

czerny

[czerny]

Seems to be too silly or too difficult

[jj2007]

It would mean to know, for all Kernel32 functions, the number and size of parameters, and to implement an interface to pass them on. Quite an overkill. Why don't you implement DecodePointer as a macro, and put that into the header file?

[czerny]

It would mean to know, for all Kernel32 functions, the number and size of parameters, and to implement an interface to pass them on. Quite an overkill. Why don't you implement DecodePointer as a macro, and put that into the header file?

I would like to run compiled third party software, not my own!

Edit: The pass through should word this way

Code: [Select]

LIBRARY Kernel32.dll

EXPORTS
MulDiv=KERNEL32ORG.MulDiv
.
.
.

without any knowledge about parameters.

[czerny]

I have just made a little research about ordinal values of kernel functions.

Result: They seem to vary between different os versions.

Can someone provide me with the ordinal of LocalAlloc in win7 and win8 resp.?

And an other question:

a statment like : Version 5.1.2600.5781

what is the 5781 here?

[frankie]

What you want to do is many times addressed as 'rootkit' and associated to malware or spy software, even if many AV, like kasperky, use that techniqe to intercept and control the whole system.
The job is not trivial, you can found some codes on underground sites (be carefull and keep strong the AV  ). Anyway expect to be tagged as 'malware' from your AV.

I have just made a little research about ordinal values of kernel functions.

Result: They seem to vary between different os versions.

No you're wrong that'will break compatibility and legacy for some old, and not so old, sw. Any compatible call existing on a previous version should keep the same ordinal for standard 'kernel32.dll', 'user32.dll', etc.
Of course 'ntdll.dll' may change because you are supposed to to never use it directly...

And an other question:
a statment like : Version 5.1.2600.5781
what is the 5781 here?

Not sure, but should be 5.1=OS=XP, 2600=Original Build, 5781=Subversion=Service pack3

Maybe you want consider a different approach hooking the system calls or injecting DLL, have a look here... The article give also some hints on 'proxyDll' (rootkit) that, again, is very hard when you are dealing with kernel.dll...

[jj2007]

I would like to run compiled third party software, not my own!

OK, I misunderstood that. Could a global hook on GetProcAddress work?

[aardvajk]

Any compatible call existing on a previous version should keep the same ordinal for standard 'kernel32.dll', 'user32.dll', etc

Functions exported by name have different ordinals on different OS versions, as you're supposed to import them by name. Things exported by ordinal have static ordinals, otherwise those would break, as you said. For instance, LocalAlloc that czerny asked for goes like this:

Code: [Select]

LocalAlloc
Ordinal Platform
486 2000 SP0
486 2000 SP1
486 2000 SP2
489 2000 SP3
490 2000 SP4
837 7 SP0
837 7 SP1
970 8 SP0
943 8.1
501 95 RTM
501 95 SP1
503 95 OSR 2
506 95 OSR 2.5
506 95 OSR 2-USB
560 98
560 98 SE
575 ME
314 NT31 SP0
314 NT31 SP3
372 NT35 SP0
372 NT35 SP3
383 NT351 SP0
383 NT351 SP2
386 NT351 SP3
386 NT351 SP4
386 NT351 SP5
407 NT4 SP1
407 NT4 SP2
408 NT4 SP3
408 NT4 SP4
408 NT4 SP5
408 NT4 SP6a
591 Server2003 SP0
601 Server2003 SP1
601 Server2003 SP2
767 Server2008 SP1
767 Server2008 SP2
762 Vista SP0
767 Vista SP1
767 Vista SP2
565 XP SP0
577 XP SP1a
584 XP SP2
587 XP SP3

while MirrorIcon that's only exported by ordinal goes like this

Code: [Select]

MirrorIcon
Ordinal Platform
414 2000 SP0
414 2000 SP1
414 2000 SP2
414 2000 SP3
414 2000 SP4
414 7 SP0
414 7 SP1
414 8 SP0
... etc

For the problem, I'd say find an older version of polink or an alternate linker that'll make the def export-forwarding work. It'll be the least painful.

[jj2007]

I'd say find an older version of polink or an alternate linker that'll make the def export-forwarding work. It'll be the least painful.

Hi Aardvajk,

Czerny needs a Kernel32.dll for a third party application, i.e. no source, that's why I suggested a global hook on GetProcAddress above.

[czerny]

No you're wrong that'will break compatibility and legacy for some old, and not so old, sw. Any compatible call existing on a previous version should keep the same ordinal for standard 'kernel32.dll', 'user32.dll', etc.
Of course 'ntdll.dll' may change because you are supposed to to never use it directly...

Hmm, how is the ordinal of LocalAlloc in your os kernel?

They must change! in w2k there is no DecodePointer(), in XPsp3 there is that function. The function have to be in alphabetical order. So the ordinals must change. Think about it!

[czerny]

Maybe you want consider a different approach hooking the system calls or injecting DLL, have a look here... The article give also some hints on 'proxyDll' (rootkit) that, again, is very hard when you are dealing with kernel.dll...

Thank you! Interesting articel! I must study it first.

Most time there is stuff about hooking an existing function. But I will insert not existing functions.

[czerny]

I'd say find an older version of polink or an alternate linker that'll make the def export-forwarding work. It'll be the least painful.

Hi Aardvajk,

Czerny needs a Kernel32.dll for a third party application, i.e. no source, that's why I suggested a global hook on GetProcAddress above.

No, no, he is right!
I need this feature to make the fake-kernel32.dll.

[TimoVJL]

I am also looking for a lightwight virtual machine to test this.

Hope, anybody could help

czerny

QEMU ? here

[frankie]

They must change! in w2k there is no DecodePointer(), in XPsp3 there is that function. The function have to be in alphabetical order. So the ordinals must change. Think about it!

Well the export section is a little bit more complicated and allows you to do it.
The export directory points to 3 tables, a table holding an array of string pointers that points to the function names saved in another part of the PE (tipically readonly), a table holding the ordinal for each function and the real address table holding the functions, or variables or absolutes, addresses. The link between the first two tables is direct: for each function the same index points to its ordinal. When you link dynamically a function you search in the names table for your function, than using the index where you have found it peek the corresponding ordinal. From ordinal you have to subtract the 'base ordinal' and you will get the index in the addresses table  .
This mechanism allows to order the symbols so you can perform faster binary searches, but each symbol can have whichever ordinal you want  . Moreover using the 'base ordinal' your DLL can have ordinals starting from whichever value you want (not necessarily 1). The only constrain is that you cannot have any 'hole' inside the ordinals serie...
I draft a picture to show it.
If you have time and constance you can also edit the DLL adding entries to export table poining to your functions in a foreign DLL  But this thread begins to resemble a trojan development... 
 

[czerny]

I am also looking for a lightwight virtual machine to test this.

Hope, anybody could help

czerny

QEMU ? here

Looks promising! I will try it.