Windows Vista Extended Kernel

About a month ago I started working on kernel extensions for Windows NT 6.0.

The x64 branch of the extended kernel is quite mature, running current versions of Firefox/Gecko-based browsers, GIMP 2.10.18 and PassMark PerformanceTest 10.0. As of writing, a Chromium 83-based release of Brave crashes with a fault that points to an entry in kernel32's import table, but Electron-based applications like Visual Studio Code work.

The x86 branch is much younger and I'm just getting to grips with making x86 kernel extensions, though it will help with the many x86-native applications still floating around, including Office 2013+ installers, as well as people who run Vista x86.

There are two ways to install the extended kernel files.

First Method
Replacement of Files in System Folders

Simply put, you copy the extended kernel files to the system32 and syswow64 (for x86 files on x64 systems) folders. Obviously you will have to do this from another OS, since these DLLs are loaded into every process while Vista is running. From another version of Windows, you will have to take ownership of each file to be replaced (they are owned by TrustedInstaller). From Linux/BSD/etc. you don't have to worry about permissions, because the NTFS ACLs are not enforced there.

This method is necessary to ensure proper functioning of the address and search bars in Firefox 68+ based browsers. Otherwise search engine data is not downloaded and you will have to type in URLs manually, including the protocol prefix (https://, ftp:// etc.).

All software will now rely on my files. Keep your original Vista files handy for when Vista-compatible applications exhibit unforeseen behaviour; VMware WS 10-12 installers are one such example.
This method may also be undesirable if you make use of ESU updates, since an update that ships a new copy of one of these DLLs will overwrite the extended file.

Second Method
Local DLL Redirection

In this case, the system relies on the original MS DLLs and only user-specified programs will be able to use my DLLs and their extra functions; every other process, malware included, keeps the stock Vista API surface. Preferred if you are concerned about malware using W7+ functions and/or use ESU updates.

Even if you use the first method, you can use this method to substitute extended DLLs with original Vista DLLs if Vista-compatible applications are broken.

To prepare for DLL redirection, create the following registry value and reboot (save it as a .reg file and import it, or add it with regedit):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    "DevOverrideEnable"=dword:00000001

Once you have done that, you can make programs use my modified files by creating a file or folder named xxxx.exe.local (where xxxx.exe is the full file name of the program's executable) in the program's folder. If a .local file is created, then the modified files are placed in the program's folder. If a .local folder is created, then the modified files are placed in that folder.

Unfortunately, offering the download links in this thread would run afoul of the anti-XP+ policy, even after I badly scarred and abused the files. So contact me directly if you are interested or have questions.
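The second method as a batch script, added here as an example and not part of the original post or its installer. It sets DevOverrideEnable if it is not already 1, creates the per-program .exe.local folder, copies the DLLs in, and then lists the ACL of the program folder. The paths, the script name and the folder of DLLs are assumptions; point the second argument at the extended kernel files, or at the stock Vista files to undo a global install for one program.

```batch
@echo off
rem Added example, not from the original post: set up the second method (local DLL
rem redirection) for one program and show who else could use the same mechanism.
rem Usage:  localredir.cmd "C:\Program Files\App\app.exe" "D:\extkernel\x64"
rem The second argument is a folder holding the DLLs to redirect to (extended kernel
rem files, or the stock Vista files to undo a global install for one program).
rem Folder and file names here are assumptions, not the post's.
setlocal enableextensions
if "%~2"=="" (
    echo Usage: %~nx0 ^<path\to\program.exe^> ^<folder of DLLs^>
    exit /b 1
)
set "EXE=%~1"
set "DLLSRC=%~2"
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
if not exist "%EXE%" (echo Program not found: "%EXE%" & exit /b 1)
if not exist "%DLLSRC%\*.dll" (echo No DLLs found in "%DLLSRC%" & exit /b 1)

rem 1. Machine-wide switch the loader needs before it honours any .local redirection.
rem    Only write it when it is not already 1, and say so, because it needs a reboot.
set "CUR="
for /f "tokens=3" %%V in ('reg query "%IFEO%" /v DevOverrideEnable 2^>nul ^| find /i "DevOverrideEnable"') do set "CUR=%%V"
if /i not "%CUR%"=="0x1" (
    reg add "%IFEO%" /v DevOverrideEnable /t REG_DWORD /d 1 /f >nul || (
        echo Could not write DevOverrideEnable; run this from an elevated prompt.
        exit /b 1
    )
    echo DevOverrideEnable set; reboot before testing the redirection.
)

rem 2. Per-program redirection folder "<program>.exe.local" beside the executable.
rem    If a *file* of that name already exists, the loader expects the DLLs in the
rem    program folder itself, so stop rather than silently create a second copy.
set "LOCALDIR=%EXE%.local"
if exist "%LOCALDIR%" if not exist "%LOCALDIR%\" (
    echo "%LOCALDIR%" exists as a file; put the DLLs next to the program instead.
    exit /b 1
)
if not exist "%LOCALDIR%\" (mkdir "%LOCALDIR%" || (echo Cannot create "%LOCALDIR%" & exit /b 1))
copy /y "%DLLSRC%\*.dll" "%LOCALDIR%" >nul || (echo Copy failed, is the program still running? & exit /b 1)

rem 3. Show what the program will now load and who can change it. DevOverrideEnable is
rem    machine-wide, so anyone who can write into a program's folder can drop their own
rem    "<program>.exe.local" and redirect that program's DLLs in exactly the same way.
echo DLLs that "%~nx1" will load from "%LOCALDIR%":
dir /b "%LOCALDIR%\*.dll"
echo.
echo Principals with access to the program folder (look for W, M or F):
icacls "%~dp1."
endlocal
```

Run it from an elevated prompt once per program. The ACL listing at the end is the check worth keeping: the registry switch applies to every executable on the machine, so a program folder that is writable by standard users becomes a place where any user can decide which kernel32/ntdll that program loads.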

Comments

  • edited July 2020
    This is wonderful. You mentioned in the other thread about replacing RtlQueryPerformanceCounter with NtQueryInformationProcess (for ntdll) using CFF Explorer, in order for Firefox 78 to work. It actually seems to work better than 68 for local DLL redirection, as I don't have to type out the protocol in the address bar in order for it to work. Search is still broken, however.



    Edit: 78 ESR will autofill the protocol, but YouTube is broken. 68 will not add the protocol, but YouTube works. 60.9.0ESR seems to work perfectly, including search. All need MinorSubsystemVersion changed to 0.
  • edited July 2020
    "Edit: 78 ESR will autofill the protocol, but YouTube is broken. 68 will not add the protocol, but YouTube works. 60.9.0ESR seems to work perfectly, including search. All need MinorSubsystemVersion changed to 0."


    I just installed 78 ESR and YouTube works. Mind you I applied my files globally, but I don't see why having local files would affect rendering.
  • If you’re playing with kernel modification, here is something I stumbled across recently that, after I read it, I was like "of course, how did I not realize that". To sum it up, basically the 4GB RAM limit for 32-bit Windows is artificial. Everyone assumes that because 2 to the power of 32 is 4GB, that is the limit for 32-bit processors. But 16-bit processors, such as the 8088 or 80286, address way more than 2 to the 16.

    https://www.geoffchappell.com/notes/windows/license/memory.htm?tx=33
  • Um, the 80286 had a 24-bit address bus, hence why it was capable of 16MB memory.
    The 8088 was 8-bit but still had 16-bit addressing. Nonetheless stuck at 1MB memory. Yes, they are 16-bit processors, but that means nothing with regards to hardware. Just like the 386SX is 32-bit but still has a 24/16-bit bus like the 286.

    PAE allows modern systems to run a 32-bit OS but still allow usage of over 4GB memory, albeit with the restriction of 4GB segments.
    MS just castrated the PAE of consumer OSes so that it maxed out at approx 4GB.
  • edited July 2020
    Um, the 8088 is 16-bit with an 8-bit data bus, making it cheaper to implement, just like the 386SX is 32-bit internally with a 16-bit bus. The 8088 actually has 20-bit addressing, which is why it accesses 1MB. 2^16 is 64K.

    Starting with the Pentium Pro, the addressing is 36-bit, still WAY more than 4GB; support for PAE and the /GB switch was added to Windows shortly after, and I ran Microsoft Exchange taking advantage of that back in the early 2000s.

    Read the article; it's talking about a hack to the kernel to enable more memory on Windows Vista. Since this thread is about the Vista kernel, I figured it was topical.
  • "If you’re playing with kernel modification, here is something I stumbled across recently that, after I read it, I was like "of course, how did I not realize that". To sum it up, basically the 4GB RAM limit for 32-bit Windows is artificial. Everyone assumes that because 2 to the power of 32 is 4GB, that is the limit for 32-bit processors. But 16-bit processors, such as the 8088 or 80286, address way more than 2 to the 16."


    I suppose I could incorporate that into any possible modification to the x86 ntoskrnl.exe, considering that many newer BIOSes don't do a very good job at remapping hardware-reserved memory beyond 4 GB, leaving under 1 GB free for software in extreme cases.

    The next endeavour would be to challenge the x64 memory limit of 128 GB in Vista Business, Enterprise and Ultimate.
  • Where can I get the files?
  • Thanks for giving me the file links

    I think it will be better to take a service pack installation and reconfigure it to replace these files; it will be useful for non-experts.
  • "I think it will be better to take a service pack installation and reconfigure it to replace these files; it will be useful for non-experts."

    That is currently not possible. The tools used to create NT 6.x update packages haven't leaked, nor am I aware of a way to reverse an existing one.
  • It will take maybe a year for some files for it to leak. An InstallShield program will not work either, since the files are protected by TrustedInstaller, which makes it almost impossible to replace files owned by it with a program installer.
  • Also, I found that every file that the service pack uses has _ at the end of the name. I also found a program whose job is replacing the registry.
  • Maybe it's possible to make an installer by using the IExpress wizard in Windows.
  • First off, I'm sure that InstallShield scripts can be configured to run takeown and icacls. Though I do not see any advantages of replacing the batch-based installer with something proprietary.

    Second, the files ending in "_" are compressed using LZX21 by a MS tool. Readily available, but I don't see the need when the installer is already compressed by 7z.

    Third, that would work to create a self-extracting executable, though AVs are trained to flag anything made with IExpress these days.
  • Don't make multiple posts so soon right after each other. If you need to add something within an hour or so, use the edit function.
  • I was wondering where I can find these files? Thank you.