
How to add Function to Various System DLL.


XPFOREVER
June 20th, 2016, 21:31
Hi guys and gals. I am trying to get my AMD graphics driver to work in XP.
For that I needed to add various functions to system files like videoport.sys, ntoskrnl.exe, kernel32.dll and a few others.
Please help me.

blabberer
June 20th, 2016, 22:16
Great, hope you are really serious about that. Now, will you try to formalize it? What background have you gathered to achieve your goal, any thoughts?

XPFOREVER
June 21st, 2016, 21:32
Quote:
[Originally Posted by blabberer;97372]Great, hope you are really serious about that. Now, will you try to formalize it? What background have you gathered to achieve your goal, any thoughts?


Still trying. I have a bit of knowledge of PE.
Does any tool exist for adding an export to a DLL?

Woodmann
June 21st, 2016, 22:06
There are tools here to do what you want.
http://www.woodmann.com/collaborative/tools/Category:RCE_Tools

XPFOREVER
June 22nd, 2016, 11:17
Thanks for the help.
But there is no export tool, only import, namely IIDKing.

XPFOREVER
June 22nd, 2016, 11:32
I want to add the following functions to kernel32.dll:

LIBRARY NAME : kernel32.dll
Functions Added
--------------------------------------------------------------
DecodePointer
EncodePointer
GetNativeSystemInfo
GetProcessHandleCount
SetDllDirectoryW
IsWow64Process
IsWow64Message
CheckRemoteDebuggerPresent
SetDllDirectoryA
GetModuleHandleExW
InterlockedPopEntrySList
InterlockedPushEntrySList
InitializeSListHead
InterlockedFlushSList
QueryDepthSList
AttachConsole
TzSpecificLocalTimeToSystemTime
RtlCaptureStackBackTrace
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
GetHandleContext
GetModuleHandleExA
GetProcessId
SetThreadUILanguage
WTSGetActiveConsoleSessionId
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
ReleaseActCtx
CreateActCtxW
CreateActCtxA
ActivateActCtx
DeactivateActCtx
RtlCaptureContext
GetGeoInfoW
GetUserGeoID
GetGeoInfoA
GetSystemTimes
GetVolumePathNamesForVolumeNameW
GetVolumePathNamesForVolumeNameA
IsProcessInJob
GetCurrentActCtx
GetThreadId
GetDllDirectoryW
DebugActiveProcessStop
ZombifyActCtx
AddRefActCtx
QueryActCtxW
FindActCtxSectionStringW
FindActCtxSectionStringA
SetProcessDEPPolicy
GetSystemDEPPolicy
GetProcessDEPPolicy
GetThreadIOPendingFlag
CreateMemoryResourceNotification
QueryMemoryResourceNotification
SetFirmwareEnvironmentVariableA
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableA
GetFirmwareEnvironmentVariableW
DecodeSystemPointer
EncodeSystemPointer
SetHandleContext
EnumSystemGeoID
ConvertFiberToThread
BaseCheckAppcompatCache
SetThreadStackGuarantee
InitializeCriticalSectionEx
FlsFree
FlsGetValue
FlsSetValue
FlsAlloc
FindActCtxSectionGuid
GetDllDirectoryA
LCMapStringEx
InitOnceExecuteOnce
RegisterApplicationRecoveryCallback
ApplicationRecoveryInProgress
RegisterApplicationRestart
ApplicationRecoveryFinished
GetLocaleInfoEx
CompareStringEx
GetNLSVersion
GetNLSVersionEx
GetTimeFormatEx
GetDateFormatEx
IsValidLocaleName
EnumSystemLocalesEx
CreateSemaphoreExW
CreateSemaphoreExA
GetThreadID
GetThreadPreferredUILanguages
SetThreadPreferredUILanguages
CheckForReadOnlyResource
FindFirstStreamW
FindNextStreamW
FindNLSString
GetNumaNodeProcessorMask
GetNumaProcessorNode
GetLogicalProcessorInformation
GetNumaHighestNodeNumber
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableCS
WakeAllConditionVariable
QueryThreadCycleTime
LocaleNameToLCID
InterlockedCompareExchange64
GetSystemRegistryQuota
SetFileValidData
GetCurrentProcessorNumber
GetConsoleProcessList
QueryFullProcessImageNameA
QueryFullProcessImageNameW
CheckNameLegalDOS8Dot3A
CheckNameLegalDOS8Dot3W
GetUserDefaultLocaleName
GetSystemDefaultLocaleName
SetFileInformationByHandle
GetFileInformationByHandleEx
OpenFileById
CancelSynchronousIo
CancelIoEx
AcquireSRWLockExclusive
AcquireSRWLockShared
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
LCIDToLocaleName
K32GetProcessMemoryInfo
GetProcessPreferredUILanguages
SetProcessPreferredUILanguages
GetFinalPathNameByHandleW
K32EmptyWorkingSet
K32EnumDeviceDrivers
K32EnumProcessModules
K32GetDeviceDriverBaseNameA
K32GetDeviceDriverBaseNameW
K32GetDeviceDriverFileNameA
K32GetDeviceDriverFileNameW
K32GetMappedFileNameA
K32GetMappedFileNameW
K32GetModuleBaseNameA
K32GetModuleBaseNameW
K32GetModuleFileNameExA
K32GetModuleFileNameExW
K32GetModuleInformation
K32GetPerformanceInfo
I have heard there is a tool named ETCH but I cannot find it anywhere.
Please teach me.

Woodmann
June 22nd, 2016, 22:08
Never heard of it.
Tell me why IIDKing will not work.
http://www.woodmann.com/collaborative/tools/Category:Import_Editors

Kayaker
June 22nd, 2016, 22:08
I don't know what AMD graphics card you have, but is there any reason why you can't use an XP compatible driver suite?

http://support.amd.com/en-us/download/windows-legacy

What you have in mind is a bad idea for many reasons, but let's start with why you've come to this point in the first place.

XPFOREVER
June 23rd, 2016, 11:08
@Woodmann IIDKing can add only imports, where I need to add exports.
Thanks a lot for your effort to keep such an awesome tool and ebook library.
@Kayaker
Only a few dependencies need to be fixed to run it.
Anyway, I did not want to go to a new OS as they contain telemetry spyware.
I cannot use it as the newer R9 series is not supported.

Woodmann
June 23rd, 2016, 22:32
I guess you need a Virtual Machine to do this.

XPFOREVER
June 25th, 2016, 01:34
Thanks a lot everyone.
I myself added functions to the export table using the most powerful tool, that is, a hex editor.
I am too lazy to do that manually. Anyway, last of all, I got the driver working.
Windows XP still rocks, doesn't it?

XPFOREVER
June 25th, 2016, 04:19
Does anyone know how to add some space to a PE?

blabberer
June 25th, 2016, 10:18
You need to write a driver that hooks mmmapviewofA and creates extra space, or use what Woodmann suggested.

Aimless
June 29th, 2016, 08:02
Hello XPForever,

Welcome to our board. If you have not worked a bit on cracking, you may find adding spaces to PE a bit more daunting (adding space is always easy -- getting the code to work is difficult)

Now, if you search google for "add some space to PE" you will not find anything. The formal word for this is: "CODE CAVE".

You can begin here:

1) How to inject your code into a PE Executable: http://www.ntcore.com/files/inject2exe.htm

2) What is a code cave by the way: https://en.wikipedia.org/wiki/Code_cave

3) Making space for added bytecode (machine code) in a Windows PE executable: http://stackoverflow.com/questions/5619813/making-space-for-added-bytecode-machine-code-in-a-windows-pe-executable

4) How do I make space for my code cave in a Windows PE 32bit executable: http://stackoverflow.com/questions/35685589/how-do-i-make-space-for-my-code-cave-in-a-windows-pe-32bit-executable

5) Adding a section to your PE: the easy way : http://ge0-it.blogspot.in/2012/08/adding-section-to-your-pe-easy-way.html

6) Adding New Functions to Compiled Code: http://sandsprite.com/CodeStuff/add_function.html

Want a better way? Learn how to DETOURS (and by Microsoft, no less).

Go for it. Don't get discouraged. Ask what you want to know further. And remember, doing what you want to do (add space in a PE for your code) is DIFFERENT in a PE and a .NET PE (you will need to learn .NET reversing for that).

(And yes, ETCH used to exist. But it was on a university server only. It has now been around a decade since it was taken off. ETCH was not exactly a tool, but a framework with multiple tools (mostly DLLs and a few EXEs). It was highly crude. Nothing like what you are expecting. More like W32DASM. Good in its days, no longer useful now (unless you want straight disassembly dumps). It was, in many ways, a precursor to Microsoft Detours. I used it a couple of times, but never managed to make it work for "REAL LIFE" applications. Detours and a few others (by our great mods and members themselves) are better. There was an old tool by G-ROM (but for the life of me I can't remember the name -- I think one of the mods also asked for the source but "Dream on" was the reply to that query by G-RoM, heh!) Anyways, I digress... Begin your journey by searching for how to create "Code Caves" in PE and in .NET PE. Then, as you learn, share it here. Knowledge or tools, everything is welcome. As are you.

Have Phun

Kayaker
June 29th, 2016, 09:56
Quote:
[Originally Posted by Aimless;97388]There was an old tool by G-ROM (but for the life of me can't remember the name -- I think one of the mods also asked for the source but "Dream on" was the reply to that query by G-RoM, heh!) Anyways, I digress...


ProcDump32 (1.6.2 FINAL) ?

Heh, I think I can guess who might have asked for the source
Digressing again, but here's what he wrote in the final version:

Quote:
Hi folks,

Due to the fact I have less and less time to code this project, and the fact I no longer have the time to do things related to the scene, I decided to retire. As a direct consequence ProcDump32 won't be released and updated anymore. Yeah, that's the end of the ProcDump32 project. Starting now, you should really unpack manually without useless ProcDump help.

Since I know some of you will bug me here are some anticipated answers :

- I won't publish the source code, not now, never. It is my code, my time, my whatever.
- I will never be back.
- I won't explain in any way how works part or whatever of ProcDump.

U can however still try to mail me at g-rom@innocent.com. Anyway, I am pretty sure something better than ProcDump will pop up one day.

G-RoM [17-12-1999]
"If it runs, it can be defeated."


Actually, both ProcDump32 by G-RoM, Lorian & Stone and LordPE Deluxe by yoda would still be very useful for working with PE files in XP. Both can still be found on the web, though NTCore's CFF Explorer or several other more modern PE tools are probably a better bet now.

And yeah XPFOREVER, XP still rocks in many ways, certainly for reversing fun

CrackZ
July 2nd, 2016, 17:23
I still have the source code to Procdump in my archive. Since we are on 17 years now and G-RoM abandoned the scene around 10 years ago (if my memory hasn't completely failed me) I'll consider uploading for historical reference. From memory I recall that there was a plan to update it to v2 and some work was carried out to do so but a lot of planned functions were never implemented.

Regards,

CrackZ.

Aimless
July 3rd, 2016, 10:14
Ah, there you go.

It's really that simple.

Mr. C! As always, you simply floor me.

Have Phun

XPFOREVER
July 4th, 2016, 10:24
Thanks guys, for all the help.
PLEASE SEE THIS PAGE :: blog.livedoor.jp/blackwingcat/archives/1299806.html
I wish to develop such a compatibility layer for XP. That guy did it for 2k.
Please do not mind my English, but I am good in Japanese.

PELock
July 17th, 2016, 17:13
First I thought you were crazy. But then I realized I've made my software compatible with Windows 95 in 2016 :P. Keep it real XPFOREVER! Keep it gangsta and XP style :P

Kayaker
July 17th, 2016, 21:17
Howdy Bart,

Good to see you around and that you're back developing PELock and other things. Good luck with all that.


Cheers,
Kayaker

ZaiRoN
July 23rd, 2016, 13:13
Talking about good old days I would recommend Code Snippet Creator by Iczelion, a must!!!

ciao!
ZaiRoN

XPFOREVER
July 25th, 2016, 10:09
Hi guys, I failed to add most functions.
You guys are more experienced than me.
How can I add an export with Snippet Creator?
Is there any plugin for OllyDbg that can copy code and expand the table, then put the code in another PE file?
Is there any tool that can compare two files in assembly?
Many guys/gals did these things with 9x, but none wrote how they did it.
There are so many tools for imports, but none for exports.
I am new to reverse engineering, started a month ago; I have no idea, but no one can move me from XP.
Windows XP for ever!
Newer apps have a few dependencies, but I have no idea how to fix them.
How do I make wrapper libraries?
Please answer my questions.
Please don't mind that I have asked too many.
Please help me, I am truly a novice.
Sorry, I am going a little off topic ::
I love XP as I like its stability, speed and efficiency.
On today's modern hardware no modern Windows can beat XP in matters of performance, speed and security.
XP support ended two years back; I still have not got a virus with Avast Free, but on my other laptop running 7 with Norton I got infected 11 times.
I don't know why the whole world is saying bad things about XP; isn't it a great OS?

ZaiRoN
July 29th, 2016, 06:00
Quote:
[Originally Posted by XPFOREVER;97403]how can i add export with snippet creator?

Did you try the tool? Did you check the menu items?
I see a lot of questions from you but no effort :/...

Kayaker
July 29th, 2016, 11:36
I'd guess you're probably following this ongoing thread on Remodeling Windows XP Kernel32
http://www.msfn.org/board/topic/175529-remodeling-windows-xp-kernel32/?page=5

You can see that it's not easy modifying system files successfully. It's hard to help you without knowing exactly what you've done or are trying to do.

You said that you got your graphics driver working. Great. What did you do? Did you add one of the 147 functions that you wanted to add to the XP kernel32.dll? Or did you modify one of the graphics driver/user files to get around the dependency problems?

You said you failed to add *most* functions. Were you able to add *any* functions successfully? Again, to what file and how did you do it?

As for tools for comparing binary files, why don't you browse the Tool Library, there's a whole section on that.
http://www.woodmann.com/collaborative/tools/Category:Executable_Diff_Tools

XPFOREVER
July 30th, 2016, 00:55
Your guess is not correct.
I expanded the table, opened kernel32.dll with Hex Workshop, then added some code which showed up in Stud_PE, then adjusted the RVA.

XPFOREVER
July 30th, 2016, 03:25
Your guess is not correct.
I changed the import binary to vernel32, vell32, vtoskrnl, vall from kernel32, shell32, ntoskrnl.
Took Win7 files, then renamed them to vernel32, vell32, vtoskrnl, vall from kernel32, shell32, ntoskrnl.
Set the min version of the PE to 0.
Copied the files to system32.
Then edited the INF of the driver (Crimson device software from AMD) to accept NT 5.1 x86 (XP).
Opened Device Manager and updated the driver with the modified one.

Hex editing kernel32.dll makes the PC not start in most cases.
Have any of you here tried to mod system files?
Please help me.

blabberer
July 30th, 2016, 23:25
Woohoo, great, I'm gonna dust off my Windows 3.1 and put the Windows 10 files into it and fire it up to space. What a great idea, whodhavethunkit (pun intended).

XPFOREVER
August 6th, 2016, 08:00
Hey guys, can any of you help me?

XPFOREVER
August 6th, 2016, 08:04
Snippet Creator has only an import option, no export.

Kayaker
August 6th, 2016, 11:53
As far as I know there are no automagic tools to add exports. Don't know why, I guess there was never a need, most RE tasks of that sort can be done with import addition/code injection. Adding exports is a cool idea, there just isn't usually a call for it.

One way or another you're going to have to completely understand the PE structure and learn to add exports manually to even contemplate what you're trying to do in the larger scheme. Notice that the few in that msfn forum thread I linked who CAN add exports to a system file still have troubles, and they aren't giving away any secrets. "CFF Explorer" was the closest I saw to a clue, but that's only part of the solution.

There are plenty of resources around to understand the PE structure. Iczelion's PE tutorials are a good first resource. Get hold of 010 Editor and run and study the PE parsing template on simple dlls. I've always used the following as a reference when working on PE files in a hex editor:

Exe file format with offsets rather than explanations
http://www.woodmann.com/IDArchive/ID-RIP/database/essays/fboyjoe/exe_hdr.html

Iczelion's tutorial #17 contains the most basic dll/exe example you can get. Use it to try to add sections/exports and study the differences from the original. You can start by adding _imports_ with some existing tool and see how it's done, how you would do that manually. Adding the structure/offsets for exports should be somewhat similar.

People will help if you have a *specific* problem to some detail you can't understand and you can show you've done some work. You're asking things about something that's very difficult to do to start with, and a general plea for help isn't going to get you very far if no one even knows what the question is.

XPFOREVER
August 7th, 2016, 19:53
Quote:
[Originally Posted by Kayaker;97412]As far as I know there are no automagic tools to add exports. Don't know why, I guess there was never a need, most RE tasks of that sort can be done with import addition/code injection. Adding exports is a cool idea, there just isn't usually a call for it.

One way or another you're going to have to completely understand the PE structure and learn to add exports manually to even contemplate what you're trying to do in the larger scheme. Notice that the few in that msfn forum thread I linked who CAN add exports to a system file still have troubles, and they aren't giving away any secrets. "CFF Explorer" was the closest I saw to a clue, but that's only part of the solution.

There are plenty of resources around to understand the PE structure. Iczelion's PE tutorials are a good first resource. Get hold of 010 Editor and run and study the PE parsing template on simple dlls. I've always used the following as a reference when working on PE files in a hex editor:

Exe file format with offsets rather than explanations
http://www.woodmann.com/IDArchive/ID-RIP/database/essays/fboyjoe/exe_hdr.html

Iczelion's tutorial #17 contains the most basic dll/exe example you can get. Use it to try to add sections/exports and study the differences from the original. You can start by adding _imports_ with some existing tool and see how it's done, how you would do that manually. Adding the structure/offsets for exports should be somewhat similar.

People will help if you have a *specific* problem to some detail you can't understand and you can show you've done some work. You're asking things about something that's very difficult to do to start with, and a general plea for help isn't going to get you very far if no one even knows what the question is.

Thanks a lot for the help.

blabberer
August 9th, 2016, 13:46
@kayaker


Well, studying the differences between an exe with and without exports, or mimicking them, should not be much of a problem.

An export by definition is some code that someone outside is expected to use.

That means if you export blah() from your binary you aren't normally supposed to use it.

Someone either LoadLibrary's and calls your blah(), or links to your blah using a .lib or .exp.

(There is no rule that you can't call an exported function internally, nor any exception that it is never called internally.)

In fact you can code a simple C program and produce an exe.

(I will stick with an exe for the demo; exports are normally done in a dll, not in an exe.)

Code:

#include <windows.h>

/* the function that /EXPORT:Add on the linker line turns into an export */
int Add(int a, int b)
{
    return a + b;
}

/* entry point selected with /ENTRY:main, so no CRT startup code is linked in;
   the process exit code is Add(2,3) = 5 */
void main(void)
{
    ExitProcess(Add(2, 3));
}


With that code you can build two exes, one with an export and one without, using this command line:

Code:

cl /Fenoexport.exe expotest.c /link /ENTRY:main /FIXED %linklibs%
cl /Feexport.exe expotest.c /link /ENTRY:main /FIXED /EXPORT:Add %linklibs%

It is a mean little exe with no bloat that you can easily compare for differences.

If e_lfanew is adjusted to point to the same place, the Rich crap nuked out and the time stamp ignored,

we can conclude that the only differences that matter in the header for the exported and no-export binary are

Address of Export Table / Size of Export Table / and VirtualSize in the .rdata section that has the exports,

and then it is simply a matter of parsing the actual export table implementation in the .rdata section.

Code:

fc /b export.exe noexport.exe | head -n 8
Comparing files export.exe and NOEXPORT.EXE
00000140: 30 00
00000141: 20 00
00000144: 41 00
00000148: 28 D0
00000149: 21 20
000001F0: 74 1C
00000600: 58 00

xxd -s +0x140 -l 0x10 -g 1 export.exe
0000140: 30 20 00 00 41 00 00 00 28 21 00 00 28 00 00 00 0 ..A...(!..(...

xxd -s +0x140 -l 0x10 -g 1 noexport.exe
0000140: 00 00 00 00 00 00 00 00 d0 20 00 00 28 00 00 00 ......... ..(...


As stated earlier, you can see 0x140 (with the PE signature at 0xc8) is the Address of Export Table and 0x144 the Size of Export Table.
0x148 is the Address of Import Table, and it changed because the export table seems to be added first, or I couldn't locate how to make the linker embed the
import table first and the export table later.
0x1f0 is VirtualSize in the .rdata section (do the math with the PE header format to confirm my assertion),
and the next difference is directly at 0x600 (the code section is the same in both exes).

And that is plain parsing the diffs by ignoring the import table and finding the diff using Luevelsmeyer / Iczelion / Matt Pietrek / and/or other innumerable me-toos.

The point is, if you add an export table, who is going to code the actual crap that is exported? That is what I was trying to elicit from XPFOREVER, but it seems he is a quitter.

well let me go to sleep
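
Added example (not blabberer's or Kayaker's code, and not a tool from the board's library): a small Python script that does by program what the two posts above describe doing by hand. It walks a PE image from e_lfanew to DataDirectory[0], maps the export RVAs through the section table, lists the exports, and then checks the two header fields the fc/xxd diff shows changing, the export DataDirectory size and the VirtualSize of the section that holds the table, which are exactly what a hex edit forgets to grow. It runs on a constructed PE32 image built in memory (a hypothetical expotest.dll exporting Add and Sub; the bytes, names and RVAs are assumptions, not a real file), so nothing is read from disk; build_sample_pe(rdata_vsize=0x28) fakes a file whose table was grown without growing the section. The parser goes a little beyond the posts by also resolving forwarder entries and accepting PE32+ headers.

```python
"""Walk and sanity-check the export directory of a PE32/PE32+ image (constructed sample, no files read)."""
import struct

EXPORT_DIR = 0  # DataDirectory index of the export table

def export_dir_entry_offset(data):
    """File offset of DataDirectory[EXPORT_DIR]: e_lfanew + 0x78 for PE32, e_lfanew + 0x88 for PE32+.
    With e_lfanew = 0xC8, as in the fc/xxd listing above, that is the 0x140 seen there."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # 0x10B = PE32, 0x20B = PE32+
    return e_lfanew + 24 + {0x10B: 96, 0x20B: 112}[magic] + 8 * EXPORT_DIR

def parse_headers(data):
    """Return (export_rva, export_size, sections) from the DOS, PE, optional and section headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    export_rva, export_size = struct.unpack_from("<II", data, export_dir_entry_offset(data))
    sections = []
    for i in range(nsections):  # IMAGE_SECTION_HEADER entries follow the optional header, 40 bytes each
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, e_lfanew + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rawsize": rawsize, "raw": raw})
    return export_rva, export_size, sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; a section is taken to span max(VirtualSize, SizeOfRawData)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_exports(data):
    """None if no exports; else dll name, [(name, ordinal, RVA-or-forwarder)], and every piece as (label, rva, length)."""
    export_rva, export_size, sections = parse_headers(data)
    if export_rva == 0:
        return None
    def off(rva): return rva_to_offset(sections, rva)
    (_chars, _stamp, _major, _minor, name_rva, base, nfuncs, nnames, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, off(export_rva))  # IMAGE_EXPORT_DIRECTORY
    funcs = struct.unpack_from(f"<{nfuncs}I", data, off(funcs_rva))
    names = struct.unpack_from(f"<{nnames}I", data, off(names_rva))
    ords = struct.unpack_from(f"<{nnames}H", data, off(ords_rva))
    dll = read_cstring(data, off(name_rva))
    pieces = [("IMAGE_EXPORT_DIRECTORY", export_rva, 40), ("AddressOfFunctions", funcs_rva, 4 * nfuncs),
              ("AddressOfNames", names_rva, 4 * nnames), ("AddressOfNameOrdinals", ords_rva, 2 * nnames),
              ("dll name", name_rva, len(dll) + 1)]
    exports = []
    for name_ptr, idx in zip(names, ords):  # the ordinal table indexes AddressOfFunctions, biased by Base
        name = read_cstring(data, off(name_ptr))
        pieces.append(("export name", name_ptr, len(name) + 1))
        target = funcs[idx]
        if export_rva <= target < export_rva + export_size:  # an RVA inside the directory is a forwarder
            target = read_cstring(data, off(target))
        exports.append((name, base + idx, target))
    return {"dll": dll, "exports": exports, "pieces": pieces, "sections": sections, "range": (export_rva, export_size)}

def check_export_bounds(data):
    """Flag pieces outside the export DataDirectory size or past the VirtualSize of the section holding
    the directory: the two header fields the diff above shows changing, which a hand edit can forget to grow."""
    e = parse_exports(data)
    if e is None:
        return []
    export_rva, export_size = e["range"]
    home = next(s for s in e["sections"] if s["va"] <= export_rva < s["va"] + max(s["vsize"], s["rawsize"]))
    problems = []
    for label, rva, length in e["pieces"]:
        if rva < export_rva or rva + length > export_rva + export_size:
            problems.append(f"{label} at {rva:#x}: outside the export DataDirectory size")
        if rva + length > home["va"] + home["vsize"]:
            problems.append(f"{label} at {rva:#x}: past VirtualSize of {home['name']}")
    return problems

def build_sample_pe(rdata_vsize=None):
    """Constructed PE32 DLL image (hypothetical, not a real file): .text holds Add and Sub, .rdata their
    export directory. rdata_vsize overrides .rdata's VirtualSize to mimic a table grown by hand."""
    text = bytes.fromhex("8B44240403442408C3").ljust(16, b"\0") + bytes.fromhex("8B4424042B442408C3")
    rdata = (struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x203C, 1, 2, 2, 0x2028, 0x2030, 0x2038)
             + struct.pack("<II", 0x1000, 0x1010)  # AddressOfFunctions: Add at .text+0, Sub at .text+0x10
             + struct.pack("<II", 0x2049, 0x204D)  # AddressOfNames (kept sorted, GetProcAddress bsearches)
             + struct.pack("<HH", 0, 1)            # AddressOfNameOrdinals
             + b"expotest.dll\0Add\0Sub\0")        # strings at RVA 0x203C, 0x2049, 0x204D
    vsize = len(rdata) if rdata_vsize is None else rdata_vsize
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)        # i386, 2 sections, DLL
    opt = struct.pack("<HBB6I3I6H4I2H6I", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x10000000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x3000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", 0x2000, len(rdata)) + b"\0" * (8 * 15)          # DataDirectory[0] = exports
    secs = (struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack("<8sIIIIIIHHI", b".rdata", vsize, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040))
    headers = (dos + b"PE\0\0" + file_hdr + opt + secs).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0") + rdata.ljust(0x200, b"\0")
```

parse_exports(build_sample_pe())["exports"] comes back as [("Add", 1, 0x1000), ("Sub", 2, 0x1010)], export_dir_entry_offset gives e_lfanew + 0x78 (0xF8 for the sample, 0x140 in blabberer's listing because his e_lfanew is 0xC8), and check_export_bounds on the image built with rdata_vsize=0x28 reports six pieces lying past .rdata's VirtualSize while the untouched image reports nothing. Running the same three functions over a copy of a system DLL read with open(path, "rb").read() is a quick way to confirm a hand-edited export table is internally consistent before the file goes anywhere near system32.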

XPFOREVER
August 10th, 2016, 22:25
someone can write a tool for adding export