Windows Research Kernel

[guga]

For those (like me) who would like to see the source code of kernel and their internal structures, equates, functions etc...Here is the link of Windows Research Kernel (WRK) from M$
http://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0

It is worthfull dl it.

[Gunther]

Hi Gustavo,

good link. Thank you for providing it. 

Gunther

[guga]

You're welcome, Gunther :) 

Here are some more where it can be downloaded
http://wrktools.codeplex.com
http://social.microsoft.com/Forums/en-US/home?forum=kernel
http://www.awarenetwork.org/home/iqlord/other/wrk.rar

[guga]

Btw...I created a PDF containing the M$ documentation related to this Set of Kernel Apis.I compiled all docs from Windows Research Kernel file and uploaded on RosAsm board here
http://rosasm.freeforums.org/windows-research-kernel-t168.html

Couldn´t upload it in here due to the limitations of file size.

[Gunther]

Gustavo,

that's interesting material. You've had much effort compiling the entire stuff.

Gunther

[guga]

Indeed, this material is very good and also contradicts what M$ have being releasing on their own docs.

On a discussion i had with Dave here http://masm32.com/board/index.php?topic=3345.0 i was trying to figure it out what a hell NtCreateSection was doing in memory, since my debuggers were showing me something different from what M$ docs said. The 1st member of the structure (which i named as: SectionHandle) was proving to me that it is not at all just a handle as M$ docs said, but a member of a unknown structure.

After several tests i ended concluding that it is, in fact, part of a structure and not a simple variable where the handle is outputed.

Today, i finally found some documentation of the functions i´m analyzing and rewriting.

http://forum.vingrad.ru/topic-236938.html

As the source code shows, the "SectionHandle" (SnapSection) is related to a structure called "SNAPSHOTSTATE", whose members i have no idea what they are, so far.

What i´m doing is rebuilding CreateToolhelp32Snapshot Api to make it works on WinNT4 and also to have another source of reference material for those unknown internal Apis.

Btw....is someone knows where can i find the sources from the forum i posted above, please post it here, because the needed source is not in any of mine files of the Kernel Source code, neither the WDM SDK 

So, if anyone knows where are these sources:

Code: [Select]

NTSTATUS
ThpAllocateSnapshotSection(
    OUT PHANDLE SnapSection,
    IN DWORD dwFlags,
    IN DWORD th32ProcessID,
    PUCHAR RawProcess,
    PRTL_DEBUG_INFORMATION RawModule,
    PRTL_DEBUG_INFORMATION RawDebugInfo)
(....)
   ULONG ThreadCount = 0;
    SnapShotSize = sizeof(SNAPSHOTSTATE);
    Offset1 = 0;
    //
    // calculate the required snapshot size
    //
    if ((dwFlags & TH32CS_SNAPPROCESS) || (dwFlags & TH32CS_SNAPTHREAD)) {
        do {
            ProcessCount++;
            ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&RawProcess[Offset1];
            Offset1 += ProcessInfo->NextEntryOffset;
            ThreadCount += ProcessInfo->NumberOfThreads;
        } while (ProcessInfo->NextEntryOffset != 0

Please, let me know...or post the link here. I wold like to take a look at them.

[guga]

Wahooooooooooooo...I found it... I already have the leaked Windows2000 Source code here. Now it will be easier analyse this 

The structure is defined as:

Code: [Select]

/*
 snapshot structure

 This is mapped onto the beginning of the memory we use to hold the information.

*/
typedef struct tagSNAPSHOTSTATE {
    /* item list counts */
    ULONG    HeapListCount;
    ULONG    ProcessCount;
    ULONG    ModuleCount;
    ULONG    ThreadCount;
    /* item list head pointers */
    PHEAPLIST32         HeapListHead;
    PPROCESSENTRY32W    ProcessListHead;
    PMODULEENTRY32W     ModuleListHead;
    PTHREADENTRY32      ThreadListHead;
    /* item list current indexes */
    ULONG   HeapListIndex;
    ULONG   ProcessListIndex;
    ULONG   ModuleListIndex;
    ULONG   ThreadListIndex;
    /* data begins here... */
    UCHAR    DataBegin;
}SNAPSHOTSTATE;
typedef SNAPSHOTSTATE * PSNAPSHOTSTATE;

[dedndave]

a lot of that information can be found here

http://undocumented.ntinternals.net

[anta40]

For those (like me) who would like to see the source code of kernel and their internal structures, equates, functions etc...Here is the link of Windows Research Kernel (WRK) from M$
http://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0

It is worthfull dl it.

Hi guga,

I'm not sure why the page won't open for me. Firefox said "The server at www.facultyresourcecenter.com is taking too long to respond."
But anyway, it's nice to know that the Windows Research Kernel is now publicly available.
Years ago, it was only available (legally) for those who were the member of MSDN AA program.

[Gunther]

Dave,

a lot of that information can be found here

http://undocumented.ntinternals.net

your link doesn't work for me.

Gunther

[dedndave]

try this, Gunther
you may have to have an updated version of java
or - perhaps look at an older archive

http://web.archive.org/web/20140326223518/http://undocumented.ntinternals.net/

[Gunther]

Thank you, Dave. 

Gunther

[guga]

Gunther, if you want i uploaded the contents of the whole site, plus, the chm containing the functions etc, and another source in pdf format

here http://rosasm.freeforums.org/undocumented-windowsnt-t170.html

[Gunther]

Gustavo,

Ah, the RosAsm forum. Thank you for the link. 

Gunther

[guga]

Yeah...I´m posting in RosAsm forum some of the file,s because here we have a limitation of size, and some of the files extends the limit.

One of the files, have 20 Mb (This one, i uploaded in mega.co :)


For example, i found an excellent article about PE insecurity here http://www.reversinglabs.com/advisory/pecoff.html, but i coldnt´upload the pdfs due to the limitation. So i created a subforum devoted to ebooks in RosAsm forum that can handle bigger uploads.