For those (like me) who would like to see the source code of the kernel and its internal structures, equates, functions etc... Here is the link to the Windows Research Kernel (WRK) from M$
http://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0
It is well worth downloading.
Hi Gustavo,
good link. Thank you for providing it. :t
Gunther
You're welcome, Gunther :) :t
Here are some more places where it can be downloaded:
http://wrktools.codeplex.com
http://social.microsoft.com/Forums/en-US/home?forum=kernel
http://www.awarenetwork.org/home/iqlord/other/wrk.rar
Btw... I created a PDF containing the M$ documentation related to this set of kernel APIs. I compiled all the docs from the Windows Research Kernel files and uploaded it on the RosAsm board here
http://rosasm.freeforums.org/windows-research-kernel-t168.html
Couldn't upload it here due to the file size limit.
Gustavo,
that's interesting material. You've put much effort into compiling the entire stuff.
Gunther
Indeed, this material is very good and also contradicts what M$ have been releasing in their own docs.
In a discussion I had with Dave here http://masm32.com/board/index.php?topic=3345.0 I was trying to figure out what the hell NtCreateSection was doing in memory, since my debuggers were showing me something different from what the M$ docs said. The 1st member of the structure (which I named SectionHandle) was proving to me that it is not just a handle at all, as the M$ docs said, but a member of an unknown structure.
After several tests I ended up concluding that it is, in fact, part of a structure and not a simple variable where the handle is output.
Today, I finally found some documentation of the functions I'm analyzing and rewriting.
http://forum.vingrad.ru/topic-236938.html
As the source code shows, the "SectionHandle" (SnapSection) is related to a structure called "SNAPSHOTSTATE", whose members I have no idea about, so far.
What I'm doing is rebuilding the CreateToolhelp32Snapshot API to make it work on WinNT4 and also to have another source of reference material for those unknown internal APIs.
Btw.... if someone knows where I can find the sources from the forum I posted above, please post it here, because the needed source is not in any of my files of the kernel source code, nor in the WDM SDK :(
So, if anyone knows where these sources are:
NTSTATUS
ThpAllocateSnapshotSection(
    OUT PHANDLE SnapSection,
    IN DWORD dwFlags,
    IN DWORD th32ProcessID,
    PUCHAR RawProcess,
    PRTL_DEBUG_INFORMATION RawModule,
    PRTL_DEBUG_INFORMATION RawDebugInfo)
(....)
    ULONG ThreadCount = 0;
    SnapShotSize = sizeof(SNAPSHOTSTATE);
    Offset1 = 0;
    //
    // calculate the required snapshot size
    //
    if ((dwFlags & TH32CS_SNAPPROCESS) || (dwFlags & TH32CS_SNAPTHREAD)) {
        do {
            ProcessCount++;
            ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&RawProcess[Offset1];
            Offset1 += ProcessInfo->NextEntryOffset;
            ThreadCount += ProcessInfo->NumberOfThreads;
        } while (ProcessInfo->NextEntryOffset != 0);
    }
Please let me know... or post the link here. I would like to take a look at them.
Wahooooooooooooo... I found it... I already have the leaked Windows 2000 source code here. Now it will be easier to analyse this :biggrin:
The structure is defined as:
/*
 * snapshot structure
 * This is mapped onto the beginning of the memory we use to hold the information.
 */
typedef struct tagSNAPSHOTSTATE {
    /* item list counts */
    ULONG HeapListCount;
    ULONG ProcessCount;
    ULONG ModuleCount;
    ULONG ThreadCount;
    /* item list head pointers */
    PHEAPLIST32 HeapListHead;
    PPROCESSENTRY32W ProcessListHead;
    PMODULEENTRY32W ModuleListHead;
    PTHREADENTRY32 ThreadListHead;
    /* item list current indexes */
    ULONG HeapListIndex;
    ULONG ProcessListIndex;
    ULONG ModuleListIndex;
    ULONG ThreadListIndex;
    /* data begins here... */
    UCHAR DataBegin;
} SNAPSHOTSTATE;
typedef SNAPSHOTSTATE * PSNAPSHOTSTATE;
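Added example (my code, not code from the thread or from the leaked source): the ThpAllocateSnapshotSection counting loop quoted above follows NextEntryOffset through the NtQuerySystemInformation buffer without checking that each entry lies inside it; this version keeps the same walk and the SNAPSHOTSTATE-style sizing (header plus per-process and per-thread records) but rejects a truncated, out-of-bounds or cyclic chain. It assumes reduced stand-in struct layouts and constructed record sizes so that it compiles without windows.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG;
typedef unsigned char UCHAR;

/* Stand-in: the real SYSTEM_PROCESS_INFORMATION begins with these two fields;
 * the constructed Tail replaces the rest, making the entry exactly 16 bytes. */
typedef struct {
    ULONG NextEntryOffset;    /* bytes to the next entry, 0 on the last one */
    ULONG NumberOfThreads;
    UCHAR Tail[8];
} SYSTEM_PROCESS_INFORMATION;

typedef struct { ULONG ProcessCount, ThreadCount; size_t SnapshotSize; } SNAPSHOT_COUNTS;

/* Walks the raw process buffer, counts processes and threads, and sizes the
 * snapshot. Returns 0, or -1 when an entry would be read past RawLength or
 * NextEntryOffset is smaller than an entry (it would re-read or cycle). */
int count_snapshot_entries(const UCHAR *RawProcess, size_t RawLength,
                           size_t HeaderSize, size_t ProcEntrySize,
                           size_t ThreadEntrySize, SNAPSHOT_COUNTS *out)
{
    size_t Offset1 = 0;
    const SYSTEM_PROCESS_INFORMATION *ProcessInfo;

    memset(out, 0, sizeof(*out));
    for (;;) {
        if (RawLength - Offset1 < sizeof(*ProcessInfo))
            return -1;                                    /* entry truncated */
        ProcessInfo = (const SYSTEM_PROCESS_INFORMATION *)&RawProcess[Offset1];
        out->ProcessCount++;
        out->ThreadCount += ProcessInfo->NumberOfThreads;
        if (ProcessInfo->NextEntryOffset == 0)
            break;                                        /* last entry */
        if (ProcessInfo->NextEntryOffset < sizeof(*ProcessInfo) ||
            ProcessInfo->NextEntryOffset > RawLength - Offset1)
            return -1;                                    /* cycle or past the end */
        Offset1 += ProcessInfo->NextEntryOffset;
    }
    out->SnapshotSize = HeaderSize + (size_t)out->ProcessCount * ProcEntrySize
                      + (size_t)out->ThreadCount * ThreadEntrySize;
    return 0;
}

/* Constructed samples: a well-formed 3-entry chain, and one whose first
 * NextEntryOffset points far past the 32-byte buffer. */
static const SYSTEM_PROCESS_INFORMATION SampleBuffer[3] = {
    { 16, 4, {0} }, { 16, 12, {0} }, { 0, 3, {0} } };
static const SYSTEM_PROCESS_INFORMATION BadBuffer[2] = { { 4096, 1, {0} }, { 0, 1, {0} } };

/* Record sizes 52/556/28 are assumed for the example; real ones depend on the build. */
SNAPSHOT_COUNTS demo_counts(void) {
    SNAPSHOT_COUNTS c;
    count_snapshot_entries((const UCHAR *)SampleBuffer, sizeof(SampleBuffer), 52, 556, 28, &c);
    return c;
}
int demo_bad_buffer(void) {
    SNAPSHOT_COUNTS c;
    return count_snapshot_entries((const UCHAR *)BadBuffer, sizeof(BadBuffer), 52, 556, 28, &c);
}
```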
a lot of that information can be found here
http://undocumented.ntinternals.net
Quote from: guga on July 01, 2014, 02:27:44 AM
For those (like me) who would like to see the source code of the kernel and its internal structures, equates, functions etc... Here is the link to the Windows Research Kernel (WRK) from M$
http://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0
It is well worth downloading.
Hi guga,
I'm not sure why the page won't open for me. Firefox said "The server at www.facultyresourcecenter.com is taking too long to respond."
But anyway, it's nice to know that the Windows Research Kernel is now publicly available.
Years ago, it was only available (legally) to those who were members of the MSDN AA program.
Dave,
Quote from: dedndave on July 01, 2014, 09:19:26 AM
a lot of that information can be found here
http://undocumented.ntinternals.net
your link doesn't work for me.
Gunther
try this, Gunther
you may have to have an updated version of java
or - perhaps look at an older archive
http://web.archive.org/web/20140326223518/http://undocumented.ntinternals.net/
Thank you, Dave. :t
Gunther
Gunther, if you want, I uploaded the contents of the whole site, plus the chm containing the functions etc., and another source in pdf format
here http://rosasm.freeforums.org/undocumented-windowsnt-t170.html
Gustavo,
Ah, the RosAsm forum. Thank you for the link. :t
Gunther
Yeah... I'm posting some of the files in the RosAsm forum, because here we have a size limit, and some of the files exceed it.
One of the files has 20 Mb (this one I uploaded to mega.co :)
For example, I found an excellent article about PE insecurity here http://www.reversinglabs.com/advisory/pecoff.html, but I couldn't upload the pdfs due to the limitation. So I created a subforum devoted to ebooks in the RosAsm forum that can handle bigger uploads.
Btw... Anta, do you want me to upload the contents of http://www.microsoft.com/education/ww/faculty/pages/resources.aspx ?
Are you still having trouble opening the site?
Gustavo,
Quote from: guga on July 02, 2014, 03:33:44 AM
For example, I found an excellent article about PE insecurity here http://www.reversinglabs.com/advisory/pecoff.html, but I couldn't upload the pdfs due to the limitation. So I created a subforum devoted to ebooks in the RosAsm forum that can handle bigger uploads.
that's a really interesting article. Good to know for every serious programmer.
Gunther
Quote from: guga on July 02, 2014, 03:46:14 AM
Btw... Anta, do you want me to upload the contents of http://www.microsoft.com/education/ww/faculty/pages/resources.aspx ?
Are you still having trouble opening the site?
Hi guga,
No problem. After using a proxy, I could access that page.
Blame my ISP, I guess.
Anyway, after checking my old external disks, I found my MSDN AA stuff, including the Windows Research Kernel itself ;)
OK, guys... I'm nearly finished with the new CreateToolhelp32Snapshot function.
Once done, I'll try to recreate "Process32First" and "Process32Next" and post them here.
Ok, I finished the newer CreateToolhelp32Snapshot function. It's working fine here with all the flags used in the regular API. All M$ annoyances are now fixed. No more polluting the stack unnecessarily, and the error messages are now properly set.
I will start rebuilding the others to try to make a small app for you guys to test, if you like :)
I need people to help me test this on Vista/Win7 and above, and especially on the good old Win NT4.
Why NT4? Because CreateToolhelp32Snapshot wasn't supposed to work with it ;)
Quote from: guga on July 01, 2014, 03:18:47 AM
Btw... I created a PDF containing the M$ documentation related to this set of kernel APIs. I compiled all the docs from the Windows Research Kernel files and uploaded it on the RosAsm board here
http://rosasm.freeforums.org/windows-research-kernel-t168.html
Couldn't upload it here due to the file size limit.
Hi Guga,
I know it's been a few years, but is there any way you can re-upload this to a working location? I'm doing extensive research and work with this stuff and the docs would be VERY VERY handy. Thank you so much.
Hi Mondragon,
Sorry for the delay, I just saw it now.
Here is a link where i uploaded the old files for windows research kernel. (https://www.4shared.com/rar/vouQmCXSca/Windows_research_kernel.html)
I uploaded the full pdf and the wrk files.