Windows Research Kernel

Started by guga, July 01, 2014, 02:27:44 AM


guga

For those (like me) who would like to see the source code of the kernel and its internal structures, equates, functions etc... Here is the link to the Windows Research Kernel (WRK) from M$
http://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0

It is worth downloading it.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

Gunther

Hi Gustavo,

good link. Thank you for providing it.  :t

Gunther
You have to know the facts before you can distort them.

guga

You're welcome, Gunther :)  :t

Here are some more places where it can be downloaded:
http://wrktools.codeplex.com
http://social.microsoft.com/Forums/en-US/home?forum=kernel
http://www.awarenetwork.org/home/iqlord/other/wrk.rar

guga

Btw...I created a PDF containing the M$ documentation related to this set of kernel APIs. I compiled all docs from the Windows Research Kernel file and uploaded it on the RosAsm board here
http://rosasm.freeforums.org/windows-research-kernel-t168.html

Couldn't upload it here due to the file size limitation.

Gunther

Gustavo,

that's interesting material. You've put much effort into compiling the entire stuff.

Gunther

guga

Indeed, this material is very good and also contradicts what M$ has been releasing in their own docs.

In a discussion I had with Dave here http://masm32.com/board/index.php?topic=3345.0 I was trying to figure out what the hell NtCreateSection was doing in memory, since my debuggers were showing me something different from what the M$ docs said. The 1st member of the structure (which I named SectionHandle) was proving to me that it is not at all just a handle as the M$ docs said, but a member of an unknown structure.

After several tests I ended up concluding that it is, in fact, part of a structure and not a simple variable where the handle is output.

Today, I finally found some documentation of the functions I'm analyzing and rewriting.

http://forum.vingrad.ru/topic-236938.html

As the source code shows, the "SectionHandle" (SnapSection) is related to a structure called "SNAPSHOTSTATE", whose members I have no idea about, so far.

What I'm doing is rebuilding the CreateToolhelp32Snapshot API to make it work on WinNT4 and also to have another source of reference material for those unknown internal APIs.

Btw....if someone knows where I can find the sources from the forum I posted above, please post it here, because the needed source is not in any of my files of the kernel source code, nor in the WDM SDK  :(

So, if anyone knows where these sources are:
NTSTATUS
ThpAllocateSnapshotSection(
    OUT PHANDLE SnapSection,
    IN DWORD dwFlags,
    IN DWORD th32ProcessID,
    PUCHAR RawProcess,
    PRTL_DEBUG_INFORMATION RawModule,
    PRTL_DEBUG_INFORMATION RawDebugInfo)
(....)
   ULONG ThreadCount = 0;
    SnapShotSize = sizeof(SNAPSHOTSTATE);
    Offset1 = 0;
    //
    // calculate the required snapshot size
    //
    if ((dwFlags & TH32CS_SNAPPROCESS) || (dwFlags & TH32CS_SNAPTHREAD)) {
        do {
            ProcessCount++;
            ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&RawProcess[Offset1];
            Offset1 += ProcessInfo->NextEntryOffset;
            ThreadCount += ProcessInfo->NumberOfThreads;
        } while (ProcessInfo->NextEntryOffset != 0


Please, let me know...or post the link here. I would like to take a look at them.
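
As an added example (not code from the leaked source, the WRK, or this thread), here is the counting walk from the quoted ThpAllocateSnapshotSection fragment rewritten so that every step of the NextEntryOffset chain is checked against the buffer length before it is followed. The record type ProcInfo and the sample buffer are constructed for the example and do not reproduce the real SYSTEM_PROCESS_INFORMATION layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the records the quoted loop walks; constructed for
   this example, NOT the real SYSTEM_PROCESS_INFORMATION layout. */
typedef struct {
    uint32_t NextEntryOffset;  /* bytes to the next record, 0 = last record */
    uint32_t NumberOfThreads;
    uint32_t UniqueProcessId;
} ProcInfo;

/* Same walk as the quoted ThpAllocateSnapshotSection fragment (count
   processes and threads along the NextEntryOffset chain), but every step is
   bounds-checked. Returns 1 for a well-formed chain, 0 if a record is
   truncated, an offset would leave the buffer, or an offset cannot advance. */
int count_entries(const uint8_t *raw, size_t raw_len, size_t *procs, size_t *threads)
{
    size_t off = 0;
    *procs = *threads = 0;
    for (;;) {
        if (raw_len - off < sizeof(ProcInfo)) return 0;      /* record truncated */
        ProcInfo pi;
        memcpy(&pi, raw + off, sizeof pi);                    /* no unaligned read */
        (*procs)++;
        *threads += pi.NumberOfThreads;
        if (pi.NextEntryOffset == 0) return 1;                /* last record */
        if (pi.NextEntryOffset < sizeof(ProcInfo)) return 0; /* overlap or loop */
        if (pi.NextEntryOffset > raw_len - off) return 0;    /* leaves the buffer */
        off += pi.NextEntryOffset;
    }
}

/* Constructed sample: three records, the second followed by 8 padding bytes so
   that NextEntryOffset != sizeof(ProcInfo). Returns the bytes used (44). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    const ProcInfo recs[3] = { { sizeof(ProcInfo), 2, 4 },
                               { sizeof(ProcInfo) + 8, 5, 120 },
                               { 0, 1, 300 } };
    size_t off = 0;
    if (cap < 44) return 0;
    memset(buf, 0, cap);
    for (int i = 0; i < 3; i++) {
        memcpy(buf + off, &recs[i], sizeof(ProcInfo));
        off += recs[i].NextEntryOffset ? recs[i].NextEntryOffset : sizeof(ProcInfo);
    }
    return off;
}
```

The quoted kernel loop only stops on NextEntryOffset == 0; feeding the same chain a truncated copy of the buffer shows why the extra checks matter when the snapshot is sized from data the caller did not produce itself.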

guga

Wahooooooooooooo...I found it... I already have the leaked Windows2000 source code here. Now it will be easier to analyse this  :biggrin:

The structure is defined as:

/*
snapshot structure

This is mapped onto the beginning of the memory we use to hold the information.

*/
typedef struct tagSNAPSHOTSTATE {
    /* item list counts */
    ULONG    HeapListCount;
    ULONG    ProcessCount;
    ULONG    ModuleCount;
    ULONG    ThreadCount;
    /* item list head pointers */
    PHEAPLIST32         HeapListHead;
    PPROCESSENTRY32W    ProcessListHead;
    PMODULEENTRY32W     ModuleListHead;
    PTHREADENTRY32      ThreadListHead;
    /* item list current indexes */
    ULONG   HeapListIndex;
    ULONG   ProcessListIndex;
    ULONG   ModuleListIndex;
    ULONG   ThreadListIndex;
    /* data begins here... */
    UCHAR    DataBegin;
}SNAPSHOTSTATE;
typedef SNAPSHOTSTATE * PSNAPSHOTSTATE;

dedndave


anta40

Quote from: guga on July 01, 2014, 02:27:44 AM
For those (like me) who would like to see the source code of the kernel and its internal structures, equates, functions etc... Here is the link to the Windows Research Kernel (WRK) from M$
http://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0

It is worth downloading it.

Hi guga,

I'm not sure why the page won't open for me. Firefox said "The server at www.facultyresourcecenter.com is taking too long to respond."
But anyway, it's nice to know that the Windows Research Kernel is now publicly available.
Years ago, it was only available (legally) to those who were members of the MSDN AA program.

Gunther

Dave,

Quote from: dedndave on July 01, 2014, 09:19:26 AM
a lot of that information can be found here

http://undocumented.ntinternals.net

your link doesn't work for me.

Gunther

dedndave

try this, Gunther
you may have to have an updated version of java
or - perhaps look at an older archive

http://web.archive.org/web/20140326223518/http://undocumented.ntinternals.net/

Gunther

Thank you, Dave.  :t

Gunther

guga

Gunther, if you want, I uploaded the contents of the whole site, plus the chm containing the functions etc, and another source in pdf format

here http://rosasm.freeforums.org/undocumented-windowsnt-t170.html

Gunther

Gustavo,

Ah, the RosAsm forum. Thank you for the link.  :t

Gunther

guga

Yeah...I'm posting some of the files in the RosAsm forum, because here we have a size limitation, and some of the files exceed the limit.

One of the files has 20 Mb (this one I uploaded to mega.co :)


For example, I found an excellent article about PE insecurity here http://www.reversinglabs.com/advisory/pecoff.html, but I couldn't upload the PDFs due to the limitation. So I created a subforum devoted to ebooks in the RosAsm forum that can handle bigger uploads.