Library of missing functions for Windows XP/2003/Vista/7 NTOSKRNL.EXE
Project is intended to help in porting drivers from Windows 7/8/8.1/10 for work with Windows XP/2003/Vista/7
How-To:
- Compile sources to make ntoskrn8.sys
- Make corrections to target driver XXX.sys so that it loads ntoskrn8.sys instead of the original ntoskrnl.exe
- If XXX.sys is driver made for Windows 8, change security_cookie to random value, security_cookie is constant 0x4EE640BB(x32) / 0x32A2DF2D992B(x64) inside file, change only first match !
- Place ntoskrn8.sys to X:/Windows/system32/drivers/ folder
Compiling:
-
Install Windows 7 DDK v7.1.0 (download from Microsoft Web site)
-
Original DDK header files has mistake with definintion of MmAllocateContiguousMemorySpecifyCacheNode, apply fix to two files \WinDDK\Win7\inc\ddk\ntddk.h and \WinDDK\Win7\inc\ddk\wdm.h:
#if (NTDDI_VERSION >= NTDDI_WIN2K)
typedef ULONG NODE_REQUIREMENT;
to:
#if (NTDDI_VERSION >= NTDDI_VISTA)
typedef ULONG NODE_REQUIREMENT;
-
Download project files to any local folder
git clone https://github.com/MovAX0xDEAD/NTOSKRNL_Emu -
Choose Target OS (XP, 2003, Vista or WIndows 7) for which OS Emu_Extender will be compiled. Keep in mind that depending on the target operating system the way of exporting the functions changes, if a function already exists in the kernel it will be simply redirected without injecting emulation code
-
Run shell: "Start Menu\Programs\Windows Driver Kits\Win7 7600.16385.1\Build Environments\Windows XXX\YYY Free Build Environment" (XXX - target OS, YYY - target CPU)
-
In shell change current directory to local project folder
-
In shell type command BLD to compile project
-
Compiled ntoskrn8.sys will be in ntoskrn8/objfre_XXX_x86/YYY folder
This is Library of missing functions for Windows 7' STORPORT.SYS v6.1.7601.xxxxx to emulate Windows 8' STORPORT.SYS
How-To:
- Compile ntoskrnl Emu_Extender
- Place storpor8.sys to X:/Windows/system32/drivers/ folder
- Make corrections to target xxx.sys so that it loads storpor8.sys instead of the original storport.sys
- Place backported storport.sys from Windows 7 to X:/Windows/system32/drivers/ folder
Last version for Windows XP/2003 is 1.9, but possible to backport 1.11 version:
-
Get files from Windows 7 Updates (KB3125574):
WDF01000.SYS v1.11.9200.20755 WdfLdr.sys v1.11.9200.16384 -
In WDF01000.SYS replace string "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
Recalc checksum
If need coexist with original WDF1.9 drivers:
- Rename WDF01000.SYS->WDF01_W8.SYS, WdfLdr.sys->WdfLdr8.sys
- In WDF01_W8.SYS replace string "WdfLdr.sys" to "WdfLdr8.sys" in import section
- In WdfLdr8.sys replace unicode string "\Registry\Machine\System\CurrentControlSet\Services\Wdf%02d000" to "\Registry\Machine\System\CurrentControlSet\Services\Wdf%02d_w8"
- In WdfLdr8.sys replace hex pattern F6 78 1B F6 to F6 EB 1B F6 (x32), 85 FF 78 2A to 85 FF EB 2A (x64)
- In target driver XXX.sys replace string "WdfLdr.sys" to "WdfLdr8.sys" in import section
- In .INF of ported driver add creating new service:
AddService=WDF01_W8,, WDF.AddService
....
[WDF.AddService]
DisplayName = "Windows Driver Framework v1.11 for XP/2003"
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\WDF01_W8.SYS
LoadOrderGroup = Base
- Recalc checksum of all edited *.sys
Storport was released since Windows 2003, but possible to backport Windows 7 version:
-
Get files from Windows 7 Updates (KB5010404):
storport.sys v6.1.7601.25735 -
In storport.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
Storport may use MSI interrupts, need to force use only legacy/non-MSI interrupts:
x32 - replace hex pattern 8B 8E 3C 01 00 00 to B9 00 00 00 00 90 (mov ecx, [esi+13Ch] -> mov ecx, 0)
x64 - replace hex pattern 8B 83 C0 01 00 00 to B8 00 00 00 00 90 (mov eax, [rbx+1C0h] -> mov eax, 0)
-
Windows 7 storport does not report SMART data when using STORAHCI, need to patch RaUnitScsiMiniportIoctl in storport.sys to enable SMART reporting:
x32 - replace hex pattern 75 36 8B 45 0C 81 78 10 00 06 1B 00 75 2A to 90 90 8B 45 0C 81 78 10 00 06 1B 00 90 90
x64 - replace hex pattern 75 36 81 7F 10 00 06 1B 00 75 2D to 90 90 81 7F 10 00 06 1B 00 90 90
-
Recalc checksum
-
Get files from Windows 7 Updates (KB3125574):
stornvme.sys v6.1.7601.23403 -
MS Windows 7 NVMe driver require storport.sys from Windows 7, use backported one
USB3 driver from Windows 8 require WDF 1.11, use backported one.
-
Get required files from Windows 8 (KB4534283/4556840, KB2984005, RTM ISO):
ucx01000.sys v6.2.9200.22453 usbhub3.sys v6.2.9200.21180 usbxhci.sys v6.2.9200.22099 wpprecorder.sys v6.2.9200.16384 usbd.sys v6.2.9200.20761
from Vista Beta/Longhorn 5456.5:
ksecdd.sys v6.0.5456.5
-
In files ucx01000.sys, usbhub3.sys, usbxhci.sys, wpprecorder.sys, usbd.sys change security_cookie to random value
-
In files ucx01000.sys, usbhub3.sys, usbxhci.sys, ksecdd.sys replace string name "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
For x64 usbd.sys, replace string name "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
Rename ksecdd.sys->ksecd8.sys, usbd.sys->usbd_w8.sys, wpprecorder.sys->wpprecor.sys
-
In files ucx01000.sys, usbhub3.sys, usbxhci.sys replace string name "WppRecorder.sys" to "WppRecor.sys" in import section
-
In usbhub3.sys replace string name "ksecdd.sys" to "ksecd8.sys" in import section
-
In usbhub3.sys replace string name "usbd.sys" to "usbd_w8.sys" in import section
-
Windows 8 USB3 driver always report USB2 speed on inserted USB3 devices, need to patch usbhub3.sys for proper speed reporting:
x32 - replace hex pattern 83 7E 54 03 75 09 to 83 7E 54 03 EB 09
x64 - replace hex pattern 00 00 00 03 75 0A to 00 00 00 03 EB 0A
-
Recalc checksum
Needs files from Windows 8 USB3 driver (usbd_w8.sys and wpprecor.sys).
Note that some motherboards may have a deadlock issue when trying to reboot with the UAS device connected. Windows will turn off but not finish the reboot cycle. If you Safe Remove the UAS device reboot will finish normally. There is the option of using the deadlock patched version of the driver that fixes the issue.
-
Get required files from Windows 8 (RTM ISO):
uaspstor.sys v6.2.9200.16384 -
In uaspstor.sys change security_cookie to random value
-
In uaspstor.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys","storport.sys" to "storpor8.sys","usbd.sys" to "usbd_w8.sys", "WppRecorder.sys" to "WppRecor.sys" in import section
-
Recalc checksum
Deadlock patched UASP (CAUTION: Same as with a USB flash drive, rebooting while writing data will corrupt your data)
-
In uaspstor.sys change security_cookie to random value
-
In uaspstor.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys","storport.sys" to "stor_ua8.sys","usbd.sys" to "usbd_w8.sys", "WppRecorder.sys" to "WppRecor.sys" in import section
-
Create a copy of "storport.sys" and rename to "stor_uas.sys", create a copy of "storpor8.sys" and rename to "stor_ua8.sys"
-
In stor_ua8.sys replace string "storport.sys" to "stor_uas.sys"
-
In stor_uas.sys patch RaidAdapterSetSystemPowerCompletion to fix deadlock. Only the UASP driver will use this patched storport.
x32 - replace hex pattern 75 0B 85 FF to EB 0B 85 FF
x64 - replace hex pattern 75 0C 41 3B FE to EB 0C 41 3B FE
-
In stor_uas.sys replace unicode string "\ D e v i c e \ R a i d P o r t" to something else like "\ D e v i c e \ U a s p P o r t"
-
Recalc checksum
STORAHCI driver requires storport.sys from Windows 8, but possible to use storport.sys v6.1.7601.xxxxx from Windows 7 Storport.sys from Windows 7 more compatible with Windows XP/2003 because it still call required PoStartNextPowerIrp when processing power IRPs. Microsoft removed calls to PoStartNextPowerIrp in Windows 8's storport.sys, without this call Windows XP/2003 kernel cannot finish current power IRP and start next IRP => it generate BSOD (0x0000009F). Also storport.sys from Windows 7 has compatibility mode to allow old XP/2003 kernels write crashdumps through storport based disk drivers. In storport.sys from Windows 8 compatibility mode was removed, writing crashdumps possible only with new kernels.
Take attention: Windows 8's STORAHCI + Windows 7's STORPORT may have significal performance drop and high CPU usage, there is no fix yet
-
Get files from Windows 8 Updates (KB5006739):
storahci.sys v6.2.9200.20652 -
In storahci.sys replace string "storport.sys" to "storpor8.sys" in import section
-
Storahci.sys was compiled with Windows 8 DDK's storport.h and writes values to new fields of _PORT_CONFIGURATION_INFORMATION struct, these fields not exist in Windows 7's storport.sys. Need to skip these writes to avoid damaging other structures in memory:
- x32:
- Replace hex pattern 83 A6 C8 00 00 00 00 to 90 90 90 90 90 90 90 (and dword ptr [esi+0C8h], 0 -> nop)
- Replace hex pattern 83 8E CC 00 00 00 03 to 90 90 90 90 90 90 90 (or dword ptr [esi+0CCh], 3 -> nop)
- x64:
- Replace hex pattern 44 89 B7 D8 00 00 00 to 90 90 90 90 90 90 90 (mov [rdi+0D8h], r14d -> nop)
- Replace hex pattern 83 8F DC 00 00 00 03 to 90 90 90 90 90 90 90 (or dword ptr [rdi+0DCh], 3 -> nop)
If you want compile storahci from sources (from Windows 8 DDK Samples), comment two lines:
ConfigInfo->BusResetHoldTime = 0;
...
ConfigInfo->FeatureSupport |= STOR_ADAPTER_FEATURE_STOP_UNIT_DURING_POWER_DOWN;
-
In storahci.sys change security_cookie to random value
-
Recalc checksum
-
Get files from Windows 7 Updates (KB5010404):
atapi.sys v6.1.7601.25735 ataport.sys v6.1.7601.25735 msahci.sys v6.1.7601.25735 pciidex.sys v6.1.7601.25735 -
In ataport.sys, pciidex.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
Pciidex.sys uses MS Internal/Undocumented HalDispatchTable way to call functions from Kernel/HAL, for Windows XP/2003 need to use compatible variant:
- x32: replace hex pattern FF 50 3C to FF 50 40, same in asm code:
mov eax, ds:HalDispatchTable
...
call dword ptr [eax+3Ch] => call dword ptr [eax+40h]
- x64: replace hex patterns:
- FF 50 78 to EB 2A 90
- offset +2Ch: CC CC CC CC CC CC CC CC 48 89 6C to FF 90 80 00 00 00 EB CF 48 89 6C, same in asm code:
mov rax, cs:HalDispatchTable
...
call qword ptr [rax+78h] => jmp patch
orig:
mov r10d, eax
patch:
call qword ptr [eax+80h]
jmp orig
-
Recalc checksum
-
MSHDC.INF from Windows 7 conflict with original mshdc.inf from Windows XP/2003. msahci.sys enumerates IDE/SATA channels as "Internal_IDE_Channel" and compatible ID is "*PNP0600". Original mshdc.inf from Windows XP/2003 for compatible Device ID "*PNP0600" will install wrong "Standard IDE/ESDI Hard Disk Controller" driver
These drivers require storport.sys from Windows 7, use backported one
-
In file iaStorA.sys/iaStorAC.sys/iaStorAVC.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys" in import section (do not change second string "NTOSKRNL.exe")
-
Recalc checksum
This driver requires storport.sys from Windows 7, use backported one
-
In file amd_xata.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
Recalc checksum
This driver requires storport.sys from Windows 7, use backported one
-
In file secnvme.sys/secnvmeF.sys replace string "ntoskrnl.exe" to "ntoskrn8.sys" in import section
-
Recalc checksum