Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   adding code to kernel32.dll (https://forum.exetools.com/showthread.php?t=5943)

amigo 12-02-2004 18:12

adding code to kernel32.dll
 
Hi
I have the following problem: I am writing an 'extension' to kernel32.dll (XP). There's not enough free space inside the file for my code, so I tried to add a new section. But it failed - there is a kernel error during XP loading (4C, c000007B - "bad image"; info from the XP DDK - "this kind of error occurs very infrequently" :)).
The total size of the original image is ED000h. I tried to increase the last existing section (.reloc), and I tried to create a new one - both failed. It fails when the total size is above ED000.
Kernel32 is located in memory just before ntdll.dll and there are 3000h bytes of free space between them - so theoretically there is space for my bigger image. As QUERY and MAP32 say, this space belongs to no one.
Is there any free space needed by the system after the ring3 dll image? Used temporarily for something?
If anyone can help, it will be nice :)

Regards
amigo

PS Of course I can remove some original code or resource to make space for my code , but I'd like to leave original image intact.

lifewire 12-03-2004 00:56

Did you recalculate the checksum field after modifying the .exe? (just a guess)

amigo 12-03-2004 16:49

Yes,
The checksum doesn't matter here :(, the loader doesn't check it; after a modification inside existing code it loads the file OK without correcting the checksum.
It depends on the total size of the image - I can increase the last section 'a little' - up to a total size of ED000h (alignment 1000h), and above this value the crash occurs.

Regards
amigo

karlss0n 12-10-2004 19:34

Maybe MS loads the kernel without the standard EXE loader.
It would be very strange, but who knows MS's ways? ;)

ufospace 12-11-2004 08:53

Don't patch kernel32.dll; it may be a system file protected by the OS loader.
Use a global hook or DLL injection.

amigo 12-19-2004 01:10

I've patched it, without correcting the checksum, and XP works OK with my code inside. So the OS loader didn't check it.
UFOSPACE, you said "don't patch, but hook". But hooking during OS loading requires ring0 patching...
Thanks all for the suggestions, but the problem remains.

unknownone 01-12-2005 11:43

Hi amigo,
try to debug the OS loader to see what it does.

hajir 01-12-2005 23:38

I think the new PE ImageSize ( [PE_Header+0x50] ) is incorrect and should be recalculated.

PE ImageSize = Sum of the VirtualSize (aligned with ObjectAlign) of all Sections

hksonngan 01-13-2005 03:25

Try looking at the source code of the Kriv virus; some of its techniques are very good for learning how to add code to kernel32.dll.

omidgl 01-13-2005 19:37

amigo:
I don't know what you are going to do with that change. But maybe there are some cleaner ways to do it.
If you are going to change some API behavior or execution... then it's better to use a filter between Kernel32.dll and Ntdll.dll (using API redirection/spying), so that you can take control, do what you want in response to API calls from user-mode programs and return them what you want. By using that method you can remove yourself at any time and restore the system behavior to its normal state.

Regards
OMID

bart 01-13-2005 22:37

Did you try to put your code inside an additional DLL file, then just load that DLL from the patched kernel's code and use GetProcAddress() to find & call your code (if you need to modify something inside the kernel, pass it to your procedure as a pointer)? Just my 0.02$

zephyrer 01-14-2005 18:16

I think the key to this problem is the OS loader. Probably the OS loader limits the image size...
BART's advice may be a solution, if your code doesn't have to be executed during loading.

amigo 01-14-2005 21:34

Now it works
 
Hi
Great thanks for all
I resolved the problem. I can't believe I made such a silly mistake:
I had increased both the Raw and Virtual Size, keeping Raw=Virtual.
I worked only on the PE header; the file size didn't change.
So the Raw Size in the PE header pointed past EOF :((.
This caused the error.
After adding some nulls up to the EOF all is OK.
I added the new section after the last original one, .reloc. There's 3000h of free space between the kernel32 and ntdll images (XP SP1), so I created a new section 3000h in size. This is enough for my code.

Of course, Omidgl, I can explain what I'm doing.
I'm writing some kind of universal antiviral protection.
I add my code to some procs (CreateProcess, CreateService etc.).
My code checks the name of the starting process/service and its properties (size, checksum) against a list. When the starting process is not on the list, a message box appears: "Do you want to start CIH.exe, image size..., created ....?".
If the answer is no, it writes 0 as the first byte of the path, so the system message 'can't find the file' appears :).
Yeah, I know, it's a little lame.....

Regards
amigo
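The mistake amigo describes (a section header whose PointerToRawData plus SizeOfRawData runs past the end of the file) and the SizeOfImage field hajir points at are exactly the things a header sanity check can catch before a modified image is ever booted. What follows is an added example in Python, not code from this thread or from any of its posters: it builds a small constructed PE32 (no real kernel32.dll is read), compares the section table against the file, applies amigo's fix of zero-padding the file to the claimed raw size, and recomputes the optional-header CheckSum that lifewire asked about so a mismatch can be reported. All function names, the constructed image and its section names are this example's own.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
OPT_HDR = struct.Struct("<HBB9I6H4IHH6I")    # IMAGE_OPTIONAL_HEADER32 without the 16 data directories


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_pe(sections, file_alignment=0x200, section_alignment=0x1000,
             size_of_image=None, truncate_last=False):
    """Build a constructed, minimal PE32 from [(name, virtual_size, raw_bytes)].

    size_of_image overrides the computed value (a stale header, hajir's case);
    truncate_last writes the last section's header but not its raw bytes, the
    state amigo's patched kernel32 was in (raw size claimed past EOF).
    """
    e_lfanew = 0x40
    opt_size = OPT_HDR.size + 16 * 8  # 0xE0 once the data directories are counted
    headers_size = align_up(e_lfanew + 24 + opt_size + SECTION_HDR.size * len(sections),
                            file_alignment)
    table, body = b"", b""
    raw_ptr, rva = headers_size, section_alignment
    for i, (name, vsize, raw) in enumerate(sections):
        raw_size = align_up(len(raw), file_alignment)
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, rva, raw_size, raw_ptr,
                                  0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
        if not (truncate_last and i == len(sections) - 1):
            body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += align_up(vsize, section_alignment)
    if size_of_image is None:
        size_of_image = rva
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = OPT_HDR.pack(
        0x10B, 0, 0,
        0, 0, 0, 0x1000, 0x1000, 0x1000, 0x10000000, section_alignment, file_alignment,
        5, 1, 0, 0, 5, 1,
        0, size_of_image, headers_size, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,
    ) + b"\0" * (16 * 8)
    headers = (dos + b"PE\0\0" + file_hdr + opt + table).ljust(headers_size, b"\0")
    return headers + body


def read_pe(data):
    """Parse just the header fields the checks below need."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    section_alignment, file_alignment = struct.unpack_from("<II", data, opt + 32)
    # SizeOfImage sits at PE header + 0x50, the field hajir names
    size_of_image, size_of_headers, checksum = struct.unpack_from("<III", data, opt + 56)
    table = opt + opt_size
    sections = [SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size) for i in range(nsec)]
    return {"section_alignment": section_alignment, "file_alignment": file_alignment,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "checksum": checksum, "checksum_offset": opt + 64, "sections": sections}


def pe_checksum(data, checksum_offset):
    """Header checksum: fold the file as 32-bit words (CheckSum field read as 0), then add the length."""
    padded = data.ljust(align_up(len(data), 4), b"\0")
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:  # the field is dword-aligned in any sane header
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def set_checksum(data):
    off = read_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def pad_to_section_table(data):
    """amigo's fix: append zero bytes until every section's raw range lies inside the file."""
    need = max((s[4] + s[3] for s in read_pe(data)["sections"]), default=0)
    return data.ljust(need, b"\0")


def check_pe(data):
    """Return the header/file inconsistencies found; an empty list means consistent."""
    pe = read_pe(data)
    findings = []
    image_end = align_up(pe["size_of_headers"], pe["section_alignment"])
    for name, vsize, va, raw_size, raw_ptr, *_ in pe["sections"]:
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_ptr + raw_size > len(data):
            findings.append(f"{label}: raw data ends at 0x{raw_ptr + raw_size:X}, "
                            f"past end of file (0x{len(data):X})")
        if raw_ptr % pe["file_alignment"]:
            findings.append(f"{label}: PointerToRawData 0x{raw_ptr:X} is not on FileAlignment")
        image_end = max(image_end, align_up(va + vsize, pe["section_alignment"]))
    if pe["size_of_image"] != image_end:
        findings.append(f"SizeOfImage 0x{pe['size_of_image']:X} != 0x{image_end:X} "
                        "computed from the section table")
    if pe["checksum"] and pe["checksum"] != pe_checksum(data, pe["checksum_offset"]):
        findings.append(f"CheckSum 0x{pe['checksum']:X} != computed "
                        f"0x{pe_checksum(data, pe['checksum_offset']):X}")
    return findings
```

The image-size check uses the end of the highest mapped section rounded up to SectionAlignment, which is what hajir's "sum of aligned virtual sizes" reduces to when the sections are laid out back to back. The checksum is only reported when the header carries a non-zero value; amigo's own observation is that the loader did not enforce it for his patched DLL, so a mismatch there is a hygiene finding, not the cause of a c000007B.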

omega_red 01-15-2005 01:49

Quote:

Originally Posted by amigo
Of course, Omidgl, I can explain what I'm doing.
I'm writing some kind of universal antiviral protection.
I add my code to some procs (CreateProcess, CreateService etc.).
My code checks the name of the starting process/service and its properties (size, checksum) against a list. When the starting process is not on the list, a message box appears: "Do you want to start CIH.exe, image size..., created ....?".
If the answer is no, it writes 0 as the first byte of the path, so the system message 'can't find the file' appears :).
Yeah, I know, it's a little lame.....
Regards
amigo

For this kind of global hook you'd be better off using ntdll/ntoskrnl and native API interception... Any program not using Win32 functions would escape your protection.

