Bypassing Kernel32.dll for Fun and Nonprofit
Uncategorized
11
Posts
7
Posters
0
Views
-
Bypassing Kernel32.dll for Fun and Nonprofit
-
Bypassing Kernel32.dll for Fun and Nonprofit
@andrewrk RIP zig on windows 95
-
@andrewrk RIP zig on windows 95
@andrewrk less unseriously, how do you handle the eldritch abomination of Win32-to-NT path mangling
-
Bypassing Kernel32.dll for Fun and Nonprofit
@andrewrk
> If you pass an APC routine here then some old bitrotted 32-bit code runs and you get garbage results.but the function that takes an APC routine is the ntdll one? I thought only kernel32 was supposed to have bitrotten stuff...
-
Bypassing Kernel32.dll for Fun and Nonprofit
@andrewrk can't you skip also the ntdll and go directly for the syscall? : P
-
@andrewrk
> If you pass an APC routine here then some old bitrotted 32-bit code runs and you get garbage results.but the function that takes an APC routine is the ntdll one? I thought only kernel32 was supposed to have bitrotten stuff...
@wolf480pl APC routine is valid if the file is asynchronous
-
@andrewrk
> If you pass an APC routine here then some old bitrotted 32-bit code runs and you get garbage results.but the function that takes an APC routine is the ntdll one? I thought only kernel32 was supposed to have bitrotten stuff...
@andrewrk @wolf480pl as far as we can tell, passing an APC to NtReadFile of a non-overlapped file handle probably worked (or at least was intended to?) many moons ago, but there is no wrapper exposed from kernel32 which triggers that code path, so it bit-rotted probably in the transition to the 64-bit NT kernel. This is one of the things you need to take care of when using ntdll: documentation is even more nonexistent than normal, and code paths which kernel32 doesnt take are sometimes broken!
-
@andrewrk @wolf480pl as far as we can tell, passing an APC to NtReadFile of a non-overlapped file handle probably worked (or at least was intended to?) many moons ago, but there is no wrapper exposed from kernel32 which triggers that code path, so it bit-rotted probably in the transition to the 64-bit NT kernel. This is one of the things you need to take care of when using ntdll: documentation is even more nonexistent than normal, and code paths which kernel32 doesnt take are sometimes broken!
@andrewrk @wolf480pl for the record, this hypothesis is based on the fact that *often*, this particular usage of NtReadFile works as expected, but in *some* cases, it will:
* fail to write the APC arguments to the right registers; this could be relevant to the 32-to-64-bit transition because the x86 calling convention passes arguments on the stack rather than in registers
* write the "Information" field of the IO_STATUS_BLOCK at the wrong offset (4 bytes instead of 8 bytes) -
@andrewrk less unseriously, how do you handle the eldritch abomination of Win32-to-NT path mangling
@andrewrk @joe I mean, it's *annoying* (particularly since NT -> DOS path conversion is kinda heuristic-based, i.e. "let's hope paths don't go through a weird path to \??\"), but at the end of the day it's just some hacky string conversion! And here's the thing: given that the conversion happens in kernel32, can you guess how well that code is written in the first place? Yeaaaah, so it's not actually too hard to write something with equivalent quality :P
-
Bypassing Kernel32.dll for Fun and Nonprofit
@andrewrk well, sounds like a profit to me, after all.
-
Bypassing Kernel32.dll for Fun and Nonprofit
@andrewrk "Using ntdll functions feels like using software made by senior engineers, while using kernel32 functions feels like using software made by Microsoft employees." You don't take prisoners, do you?
-
undefined swelljoe@mas.to shared this topic
Gli ultimi otto messaggi ricevuti dalla Federazione
-
+++SCOOP+++ Non erano i comunisti a mangiare i bambini, ma i villaggi vacanze.
-
“mille morti nel mediterraneo” dopo il ciclone harry. una delle peggiori stragi di migranti passata sotto silenzio
@anarchia
Migranti. Nelle scorse settimane il ciclone Harry, che ha provocato danni enormi in Sicilia, Calabria e Sardegna, ha anche causato la morte di centinaia di migranti nel Mediterraneo. La Guardia Costiera
-
@uriel
OK, ma io non ho tutto sto tempo a disposizione, gradirei vedere un raggio di sole, anche saltuariamente... 😊
-
I know some people hate hacker news, but I still find interesting links and comments there.
Like, today someone made a pretty interesting comparison of LLMs and mouse as computer interfaces: the GUI and the mouse revolutionized how we interact with computers, but the big winners were not mice manufacturers.
-
Our flight to Doha seems delayed due to the weather…
-
@Alberto archeologicamente parlando, il periodo di pioggia piu' lungo e' durato due milioni di anni.
-
@mike you must admit they are being honest :D
-
Cassandra Crossing 657/ LLM, Algoritmi e Debito tecnologico
Mentre il termine “Vibe coding” perde per fortuna vigore, sempre più ambienti di programmazione “forzano” l’utilizzo di LLM per lo sviluppo di software; cosa mai potrebbe andare storto che già altri non abbiano evidenziato?
https://www.lealternative.net/2026/02/05/cassandra-crossing-657-llm-algoritmi-e-debito-tecnologico/
