tomasz86 Posted July 25, 2012
Well, I had problems with the ntdll.dll starting from v9, on real hardware too (check #533).
WildBill (Author) Posted July 31, 2012
I've been crawling through the code, double-checking and triple-checking everything, and I can't find anything wrong with the code. I tried backing some changes out and eventually replaced v9 ntdll with v8 ntdll and I still see occasional problems in a VM (though never on real hardware). From looking at the exceptions it looks like something is corrupting the heap, and subsequent heap operations are throwing exceptions. Mixing v8 ntdll with v9 kernel definitely isn't preventing the problem. What happens if you try a pure v8 install on a VM?
tomasz86 Posted July 31, 2012 (edited)
More test results:
1. After installing v11, folders don't open / Explorer is restarted... but they open in Safe Mode. On the other hand, IE doesn't open in either "normal" mode or Safe Mode (Add/Remove Programs doesn't open either, as it depends on IE).
2. No problems occur when v8 is installed.
3. I found a bug in update.inf. There should be no ntdll.dll and win32k.sys in [system32.Files].
4. Replacing ntdll.dll v7084 from v11 with ntdll.dll v7083 from v8 fixes all issues.
Edited July 31, 2012 by tomasz86
WildBill (Author) Posted August 2, 2012
There's something screwy going on... I backed up all the way to v3 and I still get the same occasional errors when accessing a network share from within a VM. I then tried a clean install of 2kSP4 and it still happens. I wonder if it's a VM thing. I'm using Virtual PC 2007.
WildBill (Author) Posted August 6, 2012
Well, so far I haven't been able to track down what's corrupting the heap. I think the best strategy is to finish the kernel32 rewrite since I'm so close to the end, and then perhaps move on to rewriting ntdll (which is smaller). That way I can try to put in better heap corruption detection and maybe find out what's going on.
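The post above mentions adding better heap corruption detection while rewriting ntdll. As an added illustration of one such technique (example code written for this page, not WildBill's kernel32/ntdll code, and not a description of the Windows heap internals), here is a minimal canary-guarded allocation wrapper in C: it brackets each block with a known pattern and checks both guards at free time, so an overrun is reported at the free of the damaged block instead of surfacing later as an unrelated heap exception. The names guard_alloc/guard_check/guard_free and the GUARD_MAGIC value are made up for the example, and the overrun in demo_overrun is constructed.

```c
/* Canary-guarded heap wrapper (added example; hypothetical names). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_MAGIC 0xDEADC0DEu   /* hypothetical canary pattern */

typedef struct {
    uint32_t magic;   /* front canary, detects underruns / bad headers */
    size_t   size;    /* user size, needed to locate the rear canary */
} guard_hdr;

/* Allocate size bytes with a canary before and after the user region. */
void *guard_alloc(size_t size) {
    guard_hdr *h = malloc(sizeof *h + size + sizeof(uint32_t));
    if (!h) return NULL;
    h->magic = GUARD_MAGIC;
    h->size = size;
    unsigned char *user = (unsigned char *)(h + 1);
    uint32_t rear = GUARD_MAGIC;
    memcpy(user + size, &rear, sizeof rear);   /* rear canary may be unaligned */
    return user;
}

/* Returns 0 if both canaries are intact, 1 if the front canary is damaged
   (underrun or foreign pointer), 2 if the rear canary is damaged (overrun). */
int guard_check(const void *p) {
    const guard_hdr *h = (const guard_hdr *)p - 1;
    if (h->magic != GUARD_MAGIC) return 1;
    uint32_t rear;
    memcpy(&rear, (const unsigned char *)p + h->size, sizeof rear);
    return rear == GUARD_MAGIC ? 0 : 2;
}

/* Check, then release. On corruption the block is deliberately leaked rather
   than handed back to the underlying allocator; the return value says why. */
int guard_free(void *p) {
    if (!p) return 0;
    int rc = guard_check(p);
    if (rc == 0) {
        guard_hdr *h = (guard_hdr *)p - 1;
        h->magic = 0;      /* poison the header before release */
        free(h);
    }
    return rc;
}

/* Well-behaved caller: fills exactly the bytes it asked for. Returns 0. */
int demo_clean(void) {
    char *buf = guard_alloc(8);
    if (!buf) return -1;
    memset(buf, 'A', 8);
    return guard_free(buf);
}

/* Constructed bug in the class discussed in the thread: an off-by-one write
   past the end of the buffer. The write lands on the rear canary, so
   guard_free reports 2 at this free instead of a later unrelated failure. */
int demo_overrun(void) {
    char *buf = guard_alloc(8);
    if (!buf) return -1;
    memset(buf, 'A', 9);   /* 9 bytes into an 8-byte allocation */
    return guard_free(buf);
}

int main(void) {
    printf("clean free reports %d\n", demo_clean());
    printf("overrun free reports %d\n", demo_overrun());
    return 0;
}
```

The trade-off a real allocator makes here is cost: checking on every free is cheap, while also validating every block on each allocate (to catch corruption that happens between a block's last use and its free) costs a walk of the heap, which is why such checks are usually a debug mode rather than always on.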
WildBill (Author) Posted August 25, 2012
I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather it sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler. I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in out of a total of 902, but I won't need that many before I can start testing and debugging it.
blackwingcat Posted September 3, 2012
Can you run CurrPorts with KB2508429-v8?
> I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather it sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler. I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in out of a total of 902, but I won't need that many before I can start testing and debugging it.
Does Nirsoft CurrPorts work? Our iphlpapi.dll seems to have a problem in GetUdpExTable2FromStack/GetTcpExTable2FromStack. I found iphlpapi v5.0.2195.7097 requires KB957579 (minimum requirement is KB951798).
> I've got a couple of updates posted: iphlpapi.dll
MacLover Posted September 6, 2012 (edited)
I was taking a look at the IE6 SP1 version of the MS12-052 fix that BlackWingCat found on the Microsoft Security ISO and I decided to run it through IDA Pro and TurboDiff (I compared against the last pre-EOL fix, MS10-035/KB982381) and TurboDiff found no changes to any function in BROWSEUI.DLL between the two versions. Since WildBill's notes for MS10-071 show that changes to BROWSEUI.DLL were required to fully close up the AutoComplete vulnerability, I also compared the XP versions of MS10-035 and MS10-071 and functions did show up as changed. This tells me that Microsoft is doing the same thing with these "Extended Support fixes" that they did with Windows 98's extended support in that they only fixed vulnerabilities marked as "Critical." I remember that WildBill had said that MS11-003 would be a pain to backport but it looks like M$ did the hard work for us for that bulletin (all of its CVEs are marked as "Critical") and an easier solution for that update might be to use the Microsoft MS11-003 or MS12-052 IE6 SP1 patch and add the other changes from the previous unofficial IE updates as necessary.
On another note, I noticed some issues with MS11-012 where FileZilla's toolbar has the same white splotches where the shadows are supposed to be that we had before adding the ShellIconBPP setting.
How FileZilla's toolbar looks on stock Win2k:
How FileZilla's toolbar looks with MS11-012 installed:
How FileZilla's toolbar looks on Windows XP:
This is a minor issue, so no rush on fixing this or doing any of the IE updates (I use Firefox 10 ESR on 2000, so the vulnerabilities don't concern me too much.)
PS I'm trying to learn some of this patch analysis stuff so that maybe I could help with the load at some point.
Edited September 6, 2012 by MacLover
erpdude8 Posted September 7, 2012 (edited)
hi WildBill. can you make the unofficial August 2012 Cumulative Time Zone KB2732052 Updates for Windows 2000?
MS KB article 2732052: http://support.microsoft.com/kb/2732052/
It supersedes and replaces previously released Time Zone hotfixes as well as the December 2011 Cumulative Time Zone updates.
I see a definite pattern of how and when MS releases new Time Zone updates for Windows for several years now, usually in August and in December of each year.
Edited September 7, 2012 by erpdude8
tomasz86 Posted September 7, 2012 (edited)
> hi WildBill. can you make the unofficial August 2012 Cumulative Time Zone KB2732052 Updates for Windows 2000?
> MS KB article 2732052: http://support.microsoft.com/kb/2732052/
> It supersedes and replaces previously released Time Zone hotfixes as well as the December 2011 Cumulative Time Zone updates.
> I see a definite pattern of how and when MS releases new Time Zone updates for Windows for several years now, usually in August and in December of each year.
acus has already done it: http://www.ryanvm.net/forum/viewtopic.php?p=126872#126872
Edited September 7, 2012 by tomasz86
erpdude8 Posted September 7, 2012 (edited)
thanks, tomasz86. i haven't been here that much lately.
btw, do you know by any chance if anyone got the KB2476490 oleaut32.dll v2.40.4535.0 security patch blackwingcat mentioned here?
I didn't realize that MS is still secretly making some new security fixes for win2000, even after extended support for Win2k ended in mid-July 2010.
Edited September 7, 2012 by erpdude8
tomasz86 Posted September 7, 2012
> thanks, tomasz86. i haven't been here that much lately.
> btw, do you know by any chance if anyone got the KB2476490 oleaut32.dll v2.40.4535.0 security patch blackwingcat mentioned here?
> I didn't realize that MS is still secretly making some new security fixes for win2000, even after extended support for Win2k ended in mid-July 2010.
I don't think it's available publicly. Only a few of the updates mentioned on BWC's blog leaked. The IE Cumulative one has been recently replaced by the newly (officially) released CU (KB2722913). The two others are included in Update Rollup 2. Only the one for MDAC 2.8 SP1 (KB983838) still needs to be applied separately.
WildBill (Author) Posted October 1, 2012
I've got a new installment of MS11-011 (KB2393802) posted (v12). By request, it adds a number of kernel-level functions:
ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe
KeAreApcsDisabled
IoQueryFileDosDeviceName
MmProtectMdlSystemAddress
KeQueryActiveProcessorCount
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
CcMdlWriteAbort
Enjoy...
WildBill (Author) Posted October 3, 2012
KB2508429 v9 is up, which should fix a STOP error when copying files over a network share...