WildBill

PE Tool for creating patches

I finished porting the changes and the patch is working here, so I've posted MS11-011 v4 and updated the link on the master list. For the record, the complete list of new API calls the patch adds is:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread......already there, added it to the export table

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

EDIT: forgot to list a couple of extra routines I added to ntdll.

Edited by WildBill
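The EncodePointer/DecodePointer pair in the ntdll list above is the one addition with a security purpose, so here is an added model of what such a routine does; this is illustration code, not code from the patch or from Windows. It follows the transform that XP SP2 and later are documented to use (XOR the pointer with a per-process secret supplied by the kernel, then rotate by the secret's low five bits); whether WildBill's port uses exactly that transform is not stated in the thread, so the rotation, the 32-bit cookie and the sample addresses are assumptions. What it shows is why a callback slot holding an encoded pointer cannot be hijacked by simply writing a raw address into it.

```python
"""Model of EncodePointer/DecodePointer: XOR with a per-process secret, then
rotate by the secret's low five bits.  Assumed XP SP2-style transform; the
exact transform in the Win2k port is not documented in the thread."""
import os
import struct

BITS = 32                      # assumption: 32-bit pointers, as on Win2k x86
MASK = (1 << BITS) - 1


def _ror(x, n):
    n %= BITS
    return ((x >> n) | (x << (BITS - n))) & MASK


def _rol(x, n):
    n %= BITS
    return ((x << n) | (x >> (BITS - n))) & MASK


class Process:
    """One process holding the random cookie the kernel hands it at startup."""

    def __init__(self, cookie=None):
        # In the real scheme ntdll asks the kernel for this value; it is never
        # derived from anything the process (or an attacker in it) controls.
        self.cookie = cookie if cookie is not None else struct.unpack("<I", os.urandom(4))[0]

    def encode_pointer(self, ptr):
        return _ror((ptr ^ self.cookie) & MASK, self.cookie & (BITS - 1))

    def decode_pointer(self, enc):
        return _rol(enc, self.cookie & (BITS - 1)) ^ self.cookie


def stored_callback_survives_overwrite(cookie, real_target, attacker_target):
    """Simulate a callback slot that holds an encoded pointer.  The legitimate
    owner stores encode(real_target); an attacker with a write primitive but no
    knowledge of the cookie overwrites the slot with attacker_target as a raw
    address.  Returns (address reached normally, address reached after the
    overwrite); the second one is garbage, not attacker_target."""
    proc = Process(cookie)
    slot = proc.encode_pointer(real_target)      # legitimate registration
    reached_normally = proc.decode_pointer(slot)
    slot = attacker_target                       # the arbitrary write
    reached_after_attack = proc.decode_pointer(slot)
    return reached_normally, reached_after_attack
```

The cookie is what carries the scheme: it has to be unpredictable per process and unreadable by the attacker, which is why the post notes that the real RtlEncodePointer depends on kernel changes (a process-cookie query into ntoskrnl) rather than on a value ntdll could invent on its own.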

tomasz: just as soon as you can give me the all-clear for V4 I'll consider that a green light for V5 (I've already started on it and added a few more routines to ntdll and kernel32)... ;)


I missed the fact that you already uploaded a v4 :lol:

I've installed it on both my desktop and laptop computers and while everything seems to work fine here (on the desktop),

there's still the same error on the other one:


*** STOP: 0x0000001E (0xC0000005, 0xDDC6473E, 0x00000000, 0x0000000C)
KMODE_EXCEPTION_NOT_HANDLED

*** Address DDC6473E base at DDC00000, DateStamp 4ebda139 - ntoskrnl.exe

System specifications are listed in #398


Hmm. I'm going to need some more info to track that one down, since the address is pointing to a trap routine (specifically, it traps 0x57, which I assume means int 0x57). When does the BSOD happen? Does it create a minidump file? It looks like it trapped an interrupt (maybe from a driver?) and it didn't like it.

The 0xC0000005 means ACCESS_VIOLATION, so I assume that it tried to access an invalid memory location. The problem is going to be finding where it happened.

Edit: it looks like int 57h is a relocated IRQ7, so maybe a driver that's using IRQ7 is causing the problem. The interrupt request for a driver is shown under the Resources tab in the Device Manager. It's also possible that it's really IRQ15, from a secondary interrupt controller.

Edited by WildBill

The BSOD happens just right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works which is an improvement compared to the previous versions when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.


What happens without /SOS? Same thing?

Another dumb question: is /BOOTLOG set? Are you using any bootskin settings?

Okay, after spending the day investigating, it looks like ESP (stack pointer) must have become corrupted somewhere, and then an interrupt occurred (most likely from a driver, which wouldn't be loaded when you're in safe mode). So now, the trick will be finding whatever is corrupting ESP yet doesn't result in a BSOD all the time (maybe the routine in question recovers the correct ESP before it returns?) It's pretty hard to screw up ESP and not generate a GP fault when returning from a routine.

Edited by WildBill

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm beginning to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great! :thumbup


@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm beginning to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great! :thumbup

Ask and ye shall receive... see the top post :)


Wow, that was really swift! :yes:

Thanks a whole lot!

You do rock! :thumbup


The BSOD happens just right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works which is an improvement compared to the previous versions when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.

Here's something to try...ntoskrnl was a bit different than the other three in that it had some extra changes when I was still working out how to hook in the bootskin code. I undid those extra changes so it matches the others, and I altered the bootskin code very slightly to better restore ESP (in ntoskrnl only for now). I don't see any reason why this would help as I didn't see any obvious issues, but it's worth a try. I've tested it in a VM with no issues.

This is an early build of V5 that adds some new functions to ntdll and kernel32, but there are some more things I'd like to add before making it an "official" v5. I'm using it here on my laptop with no problems, so for the adventurous it adds the following:

ntdll

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

kernel32

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

Windows2000-KB2393802-v5-early-1-x86-ENU.exe

Edited by WildBill

Something strange's going on :huh:

1. I don't have any bootskin setting set.

2. /BOOTLOG is enabled but it's not created because the BSOD happens before boot logging is even started.

3. The strange thing is that regardless of whether /SOS is set or not, the beginning of the GUI part is the same and looks as if /SOS was enabled. I can see the GUI part for only half a second before the BSOD appears.

4. The v5 doesn't make any difference.

...

I think I found the reason. The BSOD appears only when /PAE is enabled. Interestingly it doesn't affect the desktop as I've just turned /PAE on and no problems here. It was turned on on the notebook by mistake but still there's no BSOD unless I install your patch ;)


If your desktop is multiprocessor, then its PAE kernel is ntkrpamp.exe (which gets renamed to ntkrnlpa.exe), whereas the laptop's uniprocessor PAE one is from ntkrnlpa.exe (i.e., they're different). Actually, that info helps a lot: it means that I probably messed something up in the uniprocessor PAE kernel. Hopefully it will be easy to find.


A-ha...the original ntkrnlpa had a stack variable in a different place than in the other three files, and it affected the SOS setting (and probably caused the BSOD). This might help:

Windows2000-KB2393802-v5-early-2-x86-ENU.exe

I also checked the multiprocessor PAE kernel, and that one looks ok (the variable's location is the same as the non-PAE one). Go figure.

Edited by WildBill

It's all right now :)


MS11-011 V5 is now posted, and it includes just about everything I could add to kernel32 and ntdll without major pain in the process. The complete list of additions is now:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread......already there, added it to the export table

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA

Edited by WildBill

Hi WildBill,

MS11-011 V5 is now posted (...)

After installing the update, I get this error on reboot (the progress bar on the Windows 2000 boot screen having reached 100%):


stop:c0000139 (Entry Point Not Found)
The procedure entry point LdrLockLoaderLock could not be located in the dynamic link library ntdll.dll

:}


Hmm. That doesn't make any sense...I checked ntdll and the routine is there and it's in the export table. I also downloaded the patch and it matches what I uploaded. Did you install it normally or slipstream it? I'm not able to test slipstreaming, but I'm typing this on a laptop with V5 installed. I tested the patch on both a uniprocessor and a multiprocessor installation.

The ntdll you should have after installing the patch is version 5.0.2195.7010, 531,728 bytes, MD5 hash AB3331B195F0430945E0BADDA30112A3.

Edited by WildBill
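Two things a reader with the c0000139 error above would want to check are whether the ntdll.dll actually on disk is the one described in this post (the version and MD5 given) and whether its export table really contains LdrLockLoaderLock. The following is an added example, not the project's own code, of doing both with only the Python standard library: a parser for the PE export directory that also recognises forwarded exports (the kernel32 entries listed earlier, such as DecodePointer -> NTDLL.RtlDecodePointer, are of that kind; a forwarder is an export whose RVA points at a "DLL.Function" string inside the export directory instead of at code), plus a builder for a synthetic, non-loadable PE32 so the parser can be exercised offline. The synthetic image, its section layout and the export names it carries are constructed test data, not the real file.

```python
"""Parse a PE export table (names + forwarders) and hash the file.
Standard library only; handles PE32 and PE32+ images."""
import hashlib
import struct

SECTION_RVA = 0x1000  # RVA of the single section in the synthetic test image


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_exports(data):
    """Return {name: forwarder string or None} for every named export."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)               # data directories: PE32 / PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)  # directory entry 0 = exports
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return {}
    ed = _rva_to_offset(sections, exp_rva)
    nnames, funcs, names, ords = struct.unpack_from("<IIII", data, ed + 24)
    funcs, names, ords = [_rva_to_offset(sections, r) for r in (funcs, names, ords)]
    result = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        name = _cstr(data, _rva_to_offset(sections, name_rva))
        # An address inside the export directory itself is not code but a
        # "DLL.Function" string: the export is forwarded to another module.
        if exp_rva <= func_rva < exp_rva + exp_size:
            result[name] = _cstr(data, _rva_to_offset(sections, func_rva))
        else:
            result[name] = None
    return result


def missing_exports(data, required):
    """Names in `required` the image does not export.  Any hit is exactly the
    condition behind 'The procedure entry point X could not be located'."""
    present = list_exports(data)
    return [n for n in required if n not in present]


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()   # compare with a posted hash


def build_test_image(dll_name, exports):
    """Assemble a minimal, non-loadable PE32 whose only section is an export
    table.  `exports` maps name -> None (code) or "DLL.Func" (forwarder).
    Constructed test data so the parser can be exercised without Windows."""
    names = sorted(exports)                 # the loader binary-searches by name
    n = len(names)
    tables_len = 40 + 4 * n + 4 * n + 2 * n
    strings = bytearray()

    def add_str(s):
        rva = SECTION_RVA + tables_len + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_rva = add_str(dll_name)
    name_rvas = [add_str(nm) for nm in names]
    func_rvas = [add_str(exports[nm]) if exports[nm] else 0x5000 + 0x10 * i
                 for i, nm in enumerate(names)]
    directory = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_rva, 1, n, n,
                            SECTION_RVA + 40, SECTION_RVA + 40 + 4 * n,
                            SECTION_RVA + 40 + 8 * n)
    section = (directory
               + b"".join(struct.pack("<I", r) for r in func_rvas)
               + b"".join(struct.pack("<I", r) for r in name_rvas)
               + b"".join(struct.pack("<H", i) for i in range(n))
               + bytes(strings))
    raw_size, raw_off = (len(section) + 0x1FF) & ~0x1FF, 0x200
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)      # i386, one section
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)  # PE32, 16 directories
    dirs = struct.pack("<II", SECTION_RVA, len(section)) + bytes(8 * 15)
    sec_hdr = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(section), SECTION_RVA,
                                          raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + dirs + sec_hdr
    return headers + bytes(raw_off - len(headers)) + section + bytes(raw_size - len(section))
```

Against a real file, `missing_exports(open(path, "rb").read(), ["LdrLockLoaderLock"])` returns an empty list when the export is present, and `md5_hex` on the same bytes is what to compare with the hash in the post. Check the copy the loader actually maps, the one in system32, rather than the file inside the hotfix package: an installer that declines to replace a higher-versioned ntdll leaves the old one in place, which is what the following posts turn out to be about.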

WildBill,

ntdll.dll 5.0.2195.7080 is included in KB915985 which is a HBR. Bristols uses HBRs so that's probably the reason why your ntdll.dll doesn't install (as its version is lower).

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.

I've also got one question unrelated to the kernel patch. Can such icon anomalies be caused by 2479628?

[two screenshots of the icon anomalies omitted]

They can be brought back to normal by changing color depth or resolution.

Edited by tomasz86

Did you install it normally or slipstream it?

(...)

The ntdll you should have after installing the patch is version 5.0.2195.7010

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.

That's the problem. I've installed blackwingcat's KB915985-v2. Indeed I have Ntdll.dll 5.0.2195.7081.

WildBill, I see that several other of the files included in your update have lower version numbers than those found in some hotfixes. Tricky... I suppose that your update would cause problems too for people who have installed the hotfixes in question.

Incidentally tomasz86, did you ever get around to writing up what you know regarding problematic hotfixes? I'm eager to read your findings.


When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

Edited by WildBill

Incidentally tomasz86, did you ever get around to writing up what you know regarding problematic hotfixes? I'm eager to read your findings.

Yes, I've already analysed some files included in HBRs but there's still a lot more to do :whistle: I hope I'll manage to finish the first part in the next few days.

When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

The problem is that it happens randomly (once a few days) even after the cache is flushed. I can't reproduce it, unfortunately.

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

That'd be probably the safest solution. You may also try to play with [OverrideVersionNumbers] but I don't really know if it works.

In case you bump the number to higher than 7081, would it be difficult to add the changes from the original 915985 and BWC's 915985-v2?

Edited by tomasz86

I'm taking a look at KB915985 and I'll see if I can push out a V6 with a higher version number. It looks like the changes in the HBR are pretty simple.


I posted MS11-011 V6, which includes the KB915985 hotfix as well as the fix in blackwingcat's v2, with one exception: the HBR also has a change to RtlCallQueryRegistryRoutine that the hotfix doesn't mention, but my patch completely replaces it (and routines that call it) with the version from XPSP3. If it winds up being changed in XP then I can change it as well, but I figure the best thing to do is to leave RtlCallQueryRegistryRoutine alone.

The ntdll version is 5.0.2195.7082, which should make slipstreaming happy. I also found a couple more routines that could go into ntdll, so here's the new additions list:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread......already there, added it to the export table

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

RtlSetLastWin32ErrorAndNtStatusFromNtStatus

RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA


I found an issue with your MS11-020 fix :} :

On Windows 2000 Advanced Server (Probably any other server variant as well), when I enable Active Directory, I am unable to log on to the system unless I use safe mode *without* networking. I narrowed down the issue to being caused by the KERBEROS.DLL file from said update.

When I look at the event log on the system (in safe mode), it mentions Kerberos causing an exception and then a cascade of failures caused by that.


Can you post the info from the event? If it has the address where it happened I could try to hunt it down.
