WildBill

PE Tool for creating patches

695 posts in this topic

The information from the first event (the Kerberos failure) is as follows:

Event ID: 5000

Description:

The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.

Data:


05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00


Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.


The information from the first event (the Kerberos failure) is as follows:

Event ID: 5000

Description:

The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.

Data:


05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00

That was exactly what I needed: the first four dwords are 0xC0000005 (access violation), 0, 0 (null address accessed), 0x782B15DC (address where it was caused). The problem was obvious once I looked at it (actually, there were 2 occurrences of the problem). I'll post an update later today.


MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator and Firefox 8 will use it if it detects it).


MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator and Firefox 8 will use it if it detects it).

Thanks, the bug is fixed now. :)

EDIT: By the way, XP's MSVCRT.DLL works with your MS11-011 v6 update.

Edited by MacLover

Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.

Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it.

I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.


Just wanted to report my experiences with MS11-011 and MS11-020.

MS11-011 v6 works pretty well on my system. The only real issue that I've run across is that the drivers for my ATI Theater 750 PCIe TV card will sometimes freeze the computer when booting. Strangely enough, sometimes it will start working after rebooting a couple of times. I guess that is an improvement since the drivers didn't work at all prior to installing MS11-011. Other than that, my computer has been working fine and I'm able to run several applications without BlackWingCat's KDW pack.

On the other hand, ZoneAlarm 7.0.483.000 does not like MS11-020 at all. It will blue screen right before the password prompt comes up.

The error message I get is:

***STOP: 0x0000001E (0xC0000005, 0xB1720D9F, 0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED

***ADDRESS B1720D9F base at B16DC000, DateStamp 4874da4c - vsdatant.sys

vsdatant.sys is part of ZoneAlarm.

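
The Event 5000 Data field quoted earlier is 80 bytes, exactly a 32-bit EXCEPTION_RECORD, and the STOP 0x1E parameters above carry the exception code, faulting address and the two access-violation parameters, so both decode with the same code; the Python below is an added example (not WildBill's tool or anything posted in the thread) that turns each into one readable line. It assumes the Data field is an EXCEPTION_RECORD (inferred from its size) and uses a small constructed subset of NTSTATUS names.

```python
import struct

# Small constructed subset of NTSTATUS codes, enough for this thread.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}
# ExceptionInformation[0] of an access violation: 0 read, 1 write, 8 DEP.
AV_KIND = {0: "read from", 1: "write to", 8: "execute (DEP) at"}

# Event 5000 Data field exactly as posted in the thread (80 bytes).
EVENT_5000_DATA = """
05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00
"""

def parse_exception_record32(data):
    """Decode a 32-bit EXCEPTION_RECORD: code, flags, chained-record pointer,
    faulting instruction address, NumberParameters and up to 15 parameters,
    all little-endian DWORDs. Assumes (not proven) the blob is such a record."""
    fields = struct.unpack_from("<20I", data, 0)
    code, flags, chain, address, nparams = fields[:5]
    return {"code": code, "flags": flags, "chain": chain, "address": address,
            "params": list(fields[5:5 + min(nparams, 15)])}

def describe_exception(code, address, params):
    """One-line summary; for an access violation also say what was touched."""
    name = NTSTATUS_NAMES.get(code, "unknown NTSTATUS")
    text = f"{name} (0x{code:08X}) at 0x{address:08X}"
    if code == 0xC0000005 and len(params) >= 2:
        text += f": {AV_KIND.get(params[0], 'access of')} 0x{params[1]:08X}"
        if params[1] < 0x10000:          # lowest 64 KB is normally unmapped
            text += " (null-page dereference)"
    return text

def describe_event_5000(hex_dump):
    rec = parse_exception_record32(bytes.fromhex(hex_dump))
    return describe_exception(rec["code"], rec["address"], rec["params"])

def describe_bugcheck_1e(params, module_base, module_name):
    """STOP 0x1E KMODE_EXCEPTION_NOT_HANDLED: parameters are (exception code,
    faulting address, exception param 0, exception param 1); the offset from
    the module base is what you look up in a disassembly of the driver."""
    code, address, p0, p1 = params
    return (describe_exception(code, address, [p0, p1])
            + f"; {module_name}+0x{address - module_base:X}")
```

Fed the values from the two posts, the event decodes to an access violation at 0x782B15DC reading address 0, and the bugcheck to the same kind of fault at vsdatant.sys+0x44D9F.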

I'd need to get my hands on vsdatant.sys to try to see what's going on...I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?


I'd need to get my hands on vsdatant.sys to try to see what's going on...I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?

Yes, it works normally without the patch installed.

I attached a copy of vsdatant.sys to this post. If need be, you can also download a copy of ZoneAlarm 7.0.483.000 from: http://download.zonealarm.com/bin/free/1023_zl/zlsSetup_70_483_000_en.exe

Thanks for your help.

vsdatant.zip


Thanks. It looks like something is giving it an invalid pointer on an IOCTL_TCP_QUERY_INFORMATION_EX request. Hopefully it will be simple to find.

Edit: so far I've found one definite bug in iphlpapi.dll (missing reloc) and potentially some thread-safety issues in it (XP forces device queries to be thread-safe whereas 2k does not). I want to check out the other files before I post an update. I'm going to be going out to dinner in a little bit so the update might not be until late tonight. I've also found a missing reloc in srvsvc.dll (this new version of the PE Tool makes those much easier to find).

Edited by WildBill
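
A "missing reloc" like the ones found in iphlpapi.dll and srvsvc.dll is a 32-bit absolute address in the image with no IMAGE_REL_BASED_HIGHLOW entry in .reloc, so it keeps pointing at the preferred-base location after the loader rebases the DLL; the Python below is an added example (not the PE Tool's code) that parses .reloc and flags pointer-looking DWORDs in a code blob that the table does not cover. The image base, code RVA and instruction bytes are a constructed fixture, and the pointer scan is a heuristic.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, performs no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (x86)

def parse_base_relocations(reloc):
    """Walk .reloc (a chain of IMAGE_BASE_RELOCATION blocks: page RVA, block
    size, then 16-bit entries of 4-bit type | 12-bit page offset) and return
    the RVAs at which the loader patches a 32-bit absolute address."""
    fixups, off = set(), 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size < 8:                      # zero block ends the table
            break
        for ent_off in range(off + 8, off + block_size, 2):
            entry, = struct.unpack_from("<H", reloc, ent_off)
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                fixups.add(page_rva + (entry & 0xFFF))
        off += block_size
    return fixups

def build_reloc_section(fixup_rvas):
    """Constructed .reloc builder for the fixture below (not from any real
    DLL); groups fixups per 4 KB page and DWORD-pads each block."""
    pages = {}
    for rva in fixup_rvas:
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = bytearray()
    for page, offs in sorted(pages.items()):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | o for o in sorted(offs)]
        if len(entries) % 2:                    # keep each block DWORD-aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += b"".join(struct.pack("<H", e) for e in entries)
    return bytes(out)

def find_missing_relocs(code, code_rva, image_base, image_size, fixups):
    """Heuristic: every DWORD in the code that falls inside the image's
    preferred address range is treated as an absolute pointer; report those
    with no HIGHLOW fixup. Such a pointer is only right while the DLL loads
    at its preferred base, so the bug shows up on some systems and not others."""
    missing = []
    for i in range(len(code) - 3):
        value, = struct.unpack_from("<I", code, i)
        if image_base <= value < image_base + image_size and (code_rva + i) not in fixups:
            missing.append((code_rva + i, value))
    return missing

# Constructed fixture: preferred base 0x10000000, 128 KB image, code at RVA
# 0x1000 holding "mov eax, 10003000h" then "push 10004010h"; only the first
# immediate has a fixup, the second is the missing-reloc case.
IMAGE_BASE, IMAGE_SIZE, CODE_RVA = 0x10000000, 0x20000, 0x1000
CODE = b"\xB8" + struct.pack("<I", 0x10003000) + b"\x68" + struct.pack("<I", 0x10004010)
RELOC = build_reloc_section([CODE_RVA + 1])   # only the mov immediate is covered

def audit_fixture():
    return find_missing_relocs(CODE, CODE_RVA, IMAGE_BASE, IMAGE_SIZE,
                               parse_base_relocations(RELOC))
```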

I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm. Also, I added exports for the following functions:

IcmpCreateFile

IcmpCloseHandle

IcmpSendEcho

IcmpSendEcho2

IcmpParseReplies

do_echo_rep

do_echo_req

register_icmp

Win2k is a bit different from XP in that all of this functionality is in a separate icmp.dll instead of in iphlpapi.dll, so the exports above are just forwarded exports to the routines in icmp.dll. It shouldn't make any difference to applications since the PE loader automatically resolves forwarded exports.


I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm.

WildBill you're the best. MS11-020 V5 solves the blue screen at boot when ZoneAlarm is installed. Everything seems to be working fine now.


I didn't notice it before but VirtualBox needs two more APIs to install properly:

SETUPAPI.DLL -> SetupSetNonInteractiveMode

SETUPAPI.DLL -> SetupUninstallOEMInfW

As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000. :)

Again, keep up the great work!


I didn't notice it before but VirtualBox needs two more APIs to install properly:

SETUPAPI.DLL -> SetupSetNonInteractiveMode

SETUPAPI.DLL -> SetupUninstallOEMInfW

As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000. :)

Again, keep up the great work!

Did you try BlackWingCat's setupapi.dll? I don't know if it supports those two functions, but it is probably worth a try.

http://blog.livedoor.jp/blackwingcat/archives/873798.html


I didn't notice it before but VirtualBox needs two more APIs to install properly:

SETUPAPI.DLL -> SetupSetNonInteractiveMode

SETUPAPI.DLL -> SetupUninstallOEMInfW

As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000. :)

Again, keep up the great work!

Did you try BlackWingCat's setupapi.dll? I don't know if it supports those two functions, but it is probably worth a try.

http://blog.livedoor.jp/blackwingcat/archives/873798.html

BWC's SETUPAPI.DLL doesn't support SetupSetNonInteractiveMode, therefore I cannot install VirtualBox 4 even with a modified MSI to allow installation on Win2k. It does have SetupUninstallOEMInfW though.


Hi folks,

I have a piece of software which is broken under Windows 2000 SP4 (French version), because of the function "TzSpecificLocalTimeToSystemTime", which is not in Win2k's kernel32.dll.

I've googled and I've seen that this topic is talking about patches and is referencing this function name (TzSpecificLocalTimeToSystemTime). Do you think it's possible to patch the kernel32.dll library to add this function, and then make my software compatible with Windows 2000? Is that what you do with your custom patches?

Regards,


WildBill's patch already has this function (TzSpecificLocalTimeToSystemTime) added. If you want to use it then you'll have to apply the English patch to your French system.


WildBill's patch already has this function (TzSpecificLocalTimeToSystemTime) added. If you want to use it then you'll have to apply the English patch to your French system.

Isn't it risky to apply an English patch onto another-language Windows? You're talking about the patch MS11-011, right? The one that can be found on this page: My link?

Thanks for your help! I didn't think that what I'd like to do, someone else had already done! Seems like very hard work.


Yes, I mean MS11-011 (2393802) but you should download it from here as I haven't updated the RyanVM list yet. V6 is the current version.

I can't say for sure but I guess that Windows files for European languages should be interchangeable. In the past I already tried using an English kernel32.dll in a Polish system and no problems occurred. Of course some system dialogs may change to English but in the case of kernel files most of them will be the text which you see on BSODs, not the actual system GUI.

Here there are instructions on how to change the update.inf file.


I found that my implementation of DbgPrintEx in ntdll was incorrect and would corrupt the stack, so I've posted MS11-011 V7 with a fixed version. I've also added DbgPrintEx to ntoskrnl et al. and RtlCaptureContext to kernel32. The new master additions list for V7 is below:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread (already there, added it to the export table)

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

DbgPrintEx

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Fixed version)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

RtlSetLastWin32ErrorAndNtStatusFromNtStatus

RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA

RtlCaptureContext

Edited by WildBill

Thank you, WildBill :D


Yes, I mean MS11-011 (2393802) but you should download it from here as I haven't updated the RyanVM list yet. V6 is the current version.

I can't say for sure but I guess that Windows files for European languages should be interchangeable. In the past I already tried using an English kernel32.dll in a Polish system and no problems occurred. Of course some system dialogs may change to English but in the case of kernel files most of them will be the text which you see on BSODs, not the actual system GUI.

Here there are instructions on how to change the update.inf file.

OK, I managed to install MS11-011 v7 (the latest one) on my French Win2K Advanced Server. I don't know if it's the same for Windows 2000 Server or not.

After that I found that I had another dependency issue with the iphlpapi.dll library. ("The procedure entry point GetIpErrorString could not be located in the dynamic link library iphlpapi.dll")

So I thought about installing the version from Win2k3 Server (which has the GetIpErrorString function). After that I had another dependency issue with ws2_32.dll

(The procedure entry point freeaddrinfo could not be located in the dynamic link library WS2_32.dll). I searched through WildBill's patches and found Windows2000-KB2508429-v3-x86-ENU.

But after the reboot, I got services.exe crashing and a 60-second auto-reboot countdown alert. I don't know what's wrong. I tried to boot into safe mode and it works, but not in normal mode. Maybe it has to do with the iphlpapi.dll I copied directly from Win2k3 to Win2k Server.


Do you get this GetIpErrorString problem when trying to launch the program you mentioned before? What's the name of it?

You should check the dependencies with Dependency Walker. You will be able to solve the dependency problems with BlackWingCat's KDW. I may help you but first you need to let us know what the name of the program you're trying to use is.

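
The forwarded Icmp* exports WildBill describes earlier and the "procedure entry point ... could not be located" errors int0x13 reports both come down to the DLL's export table: a forwarder's address entry points back inside the export directory at an ASCII "DLL.Function" string instead of at code, and the loader error is a name that is simply absent from that table, which is the check Dependency Walker automates. The Python below is an added example (not from the thread, the PE Tool or Dependency Walker) that builds a constructed IMAGE_EXPORT_DIRECTORY for a hypothetical iphlpapi.dll, resolves it the way the loader does and lists the required names that are missing.

```python
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes

def build_export_dir(dll_name, exports, dir_rva=0x5000):
    """Constructed export directory for a hypothetical DLL (fixture, not a real
    image). exports maps name -> code RVA (int) or "DLL.Func" (str) forwarder."""
    names = sorted(exports)                      # the name table is sorted
    n = len(names)
    func_tbl, name_tbl, ord_tbl = 40, 40 + 4 * n, 40 + 8 * n
    strings, str_base = bytearray(), 40 + 10 * n
    def add_str(s):
        rva = dir_rva + str_base + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva
    dll_rva = add_str(dll_name)
    name_rvas = [add_str(nm) for nm in names]
    # A forwarder's "address" is the RVA of its string inside the directory.
    func_rvas = [add_str(exports[nm]) if isinstance(exports[nm], str)
                 else exports[nm] for nm in names]
    blob = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dll_rva, 1, n, n,
                       dir_rva + func_tbl, dir_rva + name_tbl, dir_rva + ord_tbl)
    blob += b"".join(struct.pack("<I", r) for r in func_rvas)
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)
    blob += b"".join(struct.pack("<H", i) for i in range(n))
    return blob + bytes(strings)

def parse_exports(blob, dir_rva):
    """Resolve like the loader: name -> ordinal -> address; an address inside
    the export directory range is a forwarder string, not code."""
    dir_end = dir_rva + len(blob)
    u32 = lambda rva: struct.unpack_from("<I", blob, rva - dir_rva)[0]
    u16 = lambda rva: struct.unpack_from("<H", blob, rva - dir_rva)[0]
    def cstr(rva):
        off = rva - dir_rva
        return blob[off:blob.index(b"\0", off)].decode()
    (_, _, _, _, name_rva, _, _, n_names,
     funcs, names, ords) = struct.unpack_from(EXPORT_DIR_FMT, blob, 0)
    table = {}
    for i in range(n_names):
        target = u32(funcs + 4 * u16(ords + 2 * i))
        if dir_rva <= target < dir_end:       # points back into the directory
            table[cstr(u32(names + 4 * i))] = ("forward", cstr(target))
        else:
            table[cstr(u32(names + 4 * i))] = ("code", target)
    return cstr(name_rva), table

def missing_imports(export_table, required):
    """Names the loader would report as 'procedure entry point could not be located'."""
    return sorted(nm for nm in required if nm not in export_table)

# Constructed fixture modelled on the thread: iphlpapi forwarding Icmp* to icmp.dll.
FIXTURE_RVA = 0x5000
FIXTURE = build_export_dir("iphlpapi.dll", {
    "GetAdaptersInfo": 0x1A30,                 # ordinary code export
    "IcmpCreateFile": "ICMP.IcmpCreateFile",   # forwarders, as in the patch
    "IcmpSendEcho": "ICMP.IcmpSendEcho",
}, FIXTURE_RVA)
```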

Alright, I will try KDW, I didn't know this tool. Also I'd like to know how to add a simple function from one DLL into another one using "PE TOOL"; is there any how-to for doing this?

The tool I'd like to run under Win2k PRO (and 2k PRO server if possible) is here: here

To test the tool, you have to install it under XP+ and then copy the install folder or unpack the installer.

Thank you for your help.

Edited by int0x13
