WildBill

PE Tool for creating patches

695 posts in this topic

Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.

Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it.

I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.

I've been using 2393802-v7 since yesterday and haven't experienced any problems. Coupled with the fact that my earlier report was less than scientific (I wasn't monitoring apps for memory usage, but instead was just observing odd lags in GDI refreshes in those certain apps I mentioned), I have to say now that I would disregard my earlier post. :)

Actually, the behaviour was like some kind of hard drive write lag. I saw it on a multiprocessor system - Pentium D Presler, ATI Radeon Xpress 1100 Pro chipset. I'm still quite unfamiliar with the system, and as such I haven't fine-tuned it, in terms of performance, to any large degree.

Edited by bristols

Thanks, it turned out to be easy to find with the info you sent me (I missed a LEAVE instruction on AttachConsoleInternal). A V8 will be out shortly...


Due to a bug in one of the new kernel routines (thanks, Bristols for finding it), I've had to post MS11-011 V8. This one also adds a new version of win32k.sys: I had originally wanted to wait until I posted MS11-034 (KB2506223) to add routines to win32k.sys, but analysis is showing that there are quite a lot of changes in MS11-034 such that it will take a while to complete. I'd really like to see if people can get the ATI v11 drivers working, so this one includes win32k.sys with some functions added. As such, I've also added a requirement that MS11-012 (KB2479628) first be installed (which I'm not happy about...this is why I held off on adding win32k.sys until now). Hopefully this won't create a problem as there is no circular dependency and this hotfix will warn you to install KB2479628 if need be.

Anyhow, here's the new list of additions:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread (already there, added it to the export table)

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

DbgPrintEx

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Fixed version)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

RtlSetLastWin32ErrorAndNtStatusFromNtStatus

RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA

RtlCaptureContext

win32k.sys

EngIsSemaphoreOwned

EngClearEvent

EngBugCheckEx (forwards to NTOSKRNL.KeBugCheckEx)

EngAllocSectionMem

EngFreeSectionMem

EngMapSection

I'm prepared to release a new version of MS11-012 that also contains the new win32k.sys just to be safe, but I'm not sure which version is best to use as a starting point: the last one I released or tomasz's updated version. Any recommendations?

Edited by WildBill

Just to be ultra-safe I also just posted MS11-012 V7, which has the new win32k.sys that I added to MS11-011 V8. This probably still has the slipstreaming issues that V6a had, but at least there is now no possibility of overwriting the newer win32k.sys from MS11-011 V8 with an older one. Both hotfixes now contain win32k.sys 5.0.2195.7401.

Edited by WildBill

WildBill,

there is v9 of MS11-012 available already ;)

Could you add the newest win32k.sys to it instead of making a v7?

EDIT

Now I saw your comment in the last line of #454. Well, it's up to you I guess because after all, it's your patch :whistle:

In my opinion the best way to go is to have only one updated version for each update.

EDIT2

Actually, if I remember correctly, v6a should be almost exactly the same as v9... the only difference being that v9 also adds the registry changes from 967715 & 2286198 (details).

Edited by tomasz86

Hi WildBill,

may I ask you to change the version number of two files?

In your Windows2000-KB2508429-v5-x86-ENU.exe there are:

1. kerberos.dll -> v.5.0.2195.7056

2. samsrv.dll -> v.5.0.2195.7011

while in Windows2000-KB907868-x86-ENU.EXE there is:

1. kerberos.dll -> v.5.0.2195.7072

and in Windows2000-KB904765-x86-ENU.EXE there is:

2. samsrv.dll -> v.5.0.2195.7071

Regards


Hmm. I just realized that my MS11-012 patch actually does require MS11-011; it just doesn't do so explicitly. I'm going to have to release *another* MS11-011 with the new win32k.sys removed (so to get the new win32k.sys functions people should upgrade MS11-012 instead if they haven't done so already). As for kerberos.dll and samsrv.dll, is there an HBR that has those other versions?

Ignore the scratched-out part...getting all these hotfixes mixed up in my head...

Edited by WildBill

Ignore the scratched-out part...getting all these hotfixes mixed up in my head...

There are almost 300 updates/hotfixes on bristols' page :w00t:

It's hard NOT to get confused...

I prepared a script which you may find useful.

updatever.cmd

You can use it to create update.ver automatically. Files from the root directory and (if they exist) files from uniproc, wms & xpsp2_binarydrop are processed. Useless files (spmsg.dll, spuninst.exe, empty.cat) are ignored. Files without a version are also listed properly (instead of A=B,C,D they go A=B,,D).

1. Place updatever.cmd in an empty folder & run it once. Two folders (HF & TOOLS) will be created.

[screenshots]

2. Download, unpack & copy into TOOLS these two files: fciv.exe (download) and filever.exe (find & download). I haven't tested newer versions of filever.exe so I can't say whether they work or not. The one I use is 5.0.2134.1.

[screenshot]

3. Unpack updates like this:

[screenshot]

4. Run updatever.cmd.

This is an example created for 2393802-v8:


[SourceFileInfo]
bootvid.dll=93a240abe57c7fff70217094c6ef31da,00050000087C0003,11360
kernel32.dll=60959fe454a2d22d916b5ea7b2fa50cf,0005000008931BF2,764688
ntdll.dll=56edaaa97265f14f9831a0b85ef6180a,0005000008931BAB,531728
ntkrnlmp.exe=085676dc6cbf24978b6540d223ccd9d6,0005000008931CD5,1961024
ntkrnlpa.exe=d14dafcbf3d1b7ae4b78451217caee73,0005000008931CD5,1960096
ntkrpamp.exe=e2d0c621099d41b90fe342f942b65d90,0005000008931CD5,1982336
ntoskrnl.exe=ee0f8d6a9272446d4a08ae58aa9067cb,0005000008931CD5,1937376
win32k.sys=982892466636b2178dc978cfbad2dd10,0005000008931CE9,1670896
uniproc\kernel32.dll=2302eab80f89e66f13053b873b1c2d35,0005000008931BF2,764688
uniproc\ntdll.dll=56edaaa97265f14f9831a0b85ef6180a,0005000008931BAB,531728

Edited by tomasz86

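The update.ver listing above can be checked mechanically. What follows is an added example in Python; it is not tomasz86's updatever.cmd and not code from this thread. It parses the [SourceFileInfo] section (path=md5,version,size), unpacks the 16-hex-digit version field as four 16-bit fields (an interpretation inferred from the win32k.sys line, 0005000008931CE9, which matches the 5.0.2195.7401 version quoted earlier in the thread), accepts the unversioned A=B,,D form, and recomputes MD5 and size for each file so a missing or swapped binary is flagged. The file contents and every entry except the win32k.sys line are constructed stand-ins, and the function names are mine.

```python
"""Parse and verify an HFSLIP-style update.ver [SourceFileInfo] section.

Added example, not tomasz86's updatever.cmd.  Each entry has the form
    path=md5,versionhex,size
where versionhex packs major.minor.build.revision as four 16-bit hex
fields (0005000008931CE9 -> 5.0.2195.7401) and is empty for files that
carry no version resource (A=B,,D).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]


@dataclass
class SourceFile:
    path: str                    # relative path as written, e.g. uniproc\ntdll.dll
    md5: str                     # 32 lowercase hex digits (what fciv prints)
    version: Optional[Version]   # None for files without a version resource
    size: int                    # file size in bytes


def decode_version(hex16: str) -> Version:
    """Unpack the 16-hex-digit field into (major, minor, build, revision)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", hex16):
        raise ValueError(f"bad version field: {hex16!r}")
    return tuple(int(hex16[i:i + 4], 16) for i in range(0, 16, 4))


def encode_version(version: Version) -> str:
    """Inverse of decode_version: four 16-bit fields as upper-case hex."""
    if len(version) != 4 or any(not 0 <= p <= 0xFFFF for p in version):
        raise ValueError(f"version parts must be 0..65535: {version!r}")
    return "".join(f"{p:04X}" for p in version)


def parse_update_ver(text: str) -> List[SourceFile]:
    """Return the [SourceFileInfo] entries of an update.ver in file order."""
    entries: List[SourceFile] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or INF-style comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "sourcefileinfo":
            continue
        path, sep, rest = line.partition("=")
        fields = rest.split(",")
        if not sep or len(fields) != 3:
            raise ValueError(f"malformed entry: {line!r}")
        md5, ver, size = (f.strip() for f in fields)
        if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
            raise ValueError(f"bad md5 for {path}: {md5!r}")
        entries.append(SourceFile(path.strip(), md5.lower(),
                                  decode_version(ver) if ver else None, int(size)))
    return entries


def verify_files(entries: List[SourceFile], contents: Dict[str, bytes]) -> Dict[str, str]:
    """Check every entry against the bytes actually present (here an in-memory dict)."""
    status: Dict[str, str] = {}
    for e in entries:
        data = contents.get(e.path)
        if data is None:
            status[e.path] = "missing"
        elif len(data) != e.size:
            status[e.path] = "size mismatch"
        elif hashlib.md5(data).hexdigest() != e.md5:
            status[e.path] = "md5 mismatch"
        else:
            status[e.path] = "ok"
    return status


# Constructed stand-ins for extracted hotfix files (not real Windows binaries).
GOOD_BOOTVID = b"MZ" + b"\x00" * 30
GOOD_NTDLL = b"MZ" + b"\x01" * 62
UNIPROC_NTDLL = b"MZ" + b"\x02" * 14
SAMPLE_FILES = {
    "bootvid.dll": GOOD_BOOTVID,
    "ntdll.dll": b"MZ" + b"\x01" * 61 + b"\xff",   # same length, one byte changed
    "uniproc\\ntdll.dll": UNIPROC_NTDLL,
    # win32k.sys deliberately absent
}
# Constructed update.ver: two versioned files, one unversioned (A=B,,D), plus
# the win32k.sys line quoted from the post above.
SAMPLE_UPDATE_VER = "\n".join([
    "[SourceFileInfo]",
    f"bootvid.dll={hashlib.md5(GOOD_BOOTVID).hexdigest()},00050000087C0003,32",
    f"ntdll.dll={hashlib.md5(GOOD_NTDLL).hexdigest()},0005000008931BAB,64",
    "win32k.sys=982892466636b2178dc978cfbad2dd10,0005000008931CE9,1670896",
    "uniproc\\ntdll.dll=" + hashlib.md5(UNIPROC_NTDLL).hexdigest() + ",,16",
])


def check_sample() -> Dict[str, str]:
    """Verify the constructed files against the constructed update.ver."""
    return verify_files(parse_update_ver(SAMPLE_UPDATE_VER), SAMPLE_FILES)


if __name__ == "__main__":
    for entry in parse_update_ver(SAMPLE_UPDATE_VER):
        ver = ".".join(map(str, entry.version)) if entry.version else "(no version)"
        print(f"{entry.path:20} {ver:16} {entry.size:8d} bytes")
    print(check_sample())
```

Because update.ver carries MD5 (fciv's output), this check catches accidental corruption or an older file mixed into a newer hotfix, which is the win32k.sys overwrite scenario discussed a few posts earlier; it is not a defence against a deliberately crafted collision, so an unofficial update still needs to be compared against a trusted copy of the binaries it ships.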

Thanks WildBill.

Added 2393802 (MS11-011) v8 to the Windows 2000 Post-SP4 Updates for HFSLIP page.

Edited by bristols

Turns out that the ATI 9.x driver needed for my netbook (the 11.x driver installed but wouldn't start; I don't think this is an issue with your patch, as the same thing happens on XP with the desktop drivers, since AMD does not provide reference drivers for its notebook chipsets) needs one more API to function:

NTOSKRNL.EXE -> vDbgPrintEx

For now, I'll try hex-editing the driver to use DbgPrintEx and see what happens :}

EDIT: Looks like hex-editing the driver did no good, I'll just use blackwingcat's driver for now :whistle:

EDIT: Interestingly enough, the Realtek HD Audio drivers from 2011 refuse to start on Windows 2000 despite the fact all needed APIs are present (Code 10 in Device Manager)

Edited by MacLover

I'll see about adding vDbgPrintEx when I can. In other news, I have a local version of MS11-020 that has a kerberos that's based on the HBR version, but it looks like analyzing samsrv is going to take significantly longer. I might release an interim one with the upgraded kerberos one in the meantime (the HBR merely adds a length check on incoming messages).


Looks like the Realtek HD Audio Driver issue is caused by a patch somewhere as I just installed a "cleaner" Win2k disc with only the official patches, IE6, DirectX 9, and MSXML integrated. The latest driver from Realtek.com installed just fine using that install.

I'll try to narrow down the problem as soon as possible.

EDIT: I manually installed every unofficial fix, the issue didn't show up, which tells me that something went wrong with my fully slipstreamed Win2k DVD. In other words, there's nothing wrong with any of your patches :)

EDIT: Turns out the issue was caused by the way DriverPacks integrates KB888111

Edited by MacLover

I added a new update (thanks to bristols for this one):

MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution

Windows2000-UU-KBz2288621-x86-Global.exe


  • usp10.dll 1.626.6002.22402

It replaces 981322.


Another day, another version ;)

MS11-020 v6 is posted, with the following changes:

- incorporates KB907868 (kerberos length-validation HBR)

- incorporates MS11-013 (KB2496930: Vulnerabilities in Kerberos Could Allow Elevation of Privilege)

- incorporates MS11-014 (KB2478960: Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege)

The samsrv HBR will take quite a while to analyze, and I have some higher priorities at the moment, e.g. adding vDbgPrintEx to ntoskrnl, et al. and porting MS11-034 (which will also take a while to analyze). These priorities are open to change, of course, especially if anyone else wants to determine the necessary changes to samsrv in the meantime...

Edited by WildBill

One caveat about MS11-013: while I believe I've faithfully ported the patch and it seems to work fine, from my analysis I'm not certain that MS took the patch quite far enough. Maybe I'm just being paranoid, but I might take a second look at their patch tomorrow as I'm not convinced that they fully closed the security hole...

Edit...false alarm, it looks okay :)

Edited by WildBill

New patch posted: MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution (critical). You can find it on the master list...

Edited by WildBill

Thanks WildBill ;)

I prepared a new version of the update.ver making script. It now works not only for updates but for service packs too! It supports only Windows 2000 at the moment but I plan to make it compatible with both XP & 2003. Now you don't even have to unpack updates - you just have to place them in HF. Unpacked or not, they'll still be processed. I also greatly improved the speed of it and made it more "pretty" (files which are being processed are now displayed on the screen).

You can download it here. The URL is the same as before.

Edited by tomasz86

Alright, I will try KDW, I didn't know this tool. Also I'd like to know how to add a simple function from one DLL into another one using "PE TOOL"; is there any how-to for doing this?

The tool I'd like to run under Win2k PRO (and 2k PRO server if possible) is here: here

To test the tool , you have to install it under XP+ and then copy the install folder or unpack the installer.

Thank you for your help.

I'm very sorry for such a late reply.

I actually managed to install the application in Windows 2000 using KDW and setting OS version to XP SP3 in fcwin2k.exe. The real problem is that there are a lot of dependencies missing, not only the one related to iphlpapi.dll. The dlls from KDW won't be enough to fix them because they lack some functions which are required by the program.

I'll try to play with some dlls copied directly from XP and see if it's possible to achieve something. At this moment I'd say there is no more than about 20% chance that it'll run under Win2k.


WildBill,

I have just two questions/suggestions for you ;)

1. What do you think about making a v10 of 2479628 (MS11-012) which would include all changes done by me (v9) and you (v7). Having two versions of the same patch is confusing and v9 is already included on the bristols' updates list. Do you have any objections against it? If not, I'd like to ask you to do it or (if you're busy and don't have time) I can do it myself.

2. What do you think about making multilanguage updates? Up to now I've prepared multilanguage versions of some of your updates separately, but it'd probably be much better if one update was made by just one person to avoid any unexpected issues. Checking if the update is multilanguage is pretty simple. You just have to check the same update available for some other language and see if the file included is the same one (its language version will be English or "language neutral"). If it is, then it means that it's interchangeable between different language versions of Windows and one update can be made for all of them.

You just have to edit update.inf like this:


[Strings]
LangTypeValue = 0x0

After doing so the update will install in any language version of Windows. The installer will be in English but it doesn't matter at all.

3. I'd like to ask you about unofficial updates' filenames. As you've probably noticed I use the following scheme:

Windows2000-UU-(HBR-)KB(zX)XXXXXX-x86-XXX.exe

By doing so it's clear what kind of update it is just by looking at the filename. It's extremely easy to separate official and unofficial updates and HBRs thanks to it. Adding the "z" before 2 in KB2* for new updates makes them listed at the end, after the older ones starting from 8/9. What's your opinion about it? I know you've stuck to the official M$ filename style, but wouldn't it be better to have unofficial updates clearly distinguished from the official ones to avoid any misunderstandings?

These are just my proposals ;) I just believe that it would be nice to have some kind of "official" structure for the UUs.

Please share your opinion about them.

Edited by tomasz86

I added some new updates.

MS07-?: SetupDiGetDeviceRegistryProperty function returns an incorrect RequiredSize value on DBCS characters in Windows 2000

Windows2000-UU-HBR-KB888609-v4-x86-ENU.exe

MS07-? A microcode reliability update is available that improves the reliability of systems that use Intel processors

Windows2000-UU-KB936357-v4-x86-Global.exe

MS11-090: Cumulative Security Update for ActiveX Kill Bits

Windows2000-UU-KBz2618451-x86-Global.exe

The first two are recompiled versions of updates made by BlackWingCat. The third one (2618451) replaces 2562937.


I've done some tests with the updates from this month's Patch Tuesday and these are my results:

MS12-002: Didn't test this one but it looks like a simple registry fix.

MS12-003: Didn't even try as it updates a core system file (WINSRV.DLL)

MS12-004: The DirectShow (QUARTZ.DLL,QDVD.DLL) update worked fine but the Windows Multimedia Library (WINMM.DLL,MCISEQ.DLL) part broke sound completely.

MS12-005: Works (Seems PACKAGER.EXE hasn't changed much since the NT4 days...)

MS12-006: Works thanks to WildBill's MS11-011 and MS11-020 updates. (SCHANNEL.DLL,WINHTTP.DLL)


The worst vulnerability (in Windows history), MS12-004, was shown by Microsoft.

I released MS12-004 for the Windows 2000 Japanese version yesterday.

But I don't have the English versions of WINMM.DLL and MCISEQ.DLL.

Is there anyone who can provide me the DLLs? :yes:

Windows Legacy Update

I've done some tests with the updates from this month's Patch Tuesday and these are my results:

MS12-002: Didn't test this one but it looks like a simple registry fix.

MS12-003: Didn't even try as it updates a core system file (WINSRV.DLL)

MS12-004: The DirectShow (QUARTZ.DLL,QDVD.DLL) update worked fine but the Windows Multimedia Library (WINMM.DLL,MCISEQ.DLL) part broke sound completely.

MS12-005: Works (Seems PACKAGER.EXE hasn't changed much since the NT4 days...)

MS12-006: Works thanks to WildBill's MS11-011 and MS11-020 updates. (SCHANNEL.DLL,WINHTTP.DLL)

Edited by blackwingcat
