WildBill

PE Tool for creating patches

695 posts in this topic

I've posted KB2393802-v9 :whistle:

It doesn't include the new rewritten stuff and is mostly a bugfix version. It adds several SxS APIs to ntdll, but until the rest of the pieces are added to kernel32 they won't do anything (they should be safe to call, they'll just return error codes since they won't succeed). I still recommend it though as it fixes several bugs in -v8.

Now I can work on finishing SxS support for v10 without having those bugs hanging over my head...

Edited by WildBill

Thanks WildBill :)

By the way, here is a slimmed down version of the update.inf for KB2393802-v9. All useless sections and lines have been removed so it's much easier to navigate.

update.inf

Edited by tomasz86

These APIs are present in BWC kernel's kernel32.dll and are not included in yours:

ActivateActCtx
CheckRemoteDebuggerPresent
CreateActCtxA
CreateActCtxW
DeactivateActCtx
GetGeoInfoA
GetGeoInfoW
GetUserGeoID
ReleaseActCtx
WTSGetActiveConsoleSessionId

Would it be difficult to add them in the future version, especially the ones which have something to do with ActCtx, i.e. ActivateActCtx, CreateActCtxA, CreateActCtxW, DeactivateActCtx & ReleaseActCtx? They help fix a lot of dependencies and also make it possible to use uxtheme.dll directly from %systemroot%\system32. Without these dependencies there are problems with .NET Framework (when uxtheme.dll is present in the system, that is).

Edited by tomasz86

The ActCtx APIs are the ones I've been working on since November, but I'm finding that I need them to actually work or apps like Adobe Reader crash.


In KB2393802-v9 the error with boot.ini -> /PAE is fixed; it now works OK without a BSOD.

Thanks WildBill :hello:


Hi,

PE Tool v0.05 seems to produce a broken export table (offset +0xc).

For example, load hal.dll and save it. The name pointer then reads "L.DLL".
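An added example (not PE Tool's code, nor anything posted in this thread) of the check that would catch the report above: parse the export directory of a saved DLL, resolve its Name RVA through the section table, and compare it with the expected module name. The PE image, its section layout and the name_shift parameter are constructed here to reproduce a mis-pointed name; the real hal.dll is never read.

```python
import struct

def build_pe(dll_name, name_shift=0):
    # Constructed one-section PE32 image: section RVA 0x1000 maps to file offset 0x200.
    dir_rva, funcs = 0x1000, [0x1100]           # export dir RVA, one exported function RVA
    name_rva = dir_rva + 40                       # DLL name string follows the 40-byte directory
    name_blob = dll_name + b"\0"
    tbl_rva = name_rva + len(name_blob)           # AddressOfFunctions table after the name
    # IMAGE_EXPORT_DIRECTORY; name_shift mis-points Name the way a buggy rewrite would
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva + name_shift, 1,
                             len(funcs), 0, tbl_rva, 0, 0)
    section = export_dir + name_blob + struct.pack("<%dI" % len(funcs), *funcs)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)  # PE32, 16 dirs
    opt += struct.pack("<II", dir_rva, len(export_dir)) + bytes(15 * 8)   # export = dir[0]
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), dir_rva,
                          0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec_hdr).ljust(0x200, b"\0")
    return headers + section.ljust(0x200, b"\0")

def parse_exports(pe):
    """Return (dll_name, ordinal_base, [function RVAs]) from the export directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    export_rva = struct.unpack_from("<I", pe, opt + 96)[0]   # DataDirectory[0].VirtualAddress
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    def rva_to_off(rva):                          # every RVA must land inside a section
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA 0x%x outside all sections" % rva)
    d = rva_to_off(export_rva)
    name_rva, base, nfuncs, _nnames, func_tbl = struct.unpack_from("<IIIII", pe, d + 12)
    n = rva_to_off(name_rva)
    name = pe[n:pe.index(b"\0", n)].decode("ascii")
    funcs = list(struct.unpack_from("<%dI" % nfuncs, pe, rva_to_off(func_tbl)))
    return name, base, funcs

def check_export_name(pe, expected):
    # First sanity check after a tool rewrites an export table: does Name still resolve?
    name = parse_exports(pe)[0]
    return name == expected, name
```

With name_shift=2 the constructed image reproduces the symptom from the report: the name pointer lands two bytes into "HAL.DLL" and reads "L.DLL".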


kernel32.dll rewrite status: NLS Hell.

468 exported functions implemented out of a total of about 902

I'm currently bogged down in the NLS support -- apparently kernel32 does all the heavy lifting for localized data (date/time formats, etc.). I'm having to reverse-engineer a bunch of structures, and in the process the format of the various .nls files in system32. I now know all about Japanese emperor eras, how to convert numbers to Hebrew numbers (including the special cases for 15 and 16 and the reason behind them), and creating Hebrew and Hijri dates. I've completely reverse-engineered locale.nls (and documented it to the nth power in my kernel32.h) and partially reverse-engineered ctype.nls and unicode.nls. I've even had to write a Java program that dumps out all the info in locale.nls. And now I know why there are alternate month names for Polish for certain months...

(sigh)

Edited by WildBill

I think there's something wrong with the new version of ntdll.dll. My system gets stuck at the "preparing network connections" screen after installing the new version of the kernel and rebooting. Safe mode doesn't work either (it gets stuck at the login screen).

If I install it without the new ntdll.dll (=keep the ntdll.dll from v8) there are no problems. I've also installed it successfully in a VM (Virtualbox) where a uniprocessor non-PAE kernel is used. On my real system it's a multiprocessor PAE kernel.

Edited by tomasz86

I didn't think ntdll had changed all that much, though I did add a few things. I'll have to keep that in mind for v10. Speaking of v10, I'd like to ask for some suggestions on developing it. While I'm making steady progress on reverse-engineering and rewriting kernel32 (about 550 exported routines implemented out of about 902), it's still going to be a while before it's complete enough to test, debug, and harden. In the meantime the rewrites of csrsrv and basesrv are sitting idle and are basically complete. It seems to me to be a terrible waste of time to just have them sit on my hard drive when people could be testing them, playing with my sources, and possibly improving them (in light of Stuxnet and Flame, bulletproofing has been on my mind of late).

To cut this spiel short, would it make sense for an interim v10 release (or some other nomenclature) with the rewritten basesrv and csrsrv included? Now that I've rewritten them in C, there should be a lot of potential for improvement, not to mention that patching them, localizing them, etc. will be infinitely easier.


I'm always ready to test :whistle: although I can't really "improve" anything because of a lack of any programming skills. I can only test the files in a real environment.

By the way, it'd be nice to have

GetGeoInfoW
GetUserGeoID

in kernel32.dll. They are required for Chromium (Google Chrome, SRWare Iron) to work. The two APIs are present in BlackWingCat's kernel32.dll.


I think there's something wrong with the new version of ntdll.dll. My system gets stuck at the "preparing network connections" screen after installing the new version of the kernel and rebooting. Safe mode doesn't work either (it gets stuck at the login screen).

If I install it without the new ntdll.dll (=keep the ntdll.dll from v8) there are no problems. I've also installed it successfully in a VM (Virtualbox) where a uniprocessor non-PAE kernel is used. On my real system it's a multiprocessor PAE kernel.

I installed Win2000 + KB2393802-v9 on real hardware:

Athlon 64 X2 5600+
4GB RAM
GeForce 9800GT
Gigabyte GA-MA790X-DS4

Everything works fine.


I tried to use Windows2000-KB2393802-v9-x86-ENU.exe.

But it sometimes crashes with a BSoD (access violation) at 0xA00A3512 in win32k.sys:

A00A34E8 837D0CFC    cmp dword ptr [ebp+0Ch],FFFFFFFCh
A00A34EC 7542        jnz LA00A3530
A00A34EE 8B7D08      mov edi,[ebp+08h]
A00A34F1 52          push edx
A00A34F2 52          push edx
A00A34F3 68E1010000  push 000001E1h
A00A34F8 57          push edi
A00A34F9 E85A89F6FF  call SUB_LA000BE58
A00A34FE 89450C      mov [ebp+0Ch],eax
A00A3501 50          push eax
A00A3502 E8D49EF7FF  call SUB_LA001D3DB
A00A3507 85C0        test eax,eax
A00A3509 7425        jz LA00A3530
A00A350B 8B5510      mov edx,[ebp+10h]
A00A350E 85D2        test edx,edx
A00A3510 7C1E        jl LA00A3530
A00A3512 3B5120      cmp edx,[ecx+20h] <-----------
A00A3515 7719        ja LA00A3530
A00A3517 85D2        test edx,edx
A00A3519 8B450C      mov eax,[ebp+0Ch]
A00A351C 894314      mov [ebx+14h],eax
A00A351F 7514        jnz LA00A3535
A00A3521 8D774C      lea esi,[edi+4Ch]
A00A3524 8D7B04      lea edi,[ebx+04h]

It seems there is some bad code there.

Edited by blackwingcat

I posted KB2393802-v9e today ("e" for "experimental"). I'm not adding it to the main list as it doesn't add any new functionality or attempt to fix any issues with v9. It does, however, include my rewrites of csrsrv.dll and basesrv.dll. If you manually extract the installer and look in the info folder it creates you can find the complete source code to my rewrites. I've tried to go the extra mile in hardening both against attack, but I invite anyone who is interested to play with them. Each was built with VS2005 standard and uses the libraries from the WinNT DDK version 3790.1830 for ntdll, etc.

Here is the link for v9e: http://www.mediafire.com/download.php?skox32b1rddgl26 (updated...see a few posts down)

Remember, this is experimental, so use at your own risk. So far I'm only using it in a VM.

Edited by WildBill

I tried to use Windows2000-KB2393802-v9-x86-ENU.exe.

But it sometimes crashes with a BSoD (access violation) at 0xA00A3512 in win32k.sys:

A00A34E8 837D0CFC    cmp dword ptr [ebp+0Ch],FFFFFFFCh
A00A34EC 7542        jnz LA00A3530
A00A34EE 8B7D08      mov edi,[ebp+08h]
A00A34F1 52          push edx
A00A34F2 52          push edx
A00A34F3 68E1010000  push 000001E1h
A00A34F8 57          push edi
A00A34F9 E85A89F6FF  call SUB_LA000BE58
A00A34FE 89450C      mov [ebp+0Ch],eax
A00A3501 50          push eax
A00A3502 E8D49EF7FF  call SUB_LA001D3DB
A00A3507 85C0        test eax,eax
A00A3509 7425        jz LA00A3530
A00A350B 8B5510      mov edx,[ebp+10h]
A00A350E 85D2        test edx,edx
A00A3510 7C1E        jl LA00A3530
A00A3512 3B5120      cmp edx,[ecx+20h] <-----------
A00A3515 7719        ja LA00A3530
A00A3517 85D2        test edx,edx
A00A3519 8B450C      mov eax,[ebp+0Ch]
A00A351C 894314      mov [ebx+14h],eax
A00A351F 7514        jnz LA00A3535
A00A3521 8D774C      lea esi,[edi+4Ch]
A00A3524 8D7B04      lea edi,[ebx+04h]

It seems there is some bad code there.

I'm looking at that routine and I see something I don't like in its treatment of ECX. Let me see if I can do something with it.


BWC: I removed the v9e above and posted another one with an updated win32k.sys file (version 5.0.2195.7402). It explicitly sets ECX rather than relying on ValidateHmenu() to set it. If it works out for you, I can post a V10 on the main list.

The new v9e is here:

http://www.mediafire.com/download.php?7o1y5rbcr9eqxc0

For reference, this is what it looks like (a few other instructions above it changed to reflect the fact that some things moved up by 4 bytes):


.text:A00A34E4 loc_A00A34E4: ; CODE XREF: xxxGetMenuBarInfo(x,x,x,x)+187j
.text:A00A34E4 cmp [ebp+arg_4], 0FFFFFFFCh
.text:A00A34E8 jnz short loc_A00A3530
.text:A00A34EA mov edi, [ebp+arg_0]
.text:A00A34ED push edx ; int
.text:A00A34EE push edx ; UnicodeString
.text:A00A34EF push 1E1h ; MbString
.text:A00A34F4 push edi ; int
.text:A00A34F5 call _xxxSendMessage@16 ; int
.text:A00A34FA mov [ebp+arg_4], eax
.text:A00A34FD push eax
.text:A00A34FE call _ValidateHmenu@4 ; ValidateHmenu(x)
.text:A00A3503 test eax, eax
.text:A00A3505 jz short loc_A00A3530
.text:A00A3507 push [ebp+arg_4]
.text:A00A350A pop ecx
.text:A00A350B mov edx, [ebp+arg_8]
.text:A00A350E test edx, edx
.text:A00A3510 jl short loc_A00A3530
.text:A00A3512 cmp edx, [ecx+20h]
.text:A00A3515 ja short loc_A00A3530


It hasn't been resolved yet.

It always occurs when I click the CCC menu with skins.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
win32k+a3512
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 007c0605
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x1E
PROCESS_NAME: CCC.exe
EXCEPTION_RECORD: ae8ab7a4 -- (.exr 0xffffffffae8ab7a4)
ExceptionAddress: a00a3512 (win32k+0x000a3512)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 007c0605
Attempt to read from address 007c0605
TRAP_FRAME: ae8ab7f8 -- (.trap 0xffffffffae8ab7f8)
ErrCode = 00000000
eax=a0383210 ebx=ae8ab8b0 ecx=007c05e5 edx=00000000 esi=ae8ab8b4 edi=a0383530
eip=a00a3512 esp=ae8ab86c ebp=ae8ab878 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00050246
win32k+0xa3512:


Hmm. I think I know what to do. Give me an hour or two and I'll post another one.


Excellent! I'll post a v10 one (without my experimental rewrites) shortly.


KB2393802-V10 is now up on the main list, with the win32k.sys fix from v9e2.


I finally have WideCharToMultiByte rewritten in kernel32 (it's pretty messy and probably buggy), but it's letting me make progress on a bunch of simpler functions that require it. I'm up to 565 exported functions rewritten out of about 902, and I expect progress to pick up now that most of the really tough NLS stuff is done (if nothing else, most of the .nls files will finally be documented).

In the meantime, I was wondering if anyone has had a chance to look over the sources for my rewritten basesrv and csrsrv.


I haven't got time to do more extensive testing but I think win32k.sys is missing from the uniproc folder (in 2393802-V10).


It's the same file either way. I don't think I've ever had a separate one for uniproc in that patch.

I guess no one has taken a look at the v9e sources :(
