WildBill

PE Tool for creating patches

695 posts in this topic

I think I'm going to need some help with my kernel32 rewrite. I have it passing 130 unit tests, but I can't seem to get WinExec working. I've loaded up most of the routines involved with debugging output and I can't find anything wrong, but it doesn't properly spawn the process. I can post the project sources if anyone would like to help tracking the problem down.

The way I test it is to copy the new kernel32 to kernel32_new.dll, and have my test program perform tests against the normal kernel32 and the rewritten one and compare the results. My WinExec test attempts to spawn calc.exe from both of them. It works with the normal kernel32, but the rewritten one doesn't fully spawn the process. I get a running calc.exe in Task Manager but the window never appears and it seems to want to consume about 5% CPU until I kill it. I've been fighting with this for a couple of weeks and I'm stumped.

Testing this way lets me protect my system since I don't have to replace kernel32, though so far I haven't tested any kernel32 routines that change anything--only the ones that read info or do things that don't affect the system.


Never mind: I had a flash of insight and figured out what the problem was: my rewritten kernel32 was passing a starting address to calc.exe that was "incorrect" because calc was loading the original kernel32 when it started up. When I temporarily hardcoded the starting address it would have normally received, it started up just fine. This doesn't make the rewritten kernel32 ready for use (it still causes the VM to crash when I completely replace the original one), but WinExec should be at least somewhat sound now (though I haven't tested Win16 apps with it yet). Now to write more tests...


I succeeded in loading exfat.sys on Windows 2000

But the exfat drive was not read from Windows 2000.

If you can post it somewhere I can do a quick run through in IDA tomorrow and see what it spits out.

It's in this update:

http://www.microsoft...s.aspx?id=19364

That extracts out to a directory containing the following:



Volume in drive G is DATA
Volume Serial Number is 7A4C-636C

Directory of G:\exfat

10/16/2012 06:58 PM <DIR> .
10/16/2012 06:58 PM <DIR> ..
10/16/2012 06:58 PM 0 dirlist.txt
10/16/2012 06:55 PM <DIR> SP2GDR
10/16/2012 06:55 PM <DIR> SP2QFE
10/16/2012 06:55 PM <DIR> SP3GDR
10/16/2012 06:55 PM <DIR> SP3QFE
11/30/2007 07:18 AM 17,272 spmsg.dll
11/30/2007 07:18 AM 231,288 spuninst.exe
10/16/2012 06:55 PM <DIR> update
3 File(s) 248,560 bytes

Directory of G:\exfat\SP2GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:58 AM 133,632 exfat.sys
09/30/2008 02:44 AM 18,944 fmifs.dll
09/29/2008 05:59 AM 30,720 format.com
09/29/2008 05:58 AM 9,216 fs_rec.sys
09/30/2008 02:44 AM 77,824 ifsutil.dll
09/30/2008 02:44 AM 8,455,168 shell32.dll
09/30/2008 02:44 AM 57,344 uexfat.dll
09/30/2008 02:44 AM 278,528 ulib.dll
8 File(s) 9,061,376 bytes

Directory of G:\exfat\SP2QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:53 AM 133,632 exfat.sys
09/30/2008 02:05 AM 18,944 fmifs.dll
09/29/2008 05:54 AM 30,720 format.com
09/29/2008 05:53 AM 9,216 fs_rec.sys
09/30/2008 02:05 AM 77,824 ifsutil.dll
09/30/2008 11:35 AM 8,461,312 shell32.dll
09/30/2008 02:05 AM 57,344 uexfat.dll
09/30/2008 02:05 AM 278,528 ulib.dll
09/29/2008 05:46 AM 351,744 xpsp3res.dll
9 File(s) 9,419,264 bytes

Directory of G:\exfat\SP3GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:21 AM 133,632 exfat.sys
09/30/2008 02:19 AM 18,944 fmifs.dll
09/29/2008 06:22 AM 30,720 format.com
09/29/2008 06:20 AM 9,216 fs_rec.sys
09/30/2008 02:19 AM 77,824 ifsutil.dll
09/30/2008 02:19 AM 8,461,824 shell32.dll
09/30/2008 02:19 AM 57,344 uexfat.dll
09/30/2008 02:19 AM 278,528 ulib.dll
8 File(s) 9,068,032 bytes

Directory of G:\exfat\SP3QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:51 AM 133,632 exfat.sys
09/30/2008 01:56 AM 18,944 fmifs.dll
09/29/2008 06:52 AM 30,720 format.com
09/29/2008 06:50 AM 9,216 fs_rec.sys
09/30/2008 01:56 AM 77,824 ifsutil.dll
09/30/2008 01:56 AM 8,462,336 shell32.dll
09/30/2008 01:56 AM 57,344 uexfat.dll
09/30/2008 01:56 AM 278,528 ulib.dll
8 File(s) 9,068,544 bytes

Directory of G:\exfat\update

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/30/2008 02:32 AM 926 branches.inf
11/30/2007 10:17 AM 804 eula.txt
09/30/2008 06:29 AM 22,668 KB955704.CAT
11/30/2007 07:18 AM 26,488 spcustom.dll
11/30/2007 07:18 AM 755,576 update.exe
09/30/2008 04:49 PM 3,028 update.ver
09/30/2008 02:32 AM 678 updatebr.inf
09/30/2008 06:36 AM 24,318 update_SP2GDR.inf
09/30/2008 06:32 AM 25,523 update_SP2QFE.inf
09/30/2008 06:38 AM 27,395 update_SP3GDR.inf
09/30/2008 06:29 AM 27,395 update_SP3QFE.inf
07/09/2008 03:38 AM 382,840 updspapi.dll
12 File(s) 1,297,639 bytes

Total Files Listed:
48 File(s) 38,163,415 bytes
17 Dir(s) 402,366,476,288 bytes free

So it looks like it's a _lot_ more than just the exfat.sys driver file :(

Maybe in code, it's just a function or two ?


Well, I'm finally making decent progress on the kernel32 rewrite; a lot of stuff is working now. One problem that I've been struggling with for the past couple of weeks, though, has uncovered a bug in ntdll that I must have introduced at some point. In changing over how DLLs are loaded to try to add activation context support, I followed the XP code a bit too closely. The result was a heap corruption bug that would only manifest itself when a DLL was being unloaded. Consequently I've uploaded MS11-011 V14 (KB2393802), which you can find on the main download list.

The update, as usual, also includes some new API goodies:

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

KeAcquireInStackQueuedSpinLockAtDpcLevel

KeReleaseInStackQueuedSpinLockFromDpcLevel


(sigh)

You know, on some days it's really tough.

I just posted MS11-011 V15 (KB2393802). I found the same bug I fixed in V14 in a different place and had to fix it. Sorry for the inconvenience, folks. The lesson: it's possible to follow the XP code too closely.


Kernel32 update: almost there!

As of tonight the VM boots, but Explorer, Task Manager, etc. crash when I do certain things. I think I'm just a bugfix or two from really cooking with gas. ;)


YEAH!!!!

Still some application errors in Event Viewer, but the VM finally runs with it :)


Congratulations!


Awesome! I take it that this means future additional api's will be easy-ish to implement?


It should just mean adding the C code and rebuilding.


I've posted v16 (yikes!) of KB2393802 and updated the master list (Windows2000-KB2393802-v16-x86-ENU.exe). No bugfixes, but a few goodies:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

IoAssignDriveLetters

IoReadPartitionTable

IoSetPartitionInformation

IoWritePartitionTable

These functions were already present, and I simply added them to the export table and bumped up the version one tick. The idea is to hopefully help with driver compatibility.

There's also one new file:

usbser.sys (5.1.2600.5512 from XPSP3)

Why the new file? I picked up an Arduino Uno a while ago and no matter what I did, I couldn't get the Arduino software to program it (I can program my older Arduino Duemilanove just fine). Someone on a help forum had the same problem and had to use the XP usbser.sys driver to make it work. I gave it a try and presto, it works like a charm. So consider v16 the Arduino Uno version of the update :D

I don't know if XP has a newer rev of the driver or not; this one is straight from the SP3 distro and works for me.

In kernel32 news...

This is somewhat frustrating. I'm *this close*, but there is still a memory corruption bug somewhere (at least I think that's what it is). It only shows up on the kernel side so it's hard to track down. My VM boots just fine, but ESENT and the Distributed LinkTracking Client report errors in Event Viewer and windbg reports some exceptions at certain times during bootup. I'm working on cleaning up the code to try to track the remaining bug(s) down.

Edited by WildBill
usbser.sys (5.1.2600.5512 from XPSP3)

I don't know if XP has a newer rev of the driver or not; this one is straight from the SP3 distro and works for me.

No, it hasn't. 5512 is the latest build available.


Looks like the March 2013 security updates iso includes an updated KB2809289 for Windows 2000 and IE6SP1. Here's just the folder from the DVD, to save everyone from having to get the whole 3GB file... https://www.box.com/...j7b369i3xoskqgg

It appears that this update replaces the previously released KB2792100 - the new patch appears to have all the fixes from the previous hotfix in addition to an updated mshtml.dll, and new timestamps on all the rest of the files.

Edited by jimmsta

tomasz86, I am getting this error: "The procedure entry point GetFirmWareEnvironmentVariableA could not be located in the dynamic link library KERNEL32.dll." I need this GetFirmWareEnvironmentVariableA procedure. I installed your UURollup-v10d-x86-ENU.exe already; I noticed in your posting that this procedure is in Wild Bill's BWC kernel32.dll 5.0.2195.7193 but not yours. Are you planning to do any more updates to kernel32.dll and include some of these missing procedures? I'm trying to run Macrium Reflect and was able to install it (with a minor error,) but as soon as I started it up I received the above error. Your W2K patch works pretty well otherwise (had a minor issue with some icons, fixed it) Note: this is for my business computer, which is still running W2K (with no problems!!) Thanks, GaryMX

Edited by GaryMX
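The "procedure entry point ... could not be located" error in the post above means the requested name is absent from the DLL's export name table. As an added example (not part of the original thread or of either project's code), this Python sketch lists a PE file's exported names and reports which required ones are missing; `export_names`, `missing_exports` and `build_sample_dll` are hypothetical helper names, the sample image is constructed in memory, and the sample uses the documented API spelling `GetFirmwareEnvironmentVariableA` because export names are matched case-sensitively.

```python
import struct

def export_names(data):
    """Return the set of names in a PE image's export name table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 0 is exports.
    exp_rva, _size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return set()
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData.
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]

    def off(rva):
        for vsize, va, rsize, rptr in sections:
            if va <= rva < va + max(vsize, rsize):
                return rptr + rva - va
        raise ValueError("RVA 0x%x is outside every section" % rva)

    exp = off(exp_rva)
    n_names, = struct.unpack_from("<I", data, exp + 24)    # NumberOfNames
    table = off(struct.unpack_from("<I", data, exp + 32)[0])  # AddressOfNames
    names = set()
    for i in range(n_names):
        start = off(struct.unpack_from("<I", data, table + 4 * i)[0])
        names.add(data[start:data.index(b"\0", start)].decode("ascii"))
    return names

def missing_exports(data, required):
    """Required names the DLL does not export; the match is case-sensitive."""
    return sorted(set(required) - export_names(data))

def build_sample_dll(names):
    """Constructed sample: a minimal PE32 image holding only an export table."""
    rva, raw, names = 0x1000, 0x200, sorted(names)
    n = len(names)
    funcs, ptrs, ords = 40, 40 + 4 * n, 40 + 8 * n
    strs = ords + 2 * n
    blob, name_rvas = b"sample.dll\0", []
    for name in names:
        name_rvas.append(rva + strs + len(blob))
        blob += name.encode("ascii") + b"\0"
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, rva + strs, 1, n, n,
                      rva + funcs, rva + ptrs, rva + ords)
    exp += struct.pack("<%dI" % n, *[rva] * n)           # dummy function RVAs
    exp += struct.pack("<%dI" % n, *name_rvas)
    exp += struct.pack("<%dH" % n, *range(n)) + blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
           + struct.pack("<II", rva, len(exp)) + b"\0" * 120)
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(exp), rva, len(exp),
                       raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw, b"\0") + exp

if __name__ == "__main__":
    old = build_sample_dll(["CreateFileA", "WinExec"])
    print(missing_exports(old, ["WinExec", "GetFirmwareEnvironmentVariableA"]))
```

To check a real file, pass `open(path, "rb").read()` to `missing_exports` together with the names the program imports from that DLL.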

@GaryMX You should definitely check this topic. I'd suggest you install the newest daily version of UURollup-v11 (the current one being d20130312). The so called daily releases are often quite experimental but the current one is actually probably the most stable release of UURollup available at the moment :)

PS Make sure to install my unofficial Update Rollup 2 before installing it. Having IE6 with the newest Cumulative Update (which is 2809289) installed is also recommended.

Edited by tomasz86

@tomasz86, I have already read the topic on your first link and have been on your website many times. This is the order that I installed the updates (I already had the original SP4 installed):

W2K Update Rollup-KB891861-v2.EXE (First rollup of updates and additions since SP4.) The MS$ file name may not be exact, but it is the official one.

Your Update Rollup2 (I may not have the exact file name: Windows2000-UpdateRollup2-x86)

Windows2000-UURollup-v10d-x86-ENU.exe (which "updated" my W2K to be able to run certain apps, such as the newer Firefox/SeaMonkey)

I have tried my hardest to find your download link for UURollup-v11 and Google does not have any download sites. I know you have SkyDrive, but I am unable to see anything on it as of yet; a search for "tomasz86" or "UURollup-v11" brings no results. I tried DropBox and can't seem to find you there either. A link to these latest updates would be helpful. I have a dual-drive setup and tested your UURollup-v10d-x86 extensively with good results, except for an icon problem which I fixed (some of the file associations disappeared, along with the icons!) I just put them back in the registry and did a "restore" in Folder Options/File Types. If v11 of the UURollup allows me to run Macrium Reflect Free, that would be great.

There was one other issue, which isn't critical to me, but is annoying: since I installed the UURollup-v10d, all of my scheduled tasks will not run. I went in to each one and reentered my logon/password combination (I run as Administrator with full rights.) Nonetheless, they will not run. I have a scheduled Microsoft Backup which used to work, but now, when I manually run it, I get errors in my log file, "You do not have permission to access portions of [folder name]. Please see the owner or administrator to get permission" for EACH folder that I have selected to be backed up. I have FULL permissions. I have tried various tricks, to no avail. There is no help online for this problem. The .BKF file that Microsoft Backup creates is not usable and will not restore files. Any suggestions?

One more thing: on your website, "http://windows2000.tk/#archive" you mention the Application Compatibility Launcher and mention running the Firefox install. I used your link in MozillaZine instead: http://forums.mozillazine.org/viewtopic.php?f=23&t=2482475 with great results. I am running SeaMonkey 2.16 (Firefox 19 platform) with no problems whatsoever.

Thanks for your prompt reply to my posts.

GaryMX


I finally found your link to your SkyDrive account in the RyanVM.net Discussion Board: (Your SkyDrive account) When I click on the Windows blue box (296 files!) I see a bunch of numbered boxes (assuming files.) I still can't locate the UURollup v11 latest versions.

Another question about UURollup: I noticed that I can't update Adobe Reader 9.5 to v 10 (or later) as it "knows" that I am not running XP. Some other programs warn me that "this update may not work, but do you want to continue anyway?" and I click yes. No problems there. Is there no way to fool the Adobe Reader update program to allow me to update the Reader to a newer version?

Thanks.

GaryMX


OK, I know that there are so many different versions of Windows 2000 unofficial updates available that it may be confusing :lol: but too many things have been mixed there :w00t:

  1. Update Rollup 2 - The old one (Update Rollup-KB891861-v2.EXE) is obsolete and shouldn't be used any more. It probably won't harm you if you've already installed it but there were several bugs in it. The only one version of Update Rollup 2 used now is available on my website (Windows2000-UpdateRollup2-x86-ENU.exe) with its extension for Windows 2000 Server (Windows2000-UpdateRollup2-SrvExt-v2-XXX.exe).
  2. SkyDrive - The SkyDrive archive was set up when Dropbox blocked access to the original one but it's not used at the moment since Dropbox is working again so you can safely just ignore it. The main archive which is constantly updated is the Download Archive located in Dropbox, the link to which you can find at my website here.
  3. UURollup - The stable version of UURollup (Windows2000-UURollup-v10d-x86-ENU.exe) is also available at my website here (Windows2000-UURollup-v10d-x86). The test versions (weekly & daily) are available in the Download Archive, ex. for UURollup-v11 you need to navigate to Windows2000 -> UnofficialUpdatesRollup and then choose between Daily / Stable / Weekly.
  4. Task Scheduler - Are you sure that it was UURollup that broke it? :unsure: I use Task Scheduler on my computer all the time and haven't experienced any problems at all.
  5. Firefox - The instructions at mozillaZine are for UURollup-v10. In case of UURollup-v11 you only need to install the program using Application Compatibility Launcher and disable hardware acceleration in its settings. The other steps are no longer required.
  6. Acrobat Reader - The newest version works but in order to install it you have to modify the installer. It's an MSI installer so Application Compatibility Launcher doesn't work in this case. Feel free to try the one which I've just uploaded to the Download Archive (Windows2000 -> Programs).


@tomasz86 -- I accessed your link for Dropbox; that was easy! The file "Windows2000-UpdateRollup2-x86-ENU.exe" (46.56 MB) is exactly the same as the file that I have archived to my USB hard drive. I downloaded it on 12/19/2012. Did you make changes to this file since then? Everything is working well on my W2K computer, except for the Microsoft Backup. What changes are in v11 of UURollup? Is the function GetFirmWareEnvironmentVariableA included in v11's KERNEL32.DLL? That function is in Wild Bill's BWC kernel, from what I have read. Can I install v11 of UURollup right over v10d, without uninstalling it?

I read on one of the forums that you can run Adobe Reader v10 or v11 directly by copying the files from a computer that has it to the W2K computer. I am a bit skeptical of that, as I just installed v11 on my XP computer and it makes several changes to the Registry. I am going to try using your AcrobatReader_Windows2000.7z file from Dropbox.

Regarding Microsoft Backup: here is the sequence of events (I have two distinct hard drives on my W2K computer; drive C main boot, drive D alternate boot) I image copied Drive C to my USB hard drive using Drive Image (had to boot into XP using Hiren's Boot CD to do it) then, I "restored" the C drive image on top of D drive, which did not have a fully functional W2K install. I made drive D bootable, switched the boot selection to use D as default. I installed all of your updates including UURollup on drive D. I then tested the install extensively for a month (Feb 7 - March 7.) All of my regular functions necessary for my business worked, all CAD/CAM software, and especially, my Internet browser was now up to date!! By March 7th, I felt confident to go back to Drive C and install UURollup there (I had the original image saved, so I wasn't worried.) The reason for this was my Add/Remove programs list would not show, running on Drive D. Maybe a bug because they were installed on drive C, and my running operating system was on drive D!

I changed the boot order back to C drive, by default, then installed all of the updates in the order that they were to be installed, with UURollup v10d being the last one. I noticed the Add/Remove programs list was back; I had minor issues with some of the icons (fixed it); updated the browser. Everything else worked smoothly. But one issue carried over from D drive -- I could no longer run Microsoft Backup automatically (Task Scheduler.) If I ran it manually, I got the error in the log as I said in the previous post. Both D and C drives gave me this error, regardless of where I booted. It's puzzling how, as Administrator, I cannot have permission to "access portions of [folder name]." As I said before, I went through Microsoft forums, including MSDN, with no answers. I'll probably post this on a Microsoft forum if no one here has any suggestions as to how to fix this.

I have one more (wild) theory -- is it perhaps because I "restored" the drive image to Drive D while running Windows XP (instead of W2K,) is it possible that the NTFS file permissions changed because I was running XP? Just a wild theory ..

Thanks for your prompt replies!

GaryMX

Edited by GaryMX

@GaryMX GetFirmWareEnvironmentVariableA is included in UURollup-v11's kernel32.dll :yes: As for installing it over UURollup-v10d... Well, I'd say that it should work but I haven't really tested it. If you uninstalled UURollup-v10 smoothly and installed UURollup-v11 daily after that then it would be probably safer.

I don't think I can really help with the other problem as I've never experienced such issues myself :( I'd suggest creating a separate topic related to that particular problem with Task Scheduler and file permissions.

Edited by tomasz86

@tomasz86 -- OK, I'll go get the UURollup-v11 daily and install it. If that can help me to get Macrium Reflect Free running, then great! I won't have to worry about Microsoft Backup. I'll bet, however, that the Free edition doesn't allow for daily (or differential) backups. I have found that they want you to purchase the software to do that. Unfortunately, on my limited budget, that won't happen ... Thanks for the help. I will probably try the MSFN forum first (regarding the MS Backup file permissions issue) and see if anyone responds with help.

GaryMX


I uploaded a new weekly version of UURollup-v11 just yesterday so you can use it instead of the daily one :) Have you tried Cobian Backup? It's free for both personal and commercial use and allows several different types of backups (differential, incremental, etc.).

Edited by tomasz86

Tomasz (and all the developers),

I want to thank you for all the hard and difficult work you have done. I have been a longtime lurker and this is my first post. I have several older machines that I was ready to throw away and they came to life with windows 2k. The newer linux distributions bring these dinosaurs to their knees, although I run a win2k VM under linux mint. I cannot believe the difference in performance, it is fantastic! I am going to the older windows releases, because like most others I hate windows 8. Your progression and improvements to win2k put it on almost an equal footing with windows xp, and far less system resources used for getting the same jobs done.

Thanks!

Win2kreviver


I have moved my comments on UURollup to this forum topic: Unofficial SP 5.2 for Microsoft Windows 2000-- everyone else should do the same, as @tomasz86 is only replying to questions there ...

Edited by GaryMX

Ahhh.

Finally.

The VM with my rewritten kernel32 comes up with no errors. I have maybe half a dozen more routines to add, and then the question is, how to test it in the community?
