WildBill

PE Tool for creating patches

695 posts in this topic

I'm putting together a patch called KB2479629 that combines KB2479628 and KB2393802. It incorporates fixes to the bug that blackwingcat found, the win32k.sys raw-input API, and I think a few other things (I'll have to go back and see what else I added). KB2479629 isn't used by MS so it should be safe to use.


Just wondering what's going on since last year :P


I've been sitting on the update so I could test it thoroughly, but I just posted KB2479629. It combines KB2479628 and KB2393802, rendering them obsolete. It also adds some new stuff:

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

The fix for the NTQueryInformationProcess bug that blackwingcat found.

setupapi.dll

Added SetupUninstallOEMInfW

user32.dll

Added true implementations for the following (for mouse and keyboard support only, not other USB devices)

DefRawInputProc
GetRawInputBuffer
GetRawInputData
GetRawInputDeviceInfoA
GetRawInputDeviceInfoW
GetRawInputDeviceList
GetRegisteredRawInputDevices
RegisterRawInputDevices

win32k.sys

Kernel-side implementation of the raw-input API that user32.dll invokes (where the real work is).

wtsapi32.dll

Added stubs for WTSRegisterSessionNotification and WTSUnRegisterSessionNotification


New update: KB2508429 v16 (apparently I never uploaded v15, oh well...). There are three new functions for advapi32 since v14:

RegSaveKeyExA
RegSaveKeyExW
EnumerateTraceGuids


It's been a long while since I mentioned it, but I've quietly been working on a total rewrite of kernel32.dll in C. It took forever, but I've finally squashed enough of the bugs such that it's booting in a VM without exhibiting any errors. Once I synchronize it with the current kernel32.dll in my patches, I'll be releasing a new version of the rewrite with full source.


Great, WildBill!  You do rock! :thumbup


Thanks for your work Wildbill.

To run some modern browsers, some missing dependencies are required. Could you add them?

GetNumaHighestNodeNumber - Palemoon AtomXP 25x, Firefox 39x

GetLogicalProcessorInformation - Palemoon AtomXP SSE (for old processors) - http://www.romanstefko.com/pale-moon-sse/

CreateActCtxW - K-meleon 75x

WTSGetActiveConsoleSessionId, RtlCaptureContext - Vivaldi - https://vivaldi.com/

Edited by tierney
Share on other sites

There seems to be a bug in KB2479629: When I attempt to install it on a "fresh" Windows 2000 system (Windows 2000 SP4+UR1, no unofficial patches installed), the installer will say that KB2479628 is not installed. From looking at update.inf, it seems like the old WIN32K.SYS version check from MS11-011/KB2393802 was left in the INF. Removing the check from the INF fixed the installer and everything is working.

Thanks again for the patches!



Funny that you mention those, since I'm testing an update here that adds the first two (GetNumaHighestNodeNumber and GetLogicalProcessorInformation). Unfortunately health issues intervened and I'm currently recovering from gall bladder surgery. When I get back on my feet so to speak I'll try to remember to look at the rest of those.

Edited by WildBill

WildBill, great to know you're working on those. Thanks for letting us know. Meanwhile, get well soon!


+1: Get well soon, WildBill!  :yes:


Thanks! I'm almost fully recovered; I had a bout of anemia a couple weeks ago, and I've been cooking steaks every night to try to get my numbers back up. I'll be seeing the doc tomorrow, but I anticipate that I should be back to work on Monday.

I've started looking at the requested routines, and it looks like I only need to add CreateActCtxW (as the patch versions I have here already contain the other routines). That one will be tricky because I've found that putting in stub versions causes some applications to act wonky (because they expect them to actually work). I once took a stab at making fully functional versions of the activation context API (which MS calls the Fusion API), but it's far from trivial. Still, taking another look never hurts.


I've got a couple new versions posted up on the master list:

Windows2000-KB2508429-v17-x86-ENU.exe

iphlpapi.dll

if_indextoname

Windows2000-KB2479629-v3-x86-ENU.exe

(There was no v2, that was internal and only added IsProcessInJob)

kernel32.dll

IsProcessInJob
GetNumaHighestNodeNumber
GetNumaProcessorNode
GetNumaNodeProcessorMask
GetNumaProcessorMap
GetNumaAvailableMemory
GetNumaAvailableMemoryNode
GetLogicalProcessorInformation

ntdll.dll

NtIsProcessInJob
ZwIsProcessInJob

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlpa.exe/ntkrpamp.exe

Added support to NtQuerySystemInformation for new kernel32 API calls

Edited by WildBill

Unfortunately, I have been unable to download Windows2000-KB2479629-v3-x86-ENU.exe.

MediaFire says "The file you attempted to download was determined to be dangerous. For your protection, MediaFire does not enable distribution of dangerous files."



That's just bizarre. I scanned it on my end with Avast and it's clean, so I deleted it from MediaFire and I'm re-uploading it. I'll update the link once it completes.

Hmm. It still thinks it's infected, so I rebuilt the .exe and I'm reposting it. For some reason the new one is different from the original. I have no idea why.

Edited by WildBill

zip, rar or 7z it with a password, and MediaFire'll stop meddling. If I may suggest a general password for such cases, "False8positivE" is a good one. :)

BTW, how many false positives does it get from Virus Total?


Hi, WildBill.

Have you fixed the srv.sys critical problem?

5.0.2195.7368 and 5.0.2195.7369.

http://www.msfn.org/board/topic/149233-kernelex-for-win2000/page-27#entry1106699

I can't find your announcement. :P

I apologize if the problem in my post is something you have already taken care of.

Edited by blackwingcat


Yes, it's fixed in KB2508429 v17, which has srv.sys 5.0.2195.7371. I just double-checked the file in IDA and it's fixed.

On another note, I'm still plugging away with my kernel32.dll rewrite. I had thought it was ready, but I found a bug when I run Seven File Replacer -- the GUI doesn't render properly. I've been slowly verifying the routines that it calls, but Seven File Replacer is a hideously complex program for some reason, so it's been really hard to track down.

EDIT: I had a bout of insomnia and decided to work on verifying some more routines in my rewrite. What a relief -- I finally tracked that bug down! memset() in the original kernel32 is **evil**.

Edited by WildBill

Umm.

It seems it has no problem with the English version of extended kernel Game Edition 5.0.2195.7236.

I recommend that you try making a DLL with the minimum kernel extension and check it. :yes:

