WildBill

PE Tool for creating patches

696 posts in this topic

I've just done more tests and actually the same problem happens with both v10 and v11. The test machine is a VM (uses uniproc non-PAE kernel) with all official updates installed. I just added KB2479628 and KB2393802.

Now that's interesting. I'm seeing the same thing in my VM, but not on real hardware. It must date back to v9, since the ntdll in v9 and v10 are the same. v9 was where I added a bunch of SxS APIs to ntdll. I guess I'll have to look at it closely to see if I broke anything.


Well, I had problems with the ntdll.dll starting from v9, on real hardware too (check #533).


I've been crawling through the code, double-checking and triple-checking everything, and I can't find anything wrong with the code. I tried backing some changes out and eventually replaced v9 ntdll with v8 ntdll and I still see occasional problems in a VM (though never on real hardware). From looking at the exceptions it looks like something is corrupting the heap, and subsequent heap operations are throwing exceptions. Mixing v8 ntdll with v9 kernel definitely isn't preventing the problem. What happens if you try a pure v8 install on a VM?


More test results:

1. After installing v11, folders don't open / Explorer is restarted... but they open in Safe Mode. On the other hand, IE doesn't open in either "normal" mode or Safe Mode (Add/Remove Programs doesn't open either, as it depends on IE).

2. No problems occur when v8 is installed.

3. I found a bug in update.inf. There should be no ntdll.dll and win32k.sys in [system32.Files].

4. Replacing ntdll.dll v7084 from v11 with ntdll.dll v7083 from v8 fixes all issues.

Edited by tomasz86

There's something screwy going on...I backed up all the way to v3 and I still get the same occasional errors when accessing a network share from within a VM. I then tried a clean install of 2kSP4 and it still happens. I wonder if it's a VM thing. I'm using Virtual PC 2007.


It's innotek VirtualBox 1.5.6 on my side.


Well, so far I haven't been able to track down what's corrupting the heap. I think the best strategy is to finish the kernel32 rewrite since I'm so close to the end, and then perhaps move on to rewriting ntdll (which is smaller). That way I can try to put in better heap corruption detection and maybe find out what's going on.

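The symptom described in the two posts above, damage that only surfaces when some later, unrelated heap call throws, is exactly what per-block guards localise. The block below is an added example written for this thread; it is not code from WildBill's ntdll rewrite and not Windows 2000's RtlHeap. It wraps malloc with a checksummed header and a trailer canary on every block, so a one-byte overrun or an underrun is blamed on the block that was actually hit at the next check, instead of on whichever allocation happens to fail afterwards. The names guarded_alloc, block_status, heap_check and guarded_free, and the 64-entry live-block table, are this example's own assumptions.

```c
/* guardheap.c: a malloc wrapper that catches heap corruption at the damaged block.
 * Added example for this thread; it is NOT Windows 2000's RtlHeap or WildBill's
 * ntdll rewrite, just the header/trailer guard idea in stand-alone form. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HDR_MAGIC  0xA110C8EDu
#define TAIL_MAGIC 0xDEADBEEFu
#define MAX_BLOCKS 64                 /* size of this example's live-block table */

/* 16-byte header keeps user data 16-aligned. sum is last so an underrun that
 * touches the byte just before the user pointer lands on the checksum itself. */
struct hdr { uint32_t magic, size, pad, sum; };

static struct hdr *live[MAX_BLOCKS];
static int nlive;

/* Ties magic, size and pad together: a write that changes size but leaves
 * magic intact is still caught. */
static uint32_t hdr_sum(const struct hdr *h)
{
    return h->magic ^ (h->size * 0x9E3779B1u) ^ h->pad ^ 0x5A5A5A5Au;
}

/* Trailer canary sits right after the user bytes; read via memcpy (unaligned). */
static uint32_t tail_read(const struct hdr *h)
{
    uint32_t t; memcpy(&t, (const uint8_t *)(h + 1) + h->size, sizeof t); return t;
}

void *guarded_alloc(size_t size)
{
    if (nlive == MAX_BLOCKS || size > 0x7FFFFFFFu) return NULL;
    struct hdr *h = malloc(sizeof *h + size + sizeof(uint32_t));
    if (!h) return NULL;
    h->magic = HDR_MAGIC; h->size = (uint32_t)size; h->pad = 0; h->sum = hdr_sum(h);
    uint32_t t = TAIL_MAGIC;
    memcpy((uint8_t *)(h + 1) + size, &t, sizeof t);
    live[nlive++] = h;
    return h + 1;
}

/* 0 = intact, 1 = header damaged (underrun / wild write), 2 = trailer damaged (overrun).
 * The header is verified before size is trusted, so a bad header never drives a read. */
int block_status(const void *user)
{
    const struct hdr *h = (const struct hdr *)user - 1;
    if (h->magic != HDR_MAGIC || h->sum != hdr_sum(h)) return 1;
    return tail_read(h) == TAIL_MAGIC ? 0 : 2;
}

/* Index of the first corrupt live block, or -1 when every block checks out.
 * Call it after a suspect operation to localise damage instead of waiting for a crash. */
int heap_check(void)
{
    for (int i = 0; i < nlive; i++)
        if (block_status(live[i] + 1)) return i;
    return -1;
}

/* Returns the block's status at free time. A block with a trusted header is released;
 * one with a smashed header is quarantined (left allocated) because its size is unknown. */
int guarded_free(void *user)
{
    int st = block_status(user);
    struct hdr *h = (struct hdr *)user - 1;
    for (int i = 0; i < nlive; i++)
        if (live[i] == h) { live[i] = live[--nlive]; break; }
    if (st != 1) free(h);
    return st;
}

/* Scenario: two blocks, a one-byte overrun of the first, a one-byte underrun of the second.
 * Returns a bitmask of observations; 31 means every check behaved as described. */
int demo(void)
{
    int r = 0;
    uint8_t *a = guarded_alloc(16), *b = guarded_alloc(32);
    if (!a || !b) return 0;
    if (heap_check() == -1) r |= 1;                          /* clean right after allocation */
    memset(a, 'A', 17);                                      /* off-by-one overrun into a's trailer */
    if (block_status(a) == 2 && heap_check() == 0) r |= 2;   /* blamed on a, not on b */
    if (block_status(b) == 0) r |= 4;                        /* b untouched so far */
    b[-1] ^= 0xFF;                                           /* underrun clobbers b's header */
    if (block_status(b) == 1) r |= 8;
    if (guarded_free(a) == 2 && guarded_free(b) == 1 && heap_check() == -1) r |= 16;
    return r;
}

int main(void)
{
    int r = demo();
    printf("demo bitmask = %d (31 = all checks passed)\n", r);
    return r == 31 ? 0 : 1;
}
```

The same idea scaled up is what a debug heap does: validate on every operation and walk all blocks on demand. On a stock Windows 2000 system the closest built-in equivalent is page heap from the Debugging Tools (gflags.exe /p), which puts each block against an inaccessible page so an overrun faults at the offending instruction.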

I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather it sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler ;)

I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in, out of a total of 902, but I won't need that many before I can start testing and debugging it.


Can you run CurrPorts with KB2508429-v8?


Does NirSoft CurrPorts work?

Our iphlpapi.dll seems to have a problem with GetUdpExTable2FromStack/GetTcpExTable2FromStack.

I found that iphlpapi v5.0.2195.7097 requires KB957579 (the minimum requirement is KB951798).

I've got a couple of updates posted:

iphlpapi.dll


I was taking a look at the IE6 SP1 version of the MS12-052 fix that BlackWingCat found on the Microsoft Security ISO and I decided to run it through IDA Pro and TurboDiff (I compared against the last pre-EOL fix, MS10-035/KB982381) and TurboDiff found no changes to any function in BROWSEUI.DLL between the two versions. Since WildBill's notes for MS10-071 show that changes to BROWSEUI.DLL were required to fully close up the AutoComplete vulnerability, I also compared the XP versions of MS10-035 and MS10-071 and functions did show up as changed.

This tells me that Microsoft is doing the same thing with these "Extended Support fixes" that they did with Windows 98's extended support in that they only fixed vulnerabilities marked as "Critical." I remember that WildBill had said that MS11-003 would be a pain to backport but it looks like M$ did the hard work for us for that bulletin (all of its CVEs are marked as "Critical") and an easier solution for that update might be to use the Microsoft MS11-003 or MS12-052 IE6 SP1 patch and add the other changes from the previous unofficial IE updates as necessary.

On another note, I noticed some issues with MS11-012 where FileZilla's toolbar has the same white splotches where the shadows are supposed to be that we had before adding the ShellIconBPP setting.

How FileZilla's toolbar looks on stock Win2k: [screenshot attachment]

How FileZilla's toolbar looks with MS11-012 installed: [screenshot attachment]

How FileZilla's toolbar looks on Windows XP: [screenshot attachment]

This is a minor issue, so no rush on fixing this or doing any of the IE updates (I use Firefox 10 ESR on 2000, so the vulnerabilities don't concern me too much.)

PS I'm trying to learn some of this patch analysis stuff so that maybe I could help with the load at some point.

Edited by MacLover

Hi WildBill. Can you make the unofficial August 2012 Cumulative Time Zone Update KB2732052 for Windows 2000?

MS KB article 2732052:

http://support.microsoft.com/kb/2732052/

It supersedes and replaces previously released Time Zone hotfixes as well as the December 2011 Cumulative Time Zone update.

I see a definite pattern of how and when MS releases new Time Zone updates for Windows for several years now, usually in August and in December of each year.

Edited by erpdude8


acus has already done it :whistle:

http://www.ryanvm.net/forum/viewtopic.php?p=126872#126872

Edited by tomasz86

Thanks, tomasz86. I haven't been here that much lately.

btw, do you know by any chance if anyone got the KB2476490 oleaut32.dll v2.40.4535.0 security patch blackwingcat mentioned here?

I didn't realize that MS is still secretly making some new security fixes for win2000, even after extended support for Win2k ended mid-July 2010.

Edited by erpdude8


I don't think it's available publicly. Only a few of the updates mentioned on BWC's blog leaked. The IE Cumulative one has been recently replaced by the newly (officially) released CU (KB2722913). The two others are included in Update Rollup 2. Only the one for MDAC 2.8 SP1 (KB983838) still needs to be applied separately.


I've got a new installment of MS11-011 (KB2393802) posted (v12). By request, it adds a number of kernel-level functions:

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

KeAreApcsDisabled

IoQueryFileDosDeviceName

MmProtectMdlSystemAddress

KeQueryActiveProcessorCount

PsDereferenceImpersonationToken

PsDereferencePrimaryToken

NtOpenProcessTokenEx

NtOpenThreadTokenEx

ZwOpenProcessTokenEx

ZwOpenThreadTokenEx

CcMdlWriteAbort

Enjoy... :hello:

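Both the KB2508429-v8 post (MiniDumpWriteDump added to dbghelp.dll) and the v12 post above add exports to existing system binaries. The first sanity check on such a patched file is to walk its export directory and confirm that the new names actually resolve to an RVA, and that nothing in the rebuilt tables points outside the image. The block below is an added example for this thread, not WildBill's PE tool and not code from any of the posters: a bounds-checked export-table walker for a PE32 image laid out with RVA == offset (what a loaded module, or a file whose sections have been mapped to their VirtualAddress, looks like), plus a hand-built sample image so it runs offline. The sample's two names, their RVAs and the 0x400-byte layout are constructed for the example; has_export, walk_exports and build_sample_image are this example's own names. Unlike a function-body diff in IDA/TurboDiff, this only answers "is the export there and where does it point".

```c
/* pe_exports.c: bounds-checked walk of a PE32 export directory.
 * Added example for this thread, not WildBill's PE tool. It assumes the image is laid
 * out with RVA == offset (a loaded module, or a file whose sections were mapped). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | (p[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | ((uint32_t)rd16(p, o + 2) << 16); }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { wr16(p, o, (uint16_t)v); wr16(p, o + 2, (uint16_t)(v >> 16)); }

/* RVA of IMAGE_EXPORT_DIRECTORY, or 0 when headers are absent, not PE32, or truncated. */
static uint32_t export_dir_rva(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img, 0) != 0x5A4D) return 0;                          /* "MZ" */
    uint32_t pe = rd32(img, 0x3C);
    if (pe > len - 24 || rd32(img, pe) != 0x00004550) return 0;                  /* "PE\0\0" + file header */
    uint32_t opt = pe + 24, optsz = rd16(img, pe + 20);                          /* SizeOfOptionalHeader */
    if (optsz < 104 || opt + optsz > len || rd16(img, opt) != 0x10B) return 0;   /* PE32 magic only */
    if (rd32(img, opt + 92) < 1) return 0;                                       /* NumberOfRvaAndSizes */
    return rd32(img, opt + 96);                                                  /* DataDirectory[0].VirtualAddress */
}

typedef void (*export_cb)(const char *name, uint32_t rva, void *ctx);

/* Calls cb for each export that has a name. Returns the name count, or -1 if any table
 * or string would lie outside the image (a truncated or hostile file must not crash us).
 * Exports by ordinal only are not visited; a function RVA inside the export directory
 * is a forwarder string rather than code. */
int walk_exports(const uint8_t *img, size_t len, export_cb cb, void *ctx)
{
    uint32_t ed = export_dir_rva(img, len);
    if (!ed || ed > len - 40) return -1;
    uint32_t nfunc = rd32(img, ed + 20), nname = rd32(img, ed + 24);
    uint32_t funcs = rd32(img, ed + 28), names = rd32(img, ed + 32), ords = rd32(img, ed + 36);
    if (funcs > len || nfunc > (len - funcs) / 4) return -1;
    if (names > len || nname > (len - names) / 4) return -1;
    if (ords  > len || nname > (len - ords) / 2) return -1;
    for (uint32_t i = 0; i < nname; i++) {
        uint32_t nrva = rd32(img, names + 4 * i);
        uint16_t ord  = rd16(img, ords + 2 * i);            /* unbiased index into AddressOfFunctions */
        if (nrva >= len || ord >= nfunc) return -1;
        if (!memchr(img + nrva, 0, len - nrva)) return -1;  /* name must terminate inside the image */
        cb((const char *)img + nrva, rd32(img, funcs + 4 * ord), ctx);
    }
    return (int)nname;
}

struct needle { const char *name; uint32_t rva; int found; };
static void match_cb(const char *name, uint32_t rva, void *ctx)
{
    struct needle *n = ctx;
    if (strcmp(name, n->name) == 0) { n->found = 1; n->rva = rva; }
}

/* 1 if `name` is exported by name (its RVA stored via rva when non-NULL), else 0. */
int has_export(const uint8_t *img, size_t len, const char *name, uint32_t *rva)
{
    struct needle n = { name, 0, 0 };
    if (walk_exports(img, len, match_cb, &n) < 0 || !n.found) return 0;
    if (rva) *rva = n.rva;
    return 1;
}

/* Constructed sample (not produced by a linker): a section-less PE32 image whose export
 * tables hold up to 8 names, function i at RVA 0x1000 + 16*i. Returns image size or 0. */
#define IMG_SIZE 0x400
size_t build_sample_image(uint8_t *img, const char **names, unsigned n)
{
    enum { PE = 0x80, OPT = PE + 24, ED = 0x200, FUNCS = 0x240, NAMES = 0x260, ORDS = 0x280, STR = 0x300 };
    size_t s = STR;
    if (n > 8) return 0;
    memset(img, 0, IMG_SIZE);
    wr16(img, 0, 0x5A4D);        wr32(img, 0x3C, PE);
    wr32(img, PE, 0x00004550);   wr16(img, PE + 4, 0x14C);   wr16(img, PE + 20, 224);
    wr16(img, OPT, 0x10B);       wr32(img, OPT + 92, 16);
    wr32(img, OPT + 96, ED);     wr32(img, OPT + 100, IMG_SIZE - ED);
    wr32(img, ED + 16, 1);       wr32(img, ED + 20, n);      wr32(img, ED + 24, n);
    wr32(img, ED + 28, FUNCS);   wr32(img, ED + 32, NAMES);  wr32(img, ED + 36, ORDS);
    for (unsigned i = 0; i < n; i++) {
        size_t l = strlen(names[i]) + 1;
        if (s + l > IMG_SIZE) return 0;
        memcpy(img + s, names[i], l);
        wr32(img, FUNCS + 4 * i, 0x1000 + 16 * i);
        wr32(img, NAMES + 4 * i, (uint32_t)s);
        wr16(img, ORDS + 2 * i, (uint16_t)i);
        s += l;
    }
    return IMG_SIZE;
}

static void print_cb(const char *name, uint32_t rva, void *ctx) { (void)ctx; printf("  %-32s RVA 0x%08X\n", name, rva); }

/* Scenario: two names from the v12 list resolve, one not in the sample does not, and a
 * truncated copy is rejected instead of being read past its end. 15 = all four hold. */
int demo(void)
{
    static uint8_t img[IMG_SIZE];
    static const char *names[] = { "KeAreApcsDisabled", "KeQueryActiveProcessorCount" };
    uint32_t rva = 0; int r = 0;
    if (build_sample_image(img, names, 2) == IMG_SIZE) r |= 1;
    if (has_export(img, IMG_SIZE, "KeQueryActiveProcessorCount", &rva) && rva == 0x1010) r |= 2;
    if (!has_export(img, IMG_SIZE, "PsDereferencePrimaryToken", NULL)) r |= 4;
    if (!has_export(img, 0x100, "KeAreApcsDisabled", NULL)) r |= 8;
    return r;
}

int main(void)
{
    static uint8_t img[IMG_SIZE];
    static const char *names[] = { "KeAreApcsDisabled", "KeQueryActiveProcessorCount" };
    build_sample_image(img, names, 2);
    printf("exports:\n");
    walk_exports(img, IMG_SIZE, print_cb, NULL);
    return demo() == 15 ? 0 : 1;
}
```

To use it on a real ntoskrnl or dbghelp.dll, map each section to its VirtualAddress first (or add a section-table lookup that translates RVAs to file offsets) and then run the same walk over the old and new builds; the names present in one and absent from the other are the added exports, and any name whose RVA changed is worth opening in the disassembler.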
