WildBill

PE Tool for creating patches


I think I'm going to need some help with my kernel32 rewrite. I have it passing 130 unit tests, but I can't seem to get WinExec working. I've loaded up most of the routines involved with debugging output and I can't find anything wrong, but it doesn't properly spawn the process. I can post the project sources if anyone would like to help tracking the problem down.

The way I test it is to copy the new kernel32 to kernel32_new.dll, and have my test program perform tests against the normal kernel32 and the rewritten one and compare the results. My WinExec test attempts to spawn calc.exe from both of them. It works with the normal kernel32, but the rewritten one doesn't fully spawn the process. I get a running calc.exe in Task Manager but the window never appears and it seems to want to consume about 5% CPU until I kill it. I've been fighting with this for a couple of weeks and I'm stumped.

Testing this way lets me protect my system since I don't have to replace kernel32, though so far I haven't tested any kernel32 routines that change anything--only the ones that read info or do things that don't affect the system.

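The side-by-side test method described in the post above (load the original kernel32 and a copy of the rewrite as kernel32_new.dll into one process, call the same read-only routine in each, compare the results) as an added example; this is not WildBill's test program or any code from the project. The harness is generic; the Windows entry point assumes a hypothetical kernel32_new.dll next to the script, and the three kernel32 cases are my own choice of read-only calls. A result that changes between two calls on the reference library is reported as nondeterministic rather than blamed on the rewrite, and an exception in one export is recorded as a mismatch instead of aborting the whole run.

```python
import ctypes
from dataclasses import dataclass


@dataclass
class Mismatch:
    case: str
    reference: object
    candidate: object


def _call(fn, lib):
    """Run one case; an exception becomes a value so one bad export cannot abort the run."""
    try:
        return fn(lib)
    except Exception as exc:
        return ("exception", type(exc).__name__, str(exc))


def run_differential(reference, candidate, cases):
    """Call every case against both libraries and return (mismatches, skipped).

    A case is (label, fn) where fn(lib) returns something comparable. A case whose
    result changes between two calls on the reference library is nondeterministic
    (tick counters, handle values) and is listed as skipped rather than counted
    as a bug in the candidate.
    """
    mismatches, skipped = [], []
    for label, fn in cases:
        ref = _call(fn, reference)
        if _call(fn, reference) != ref:
            skipped.append(label)
            continue
        cand = _call(fn, candidate)
        if cand != ref:
            mismatches.append(Mismatch(label, ref, cand))
    return mismatches, skipped


def kernel32_cases():
    """Read-only kernel32 calls, so the run never changes system state (my choice of cases)."""
    def version(k):
        k.GetVersion.restype = ctypes.c_uint32
        return k.GetVersion()

    def system_dir(k):
        buf = ctypes.create_string_buffer(260)
        k.GetSystemDirectoryA.restype = ctypes.c_uint32
        n = k.GetSystemDirectoryA(buf, 260)
        return (n, buf.value)

    def pid(k):
        k.GetCurrentProcessId.restype = ctypes.c_uint32
        return k.GetCurrentProcessId()

    return [("GetVersion", version), ("GetSystemDirectoryA", system_dir),
            ("GetCurrentProcessId", pid)]


def main(ref_path="kernel32.dll", new_path="kernel32_new.dll"):
    # Windows only: both DLLs are loaded side by side into this process, as in the post.
    # kernel32_new.dll is the assumed file name of the copied rewrite.
    reference = ctypes.WinDLL(ref_path)
    candidate = ctypes.WinDLL(new_path)
    mismatches, skipped = run_differential(reference, candidate, kernel32_cases())
    for m in mismatches:
        print(f"MISMATCH {m.case}: reference={m.reference!r} candidate={m.candidate!r}")
    for label in skipped:
        print(f"SKIPPED (nondeterministic) {label}")
    return len(mismatches) == 0


if __name__ == "__main__":
    raise SystemExit(0 if main() else 1)
```

Because run_differential only needs objects the case functions know how to call, the comparison logic can be exercised on any platform with stand-in libraries, and only main() depends on ctypes.WinDLL.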

Never mind: I had a flash of insight and figured out what the problem was: my rewritten kernel32 was passing a starting address to calc.exe that was "incorrect" because calc was loading the original kernel32 when it started up. When I temporarily hardcoded the starting address it would have normally received, it started up just fine. This doesn't make the rewritten kernel32 ready for use (it still causes the VM to crash when I completely replace the original one), but WinExec should be at least somewhat sound now (though I haven't tested Win16 apps with it yet). Now to write more tests...


I succeeded in loading exfat.sys on Windows 2000.

But the exFAT drive was not read from Windows 2000.

If you can post it somewhere I can do a quick run-through in IDA tomorrow and see what it spits out.

It's in this update:

http://www.microsoft...s.aspx?id=19364

That extracts out to a directory containing the following:



Volume in drive G is DATA
Volume Serial Number is 7A4C-636C

Directory of G:\exfat

10/16/2012 06:58 PM <DIR> .
10/16/2012 06:58 PM <DIR> ..
10/16/2012 06:58 PM 0 dirlist.txt
10/16/2012 06:55 PM <DIR> SP2GDR
10/16/2012 06:55 PM <DIR> SP2QFE
10/16/2012 06:55 PM <DIR> SP3GDR
10/16/2012 06:55 PM <DIR> SP3QFE
11/30/2007 07:18 AM 17,272 spmsg.dll
11/30/2007 07:18 AM 231,288 spuninst.exe
10/16/2012 06:55 PM <DIR> update
3 File(s) 248,560 bytes

Directory of G:\exfat\SP2GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:58 AM 133,632 exfat.sys
09/30/2008 02:44 AM 18,944 fmifs.dll
09/29/2008 05:59 AM 30,720 format.com
09/29/2008 05:58 AM 9,216 fs_rec.sys
09/30/2008 02:44 AM 77,824 ifsutil.dll
09/30/2008 02:44 AM 8,455,168 shell32.dll
09/30/2008 02:44 AM 57,344 uexfat.dll
09/30/2008 02:44 AM 278,528 ulib.dll
8 File(s) 9,061,376 bytes

Directory of G:\exfat\SP2QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:53 AM 133,632 exfat.sys
09/30/2008 02:05 AM 18,944 fmifs.dll
09/29/2008 05:54 AM 30,720 format.com
09/29/2008 05:53 AM 9,216 fs_rec.sys
09/30/2008 02:05 AM 77,824 ifsutil.dll
09/30/2008 11:35 AM 8,461,312 shell32.dll
09/30/2008 02:05 AM 57,344 uexfat.dll
09/30/2008 02:05 AM 278,528 ulib.dll
09/29/2008 05:46 AM 351,744 xpsp3res.dll
9 File(s) 9,419,264 bytes

Directory of G:\exfat\SP3GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:21 AM 133,632 exfat.sys
09/30/2008 02:19 AM 18,944 fmifs.dll
09/29/2008 06:22 AM 30,720 format.com
09/29/2008 06:20 AM 9,216 fs_rec.sys
09/30/2008 02:19 AM 77,824 ifsutil.dll
09/30/2008 02:19 AM 8,461,824 shell32.dll
09/30/2008 02:19 AM 57,344 uexfat.dll
09/30/2008 02:19 AM 278,528 ulib.dll
8 File(s) 9,068,032 bytes

Directory of G:\exfat\SP3QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:51 AM 133,632 exfat.sys
09/30/2008 01:56 AM 18,944 fmifs.dll
09/29/2008 06:52 AM 30,720 format.com
09/29/2008 06:50 AM 9,216 fs_rec.sys
09/30/2008 01:56 AM 77,824 ifsutil.dll
09/30/2008 01:56 AM 8,462,336 shell32.dll
09/30/2008 01:56 AM 57,344 uexfat.dll
09/30/2008 01:56 AM 278,528 ulib.dll
8 File(s) 9,068,544 bytes

Directory of G:\exfat\update

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/30/2008 02:32 AM 926 branches.inf
11/30/2007 10:17 AM 804 eula.txt
09/30/2008 06:29 AM 22,668 KB955704.CAT
11/30/2007 07:18 AM 26,488 spcustom.dll
11/30/2007 07:18 AM 755,576 update.exe
09/30/2008 04:49 PM 3,028 update.ver
09/30/2008 02:32 AM 678 updatebr.inf
09/30/2008 06:36 AM 24,318 update_SP2GDR.inf
09/30/2008 06:32 AM 25,523 update_SP2QFE.inf
09/30/2008 06:38 AM 27,395 update_SP3GDR.inf
09/30/2008 06:29 AM 27,395 update_SP3QFE.inf
07/09/2008 03:38 AM 382,840 updspapi.dll
12 File(s) 1,297,639 bytes

Total Files Listed:
48 File(s) 38,163,415 bytes
17 Dir(s) 402,366,476,288 bytes free

So it looks like it's a _lot_ more than just the exfat.sys driver file :(

Maybe in code, it's just a function or two?


Well, I'm finally making decent progress on the kernel32 rewrite; a lot of stuff is working now. One problem that I've been struggling with for the past couple of weeks, though, has uncovered a bug in ntdll that I must have introduced at some point. In changing over how DLLs are loaded to try to add activation context support, I followed the XP code a bit too closely. The result was a heap corruption bug that would only manifest itself when a DLL was being unloaded. Consequently I've uploaded MS11-011 V14 (KB2393802), which you can find on the main download list.

The update, as usual, also includes some new API goodies:

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

KeAcquireInStackQueuedSpinLockAtDpcLevel

KeReleaseInStackQueuedSpinLockFromDpcLevel


(sigh)

You know, on some days it's really tough.

I just posted MS11-011 V15 (KB2393802). I found the same bug I fixed in V14 in a different place and had to fix it. Sorry for the inconvenience, folks. The lesson: it's possible to follow the XP code too closely.


Kernel32 update: almost there!

As of tonight the VM boots, but Explorer, Task Manager, etc. crash when I do certain things. I think I'm just a bugfix or two from really cooking with gas. ;)


YEAH!!!!

Still some application errors in Event Viewer, but the VM finally runs with it :)


Congratulations!


Awesome! I take it that this means future additional APIs will be easy-ish to implement?


It should just mean adding the C code and rebuilding.


I've posted v16 (yikes!) of KB2393802 and updated the master list (Windows2000-KB2393802-v16-x86-ENU.exe). No bugfixes, but a few goodies:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

IoAssignDriveLetters

IoReadPartitionTable

IoSetPartitionInformation

IoWritePartitionTable

These functions were already present, and I simply added them to the export table and bumped up the version one tick. The idea is to hopefully help with driver compatibility.

There's also one new file:

usbser.sys (5.1.2600.5512 from XPSP3)

Why the new file? I picked up an Arduino Uno a while ago and no matter what I did, I couldn't get the Arduino software to program it (I can program my older Arduino Duemilanove just fine). Someone on a help forum had the same problem and had to use the XP usbser.sys driver to make it work. I gave it a try and presto, it works like a charm. So consider v16 the Arduino Uno version of the update :D

I don't know if XP has a newer rev of the driver or not; this one is straight from the SP3 distro and works for me.

In kernel32 news...

This is somewhat frustrating. I'm *this close*, but there is still a memory corruption bug somewhere (at least I think that's what it is). It only shows up on the kernel side so it's hard to track down. My VM boots just fine, but ESENT and the Distributed Link Tracking Client report errors in Event Viewer and windbg reports some exceptions at certain times during bootup. I'm working on cleaning up the code to try to track the remaining bug(s) down.

Edited by WildBill
usbser.sys (5.1.2600.5512 from XPSP3)

I don't know if XP has a newer rev of the driver or not; this one is straight from the SP3 distro and works for me.

No, it doesn't. 5512 is the latest build available.


Looks like the March 2013 security updates ISO includes an updated KB2809289 for Windows 2000 and IE6SP1. Here's just the folder from the DVD, to save everyone from having to get the whole 3GB file... https://www.box.com/...j7b369i3xoskqgg

It appears that this update replaces the previously released KB2792100 - the new patch appears to have all the fixes from the previous hotfix in addition to an updated mshtml.dll, and new timestamps on all the rest of the files.

Edited by jimmsta

tomasz86, I am getting this error: "The procedure entry point GetFirmWareEnvironmentVariableA could not be located in the dynamic link library KERNEL32.dll." I need this GetFirmWareEnvironmentVariableA procedure. I installed your UURollup-v10d-x86-ENU.exe already; I noticed in your posting that this procedure is in Wild Bill's BWC kernel32.dll 5.0.2195.7193 but not yours. Are you planning to do any more updates to kernel32.dll and include some of these missing procedures? I'm trying to run Macrium Reflect and was able to install it (with a minor error), but as soon as I started it up I received the above error. Your W2K patch works pretty well otherwise (had a minor issue with some icons, fixed it). Note: this is for my business computer, which is still running W2K (with no problems!!). Thanks, GaryMX

Edited by GaryMX
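Two earlier points in the thread come down to the same question about a PE image's export table: WildBill's v16 note that functions already present in ntoskrnl.exe were "simply added to the export table" to help driver compatibility, and GaryMX's "procedure entry point ... could not be located in the dynamic link library KERNEL32.dll" error, which the loader raises when an import has no matching export by name. The following is an added example, not code from WildBill's PE tool or from UURollup: a minimal export-directory parser that walks the section table to turn RVAs into file offsets, recognises forwarded exports, and reports which names a driver or application needs that the image does not export. Because a real kernel32.dll or ntoskrnl.exe cannot ship with the example, build_minimal_pe constructs a tiny PE32 DLL in memory as labelled sample input; the export names and RVAs in it are made up for the demonstration.

```python
import struct


def _rva_to_offset(image, rva):
    """Map an RVA to a file offset via the section table (the header region maps 1:1)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    sec_table = pe + 24 + opt_size
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", image, sec_table + i * 40 + 12)
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    size_of_headers = struct.unpack_from("<I", image, pe + 24 + 60)[0]
    if rva < size_of_headers:
        return rva
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")


def parse_exports(image):
    """Return {name: rva} from a PE32/PE32+ export directory; forwarders map to their target string."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", image, pe + 24)[0]
    dd = 96 if magic == 0x10B else 112            # data directory offset differs for PE32+
    dir_rva, dir_size = struct.unpack_from("<II", image, pe + 24 + dd)
    if dir_rva == 0:
        return {}
    d = _rva_to_offset(image, dir_rva)
    base, n_funcs, n_names, rva_funcs, rva_names, rva_ords = struct.unpack_from("<6I", image, d + 16)
    funcs, names, ords = (_rva_to_offset(image, r) for r in (rva_funcs, rva_names, rva_ords))
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]   # index into the function table
        if ordinal >= n_funcs:
            raise ValueError("ordinal table points outside the function table")
        func_rva = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
        name = _cstring(image, _rva_to_offset(image, name_rva))
        if dir_rva <= func_rva < dir_rva + dir_size:   # inside the export directory: a forwarder
            exports[name] = _cstring(image, _rva_to_offset(image, func_rva))
        else:
            exports[name] = func_rva
    return exports


def missing_imports(image, required):
    """Names in `required` that the image does not export by name (the loader's error case)."""
    have = parse_exports(image)
    return [n for n in required if n not in have]


def build_minimal_pe(dll_name, exports, forward=None):
    """Constructed sample input: a minimal PE32 DLL whose single section holds only an export table."""
    forward = forward or {}
    n = len(exports)
    sec_rva, sec_raw = 0x1000, 0x200
    names = sorted(exports)                        # the loader expects the name table sorted
    pool = bytearray()

    def add_str(s):
        rva = sec_rva + 40 + 10 * n + len(pool)    # strings follow the three tables
        pool.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name_rva = add_str(dll_name)
    name_rvas = [add_str(s) for s in names]
    fwd_rvas = {s: add_str(forward[s]) for s in names if s in forward}
    func_table = b"".join(struct.pack("<I", fwd_rvas.get(s, 0x2000 + 0x10 * i))
                          for i, s in enumerate(names))          # fake code RVAs
    name_table = b"".join(struct.pack("<I", r) for r in name_rvas)
    ord_table = b"".join(struct.pack("<H", i) for i in range(n))
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                          sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n)
    section = exp_dir + func_table + name_table + ord_table + bytes(pool)
    dir_size = len(section)
    section += b"\0" * (-len(section) % sec_raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)      # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, sec_raw)                       # section/file alignment
    struct.pack_into("<II", opt, 56, sec_rva + 0x1000, sec_raw)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, dir_size)                     # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", dir_size, sec_rva, len(section),
                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return headers + b"\0" * (sec_raw - len(headers)) + section
```

To check a real image, read the file into bytes and call missing_imports with the names a driver's import table asks for; parse_exports also makes the effect of an export-table patch visible before and after the patch, since a name that was present as code but absent from the name table shows up only afterwards.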

@GaryMX You should definitely check this topic. I'd suggest you install the newest daily version of UURollup-v11 (the current one being d20130312). The so-called daily releases are often quite experimental, but the current one is actually probably the most stable release of UURollup available at the moment :)

PS Make sure to install my unofficial Update Rollup 2 before installing it. Having IE6 with the newest Cumulative Update (which is 2809289) installed is also recommended.

Edited by tomasz86
