PE Tool for creating patches

674 replies to this topic

#526 WildBill (Senior Member, Developer)
I've posted KB2393802-v9 :whistle:

It doesn't include the new rewritten stuff and is mostly a bugfix version. It adds several SxS APIs to ntdll, but until the rest of the pieces are added to kernel32 they won't do anything (they should be safe to call; they'll just return error codes since they won't succeed). I still recommend it though, as it fixes several bugs in -v8.

Now I can work on finishing SxS support for v10 without having those bugs hanging over my head...

Edited by WildBill, 14 May 2012 - 01:24 PM.




#527 tomasz86 (Member, www.windows2000.tk)
Thanks WildBill :)

By the way, here is a slimmed down version of the update.inf for KB2393802-v9. All useless sections and lines have been removed so it's much easier to navigate.

Attached Files


Edited by tomasz86, 14 May 2012 - 03:33 PM.

Unofficial Service Pack 5.2 for MS Windows 2000 <- use this topic if you need help with UURollup, Update Rollup 2 and other unofficial packages

#528 tomasz86 (Member, www.windows2000.tk)
These APIs are present in BWC kernel's kernel32.dll and are not included in yours:

ActivateActCtx
CheckRemoteDebuggerPresent
CreateActCtxA
CreateActCtxW
DeactivateActCtx
GetGeoInfoA
GetGeoInfoW
GetUserGeoID
ReleaseActCtx
WTSGetActiveConsoleSessionId

Would it be difficult to add them in a future version, especially the ones which have something to do with ActCtx, i.e. ActivateActCtx, CreateActCtxA, CreateActCtxW, DeactivateActCtx & ReleaseActCtx? They help fix a lot of dependencies and also make it possible to use uxtheme.dll directly from %systemroot%\system32. Without these dependencies there are problems with .NET Framework (when uxtheme.dll is present in the system, that is).

Edited by tomasz86, 14 May 2012 - 04:24 PM.


#529 WildBill (Senior Member, Developer)
The ActCtx APIs are the ones I've been working on since November, but I'm finding that I need them to actually work or apps like Adobe Reader crash.

#530 piotrhn (Newbie, Member)
In KB2393802-v9 the error with boot.ini -> /PAE is fixed; it now works OK without a BSOD.

Thanks WildBill :hello:

#531 blackwingcat (Friend of MSFN, Member)
Hi,

PE Tool v0.05 seems to write a broken export table, with the offset off by +0xC.
For example, load hal.dll and save it: the name pointer then indicates "L.DLL".
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
BlackWingCat =^^=
http://blog.livedoor.jp/blackwingcat/
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
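A check a practitioner could run on a DLL after PE Tool (or any patcher) has rewritten its export table, added here as an example and not code from the tool or from anyone in this thread: it walks the export directory and rejects name pointers that do not start a NUL-terminated printable string, which is exactly how a pointer shifted into the middle of "HAL.DLL" shows up, and it also confirms the name table is still sorted (the loader binary-searches it). The image is a constructed flat buffer in which RVA equals offset (a hypothetical simplification; a real checker maps RVAs through the section table), and the `shift` parameter reproduces name pointers written off by 12 bytes. The field offsets match IMAGE_EXPORT_DIRECTORY; the function names are mine.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: validates export-name pointers in a flat image where
 * RVA == offset. IMAGE_EXPORT_DIRECTORY offsets used: +12 Name,
 * +24 NumberOfNames, +32 AddressOfNames (40-byte structure). */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* A name RVA is acceptable only if it is in bounds, starts a string (the byte
 * before it is NUL, or it is the first byte of the image), and the string is
 * non-empty, printable ASCII and NUL-terminated inside the image. A pointer
 * shifted into the middle of "HAL.DLL" fails the start-of-string test. */
static int name_rva_ok(const uint8_t *img, size_t len, uint32_t rva, const char **str) {
    size_t i;
    if (rva >= len) return 0;
    if (rva > 0 && img[rva - 1] != 0) return 0;
    for (i = rva; i < len && img[i] != 0; i++)
        if (!isprint((unsigned char)img[i])) return 0;
    if (i >= len || i == rva) return 0;
    *str = (const char *)img + rva;
    return 1;
}

/* Returns the number of problems found (0 = export names look intact). */
int check_export_names(const uint8_t *img, size_t len, uint32_t dir_rva) {
    const uint8_t *d;
    uint32_t name_rva, nnames, names, i;
    int problems = 0;
    const char *s, *prev = NULL;

    if ((uint64_t)dir_rva + 40 > len) return 1;
    d = img + dir_rva;
    name_rva = rd32(d + 12); nnames = rd32(d + 24); names = rd32(d + 32);

    if (!name_rva_ok(img, len, name_rva, &s)) {
        printf("DLL name RVA %#x does not start a valid string\n", name_rva);
        problems++;
    }
    if ((uint64_t)names + 4ull * nnames > len) return problems + 1;
    for (i = 0; i < nnames; i++) {
        uint32_t rva = rd32(img + names + 4 * i);
        if (!name_rva_ok(img, len, rva, &s)) {
            printf("name[%u] RVA %#x does not start a valid string\n", i, rva);
            problems++;
            continue;
        }
        /* The loader binary-searches the name table, so it must stay sorted. */
        if (prev && strcmp(prev, s) > 0) {
            printf("name table is not sorted at entry %u (%s)\n", i, s);
            problems++;
        }
        prev = s;
    }
    return problems;
}

/* Constructed sample: a 100-byte export area with two names. `shift` is added
 * to every name RVA to mimic a tool writing the pointers off by +0xC. */
size_t build_sample(uint8_t *img, uint32_t shift) {
    memset(img, 0, 128);
    memcpy(img + 64, "HAL.DLL", 8);
    memcpy(img + 72, "HalGetBusData", 14);
    memcpy(img + 86, "HalSetBusData", 14);
    wr32(img + 12, 64 + shift);                      /* Name */
    wr32(img + 16, 1);                               /* Base */
    wr32(img + 20, 2);                               /* NumberOfFunctions */
    wr32(img + 24, 2);                               /* NumberOfNames */
    wr32(img + 28, 40);                              /* AddressOfFunctions */
    wr32(img + 32, 48);                              /* AddressOfNames */
    wr32(img + 36, 56);                              /* AddressOfNameOrdinals */
    wr32(img + 40, 0x1000); wr32(img + 44, 0x1100);  /* dummy function RVAs */
    wr32(img + 48, 72 + shift); wr32(img + 52, 86 + shift);
    img[56] = 0; img[58] = 1;                        /* 16-bit ordinals */
    return 100;
}

/* Builds the sample with the given pointer shift and counts problems. */
int sample_problems(uint32_t shift) {
    uint8_t img[128];
    size_t len = build_sample(img, shift);
    return check_export_names(img, len, 0);
}

int main(void) {
    printf("intact table: %d problem(s)\n", sample_problems(0));
    printf("pointers +0xC: %d problem(s)\n", sample_problems(12));
    return 0;
}
```

With the intact table the check reports nothing; with every name RVA shifted by 12 all three pointers land mid-string and are flagged, which is the kind of result that should block a patched DLL from being installed.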

#532 WildBill (Senior Member, Developer)
kernel32.dll rewrite status: NLS Hell ™.

468 exported functions implemented out of a total of about 902

I'm currently bogged down in the NLS support -- apparently kernel32 does all the heavy lifting for localized data (date/time formats, etc.). I'm having to reverse-engineer a bunch of structures, and in the process the format of the various .nls files in system32. I now know all about Japanese emperor eras, how to convert numbers to Hebrew numbers (including the special cases for 15 and 16 and the reason behind them), and creating Hebrew and Hijri dates. I've completely reverse-engineered locale.nls (and documented it to the nth power in my kernel32.h) and partially reverse-engineered ctype.nls and unicode.nls. I've even had to write a Java program that dumps out all the info in locale.nls. And now I know why there are alternate month names for Polish for certain months...

(sigh)

Edited by WildBill, 29 May 2012 - 03:31 AM.
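The Hebrew-numeral rule mentioned above (15 and 16 written as 9+6 and 9+7), worked through as an added example; this is not code from WildBill's kernel32 rewrite. The letter values and the geresh/gershayim punctuation are the standard convention, the function names are mine, and the year helper assumes the usual calendar display that drops the thousands digit.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of Hebrew letter numerals. Strings are UTF-8. */
static const char *ONES[]     = {"", "א", "ב", "ג", "ד", "ה", "ו", "ז", "ח", "ט"};   /* 1..9 */
static const char *TENS[]     = {"", "י", "כ", "ל", "מ", "נ", "ס", "ע", "פ", "צ"};   /* 10..90 */
static const char *HUNDREDS[] = {"", "ק", "ר", "ש", "ת"};                             /* 100..400 */
#define GERSHAYIM "״"   /* U+05F4, written before the last letter of a multi-letter numeral */
#define GERESH    "׳"   /* U+05F3, written after a single-letter numeral */

/* Converts 1..999 into Hebrew letter numerals; returns NULL if out of range. */
const char *hebrew_numeral(int n, char *out, size_t outlen) {
    const char *parts[8];
    int np = 0, h, r, i;
    if (n < 1 || n > 999 || outlen < 16) return NULL;
    h = n / 100;
    r = n % 100;
    /* 500..900 have no letter of their own: prefix ת (400) as often as needed
     * (500 = תק, 600 = תר, 700 = תש, 800 = תת, 900 = תתק). */
    while (h > 4) { parts[np++] = "ת"; h -= 4; }
    if (h) parts[np++] = HUNDREDS[h];
    /* 15 and 16 would come out as י״ה and י״ו, which spell divine names, so the
     * convention is 9+6 (ט״ו) and 9+7 (ט״ז) instead. */
    if (r == 15)      { parts[np++] = "ט"; parts[np++] = "ו"; }
    else if (r == 16) { parts[np++] = "ט"; parts[np++] = "ז"; }
    else {
        if (r / 10) parts[np++] = TENS[r / 10];
        if (r % 10) parts[np++] = ONES[r % 10];
    }
    out[0] = '\0';
    for (i = 0; i < np; i++) {
        if (np > 1 && i == np - 1) strcat(out, GERSHAYIM);
        strcat(out, parts[i]);
    }
    if (np == 1) strcat(out, GERESH);
    return out;
}

/* Hebrew calendar years are customarily shown without the thousands digit
 * (5772 -> תשע״ב); assumed convention for this example. */
const char *hebrew_year(int year, char *out, size_t outlen) {
    return hebrew_numeral(year % 1000, out, outlen);
}

/* Convenience checks: does the conversion produce `expect`? */
int numeral_is(int n, const char *expect) {
    char buf[16];
    const char *s = hebrew_numeral(n, buf, sizeof buf);
    return s != NULL && strcmp(s, expect) == 0;
}
int year_is(int year, const char *expect) {
    char buf[16];
    const char *s = hebrew_year(year, buf, sizeof buf);
    return s != NULL && strcmp(s, expect) == 0;
}

int main(void) {
    char buf[16];
    int samples[] = {5, 15, 16, 18, 772, 999};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%4d -> %s\n", samples[i], hebrew_numeral(samples[i], buf, sizeof buf));
    printf("year 5772 -> %s\n", hebrew_year(5772, buf, sizeof buf));
    return 0;
}
```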


#533 tomasz86 (Member, www.windows2000.tk)
I think there's something wrong with the new version of ntdll.dll. My system gets stuck at the "preparing network connections" screen after installing the new version of the kernel and rebooting. Safe mode doesn't work either (it gets stuck at the login screen).

If I install it without the new ntdll.dll (=keep the ntdll.dll from v8) there are no problems. I've also installed it successfully in a VM (Virtualbox) where a uniprocessor non-PAE kernel is used. On my real system it's a multiprocessor PAE kernel.

Edited by tomasz86, 01 June 2012 - 05:56 PM.


#534 WildBill (Senior Member, Developer)
I didn't think ntdll had changed all that much, though I did add a few things. I'll have to keep that in mind for v10. Speaking of V10, I'd like to ask for some suggestions on developing it. While I'm making steady progress on reverse-engineering and rewriting kernel32 (about 550 exported routines implemented out of about 902), it's still going to be a while before it's complete enough to test, debug, and harden. In the meantime the rewrites of csrsrv and basesrv are sitting idle and are basically complete. It seems to me to be a terrible waste of time to just have them sit on my hard drive when people could be testing them, playing with my sources, and possibly improving them (in light of stuxnet and flame, bulletproofing has been on my mind of late).

To cut this spiel short, would it make sense for an interim v10 release (or some other nomenclature) with the rewritten basesrv and csrsrv included? Now that I've rewritten them in C, there should be a lot of potential for improvement, not to mention that patching them, localizing them, etc. will be infinitely easier.

#535 tomasz86 (Member, www.windows2000.tk)
I'm always ready to test :whistle: although I can't really "improve" anything because of my lack of programming skills. I can only test the files in a real environment.

By the way, it'd be nice to have

GetGeoInfoW
GetUserGeoID

in kernel32.dll. They are required for Chromium (Google Chrome, SRWare Iron) to work. The two APIs are present in BlackWingCat's kernel32.dll.

#536 piotrhn (Newbie, Member)

Quoting tomasz86:

> I think there's something wrong with the new version of ntdll.dll. My system gets stuck at the "preparing network connections" screen after installing the new version of the kernel and rebooting. Safe mode doesn't work either (it gets stuck at the login screen).
>
> If I install it without the new ntdll.dll (=keep the ntdll.dll from v8) there are no problems. I've also installed it successfully in a VM (Virtualbox) where a uniprocessor non-PAE kernel is used. On my real system it's a multiprocessor PAE kernel.


I installed Win2000 +KB2393802-v9, on real hardware:
Athlon 64 x2 5600+
4GB RAM
Geforce 9800gt
Gigabyte GA-MA790X-DS4

Everything works fine.

#537 blackwingcat (Friend of MSFN, Member)
Windows2000-KB2393802-v9-x86-ENU.exe seems to change only the expand registry functions; it doesn't fix the other buffer overflow security holes.

http://blog.livedoor...es/1671977.html

Edited by blackwingcat, 21 June 2012 - 08:17 PM.


#538 blackwingcat (Friend of MSFN, Member)
I tried to use Windows2000-KB2393802-v9-x86-ENU.exe,
but it sometimes crashes with a BSoD from an access violation at 0xA00A3512 in win32k.sys:

A00A34E8 837D0CFC cmp dword ptr [ebp+0Ch],FFFFFFFCh
A00A34EC 7542 jnz LA00A3530
A00A34EE 8B7D08 mov edi,[ebp+08h]
A00A34F1 52 push edx
A00A34F2 52 push edx
A00A34F3 68E1010000 push 000001E1h
A00A34F8 57 push edi
A00A34F9 E85A89F6FF call SUB_LA000BE58
A00A34FE 89450C mov [ebp+0Ch],eax
A00A3501 50 push eax
A00A3502 E8D49EF7FF call SUB_LA001D3DB
A00A3507 85C0 test eax,eax
A00A3509 7425 jz LA00A3530
A00A350B 8B5510 mov edx,[ebp+10h]
A00A350E 85D2 test edx,edx
A00A3510 7C1E jl LA00A3530
A00A3512 3B5120 cmp edx,[ecx+20h] <-----------
A00A3515 7719 ja LA00A3530
A00A3517 85D2 test edx,edx
A00A3519 8B450C mov eax,[ebp+0Ch]
A00A351C 894314 mov [ebx+14h],eax
A00A351F 7514 jnz LA00A3535
A00A3521 8D774C lea esi,[edi+4Ch]
A00A3524 8D7B04 lea edi,[ebx+04h]

It seems to be some bad code.

Edited by blackwingcat, 23 June 2012 - 07:36 AM.


#539 WildBill (Senior Member, Developer)
I posted KB2393802-v9e today ("e" for "experimental"). I'm not adding it to the main list as it doesn't add any new functionality or attempt to fix any issues with v9. It does, however, include my rewrites of csrsrv.dll and basesrv.dll. If you manually extract the installer and look in the info folder it creates you can find the complete source code to my rewrites. I've tried to go the extra mile in hardening both against attack, but I invite anyone who is interested to play with them. Each was built with VS2005 standard and uses the libraries from the WinNT DDK version 3790.1830 for ntdll, etc.

Here is the link for v9e: http://www.mediafire.com/download.php?skox32b1rddgl26 (updated...see a few posts down)

Remember, this is experimental, so use at your own risk. So far I'm only using it in a VM.

Edited by WildBill, 23 June 2012 - 03:41 PM.


#540 WildBill (Senior Member, Developer)

Quoting blackwingcat:

> I tried to use Windows2000-KB2393802-v9-x86-ENU.exe,
> but it sometimes crashes with a BSoD from an access violation at 0xA00A3512 in win32k.sys:
>
> A00A34E8 837D0CFC cmp dword ptr [ebp+0Ch],FFFFFFFCh
> A00A34EC 7542 jnz LA00A3530
> A00A34EE 8B7D08 mov edi,[ebp+08h]
> A00A34F1 52 push edx
> A00A34F2 52 push edx
> A00A34F3 68E1010000 push 000001E1h
> A00A34F8 57 push edi
> A00A34F9 E85A89F6FF call SUB_LA000BE58
> A00A34FE 89450C mov [ebp+0Ch],eax
> A00A3501 50 push eax
> A00A3502 E8D49EF7FF call SUB_LA001D3DB
> A00A3507 85C0 test eax,eax
> A00A3509 7425 jz LA00A3530
> A00A350B 8B5510 mov edx,[ebp+10h]
> A00A350E 85D2 test edx,edx
> A00A3510 7C1E jl LA00A3530
> A00A3512 3B5120 cmp edx,[ecx+20h] <-----------
> A00A3515 7719 ja LA00A3530
> A00A3517 85D2 test edx,edx
> A00A3519 8B450C mov eax,[ebp+0Ch]
> A00A351C 894314 mov [ebx+14h],eax
> A00A351F 7514 jnz LA00A3535
> A00A3521 8D774C lea esi,[edi+4Ch]
> A00A3524 8D7B04 lea edi,[ebx+04h]
>
> It seems to be some bad code.


I'm looking at that routine and I see something I don't like in its treatment of ECX. Let me see if I can do something with it.

#541 WildBill (Senior Member, Developer)
BWC: I removed the v9e above and posted another one with an updated win32k.sys file (version 5.0.2195.7402). It explicitly sets ECX rather than relying on ValidateHmenu() to set it. If it works out for you, I can post a V10 on the main list.

The new v9e is here:

http://www.mediafire...7o1y5rbcr9eqxc0


For reference, this is what it looks like (a few other instructions above it changed to reflect the fact that some things moved up by 4 bytes):

.text:A00A34E4 loc_A00A34E4:                           ; CODE XREF: xxxGetMenuBarInfo(x,x,x,x)+187j
.text:A00A34E4                 cmp     [ebp+arg_4], 0FFFFFFFCh
.text:A00A34E8                 jnz     short loc_A00A3530
.text:A00A34EA                 mov     edi, [ebp+arg_0]
.text:A00A34ED                 push    edx             ; int
.text:A00A34EE                 push    edx             ; UnicodeString
.text:A00A34EF                 push    1E1h            ; MbString
.text:A00A34F4                 push    edi             ; int
.text:A00A34F5                 call    _xxxSendMessage@16 ; int
.text:A00A34FA                 mov     [ebp+arg_4], eax
.text:A00A34FD                 push    eax
.text:A00A34FE                 call    _ValidateHmenu@4 ; ValidateHmenu(x)
.text:A00A3503                 test    eax, eax
.text:A00A3505                 jz      short loc_A00A3530
.text:A00A3507                 push    [ebp+arg_4]
.text:A00A350A                 pop     ecx
.text:A00A350B                 mov     edx, [ebp+arg_8]
.text:A00A350E                 test    edx, edx
.text:A00A3510                 jl      short loc_A00A3530
.text:A00A3512                 cmp     edx, [ecx+20h]
.text:A00A3515                 ja      short loc_A00A3530


#542 blackwingcat (Friend of MSFN, Member)
It hasn't been resolved yet.
It always occurs when I click the CCC menu with skins.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
win32k+a3512

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 007c0605

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: CCC.exe

EXCEPTION_RECORD: ae8ab7a4 -- (.exr 0xffffffffae8ab7a4)
ExceptionAddress: a00a3512 (win32k+0x000a3512)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 007c0605
Attempt to read from address 007c0605

TRAP_FRAME: ae8ab7f8 -- (.trap 0xffffffffae8ab7f8)
ErrCode = 00000000
eax=a0383210 ebx=ae8ab8b0 ecx=007c05e5 edx=00000000 esi=ae8ab8b4 edi=a0383530
eip=a00a3512 esp=ae8ab86c ebp=ae8ab878 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00050246
win32k+0xa3512:


Quoting WildBill:

> BWC: I removed the v9e above and posted another one with an updated win32k.sys file (version 5.0.2195.7402). It explicitly sets ECX rather than relying on ValidateHmenu() to set it. If it works out for you, I can post a V10 on the main list.
>
> The new v9e is here:
>
> http://www.mediafire...7o1y5rbcr9eqxc0
>
> For reference, this is what it looks like (a few other instructions above it changed to reflect the fact that some things moved up by 4 bytes):
>
> .text:A00A34E4 loc_A00A34E4:                           ; CODE XREF: xxxGetMenuBarInfo(x,x,x,x)+187j
> .text:A00A34E4                 cmp     [ebp+arg_4], 0FFFFFFFCh
> .text:A00A34E8                 jnz     short loc_A00A3530
> .text:A00A34EA                 mov     edi, [ebp+arg_0]
> .text:A00A34ED                 push    edx             ; int
> .text:A00A34EE                 push    edx             ; UnicodeString
> .text:A00A34EF                 push    1E1h            ; MbString
> .text:A00A34F4                 push    edi             ; int
> .text:A00A34F5                 call    _xxxSendMessage@16 ; int
> .text:A00A34FA                 mov     [ebp+arg_4], eax
> .text:A00A34FD                 push    eax
> .text:A00A34FE                 call    _ValidateHmenu@4 ; ValidateHmenu(x)
> .text:A00A3503                 test    eax, eax
> .text:A00A3505                 jz      short loc_A00A3530
> .text:A00A3507                 push    [ebp+arg_4]
> .text:A00A350A                 pop     ecx
> .text:A00A350B                 mov     edx, [ebp+arg_8]
> .text:A00A350E                 test    edx, edx
> .text:A00A3510                 jl      short loc_A00A3530
> .text:A00A3512                 cmp     edx, [ecx+20h]
> .text:A00A3515                 ja      short loc_A00A3530


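The trap frame above already pins down the fault: the faulting instruction is `cmp edx,[ecx+20h]`, ecx=007c05e5, and the read address in Parameter[1] is 007c0605 = ecx + 0x20. That ecx is a small value below the kernel boundary while eax and edi hold session-space addresses, which is consistent with the `push [ebp+arg_4]; pop ecx` in the v9e listing loading the raw HMENU value that was passed to ValidateHmenu, not the object pointer ValidateHmenu returned in eax (tested for non-zero, then left unused). The following triage helper, an added example rather than anything from the thread, automates that reasoning for a WinDbg-style register line: it finds which base register plus displacement reaches the fault address and classifies that register's value. The register line and fault address are copied from the dump above; the 2 GB kernel boundary is an assumption (default split, no /3GB) and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copied from the trap frame in the dump above (sample input for this example). */
static const char *REG_LINE =
    "eax=a0383210 ebx=ae8ab8b0 ecx=007c05e5 edx=00000000 esi=ae8ab8b4 edi=a0383530";
static const uint32_t FAULT_ADDR = 0x007c0605;   /* Parameter[1]: attempted read address */

/* Assumed default 2 GB user / 2 GB kernel split on 32-bit Windows 2000 (no /3GB). */
#define KERNEL_BASE 0x80000000u

/* Extracts "reg=hex" from a WinDbg-style register line; returns 1 on success. */
int reg_value(const char *line, const char *reg, uint32_t *val) {
    size_t n = strlen(reg);
    const char *p = line;
    while ((p = strstr(p, reg)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[n] == '=') {
            *val = (uint32_t)strtoul(p + n + 1, NULL, 16);
            return 1;
        }
        p += n;
    }
    return 0;
}

int is_kernel_address(uint32_t addr) { return addr >= KERNEL_BASE; }

/* For a memory operand [base+disp], does base+disp equal the fault address? */
int operand_hits_fault(const char *line, const char *base, int32_t disp, uint32_t fault) {
    uint32_t v;
    if (!reg_value(line, base, &v)) return 0;
    return (uint32_t)(v + (uint32_t)disp) == fault;
}

/* Scans the six general registers for the one that, plus disp, reaches the
 * fault address; returns its name or NULL if none matches. */
const char *find_base_register(const char *line, int32_t disp, uint32_t fault) {
    static const char *regs[] = {"eax", "ebx", "ecx", "edx", "esi", "edi"};
    size_t i;
    for (i = 0; i < sizeof regs / sizeof regs[0]; i++)
        if (operand_hits_fault(line, regs[i], disp, fault)) return regs[i];
    return NULL;
}

int main(void) {
    uint32_t v;
    /* The faulting instruction was cmp edx,[ecx+20h], so the displacement is 0x20. */
    const char *base = find_base_register(REG_LINE, 0x20, FAULT_ADDR);
    printf("fault %#010x reached via [%s+0x20]\n", FAULT_ADDR, base ? base : "?");
    if (base && reg_value(REG_LINE, base, &v))
        printf("%s=%#010x is %s\n", base, v,
               is_kernel_address(v) ? "a kernel address (plausible object pointer)"
                                    : "below the kernel boundary (a handle value, not an object pointer)");
    return 0;
}
```

Run against the dump it reports ecx as the base register and classifies 007c05e5 as a non-kernel value, which is the same conclusion that led to the second win32k.sys fix: the bounds check has to dereference the validated pointer, never the handle.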

#543 WildBill (Senior Member, Developer)
Hmm. I think I know what to do. Give me an hour or two and I'll post another one.

#544 WildBill (Senior Member, Developer)
Here's a v9e2 with a new win32k.sys. I'd be very surprised if this causes a crash and the official one doesn't.

http://www.mediafire...fshx0n67py3na9w

#545 blackwingcat (Friend of MSFN, Member)
Okay.
It seems to be working fine :)

Quoting WildBill:

> Here's a v9e2 with a new win32k.sys. I'd be very surprised if this causes a crash and the official one doesn't.
>
> http://www.mediafire...fshx0n67py3na9w



#546 WildBill (Senior Member, Developer)
Excellent! I'll post a v10 one (without my experimental rewrites) shortly.

#547 WildBill (Senior Member, Developer)
KB2393802-V10 is now up on the main list, with the win32k.sys fix from v9e2.

#548 WildBill (Senior Member, Developer)
I finally have WideCharToMultiByte rewritten in kernel32 (it's pretty messy and probably buggy), but it's letting me make progress on a bunch of simpler functions that require it. I'm up to 565 exported functions rewritten out of about 902, and I expect progress to pick up now that most of the really tough NLS stuff is done (if nothing else, most of the .nls files will finally be documented).

In the meantime, I was wondering if anyone has had a chance to look over the sources for my rewritten basesrv and csrsrv.

#549 tomasz86 (Member, www.windows2000.tk)
I haven't had time to do more extensive testing, but I think win32k.sys is missing from the uniproc folder (in 2393802-V10).

#550 WildBill (Senior Member, Developer)
It's the same file either way. I don't think I've ever had a separate one for uniproc in that patch.

I guess no one has taken a look at the v9e sources :(



