[WildBill]

I finished porting the changes and the patch is working here, so I've posted MS11-011 v4 and updated the link on the master list. For the record, the complete list of new API calls the patch adds is:


ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread......already there, added it to the export table
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs


ntdll.dll

RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter


bootvid.dll

VidSetVgaPalette (used by the bootskin code)


kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId


EDIT: forgot to list a couple of extra routines I added to ntdll.

This post has been edited by WildBill: 12 November 2011 - 05:45 PM

[WildBill]

tomasz: just as soon as you can give me the all-clear for V4 I'll consider that a green light for V5 (I've already started on it and added a few more routines to ntdll and kernel32)...

[tomasz86]

I missed the fact that you already uploaded a v4

I've installed it on both my desktop and laptop computers and while everything seems to work fine here (on the desktop),

there's still the same error on the other one:

*** STOP: 0x0000001E (0xC0000005, 0xDDC6473E, 0x00000000, 0x0000000C)
KMODE_EXCEPTION_NOT_HANDLED

*** Address DDC6473E base at DDC00000, DateStamp 4ebda139 - ntoskrnl.exe

System specifications are listed in #398

[WildBill]

Hmm. I'm going to need some more info to track that one down, since the address is pointing to a trap routine (specifically, it traps 0x57, which I assume means int 0x57). When does the BSOD happen? Does it create a minidump file? It looks like it trapped an interrupt (maybe from a driver?) and it didn't like it.

The 0xC0000005 means ACCESS_VIOLATION, so I assume that it tried to access an invalid memory location. The problem is going to be finding where it happened.

Edit: it looks like int 57h is a relocated IRQ7, so maybe a driver that's using IRQ7 is causing the problem. The interrupt request for a driver is shown under the Resources tab in the Device Manager. It's also possible that it's really IRQ15, from a secondary interrupt controller.

This post has been edited by WildBill: 13 November 2011 - 07:36 AM

[tomasz86]

The BSOD happens just right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works which is an improvement compared to the previous versions when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.

[WildBill]

What happens without /SOS? Same thing?

Another dumb question: is /BOOTLOG set? Are you using any bootskin settings?

Okay, after spending the day investigating, it looks like ESP (stack pointer) must have become corrupted somewhere, and then an interrupt occurred (most likely from a driver, which wouldn't be loaded when you're in safe mode). So now, the trick will be finding whatever is corrupting ESP yet doesn't result in a BSOD all the time (maybe the routine in question recovers the correct ESP before it returns?) It's pretty hard to screw up ESP and not generate a GP fault when returning from a routine.

This post has been edited by WildBill: 13 November 2011 - 06:26 PM

[dencorso]

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm begining to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great!

[WildBill]

dencorso, on 14 November 2011 - 01:14 AM, said:

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm begining to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great!

Ask and ye shall receive... see the top post

[dencorso]

Wow, that was really swift!
Thanks a whole lot!
You do rock!

[WildBill]

tomasz86, on 13 November 2011 - 07:58 AM, said:

The BSOD happens just right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works which is an improvement compared to the previous versions when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.

Here's something to try...ntoskrnl was a bit different than the other three in that it had some extra changes when I was still working out how to hook in the bootskin code. I undid those extra changes so it matches the others, and I altered the bootskin code very slightly to better restore ESP (in ntoskrnl only for now). I don't see any reason why this would help as I didn't see any obvious issues, but it's worth a try. I've tested it in a VM with no issues.

This is an early build of V5 that adds some new functions to ntdll and kernel32, but there are some more things I'd like to add before making it an "official" v5. I'm using it here on my laptop with no problems, so for the adventurous it adds the following:

ntdll

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)


kernel32

GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)



Windows2000-KB2393802-v5-early-1-x86-ENU.exe

This post has been edited by WildBill: 14 November 2011 - 09:44 PM

[tomasz86]

Something strange's going on

1. I don't have any bootskin setting set.

2. /BOOTLOG is enabled but it's not created because the BSOD happens before boot logging is even started.

3. The strange thing is that regardless of /SOS set or not, the beginning of GUI part is the same and looks as if /SOS was enabled. I can see the GUI part for only half a second before the BSOD appears.

4. The v5 doesn't make any difference.

...

I think I found the reason. The BSOD appears only when /PAE is enabled. Interestingly it doesn't affect the desktop as I've just turned /PAE on and no problems here. It was turned on on the notebook by mistake but still there's no BSOD unless I install your patch

[WildBill]

If your desktop is multiprocessor, then its PAE kernel is ntkrpamp.exe (which gets renamed to ntkrnlpa.exe), whereas the laptop's uniprocessor PAE one is from ntkrnlpa.exe (i.e., they're different). Actually, that info helps a lot: it means that I probably messed something up in the uniprocessor PAE kernel. Hopefully it will be easy to find.

[WildBill]

A-ha...the original ntkrnlpa had a stack variable in a different place than in the other three files, and it affected the SOS setting (and probably caused the BSOD). This might help:

Windows2000-KB2393802-v5-early-2-x86-ENU.exe

I also checked the multiprocessor PAE kernel, and that one looks ok (the variable's location is the same as the non-PAE one). Go figure.

This post has been edited by WildBill: 14 November 2011 - 11:55 PM

[tomasz86]

It's all right now

[WildBill]

MS11-011 V5 is now posted, and it includes just about everything I could add to kernel32 and ntdll without major pain in the process. The complete list of additions is now:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread......already there, added it to the export table
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs


ntdll.dll

RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter
RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlGetNtVersionNumbers
DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)
_vsnwprintf
_lfind
_aulldvrm
_alldvrm
RtlpNotOwnerCriticalSection
RtlpApplyLengthFunction
RtlCopyOutOfProcessMemoryStreamTo
RtlLockMemoryStreamRegion
RtlUnlockMemoryStreamRegion
RtlNtPathNameToDosPathName
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlCreateBootStatusDataFile
RtlComputeCrc32
RtlCaptureContext
RtlLockBootStatusData
RtlUnlockBootStatusData
RtlGetSetBootStatusData
RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)
RtlAddMemoryStream
RtlReleaseMemoryStream
RtlQueryInterfaceMemoryStream
RtlReadOutOfProcessMemoryStream
RtlRevertMemoryStream
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlSetMemoryStreamSize
RtlWriteMemoryStream
RtlSeekMemoryStream
RtlCopyMemoryStreamTo
RtlReadMemoryStream
RtlStatMemoryStream
RtlInitMemoryStream
RtlFinalReleaseOutOfProcessMemoryStream
RtlInitOutOfProcessMemoryStream


bootvid.dll

VidSetVgaPalette (used by the bootskin code)


kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId
GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)
RtlCaptureStackBackTrace
SetThreadUILanguage
LZStart
GetExpandedNameA
GetExpandedNameW
LZInit
LZDone
LZCreateFileW
LZOpenFileA
LZOpenFileW
LZSeek
LZRead
LZClose
LZCloseFile
LZCopy
CopyLZFile
GetVolumePathNamesForVolumeNameW
GetVolumePathNamesForVolumeNameA
GetHandleContext
GetCPFileNameFromRegistry
EnumerateLocalComputerNamesW
EnumerateLocalComputerNamesA
CreateSocketHandle
CreateNlsSecurityDescriptor
AddLocalAlternateComputerNameW
AddLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
RemoveLocalAlternateComputerNameA
SetLocalPrimaryComputerNameW
SetLocalPrimaryComputerNameA

This post has been edited by WildBill: 20 November 2011 - 05:12 PM

[bristols]

Hi WildBill,

WildBill, on 20 November 2011 - 04:58 PM, said:

MS11-011 V5 is now posted (...)

After installing the update, I get this error on reboot (the progress bar on the Windows 2000 boot screen having reached 100%):

stop:c0000139 (Entry Point Not Found)
The procedure entry point LdrLockLoaderLock could not be located in the dynamic link library ntdll.dll

[WildBill]

Hmm. That doesn't make any sense...I checked ntdll and the routine is there and it's in the export table. I also downloaded the patch and it matches what I uploaded. Did you install it normally or slipstream it? I'm not able to test slipstreaming, but I'm typing this on a laptop with V5 installed. I tested the patch on both a uniprocessor and a multiprocessor installation.

The ntdll you should have after installing the patch is version 5.0.2195.7010, 531,728 bytes, MD5 hash AB3331B195F0430945E0BADDA30112A3.

This post has been edited by WildBill: 21 November 2011 - 04:58 PM

[tomasz86]

WildBill,

ntdll.dll 5.0.2195.7080 is included in KB915985 which is a HBR. Bristols uses HBRs so that's probably the reason why your ntdll.dll doesn't install (as its version is lower).

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.


I've also got one question unrelated to the kernel patch. Can such icon anomalies be caused by 2479628?



They can be brought back to normal by changing color depth or resolution.

This post has been edited by tomasz86: 21 November 2011 - 07:24 PM

[bristols]

WildBill, on 21 November 2011 - 04:56 PM, said:

Did you install it normally or slipstream it?

(...)

The ntdll you should have after installing the patch is version 5.0.2195.7010

tomasz86, on 21 November 2011 - 07:15 PM, said:

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.

That's the problem. I've installed blackwingcat's KB915985-v2. Indeed I have Ntdll.dll 5.0.2195.7081.

WildBill, I see that several other of the files included in your update have lower version numbers than those found in some hotfixes. Tricky... I suppose that your update would cause problems too for people who have installed the hotfixes in question.

Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

[WildBill]

When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

This post has been edited by WildBill: 21 November 2011 - 08:29 PM