[WildBill]

blackwingcat, on 21 July 2012 - 11:12 AM, said:

Hi.
I found your code miss. ntdll.dll (5.0.2195.7084)

 77FD4A02  68F10000C0                		push	C00000F1h <- 
 77FD4A07  E84C7BFDFF                		call	RtlRaiseStatus
 77FD4A0C                           L77FD4A0C:
 77FD4A0C  BEF00000C0                		mov	esi,C00000F0h
 77FD4A11  EBCF                      		jmp	L77FD49E2

Thanks! I found a separate issue in ntdll so I was going to release a new one anyway, so I'll put this fix in also.

This post has been edited by WildBill: 23 July 2012 - 02:19 AM

[WildBill]

tomasz86, on 22 July 2012 - 09:43 PM, said:

@WildBill

There seems to be a bug in atmfd.dll from KB2507618:

http://www.msfn.org/...fonts-in-win2k/

I can't begin to describe how much I hate that DLL. There is no symbol info available for it, and it's hopelessly complicated. Do you know if the problem goes away with an earlier version of my patched DLL? That would help me narrow the problem down.

[tomasz86]

The problem happens both in the older and the newer version. Can't just the XP file be used as it is? OTF fonts open properly with the XP atmfd.dll from KB2507618 installed.

[WildBill]

tomasz86, on 23 July 2012 - 02:37 AM, said:

The problem happens both in the older and the newer version. Can't just the XP file be used as it is? OTF fonts open properly with the XP atmfd.dll from KB2507618 installed.

I tried it once and it refused to let any fonts show up in the Control Panel. I haven't tried it since...

[tomasz86]

WildBill, on 23 July 2012 - 12:13 PM, said:

I tried it once and it refused to let any fonts show up in the Control Panel. I haven't tried it since...

I'm using it right now and all fonts are shown correctly.

The file is atmfd.dll 5.1.2.232.

[WildBill]

I've got a couple of updates posted:

Windows2000-KB2393802-v11-x86-ENU.exe

- A couple of ntdll bugfixes, and it should now be friendlier for slipstreaming.


Windows2000-KB2508429-v7-x86-ENU.exe

- Some new API functions added:

dnsapi.dll

NetInfo_Free
DnsFree
DnsFreeConfigStructure


iphlpapi.dll

GetTcpStatsFromStackEx
GetIpStatsFromStackEx
GetUdpStatsFromStackEx
GetIcmpStatsFromStackEx
GetTcpExTable2FromStack
GetUdpExTable2FromStack
GetExtendedTcpTable
GetExtendedUdpTable
GetBestInterfaceEx


The 2k iphlpapi only supports ipv4, so while the calls above will work for ipv4, they'll properly report an error code if called for ipv6.


My kernel32.dll rewrite is still proceeding apace...765 exported routines and counting.

This post has been edited by WildBill: 23 July 2012 - 09:11 PM

[tomasz86]

Thanks WildBill

Is the ntdll.dll version same as in v10?

Edit: Something seems to be wrong in the new ntdll.dll Explorer.exe restarts itself each time when trying to open a folder.

This post has been edited by tomasz86: 23 July 2012 - 10:03 PM

[blackwingcat]

Does Nirsoft Currport work ?
Our iphlpapi.dll seems problem on GetUdpExTable2FromStack/GetTcpExTable2FromStack

I found iphlpapi v5.0.2195.7097 requires KB957579(Minimum require is KB951798)

WildBill, on 23 July 2012 - 09:11 PM, said:

I've got a couple of updates posted:
iphlpapi.dll

GetTcpStatsFromStackEx
GetIpStatsFromStackEx
GetUdpStatsFromStackEx
GetIcmpStatsFromStackEx
GetTcpExTable2FromStack
GetUdpExTable2FromStack
GetExtendedTcpTable
GetExtendedUdpTable
GetBestInterfaceEx

This post has been edited by blackwingcat: 24 July 2012 - 11:55 PM

[WildBill]

tomasz86, on 23 July 2012 - 09:29 PM, said:

Thanks WildBill

Is the ntdll.dll version same as in v10?

Edit: Something seems to be wrong in the new ntdll.dll Explorer.exe restarts itself each time when trying to open a folder.

Really? There were only two extremely minor changes. One was to correct the error code that blackwingcat pointed out and the other was to fix a bug when initializing a process -- the location of a particular field is different in 2k vs. XP. The thing is, though, the code that's affected should never actually run since it only gets invoked if a process was using an activation context, and that functionality isn't active in my kernel yet. I'm not having any problems here...can you provide any more info?

[tomasz86]

I've just done more tests and actually the same problem happens with both v10 and v11. The test machine is a VM (uses uniproc non-PAE kernel) with all official updates installed. I just added KB2479628 and KB2393802.

[WildBill]

tomasz86, on 24 July 2012 - 08:05 PM, said:

I've just done more tests and actually the same problem happens with both v10 and v11. The test machine is a VM (uses uniproc non-PAE kernel) with all official updates installed. I just added KB2479628 and KB2393802.

Now that's interesting. I'm seeing the same thing in my VM, but not on real hardware. It must date back to v9, since the ntdll in v9 and v10 are the same. v9 was where I added a bunch of SxS API's to ntdll. I guess I'll have to look at it closely to see if I broke anything.

[tomasz86]

Well, I had problems with the ntdll.dll starting from v9, on real hardware too (check #533).

[WildBill]

I've been crawling through the code, double-checking and triple-checking everything, and I can't find anything wrong with the code. I tried backing some changes out and eventually replaced v9 ntdll with v8 ntdll and I still see occasional problems in a VM (though never on real hardware). From looking at the exceptions it looks like something is corrupting the heap, and subsequent heap operations are throwing exceptions. Mixing v8 ntdll with v9 kernel definitely isn't preventing the problem. What happens if you try a pure v8 install on a VM?

[tomasz86]

More test results:

1. After installing v11 folders don't open / Explorer is restarted... but they open in Safe Mode. On the other hand, IE doesn't open neither in "normal" mode nor in Safe Mode (Add/Remove programs don't open either as they depend on IE).

2. No problems occur when v8 is installed.

3. I found a bug in update.inf. There should be no ntdll.dll and win32k.sys in [System32.Files].

4. Replacing ntdll.dll v7084 from v11 with ntdll.dll v.7083 from v8 fixes all issues.

This post has been edited by tomasz86: 30 July 2012 - 09:21 PM

[WildBill]

There's something screwy going on...I backed up all the way to v3 and I still get the same occasional errors when accessing a network share from within a VM. I then tried a clean install of 2kSP4 and it still happens. I wonder if it's a VM thing. I'm using Virtual PC 2007.

[tomasz86]

It's innotek VirtualBox 1.5.6 on my side.

[WildBill]

Well, so far I haven't been able to track down what's corrupting the heap. I think the best strategy is to finish the kernel32 rewrite since I'm so close to the end, and then perhaps move on to rewriting ntdll (which is smaller). That way I can try to put in better heap corruption detection and maybe find out what's going on.

[WildBill]

I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather ti sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler

I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in our of a total of 902, but I won't need that many before I can start testing and debugging it.

[blackwingcat]

Can you run CurrPorts with KB2508429-v8 ?

WildBill, on 25 August 2012 - 11:14 AM, said:

I've posted Windows2000-KB2508429-v8-x86-ENU.exe on the main list. It adds MiniDumpWriteDump to dbghelp.dll. It doesn't actually write the minidump, rather ti sets the E_FAIL error code and returns false just as the real one would do if it fails. However, it will let you run Star Ruler

I've almost finished the draft cut of rewriting kernel32 -- 815 exported routines are in our of a total of 902, but I won't need that many before I can start testing and debugging it.

blackwingcat, on 23 July 2012 - 11:45 PM, said:

Does Nirsoft Currport work ?
Our iphlpapi.dll seems problem on GetUdpExTable2FromStack/GetTcpExTable2FromStack
I found iphlpapi v5.0.2195.7097 requires KB957579(Minimum require is KB951798)

WildBill, on 23 July 2012 - 09:11 PM, said:

I've got a couple of updates posted:
iphlpapi.dll

[MacLover]

I was taking a look at the IE6 SP1 version of the MS12-052 fix that BlackWingCat found on the Microsoft Security ISO and I decided to run it through IDA Pro and TurboDiff (I compared against the last pre-EOL fix, MS10-035/KB982381) and TurboDiff found no changes to any function in BROWSEUI.DLL between the two versions. Since WildBill's notes for MS10-071 show that changes to BROWSEUI.DLL were required to fully close up the AutoComplete vulnerability, I also compared the XP versions of MS10-035 and MS10-071 and functions did show up as changed.

This tells me that Microsoft is doing the same thing with these "Extended Support fixes" that they did with Windows 98's extended support in that they only fixed vulnerabilities marked as "Critical." I remember that WildBill had said that MS11-003 would be a pain to backport but it looks like M$ did the hard work for us for that bulletin (all of its CVE's are marked as "Critical") and an easier solution for that update might be to use the Microsoft MS11-003 or MS12-052 IE6 SP1 patch and add the other changes from the previous unofficial IE updates as necessary.

On another note, I noticed some issues with MS11-012 where FileZilla's toolbar has the same white splotches where the shadows are supposed to be that we had before adding the ShellIconBPP setting.

How FileZilla's toolbar looks on stock Win2k:
 filezilla_ok.png (5.89K)
Number of downloads: 5

How FileZilla's toolbar looks with MS11-012 installed:
 filezilla_broken.png (7.02K)
Number of downloads: 6

How FileZilla's toolbar looks on Windows XP:
 filezilla_srv03.png (8.44K)
Number of downloads: 5

This is a minor issue, so no rush on fixing this or doing any of the IE updates (I use Firefox 10 ESR on 2000, so the vulnerabilities don't concern me too much.)

PS I'm trying to learn some of this patch analysis stuff so that maybe I could help with the load at some point.

This post has been edited by MacLover: 06 September 2012 - 12:04 AM