blackwingcat

KernelEx for Win2000

861 posts in this topic

Hello and awesome work blackwingcat.

Here is another thing which I know is a bug in win2k.

Some programs (mostly oll ones), when started, try to initialize their main dialog but freeze at some point. If you click X (close) they do exit, but if you click any other button they get into a not responding state. Note this bug may be closely related to the previous one, if not the same. I have seen 3 programs like that in total, so it is rare, but those programs do work fine on win 9X and probably on XP. I'm sending you an example of one tool from the year 2000 whose task is to add physical and/or virtual space/sections in PE files. It is rare to find that program nowadays. In the archive are both the original version and a fixed version (not fixed by me) that WORKS on win2k. You can see how the fix is done and where the problem is without fully debugging, just by comparing the disasm of both files. Note this too may be considered a malware tool by "super clever" AVs, but by itself it has nothing malicious or destructive in it. Its main aim is to easily and quickly add space in a PE file for extra code when you do not have enough physical space in the file for this task.

ToPo.rar

Edited by leonidij

Will you tell me any of the programs?

If it is a simple application like calc32.exe, I may be able to resolve it.

What is oll? :angel

Similar problems exist in GDK software, Java 7 and Google Chrome.

They are resolved by replacing the gdk library file.

But if it is a Java application, we should only use Java 6 u51/60. :(


Edited by blackwingcat

See the attached file in my previous post for what causes the problem and how it must be fixed.

The fixes are very similar to the fixes you use, but in this case already done by someone else.

This is also a general problem and, as I understood it, it exists in modern applications too.

The attachment in my previous post gives you both the problem and the resolution :yes:.

_fixed.exe is the fixed file in there, which works on win2k, and the other exe is the original, which has the problem described above. It is again unsaved registers, and again it is related to the SendMessage function, but I think not only that this time.

Edited by leonidij

It detected two Trojans as you said. :}

So, I'll create a new standalone Windows 2000 environment and test it.


And then...

I tested them.

On my new environment both programs seem to work fine.

Does topo12.exe have any problems on a typical Windows 2000 environment?

Edited by blackwingcat

Yes, as I described above. You can debug both in ollydbg or in any other debugger/disassembler and see the difference between the two. You can also use the Cmpdisasm tool for this task. This program can be used to add extra code into an exe, and that's why AVs think it is a very bad thing to do, but as you know very well, not only bad things can be added into an existing program. The program itself has nothing malicious in it, but you are free to be extra cautious. I think I remember one more program which has the same problem. Will try to find it. It was one Opcode tool. Oh, I think I remember even one more program with that problem. Will search for them.

Here is one more program, called OpGen, with that problem, and it is OPEN SOURCE! I found it in my collection and it has the same problem. It is an Opcode Generator tool. The source is written in tasm32 and compiles flawlessly (I tested).

OPGEN.ZIP

Edited by leonidij

I disassembled it.

But I think the user32.dll problem is resolved as I said.

It is caused by the same bug.


See my post above for the attached file of another program with the same problem.

And here, with v18g + fixed user32 from v23g3, this problem still exists.

On which environment did you test it, Japanese or English?

And which user32.dll exactly are you using for the tests?

This Opgen tool has a much simpler GUI in terms of functions and does not use SendMessage at all.

0x0000 "SetDlgItemTextA"
0x0000 "CheckRadioButton"
0x0000 "DialogBoxParamA"
0x0000 "IsDlgButtonChecked"
0x0000 "wsprintfA"
0x0000 "GetDlgItemTextA"
0x0000 "MessageBoxA"
0x0000 "EndDialog"

are the only user32 functions it uses.

Edited by leonidij

The fixed version of user32.dll is 5.0.2195.7160 (Oct 7th 4:23am GMT) in v23h.


Yes indeed, it works with both the original calc32.exe (with its tooltips) and topo.exe! I actually have user32.dll deleted from KnownDLLs and just placed v23h into the directory where calc32.exe and topo.exe are, and they run fine indeed. It seems that was caused by the same bug. (And this also means user32 v23h is compatible with the other v18g files.)

BUT Opgen.exe still does not work. It fails to fully initialize, and the problem looks very much the same as the problem in topo.exe, BUT it seems to be caused by another function. Maybe this same bug is also present in functions other than SendMessage?

Opgen.exe + its full source code is attached in post #480 (a little above).

Edited by leonidij

Hi blackwingcat, I found some bugs:

KB935839-23H

Windows doesn't work when it installs comctl32 (5.2 Win2003 ver.); taskmgr crashes and more.

sigverif.exe

When I run sigverif.exe it starts and scans files OK, but when I click the Advanced button the program crashes.

Edited by piotrhn

It seems opgen has a general problem.

It also does not work on Windows XP.

You can download a fixed newer version of opgen from here.

http://www.reversing.be/forum/viewtopic.php?t=517

And what is runme.exe?


Edited by blackwingcat


I found a native Windows 2000 taskmgr.exe bug.

Please wait.

You can see more information here.

http://blog.livedoor.jp/blackwingcat/archives/1817851.html (Japanese)

I released kernel v2.3h2 (returned from 5.2 to the XP ver).

and released KB839726-v2 / 5.0.2195.6904 Taskmgr.exe

English / Japanese and FRA/ITA/DEU/TW/PTG versions

Edited by blackwingcat

Which buttons did you mean? :)

(Does the K-Lite Basic codec pack have no problem?)

Hi,

I installed K-Lite Mega Codec Pack and in Media Player Classic 1.7.0.7805 the buttons are invisible/broken.


Hello blackwingcat.

Thanks for info!

That runme.exe is the logo program of the site from which the program was downloaded. That site, "protools", no longer exists, and this runme.exe has nothing to do with opgen, nor does it matter in any way. It is just there in the archive I have. That's all about it.

And what is the difference between v2.3h and v2.3h2?

Edited by leonidij

Hi.

In v2.3h2, comctl32.dll is replaced back from the 2003 version to the XP version because of some problems.


http://blog.livedoor.jp/blackwingcat/archives/1821933.html

http://blog.livedoor.jp/blackwingcat/archives/1707344.html

I released .Net 4.0 for Windows 2000 Extended Kernel, RC2. :)

You can easily construct an Extended Kernel environment with the Extended Kernel DVD Creator in the hfslip kit.

http://www.msfn.org/board/topic/156521-unofficial-sp-52-for-microsoft-windows-2000/page-25

Edited by blackwingcat

Hello blackwingcat.

That bug you fixed in the SendMessage function in user32.dll seems to have been a very, Very, VERY big flaw in win2k. I applied that fix to the user32.dll of SP5.1 (NON EXTENDED KERNEL) and now many programs which gave trouble in the past run flawlessly. Micro$oft seems to have forgotten to fix this for full compatibility with win9X, but fixed it in XP. And the problem in Opgen.exe, again, seems not to have been fixed in 2k, nor in XP, and maybe in all other versions (maybe it was too rare to be seen by developers). But this one in SendMessage is really important, because without it many programs just cannot work on win2k. I found many other programs which crashed before now work flawlessly. So this really was a MAJOR BUG (I think), reached in different ways by many programs.

One of many examples is FastScanner 3.0 from AT4RE.

It can be downloaded from:

http://www.woodmann.com/collaborative/tools/index.php/AT4RE_FastScanner

It still crashes when the TotalScan button is clicked, but before it was crashing right after launch.

Edited by leonidij

Perhaps the recent version of kernel32.dll (5.0.2195.7204) fixed it.

Please try testing again.

Sorry, I forget how it occurs.

I can tell you that kernel32.dll contains some code specific to converting to and from the Korean locale. In several places throughout the NLS code it checks for the Korean locale and consults a special "KoreanWeights" table when it needs to. It was one of those things I had to reverse-engineer and have no way to test.


Umm...

It was detected as a trojan horse.

https://www.virustotal.com/ja/file/39cbf8d2ba5c3f5a08035bbee2164a88909383add296809bec01aafa7f34dcbe/analysis/1382887371/

I think it is not the original archive.

And on my environment fs v3.0 did not crash.


Edited by blackwingcat

Well, nowadays AV databases are so huge that they include nearly every possible combination. So now they more need to add signatures of non-malware programs to an exclude database, because their malware database catches nearly anything. As you can see, half of the AVs detect it as clean and the other half say it is a different thing. When the result is like that, I think it is 99.99999% sure to be a false positive. And I think you can confirm yourself on your test machine that no malware actions were done. It is also another practice of AV companies to add ANY product from some developers or sites as malware, while most of them have nothing malicious in them, just because that developer or site produces one or more things which can be used for this purpose, while at the same time they do not include commercial programs which are totally hidden malware, like ad programs or copy-protection rootkits, etc.

This FastScanner is a tool to scan executables to see if they are packed, and with what if they are, just like the famous PEiD (in case you don't know about these programs). I posted it because I remembered that I was not able to use it in the past to compare with other similar ones because of this crash. But now I downloaded it again, with that fix, started it, and it was working fine!

BTW, I have more examples of programs which were crashing due to the same reason, but after this fix they are working just fine. BUT I'm afraid if I post them here you will cry even more about trojans etc., while they are nothing like that. So I won't mention them here :).

It is just that this bug is commonly seen. It was not just in topo or calc32, but in many many many more applications.

Edited by leonidij

(screenshot: ba415a4e.png)

I tried to run MSPAINT, notepad, calc, wordpad and robocopy from the Vista binaries. (Next version kernel v2.3i)


I released the English version of extended kernel v2.3i2.


Hi blackwingcat, it's been a while but your latest extended kernel fixed all the problems I was having with the latest Firefox builds and as an added bonus the Google Talk plugin now works so I can use Google Hangouts or Chat with Firefox on W2k. For the longest time I would get an error but it's fine now. So whatever changes you did nice job. Also, I see you've even got Java 6 updates still going. Windows 8, who needs that garbage?

