KernelEx for Win2000

661 replies to this topic

#476 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

Hello, and awesome work, blackwingcat.

Here is another thing which I know is a bug in win2k.

Some programs (mostly oll ones), when started, try to initialize their main dialog but freeze at some point. If you click X (close) they do exit, but if you click any other button they get into a not-responding state. Note this bug may be closely related to the previous one, if not the same. I have seen a total of 3 programs like that, so it is rare, but those programs do work fine on Win 9x and probably on XP. I'm sending you an example of one tool from the year 2000 whose task is to add physical and/or virtual space/sections in PE files. It is rare to find that program nowadays. In the archive are both the original version and a fixed version (not fixed by me) that WORKS on win2k. You can see how the fix is done and where the problem is without fully debugging, just by comparing the disassembly of both files. Note this too may be considered a malware tool by "super clever" AVs, but it by itself has nothing malware-like or destructive in it. Its main aim is to easily and quickly add space in a PE file for extra code when you do not have enough physical space in the file for this task.

Attached Files


Edited by leonidij, 08 October 2013 - 06:04 AM.
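The job the tool described above does (adding physical and virtual space to a PE file so extra code can be placed in it) is small enough to show in full. The following Python script is an added example written for this page; it is not leonidij's tool, not blackwingcat's code and not anything attached to the thread. It appends a new section to a PE32 image, and it constructs its own minimal sample image to run against: the sample, the section name `.cave` and the five-byte NOP/RET payload are all made up for the illustration.

```python
import struct

# Alignments used by the constructed sample image; real files carry their own
# values in the optional header, which add_section() reads rather than assumes.
SECT_ALIGN = 0x1000
FILE_ALIGN = 0x200


def align(n, a):
    """Round n up to the next multiple of a."""
    return (n + a - 1) // a * a


def pe_offset(data):
    """Return the file offset of the 'PE\\0\\0' signature, validating the MZ stub."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def sections(data):
    """List (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)."""
    pe = pe_offset(data)
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        out.append((name.rstrip(b"\0"), va, vsize, rawptr, rawsize, chars))
    return out


def size_of_image(data):
    """SizeOfImage from the optional header (offset 56 within it)."""
    pe = pe_offset(data)
    return struct.unpack_from("<I", data, pe + 24 + 56)[0]


def add_section(data, name, payload, characteristics=0x60000020):
    """Append a section holding payload (a code cave) and return the patched image.

    characteristics defaults to CODE | EXECUTE | READ. The new header is written
    into the existing header area, so the file must still have room there.
    """
    if len(name) > 8:
        raise ValueError("section name is at most 8 bytes")
    pe = pe_offset(data)
    opt = pe + 24
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    new_hdr = opt + opt_size + 40 * nsect
    # A header that spills past SizeOfHeaders would overwrite the first section's raw data.
    if new_hdr + 40 > size_of_headers:
        raise ValueError("no room in the header area for another section header")
    # Place the section after the highest existing virtual range and at the end of the file.
    va_end = max((s[1] + s[2] for s in sections(data)), default=sect_align)
    new_va = align(va_end, sect_align)
    new_raw = align(len(data), file_align)
    raw_size = align(len(payload), file_align)
    out = bytearray(data)
    out += b"\0" * (new_raw - len(out))
    out += payload + b"\0" * (raw_size - len(payload))
    struct.pack_into("<8sIIIIIIHHI", out, new_hdr, name.ljust(8, b"\0"),
                     len(payload), new_va, raw_size, new_raw, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", out, pe + 6, nsect + 1)
    struct.pack_into("<I", out, opt + 56, align(new_va + len(payload), sect_align))
    return bytes(out)


def build_sample_pe():
    """Construct a minimal PE32 with one .text section holding a lone RET (not from any real program)."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                     # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)   # i386, 1 section, EXE
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                           0, 0, 0, 0, 0x60000020)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" + b"\0" * 0x1FF


if __name__ == "__main__":
    image = build_sample_pe()
    patched = add_section(image, b".cave", b"\x90\x90\x90\x90\xC3")
    for s in sections(patched):
        print(s)
```

The script reads SectionAlignment, FileAlignment and SizeOfHeaders from the target instead of assuming them, and refuses to proceed when the section table has no room for another 40-byte header, which is exactly the case where a tool of this kind has to grow the header area first. It leaves the PE checksum and the security directory untouched, so a signed binary will no longer validate after patching; that is also why scanners flag section-adding tools and anything they have touched.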




#477 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

Will you tell me any of the programs?

If it is a simple application like calc32.exe, I may be able to resolve it.

What is oll? :angel

GDK software, Java 7 and Google Chrome have similar problems.

They are resolved by replacing the gdk library file.

But if it is a Java application we can only use Java 6 u51/60. :(

 



Edited by blackwingcat, 07 October 2013 - 08:54 PM.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
BlackWingCat =^^=
http://blog.livedoor.jp/blackwingcat/
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

#478 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

See the attached file in my previous post for what causes the problem and how it must be fixed.

The fixes are very similar to the fixes you use, but already done by someone else in this case.

This is also a general problem, and as I understood it, it exists in modern applications too.

The attachment in the previous post gives you both the problem and the resolution :yes:.

_fixed.exe is the fixed file in there, which works on win2k, and the other exe is the original, which does have the problem described above. It is again not-saved registers and again is related to the SendMessage function, but I think not only this time.


Edited by leonidij, 08 October 2013 - 04:55 AM.


#479 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

It detected two Trojans as you said. :}

So, I'll create a new standalone Windows 2000 environment and test it.

 


 

And then...

I tested them.

On my new environment both programs seem to work fine.

Does topo12.exe have any problems on a typical Windows 2000 environment?


Edited by blackwingcat, 08 October 2013 - 09:46 PM.


#480 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

Yes, as I described above. You can debug both in OllyDbg or in any other debugger/disassembler and see the difference between them. You can also use the Cmpdisasm tool for this task. This program can be used to add extra code into an exe and that's why AVs think it is a very bad thing to do, but as you know very well, not only bad things can be added into an existing program. The program itself has nothing malware-like in it, but you are free to be extra cautious. I think I remember one more program which has the same problem. Will try to find it. It was one Opcode tool. Oh, I think I remember even one more program with that problem. Will search for them.

Here is one more program, called OpGen, with that problem, and it is OPEN SOURCE! I found it in my collection and it has the same problem. It is an Opcode Generator tool. The source is written in tasm32 and compiles flawlessly (I tested).

Attached Files


Edited by leonidij, 09 October 2013 - 04:49 AM.


#481 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

I disassembled it.

But I think it resolved the user32.dll problem as I said.

It is caused by the same bug.

 




#482 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

See my post above for the attached file of another program with the same problem.

And here, with v18g + the fixed user32 from v23g3, this problem does still exist.

On which environment did you test it, Japanese or English?

And which user32.dll exactly are you using for the tests?

This OpGen tool has a much simpler GUI and functions and does not use SendMessage at all.

 

    0x0000       "SetDlgItemTextA"
    0x0000       "CheckRadioButton"
    0x0000       "DialogBoxParamA"
    0x0000       "IsDlgButtonChecked"
    0x0000       "wsprintfA"
    0x0000       "GetDlgItemTextA"
    0x0000       "MessageBoxA"
    0x0000       "EndDialog"

 

are the only user32 functions it uses.


Edited by leonidij, 09 October 2013 - 04:58 AM.


#483 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

The fixed version of user32.dll is 5.0.2195.7160 (Oct 7th 4:23am GMT) in v23h.

 




#484 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

Yes, indeed it works with both the original calc32.exe (with its tooltips) and topo.exe! I actually have user32.dll deleted from KnownDLLs and just placed the v23h one into the directory where calc32.exe and topo.exe are, and they run fine indeed. It seems that was caused by the same bug. (And this also means user32 v23h is compatible with the other v18g files.)

BUT Opgen.exe still does not work. It fails to fully initialize, and the problem looks very much the same as the problem in topo.exe, BUT it seems to be caused by another function. Maybe this same bug is also present in other functions than SendMessage?

Opgen.exe + its full source code are attached in post #480 (a little above).


Edited by leonidij, 09 October 2013 - 06:35 AM.


#485 piotrhn (Newbie, 40 posts, Joined 17-July 06, OS: Windows 8 x64)

Hi blackwingcat, I found some bugs:

KB935839-23H

Windows doesn't work when it installs comctl32 (5.2 Win2003 ver.); taskmgr crashes, and more.

sigverif.exe

When I run sigverif.exe it starts and scans files OK, but when I click the Advanced button the program crashes.


Edited by piotrhn, 09 October 2013 - 09:53 AM.


#486 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

It seems to be a general OpGen problem.

It does not work on Windows XP either.

You can download a fixed, newer version of OpGen from here.

http://www.reversing...topic.php?t=517

And what is runme.exe?

 



Edited by blackwingcat, 09 October 2013 - 07:37 PM.


#487 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)


 

I found a Windows 2000 taskmgr.exe native bug.

Please wait.

You can see more information here.

http://blog.livedoor...es/1817851.html (Japanese)

I released kernel v2.3h2. (return 5.2 XP ver)

and released KB839726-v2 / 5.0.2195.6904 Taskmgr.exe

English / Japanese and FRA/ITA/DEU/TW/PTG versions


Edited by blackwingcat, 10 October 2013 - 12:34 AM.


#488 piotrhn (Newbie, 40 posts, Joined 17-July 06, OS: Windows 8 x64)

Hi,

I installed K-Lite Mega Codec Pack, and in Media Player Classic 1.7.0.7805 the buttons are invisible/broken.


Edited by piotrhn, 14 October 2013 - 04:06 PM.


#489 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

Which buttons did you mean? :)
(Does the K-Lite Basic codec pack have no problem?)

 




#490 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

I released Safari 6.0.5 for Windows 2000 with Extended Kernel.

 

http://blog.livedoor...es/1819424.html



#491 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

Hello blackwingcat.

Thanks for info!

 

That runme.exe is the logo program of the site from which the program was downloaded. That site, "protools", no longer exists, and this runme.exe has nothing to do with OpGen nor matters in any way. It is just there in the archive I have. That's all about it.

 

And what is the difference between v2.3h and v2.3h2?


Edited by leonidij, 16 October 2013 - 09:40 AM.


#492 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

Hi.

 

v2.3h2 replaces comctl32.dll back from the 2003 version to the XP version because of some problems.


#493 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

http://blog.livedoor...es/1821933.html

http://blog.livedoor...es/1707344.html

 

I released .NET 4.0 for Windows 2000 Extended Kernel, RC2. :)

You can easily construct an Extended Kernel environment with the Extended Kernel DVD Creator on the hfslip kit.

http://www.msfn.org/...ws-2000/page-25


Edited by blackwingcat, 24 October 2013 - 05:37 PM.


#494 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

Hello blackwingcat.

That bug you have fixed in the SendMessage function in user32.dll seems to have been a very Very VERY big flaw in win2k. I made that fix to the user32.dll of SP5.1 (NON EXTENDED KERNEL), and now many programs which gave trouble in the past run flawlessly. Micro$oft seems to have forgotten to fix this for full compatibility with win9X, but fixed it in XP. And the problem in Opgen.exe seems again not to have been fixed in 2k, but also not in XP and maybe all other versions (maybe it was too rare to be seen by developers). But this one in SendMessage is really important, because without it many programs just can not work on win2k. I found many other programs which crashed before that work flawlessly now. So this really was a MAJOR BUG (I think), reached in different ways by many programs.

One of many examples is FastScanner 3.0 from AT4RE.
It can be downloaded from:

http://www.woodmann....4RE_FastScanner

It still crashes when the TotalScan button is clicked, but before it was crashing right after launch.

Edited by leonidij, 26 October 2013 - 01:07 PM.


#495 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

Perhaps the recent version of kernel32.dll (5.0.2195.7204) fixed it.

Please try testing again.

Sorry, I forget how it occurs.

 

I can tell you that kernel32.dll contains some code specific to converting to and from the Korean locale. In several places throughout the NLS code it checks for the Korean locale and consults a special "KoreanWeights" table when it needs to. It was one of those things I had to reverse-engineer and have no way to test.



#496 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

Umm...

It was detected as a trojan horse.

https://www.virustot...sis/1382887371/

I think it is not the original archive.

And on my environment FS v3.0 did not crash.

 



Edited by blackwingcat, 27 October 2013 - 05:43 PM.


#497 leonidij (Newbie, 17 posts, Joined 27-September 13, OS: none specified)

Well, nowadays the AV database is so huge that it includes nearly every possible combination. So they now more need to add non-malware program signatures to an exclude database, because their malware database catches nearly anything. As you can see, half of the AVs detect it as clean and the other half say it is a different thing. When the result is like that, I think it is 99.99999% sure it is a false positive. And I think you can confirm yourself on your test machine that no malware actions were done. It is also another practice of AV companies to add ANY product from some developers or sites as a malware thing, while most of them have nothing malware-like in them, just because that developer or site produces one or more things which can be used for this purpose, while at the same time they do not include commercial programs which are total hidden malware like AD programs or copy-protection rootkits, etc.

This FastScanner is a tool to scan executables to see if they are packed, and to see with what if they are, just like the famous PEiD (in case you don't know about these programs). I posted it because I remembered that I was not able to use it in the past to compare with other similar ones because of this crash. But now I downloaded it again, with that fix, and started it, and it was working fine!

BTW I have more examples of programs which were crashing due to the same reason, but after this fix they are working just fine. BUT I'm afraid if I post them here you will cry even more about trojans etc., while they are nothing like that. So I won't mention them here :).

It is just that this bug is commonly seen. It was not just in topo or calc32, but in many, many, many more applications.

Edited by leonidij, 28 October 2013 - 06:00 AM.


#498 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

[screenshot]

I tried to run MSPAINT, notepad, calc, wordpad and robocopy from the Vista binaries. (Next version kernel v2.3i)



#499 blackwingcat (Friend of MSFN, 876 posts, Joined 31-May 08, OS: Windows 2000 Professional)

I released the English version of extended kernel v2.3i2.



#500 DanR20 (Newbie, 31 posts, Joined 28-February 12, OS: none specified)

Hi blackwingcat, it's been a while, but your latest extended kernel fixed all the problems I was having with the latest Firefox builds, and as an added bonus the Google Talk plugin now works, so I can use Google Hangouts or Chat with Firefox on W2k. For the longest time I would get an error, but it's fine now. So whatever changes you did, nice job. Also, I see you've even got Java 6 updates still going. Windows 8, who needs that garbage?



