WildBill
Patron. Posts: 706. Donations: 0.00 USD. Country: United States
Everything posted by WildBill

  1. Not usually, especially if they're in a data segment rather than a code segment. A generic hex editor would be better suited for that purpose. That said, if you need to *lengthen* a key, my tool could help you move the key to a location that could accommodate it. You can either expand a segment or add a new one and put the new key in the space you allocated. Then, however, you'd have to update all references to the old key to point to the new one. A combination of my tool and a hex editor could do that, though you might need something like IDA to find all of the references. If the file you're modding can't accommodate another segment, one thing my tool can do is combine segments to free up a segment entry. I had to do that to SRV.SYS so I could add a .patch segment.
  2. http://www.mediafire.com/download/kddw215c9u2h36f/Windows2000-KB2508429-v10-x86-ENU.exe

     It's not quite ready for prime time, but it's seeing lots of testing and improvements as I use it.

     I've now got a few patches ready for release:

     MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (update) Windows2000-KB2286198-v3-x86-ENU.EXE
     MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Windows2000-KB981852-v2-x86-ENU.exe
     MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege Windows2000-KB2160329-x86-ENU.exe
     MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution Windows2000-KB2079403-x86-ENU.exe
     MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution Windows2000-KB2115168-x86-ENU.exe
     MS10-053 Cumulative Security Update for Internet Explorer Windows2000-KB2183461-v2-x86-ENU.exe
     MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution Windows2000-KB982214-v2-x86-ENU.exe
     MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution Windows2000-KB982665-v2-x86-ENU.exe
     MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution Windows2000-KB2347290-x86-ENU.exe
     MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution Windows2000-KB981322-x86-ENU.exe
     MS10-065 (partial) IIS Repeated Parameter Request Denial of Service Vulnerability Windows2000-KB2124261-x86-ENU.exe
     MS10-065 (partial) Directory Authentication Bypass Vulnerability Windows2000-KB2290570-x86-ENU.exe
     MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution Windows2000-KB2259922-x86-ENU.exe
     MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege Windows2000-KB2121546-x86-ENU.exe
     MS10-071 Cumulative Security Update for Internet Explorer Windows2000-KB2360131-v3-x86-ENU.exe
     MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-21-2010] Windows2000-KB981957-x86-ENU.exe
     MS10-074 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution Windows2000-KB2387149-x86-ENU.exe
     MS10-076 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution Windows2000-KB982132-x86-ENU.exe
     MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege Windows2000-KB2279986-x86-ENU.exe
     MS10-081 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution Windows2000-KB2296011-x86-ENU.exe
     MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution [12-31-2010] Windows2000-KB979687-v2-x86-ENU.exe
     MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege [09-28-2011] Windows2000-KB2360937-v2-x86-ENU.exe
     MS10-090 Cumulative Security Update for Internet Explorer [01-02-2011] Windows2000-KB2416400-x86-ENU.exe
     MS10-091 Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution [01-29-2011] Windows2000-KB2296199-x86-ENU.exe
     MS10-096 Vulnerability in Windows Address Book Could Allow Remote Code Execution [12-24-2010] Windows2000-KB2423089-x86-ENU.exe
     MS10-097 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution [01-29-2011] Windows2000-KB2443105-v2-x86-ENU.exe
     MS10-098 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-27-2010] Windows2000-KB2436673-x86-ENU.exe
     MS10-099 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege [01-31-2011] Windows2000-KB2440591-x86-ENU.exe
     MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution [02-06-2011] Windows2000-KB2419632-x86-ENU.exe
     MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [02-16-2011] Windows2000-KB2485376-x86-ENU.exe
     MS11-010 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege [02-20-2011] Windows2000-KB2476687-v2-x86-ENU.exe
     MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege [01-11-2014] Windows2000-KB2393802-v21-x86-ENU.exe (obsolete -- see below)
     MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-16-2014] Windows2000-KB2479628-v10-x86-ENU.exe (obsolete -- see below)
     MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege / MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-18-2015] Windows2000-KB2479629-v3-x86-ENU.exe
     MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution [05-16-2011] Windows2000-KB2511455-x86-ENU.exe
     MS11-013 Vulnerabilities in Kerberos Could Allow Elevation of Privilege and MS11-014 Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege and MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution [01-25-2014] Windows2000-KB2508429-v17-x86-ENU.exe
     MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [05-08-2011] Windows2000-KB2507618-x86-ENU.exe
     MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution [05-03-2011] Windows2000-KB2485663-x86-ENU.exe
     MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution [12-08-2011] Windows2000-KB2476490-x86-ENU.exe

     The first one is a re-release. I decided to load the patch in my PE Tool and saw that I had missed a relocation. This one should have all of them now. The second one patches srv.sys. It appears to be a patch for multiple buffer overflow holes. The third one comes courtesy of blackwingcat's analysis, but it's an ENU version instead of a JPN one. Once again, it's a buffer overflow fix.

     I'm running all three on my box with no problems so far, though since I'm not an entire security firm, I have to add a "use at your own risk" disclaimer.

     I added MS10-051 and MS10-052. The new files inside are unmodified XPSP3 versions, and from looking inside them I think they'll work just fine. I'm running them on my Win2k box with no problems. MS10-052 especially is an *extremely* minor tweak.
  3. If you are looking for WildBill's post-EOL patches for Windows 2000, go to Post #3.

     Now, for the PE Tool for creating patches, here's the Download link: PE Tool 0.0.5

     Version 0.0.1
     ------------------
     INITIAL RELEASE

     Version 0.0.2
     ------------------
     Improved the disassembly view: if an address evaluates to a known name, the name will be shown instead and color-coded.

     Version 0.0.3
     ------------------
     - Fixed some bugs in the assemble instruction dialog where certain edit fields weren't being enabled.
     - Fixed some bugs where the clicked-on address didn't match the assembly text.
     - Improved detection of .map entries so that they show up in the disassembly.
     - Added a menu entry for changing the code entry point.
     - Improved the feedback in confirmation dialogs when working with relocs.
     - Updated the .map files with my newest versions.

     Version 0.0.4
     ------------------
     - Fixed some disassembly bugs.
     - Fixed some bugs when assembling instructions.
     - Added a menu entry under Directories... that lets you change the address of an exported function.

     Version 0.0.5
     ------------------
     - ***LOTS*** of fixes
     - Adds control over the listing font to the preferences window.
     - Automatically updates build timestamps.
     - Tries to detect the need for relocs and will list them as warnings at the bottom in a new message window.
     - Highlights instructions where it thinks a reloc is needed in red.
     - Added buttons to the hex bytes dialog to make it easy to insert ANSI or Unicode strings.
     - Added the ability to split sections.
     - Added the ability to chop off the beginning of sections.
     - Added the ability to move the entire export table.
     - Added support for adding forwarded exports.
     - Added the ability to grow the file header if space is available.
     - Added an "Update exports" menu entry that will force rebuilding the export table.

     I've been trying to build a simple tool that will hopefully make creating security patches easier. It's still pretty rough around the edges, but here is a screenshot of what I've got so far:

     I've been using it to make a Win2k patch for KB982214, the SMB vulnerability. I'll probably be able to test the patch tomorrow in a VM.

     The tool lets you do a few simple things so far:
     - Add relocation chunks and chunk entries
     - Move certain sections (this is somewhat dangerous for most sections, but moving resources and relocations should be safe)
     - View some directory information, like imports and relocations
     - Automatically fixes up certain directory information if the section that contains them moves (relocations, imports, debug info, etc.)
     - Grow sections to fill any available slack between them and the next section
     - Change bytes
     - Assemble instructions
     - Fix a file checksum

     If you have a .MAP file the disassembler can resolve symbols and color-code them, as the pic shows. It's also showing relocations in red. I didn't write the disassembler portion and it's not perfect, but I've managed to fix some of the worst issues.
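The last item in that feature list, "Fix a file checksum", is the step people most often skip after hand-patching a binary, and it matters for the kind of files in this thread: the PE/COFF specification says Windows validates the optional-header CheckSum for drivers and for DLLs loaded into critical system processes, so a patched srv.sys with a stale checksum can simply be refused. The block below is an added example written for this page, not WildBill's PE Tool and not code from the thread. It implements the imagehlp-style CheckSum arithmetic in Python (sum of little-endian 16-bit words with end-around carry, the field itself excluded, plus the file length), locates the field from e_lfanew, rewrites it, and shows that a single flipped byte is caught. The sample bytes are a constructed stand-in (MZ stub, PE signature, COFF header, PE32 optional header, a few code bytes, no section table), not a real Windows 2000 file; function names and layout constants are mine.

```python
import struct


def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew lives at 0x3C of the DOS header; after the 4-byte 'PE\\0\\0'
    signature comes the 20-byte COFF file header, and CheckSum sits at
    offset 64 of the optional header in both PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Compute the PE header checksum over the whole file image.

    Same arithmetic as CheckSumMappedFile: add every 16-bit little-endian
    word with end-around carry, skipping the 4-byte CheckSum field, fold the
    result to 16 bits and add the file length.
    """
    total = 0
    for i in range(0, len(data) - 1, 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue  # the field being computed is excluded from its own sum
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    if len(data) % 2:  # odd trailing byte counts as a low byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_ok(data: bytes) -> bool:
    """True when the stored CheckSum matches a fresh computation."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)


def fix_checksum(data: bytes) -> bytes:
    """Return a copy of the image with CheckSum recomputed and written back."""
    off = checksum_field_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(out, off))
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed stand-in for a patched binary (not a real Win2k file).

    Layout: 64-byte DOS header with e_lfanew=64, PE signature, COFF header
    (i386, 1 section, 224-byte optional header, DLL|EXECUTABLE|32BIT), a
    PE32 optional header with ImageBase 0x10000000 and CheckSum left at 0,
    then 32 bytes standing in for section data.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)    # ImageBase
    code = bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3]) + bytes(27)  # push ebp; mov ebp,esp; pop ebp; ret
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code


if __name__ == "__main__":
    pe = build_sample_pe()
    print("unpatched header verifies:", checksum_ok(pe))
    fixed = fix_checksum(pe)
    print("after fix_checksum: 0x%08X verifies: %s" % (stored_checksum(fixed), checksum_ok(fixed)))
    tampered = bytearray(fixed)
    tampered[-1] ^= 0x01  # one bit flipped in section data
    print("after tampering verifies:", checksum_ok(bytes(tampered)))
```

The same three calls work on a real file read with `open(path, "rb").read()`; run `checksum_ok` on the original to confirm the implementation against what the linker wrote, then `fix_checksum` once all byte patches and section moves are done, since anything written after the fix invalidates it again.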
  4. I tested it using the POC code that blackwingcat pointed to:

     Beyond that I haven't heard any reports one way or the other. I'm running it on my box (not just in a VM, but in the normal OS installation) and I've experienced no problems. I'd certainly appreciate any reports of usage or any form of independent assessment. I haven't tried Vektor's patch, so I'm reluctant to evaluate one against the other. His has the plus of being applicable to multiple OSes, whereas mine is for Win2k only. On the other hand, my patch is slipstreamable like any other MS hotfix. That's not to say that Vektor's isn't -- it might be, I haven't tried it.

     On another note, for the past few weeks I've been prepping to build a backported patch for MS10-054 (KB982214: Vulnerabilities in SMB Server Could Allow Remote Code Execution). I've boiled it down to 5 routines that have to be patched and a small one that has to be added. The tough part has been the logistics of actually building a patch, though I've got my PE tool almost to the point where I can use it to make the patch. Basically I'm using IDA for the analysis part and my own tool for the patching part. Once it's ready I plan on releasing that patch as well as my PE tool. Then I'd like to move on to MS10-049 (KB980436: Vulnerabilities in SChannel Could Allow Remote Code Execution). I have no plans to switch away from Win2k any time soon, and I don't like the idea of having those holes unpatched.
  5. I've fixed my patch and uploaded v2 here: Windows2000-KB2286198-v2-x86-ENU.EXE This has proper relocation info for the code I added and should eliminate the (unlikely) possibility of a crash. Nonetheless, I strongly recommend installing this one. If you already installed my earlier patch this one will install over it just fine. Once installed, shell32.dll will show version 5.0.3900.7157. Enjoy...
  6. While my patch seems to work, I've found a problem where I should have put relocation entries in it but didn't. This means that the DLL could crash if the PE loader doesn't put it at its preferred address. While this is unlikely, I'm working on an update with proper relocation entries added. That would ensure that the DLL would work wherever the PE loader put it. I plan on releasing the update as soon as it's ready.
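The failure mode in the post above (code added to a DLL that carries absolute addresses but no base relocation entries, so the module only works when the loader maps it at its preferred base) is easy to reproduce and to check for. The block below is an added example written for this page, not WildBill's PE Tool and not code from the thread. It encodes and decodes IMAGE_BASE_RELOCATION blocks in the on-disk .reloc format (per 4 KiB page: a DWORD page RVA, a DWORD SizeOfBlock, then 16-bit entries of type<<12 | offset, padded with an ABSOLUTE entry), rebases a constructed image the way the loader does, and runs the heuristic a tool like his (the "tries to detect the need for relocs" item in the 0.0.5 changelog) would run: scan the patched code for dwords that look like in-image addresses and have no HIGHLOW entry. The image bytes, the RVAs, the preferred base 0x10000000 and the SizeOfImage are all constructed for the example; only HIGHLOW is handled because 32-bit x86 images use no other fixup type.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, the loader applies no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # full 32-bit pointer fixup, the only type in x86 PE32 images
PAGE = 0x1000

IMAGE_BASE = 0x10000000        # assumed preferred base of the constructed DLL
SIZE_OF_IMAGE = 0x3000         # assumed SizeOfImage of the constructed DLL


def build_reloc_directory(rvas):
    """Encode IMAGE_BASE_RELOCATION blocks for a list of HIGHLOW fixup RVAs."""
    by_page = {}
    for rva in sorted(set(rvas)):
        by_page.setdefault(rva & ~(PAGE - 1), []).append(rva & (PAGE - 1))
    out = bytearray()
    for page, offsets in sorted(by_page.items()):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in offsets]
        if len(entries) % 2:                       # SizeOfBlock must stay DWORD aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)


def parse_reloc_directory(blob):
    """Decode the blocks into a sorted list of RVAs the loader will adjust by the base delta."""
    rvas, pos = [], 0
    while pos + 8 <= len(blob):
        page, size = struct.unpack_from("<II", blob, pos)
        if size < 8 or pos + size > len(blob):
            raise ValueError("malformed relocation block at 0x%x" % pos)
        for entry in struct.unpack_from("<%dH" % ((size - 8) // 2), blob, pos + 8):
            kind, off = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_HIGHLOW:
                rvas.append(page + off)
            elif kind != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError("unsupported relocation type %d" % kind)
        pos += size
    return sorted(rvas)


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def rebase(image, new_base, reloc_blob):
    """What the loader does when the preferred base is taken: add the delta to every relocated dword."""
    delta = (new_base - IMAGE_BASE) & 0xFFFFFFFF
    out = bytearray(image)
    for rva in parse_reloc_directory(reloc_blob):
        struct.pack_into("<I", out, rva, (read_u32(out, rva) + delta) & 0xFFFFFFFF)
    return bytes(out)


def find_unrelocated_pointers(image, start, end, reloc_blob):
    """Heuristic: dwords in [start, end) whose value lies inside the image but have no HIGHLOW entry.

    False positives are possible (an immediate that merely looks like an address),
    so each hit must be confirmed in the disassembly before adding an entry.
    """
    covered = set(parse_reloc_directory(reloc_blob))
    return [rva for rva in range(start, end - 3)
            if IMAGE_BASE <= read_u32(image, rva) < IMAGE_BASE + SIZE_OF_IMAGE
            and rva not in covered]


def build_sample_image():
    """Constructed stand-in for a patched DLL's mapped image (flat buffer indexed by RVA)."""
    img = bytearray(0x1100)
    img[0x1000:0x1006] = bytes([0xA1, 0x34, 0x12, 0x00, 0x10, 0xC3])  # mov eax,[10001234h]; ret   (original code, relocated)
    img[0x1040:0x1046] = bytes([0x68, 0x00, 0x20, 0x00, 0x10, 0xC3])  # push 10002000h; ret       (added patch code, pointer at 0x1041)
    return bytes(img)


CODE_START, CODE_END = 0x1000, 0x1100
ORIGINAL_RELOCS = [0x1001]     # the patch author forgot the entry for 0x1041


def demo():
    image = build_sample_image()
    relocs = build_reloc_directory(ORIGINAL_RELOCS)
    missing = find_unrelocated_pointers(image, CODE_START, CODE_END, relocs)
    moved = rebase(image, 0x20000000, relocs)                                   # loader picks a new base
    fixed = rebase(image, 0x20000000, build_reloc_directory(ORIGINAL_RELOCS + missing))
    return {
        "missing": missing,                        # RVAs the scan flags
        "orig_ok": read_u32(moved, 0x1001),        # original pointer followed the move
        "stale": read_u32(moved, 0x1041),          # patch pointer still aims at the old base
        "repaired": read_u32(fixed, 0x1041),       # same pointer after adding the entry
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-9s %s" % (key, value if isinstance(value, list) else "0x%08X" % value))
```

On a real file, feed `find_unrelocated_pointers` the mapped bytes of the section you added code to and the raw bytes of the `.reloc` section, then append the confirmed RVAs with `build_reloc_directory` (or the tool's "add chunk entries" step) and rebuild the directory's size field; the stale value that `demo()` returns for 0x1041 is exactly the address that would be dereferenced at the old base after a rebase, which is the crash the post describes.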
  7. Thanks for the link. I tried tests A and B, and my patch blocks it in test A (viewing the link), but not test B (double-clicking on the link to execute it). As for making the patch, I broke down and bought a copy of IDA Pro Standard and the Hex-Rays decompiler ($$$!). I expanded the code section and patched the PE header in IDA so that I could add code. It was a VERY painful process, so much so that I've started working on a simple tool to do it instead. I think I can have the tool ready enough in a couple of days so that it will be useful.
  8. Would you be able to determine if my patch closes the security hole?
  9. This is OT, but blackwingcat, have you seen the LNK patch I posted in the Win2k forum? If it effectively closes the vulnerability it might be useful to you since it can be slipstreamed, etc. Unfortunately I don't know how to test it to see if it closes the security hole.
  10. Hmm. If I'd checked the forum this might have saved me some effort. Anyhow, I also tried to put together a patch for the LNK vulnerability. It's done the "standard" way, with the main exception being that it doesn't use a signed update since I couldn't figure out how to sign it. This is the first time I've attempted making a patch for Windows, so this is really new territory for me. I've tried it in a VM and I'm not seeing any problems, but I also don't really know for certain that this closes the security hole. If anyone knows how to verify it I'd appreciate it. I tried a proof-of-concept of the vulnerability and the patch seems to block it, but I can't claim to be knowledgeable about the details of the security hole beyond that it somehow masquerades as a Control Panel link. When installed, the version of shell32.dll will bump up to 5.0.3900.7156 so you can tell if it's installed. Windows2000-KB2286198-x86-ENU.EXE "Use at your own risk" goes without saying until someone here can hopefully validate it.
  11. No, the bitmap format won't have any effect since everything is stored in memory uncompressed. I've actually been making a lot of speed optimizations for version 1.1.5, as I've been gradually improving support for alpha-blended window borders on Windows 2000 and performance was suffering. Let me see if it's good enough to release as-is.
  12. Version 1.1.4 is now up, with a couple of fixes.
  13. 2nd-level dropdown menu skinning should work, but the Explorer shell's New... submenu is owner-drawn. That's why it looks different. For example, the Arrange Icons... submenu paints correctly. I saw the start button issue too with your skin, I think it has to do with the narrowness of the taskbar. I'll have to play with it some more to see what's going on.

      For the Quicklaunch icons, try adding these settings to the [METRICS] section to see if they help:

      TaskbarIconWidth=16
      TaskbarIconHeight=16

      To get extra system tray space, you have to assign an image to the tray:

      [COMPONENT_SYSTEMTRAY]
      Type=Image
      Component=SystemTray
      Image=    <-- Need to assign an image and set the image's ContentRectLeft setting
      State=Normal
      StartingFrame=0
      EndingFrame=0
      TextColor=White
      Font=Arial_10px_Normal

      Transparent icon text works through the font smoothing engine, so yes, it won't work with font smoothing disabled.
  14. Forget everything I said about the taskbar thickness setting. It should reflect the desired visual thickness, not the client thickness. In your case, it should be set to 20. (sheesh...I wrote it and I got it wrong). The other problems you were seeing were the results of either bugs or aspects that weren't supported (such as thinner-than-normal taskbars). I've posted version 1.1.3 which should give you much better results.
  15. Sure. Can you post a link? One thing to check is the TaskbarHeight setting. For example, this is in the Uber skin:

      [METRICS]
      ClockWidth=80
      ClockHeight=0
      ClockSizeUnits=Pixels
      TaskbarHeight=40
      StartButtonXOfs=0
      StartButtonYOfs=1
      MultilineTaskText=1
      CaptionMinLeftInset=7
      CaptionMinRightInset=7
      CaptionIconInset=6
      CaptionIconLinked=1

      The taskbar image height in Uber is 46 pixels, so in this example we want 46 pixels visible. The taskbar window itself is 48 pixels wide: the bottom 2 pixels are offscreen, but we don't want to waste the image on anything that isn't visible. However, assuming a standard 4-pixel border thickness, if we exclude the top and bottom borders from the taskbar, that gives 48-8=40 pixels. So in the Uber case, TaskbarHeight=40 means that we want the client portion of the taskbar to be 40 pixels wide. This probably sounds strange that the setting is for the client thickness instead of the overall window thickness, but the setting also determines how much the taskbar grows by when you drag the border to have multiple rows. In this case, it grows 40 pixels at a time, so the Uber taskbar thickness is always 40*rows+8, where the extra 8 pixels are from the top and bottom borders. Remember, though, that the bottom 2 pixels are always offscreen, so your image should not cover those pixels.

      Let's try another example. If your taskbar image is, say, 31 pixels high, then it corresponds to a taskbar window that is really 33 pixels high (the bottom two pixels are offscreen). Take 8 off that to remove the top and bottom borders and you get 25. So in this case the setting should be TaskbarHeight=25 to cause the taskbar to grow 25 pixels at a time. Basically, the setting is the image height minus 6 pixels.

      (forget all this...I'm having a brain-dead moment. The setting is the total visual thickness...so if you want to see 20 pixels, set it to 20).

      Now that the skinning engine is getting pretty powerful, SmoothText is really hurting for some comprehensive documentation. Does anyone want to volunteer to write some? I'd probably need a link to your theme to try to figure out what's wrong with the window borders. As a status update, the next version will have improved support for alpha-blended window borders. I can't promise perfection, but in the last couple of days I've really improved its behavior.
  16. Last month I updated my ExtendAPI program, and now I'm able to use it to play at least one XP-only game on Win2k without having to patch anything (Overlord). I've posted the new version of ExtendAPI, and here is a link for anyone inclined to play with it. http://www.mediafire.com/download.php?ozlmwgyu54o ExtendAPI is a little experiment of mine. I wanted to see if I could write a program that could live in the system tray and automatically reroute imports of Windows API calls that aren't normally in Win2k to other DLLs. The idea is to be able to add support for XP-only API routines without having to patch anything or wrap system DLLs. I haven't tried anything beyond rerouting imports for TraceMessage, but it at least lets me play Overlord unmodified. The program uses an .INI file that tells it which routines it can reroute, the DLL in which a program normally expects to find it, and the DLL where it can actually find it. I can't guarantee how well ExtendAPI will play with your applications (this is experimental, after all), but perhaps there is some potential if anyone wants to play with it.
  17. Version 1.1.2 is now up, with a few refinements...
  18. Good to hear that you got it sorted. Just as an FYI, I use XBCD drivers on Windows 2000.
  19. Thanks for the compliments! I find that I can't live without it when I'm surfing the web. There's still a lot of room for improvement, so any feedback is greatly appreciated. I've posted a new version that (for me, at least) has a major improvement. Now Courier New should look a lot better, which makes SmoothText finally usable when coding.
  20. Uploaded version 1.1.0 tonight. Some small improvements and fixes...
  21. A little tease of version 1.1.0. I have no idea how long it will take to perfect, but this is where it is today...
  22. Only Uber, Dark Star, and Neptunium will work out of the box. You'll have to supply the images for the others since I didn't create those (those are WB skins that I happen to like). On another note, I've started working on supporting alpha-blended window borders. It's very buggy and not ready for prime time, but I've made rapid progress in the last 24 hours.
  23. Hmm. Under the folder where you have SmoothText installed, is there a Skins folder with the skin .ini files there? Is there a Skins\Uber folder containing the skin images?