PE Tool for creating patches

**WildBill** · November 26, 2011

Thanks. It looks like something is giving it an invalid pointer on an IOCTL_TCP_QUERY_INFORMATION_EX request. Hopefully it will be simple to find.

Edit: so far I've found one definite bug in iphlpapi.dll (missing reloc) and potentially some thread-safety issues in it (XP forces device queries to be thread-safe whereas 2k does not). I want to check out the other files before I post an update. I'm going to be going out to dinner in a little bit so the update might not be until late tonight. I've also found a missing reloc in srvsvc.dll (this new version of the PE Tool makes those much easier to find).

Edited November 26, 2011 by WildBill

**WildBill** · November 27, 2011

I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm. Also, I added exports for the following functions:

IcmpCreateFile

IcmpCloseHandle

IcmpSendEcho

IcmpSendEcho2

IcmpParseReplies

do_echo_rep

do_echo_req

register_icmp

Win2k is a bit different from XP in that all of this functionality is in a separate icmp.dll instead of in iphlpapi.dll, so the exports above are just forwarded exports to the routines in icmp.dll. It shouldn't make any difference to applications since the PE loader automatically resolves forwarded exports.

**discdude** · November 27, 2011

I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm.

WildBill you're the best. MS11-020 V5 solves the blue screen at boot when ZoneAlarm is installed. Everything seems to be working fine now.

**MacLover** · November 27, 2011

I didn't notice it before but VirtualBox needs two more APIs to install properly:

SETUPAPI.DLL -> SetupSetNonInteractiveMode

SETUPAPI.DLL -> SetupUninstallOEMInfW

As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000.

Again, keep up the great work!

**discdude** · November 28, 2011

I didn't notice it before but VirtualBox needs two more APIs to install properly:
SETUPAPI.DLL -> SetupSetNonInteractiveMode
SETUPAPI.DLL -> SetupUninstallOEMInfW
As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000.
Again, keep up the great work!

Did you try BlackWingCat's setupapi.dll? I don't know if it supports those two functions, but it is probably worth a try.

http://blog.livedoor.jp/blackwingcat/archives/873798.html

**MacLover** · November 28, 2011

I didn't notice it before but VirtualBox needs two more APIs to install properly:
SETUPAPI.DLL -> SetupSetNonInteractiveMode
SETUPAPI.DLL -> SetupUninstallOEMInfW
As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000.
Again, keep up the great work!
Did you try BlackWingCat's setupapi.dll? I don't know if it supports those two functions, but it is probably worth a try.
http://blog.livedoor.jp/blackwingcat/archives/873798.html

BWC's SETUPAPI.DLL doesn't support SetupSetNonInteractiveMode, therefore I cannot install VirtualBox 4 even with a modified MSI to allow installation on Win2k. It does have SetupUninstallOEMInfW though.

**int0x13** · November 28, 2011

Hi folks,

I got a software which is broken under windows 2000 sp4 (french version), because of the function "TzSpecificLocalTimeToSystemTime" which is not into win2k kernel32.dll.

I've googled and i've seen this topic is talking about patch and is referencing this function name (TzSpecificLocalTimeToSystemTime). Do you think it's possible to patch kernel32.dll library to add this function? And then make my software compatible with windows 2000. Is it what you do with your custom patches?

Regards,

**tomasz86** · November 28, 2011

WildBill's patch already has this function (TzSpecificLocalTimeToSystemTime) added. If you want to use it then you'll have to apply the English patch to your French system.

**int0x13** · November 28, 2011

WildBill's patch already has this function (TzSpecificLocalTimeToSystemTime) added. If you want to use it then you'll have to apply the English patch to your French system.

Isn't it risky to apply english patch onto another language windows? You talk about the patch MS11-011 right? The one that can be found on this page My link ?

Thanks for your help! I didnt think what i'd like to do someone else already did! Seems very hard work.

**tomasz86** · November 28, 2011

Yes, I mean MS11-011 (2393802) but you should download it from here as I haven't updated the RyanVM list yet. V6 is the current version.

I can't say for sure but I guess that Windows files for European languages should be interchangeable. In the past I already tried using English kernel32.dll in a Polish system and no problems occurred. Of course some system dialogs may change to English but in case of kernel files most of them will be the text which you see on BSODs, not the actual system GUI.

Here there's instruction how to change the update.inf file.

**WildBill** · November 29, 2011

I found that my implementation of DbgPrintEx in ntdll was incorrect and would corrupt the stack, so I've posted MS11-011 V7 with a fixed version. I've also added DbgPrintEx to ntoskrnl, et. al. and RtlCaptureContext to kernel32. The new master additions list for V7 is below:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread......already there, added it to the export table

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

DbgPrintEx

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Fixed version)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

RtlSetLastWin32ErrorAndNtStatusFromNtStatus

RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA

RtlCaptureContext

Edited November 29, 2011 by WildBill

**tomasz86** · November 29, 2011

Thank you, WildBill

**int0x13** · November 29, 2011

Yes, I mean MS11-011 (2393802) but you should download it from here as I haven't updated the RyanVM list yet. V6 is the current version.
I can't say for sure but I guess that Windows files for European languages should be interchangeable. In the past I already tried using English kernel32.dll in a Polish system and no problems occurred. Of course some system dialogs may change to English but in case of kernel files most of them will be the text which you see on BSODs, not the actual system GUI.
Here there's instruction how to change the update.inf file.

Ok i managed to install MS11-011v7 (last one) on my french Win2K advanced server. I dont know if it's same for windows 2000 server or not.

After that i found that i got another dependency issue with iphlpapi.dll library. ("The procedure entry point GetIpErrorString could not be located in the dynamic link library iphlpapi.dll")

So i thought about installing version from win2k3 server (which has GetIpErrorString function). After that i had another depend with ws2_32.dll

(The procedure entry point freeaddrinfo could not be located in the dynamic link library WS2_32.dll). I search onto WildBill patches and found Windows2000-KB2508429-v3-x86-ENU.

But after reboot, i got services.exe crashing and 60 second autoreboot counter alert. Dont know what's wrong. I tried to boot into safemode and it works, but not in normal mode. Maybe it has to do with the iphlpapi.dll i directly copy from win2k3 to win2k server.

**tomasz86** · November 29, 2011

Do you get this GetIpErrorString problem when trying to launch the program you mentioned before? What's the name of it?

You should check the dependencies with Dependency Walker. You will be able to solve the dependency problems with BlackWingCat's KDW. I may help you but first you need to let us know what the name of the program you're trying to use is.

**int0x13** · November 29, 2011

Alright, i will try KDW, didnt know this tool. Also i'd like to know how to add a simple function from one dll into another one using "PE TOOL", is there any how to to do this?

The tool i'd like to run under win2k PRO (and 2k PRO server if possible) it's here: here

To test the tool , you have to install it under XP+ and then copy the install folder or unpack the installer.

Thank you for your help.

Edited November 29, 2011 by int0x13

Sign In

PE Tool for creating patches

Recommended Posts

WildBill

WildBill

discdude

MacLover

discdude

MacLover

int0x13

tomasz86

int0x13

tomasz86

WildBill

tomasz86

int0x13

tomasz86

int0x13

Please sign in to comment

Recently Browsing 0 members

Activity

Browse