bristols Posted November 30, 2011 (edited)
Hi WildBill,
Just a report about my experience after installing 2393802-v6 (for which, thank you). So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it. I apologise for the vagueness. However I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.

Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it. I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.

I've been using 2393802-v7 since yesterday and haven't experienced any problems. Coupled with the fact that my earlier report was less than scientific (I wasn't monitoring apps for memory usage, but instead was just observing odd lags in GDI refreshes in those certain apps I mentioned), I have to say now that I would disregard my earlier post. Actually, the behaviour was like some kind of hard drive write lag. I saw it on a multiprocessor system - Pentium D Presler, ATI Radeon Xpress 1100 Pro chipset. I'm still quite unfamiliar with the system, and as such I haven't fine-tuned it, in terms of performance, to any large degree.
Edited November 30, 2011 by bristols
WildBill (Author) Posted December 4, 2011
Thanks, it turned out to be easy to find with the info you sent me (I missed a LEAVE instruction on AttachConsoleInternal). A V8 will be out shortly...
WildBill (Author) Posted December 4, 2011 (edited)
Due to a bug in one of the new kernel routines (thanks, Bristols for finding it), I've had to post MS11-011 V8. This one also adds a new version of win32k.sys: I had originally wanted to wait until I posted MS11-034 (KB2506223) to add routines to win32k.sys, but analysis is showing that there are quite a lot of changes in MS11-034 such that it will take a while to complete. I'd really like to see if people can get the ATI v11 drivers working, so this one includes win32k.sys with some functions added. As such, I've also added a requirement that MS11-012 (KB2479628) first be installed (which I'm not happy about...this is why I held off on adding win32k.sys until now). Hopefully this won't create a problem as there is no circular dependency and this hotfix will warn you to install KB2479628 if need be.

Anyhow, here's the new list of additions:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe
- KeAcquireInterruptSpinLock
- KeReleaseInterruptSpinLock
- InterlockedPushEntrySList
- InterlockedPopEntrySList
- RtlInt64ToUnicodeString
- RtlIntegerToUnicode
- RtlClearBit
- RtlTestBit
- RtlSetBit
- ZwQueryInformationThread (already there, added it to the export table)
- IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
- PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
- PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
- _vsnwprintf
- _aulldvrm
- RtlGetVersion
- KeFlushQueuedDpcs
- DbgPrintEx

ntdll.dll
- RtlIpv4StringToAddressA
- RtlIpv4StringToAddressW
- RtlIpv4StringToAddressExA
- RtlIpv4StringToAddressExW
- RtlIpv4AddressToStringA
- RtlIpv4AddressToStringW
- RtlIpv4AddressToStringExA
- RtlIpv4AddressToStringExW
- RtlIpv6StringToAddressA
- RtlIpv6StringToAddressW
- RtlIpv6StringToAddressExA
- RtlIpv6StringToAddressExW
- RtlIpv6AddressToStringA
- RtlIpv6AddressToStringW
- RtlIpv6AddressToStringExA
- RtlIpv6AddressToStringExW
- RtlInitializeGenericTableAvl
- RtlIsGenericTableEmptyAvl
- RtlGetElementGenericTableAvl
- RtlNumberGenericTableElementsAvl
- RtlInsertElementGenericTableAvl
- RtlDeleteElementGenericTableAvl
- RtlEnumerateGenericTableLikeADirectory
- RtlLookupElementGenericTableAvl
- RtlEnumerateGenericTableWithoutSplayingAvl
- RtlEnumerateGenericTableAvl
- RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
- RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
- RtlInterlockedPushEntrySList
- RtlInterlockedPopEntrySList
- RtlInterlockedFlushSList
- RtlQueryDepthSList
- RtlInitializeSListHead
- LdrLockLoaderLock
- LdrUnlockLoaderLock
- LdrAddRefDll
- RtlComputePrivatizedDllName_U
- RtlValidateUnicodeString
- RtlDuplicateUnicodeString
- RtlDowncaseUnicodeChar
- RtlFindCharInUnicodeString
- RtlpEnsureBufferSize
- RtlMultiAppendUnicodeStringBuffer
- RtlAppendPathElement
- LdrEnumerateLoadedModules
- RtlRandomEx
- RtlUnhandledExceptionFilter2
- RtlUnhandledExceptionFilter
- RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
- RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
- RtlGetNtVersionNumbers
- DbgPrintEx (fixed version)
- _vsnwprintf
- _lfind
- _aulldvrm
- _alldvrm
- RtlpNotOwnerCriticalSection
- RtlpApplyLengthFunction
- RtlCopyOutOfProcessMemoryStreamTo
- RtlLockMemoryStreamRegion
- RtlUnlockMemoryStreamRegion
- RtlNtPathNameToDosPathName
- RtlGetLengthWithoutLastFullDosOrNtPathElement
- RtlCreateBootStatusDataFile
- RtlComputeCrc32
- RtlCaptureContext
- RtlLockBootStatusData
- RtlUnlockBootStatusData
- RtlGetSetBootStatusData
- RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)
- RtlAddMemoryStream
- RtlReleaseMemoryStream
- RtlQueryInterfaceMemoryStream
- RtlReadOutOfProcessMemoryStream
- RtlRevertMemoryStream
- RtlCloneMemoryStream
- RtlCommitMemoryStream
- RtlSetMemoryStreamSize
- RtlWriteMemoryStream
- RtlSeekMemoryStream
- RtlCopyMemoryStreamTo
- RtlReadMemoryStream
- RtlStatMemoryStream
- RtlInitMemoryStream
- RtlFinalReleaseOutOfProcessMemoryStream
- RtlInitOutOfProcessMemoryStream
- RtlSetLastWin32ErrorAndNtStatusFromNtStatus
- RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll
- VidSetVgaPalette (used by the bootskin code)

kernel32.dll
- DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
- EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
- InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
- InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
- InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
- QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
- InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
- GetModuleHandleExA
- GetModuleHandleExW
- IsWow64Process
- IsWow64Message
- GetProcessHandleCount
- GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
- SetDllDirectoryA
- SetDllDirectoryW
- GetDllDirectoryA
- GetDllDirectoryW
- AttachConsole
- TzSpecificLocalTimeToSystemTime
- SetClientTimeZoneInformation
- IsValidUILanguage
- GetSystemWow64DirectoryA
- GetSystemWow64DirectoryW
- SetHandleContext
- GetProcessId
- GetSystemTimes
- CreateMemoryResourceNotification
- QueryMemoryResourceNotification
- AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
- RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)
- RtlCaptureStackBackTrace
- SetThreadUILanguage
- LZStart
- GetExpandedNameA
- GetExpandedNameW
- LZInit
- LZDone
- LZCreateFileW
- LZOpenFileA
- LZOpenFileW
- LZSeek
- LZRead
- LZClose
- LZCloseFile
- LZCopy
- CopyLZFile
- GetVolumePathNamesForVolumeNameW
- GetVolumePathNamesForVolumeNameA
- GetHandleContext
- GetCPFileNameFromRegistry
- EnumerateLocalComputerNamesW
- EnumerateLocalComputerNamesA
- CreateSocketHandle
- CreateNlsSecurityDescriptor
- AddLocalAlternateComputerNameW
- AddLocalAlternateComputerNameA
- RemoveLocalAlternateComputerNameW
- RemoveLocalAlternateComputerNameA
- SetLocalPrimaryComputerNameW
- SetLocalPrimaryComputerNameA
- RtlCaptureContext

win32k.sys
- EngIsSemaphoreOwned
- EngClearEvent
- EngBugCheckEx (forwards to NTOSKRNL.KeBugCheckEx)
- EngAllocSectionMem
- EngFreeSectionMem
- EngMapSection

I'm prepared to release a new version of MS11-012 that also contains the new win32k.sys just to be safe, but I'm not sure which version is best to use as a starting point: the last one I released or tomasz's updated version. Any recommendations?
Edited December 4, 2011 by WildBill
WildBill (Author) Posted December 4, 2011 (edited)
Just to be ultra-safe I also just posted MS11-012 V7, which has the new win32k.sys that I added to MS11-011 V8. This probably still has the slipstreaming issues that V6a had, but at least there is now no possibility of overwriting the newer win32k.sys from MS11-011 V8 with an older one. Both hotfixes now contain win32k.sys 5.0.2195.7401.
Edited December 4, 2011 by WildBill
tomasz86 Posted December 4, 2011 (edited)
WildBill, there is v9 of MS11-012 available already. Could you add the newest win32k.sys to it instead of making a v7?

EDIT: Now I saw your comment in the last line of #454. Well, it's up to you I guess because after all, it's your patch. In my opinion the best way to go is to have only one updated version for each update.

EDIT2: Actually, if I remember correctly, v6a should be almost exactly the same as v9... the only difference being that v9 also adds registry changes from 967715 & 2286198 (details).
Edited December 4, 2011 by tomasz86
acus Posted December 4, 2011
Hi WildBill,
may I ask you to change the version number of two files?
In your Windows2000-KB2508429-v5-x86-ENU.exe there are:
1. kerberos.dll -> v.5.0.2195.7056
2. samsrv.dll -> v.5.0.2195.7011
while in Windows2000-KB907868-x86-ENU.EXE there is:
1. kerberos.dll -> v.5.0.2195.7072
and in Windows2000-KB904765-x86-ENU.EXE there is:
2. samsrv.dll -> v.5.0.2195.7071
Regards
WildBill (Author) Posted December 4, 2011 (edited)
Hmm. I just realized that my MS11-012 patch actually does require MS11-011; it just doesn't do so explicitly. I'm going to have to release *another* MS11-011 with the new win32k.sys removed (so to get the new win32k.sys functions people should upgrade MS11-012 instead if they haven't done so already). As for kerberos.dll and samsrv.dll, is there an HBR that has those other versions?

Ignore the scratched-out part...getting all these hotfixes mixed up in my head...
Edited December 4, 2011 by WildBill
acus Posted December 4, 2011
Hi WildBill,
yes, you are right, the hotfixes are HBR.
http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=904765
http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=907868
Regards.
tomasz86 Posted December 4, 2011 (edited)
Ignore the scratched-out part...getting all these hotfixes mixed up in my head...

There are almost 300 updates/hotfixes on bristols' page. It's hard NOT to get confused...

I prepared a script which you may find useful.
updatever.cmd
You can use it to create update.ver automatically. Files from the root directory and (if they exist) files from uniproc, wms & xpsp2_binarydrop are processed. Useless files (spmsg.dll, spuninst.exe, empty.cat) are ignored. Files without a version are also properly listed (instead of A=B,C,D they go A=B,,D).
1. Place updatever.cmd in an empty folder & run it once. Two folders (HF & TOOLS) will be created.
2. Download, unpack & copy into TOOLS these two files: fciv.exe (download) and filever.exe (find & download). I haven't tested newer versions of filever.exe so I can't say whether they work or not. The one I use is 5.0.2134.1.
3. Unpack updates like this:
4. Run updatever.cmd.

This is an example created for 2393802-v8:
[SourceFileInfo]
bootvid.dll=93a240abe57c7fff70217094c6ef31da,00050000087C0003,11360
kernel32.dll=60959fe454a2d22d916b5ea7b2fa50cf,0005000008931BF2,764688
ntdll.dll=56edaaa97265f14f9831a0b85ef6180a,0005000008931BAB,531728
ntkrnlmp.exe=085676dc6cbf24978b6540d223ccd9d6,0005000008931CD5,1961024
ntkrnlpa.exe=d14dafcbf3d1b7ae4b78451217caee73,0005000008931CD5,1960096
ntkrpamp.exe=e2d0c621099d41b90fe342f942b65d90,0005000008931CD5,1982336
ntoskrnl.exe=ee0f8d6a9272446d4a08ae58aa9067cb,0005000008931CD5,1937376
win32k.sys=982892466636b2178dc978cfbad2dd10,0005000008931CE9,1670896
uniproc\kernel32.dll=2302eab80f89e66f13053b873b1c2d35,0005000008931BF2,764688
uniproc\ntdll.dll=56edaaa97265f14f9831a0b85ef6180a,0005000008931BAB,531728
Edited December 4, 2011 by tomasz86
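Added example, not tomasz86's updatever.cmd and not part of the original thread: a small Python reader for the update.ver layout shown above that decodes the 16-hex-digit version field into the dotted form the thread uses (0005000008931CE9 is the win32k.sys 5.0.2195.7401 mentioned earlier) and re-checks a file's MD5 and size against its entry, including the empty version field that files without a version resource get (A=B,,D). The readme.txt entry in the sample is constructed; the other three reuse values quoted in the post.

```python
import hashlib

# Constructed sample in the update.ver layout the post describes:
# name=<md5>,<version as 4 x 16-bit hex fields>,<size in bytes>.
# Files without a version resource keep the middle field empty (A=B,,D).
SAMPLE_UPDATE_VER = """[SourceFileInfo]
kernel32.dll=60959fe454a2d22d916b5ea7b2fa50cf,0005000008931BF2,764688
win32k.sys=982892466636b2178dc978cfbad2dd10,0005000008931CE9,1670896
uniproc\\ntdll.dll=56edaaa97265f14f9831a0b85ef6180a,0005000008931BAB,531728
readme.txt=d41d8cd98f00b204e9800998ecf8427e,,0
"""

def decode_version(field):
    """Turn the 16-hex-digit field into dotted form, e.g. 0005000008931CE9 -> 5.0.2195.7401."""
    if not field:
        return None  # file carries no version resource
    if len(field) != 16:
        raise ValueError("version field must be 16 hex digits: %r" % field)
    return ".".join(str(int(field[i:i + 4], 16)) for i in range(0, 16, 4))

def encode_version(major, minor, build, revision):
    """Inverse of decode_version: (5, 0, 2195, 7401) -> '0005000008931CE9'."""
    return "".join("%04X" % part for part in (major, minor, build, revision))

def parse_update_ver(text):
    """Return {path: (md5_hex, dotted_version_or_None, size)} from the [SourceFileInfo] section."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue  # skip blanks and the section header
        path, _, rest = line.partition("=")
        md5_hex, version, size = rest.split(",")
        entries[path] = (md5_hex.lower(), decode_version(version), int(size))
    return entries

def check_file(entries, path, data):
    """Compare a file's actual MD5 and size with its update.ver entry; return a list of problems."""
    if path not in entries:
        return ["%s: not listed in update.ver" % path]
    want_md5, _, want_size = entries[path]
    problems = []
    if hashlib.md5(data).hexdigest() != want_md5:
        problems.append("%s: MD5 mismatch" % path)
    if len(data) != want_size:
        problems.append("%s: size %d, expected %d" % (path, len(data), want_size))
    return problems
```

To check a real hotfix payload, read each listed file with open(path, "rb").read() and pass the bytes to check_file; an empty list means the file matches its entry.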
bristols Posted December 4, 2011 (edited)
Thanks WildBill.
Added 2393802 (MS11-011) v8 to the Windows 2000 Post-SP4 Updates for HFSLIP page.
Edited September 14, 2012 by bristols
MacLover Posted December 5, 2011 (edited)
Turns out that the ATI 9.x driver needed for my netbook (the 11.x driver installed but wouldn't start - I don't think this is an issue with your patch as the same things happen on XP with the desktop drivers (AMD does not provide reference drivers for its notebook chipsets)) needs one more API to function:
NTOSKRNL.EXE -> vDbgPrintEx
For now, I'll try hex-editing the driver to use DbgPrintEx and see what happens.

EDIT: Looks like hex-editing the driver did no good, I'll just use blackwingcat's driver for now.

EDIT: Interestingly enough, the Realtek HD Audio drivers from 2011 refuse to start on Windows 2000 despite the fact all needed APIs are present (Code 10 in Device Manager).
Edited December 5, 2011 by MacLover
WildBill (Author) Posted December 6, 2011
I'll see about adding vDbgPrintEx when I can. In other news, I have a local version of MS11-020 that has a kerberos that's based on the HBR version, but it looks like analyzing samsrv is going to take significantly longer. I might release an interim one with the upgraded kerberos in the meantime (the HBR merely adds a length check on incoming messages).
MacLover Posted December 6, 2011 (edited)
Looks like the Realtek HD Audio Driver issue is caused by a patch somewhere as I just installed a "cleaner" Win2k disc with only the official patches, IE6, DirectX 9, and MSXML integrated. The latest driver from Realtek.com installed just fine using that install. I'll try to narrow down the problem as soon as possible.

EDIT: I manually installed every unofficial fix, the issue didn't show up, which tells me that something went wrong with my fully slipstreamed Win2k DVD. In other words, there's nothing wrong with any of your patches.

EDIT: Turns out the issue was caused by the way DriverPacks integrates KB888111.
Edited December 7, 2011 by MacLover
tomasz86 Posted December 7, 2011
I added a new update (thanks to bristols for this one):
MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
Windows2000-UU-KBz2288621-x86-Global.exe
usp10.dll 1.626.6002.22402
It replaces 981322.
WildBill (Author) Posted December 8, 2011 (edited)
Another day, another version. MS11-020 v6 is posted, with the following changes:
- incorporates KB907868 (kerberos length-validation HBR)
- incorporates MS11-013 (KB2496930: Vulnerabilities in Kerberos Could Allow Elevation of Privilege)
- incorporates MS11-014 (KB2478960: Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege)
The samsrv HBR will take quite a while to analyze, and I have some higher priorities at the moment, e.g. adding vDbgPrintEx to ntoskrnl et al. and porting MS11-034 (which will also take a while to analyze). These priorities are open to change, of course, especially if anyone else wants to determine the necessary changes to samsrv in the meantime...
Edited December 8, 2011 by WildBill