
PE Tool for creating patches


WildBill


Never mind: I had a flash of insight and figured out what the problem was: my rewritten kernel32 was passing a starting address to calc.exe that was "incorrect" because calc was loading the original kernel32 when it started up. When I temporarily hardcoded the starting address it would have normally received, it started up just fine. This doesn't make the rewritten kernel32 ready for use (it still causes the VM to crash when I completely replace the original one), but WinExec should be at least somewhat sound now (though I haven't tested Win16 apps with it yet). Now to write more tests...


  • 2 weeks later...

I succeeded in loading exfat.sys on Windows 2000.


But the exfat drive was not read from Windows 2000.


If you can post it somewhere I can do a quick run through in Ida tomorrow and see what it spits out.

It's in this update:

http://www.microsoft...s.aspx?id=19364

That extracts out to a directory containing the following:



Volume in drive G is DATA
Volume Serial Number is 7A4C-636C

Directory of G:\exfat

10/16/2012 06:58 PM <DIR> .
10/16/2012 06:58 PM <DIR> ..
10/16/2012 06:58 PM 0 dirlist.txt
10/16/2012 06:55 PM <DIR> SP2GDR
10/16/2012 06:55 PM <DIR> SP2QFE
10/16/2012 06:55 PM <DIR> SP3GDR
10/16/2012 06:55 PM <DIR> SP3QFE
11/30/2007 07:18 AM 17,272 spmsg.dll
11/30/2007 07:18 AM 231,288 spuninst.exe
10/16/2012 06:55 PM <DIR> update
3 File(s) 248,560 bytes

Directory of G:\exfat\SP2GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:58 AM 133,632 exfat.sys
09/30/2008 02:44 AM 18,944 fmifs.dll
09/29/2008 05:59 AM 30,720 format.com
09/29/2008 05:58 AM 9,216 fs_rec.sys
09/30/2008 02:44 AM 77,824 ifsutil.dll
09/30/2008 02:44 AM 8,455,168 shell32.dll
09/30/2008 02:44 AM 57,344 uexfat.dll
09/30/2008 02:44 AM 278,528 ulib.dll
8 File(s) 9,061,376 bytes

Directory of G:\exfat\SP2QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 05:53 AM 133,632 exfat.sys
09/30/2008 02:05 AM 18,944 fmifs.dll
09/29/2008 05:54 AM 30,720 format.com
09/29/2008 05:53 AM 9,216 fs_rec.sys
09/30/2008 02:05 AM 77,824 ifsutil.dll
09/30/2008 11:35 AM 8,461,312 shell32.dll
09/30/2008 02:05 AM 57,344 uexfat.dll
09/30/2008 02:05 AM 278,528 ulib.dll
09/29/2008 05:46 AM 351,744 xpsp3res.dll
9 File(s) 9,419,264 bytes

Directory of G:\exfat\SP3GDR

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:21 AM 133,632 exfat.sys
09/30/2008 02:19 AM 18,944 fmifs.dll
09/29/2008 06:22 AM 30,720 format.com
09/29/2008 06:20 AM 9,216 fs_rec.sys
09/30/2008 02:19 AM 77,824 ifsutil.dll
09/30/2008 02:19 AM 8,461,824 shell32.dll
09/30/2008 02:19 AM 57,344 uexfat.dll
09/30/2008 02:19 AM 278,528 ulib.dll
8 File(s) 9,068,032 bytes

Directory of G:\exfat\SP3QFE

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/29/2008 06:51 AM 133,632 exfat.sys
09/30/2008 01:56 AM 18,944 fmifs.dll
09/29/2008 06:52 AM 30,720 format.com
09/29/2008 06:50 AM 9,216 fs_rec.sys
09/30/2008 01:56 AM 77,824 ifsutil.dll
09/30/2008 01:56 AM 8,462,336 shell32.dll
09/30/2008 01:56 AM 57,344 uexfat.dll
09/30/2008 01:56 AM 278,528 ulib.dll
8 File(s) 9,068,544 bytes

Directory of G:\exfat\update

10/16/2012 06:55 PM <DIR> .
10/16/2012 06:55 PM <DIR> ..
09/30/2008 02:32 AM 926 branches.inf
11/30/2007 10:17 AM 804 eula.txt
09/30/2008 06:29 AM 22,668 KB955704.CAT
11/30/2007 07:18 AM 26,488 spcustom.dll
11/30/2007 07:18 AM 755,576 update.exe
09/30/2008 04:49 PM 3,028 update.ver
09/30/2008 02:32 AM 678 updatebr.inf
09/30/2008 06:36 AM 24,318 update_SP2GDR.inf
09/30/2008 06:32 AM 25,523 update_SP2QFE.inf
09/30/2008 06:38 AM 27,395 update_SP3GDR.inf
09/30/2008 06:29 AM 27,395 update_SP3QFE.inf
07/09/2008 03:38 AM 382,840 updspapi.dll
12 File(s) 1,297,639 bytes

Total Files Listed:
48 File(s) 38,163,415 bytes
17 Dir(s) 402,366,476,288 bytes free

So it looks like it's a _lot_ more than just the exfat.sys driver file :(

Maybe in code, it's just a function or two?


Well, I'm finally making decent progress on the kernel32 rewrite; a lot of stuff is working now. One problem that I've been struggling with for the past couple of weeks, though, has uncovered a bug in ntdll that I must have introduced at some point. In changing over how DLLs are loaded to try to add activation context support, I followed the XP code a bit too closely. The result was a heap corruption bug that would only manifest itself when a DLL was being unloaded. Consequently I've uploaded MS11-011 V14 (KB2393802), which you can find on the main download list.

The update, as usual, also includes some new API goodies:

ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe

KeAcquireInStackQueuedSpinLockAtDpcLevel

KeReleaseInStackQueuedSpinLockFromDpcLevel


(sigh)

You know, on some days it's really tough.

I just posted MS11-011 V15 (KB2393802). I found the same bug I fixed in V14 in a different place and had to fix it. Sorry for the inconvenience, folks. The lesson: it's possible to follow the XP code too closely.


  • 5 weeks later...
  • 3 weeks later...

I've posted v16 (yikes!) of KB2393802 and updated the master list (Windows2000-KB2393802-v16-x86-ENU.exe). No bugfixes, but a few goodies:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

IoAssignDriveLetters

IoReadPartitionTable

IoSetPartitionInformation

IoWritePartitionTable

These functions were already present, and I simply added them to the export table and bumped up the version one tick. The idea is to hopefully help with driver compatibility.

There's also one new file:

usbser.sys (5.1.2600.5512 from XPSP3)

Why the new file? I picked up an Arduino Uno a while ago and no matter what I did, I couldn't get the Arduino software to program it (I can program my older Arduino Duemilanove just fine). Someone on a help forum had the same problem and had to use the XP usbser.sys driver to make it work. I gave it a try and presto, it works like a charm. So consider v16 the Arduino Uno version of the update :D

I don't know if XP has a newer rev of the driver or not; this one is straight from the SP3 distro and works for me.

In kernel32 news...

This is somewhat frustrating. I'm *this close*, but there is still a memory corruption bug somewhere (at least I think that's what it is). It only shows up on the kernel side so it's hard to track down. My VM boots just fine, but ESENT and the Distributed LinkTracking Client report errors in Event Viewer and windbg reports some exceptions at certain times during bootup. I'm working on cleaning up the code to try to track the remaining bug(s) down.

Edited by WildBill

  • 1 month later...

Looks like the March 2013 security updates ISO includes an updated KB2809289 for Windows 2000 and IE6SP1. Here's just the folder from the DVD, to save everyone from having to get the whole 3GB file... https://www.box.com/...j7b369i3xoskqgg

It appears that this update replaces the previously released KB2792100 - the new patch appears to have all the fixes from the previous hotfix in addition to an updated mshtml.dll, and new timestamps on all the rest of the files.

Edited by jimmsta

tomasz86, I am getting this error: "The procedure entry point GetFirmWareEnvironmentVariableA could not be located in the dynamic link library KERNEL32.dll." I need this GetFirmWareEnvironmentVariableA procedure. I installed your UURollup-v10d-x86-ENU.exe already; I noticed in your posting that this procedure is in Wild Bill's BWC kernel32.dll 5.0.2195.7193 but not yours. Are you planning to do any more updates to kernel32.dll and include some of these missing procedures? I'm trying to run Macrium Reflect and was able to install it (with a minor error), but as soon as I started it up I received the above error. Your W2K patch works pretty well otherwise (had a minor issue with some icons, fixed it). Note: this is for my business computer, which is still running W2K (with no problems!!) Thanks, GaryMX

Edited by GaryMX
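
Both the "procedure entry point ... could not be located" error in the post above and the earlier note about adding the Io* functions to the export table come down to what a module's export name table contains. The following Python is an added example, not code from the thread or from any of the patches discussed: it parses that table and reports which wanted names are absent. `exported_names`, `missing_exports` and `build_sample` are hypothetical names, and the sample image is constructed, not a real driver or DLL.

```python
import struct

def _rd(fmt, buf, off):
    return struct.unpack_from("<" + fmt, buf, off)

def exported_names(pe):
    """Return the names in a PE image's export name table (PE32 or PE32+)."""
    nt = _rd("I", pe, 0x3C)[0] if pe[:2] == b"MZ" else 0     # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = _rd("H", pe, nt + 6)[0], _rd("H", pe, nt + 20)[0]
    opt = nt + 24                                            # optional header start
    dirs = opt + (96 if _rd("H", pe, opt)[0] == 0x10B else 112)
    export_rva = _rd("I", pe, dirs)[0]                       # data directory 0
    if export_rva == 0:
        return set()
    # per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [_rd("IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def offset(rva):
        for vsize, vaddr, rsize, rptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("RVA 0x%x is outside every section" % rva)
    exp = offset(export_rva)
    count, table = _rd("I", pe, exp + 24)[0], offset(_rd("I", pe, exp + 32)[0])
    names = set()
    for i in range(count):
        start = offset(_rd("I", pe, table + 4 * i)[0])
        names.add(pe[start:pe.index(b"\0", start)].decode("ascii"))
    return names

def missing_exports(pe, wanted):
    return sorted(set(wanted) - exported_names(pe))

def build_sample(names):
    """Constructed minimal PE32 image (not a real module): one section at RVA 0x1000."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    # COFF header (Machine, NumberOfSections, ..., SizeOfOptionalHeader) + PE32 magic
    struct.pack_into("<HHIIIHHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0, 0x10B)
    struct.pack_into("<II", img, 0xB8, 0x1000, 0x200)        # export directory RVA, size
    struct.pack_into("<IIII", img, 0x140, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<III", img, 0x200 + 24, len(names), 0, 0x1000 + 40)
    pos = 40 + 4 * len(names)                                # names follow the pointer table
    for i, name in enumerate(sorted(names)):
        struct.pack_into("<I", img, 0x228 + 4 * i, 0x1000 + pos)
        img[0x200 + pos:0x200 + pos + len(name)] = name.encode("ascii")
        pos += len(name) + 1
    return bytes(img)
```

For a file on disk, pass its bytes, for example `missing_exports(open(path, "rb").read(), ["IoReadPartitionTable"])`. Functions exported by ordinal only do not appear in the name table.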

@GaryMX You should definitely check this topic. I'd suggest you install the newest daily version of UURollup-v11 (the current one being d20130312). The so-called daily releases are often quite experimental but the current one is actually probably the most stable release of UURollup available at the moment :)

PS Make sure to install my unofficial Update Rollup 2 before installing it. Having IE6 with the newest Cumulative Update (which is 2809289) installed is also recommended.

Edited by tomasz86

@tomasz86, I have already read the topic on your first link and have been on your website many times. This is the order that I installed the updates (I already had the original SP4 installed):

W2K Update Rollup-KB891861-v2.EXE (First rollup of updates and additions since SP4.) The MS$ file name may not be exact, but it is the official one.

Your Update Rollup2 (I may not have the exact file name: Windows2000-UpdateRollup2-x86)

Windows2000-UURollup-v10d-x86-ENU.exe (which "updated" my W2K to be able to run certain apps, such as the newer Firefox/SeaMonkey)

I have tried my hardest to find your download link for UURollup-v11 and Google does not have any download sites. I know you have SkyDrive, but I am unable to see anything on it as of yet; a search for "tomasz86" or "UURollup-v11" brings no results. I tried DropBox and can't seem to find you there either. A link to these latest updates would be helpful. I have a dual-drive setup and tested your UURollup-v10d-x86 extensively with good results, except for an icon problem which I fixed (some of the file associations disappeared, along with the icons!) I just put them back in the registry and did a "restore" in Folder Options/File Types. If v11 of the UURollup allows me to run Macrium Reflect Free, that would be great.

There was one other issue, which isn't critical to me, but is annoying: since I installed the UURollup-v10d, all of my scheduled tasks will not run. I went in to each one and reentered my logon/password combination (I run as Administrator with full rights.) Nonetheless, they will not run. I have a scheduled Microsoft Backup which used to work, but now, when I manually run it, I get errors in my log file, "You do not have permission to access portions of [folder name]. Please see the owner or administrator to get permission" for EACH folder that I have selected to be backed up. I have FULL permissions. I have tried various tricks, to no avail. There is no help online for this problem. The .BKF file that Microsoft Backup creates is not usable and will not restore files. Any suggestions?

One more thing: on your website, "http://windows2000.tk/#archive" you mention the Application Compatibility Launcher and mention running the Firefox install. I used your link in MozillaZine instead: http://forums.mozillazine.org/viewtopic.php?f=23&t=2482475 with great results. I am running SeaMonkey 2.16 (Firefox 19 platform) with no problems whatsoever.

Thanks for your prompt reply to my posts.

GaryMX
