
PE Tool for creating patches


WildBill


WildBill, could you provide a full list of functions you added to the kernel?

I was planning to include my notes (as usual) in the update, but here's a short summary:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread (already there; added it to the export table)

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

bootvid.dll

VidSetVgaPalette (my own creation, see below for why)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

(there's also an *ahem* little tweak to the cpu-count calculation...)

All the functions have been added to all files and I've been using them for quite some time now. The very last feature is something special, which I just perfected on ntoskrnl.exe tonight...boot skin support:

Over this weekend I have to add the bootskin support to the other ntos...exe kernel files, but the gist of it is this: if you want a custom bootskin, put a 640x480x16 BMP image called bootskin.bmp in your winnt\system32 folder. Then add an option to boot.ini which will tell the kernel to use it. The option format is as follows:

/bootskin=<master flag>:<fade in>:<hide progressbar>:<bouncy_scrolling>:<custom_image>:<scroll_x>:<scroll_y>:<scroll_width>:<scroll_height>:<scroll increment>:<progress_x>:<progress_y>:<progress_color>

master_flag : 0 or 1, it has to be 1 for any other option to work. It provides an easy way to revert back to default 2k behavior.

fade_in: 0 or 1, when 1 it fades in the image from black (like XP does)

hide_progressbar: 0 or 1, when 1 it hides the blue 2k progress bar that comes up.

bouncy_scrolling: 0 or 1, when 1 it causes the scrolling "blue ribbon" area to bounce back and forth, cylon-style

custom_image: 0 or 1, when 1 it enables loading the bootskin.bmp image. When 0, the kernel will use the default 2k image or whatever image is in the kernel's resource area.

flag default values are all 0.

scroll_x: 0 to 639 (default 0), specifies the left edge of the scrolling "blue ribbon" area. Note though that bootvid.dll requires that only even numbers are used, so the low bit will be automatically stripped off (1 and 0 have the same effect, 2 and 3 have the same effect, etc.)

scroll_y: 0 to 479 (default 416), specifies the top edge of the scrolling "blue ribbon" area.

scroll_width: 0 to 640 (default 640), specifies the width of the scrolling "blue ribbon" area. Is checked against scroll_x to ensure that the area does not extend past pixel 639. Invalid values will cause the kernel to revert to default 2k settings. Note though that the maximum scrollable area is 1/4 of the total screen real-estate. This is because of a buffer size limit in ntoskrnl's allocated image area.

scroll_height: 0 to 480 (default 10), specifies the height of the scrolling "blue ribbon" area. Is checked against scroll_y to ensure that the area does not extend past pixel 479. Invalid values will cause the kernel to revert to default 2k settings.

scroll_increment: 0 to 639 (default 4), controls the speed that the "blue ribbon" area scrolls. Values greater than 320 cause it to appear to scroll right-to-left.

progress_x: 0 to 478 (default 274), sets the left position of the blue 2k progress bar.

progress_y: 0 to 472 (default 437), sets the top position of the blue 2k progress bar.

progress_color: 0 to 15 (default 1), sets the color to use when drawing the blue 2k progress bar.

bootvid.dll is pretty weird, and you might have to have scroll_x and scroll_width be on 4-pixel boundaries to avoid some pixel weirdness at the edges. I'm tempted to rewrite it from scratch, but I've been holding onto this update long enough.

If you boot into safe mode, I disable all boot skin support. This is for safety.

As an example, the screenshot below uses these settings:

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect /bootskin=1:1:1:0:1:264:384:112:7:8

You don't have to include all settings, but to include a setting you have to include all settings before it (no skipping settings).

When changing a custom boot skin, bear this in mind: because of the way the kernel starts up, it takes TWO reboots before the new skin is visible. This is because the kernel can't load the skin until the entire I/O subsystem is up and running, which takes quite a while. My solution is to use the registry to cache the bootskin because the registry is available a lot sooner (believe me, I tried every trick I could think of to come up with some other way). The first reboot will show the cached skin from the registry and will load the new skin into the registry. The second reboot, therefore, will show the new skin. All in all, it works very well, and performance is excellent. I also use a checksum to validate the cached image and I make sure that the loaded image is truly 640x480x16. I also enforce a maximum file size of 160k bytes, which will cover any uncompressed image (though RLE-encoded images also work). The cached skin is written to \Registry\Machine\System\CurrentControlSet\Control\Bootlogo in a series of 1k chunks, where the chunks are grouped into up to four keys containing up to 40k bytes (because according to MSDN, there is a key-size and value-size limit).

The settings go in boot.ini instead of the registry because the kernel needs to know the settings when it first tries to show the default 2k image, and that is way before the registry is available.

Edit...updated to reflect the v3 list.


Edited by WildBill
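The post above describes the checks applied to a cached boot skin: the image must really be 640x480x16, the file may be at most 160k bytes, a checksum validates the registry copy, and the data is written as 1k chunks grouped 40 to a key across at most four keys. The following is an added example, my own user-mode model of those rules and not code from WildBill's patch. It assumes the standard BITMAPFILEHEADER + BITMAPINFOHEADER layout; the checksum algorithm and every name in it (ValidateBootSkin, BootSkinCheck, MakeSampleBootSkin) are my assumptions, since the post does not say which checksum the kernel uses.

```c
/* Added example, not code from WildBill's patch: a user-mode model of the
 * checks the post describes for the cached boot skin (true 640x480x16 BMP,
 * 160k size limit, checksum, 1k chunks grouped 40 to a key across at most four
 * keys). BMP header layout is the standard BITMAPFILEHEADER + BITMAPINFOHEADER;
 * the checksum algorithm and all names are my assumptions. */
#include <stdlib.h>
#include <string.h>

#define MAX_SKIN_BYTES (160 * 1024)  /* 160k limit from the post */
#define CHUNK_BYTES    1024          /* one registry value per 1k chunk */
#define CHUNKS_PER_KEY 40            /* 40k per key */
#define MAX_KEYS       4             /* four keys: 4 * 40k = 160k, matching the limit */

typedef struct {
    unsigned size;      /* bytes to cache */
    unsigned chunks;    /* 1k values needed */
    unsigned keys;      /* registry keys needed */
    unsigned checksum;  /* stored beside the chunks to validate them on the next boot */
} BootSkinCheck;

static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static unsigned rd32(const unsigned char *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(unsigned char *p, unsigned v) { p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; }
static void wr32(unsigned char *p, unsigned v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* Placeholder 32-bit checksum (assumption: the post does not name the real one).
 * The odd multiplier guarantees that any single-byte change alters the result. */
unsigned BootSkinChecksum(const unsigned char *buf, size_t len)
{
    unsigned sum = 0;
    size_t i;
    for (i = 0; i < len; i++)
        sum = sum * 31u + buf[i];
    return sum;
}

/* Returns 1 and fills *out when buf is an uncompressed or RLE4 640x480x16 BMP
 * within the size limit; returns 0 (and zeroes *out) otherwise. */
int ValidateBootSkin(const unsigned char *buf, size_t len, BootSkinCheck *out)
{
    unsigned height, compression;
    memset(out, 0, sizeof *out);
    if (len < 54 || len > MAX_SKIN_BYTES) return 0;
    if (buf[0] != 'B' || buf[1] != 'M') return 0;             /* bfType */
    if (rd32(buf + 2) != len) return 0;                       /* bfSize must match the data */
    if (rd32(buf + 14) < 40) return 0;                        /* biSize: BITMAPINFOHEADER or newer */
    height = rd32(buf + 22);
    if (height == (unsigned)-480) height = 480;               /* top-down bitmaps store a negative height */
    compression = rd32(buf + 30);
    if (rd32(buf + 18) != 640 || height != 480) return 0;     /* biWidth, biHeight */
    if (rd16(buf + 26) != 1 || rd16(buf + 28) != 4) return 0; /* biPlanes, biBitCount: 16 colours */
    if (compression != 0 && compression != 2) return 0;       /* BI_RGB or BI_RLE4 */
    out->size = (unsigned)len;
    out->chunks = (out->size + CHUNK_BYTES - 1) / CHUNK_BYTES;
    out->keys = (out->chunks + CHUNKS_PER_KEY - 1) / CHUNKS_PER_KEY;
    out->checksum = BootSkinChecksum(buf, len);
    return out->keys <= MAX_KEYS;   /* implied by the size limit, kept as an explicit guard */
}

/* Constructed sample input: an all-black 640x480x16 BI_RGB bitmap with a
 * 16-entry palette (14 + 40 + 64 header bytes, then 640*480/2 pixel bytes). */
unsigned char *MakeSampleBootSkin(size_t *len)
{
    const unsigned offBits = 14 + 40 + 16 * 4, pixels = 640 * 480 / 2;
    unsigned char *b = calloc(offBits + pixels, 1);
    if (b == NULL) return NULL;
    b[0] = 'B'; b[1] = 'M';
    wr32(b + 2, offBits + pixels);  wr32(b + 10, offBits);
    wr32(b + 14, 40); wr32(b + 18, 640); wr32(b + 22, 480);
    wr16(b + 26, 1);  wr16(b + 28, 4);   wr32(b + 30, 0); wr32(b + 34, pixels);
    *len = offBits + pixels;
    return b;
}
```

For the sample image (153718 bytes) the plan comes out at 151 chunks over 4 keys, which shows why the four-key layout and the 160k limit line up: 4 keys of 40 chunks hold exactly 160k, the largest file the check accepts.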


This is a pretty impressive list :) I'm looking forward to downloading and installing your patch ;)

By the way, you mentioned before that one mustn't apply any BlackWingCat's kernel patches after yours is installed. Wouldn't it be good to set the file version to a higher number than the one used in BWC's kernel v10? It would prevent your kernel files being overwritten by the other (older) ones.

I'd also like to ask about two more functions such as:

ntdll.dll -> RtlRandomEx

rpcrt4.dll -> I_RpcExceptionFilter

Would it be difficult to implement these too? I'm asking because after adding GetModuleHandleExW to kernel32.dll only these two are needed to make Windows Installer 4.5 work under Win2k.


This patch looks like it might actually help in using XP files for some of the other security patches. Also, that bootskin feature looks awesome!

Keep up the great work!

Edited by MacLover

Updates added:

  • KB891861-v3 - I added KB899591 and KB919521 to the Update Rollup 1.
  • KB830407-v2, KB835730-v3, KB890466-v3 - three HBRs which normally require a manual registry fix; this fix is done automatically in these versions.
  • KB954920-v2 - an update for MDAC 2.81
  • KB960071 - a HBR for MDAC 2.81

Updates removed:

  • KB919521 - replaced by KB891861-v3.

'Easy download' hasn't been updated yet.

Details in #215.

Edited by tomasz86

This is a pretty impressive list :) I'm looking forward to downloading and installing your patch ;)

By the way, you mentioned before that one mustn't apply any BlackWingCat's kernel patches after yours is installed. Wouldn't it be good to set the file version to a higher number than the one used in BWC's kernel v10? It would prevent your kernel files being overwritten by the other (older) ones.

I'd also like to ask about two more functions such as:

ntdll.dll -> RtlRandomEx

rpcrt4.dll -> I_RpcExceptionFilter

Would it be difficult to implement these too? I'm asking because after adding GetModuleHandleExW to kernel32.dll only these two are needed to make Windows Installer 4.5 work under Win2k.

Well, I've finished copying bootskin support to the four kernel files, and I've added RtlRandomEx. I'll take a quick look at I_RpcExceptionFilter tomorrow.


Do I install both Windows2000-KB891861-v3-x86-ENU and WINDOWS2000-KB891861-UR2-V4-X86-ENU.EXE?

Also note that Windows2000-KB890466-x86-ENU.EXE fix is for Windows 2000 Server only.

Thanks for the updates.

You don't need to install KB891861-v3 if you use UR2 as all of these updates are already included in UR2 :)

Thanks for the notice about KB890466, I forgot about it.

Well, I've finished copying bootskin support to the four kernel files, and I've added RtlRandomEx. I'll take a quick look at I_RpcExceptionFilter tomorrow.

Thank you WildBill :thumbup

There are more functions I'm interested in but for this moment I'll just stop here ;)


I just posted a V2 of MS10-084 that adds I_RpcExceptionFilter and updated the download link. Over the rest of the week I'll concentrate on buttoning up MS11-011...

Edit...I updated the function summary to include RtlRandomEx for ntdll and AttachConsole for kernel32.dll. The AttachConsole is the one from XP rather than from blackwingcat's v10 kernel.

Edited by WildBill

At long last...my MS11-011 patch is up. While the security patch itself is pretty minor, since the kernel is patched so rarely I took the opportunity to add a lot more to it. As the posts above show, this is a massive upgrade to the w2k kernel. Since it is a kernel patch, I highly recommend backing up your kernel files just in case of any issues:

ntoskrnl.exe

ntkrnlpa.exe

ntkrnlmp.exe

ntkrpamp.exe

kernel32.dll

ntdll.dll

bootvid.dll

I've been using the bulk of it for several months now in both uniprocessor and multiprocessor environments so I really don't anticipate any issues, but you never know. Be warned that restoring a broken kernel can mean restoring the backups using a different computer (or in my case, a spare hard drive that boots Windows). I think it's unlikely in the extreme, but forewarned is forearmed.

The next patch will be MS11-020. That one's pretty complete as well (and also includes a lot of upgrades). I'm basically trying to see how much I can add in a short amount of time before posting it. When both patches are installed, I would expect a lot of XP-only things to work on 2k.

Just for the heck of it, attached is the boot skin I'm using. This is the boot.ini setting for it:

/bootskin=1:1:1:0:1:264:384:112:7:8

The patch includes my notes, which are pretty extensive. Here's just a small snippet from one routine that documents the boot skin settings:


; -------------------------------------------------------------------------
; GetCustomBootLogoSettings
;
; Loads the boot logo settings from boot.ini:
;
; +------------------------------ Flag: MASTER (0..1) -- must be 1 for any other custom functionality (default=0)
; | +---------------------------- Flag: fade in from black (0..1) -- 1 to enable (default=0)
; | | +-------------------------- Flag: no 2k progress bar (0..1) -- 1 hides it (default=0)
; | | | +------------------------ Flag: bouncy scrolling (0..1) -- 1 makes it bounce back and forth (default=0)
; | | | | +---------------------- Flag: use custom image (0..1) -- 1 enables using \SystemRoot\System32\bootskin.bmp (default=0)
; | | | | | +-------------------- Scroll x pos (0..639) *1 (default=0)
; | | | | | | +------------------ Scroll y pos (0..479) (default=416)
; | | | | | | | +---------------- Scroll width (0..640 - scroll x pos) *1, *2 (default=640)
; | | | | | | | | +-------------- Scroll height (0..480 - scroll y pos) *2 (default=10)
; | | | | | | | | | +------------ Scroll increment (0..scroll width - 2) *1 (default=4)
; | | | | | | | | | | +---------- Progress bar x position (0..478) *1 (default=274)
; | | | | | | | | | | | +-------- Progress bar y position (0..472) (default=437)
; | | | | | | | | | | | | +------ Progress bar color (0..15) *3 (default=1)
; | | | | | | | | | | | | |
; /BOOTSKIN=#:#:#:#:#:#:#:#:#:#:#:#:#
;
; *1 Horizontal positions, widths, and increments are clipped to even numbers:
; bootvid.dll doesn't support bitblt operations on odd pixel boundaries.
; If I had more time I'd rewrite it from scratch as back in the day I spent
; an enormous amount of time doing bare-metal VGA graphics (ahh, memories...)
;
; *2 Scrollable area is limited to one quarter of the total screen area, because
; that's all the static scroll buffer space we have. Unfortunately we can't
; use dynamically allocated buffer space because bootvid.dll is called at a
; higher IRQL level such that we can't use pageable memory (attempting to do
; so results in a BSOD: Windows does not allow using pageable memory at that
; IRQL level and intentionally blue-screens when you try to do so).
;
; *3 Since the screen mode is 640x480x16, only the low four bits of the color
; value are used (the rest are zeroed out)
;
; Inputs
;
; LoadOptions [ebp+8] char*
;
; Outputs
;
; none (populates data in the data segment)
;
; Locals
;
; KeyName [ebp-8] UNICODE_STRING
; KeyHandle [ebp-$C] HANDLE
; ObjectAttributes [ebp-$24] OBJECT_ATTRIBUTES
; Flags [ebp-$28] word
; ScrollX [ebp-$2C] int
; ScrollY [ebp-$30] int
; ScrollWidth [ebp-$34] int
; ScrollHeight [ebp-$38] int
; ScrollIncrement [ebp-$3C] int
; ProgressXPos [ebp-$40] int
; ProgressYPos [ebp-$44] int
; ProgressColor [ebp-$48] int
;
; Comments
;
; You can't skip options, e.g. "::". To include an option, you MUST include all
; options before it.
;
; The code will allow spaces instead of colons to separate options.
;
; This allows what I would consider the minimum for decent bootskin functionality.
; I was tempted to go really insane and add some esoteric features, like:
;
; - staggered fades (e.g. fade in x colors, then fade in the rest)
; - fade in from an rgb color other than black
; - palette cycling (select block of colors and cycling type, e.g. continuous or
; back-and-forth)
; - tweaked 16-color modes for widescreen displays (e.g. 720x480x16, 640x350x16)
; - 256-color support (320x200x256)
; - tweaked 256-color support (320x240x256, 320x400x256, 360x400x256, 360x480x256)
;
; While cool, they would take an eternity to add and would require a complete
; rewrite of bootvid.dll. Perhaps some ambitious developer might want to take it on...
; -------------------------------------------------------------------------

bootskin.bmp

Edited by WildBill
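The option format documented in the first post and again in the notes header above (field order, defaults, ranges, even-pixel clipping, the on-screen and quarter-screen buffer checks, no skipped fields, and ':' or ' ' as separators) is worth seeing as working code. The following is an added example, my own user-mode model of those rules and not code from WildBill's patch or the kernel routine the notes describe. Names such as BootSkinSettings, ParseBootSkinOption and BootSkinField are my own; treating a flag value other than 0 or 1 as invalid is also my assumption, as the posts only say "0 or 1".

```c
/* Added example, not code from WildBill's patch: a user-mode model of the
 * /bootskin= option rules described in the posts. Names are my own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCREEN_W 640
#define SCREEN_H 480
#define MAX_SCROLL_AREA (SCREEN_W * SCREEN_H / 4)   /* static scroll buffer: 1/4 of the screen */

enum { MASTER, FADE_IN, HIDE_PROGRESS, BOUNCY, CUSTOM_IMAGE, SCROLL_X, SCROLL_Y,
       SCROLL_W, SCROLL_H, SCROLL_INC, PROGRESS_X, PROGRESS_Y, PROGRESS_COLOR, NFIELDS };

typedef struct { int v[NFIELDS]; } BootSkinSettings;

/* Defaults and upper bounds as the posts list them (lower bound is always 0).
 * Flags above 1 are treated as invalid: my assumption, the posts say "0 or 1". */
static const int kDefaults[NFIELDS] = { 0, 0, 0, 0, 0,   0, 416, 640,  10,   4, 274, 437,  1 };
static const int kMax[NFIELDS]      = { 1, 1, 1, 1, 1, 639, 479, 640, 480, 639, 478, 472, 15 };
/* Horizontal positions, widths and increments lose their low bit (note *1 above). */
static const int kEven[NFIELDS]     = { 0, 0, 0, 0, 0,   1,   0,   1,   0,   1,   1,   0,  0 };

/* Locate "/bootskin=" (case-insensitive) and return a pointer past the '='. */
static const char *FindBootSkinOption(const char *loadOptions)
{
    static const char key[] = "/bootskin=";
    const size_t n = sizeof key - 1;
    const char *p;
    for (p = loadOptions; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] && tolower((unsigned char)p[i]) == key[i])
            i++;
        if (i == n)
            return p + n;
    }
    return NULL;
}

/* Read up to NFIELDS numeric fields separated by ':' (or ' '). An empty field
 * such as "::" ends parsing, so a later field cannot be given without the earlier ones. */
static int SplitFields(const char *s, int out[NFIELDS])
{
    int count = 0;
    while (count < NFIELDS && isdigit((unsigned char)*s)) {
        char *end;
        out[count++] = (int)strtol(s, &end, 10);
        s = end;
        if (*s != ':' && *s != ' ')
            break;
        s++;
    }
    return count;
}

/* Fills *out with the effective settings. Returns 1 when custom settings are in
 * effect, 0 when default 2k behaviour is kept (option absent, master flag not 1,
 * or any value out of range, which reverts everything to defaults). */
int ParseBootSkinOption(const char *loadOptions, BootSkinSettings *out)
{
    int f[NFIELDS], n, i;
    const char *opt = FindBootSkinOption(loadOptions);

    memcpy(out->v, kDefaults, sizeof kDefaults);
    if (opt == NULL)
        return 0;
    n = SplitFields(opt, f);
    if (n < 1 || f[MASTER] != 1)
        return 0;
    for (i = 0; i < n; i++) {
        if (f[i] < 0 || f[i] > kMax[i]) {            /* out of range: revert to defaults */
            memcpy(out->v, kDefaults, sizeof kDefaults);
            return 0;
        }
        out->v[i] = kEven[i] ? (f[i] & ~1) : f[i];
    }
    /* The ribbon must end by pixel 639/479 and fit the static scroll buffer. */
    if (out->v[SCROLL_X] + out->v[SCROLL_W] > SCREEN_W ||
        out->v[SCROLL_Y] + out->v[SCROLL_H] > SCREEN_H ||
        out->v[SCROLL_W] * out->v[SCROLL_H] > MAX_SCROLL_AREA) {
        memcpy(out->v, kDefaults, sizeof kDefaults);
        return 0;
    }
    return 1;
}

/* One field after parsing, or -1 when the option was rejected. */
int BootSkinField(const char *loadOptions, int index)
{
    BootSkinSettings s;
    if (!ParseBootSkinOption(loadOptions, &s))
        return -1;
    return s.v[index];
}

int main(void)
{
    /* Sample input: the boot.ini line from the post. */
    const char *line = "multi(0)disk(0)rdisk(0)partition(1)\\WINNT=\"Microsoft Windows 2000 "
                       "Professional\" /fastdetect /bootskin=1:1:1:0:1:264:384:112:7:8";
    BootSkinSettings s;
    int i, ok = ParseBootSkinOption(line, &s);
    printf("%s\n", ok ? "custom settings accepted" : "rejected, 2k defaults kept");
    for (i = 0; i < NFIELDS; i++)
        printf("field %2d = %d\n", i, s.v[i]);
    return 0;
}
```

Run against the post's own boot.ini line, the ten given fields are accepted and the three remaining ones keep their defaults (274, 437, 1); a scroll_x of 265 becomes 264, and a ribbon that would run past pixel 639 or exceed a quarter of the screen makes the whole option fall back to default 2k settings rather than being partially applied.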

I hate to be the bearer of bad news, but if you have the KB915985 hotfix installed, the NTDLL.DLL file from your MS11-011 fix will not be installed and there will be a BSOD on the next boot. KB915985 installs a NTDLL.DLL with a higher version number than the one in your fix.

Thankfully, I tested this scenario in a VM :)

NTDLL.DLL from KB915985: 5.0.2195.7080

NTDLL.DLL from MS11-011: 5.0.2195.7007

Edit: A copy of NTDLL.DLL in the UNIPROC folder is needed for slipstreaming. But other than that and the KB915985 issue, the fix works perfectly!

Edited by MacLover

Thank you very much, WildBill :)

You must uninstall BlackWingCat's kernel v5 or your system won't boot. It has a higher version of kernel32.dll (7139 vs. WildBill's 7136) and isn't replaced when installing WildBill's patch.

WildBill,

Why is there no ntdll.dll in UNIPROC? Without it there's a blue screen on booting (and during text setup too if slipstreamed).

At this moment you have to replace the ntdll.dll from uniproc (in the i386 folder on w2k CD) manually. Otherwise you'll see a blue screen after reboot.

Edited by tomasz86

While you're at this, why not patch the RAM limit on PAE? Original win2k did not have the limit (> 4GB).

How about adding some of the debugging api which is required by newer games also. dbghelp.dll and some other dll's from the debugging kit or XPSP3 are drop in compatible also. This would help out a lot with developing on the OS.

win2k forever.


To make everything clear about KB915985: originally it was a hotfix (by request), and the v2 version mentioned above by PROBLEMCHYLD is an unofficial version made by BlackWingCat.

It can be downloaded here:

http://blog.livedoor.jp/blackwingcat/archives/845435.html

On the one hand it would be nice to have WildBill's changes done to the newest version available (KB915985-v2) but on the other hand there is no proof that the original KB915985 is perfectly stable (as it is a HBR). A possible solution could be to add BlackWingCat's changes, i.e. RtlCaptureStackBackTrace to WildBill's ntdll.dll and not use KB915985 at all.

Edited by tomasz86

I posted a v2 of MS11-011 with these changes:

- Added ntdll.dll to the uniproc folder

- Bumped up each kernel32.dll file to version 7150

- Added IsValidUILanguage() to kernel32.dll

Edited by WildBill
