
PE Tool for creating patches


WildBill


Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

Yes, I've already analysed some files included in HBRs but there's still a lot more to do :whistle: I hope I'll manage to finish the first part in the next few days.

When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

The problem is that it happens randomly (once a few days) even after the cache is flushed. I can't reproduce it, unfortunately.

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

That'd probably be the safest solution. You may also try to play with [OverrideVersionNumbers] but I don't really know if it works.

In case you bump the number to higher than 7081, would it be difficult to add changes from the original 915985 and BWC's 915985-v2?

Edited by tomasz86


I posted MS11-011 V6, which includes the KB915985 hotfix as well as the fix in blackwingcat's v2, with one exception: the HBR also has a change to RtlCallQueryRegistryRoutine that the hotfix doesn't mention, but my patch completely replaces it (and routines that call it) with the version from XPSP3. If it winds up being changed in XP then I can change it as well, but I figure the best thing to do is to leave RtlCallQueryRegistryRoutine alone.

The ntdll version is 5.0.2195.7082, which should make slipstreaming happy. I also found a couple more routines that could go into ntdll, so here's the new additions list:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread (already there, added it to the export table)

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

RtlSetLastWin32ErrorAndNtStatusFromNtStatus

RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA


I found an issue with your MS11-020 fix :} :

On Windows 2000 Advanced Server (Probably any other server variant as well), when I enable Active Directory, I am unable to log on to the system unless I use safe mode *without* networking. I narrowed down the issue to being caused by the KERBEROS.DLL file from said update.

When I look at the event log on the system (in safe mode), it mentions Kerberos causing an exception and then a cascade of failures caused by that.


The information from the first event (the Kerberos failure) is as follows:

Event ID: 5000

Description:

The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.

Data:


05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00


Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.


That was exactly what I needed: the first four dwords are 0xC0000005 (access violation), 0, 0 (null address accessed), 0x782B15DC (address where it was caused). The problem was obvious once I looked at it (actually, there were 2 occurrences of the problem). I'll post an update later today.
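A small decoder for that event data, added here as an example and not part of the thread: it reads the bytes as a 32-bit EXCEPTION_RECORD (exception code, flags, chained record pointer, faulting instruction address, parameter count, then the access-violation parameters) so the same fields can be pulled out of any Event ID 5000 entry rather than read off by hand. The input is the dump posted above, re-typed as a constructed test input.

```python
import struct

# Event ID 5000 "Data" bytes as posted above, re-typed as a constructed test input.
EVENT_5000_DATA = bytes.fromhex(
    "050000c000000000"
    "00000000dc152b78"
    "0200000000000000"
    "000000003f000100"
    "0000000000000000"
    "0000000000000000"
    "0000000000000000"
    "7f02ffff0000ffff"
    "ffffffff92120a00"
    "20404503202d0000"
)

STATUS_ACCESS_VIOLATION = 0xC0000005
# ExceptionInformation[0] for an access violation: 0 = read, 1 = write, 8 = execute (DEP).
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}


def parse_exception_record(data: bytes) -> dict:
    """Decode an x86 EXCEPTION_RECORD: five little-endian DWORDs
    (ExceptionCode, ExceptionFlags, ExceptionRecord, ExceptionAddress,
    NumberParameters) followed by NumberParameters DWORDs of ExceptionInformation."""
    code, flags, chained, address, nparams = struct.unpack_from("<IIIII", data, 0)
    nparams = min(nparams, 15)  # EXCEPTION_MAXIMUM_PARAMETERS
    info = list(struct.unpack_from("<%dI" % nparams, data, 20)) if nparams else []
    rec = {"code": code, "flags": flags, "chained": chained,
           "address": address, "params": info}
    if code == STATUS_ACCESS_VIOLATION and len(info) >= 2:
        # For an access violation the two parameters say what kind of access
        # failed and which virtual address could not be touched.
        rec["access"] = ACCESS_KIND.get(info[0], "unknown")
        rec["fault_va"] = info[1]
    return rec


def describe(rec: dict) -> str:
    """One-line summary in the form a crash triage note would use."""
    s = "exception 0x%08X at 0x%08X" % (rec["code"], rec["address"])
    if "fault_va" in rec:
        s += ", %s of address 0x%08X" % (rec["access"], rec["fault_va"])
    return s


if __name__ == "__main__":
    print(describe(parse_exception_record(EVENT_5000_DATA)))
```

The faulting instruction address is an in-process virtual address, so it still has to be matched against the load address of kerberos.dll (or whichever module owns it) before it can be mapped to a routine.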


MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator and Firefox 8 will use it if it detects it).


Thanks, the bug is fixed now. :)

EDIT: By the way, XP's MSVCRT.DLL works with your MS11-011 v6 update.

Edited by MacLover

Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it.

I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.


Just wanted to report my experiences with MS11-011 and MS11-020.

MS11-011 v6 works pretty well on my system. The only real issue that I've run across is that the drivers for my ATI Theater 750 PCIe TV card will sometimes freeze the computer when booting. Strangely enough, sometimes it will start working after rebooting a couple of times. I guess that is an improvement since the drivers didn't work at all prior to installing MS11-011. Other than that, my computer has been working fine and I'm able to run several applications without BlackWingCat's KDW pack.

On the other hand, ZoneAlarm 7.0.483.000 does not like MS11-020 at all. It will blue screen right before the password prompt comes up.

The error message I get is:

***STOP: 0x0000001E (0xC0000005, 0xB1720D9F, 0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED

***ADDRESS B1720D9F base at B16DC000, DateStamp 4874da4c - vsdatant.sys

vsdatant.sys is part of ZoneAlarm.


I'd need to get my hands on vsdatant.sys to try to see what's going on... I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?

Yes, it works normally without the patch installed.

I attached a copy of vsdatant.sys to this post. If need be, you can also download a copy of ZoneAlarm 7.0.483.000 from: http://download.zonealarm.com/bin/free/1023_zl/zlsSetup_70_483_000_en.exe

Thanks for your help.

vsdatant.zip

