PE Tool for creating patches

[WildBill]

Would you mind testing a bootskin to see how that works out?

[tomasz86]

It works only partially. The bootskin is loaded but at the same time there's the standard progress bar too which is located in the up-left corner of the screen.

[WildBill]

Hmm. What were the bootskin settings?

[tomasz86]

I used your settings:

/bootskin=1:1:1:0:1:264:384:112:7:8

and the bootskin.bmp from #234.

[WildBill]

Oops Mistake on my part. I messed up how I was testing the flag.

Windows2000-KB2393802-v1-early-c5q-x86-ENU.exe

[tomasz86]

I think the checksum is wrong...

or maybe not as I've just checked it and it looks fine. I tried to install the patch on a uniprocessor system and got a BSOD on boot.

EDIT

After doing more tests I can say that the same BSOD appears when I try to install v3 of the update... It's related to ntoskrnl.exe. I'll post the details later on.

Edited November 10, 2011 by tomasz86

[WildBill]

The uniprocessor one definitely won't work as I haven't migrated the changes to it yet. Only the non-PAE mp one is "done". I wanted to see if you give it a good bill of health on the bootskin stuff before updating the other three files.

[tomasz86]

Are you sure? I'm outside now and can't check it once again but I tried installing both the current fixed version and also the original v3. Uniprocessor kernel should be fully functional in that one, shouldn't it?

In both cases the BSOD was exactly the same, related to ntoskrnl.exe.

The configuration it happened is a notebook:

Pentium III-M 933Mhz

640 MB PC133 SDRAM

integrated Intel Graphics

IDE HDD

[WildBill]

If the checksum is wrong, it won't even load: you'll get an error saying it's missing or corrupted. I've started porting the changes to the other files, so I'll be able to test it over the weekend. The V3 one worked here last time I checked...

[tomasz86]

As I said before, I've checked the checksums and everything seems to be fine so it's not the problem here. I guess it may be a different issue but I'll wait with more testing for your final version

I also forgot to say that the progress bar issue was fixed after installing c5q.

On the other hand, I've prepared some new updates:

MS11-?: Fraudulent digital certificates could allow spoofing

Windows2000-UU-KBz2641690-x86-Global.exe (replaces 2616676)

Microsoft VC++ 2005/2008/2010

YumeYao_MicrosoftVC78910RuntimeLibraries_Addon_2_0_7_Win2K.7z (HFSLIP folder: HFAAO)

This is a modified version of YumeYao's addon. It replaces Microsoft's VC++ 2005, VC++ 2008 & VC++ 2010. Some files from VC++ 2010 rely on kernel32.dll from BlackWingCat's KDW which is included in this addon.

Edited November 11, 2011 by tomasz86

[WildBill]

I finished porting the changes and the patch is working here, so I've posted MS11-011 v4 and updated the link on the master list. For the record, the complete list of new API calls the patch adds is:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread......already there, added it to the export table

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

EDIT: forgot to list a couple of extra routines I added to ntdll.

Edited November 12, 2011 by WildBill

[WildBill]

tomasz: just as soon as you can give me the all-clear for V4 I'll consider that a green light for V5 (I've already started on it and added a few more routines to ntdll and kernel32)...

[tomasz86]

I missed the fact that you already uploaded a v4

I've installed it on both my desktop and laptop computers and while everything seems to work fine here (on the desktop),

there's still the same error on the other one:

*** STOP: 0x0000001E (0xC0000005, 0xDDC6473E, 0x00000000, 0x0000000C)
KMODE_EXCEPTION_NOT_HANDLED

*** Address DDC6473E base at DDC00000, DateStamp 4ebda139 - ntoskrnl.exe

System specifications are listed in #398

[WildBill]

Hmm. I'm going to need some more info to track that one down, since the address is pointing to a trap routine (specifically, it traps 0x57, which I assume means int 0x57). When does the BSOD happen? Does it create a minidump file? It looks like it trapped an interrupt (maybe from a driver?) and it didn't like it.

The 0xC0000005 means ACCESS_VIOLATION, so I assume that it tried to access an invalid memory location. The problem is going to be finding where it happened.

Edit: it looks like int 57h is a relocated IRQ7, so maybe a driver that's using IRQ7 is causing the problem. The interrupt request for a driver is shown under the Resources tab in the Device Manager. It's also possible that it's really IRQ15, from a secondary interrupt controller.

Edited November 13, 2011 by WildBill

[tomasz86]

The BSOD happens just right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works which is an improvement compared to the previous versions when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.