PE Tool for creating patches


WildBill

I think the checksum is wrong...

or maybe not as I've just checked it and it looks fine. I tried to install the patch on a uniprocessor system and got a BSOD on boot.

EDIT

After doing more tests I can say that the same BSOD appears when I try to install v3 of the update... It's related to ntoskrnl.exe. I'll post the details later on.

Edited by tomasz86

The uniprocessor one definitely won't work as I haven't migrated the changes to it yet. Only the non-PAE mp one is "done". I wanted to see if you give it a good bill of health on the bootskin stuff before updating the other three files.


Are you sure? I'm outside now and can't check it once again, but I tried installing both the current fixed version and also the original v3. The uniprocessor kernel should be fully functional in that one, shouldn't it?

In both cases the BSOD was exactly the same, related to ntoskrnl.exe.

The configuration it happened on is a notebook:

Pentium III-M 933 MHz

640 MB PC133 SDRAM

integrated Intel Graphics

IDE HDD


If the checksum is wrong, it won't even load: you'll get an error saying it's missing or corrupted. I've started porting the changes to the other files, so I'll be able to test it over the weekend. The V3 one worked here last time I checked...


As I said before, I've checked the checksums and everything seems to be fine, so that's not the problem here. I guess it may be a different issue, but I'll hold off on more testing until your final version ;)

I also forgot to say that the progress bar issue was fixed after installing c5q.

On the other hand, I've prepared some new updates:

MS11-?: Fraudulent digital certificates could allow spoofing

Windows2000-UU-KBz2641690-x86-Global.exe (replaces 2616676)

Microsoft VC++ 2005/2008/2010

YumeYao_MicrosoftVC78910RuntimeLibraries_Addon_2_0_7_Win2K.7z (HFSLIP folder: HFAAO)

This is a modified version of YumeYao's addon. It replaces Microsoft's VC++ 2005, VC++ 2008 & VC++ 2010. Some files from VC++ 2010 rely on kernel32.dll from BlackWingCat's KDW which is included in this addon.

Edited by tomasz86

I finished porting the changes and the patch is working here, so I've posted MS11-011 v4 and updated the link on the master list. For the record, the complete list of new API calls the patch adds is:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread (already there, added it to the export table)

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

EDIT: forgot to list a couple of extra routines I added to ntdll.

Edited by WildBill

I missed the fact that you already uploaded a v4 :lol:

I've installed it on both my desktop and laptop computers, and while everything seems to work fine here (on the desktop), there's still the same error on the other one:

*** STOP: 0x0000001E (0xC0000005, 0xDDC6473E, 0x00000000, 0x0000000C)
KMODE_EXCEPTION_NOT_HANDLED

*** Address DDC6473E base at DDC00000, DateStamp 4ebda139 - ntoskrnl.exe

System specifications are listed in #398


Hmm. I'm going to need some more info to track that one down, since the address is pointing to a trap routine (specifically, it traps 0x57, which I assume means int 0x57). When does the BSOD happen? Does it create a minidump file? It looks like it trapped an interrupt (maybe from a driver?) and it didn't like it.

The 0xC0000005 means ACCESS_VIOLATION, so I assume that it tried to access an invalid memory location. The problem is going to be finding where it happened.

Edit: it looks like int 57h is a relocated IRQ7, so maybe a driver that's using IRQ7 is causing the problem. The interrupt request for a driver is shown under the Resources tab in the Device Manager. It's also possible that it's really IRQ15, from a secondary interrupt controller.

Edited by WildBill
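The triage WildBill walks through above (exception code, faulting address, module offset) can be scripted. This is an added example, not code from the thread or from the patch project; the parsing rules and field names are my own, and the sample input is the two BSOD lines quoted above.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the STOP screen lines quoted earlier in the thread.
BSOD_TEXT = """*** STOP: 0x0000001E (0xC0000005, 0xDDC6473E, 0x00000000, 0x0000000C)
KMODE_EXCEPTION_NOT_HANDLED

*** Address DDC6473E base at DDC00000, DateStamp 4ebda139 - ntoskrnl.exe
"""

HEX = r"(0x[0-9A-Fa-f]+)"
STOP_RE = re.compile(r"\*\*\* STOP: " + HEX + r" \(" + r", ".join([HEX] * 4) + r"\)")
ADDR_RE = re.compile(r"\*\*\* Address ([0-9A-Fa-f]+) base at ([0-9A-Fa-f]+), "
                     r"DateStamp ([0-9A-Fa-f]+) - (\S+)")

# NTSTATUS codes commonly seen as parameter 1 of bug check 0x1E.
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}

def triage(text):
    """Decode a KMODE_EXCEPTION_NOT_HANDLED (0x1E) STOP screen into its parts."""
    stop, addr = STOP_RE.search(text), ADDR_RE.search(text)
    if not stop or not addr:
        raise ValueError("STOP or Address line not found")
    bugcheck, exc_code, exc_addr, info0, info1 = (int(x, 16) for x in stop.groups())
    if bugcheck != 0x1E:
        raise ValueError("only bug check 0x1E is decoded here")
    fault_addr, base = int(addr.group(1), 16), int(addr.group(2), 16)
    # The DateStamp is the PE TimeDateStamp (seconds since the Unix epoch).
    linked = datetime.fromtimestamp(int(addr.group(3), 16), timezone.utc)
    result = {
        "exception": EXCEPTION_CODES.get(exc_code, hex(exc_code)),
        "exception_address": exc_addr,
        "module": addr.group(4),
        "module_base": base,
        "rva": fault_addr - base,          # offset to look up in the patched image
        "linked_year": linked.year,
        "address_matches": exc_addr == fault_addr,
    }
    if exc_code == 0xC0000005:
        # For an access violation, parameters 3 and 4 are ExceptionInformation[0]
        # (0 = read, 1 = write) and [1] (the virtual address that was touched).
        result["access"] = "write" if info0 == 1 else "read"
        result["target_address"] = info1
    return result
```

For the quoted crash this yields a read of address 0xC at offset 0x6473E into ntoskrnl.exe, i.e. a small offset off a null pointer, which narrows the search to the structure being dereferenced rather than the trap routine itself.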

The BSOD happens right after the GUI mode of the /SOS startup is loaded. Surprisingly, safe mode works, which is an improvement compared to the previous versions, when the BSOD appeared during safe mode booting too.

It appears before the boot log is created, and no minidump is created when the BSOD happens either.
