PE Tool for creating patches

[WildBill]

What happens without /SOS? Same thing?

Another dumb question: is /BOOTLOG set? Are you using any bootskin settings?

Okay, after spending the day investigating, it looks like ESP (stack pointer) must have become corrupted somewhere, and then an interrupt occurred (most likely from a driver, which wouldn't be loaded when you're in safe mode). So now, the trick will be finding whatever is corrupting ESP yet doesn't result in a BSOD all the time (maybe the routine in question recovers the correct ESP before it returns?) It's pretty hard to screw up ESP and not generate a GP fault when returning from a routine.

Edited November 14, 2011 by WildBill

[dencorso]

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm begining to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great!

[WildBill]

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm begining to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great!

Ask and ye shall receive... see the top post

[dencorso]

Wow, that was really swift!

Thanks a whole lot!

You do rock!

[WildBill]

The BSOD happens just right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works which is an improvement compared to the previous versions when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.

Here's something to try...ntoskrnl was a bit different than the other three in that it had some extra changes when I was still working out how to hook in the bootskin code. I undid those extra changes so it matches the others, and I altered the bootskin code very slightly to better restore ESP (in ntoskrnl only for now). I don't see any reason why this would help as I didn't see any obvious issues, but it's worth a try. I've tested it in a VM with no issues.

This is an early build of V5 that adds some new functions to ntdll and kernel32, but there are some more things I'd like to add before making it an "official" v5. I'm using it here on my laptop with no problems, so for the adventurous it adds the following:

ntdll

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

kernel32

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

Windows2000-KB2393802-v5-early-1-x86-ENU.exe

Edited November 15, 2011 by WildBill

[tomasz86]

Something strange's going on

1. I don't have any bootskin setting set.

2. /BOOTLOG is enabled but it's not created because the BSOD happens before boot logging is even started.

3. The strange thing is that regardless of /SOS set or not, the beginning of GUI part is the same and looks as if /SOS was enabled. I can see the GUI part for only half a second before the BSOD appears.

4. The v5 doesn't make any difference.

...

I think I found the reason. The BSOD appears only when /PAE is enabled. Interestingly it doesn't affect the desktop as I've just turned /PAE on and no problems here. It was turned on on the notebook by mistake but still there's no BSOD unless I install your patch

[WildBill]

If your desktop is multiprocessor, then its PAE kernel is ntkrpamp.exe (which gets renamed to ntkrnlpa.exe), whereas the laptop's uniprocessor PAE one is from ntkrnlpa.exe (i.e., they're different). Actually, that info helps a lot: it means that I probably messed something up in the uniprocessor PAE kernel. Hopefully it will be easy to find.

[WildBill]

A-ha...the original ntkrnlpa had a stack variable in a different place than in the other three files, and it affected the SOS setting (and probably caused the BSOD). This might help:

Windows2000-KB2393802-v5-early-2-x86-ENU.exe

I also checked the multiprocessor PAE kernel, and that one looks ok (the variable's location is the same as the non-PAE one). Go figure.

Edited November 15, 2011 by WildBill

[tomasz86]

It's all right now

[WildBill]

MS11-011 V5 is now posted, and it includes just about everything I could add to kernel32 and ntdll without major pain in the process. The complete list of additions is now:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock

KeReleaseInterruptSpinLock

InterlockedPushEntrySList

InterlockedPopEntrySList

RtlInt64ToUnicodeString

RtlIntegerToUnicode

RtlClearBit

RtlTestBit

RtlSetBit

ZwQueryInformationThread......already there, added it to the export table

IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)

PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)

PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)

_vsnwprintf

_aulldvrm

RtlGetVersion

KeFlushQueuedDpcs

ntdll.dll

RtlIpv4StringToAddressA

RtlIpv4StringToAddressW

RtlIpv4StringToAddressExA

RtlIpv4StringToAddressExW

RtlIpv4AddressToStringA

RtlIpv4AddressToStringW

RtlIpv4AddressToStringExA

RtlIpv4AddressToStringExW

RtlIpv6StringToAddressA

RtlIpv6StringToAddressW

RtlIpv6StringToAddressExA

RtlIpv6StringToAddressExW

RtlIpv6AddressToStringA

RtlIpv6AddressToStringW

RtlIpv6AddressToStringExA

RtlIpv6AddressToStringExW

RtlInitializeGenericTableAvl

RtlIsGenericTableEmptyAvl

RtlGetElementGenericTableAvl

RtlNumberGenericTableElementsAvl

RtlInsertElementGenericTableAvl

RtlDeleteElementGenericTableAvl

RtlEnumerateGenericTableLikeADirectory

RtlLookupElementGenericTableAvl

RtlEnumerateGenericTableWithoutSplayingAvl

RtlEnumerateGenericTableAvl

RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)

RtlInterlockedPushEntrySList

RtlInterlockedPopEntrySList

RtlInterlockedFlushSList

RtlQueryDepthSList

RtlInitializeSListHead

LdrLockLoaderLock

LdrUnlockLoaderLock

LdrAddRefDll

RtlComputePrivatizedDllName_U

RtlValidateUnicodeString

RtlDuplicateUnicodeString

RtlDowncaseUnicodeChar

RtlFindCharInUnicodeString

RtlpEnsureBufferSize

RtlMultiAppendUnicodeStringBuffer

RtlAppendPathElement

LdrEnumerateLoadedModules

RtlRandomEx

RtlUnhandledExceptionFilter2

RtlUnhandledExceptionFilter

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)

RtlGetNtVersionNumbers

DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)

_vsnwprintf

_lfind

_aulldvrm

_alldvrm

RtlpNotOwnerCriticalSection

RtlpApplyLengthFunction

RtlCopyOutOfProcessMemoryStreamTo

RtlLockMemoryStreamRegion

RtlUnlockMemoryStreamRegion

RtlNtPathNameToDosPathName

RtlGetLengthWithoutLastFullDosOrNtPathElement

RtlCreateBootStatusDataFile

RtlComputeCrc32

RtlCaptureContext

RtlLockBootStatusData

RtlUnlockBootStatusData

RtlGetSetBootStatusData

RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)

RtlAddMemoryStream

RtlReleaseMemoryStream

RtlQueryInterfaceMemoryStream

RtlReadOutOfProcessMemoryStream

RtlRevertMemoryStream

RtlCloneMemoryStream

RtlCommitMemoryStream

RtlSetMemoryStreamSize

RtlWriteMemoryStream

RtlSeekMemoryStream

RtlCopyMemoryStreamTo

RtlReadMemoryStream

RtlStatMemoryStream

RtlInitMemoryStream

RtlFinalReleaseOutOfProcessMemoryStream

RtlInitOutOfProcessMemoryStream

bootvid.dll

VidSetVgaPalette (used by the bootskin code)

kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)

EncodePointer (forwarded export to NTDLL.RtlEncodePointer)

InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)

InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)

InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)

QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)

InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)

GetModuleHandleExA

GetModuleHandleExW

IsWow64Process

IsWow64Message

GetProcessHandleCount

GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)

SetDllDirectoryA

SetDllDirectoryW

GetDllDirectoryA

GetDllDirectoryW

AttachConsole

TzSpecificLocalTimeToSystemTime

SetClientTimeZoneInformation

IsValidUILanguage

GetSystemWow64DirectoryA

GetSystemWow64DirectoryW

SetHandleContext

GetProcessId

GetSystemTimes

CreateMemoryResourceNotification

QueryMemoryResourceNotification

AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)

RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)

RtlCaptureStackBackTrace

SetThreadUILanguage

LZStart

GetExpandedNameA

GetExpandedNameW

LZInit

LZDone

LZCreateFileW

LZOpenFileA

LZOpenFileW

LZSeek

LZRead

LZClose

LZCloseFile

LZCopy

CopyLZFile

GetVolumePathNamesForVolumeNameW

GetVolumePathNamesForVolumeNameA

GetHandleContext

GetCPFileNameFromRegistry

EnumerateLocalComputerNamesW

EnumerateLocalComputerNamesA

CreateSocketHandle

CreateNlsSecurityDescriptor

AddLocalAlternateComputerNameW

AddLocalAlternateComputerNameA

RemoveLocalAlternateComputerNameW

RemoveLocalAlternateComputerNameA

SetLocalPrimaryComputerNameW

SetLocalPrimaryComputerNameA

Edited November 20, 2011 by WildBill

[bristols]

Hi WildBill,

MS11-011 V5 is now posted (...)

After installing the update, I get this error on reboot (the progress bar on the Windows 2000 boot screen having reached 100%):

stop:c0000139 (Entry Point Not Found)
The procedure entry point LdrLockLoaderLock could not be located in the dynamic link library ntdll.dll

[WildBill]

Hmm. That doesn't make any sense...I checked ntdll and the routine is there and it's in the export table. I also downloaded the patch and it matches what I uploaded. Did you install it normally or slipstream it? I'm not able to test slipstreaming, but I'm typing this on a laptop with V5 installed. I tested the patch on both a uniprocessor and a multiprocessor installation.

The ntdll you should have after installing the patch is version 5.0.2195.7010, 531,728 bytes, MD5 hash AB3331B195F0430945E0BADDA30112A3.

Edited November 21, 2011 by WildBill

[tomasz86]

WildBill,

ntdll.dll 5.0.2195.7080 is included in KB915985 which is a HBR. Bristols uses HBRs so that's probably the reason why your ntdll.dll doesn't install (as its version is lower).

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.

I've also got one question unrelated to the kernel patch. Can such icon anomalies be caused by 2479628?

They can be brought back to normal by changing color depth or resolution.

Edited November 22, 2011 by tomasz86

[bristols]

Did you install it normally or slipstream it?

(...)

The ntdll you should have after installing the patch is version 5.0.2195.7010

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.

That's the problem. I've installed blackwingcat's KB915985-v2. Indeed I have Ntdll.dll 5.0.2195.7081.

WildBill, I see that several other of the files included in your update have lower version numbers than those found in some hotfixes. Tricky... I suppose that your update would cause problems too for people who have installed the hotfixes in question.

Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

[WildBill]

When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

Edited November 22, 2011 by WildBill