
PE Tool for creating patches


WildBill


Thanks WildBill :)

By the way, here is a slimmed down version of the update.inf for KB2393802-v9. All useless sections and lines have been removed so it's much easier to navigate.

update.inf

Edited by tomasz86


These APIs are present in BWC kernel's kernel32.dll and are not included in yours:

ActivateActCtx
CheckRemoteDebuggerPresent
CreateActCtxA
CreateActCtxW
DeactivateActCtx
GetGeoInfoA
GetGeoInfoW
GetUserGeoID
ReleaseActCtx
WTSGetActiveConsoleSessionId

Would it be difficult to add them in the future version, especially the ones which have something to do with ActCtx, i.e. ActivateActCtx, CreateActCtxA, CreateActCtxW, DeactivateActCtx & ReleaseActCtx? They help fix a lot of dependencies and also make it possible to use uxtheme.dll directly from %systemroot%\system32. Without these dependencies there are problems with .NET Framework (when uxtheme.dll is present in the system, that is).

Edited by tomasz86

  • 2 weeks later...

kernel32.dll rewrite status: NLS Hell.

468 exported functions implemented out of a total of about 902

I'm currently bogged down in the NLS support -- apparently kernel32 does all the heavy lifting for localized data (date/time formats, etc.). I'm having to reverse-engineer a bunch of structures, and in the process the format of the various .nls files in system32. I now know all about Japanese emperor eras, how to convert numbers to Hebrew numbers (including the special cases for 15 and 16 and the reason behind them), and creating Hebrew and Hijri dates. I've completely reverse-engineered locale.nls (and documented it to the nth-power in my kernel32.h) and partially reverse-engineered ctype.nls and unicode.nls. I've even had to write a Java program that dumps out all the info in locale.nls. And, now I know why there are alternate month names for Polish for certain months...

(sigh)

Edited by WildBill

I think there's something wrong with the new version of ntdll.dll. My system gets stuck at the "preparing network connections" screen after installing the new version of the kernel and rebooting. Safe mode doesn't work either (it gets stuck at the login screen).

If I install it without the new ntdll.dll (=keep the ntdll.dll from v8) there are no problems. I've also installed it successfully in a VM (VirtualBox) where a uniprocessor non-PAE kernel is used. On my real system it's a multiprocessor PAE kernel.

Edited by tomasz86

  • 2 weeks later...

I didn't think ntdll had changed all that much, though I did add a few things. I'll have to keep that in mind for v10. Speaking of V10, I'd like to ask for some suggestions on developing it. While I'm making steady progress on reverse-engineering and rewriting kernel32 (about 550 exported routines implemented out of about 902), it's still going to be a while before it's complete enough to test, debug, and harden. In the meantime the rewrites of csrsrv and basesrv are sitting idle and are basically complete. It seems to me to be a terrible waste of time to just have them sit on my hard drive when people could be testing them, playing with my sources, and possibly improving them (in light of stuxnet and flame, bulletproofing has been on my mind of late).

To cut this spiel short, would it make sense for an interim v10 release (or some other nomenclature) with the rewritten basesrv and csrsrv included? Now that I've rewritten them in C, there should be a lot of potential for improvement, not to mention that patching them, localizing them, etc. will be infinitely easier.


I'm always ready to test :whistle: although I can't really "improve" anything because of lack of any programming skills. I can only test the files in real environment.

By the way, it'd be nice to have

GetGeoInfoW
GetUserGeoID

in kernel32.dll. They are required for Chromium (Google Chrome, SRWare Iron) to work. The two APIs are present in BlackWingCat's kernel32.dll.


I think there's something wrong with the new version of ntdll.dll. My system gets stuck at the "preparing network connections" screen after installing the new version of the kernel and rebooting. Safe mode doesn't work either (it gets stuck at the login screen).

If I install it without the new ntdll.dll (=keep the ntdll.dll from v8) there are no problems. I've also installed it successfully in a VM (VirtualBox) where a uniprocessor non-PAE kernel is used. On my real system it's a multiprocessor PAE kernel.

I installed Win2000 + KB2393802-v9 on real hardware:

Athlon 64 x2 5600+
4GB RAM
Geforce 9800gt
Gigabyte GA-MA790X-DS4

Everything works fine.


I tried to use Windows2000-KB2393802-v9-x86-ENU.exe.

But it sometimes crashes with a BSoD (Access Violation) at 0xA00A3512 in win32k.sys:

A00A34E8 837D0CFC cmp dword ptr [ebp+0Ch],FFFFFFFCh
A00A34EC 7542 jnz LA00A3530
A00A34EE 8B7D08 mov edi,[ebp+08h]
A00A34F1 52 push edx
A00A34F2 52 push edx
A00A34F3 68E1010000 push 000001E1h
A00A34F8 57 push edi
A00A34F9 E85A89F6FF call SUB_LA000BE58
A00A34FE 89450C mov [ebp+0Ch],eax
A00A3501 50 push eax
A00A3502 E8D49EF7FF call SUB_LA001D3DB
A00A3507 85C0 test eax,eax
A00A3509 7425 jz LA00A3530
A00A350B 8B5510 mov edx,[ebp+10h]
A00A350E 85D2 test edx,edx
A00A3510 7C1E jl LA00A3530
A00A3512 3B5120 cmp edx,[ecx+20h] <-----------
A00A3515 7719 ja LA00A3530
A00A3517 85D2 test edx,edx
A00A3519 8B450C mov eax,[ebp+0Ch]
A00A351C 894314 mov [ebx+14h],eax
A00A351F 7514 jnz LA00A3535
A00A3521 8D774C lea esi,[edi+4Ch]
A00A3524 8D7B04 lea edi,[ebx+04h]

It seems to be some bad code.

Edited by blackwingcat

I posted KB2393802-v9e today ("e" for "experimental"). I'm not adding it to the main list as it doesn't add any new functionality or attempt to fix any issues with v9. It does, however, include my rewrites of csrsrv.dll and basesrv.dll. If you manually extract the installer and look in the info folder it creates you can find the complete source code to my rewrites. I've tried to go the extra mile in hardening both against attack, but I invite anyone who is interested to play with them. Each was built with VS2005 standard and uses the libraries from the WinNT DDK version 3790.1830 for ntdll, etc.

Here is the link for v9e: http://www.mediafire.com/download.php?skox32b1rddgl26 (updated...see a few posts down)

Remember, this is experimental, so use at your own risk. So far I'm only using it in a VM.

Edited by WildBill

I tried to use Windows2000-KB2393802-v9-x86-ENU.exe.

But it sometimes crashes with a BSoD (Access Violation) at 0xA00A3512 in win32k.sys:

A00A34E8 837D0CFC cmp dword ptr [ebp+0Ch],FFFFFFFCh
A00A34EC 7542 jnz LA00A3530
A00A34EE 8B7D08 mov edi,[ebp+08h]
A00A34F1 52 push edx
A00A34F2 52 push edx
A00A34F3 68E1010000 push 000001E1h
A00A34F8 57 push edi
A00A34F9 E85A89F6FF call SUB_LA000BE58
A00A34FE 89450C mov [ebp+0Ch],eax
A00A3501 50 push eax
A00A3502 E8D49EF7FF call SUB_LA001D3DB
A00A3507 85C0 test eax,eax
A00A3509 7425 jz LA00A3530
A00A350B 8B5510 mov edx,[ebp+10h]
A00A350E 85D2 test edx,edx
A00A3510 7C1E jl LA00A3530
A00A3512 3B5120 cmp edx,[ecx+20h] <-----------
A00A3515 7719 ja LA00A3530
A00A3517 85D2 test edx,edx
A00A3519 8B450C mov eax,[ebp+0Ch]
A00A351C 894314 mov [ebx+14h],eax
A00A351F 7514 jnz LA00A3535
A00A3521 8D774C lea esi,[edi+4Ch]
A00A3524 8D7B04 lea edi,[ebx+04h]

It seems to be some bad code.

I'm looking at that routine and I see something I don't like in its treatment of ECX. Let me see if I can do something with it.


BWC: I removed the v9e above and posted another one with an updated win32k.sys file (version 5.0.2195.7402). It explicitly sets ECX rather than relying on ValidateHmenu() to set it. If it works out for you, I can post a V10 on the main list.

The new v9e is here:

http://www.mediafire.com/download.php?7o1y5rbcr9eqxc0

For reference, this is what it looks like (a few other instructions above it changed to reflect the fact that some things moved up by 4 bytes):


.text:A00A34E4 loc_A00A34E4: ; CODE XREF: xxxGetMenuBarInfo(x,x,x,x)+187j
.text:A00A34E4 cmp [ebp+arg_4], 0FFFFFFFCh
.text:A00A34E8 jnz short loc_A00A3530
.text:A00A34EA mov edi, [ebp+arg_0]
.text:A00A34ED push edx ; int
.text:A00A34EE push edx ; UnicodeString
.text:A00A34EF push 1E1h ; MbString
.text:A00A34F4 push edi ; int
.text:A00A34F5 call _xxxSendMessage@16 ; int
.text:A00A34FA mov [ebp+arg_4], eax
.text:A00A34FD push eax
.text:A00A34FE call _ValidateHmenu@4 ; ValidateHmenu(x)
.text:A00A3503 test eax, eax
.text:A00A3505 jz short loc_A00A3530
.text:A00A3507 push [ebp+arg_4]
.text:A00A350A pop ecx
.text:A00A350B mov edx, [ebp+arg_8]
.text:A00A350E test edx, edx
.text:A00A3510 jl short loc_A00A3530
.text:A00A3512 cmp edx, [ecx+20h]
.text:A00A3515 ja short loc_A00A3530

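WildBill's post states that the patched routine loads ECX explicitly before the `cmp edx,[ecx+20h]` and that the code above it moved up by 4 bytes. As an added example (not a tool from the thread or from the KB2393802 project), the Python script below aligns the two quoted listings on their mnemonic sequence, reports which instructions the patch inserted, and gives the per-instruction address shift, so a reader can check that the inserted `push [ebp+arg_4]` / `pop ecx` accounts for exactly 4 bytes and that the faulting `cmp` stays at A00A3512. The listings are abridged to the window around the patch.

```python
import re
from difflib import SequenceMatcher

# Abridged copies of the two listings quoted above (constructed test input):
# pre-patch 'ADDR BYTES mnemonic ops' and post-patch IDA '.text:ADDR mnemonic ops ; comment'.
OLD = """\
A00A3502 E8D49EF7FF call SUB_LA001D3DB
A00A3507 85C0 test eax,eax
A00A3509 7425 jz LA00A3530
A00A350B 8B5510 mov edx,[ebp+10h]
A00A350E 85D2 test edx,edx
A00A3510 7C1E jl LA00A3530
A00A3512 3B5120 cmp edx,[ecx+20h] <-----------"""
NEW = """\
.text:A00A34FE call _ValidateHmenu@4 ; ValidateHmenu(x)
.text:A00A3503 test eax, eax
.text:A00A3505 jz short loc_A00A3530
.text:A00A3507 push [ebp+arg_4]
.text:A00A350A pop ecx
.text:A00A350B mov edx, [ebp+arg_8]
.text:A00A350E test edx, edx
.text:A00A3510 jl short loc_A00A3530
.text:A00A3512 cmp edx, [ecx+20h]"""

# Optional '.text:' prefix, 8-digit address, optional uppercase opcode bytes
# (absent in the IDA listing), lowercase mnemonic, then operands.
LINE = re.compile(r"^(?:\.text:)?([0-9A-F]{8})\s+(?:([0-9A-F]{2,})\s+)?([a-z]+)\b\s*(.*)$")

def parse(listing):
    """Return (address, mnemonic, operands) per line; comments and the '<---' marker are dropped."""
    rows = []
    for ln in listing.splitlines():
        m = LINE.match(ln.strip())
        if m:
            ops = m.group(4).split(";")[0].split("<")[0].strip()
            rows.append((int(m.group(1), 16), m.group(3), ops))
    return rows

def align(old, new):
    """Mnemonic-sequence alignment: returns (new-only instructions, [(new addr, new - old addr)])."""
    a, b = parse(old), parse(new)
    sm = SequenceMatcher(None, [r[1] for r in a], [r[1] for r in b], autojunk=False)
    inserted, shifts = [], []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            for i, j in zip(range(i1, i2), range(j1, j2)):
                shifts.append((f"{b[j][0]:08X}", b[j][0] - a[i][0]))
        elif tag in ("insert", "replace"):
            inserted += [f"{r[1]} {r[2]}".strip() for r in b[j1:j2]]
    return inserted, shifts
```

Running `align(OLD, NEW)` reports the two inserted instructions, a shift of -4 for the three instructions before them and 0 for everything from `mov edx,...` onward, matching the description in the post.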
