flat assembler
Message board for the users of flat assembler.

Index > Windows > Patching system dlls

Goto page 1, 2, 3, 4  Next
Author
Thread Post new topic Reply to topic
r22



Joined: 27 Dec 2004
Posts: 805
r22 01 Dec 2005, 22:50
On xp and xp64 you can't just brute patch a copy of the dll and then copy it back into the system directory because the next time windows boots it'll be replaced with the original.

By brute patch I mean hex editor, copy and paste your smaller function over the dlls bigger function, so the bigger functions garbage bytes get left to keep the padding.

Anyone know how to make a patch stick on xp /64. I'd guess there's a hash check going on and the patched dll is failing it.

Any ideas on how to get around this security annoyance would be appreciated.

FOR THE CURIOUS:
I made a RtlInitUnicodeString function that runs 210% faster than the one in ntdll.dll and I want to see how much of a performance boost it'll give to the operating system and programs.

If I can get this working I'll patch more slow functions :D
Post 01 Dec 2005, 22:50
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 01 Dec 2005, 22:52
Can you post the function?
Post 01 Dec 2005, 22:52
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 01 Dec 2005, 23:53
It's nothing special. I would have tried to encorperate SIMD instructions but I think I would have ran out of bytes. 84byte limit (well that was when I thought I could just hex edit the function into a system dll).

Code:
RtlInitUnicodeString22: ;;rcx=buff rdx=ucharstr 77bytes
                 xor    r9d,r9d
                 test   rdx,rdx
                 mov    dword[rcx],r9d
                 mov    [rcx+8],rdx
                 jz     .end
                 mov    r8,rdx
       .scan:
                 mov    eax,dword[rdx]

                 test   ax,ax
                 jz     .one
                 add    rdx,4
                 shr    eax,16
                 test   ax,ax
                 jz     .two
                 jmp    .scan
       .two:
                 add    rdx,2
       .one:
                 mov    eax,0fffch
                 sub    rdx,r8
                 cmp    rdx,0fffeh
                 cmovnb rdx,rax
                 mov    [ecx],dx
                 add    dx,2
                 mov    [ecx+2],dx
                 ret
       .end:
                 retn
    
Post 01 Dec 2005, 23:53
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 02 Dec 2005, 01:06
Optimizing system DLLs funtions is a good idea r22 Very Happy

About the limit of the size code remember that you can add a new code section to the executable and then modify the export table to point to that section. http://board.flatassembler.net/topic.php?t=4253

Regards,
LocoDelAssembly

PS: Are you planning to do optimizations for the 32-bit version of WinXP?

[edit]About Windows restores the original version of the DLL I didn't know. I hope you can solve that problem, good luck!![/edit]
Post 02 Dec 2005, 01:06
View user's profile Send private message Reply with quote
gunblade



Joined: 19 Feb 2004
Posts: 209
gunblade 02 Dec 2005, 10:18
Nice idea to optimize windows. About windows replacing the original file, you should look in c:\windows\system32\dllcache (its a hidden/system folder, you might need to change the viewing options in the folder options to see it). I believe those are the ones which windows uses to replace the originals if they are edited. So either delete the dll from that dllcache, or patch the file in the dll cache before patching the one in the system folder, and windows will replace the dll with the patched one.

Not sure how it checks for changes, but almost certain its that dllcache folder which is used to get the originals.

Good luck,

gunblade
Post 02 Dec 2005, 10:18
View user's profile Send private message Reply with quote
roticv



Joined: 19 Jun 2003
Posts: 374
Location: Singapore
roticv 02 Dec 2005, 17:04
Google for sfc.dll. That's your problem.
Post 02 Dec 2005, 17:04
View user's profile Send private message Visit poster's website MSN Messenger Reply with quote
Reverend



Joined: 24 Aug 2004
Posts: 408
Location: Poland
Reverend 02 Dec 2005, 22:59
MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT flag. Will exchange dlls after reboot. Works for NT only. Let's you modify even system files (that's the way viruses on windows change them - so despite all, viruses can be educational!)
Post 02 Dec 2005, 22:59
View user's profile Send private message Visit poster's website Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 02 Dec 2005, 23:35
What I've tried so far (landed me in the recovery console renaming backups)

Boot into safe mode, copy MY ntdll into /system32/ and /dllcache/ restart
Select normal boot, it gets to the windows boot logo then immediately restarts. Try booting into safe mode again, win logo immediate restart.

After getting the modified dll in SFC kicks in on the next start up and sees that the dll is wrong and then sees that the backup in dllcache is wrong too and does a hard restart.

Or there's some horrible hidden bug in my 80byte function (I doubt it).

So my only option is to permanently disable SFC which probably isn't the safest thing to do even on xp 64.

Decompile from my 'patched' ntdll
Code:
.text:0000000078EF4120                 public RtlInitUnicodeString
.text:0000000078EF4120 RtlInitUnicodeString proc near          ; CODE XREF: sub_78F13500-524CDp
.text:0000000078EF4120                                         ; .text:0000000078EC89BEp ...
.text:0000000078EF4120                 xor     r9d, r9d
.text:0000000078EF4123                 test    rdx, rdx
.text:0000000078EF4126                 mov     [rcx], r9d
.text:0000000078EF4129                 mov     [rcx+8], rdx
.text:0000000078EF412D                 jz      short loc_78EF416F
.text:0000000078EF412F                 mov     r8, rdx
.text:0000000078EF4132
.text:0000000078EF4132 loc_78EF4132:                           ; CODE XREF: RtlInitUnicodeString+25j
.text:0000000078EF4132                 mov     eax, [rdx]
.text:0000000078EF4134                 test    ax, ax
.text:0000000078EF4137                 jz      short loc_78EF414B
.text:0000000078EF4139                 add     rdx, 4
.text:0000000078EF413D                 shr     eax, 10h
.text:0000000078EF4140                 test    ax, ax
.text:0000000078EF4143                 jz      short loc_78EF4147
.text:0000000078EF4145                 jmp     short loc_78EF4132
.text:0000000078EF4147 ; ---------------------------------------------------------------------------
.text:0000000078EF4147
.text:0000000078EF4147 loc_78EF4147:                           ; CODE XREF: RtlInitUnicodeString+23j
.text:0000000078EF4147                 add     rdx, 2
.text:0000000078EF414B
.text:0000000078EF414B loc_78EF414B:                           ; CODE XREF: RtlInitUnicodeString+17j
.text:0000000078EF414B                 mov     eax, 0FFFCh
.text:0000000078EF4150                 sub     rdx, r8
.text:0000000078EF4153                 cmp     rdx, 0FFFEh
.text:0000000078EF415A                 cmovnb  rdx, rax
.text:0000000078EF415E                 mov     [ecx], dx
.text:0000000078EF4162                 add     dx, 2
.text:0000000078EF4166                 mov     [ecx+2], dx
.text:0000000078EF416B                 retn
.text:0000000078EF416C ; ---------------------------------------------------------------------------
.text:0000000078EF416C                 retn
.text:0000000078EF416C ; ---------------------------------------------------------------------------
.text:0000000078EF416D                 db 66h, 41h
.text:0000000078EF416F ; ---------------------------------------------------------------------------
.text:0000000078EF416F
.text:0000000078EF416F loc_78EF416F:                           ; CODE XREF: RtlInitUnicodeString+Dj
.text:0000000078EF416F                 mov     [rax+2], ecx
.text:0000000078EF4172                 pop     rdi
.text:0000000078EF4173                 retn
.text:0000000078EF4173 RtlInitUnicodeString endp ; sp =  8
    


I left the extra bytes from the old function in there, it shouldn't effect anything since they are after the first retn.

My replacement function scans the wide char string by dword instead of word, so maybe its hitting a memory boundary? But why would that cause a hard reboot wouldn't I at least get a blue screen on boot up if that were the case?

If anyone else wants to mess around with this
the modified ntdll.dll is at
http://www.kryogeniks.com/r22/ntdll.dll.zip
Post 02 Dec 2005, 23:35
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 03 Dec 2005, 00:18
Did you corrected the checksum of ntdll.dll? Maybe your function is OK and your problem is only that Windows detects checksum bad and reboots for that since there is no another copy with checksum good.
Post 03 Dec 2005, 00:18
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 03 Dec 2005, 01:59
I used imagehlp.dll to get the correct checksum then used tiny hexer to edit my patched dll with the right checksum.

Doing this bought me a few extra seconds of the windows xp 64 logo before my system flashed a blue screen and then restarted.

the updated dll (with correct checksum) http://www.kryogeniks.com/r22/ntdll.dll.zip

Anyone know how to make your system stop on those blue screens instead of restart, I remember seeing a setting but don't remember where.
Post 03 Dec 2005, 01:59
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 03 Dec 2005, 03:34
Yes, go to system properties (right click on "My computer" and then in "properties"), then select the tab "Advanced options", on "start and recovery" ("inicio y recuperación" on my windows Razz) click the button "configuration", and then unmark "Reboot automatically" (or "Restart automatically", I don't know the exact frase on english version).

Good luck!

[edit] Sorry, I can't test your DLL, I have an Athlon64 but a 32-bit Windows XP[/edit]
Post 03 Dec 2005, 03:34
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 04 Dec 2005, 03:33
Ok,
I tweaked the function so it would check WORDs at a time instead of DWORDS (to make sure it wasn't hitting a memory boundary).
AND I disabled the CRCDISK service but finding it in reg and setting its "start" key to 4.

Safe mode to get my patched ntdll into the system32 and dllcache folders
Reboot and freeze in normal and safe mode reboot.

Safe mode shows that it freezes after ACPITABL.DAT is loaded.
ACPITABL.DAT supposedly has to do with SATA drivers for RAID so this is odd.

Optimizing my windows kernel has become a very frustrating task.
Post 04 Dec 2005, 03:33
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 05 Dec 2005, 10:15
if you just delete system32/dllcache you save ~350Mb and windows stops replacing files by original, i always do it on new windoze instalations
Post 05 Dec 2005, 10:15
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
DC740



Joined: 01 Oct 2004
Posts: 74
Location: Argentina
DC740 05 Dec 2005, 14:09
there is a crack that replaces some windows xp dlls to stop asking for registration... DON'T USE IT, but you can check all the steps to see how it disables the dll replacing... I won't post it, it's illegal, but i'm shure you can find it... the readme says:
"
-======================================-
Windows 2003 & XP & LH
Anti Product Activation Crack 2.0.1
-======================================-
"
"-============================================================-

S$$$$$Ss. Ss. .sS
$$$ $$$ ²²$$$²² $$$
.sS$$$$S $$$ $$$ .sS$$$$S $$$ .sS$$$$Ss $$$.sS$Ss
$$$ $$$ $$$ $$$ $$$ $$$ S²' $$$ `$$$
sS$Ss.$$$ $$$.sSS²'sS$Ss.$$$ $$$ $$$ $$$ $$$
$$$' $$$ $$$ $$$' $$$ $$$ $$$ $$$ $$$
$$$ $$$ $$$ $$$ $$$ $$$ $$$ gS$ $$$ $$$
S$$Ss.$²' `²S S$$Ss.$²' `²S S$$.sSS²' S²' `²S
Okt'04 CW2K
--[ All Windows WPA-Patch 2.0 ]--

For people who don't like begging Mircosoft
for activating their Windows.

-============================================================- "

I tryied it, and works, it explains how to disable the windows file protection in the readme... and also explains a lot of things that it does... and for curious people... I've got a licensed copy of windows xp home edition, i bought it with my new computer, so i'm not doing anithing illegal....

good bye and happy coding
Post 05 Dec 2005, 14:09
View user's profile Send private message Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 05 Dec 2005, 14:18
I think optimizing is good too, but I'm afraid the patching contradicts with M$'s license ^o) doesn't it?
Post 05 Dec 2005, 14:18
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
vbVeryBeginner



Joined: 15 Aug 2004
Posts: 884
Location: \\world\asia\malaysia
vbVeryBeginner 05 Dec 2005, 16:24
Quote:
but I'm afraid the patching contradicts with M$'s license ^o) doesn't it?

maybe need to email and seek their approval first Laughing
Post 05 Dec 2005, 16:24
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 05 Dec 2005, 19:48
But why if you replace user32.dll for a completely new DLL? In that case you are not patching anything, you are using just a DLL written by you which provides all the funtionality of the original. Ways to do this incrementaly is developing a proxy DLL which forward the calls to the originals API functions in the case of functions that are not reimplemented. Of course forwarding spends some cycles because the proxy DLL must jump to the original API but maybe there is a way to trick the export table to point directly to the original API.
Post 05 Dec 2005, 19:48
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 06 Dec 2005, 00:04
Editing files on your own computer does NOT go against any license.

Editing windows and then redistributing it would be against MS license agreement but optimizing my own kernel that I purchased from microsoft is my God given right nay duty as a programmer.
Post 06 Dec 2005, 00:04
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 06 Dec 2005, 02:59
But in the case of my proposal, is ilegal distribute an open source system DLL which replace the original and relies unimplemented functions to the original by forwarding the calls? Note that actually there is no need to do reverse engineering because there is enough info in DDKs to implement some system DLLs functions.
Post 06 Dec 2005, 02:59
View user's profile Send private message Reply with quote
gunblade



Joined: 19 Feb 2004
Posts: 209
gunblade 06 Dec 2005, 10:56
locodelassembly, if i understood correctly, he isnt replacing the full DLL. He takes a copy of it, edits it, then replaces the original with the edited one.

I don't know why I didnt suggest it earlier, but someone else has beaten me to it now, that you should just remove the dllcache directory entirely. I do that to any windows installation, as I dont want windows replacing my files. It doesnt seem to cause any problems in XP nor 2k3 server.
And then you just need to patch the file in the windows directory.

Another thing if it still crashes, you could try getting SoftIce (sadly commercial Sad), but its a great debugger that you can set to start up even before windows, so that you can execute the debugger (Ctrl-D i think), while windows is booting up, allowing you to inspect dll's and drivers.

They have XP support, but maybe not 64-bit. Another idea would be running your windows installation in an emulated environment?.. If you can find an emulator somewhere which supports 64-bit emulation.

Again, good luck, and i would try the driver in my windows installation, but its 32-bit. I might still try patching a dll to see if it works anyway. I'll tell you of any findings.

gunblade
Post 06 Dec 2005, 10:56
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2, 3, 4  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.