archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/base/mvdm/wow16/kernel31/patch.txt

335 lines
15 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. This is an overview document describing how to create module patches
  2. in Windows 95.
  4. Legal aspects:
  5. --------------
  6. While we are obviously using this module-patching technology to
  7. make already-shipping apps run or run better, it is possible
  8. for us to make a mistake and wrongly patch a module. For example,
  9. there might be two similar versions of an app which need to be
  10. patched differently, but we only know about one of them. Due to the
  11. obvious liability concerns, we need to obtain authorization from
  12. the app vendor for each module patch we put into the registry.
  13. The letter must specify the name of the module, the number of the
  14. segment taking the patch, the bytes being replaced, and the new
  15. bytes taking their place. The letter can be from any responsible
  16. person at the vendor, eg. an engineer who is familiar with the code.
  17. At the same time, talking to the vendor will help us find out how
  18. many different versions there are of an app, so we can figure out
  19. how to patch each one.
  21. See brianrey if you have a module patch you want to check in.
  22. It would be a good idea to get the ball rolling on getting the
  23. letter as soon as possible after you know what the patch is, since
  24. it can sometimes take a while to get these things taken care of.
  25. We already get similar letters for app-hack bits.
  28. How to check in a patch:
  29. ------------------------
  30. Since the patch values go in the registry, and since the initial registry
  31. contents are owned by setup, you must work with Andy Hill to get your
  32. module patches checked in.
  34. A common mistake when adding app-patches to msbase.inx is to leave out
  35. field 4 (field 3 if you are a computer), which are flags. The reason
  36. for the confusion is the flag that means "This is a binary regkey" is 01,
  37. and the opcode for "Change" is also 01, so everything just shifts down
  38. one step and nobody gets hurt. Except that the patch doesn't work.
  39. eg: If you want to add a key whose value is <01,09,70,00,02,ff,76,eb,15>
  40. WRONG
  41. HKLM,"SYSTEM\...",Change,01,09,70,00,02,ff,76,eb,15
  42. BETTER
  43. HKLM,"SYSTEM\...",Change,1,01,09,70,00,02,ff,76,eb,15
  46. How to make a patch:
  47. --------------------
  48. All definitions of the structures used below are in core\kernel\patch.asm.
  50. The loader knows to look in the registry for patch data if the MCF_MODPATCH
  51. bit is set in the [ModuleCompatibility] section in win.ini.
  52. eg.
  53. [ModuleCompatibility]
  54. GENERIC=0x0002
  56. All registry keys and values for module-patching are stored
  57. under HKEY_LOCAL_MACHINE under REGSTR_PATH_APPPATCH:
  58. (from dev\sdk\inc\regstr.h)
  59. #define REGSTR_PATH_APPPATCH "System\\CurrentControlSet\\Control\\SessionManager\\AppPatches"
  61. The actual patches are values stored in the registry under
  62. REGSTR_PATH_APPPATCH\<mod_name>\<signature>\<segment_number>
  63. where
  64. mod_name = the module name
  65. signature = a signature string identifying the module version
  66. segment_number = the hex number of the segment receiving the patches
  69. Signatures:
  70. -----------
  71. Signatures are strings of ANSI characters representing hex numbers
  72. in nibble-swapped byte format (what you see in wdeb386 if you type
  73. db). Blanks and commas are ignored, and may be included for readability.
  75. The easiest way to create a signature is to run dev\tools\binw\gensig.
  76. eg. If you want to patch segment 3 in foo.dll, run "gensig foo.exe 3"
  77. and a tight signature will be written to stdout.
  79. type-1 and -2 signatures:
  80. A type-1 signature specifies a list of byte sequences with byte offsets
  81. (type-2 has word offsets) which must all match for the signature to match.
  82. A 0 byte-count marks the end of the list.
  83. A match-any-file signature is "0100".
  84. eg. signature = "01 02,00,4e,45 02,3e,0a,03 00" is a type-1 signature which
  85. || || || || || || || || || ||
  86. type --------++ || || || || || || || || ||
  87. || || || || || || || || ||
  88. byte count------++ || || || || || || || ||
  89. offset-------------++ || || || || || || ||
  90. match bytes-----------++-++ || || || || ||
  91. || || || || ||
  92. byte count------------------++ || || || ||
  93. offset-------------------------++ || || ||
  94. match bytes-----------------------++-++ ||
  95. ||
  96. terminating byte count------------------++
  97. matches if the 2 bytes starting at offset 0 in the exe header match
  98. 4e,45 ("NE") and if the 2 bytes starting at offset 3e match 0a,03.
  99. Note- DO NOT include a match on NE in your signature. This is just
  100. for illustrative purposes. The windows version and size(s) of the
  101. segment(s) being patched are good candidates.
  104. type-3, -4 and -5 signatures:
  105. Type-3, -4 and -5 signatures are similar to type-1 and -2 signatures,
  106. except that the offsets are offsets in the module file. Type-3 takes
  107. word offsets, type-4 takes 3-byte offsets, and type-5 takes dword offsets.
  108. eg. signature = "03,03,67,05,c2,0a,00,00"
  109. || || || || || || || ||
  110. type---------++ || || || || || || ||
  111. || || || || || || ||
  112. byte count------++ || || || || || ||
  113. file offset--------++-++ || || || ||
  114. match bytes--------------++-++-++ ||
  115. ||
  116. terminating byte count------------++
  117. matches if the 3 bytes at offset 567h in the file match c2,0a,00.
  120. type-6, -7 and -8 signatures:
  121. Type-6, -7 and -8 signatures specify the file size of the matching
  122. module. The number of bytes used to specify the matching file size
  123. is 2, 3 or 4 respectively.
  124. eg. signature = "06,d0,0c"
  125. || || ||
  126. type---------++ || ||
  127. file size-------++-++
  128. matches if the file size is 0cd0h.
  131. type-ff signatures:
  132. Type-ff signatures are meta-signatures and consist of a list of the
  133. other types of signatures. Each list element consists of a byte count
  134. and a sub-signature. A 0 byte-count ends the list.
  135. eg. signature = "ff 06,01,02,3e,0a,03,00 03,06,d0,0c 00"
  136. || || || || || || || || || || || || ||
  137. type---------++ || || || || || || || || || || || ||
  138. || || || || || || || || || || || ||
  139. byte count------++ || || || || || || || || || || ||
  140. sub-type-----------++ || || || || || || || || || ||
  141. sub-byte-count--------++ || || || || || || || || ||
  142. hExe offset--------------++ || || || || || || || ||
  143. match bytes-----------------++-++ || || || || || ||
  144. sub-type terminator---------------++ || || || || ||
  145. || || || || ||
  146. byte count---------------------------++ || || || ||
  147. sub-type--------------------------------++ || || ||
  148. file size----------------------------------++-++ ||
  149. ||
  150. terminating byte count---------------------------++
  151. matches if the 2 bytes at offset 3eh in the exe header match 0a,03
  152. and the file size is 0cd0h.
  155. Criteria for selecting a signature:
  156. -----------------------------------
  157. In terms of time required to validate a signature, the hExe types are
  158. the fastest, the file size types are next-fastest, and the file data
  159. types are the slowest. A signature specifying the expected Windows
  160. version (hExe offset 3e) and the file size is probably sufficient
  161. for most cases, since almost any code change changes the file size.
  162. A signature which also requires a file match on the bytes being replaced
  163. (if they are not fixed up and they are in a segment, they must be
  164. somewhere in the file!) is very good, but might be overkill.
  165. Since file match signatures hit the disk, they might noticeably increase
  166. the load time of the module.
  168. DO NOT match on the NE signature in the module header. This is
  169. just a waste of bytes, since it always matches.
  170. DO match on the file size unless you have a very good reason not to.
  171. If going through the ifs, this is a very cheap test.
  172. DO match on something, since we don't want to rely on just the
  173. name of the module. We have signatures. Use them. If you have
  174. no better idea (eg. there is only one version), match on the
  175. windows version, the size(s) of the segment(s) being patched, and
  176. the file size.
  179. Patch data:
  180. -----------
  181. The patch values specify sequences of bytes to add or replace.
  182. Add's must be placed after the end of the unpatched segment.
  183. The segment is GlobalReAlloc'd as necessary to contain the new code.
  184. Replace's must be within the limits of the unpatched segment,
  185. and they must match the sequence of old bytes in the patch value.
  186. Obviously, replaced bytes cannot contain fixups.
  187. The contents of the value string are not used, except to be sent
  188. to the debugger as a debugging aid when the value is loaded from
  189. the registry. The contents of the value data must be in REG_BINARY
  190. format.
  192. Example:
  193. --------
  194. Note: The registry key show below will not work as shown, since it
  195. has been broken into multiple lines for legibility. Join the lines
  196. together and it works.
  198. ==================================================================
  199. REGEDIT4
  201. [HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\SessionManager
  202. \AppPatches\GENERIC
  203. \ff 06,01,02,3e,0a,03,00 03,06,d0,0c 08,03,03,67,05,c2,0a,00,00 00
  204. \1]
  205. "Add"=hex:02,08,f0,03,03,c2,0a,00
  206. "Replace"=hex:01,0b,67,00,03,c2,0a,00,e9,86,03
  207. ==================================================================
  209. The Add value has data with a size of 8 bytes, saying that at offset
  210. 3f0h that the 3 bytes c2,0a,00 should be added.
  211. "Add"=hex:02,08,f0,03,03,c2,0a,00
  212. || || || || || || || ||
  213. type=Add--++ || || || || || || ||
  214. total bytes--++ || || || || || ||
  215. offset----------++-++ || || || ||
  216. byte count------------++ || || ||
  217. bytes to add-------------++-++-++
  219. The Replace value has data with a size of 0bh bytes, saying that at
  220. offset 67h that the 3 bytes c2,0a,00 should be replaced with e9,86,03.
  221. "Replace"=hex:01,0b,67,00,03,c2,0a,00,e9,86,03
  222. || || || || || || || || || || ||
  223. type=Replace--++ || || || || || || || || || ||
  224. total bytes------++ || || || || || || || || ||
  225. offset--------------++-++ || || || || || || ||
  226. byte count----------------++ || || || || || ||
  227. old bytes--------------------++-++-++ || || ||
  228. new bytes-----------------------------++-++-++
  230. The combined effect of these two changes is to replace a "retn a" at 67
  231. with "jmp 3f0" and, at 3f0 to add "retn a". The app runs exactly as
  232. before in this case, except for a small detour. When it reaches ip=67,
  233. instead of doing "retn a", it does a "jmp 3f0" and then the "retn a".
  237. Example for code segment 1 of module "INSTALL":
  238. We want to change the message number they are checking against in a WndProc
  239. from 181 to 402. So here's what ya gatta do....
  241. 1. Open a patch.ini file in your favorite editor
  244. 2. Run private\tools16\gensig.exe : gensig file.exe seg#
  245. where seg# is the 1-based HEX value of the segment you want to patch. You
  246. will see the correct segment number to use if you do a "vdmexts!lm sel"
  247. dump for the selector of interest under ntsd (it will be under the "Seg"
  248. heading).
  249. gensig install.exe 1
  250. ff06010242136500030600d600 <--- resulting hex string signature
  253. 3. Grab the resulting hex string & paste it in your patch.ini file with the
  254. following format: RegistryPath\ModuleName\HexSignature\SegNum
  256. \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppPatches\INSTALL\ff06010242136500030600d600\1
  259. 4. Now the fun part. The patch bytes list needs to be done in groups of 4 bytes
  260. because it will be converted to DWORDS later.
  262. The first DWORD is the 1-Byte_ByteCount with a bunch of leading zeros:
  263. 0x0000000B Note: this must match the 1-Byte_ByteCount in the next DWORD
  264. See "^^Note:" at the end of this section on how to
  265. calculate this.
  267. The second DWORD takes the following format:
  268. 2-Byte_CodeOffset 1-Byte_ByteCount 1-Byte_PatchCode
  269. where the 2-Byte_CodeOffset is the same offset you would type to
  270. disassemble the code under ntsd: u seg:off
  271. For this example we want to alter 3 bytes at 1:305 so we need to write:
  272. 0x03050B01
  273. \__/\/\/
  274. \ \ \___ The 1-Byte_PatchCode (01 = "replace")
  275. \ \____ The 1-Byte_ByteCount (# bytes in the entire patch string)
  276. \______ The code offset
  278. Next write a 1-Byte_PatchByteCount followed by the PatchBytes. For the 3
  279. bytes we are replacing in this example:
  280. 03 2d 81 01 2d 02 04 00
  281. \/ \/ \___/ \/ \___/ \/ ______
  282. \ \ \ \ \ \___ Zero pad the DWORD |
  283. \ \ \ \ \_______ The value "402" |
  284. \ \ \ \__________ "Sub" instruction code |-- PatchBytes
  285. \ \ \________________ The value "181" |
  286. \ \___________________ "Sub" instruction ______|
  287. \_____________________ 1-Byte_PatchByteCount
  289. Now DWORD arrange the above 4-byte clusters:
  290. 0x01812d03 0x0004022d
  292. Put this all together as follows:
  293. Change1 = REG_BINARY 0x0000000B 0x03050B01 0x01812d03 0x0004022d
  294. \/ \/
  295. \________\__ These two will be the same
  297. ^^Note: the 1-Byte_ByteCount is the count of the bytes in all of the
  298. DWORDS we built except the first one (0x0000000B in this
  299. case) and doesn't count any of the padding zeros in the
  300. last DWORD. See below:
  302. 0 bytes 4 bytes 4 bytes 3 bytes
  303. Change1 = REG_BINARY 0x0000000B 0x03050B01 0x01812d03 0x0004022d
  305. 1-Byte_ByteCount = 4 + 4 + 3 = 0xB
  309. 5. Next add another registry path entry to the "ModuleCompatibility" section:
  310. \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
  312. Followed by a REG_SZ entry for the Module:
  313. INSTALL = REG_SZ "0x0002"
  314. \____/
  315. \____ use "0x0002" for WOW in general
  316. and "0x8000" for RISC WOW only
  319. 6. The resulting patch.ini file should look like this:
  321. \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppPatches\INSTALL\ff06010242136500030600d600\1
  322. Change1 = REG_BINARY 0x0000000B 0x03050B01 0x01812d03 0x0004022d
  324. \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
  325. INSTALL = REG_SZ "0x0002"
  328. 7. Run "regini patch.ini" to update the registry
  330. 8. Install a checked krnl386 and run the app under ntsd to see any patching
  331. messages when the module loads. If you have any problems set a bp at
  332. PatchAppSegWorker in krnl386 (source: wow16\kernel31\patch.asm) and step
  333. through what's going on. Chances are you have the byte order mixed up and
  334. you can see how you will need to re-arrange the PatchBytes in patch.ini
  335. to get what you really want.