Help With running on Windows Server 2008 #3

Open
DavidSMoore11 opened this issue Oct 13, 2021 · 4 comments

@DavidSMoore11

Hello!
I tried running it on Windows 10, and it's working perfectly, so I decided to run it on other OSes as well.
I took Windows Server 2008 R2 (6.1.7601) and tested it there - I don't know why, but it's crashing :(.
After a bit of debugging the code I saw that it's crashing in getDllBase, and the crash is because dll_name->pBuffer is 0x400.

Why should it not work on Windows Server 2008? And how can I 'patch' it so it will work? It looks like all the DLLs exist...

Thank you!

@cwdel
Contributor

cwdel commented Oct 13, 2021

We did the build on Windows Server editions but not on 2008 ... we'll look into it

@DavidSMoore11
Author

So, after a bit of debugging I got the problem.
One of the DLLs used is api-ms-win-core-version-l1-1-0.dll, which is a bit different between Windows 10 and Windows 2008.
Two functions are used -
GetFileVersionInfoSizeW and GetFileVersionInfoW
The problem is that in Windows 2008 these functions do not exist; instead of these 2 functions there are 2 others -
GetFileVersionInfoSizeExW and GetFileVersionInfoExW.
(btw, the DLL is built in, but downloading and placing in System32 worked like a charm).

Maybe later I will do a PR, but for now, the fix is -
in the APIResolve.h file, replace the hashes with the following -
```c
// ---- Api-ms-win-core-version-l1-1-0.dll
#define CRYPTED_HASH_API_MS_WIN_CORE_DLL 0xf5ce0ebb
#define CRYPTED_HASH_GETFILEVERSIONINFOSIZEW 0x1fac9342
#define CRYPTED_HASH_GETFILEVERSIONINFOW 0x47da936f
#define CRYPTED_HASH_VERQUERYVALUEW 0x3927db18
```

Then, change the function signatures -
```c
typedef DWORD(WINAPI* GETFILEVERSIONINFOSIZEW)(DWORD, LPCWSTR, LPDWORD);
typedef BOOL(WINAPI* GETFILEVERSIONINFOW)(DWORD, LPCWSTR, DWORD, DWORD, LPVOID);
```

These functions are called in DumpTools.c, so you need to change the calls too -
```c
if ((sz = function_ptrs->_GetFileVersionInfoSizeW(0x01, filename, &handle)))
{
    void* info = function_ptrs->_HeapAlloc(function_ptrs->_GetProcessHeap(), 0, sz);
    if (info && function_ptrs->_GetFileVersionInfoW(0x01, filename, handle, sz, info))
    {
        VS_FIXEDFILEINFO* ptr;
        UINT len;
```

Now, it should work.

Another error that I saw is that, for no reason that I can think of, there is a DLL whose name's address is 0x400... and it's crashing because of that.
So another fix (if we can call it that) is to just ignore that DLL.
Change the getDllBase function from -
```c
if (unicode_djb2(toLower(dll_name->pBuffer)) == xor_hash(crypted_dll_hash))
    return (uint64_t)ptr_module_entry->DllBase;
```

to -
```c
if ((uintptr_t)dll_name->pBuffer != 0x400) {
    if (unicode_djb2(toLower(dll_name->pBuffer)) == xor_hash(crypted_dll_hash))
        return (uint64_t)ptr_module_entry->DllBase;
}
```

I am sorry that I didn't create a PR, will do later.
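
A more general form of the guard in the comment above, as an added example that is not code from the project or from the commenter: instead of comparing against the single value 0x400, it validates the whole name descriptor before hashing. The `USTR` struct, `ustr_is_sane`, `ustr_hash_lower` and the 64 KB threshold are assumptions for illustration (the struct mirrors the Windows UNICODE_STRING with the `pBuffer` field name taken from this thread; the hash is a plain djb2, not the project's `unicode_djb2`).

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout, modelled on the Windows UNICODE_STRING; the field name
   pBuffer follows the snippets in this thread. Lengths are in bytes. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    const uint16_t *pBuffer;  /* UTF-16 code units, not always NUL-terminated */
} USTR;

/* Assumption: Windows reserves the lowest 64 KB of user address space to
   catch NULL-pointer dereferences, so a buffer pointer below this value
   (NULL, 0x400, ...) is not a usable string in a normal process. */
#define LOWEST_VALID_ADDRESS ((uintptr_t)0x10000)

/* Returns 1 when the descriptor is safe to read, 0 when it must be skipped. */
int ustr_is_sane(const USTR *s)
{
    if (s == NULL) return 0;
    if ((uintptr_t)s->pBuffer < LOWEST_VALID_ADDRESS) return 0;
    if (s->Length == 0 || (s->Length % 2) != 0) return 0;  /* whole UTF-16 units */
    if (s->Length > s->MaximumLength) return 0;            /* inconsistent sizes */
    return 1;
}

/* Case-insensitive djb2 over exactly Length bytes (hypothetical helper).
   Writes the hash to *out and returns 1, or returns 0 without reading the
   buffer or writing *out when the descriptor is not sane. */
int ustr_hash_lower(const USTR *s, uint32_t *out)
{
    uint32_t h = 5381;
    size_t i, n;

    if (out == NULL || !ustr_is_sane(s)) return 0;
    n = (size_t)s->Length / 2;
    for (i = 0; i < n; i++) {
        uint16_t c = s->pBuffer[i];
        if (c >= 'A' && c <= 'Z') c = (uint16_t)(c + ('a' - 'A'));
        h = h * 33u + c;
    }
    *out = h;
    return 1;
}
```

Bounding the loop by `Length` also avoids relying on a terminating NUL, which a counted string does not guarantee.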

@thefLink
Collaborator

This looks great, thanks for your analysis!

I will look into it very soon and update the code :-)

thefLink added a commit that referenced this issue Oct 16, 2021
@thefLink
Collaborator

Can you verify if the changes fix your issue on Server 2008?
