Topic: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?  (Read 16722 times)


Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #140 on: April 15, 2017, 01:02:24 AM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 115
Hi slore,
Thanks for your feedback. My English is so poor that sometimes someone can't understand me.
When I said
Quote
And yes, this solution is not a good idea because with the next version of WinPE the address will be modified.
I was speaking about "my" solution, because the address base + 2F9 can change with a new version of Windows.
And yes, the WinpeSe team's solution with wind+MsgHook is the best solution, because it doesn't use a "hard" address but implements all the code that explorer.exe doesn't do.
And no, I'm not good at disassembling programs. I use WinDbg like a beginner.
Quote
just write 100 lines of code in 1 or 2 hours
Bravo! I'm not able to do that.

You said
Quote
I want to make a hard patch to switch the default jump, but explorer.exe can't start up with the change
- I use an exe and a hook.dll to do that "dynamically", and put it in earlier posts
- do you modify the checksum of the explorer file after modifying it? I suppose yes, but you don't say so, so I ask ....
- can you see something with procmon64, or save a .PML file?

note: as I understand the code and my tests, it is also the first jne that must be disabled, not only the second. The flag is base + 2F9 in build 14393. And I don't know the role of base+2F8.
Quote
00007ff6`01c96a7f 418887f9020000  mov     byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> here we do find the address of the ba
00007ff6`01c96a86 84c0            test    al,al
00007ff6`01c96a88 0f851f660700    jne     explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000  cmp     byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700    jne     explorer!`TileBadgeProviderLogging::Instance'::`2'::`   >>>>>>>>> change jne to je
So, two times 6 "NOP" (one for each jne) seems better to me, because "je" needs the "delta" of the offset to be calculated.

See you later
« Last Edit: April 15, 2017, 03:54:01 AM by noelBlanc, Reason: also modify the first jne »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #141 on: April 15, 2017, 07:57:46 AM »

slore

  • Jr. Chef
  • **
  • Date Registered: Jun 2016
  • Posts: 23
hi, noelBlanc

Such a quick reply.

>just write 100 lines of code in 1 or 2 hours
EnumWindows, check the window state and save it, then ShowWindow(Sync), something like this;
for me that is easier than the "WinDbg" things.

>- do you modify the checksum of the explorer file after modifying it? I suppose yes, but you don't say so, so I ask ....
Yes: 0f85xxxxx -> 0f84xxxxx, and then PEchecksum.exe explorer_modifed.exe.

>- can you see something with procmon64, or save a .PML file?
I will try this.

>note: as I understand the code and my tests, it is also the first jne that must be disabled, not only the second. The flag is base + 2F9 in build 14393. And I don't know the role of base+2F8.
Sorry, I had a typo in it. I changed the first jne, not the second one.
(I learned the WinDbg skill from you: I followed the Tray::ModeChange message to get BASE+171h in my version, and it is the first check in Tray::_RaiseDesktop.)

>use an exe and a hook.dll to do that "dynamically" and put it in earlier posts
I changed BASE+171h, or the jne to je, "dynamically" with Visual Studio. That also worked.

>two times 6 "NOP" (one for each jne) seems better to me, because "je" needs the "delta" of the offset to be calculated.
I will try 909090909090.

Thanks again for sharing your research (also the process) and how to disassemble explorer.exe with WinDbg. :thumbsup:
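An added example, not code from either post or from the MicroWinpeBuilder/WinpeSe projects: a Python script that applies either patch the two posts discuss (jne rel32 -> je rel32, which reuses the same 4-byte delta, or six NOPs over the whole 6-byte jne) at an address taken from the WinDbg listing, then recomputes the PE CheckSum the way PEchecksum.exe does (the CheckSumMappedFile word-sum algorithm). The "explorer" it works on is a constructed minimal PE32+ image holding only the 28 instruction bytes quoted from build 14393; the ImageBase 0x140000000, the .text layout, the resulting file offsets and the helper names are assumptions for the demo and are not the real explorer.exe values for any build.

```python
import struct

# Hypothetical helper, not the thread's code.  Header offsets assume PE32+.
JNE_REL32 = b"\x0f\x85"   # jne rel32 opcode, followed by a 4-byte signed delta
JE_REL32 = b"\x0f\x84"    # je rel32: same length, reuses the delta unchanged
NOP6 = b"\x90" * 6        # alternative: six NOPs over the whole 6-byte jne


def ones_complement_sum(data: bytes, skip_off: int = -1, skip_len: int = 0) -> int:
    """16-bit one's-complement word sum, skipping one byte range (the CheckSum field)."""
    total = 0
    padded = data + b"\0" * (len(data) % 2)
    for off in range(0, len(padded), 2):
        if skip_off <= off < skip_off + skip_len:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return (total & 0xFFFF) + (total >> 16)


def checksum_field_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 0x40   # OptionalHeader.CheckSum (PE32 and PE32+)


def pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile algorithm: word sum without the CheckSum field, plus file length."""
    return (ones_complement_sum(data, checksum_field_offset(data), 4) + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def write_checksum(data: bytes) -> bytes:
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)


def va_to_file_offset(data: bytes, va: int, module_base: int = None) -> int:
    """VA -> file offset via the section table.  For a live, ASLR-relocated
    process pass the base WinDbg shows in `lm`; otherwise the header ImageBase is used."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("PE32+ expected")
    base = module_base if module_base is not None else struct.unpack_from("<Q", data, opt + 0x18)[0]
    rva = va - base
    sections = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]
    for i in range(struct.unpack_from("<H", data, e_lfanew + 6)[0]):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sections + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch_jne(data: bytes, off: int, mode: str) -> bytes:
    """Replace the jne rel32 at file offset off with je ("je") or six NOPs ("nop")."""
    if data[off:off + 2] != JNE_REL32:
        raise ValueError(f"no jne rel32 at {off:#x}: {data[off:off + 2].hex()}")
    new = JE_REL32 + data[off + 2:off + 6] if mode == "je" else NOP6
    return data[:off] + new + data[off + 6:]


def patch_jnes_at(data: bytes, vas, mode: str, module_base: int = None) -> bytes:
    """Patch every jne at the given VAs, then fix the CheckSum field."""
    for va in vas:
        data = patch_jne(data, va_to_file_offset(data, va, module_base), mode)
    return write_checksum(data)


# Constructed sample: the bytes quoted from build 14393 in a minimal PE32+ shell.
QUOTED_CODE = bytes.fromhex(
    "418887f9020000"   # mov  byte ptr [r15+2F9h],al
    "84c0"             # test al,al
    "0f851f660700"     # jne  (first)
    "4138bff8020000"   # cmp  byte ptr [r15+2F8h],dil
    "0f8512660700"     # jne  (second)
)
SAMPLE_IMAGE_BASE, CODE_RVA, CODE_RAW = 0x140000000, 0x1000, 0x200   # assumed layout
FIRST_JNE_VA = SAMPLE_IMAGE_BASE + CODE_RVA + 9
SECOND_JNE_VA = SAMPLE_IMAGE_BASE + CODE_RVA + 22


def build_sample_pe() -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<Q", opt, 0x18, SAMPLE_IMAGE_BASE)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, CODE_RVA, 0x200, CODE_RAW,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt + section
    headers += b"\0" * (CODE_RAW - len(headers))
    return bytes(headers) + QUOTED_CODE + b"\0" * (0x200 - len(QUOTED_CODE))


if __name__ == "__main__":
    image = build_sample_pe()
    for mode in ("je", "nop"):
        patched = patch_jnes_at(image, [FIRST_JNE_VA, SECOND_JNE_VA], mode)
        print(mode, patched[0x209:0x20F].hex(), f"CheckSum {stored_checksum(patched):#010x}")
```

Two points worth noting when using this on a real file: the 00007ff6`... addresses in the WinDbg listing are post-ASLR, so pass the module base from `lm` as module_base rather than relying on the header ImageBase; and because the checksum is a word sum, the patch has to be followed by write_checksum (or PEchecksum.exe) every time, since a jne -> je change alters the sum even though the delta bytes stay the same.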

 
