Topic: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #140 on: April 15, 2017, 06:02:24 AM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 121
Hi slore,
Thanks for your feedback. My English is so poor that sometimes someone can't understand me.
When I said
Quote
And Yes, this solution is not a good idea because with the next version of winpe, the address will be modify.
I speak about "my" solution because address base + 2F9 can change with a new version of Windows.
And yes, the WinpeSe team's solution with wind+MsgHook is the best solution because it doesn't use a "hard" address but implements all the code that explorer.exe doesn't do.
And no, I'm not good at disassembling programs. I use Windbg like a beginner.
Quote
just write 100 lines code in 1 or 2 hours
Bravo! I'm not able to do that.

You said
Quote
I want make a hard patch to switch the default jump, but the explorer.exe cann't startup with the change
- I use an exe and a hook.dll to do that "dynamically" and put it in earlier posts
- do you modify the checksum of the explorer file after modifying it? I suppose yes, but you don't say so, so I ask ....
- can you see something with procmon64, or save a .PML file?

Note: as I understand the code and my test, it is also the first jne that must be disabled, not only the second. The flag is base + 2F9 in build 14393. And I don't know the role of Base+2F8.
Quote
00007ff6`01c96a7f 418887f9020000  mov     byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> here we do find the address of the ba
00007ff6`01c96a86 84c0            test    al,al
00007ff6`01c96a88 0f851f660700    jne     explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000  cmp     byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700    jne     explorer!`TileBadgeProviderLogging::Instance'::`2'::`   >>>>>>>>> change jne to je
So, 6 "NOP"s twice (one for each jne) seems better to me because "je" needs the offset "delta" to be calculated.

See you later
« Last Edit: April 15, 2017, 08:54:01 AM by noelBlanc, Reason: also modify the first jne »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #141 on: April 15, 2017, 12:57:46 PM »

slore

  • Jr. Chef
  • **
  • Date Registered: Jun 2016
  • Posts: 29
Hi, noelBlanc

Such a quick reply.

>just write 100 lines code in 1 or 2 hours
EnumWindow, check window state and save them, then ShowWindow(Sync), something like this;
for me that is easier than the "Windbg" things.

>- do you modify the checksum of the file explorer after modify it ? I suppose yes but you don't say that. so i ask ....
Yes, 0f85xxxxx -> 0f84xxxxx, and PEchecksum.exe explorer_modifed.exe.

>- can you see with procmon64 some thing or make a save file .PML ?
I will try this.

>note : as i understand the code and my test, it is also the first jne that must be disable not only the second. The flag is base + 2F9 in build 14393. And i don't know the role of Base+2F8.
Sorry, I had a typo in it. I changed the first jne, not the second one.
(I learned the windbg skill from you; I followed the Tray::ModeChange message to get BASE+171h in my version, and it is the first check in Tray::_RaiseDesktop)

>use a exe and hook.dll to do that "dynamicaly" and put it on early posts
I changed BASE+171h, or the jne to je, "dynamically" with Visual Studio. That also worked.

>twice 6  "NOP" ( one for each jne ) seems to me to be better because "je" need to calculate the "delta" of offset.
I will try the 909090909090

Thanks again for sharing your research (also the process), and how to disassemble explorer.exe with windbg. :thumbsup:
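As an added example (not code from this thread or from the MicroWinpeBuilder scripts): the PE image checksum that the PEchecksum.exe step above refreshes, reimplemented in Python, with a constructed 192-byte MZ/PE header stub standing in for explorer.exe. It shows why noelBlanc's checksum question matters: a byte changed without refreshing the field makes the stored value disagree with the file, which a simple integrity check can catch.

```python
import struct

OPT_HDR_CHECKSUM_OFFSET = 64  # CheckSum field offset inside the optional header


def _checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum; validates the MZ/PE skeleton first."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe_off + 4 + 20 + OPT_HDR_CHECKSUM_OFFSET  # signature + COFF header + field


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way CheckSumMappedFile does (dword-aligned header assumed)."""
    cs_off = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)  # the sum runs over whole dwords
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue  # the stored CheckSum dword is excluded from its own sum
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)  # original (unpadded) length is added last


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def checksum_ok(data: bytes) -> bool:
    """True when the header's CheckSum matches the bytes on disk."""
    return stored_checksum(data) == pe_checksum(data)


def with_updated_checksum(data: bytes) -> bytes:
    """Return a copy whose CheckSum field is refreshed (what PEchecksum.exe does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed 192-byte MZ/PE header stub for the demo; it is not a runnable EXE."""
    buf = bytearray(0xC0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    # the 6-byte 'jne rel32' (0f 85 12 66 07 00) quoted from the WinDbg listing above
    buf[0xB0:0xB6] = bytes.fromhex("0f8512660700")
    return bytes(buf)
```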

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #142 on: April 27, 2017, 03:48:33 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 121
Hi,
@slore: I hope you reach your goal.

I'm happy, I got a winpe for version 1703 (rs2) with my scripts written in PS. I detected many bugs.
The first (and I forget it each time I'm in front of a new version) is the missing D2D1.DLL.MUI. With DWM, winpe displays a black screen. Cursors are displayed, but not the border and not the text of a cmd box.
And for research, I use procmon and the "capture on boot" functionality: very friendly in a VHD and Flat mode!

Also, in my last PDF, I put an email address. And I'm happy to receive an email. And happy to help to get a winpe (1607) produced by ADK with mstsc and NLA, with nothing else.
For fun I got mstsc with NLA in the winpe 1703, in which the implementation of NLA is a little different than in winpe 1607.

Currently, I meet a lot of anomalies with the 1703 version. The main one: Desktop/explorer hangs with the System session. And also delays for the ADM session.

I'm going biking for a long time from 15 May. So I'm not sure I can finish the PDF and scripts. Maybe in a few months.
« Last Edit: May 05, 2017, 04:28:33 PM by noelBlanc, Reason: many anomalies with version 1703 »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #143 on: October 04, 2017, 04:17:36 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 121
Hello
Version 1703 imposes many changes in the PDF file and in my scripts.
Several anomalies have appeared with this version.
I have tested very little and I have not made any changes to the scripts since I left in May.

MSTSC with NLA works in this version: this is the only point I really tested.

I just finished the update of the PDF file v3.6. Main additions:
- an investigative method when switching to a new version when nothing works
- Launch of Procmon.exe automatically when starting WINPE: all activity is captured

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #144 on: November 16, 2017, 03:20:44 AM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 121
Hello,
After more than a week without understanding why the popup menu "NEW" was empty, I ended up finding what Chrisr and the Theoven team had found a very long time ago.
And besides, I checked their script as a final check, to be sure I had all the elements in hand.
Bravo to them.
I drop my scripts adapted for V1709, which do not serve much but which are the result of my long evenings of laborious quest.
I will do a little bit of doc to explain another method of investigation:
From a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10: services, files, keys and also the elements added by the installation phase of W10 (very important to keep that in mind)

But since I have to reinstall everything to validate, this will be for later.

In this new version for only v1709:

USB printers are always available. But it requires a bit of personal work to inject the drivers of one's printer and modify the scripts.
Network printers are available for the ADM session only.
I try to make them visible in the control panel "Devices and Printers"
IE64 OK for ADM, but F12 NOK and download NOK for System
MSTSC works from the System session with the NLA mode

I am trying to run Termservice (incoming call in WinPE). For fun, because not really useful.

"Tscon.exe 1" resists me.
(Because of my bad English I use a translator...)

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #145 on: November 17, 2017, 09:27:58 PM »

slore

  • Jr. Chef
  • **
  • Date Registered: Jun 2016
  • Posts: 29
Hi, noelBlanc

Nice to see you back, to continue some research.  :great:

Quote
I will do a little bit of doc to explain another method of investigation:
From a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10, services, files, keys and also the elements added by the installation phase of W10 (very Important to keep that in mind)

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #146 on: November 18, 2017, 04:08:11 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 121
Hi Slore,
Happy to see you again. :smile:

My goal to occupy this early winter:
- in a VM (Hyper-V), I install a W10Ent
- I put new objects and modify some others
- and now the VM boots under Winpe with a "big" context (files, keys, new objects, etc., which came with the install)

It's well documented on the internet (perhaps on this site). It's not the first time I use it. I think it's another good way to investigate.
It's an easy way to disable services or drivers, compare files, etc.
It needs some time to modify manually.

I try to note the modifications in the attached files before updating my pdf.

The next action (next week) is to put the VHD on a USB disk and boot on a physical machine. I hope hardware recognition will be OK.

The real reason is that I do not find how to make the printers appear in the "classic" winpe configuration panel, while they appear fine in this "obese" winpe.
Same for MSTSC from a computer to a winpe machine (yes, not very useful to see the screen of winpe on my computer, but fun to search).
The ADM session is not very good in this big winpe.

I just tried the VHD in a physical machine: it works very well, mp4, printers, and I can use mstsc from another computer via RDP.
« Last Edit: November 18, 2017, 05:55:38 PM by noelBlanc, Reason: test vhd in physical machine = OK »