Monday, April 21, 2008

Advapi32 patch for new Windows OS versions

This is an update of my previous post about the patching of advapi32 dll. You'll find here patches for Windows 2003 Server SP2, Windows Vista, Windows Server 2008 and Windows Vista SP1. The last two platforms share the same version of the advapi32 dll.
  • Windows 2003 SP2: advapi32 version = 5.2.3790.3959
    • At offset 0x11E3F : change 75 to 90
    • At offset 0x11E40 : change 08 to 90
    • At offset 0x11E47 : change 74 to EB
  • Windows Vista : advapi32 version = 6.0.6000.16386
    • At offset 0x37B7D : change 0F to 90
    • At offset 0x37B7E : change 84 to E9
    • At offset 0x4B66D : change 0F to 90
    • At offset 0x4B66E : change 85 to 90
    • At offset 0x4B66F : change 10 to 90
    • At offset 0x4B670 : change C5 to 90
    • At offset 0x4B671 : change FE to 90
    • At offset 0x4B672 : change FF to 90
  • Windows 2008 and Windows Vista SP1 : advapi32 version = 6.0.6001.18000
    • At offset 0x2420C : change 75 to 90
    • At offset 0x2420D : change 0C to 90
    • At offset 0x24214 : change 0F to 90
    • At offset 0x24215 : change 84 to E9

9 comments:

Unknown said...

Hi,
Have you maybe found patch for the 64-bit Vista SP1 (version 6.0.6001.18000)?
Thanks in advance!

Mounir IDRASSI said...

I didn't have the occasion to install this version of Vista and for the time being I don't think I'll have time to do this...Maybe in two weeks time...
If you are on a harry, you can send me your copy of advapi32 and I'll see if I can find a patch without running the system (possible but not always!!).
Cheers,

Anonymous said...
This comment has been removed by the author.
Anonymous said...

Hi,

Refer to ur post, you already informed that I need to change all the offset value.
My question is, I didn’t have the source for the advapi32.dll. How can I change the things?
I really appreciate ur answer coz I'm new with this security things.

Thanks.

Mounir IDRASSI said...

Hi,

Just copy the advapi32 file in System32 to another place and then use any hexadecimal editor to change the values at the indicated offsets. For example, you can use HxD for that (http://mh-nexus.de/en/).
Once you have the patched copy, you have to boot on another OS that shares that same drive or access directly the hard drive, in any case this must be done outside Vista. Then, replace the advapi32 in System32 by the one you modified following my indications.
You also must replace the one in the folder x86_microsoft-windows-advapi32_31bf3856ad364e35_
6.0.6001.18000_none_e34851aa8681b8b0
under C:\Windows\winsxs\.
Last thing to do is to rename the patched advapi32.dll file to x86_microsoft-windows-advapi32_31bf3856ad364e35_
6.0.6001.18000_none_e34851aa8681b8b0
_advapi32.dll_9512793c
and then put it in "C:\Windows\winsxs\Backup", thus overwriting the existing one.

Once all these actions done, start your Vista. The patched advapi32 should be working now.
You may also disable automatic Windows Updating because it can detect that the advapi32 has been altered and thus it will block your system.

Anonymous said...

Hi Mounir,

I already try to look for 2420C for Vista SP1-32 bit platform, but I couldn't find any. I already emailed to u the advapi32.dll.

Thank You.

Mounir IDRASSI said...

0x2420C is an offset (starting from the begining of the file). It's not a value content on the file.
An offset is the number of bytes you should skip before finding the right one. The offset is given in hexadecimal format because this is the standard way to do it. You can convert it to decimal: this will give you 147980, which means that you should go to the 147980th byte of the file.

Anonymous said...
This comment has been removed by the author.
Anonymous said...

Hi Mounir,

Thanks for ur help.

I almost done with my code. Thanks a lot.