Post subject: The Longhorn Kernel-Mode Timebomb | Posted: Sat May 04, 2019 11:24 pm
Donator | Joined: Mon Jul 23, 2012 9:40 pm | Posts: 1017 | Location: MD N10DC | Favourite OS: NT3.X Family
For a while, every time I mention it, some users have scoffed at the idea of a "secret/special" kernel-mode timebomb present within many pre-reset Longhorn builds. I now have evidence of its existence:

Image
This came up in a Longhorn 4042 install. All employable methods to disable the timebomb have been used. This is not faked.
Lenovo x230t with i7-3520m. The computer does not restart automatically, unlike a proper kemode.

There is no circumstance in particular that triggers it, other than being run past expiry date. Maybe it comes up after 2 hours of use, maybe it comes up after 6. It just comes up whenever.
In Longhorn 4033 in particular, the timebomb involves many services directly started by Winlogon. They will cease to function when the timebomb is set to go off. Then some time later, the above blue-screen invades the screen.

For some reason this special timebomb does not work in virtual machines, only on true hardware, which is why nobody else has ever seen it. I'm currently looking into this, and I would like to know other users' perspectives. As per forum rules, this is not a request for a debomb, but for information on how it works.

It is interesting to note that this bugcheck (or one like it) is not seen again until Windows 7 development. How it is triggered there is undoubtedly different.

_________________
Quote:
"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off"


Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Sun May 05, 2019 9:09 am
Joined: Wed Feb 19, 2014 5:09 pm | Posts: 13 | Favourite OS: 4074
I think this is after 6 hours, because my friend was not shutting down the PC and got this BSOD.


Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Sun May 05, 2019 9:42 am
FTP Access | Joined: Wed May 02, 2012 12:57 am | Posts: 374 | Favourite OS: Windows NT 3.x
NT4 has a similar bugcheck that is tied to the kernel synchronizing its internal clock (with the CMOS clock, even though the generally more accurate system clock is also available). The system won't immediately fail upon expiry, but will set a flag that will fall through to the bug check the next time the system decides to synchronize its internal clock, which might be whenever. Maybe it's related, or not...


Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Sun May 05, 2019 10:05 am
FTP Access | Joined: Wed Apr 17, 2019 2:29 pm | Posts: 7 | Favourite OS: 3683
Interesting, I'm currently trying to install Longhorn 3718 on a real PC.


Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Sun May 05, 2019 3:40 pm
Donator | Joined: Thu Oct 25, 2012 8:19 pm | Posts: 1820 | Location: shell32.dll
I did actually have it trigger on a 4042 VMware VM back ages ago when I was discussing this exact thing with someone else. I ended up patching the kernel to remove the entire BSOD, which is pretty nuclear but it seemed to work.

_________________
Windows Defender for great justice! Bugs are an international trading company. I need to defeat the anti-debugging and obfuscation methods. It wasn't for Intel's absurd ability to load in ie6. Why even waste time with people in an envelope?


Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Sun May 05, 2019 10:05 pm
Donator | Joined: Mon Jul 23, 2012 9:40 pm | Posts: 1017 | Location: MD N10DC | Favourite OS: NT3.X Family
3155ffGd wrote:
NT4 has a similar bugcheck that is tied to the kernel synchronizing its internal clock (with the CMOS clock, even though the generally more accurate system clock is also available).
[SNIP]
Maybe it's related, or not...

That may be sort of related with 4033, except controlled with a user-mode service. When I connect to any network with internet access I guess something synchronizes with a time server, setting a trip flag in winlogon killing every service controlled/started by winlogon. Shortly after, that kemode "crash" comes up. Since winlogon has ties with kernel mode, it is plausible it can trip it.
If I do not connect to a network, all is fine. Very intriguing.
And again I've never had it occur in a VM. Only a real PC.

>Wheatley
What vmware version may I ask? I use workstation 7.1 and I've never had it happen.

>Rexon
AFAIK, M3 builds do not possess the "enhanced" timebomb. TweakNT and the winlogon hack and you're good to go. Maybe even slap AntiWPA into the mix.



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Mon May 06, 2019 10:21 am
Donator | Joined: Thu Oct 25, 2012 8:19 pm | Posts: 1820 | Location: shell32.dll
yourepicfailure wrote:
>Wheatley
What vmware version may I ask? I use workstation 7.1 and I've never had it happen.

Something > 10, can't remember. This was a few years ago, so I don't have a more accurate version number to give.



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Mon May 06, 2019 8:11 pm
Donator | Joined: Mon Jul 23, 2012 9:40 pm | Posts: 1017 | Location: MD N10DC | Favourite OS: NT3.X Family
Thanks to Wheatley for helping point me in the right direction over pm.

I went through ntoskrnl with IDA. In essence, at some point during the system initialization a query is made to find the current system time, KeQuerySystemTime. It then checks if that value is greater than or equal to a hard-coded expiry date value. If that condition is met, a variable is written as 1, or true. A KeSetTimer is made to restart that check later. When the timer finishes, this query code is rerun. This time, because that special variable is now true, an if condition is met within that code making a call to the undocumented API PoShutdownBugCheck with bugcheckparameter1 0x98u. And to quote https://supportline.microfocus.com/kbdocs/KBdo10789.HTM:
PoShutdownBugCheck essentially enables a controlled "crash" like KeBugCheckEx, except providing a choice of power option to do after, e.g. halt or restart. In this case the choice is to halt without reboot.

Basically, this kernel timebomb checks the date/time and if past expiry date says "hey we might be running past the expiry date. Throw expired as true and 2 hours later rerun this check to make sure we're really expired and if so let's tell the user by crashing."

This is very similar to what 3155ffGd described.



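As an added illustration (not the kernel's code and not from any poster in this thread), the two-pass check described above modelled in C: a clock value compared with a hard-coded expiry, a flag set and a re-check scheduled on the first hit, and a halt on the second. The type and function names, the expiry value and the tick representation of the two-hour delay are assumptions.

```c
/* Constructed model of the deferred expiry check the post describes:
 * the clock is compared with a hard-coded expiry, the first hit only
 * sets a flag and schedules a re-check, the second hit halts the machine.
 * All names and the expiry value are made up for illustration. */
#include <stdbool.h>
#include <stdint.h>

/* Clock values are 100-ns ticks, the unit KeQuerySystemTime reports in. */
#define TICKS_PER_HOUR  (3600ULL * 10000000ULL)
#define RECHECK_DELAY   (2 * TICKS_PER_HOUR)   /* "2 hours later rerun this check" */

typedef enum { ACTION_NONE, ACTION_ARM_TIMER, ACTION_HALT } action_t;

typedef struct {
    uint64_t expiry;     /* hard-coded kill date (constructed value) */
    bool     expired;    /* the flag written as 1 on the first hit */
    uint64_t timer_due;  /* tick at which the deferred re-check fires; 0 = none */
    bool     halted;     /* the PoShutdownBugCheck(halt) path was reached */
} timebomb_t;

/* One run of the check with the value the clock query returned. */
static action_t timebomb_check(timebomb_t *tb, uint64_t now)
{
    if (tb->halted)
        return ACTION_HALT;
    if (now < tb->expiry)                /* still in date: nothing happens */
        return ACTION_NONE;
    if (tb->expired) {                   /* second pass past expiry: controlled crash */
        tb->halted = true;
        return ACTION_HALT;
    }
    tb->expired = true;                  /* first pass: remember, re-check later */
    tb->timer_due = now + RECHECK_DELAY;
    return ACTION_ARM_TIMER;
}

/* Timer service: runs the deferred check once it is due. Returns true once halted. */
static bool timebomb_tick(timebomb_t *tb, uint64_t now)
{
    if (tb->timer_due != 0 && now >= tb->timer_due) {
        tb->timer_due = 0;
        timebomb_check(tb, now);
    }
    return tb->halted;
}
```

A machine booted with its clock before the expiry never arms the timer; one booted past it keeps running until the deferred check fires, which is why the crash appears some time after boot rather than immediately.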
Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Wed May 15, 2019 6:46 pm
Donator | Joined: Mon Jul 23, 2012 9:40 pm | Posts: 1017 | Location: MD N10DC | Favourite OS: NT3.X Family
I have successfully disabled 4042's kernel timebomb, removing the 2 hour blue-screen. See "System Up Time"
Image

As per forum policy I can't publish the patched kernel files, but I'll leave some information on it. This is a comparison between the unpatched ntkrnlmp and the patched version in IDA.
Image

I opted to use jump if not equal to replace the jump if less than, because there is a 99.99% chance nobody will boot their system with perfect timing to get their date/time equal to the hardcoded kill date when the check is run. I used a jump if equal to replace the jump if greater than because even if someone did get the timing perfect, two hours later the date/time check code will be rerun and will bypass the jz (which triggers the timebomb crash on the second go around) because the current date/time will no longer be equal to the kill date.

Here are the addresses to jump to for that bit of code:
ntkrnlmp.exe - loc_5DA255
ntkrnlpa.exe - loc_5E08E5
ntkrnlup.exe - loc_5CF8E5
ntoskrnl will likely be ntkrnlmp.exe. Compare your file sizes for confirmation.

I have no idea of the addresses to jump to for other builds of Longhorn, haven't tried them yet. But the timebomb code should be similar across the pre-reset builds. The keyword to search for is "PoShutdownBugCheck." Search for that in IDA and eventually you'll get to the right area.

I will not patch the files for you. Please don't ask.



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Thu May 16, 2019 4:53 am
Donator | Joined: Sat Sep 09, 2006 6:43 am | Posts: 773 | Favourite OS: Win10/Debian Linux
Hopefully this is ok. I looked at your patching locations and came up with the following, which may be applicable to other kernels (untested):

ntkrnlmp:
Search for: 7C 63 7F 0B 8B 45 F4 3B 05 00 79 60 00 72 56 38
Replace with: 75 63 7F 0B 8B 45 F4 3B 05 00 79 60 00 72 56 38

Search for: 7F 0B 8B 45 F4 3B 05 00 79 60 00 72 56 38 1D 10
Replace with: 74 0B 8B 45 F4 3B 05 00 79 60 00 72 56 38 1D 10

_________________
Need disks scanned in the USA? I have a Kryoflux, and am willing to help get your disks archived! I also offer xbox and xbox 360 repair and modding services. PM me for details!


Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Thu May 16, 2019 5:20 am
Donator | Joined: Mon Jul 23, 2012 9:40 pm | Posts: 1017 | Location: MD N10DC | Favourite OS: NT3.X Family
Looks about right for those with only hex editors. I'll come up with the hexes for pa and up soon. I should've provided hex as well in the first place...
Maybe in the future we can make something for Melcher to put on his site, but it can't be posted here. Thinking universal tool?

Me personally I'm trying to keep this on the low because lately staff has been cracking down on... cracks and timebomb defeats. So I apologize for the meanish tone.

EDIT: The hexes for pa and up:
Image
Modified on top, original on bottom.

Are the same for all kernel variants. Just different addresses.
So jimmsta, it appears the hex should work for other variants. Now to determine if it'll work on other builds.

I combined the two because I know some users out there will be confused.
search for: 7C 63 7F 0B 8B 45 F4 3B 05 00 79 60 00 72 56 38
replace with: 75 63 74 0B 8B 45 F4 3B 05 00 79 60 00 72 56 38



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Thu May 16, 2019 5:38 pm
Donator | Joined: Sat Sep 09, 2006 6:43 am | Posts: 773 | Favourite OS: Win10/Debian Linux
I tend to just use 86Box and set its time to a time of the build's era. Patching the kernel is a modification, and obviously frowned down upon -- especially if someone goes and patches the builds and then releases them as real builds -- fakes are a huge problem. I only did this as an exercise for myself in building binary patches.



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Thu May 16, 2019 6:15 pm
FTP Access | Joined: Wed Sep 13, 2017 1:26 am | Posts: 335 | Location: Tlajomulco de Zuñiga, Jalisco, Mexico | Favourite OS: Windows Longhorn 6.0.4093
Offtopic Comment
Who would release these "fakes"? Bearing in mind the fact that they would have to recompile an entire ISO.



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Thu May 16, 2019 9:45 pm
Donator | Joined: Thu Oct 25, 2012 8:19 pm | Posts: 1820 | Location: shell32.dll
Offtopic Comment
Honestly, I find the possibility of fakes as a reason for frowning upon kernel and other modifications lousy at best - in order to do a convincing job at it, too much effort is needed for pretty much no gain. Sure, some aspects of the patching could be automated, but after that it would be too easy to miss important details, such as:
- File creation/modification times
- Slightly less obvious files with build numbers and/or dates in them
- Binary comparisons showing all parts except the build number as identical to the "base build" - this would be found out near-instantly the second one opens a few files in a hex editor.

Anyway, I'm not entirely sure what this has to do with a very specific kernel patch that has nothing to do with build tags...



Post subject: Re: The Longhorn Kernel-Mode Timebomb | Posted: Thu May 16, 2019 10:42 pm
Donator | Joined: Mon Jul 23, 2012 9:40 pm | Posts: 1017 | Location: MD N10DC | Favourite OS: NT3.X Family
Offtopic Comment
Not to mention there are folks that like to go digging through files...


Through digging within 4033-4074, I can confirm this is the final hex to search for:
7C 63 7F 0B 8B 45 F4 3B

Replace with:
75 63 74 0B 8B 45 F4 3B

It remains unchanged throughout that build range. All other builds are unverified.
There is only one instance of that set of bytes for these kernel binaries.


