Loading an alternative SOFTWARE hive on XP - Whatever workaround will be accepted
joakim
post Feb 6 2010, 07:41 PM
Post #1
I am simply wondering if anybody ever managed to successfully boot with an alternative SOFTWARE hive. And if you did, what exactly did you do?

The theories are many, I don't want them. I want a verified working sample solution.

I am simply looking for a way to load a renamed SOFTWARE hive (read not SYSTEM hive)!

Does not matter if PE or not.

Thanks

Joakim
JFX
post Feb 7 2010, 06:10 AM
Post #2
Renaming the hive doesn't work, but renaming the folder does.

In ntoskrnl.exe (or the respective other kernel) search for all Unicode occurrences of

\SystemRoot\System32\config\ and replace it as you like.

Note there is still the system hive in \SystemRoot\System32\config\ needed, but just to verify that it exists.

All hives will be loaded from the new folder.

jaclaz
post Feb 7 2010, 07:56 AM
Post #3
I'll throw this oneliner in, only for the fun of it.

QUOTE
On NTFS, think about using hard links.


jaclaz
joakim
post Feb 7 2010, 06:48 PM
Post #4
@JFX
Thanks for the hint. I never thought of renaming the path. I was too focused on renaming the hive. Renaming the 2 occurrences of \config\ did not work. Even patching ntldr did not work. Not entirely true, as it is possible to patch ntldr to load an alternative SYSTEM hive, but it will bsod when the SOFTWARE hive is not found. What I did was: patch them to search in \confag\ instead of \config\. I renamed the folder so that \config\ is non-existent. It's too late to dig further and I will be away for the next 3 days. Maybe you would describe in detail how you managed to load an alternatively placed SOFTWARE hive.

@jaclaz
I don't know what a hardlink or junction point will make for a difference. Last time I studied its features I got the impression that it was only linking 1 level without any options to choose from, when executing the link. The point is to have 2 SOFTWARE hives and be able to choose at boot-time which one to load (assuming an alternative to something implies at least 2 of its kind).

Joakim
CWorks
post Feb 7 2010, 07:29 PM
Post #5
QUOTE (JFX @ Feb 7 2010, 05:50 AM)
Note there is still the system hive in \SystemRoot\System32\config\ needed, but just to verify that it exist.

All hives will be loaded from new folder.
jaclaz
post Feb 8 2010, 06:45 AM
Post #6
QUOTE (joakim @ Feb 8 2010, 12:28 AM)
@jaclaz
I don't know what a hardlink or junction point will make for a difference. Last time I studied its features I got the impression that it was only linking 1 level without any options to choose from, when executing the link. The point is to have 2 SOFTWARE hives and be able to choose at boot-time which one to load (assuming an alternative to something implies at least 2 of its kind).

Well, you didn't state the bolded italic part in your original post.

The idea is to make on the NTFS filesystem (while "main" system is "offline") a Hard Link to another location for each of the files.
Then see if it works.
Then when wanting to "exchange" hives, do a pre-boot in another OS and change the hard links targets to the "other set" of hives.
I presume that it is possible to write a "direct disk editor" capable of altering the data in the NTFS filesystem in a pre-boot environment (like grub4dos).

There are source code examples for making hard links:
http://win32.mvps.org/ntfs/lnw.html
http://www.delphisources.ru/pages/faq/base...bolic_link.html
http://www.delphi3000.com/articles/article...sp?SK=hardlinks

Some interesting info on hard links:
http://schinagl.priv.at/
http://schinagl.priv.at/nt/hardlinkshellex...nkshellext.html
http://schinagl.priv.at/nt/ln/ln.html

What I tried (and works) is (on an offline system volume):
create a <drive letter>\WINDOWS\System32\confag directory
move to it from <drive letter>\WINDOWS\System32\config:
  • DEFAULT
  • DEFAULT.LOG
  • SAM
  • SAM.LOG
  • SECURITY
  • SECURITY.LOG
  • SOFTWARE
  • SOFTWARE.LOG
  • SYSTEM
  • SYSTEM.LOG

Create corresponding hard links:

CODE
fsutil hardlink create K:\WINDOWS\system32\config\DEFAULT K:\WINDOWS\system32\confag\DEFAULT
fsutil hardlink create K:\WINDOWS\system32\config\DEFAULT.LOG K:\WINDOWS\system32\confag\DEFAULT.LOG
fsutil hardlink create K:\WINDOWS\system32\config\SAM K:\WINDOWS\system32\confag\SAM
fsutil hardlink create K:\WINDOWS\system32\config\SAM.LOG K:\WINDOWS\system32\confag\SAM.LOG
fsutil hardlink create K:\WINDOWS\system32\config\SECURITY K:\WINDOWS\system32\confag\SECURITY
fsutil hardlink create K:\WINDOWS\system32\config\SECURITY.LOG K:\WINDOWS\system32\confag\SECURITY.LOG
fsutil hardlink create K:\WINDOWS\system32\config\SOFTWARE K:\WINDOWS\system32\confag\SOFTWARE
fsutil hardlink create K:\WINDOWS\system32\config\SOFTWARE.LOG K:\WINDOWS\system32\confag\SOFTWARE.LOG
fsutil hardlink create K:\WINDOWS\system32\config\SYSTEM K:\WINDOWS\system32\confag\SYSTEM
fsutil hardlink create K:\WINDOWS\system32\config\SYSTEM.LOG K:\WINDOWS\system32\confag\SYSTEM.LOG


I tested on the very minimal XPCLI, and it booted all right.

jaclaz

P.S.: Just tried with a junction point of the whole "config" folder, but it did not work, so it seems like hard links 1 - Junction Points 0
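An added example, not jaclaz's code: the same hive set linked with os.link instead of fsutil, plus the check a practitioner wants afterwards, namely that each name under config still refers to the same file as its twin under the alternative folder. The directory names, the placeholder hive contents and the temp-directory layout are constructed for the demo; on a real offline volume you would point it at the WINDOWS\System32 paths from the post.

```python
import os
import tempfile

# The hive set the post moves into "confag" and hard-links back into "config".
HIVE_SET = ["DEFAULT", "DEFAULT.LOG", "SAM", "SAM.LOG", "SECURITY",
            "SECURITY.LOG", "SOFTWARE", "SOFTWARE.LOG", "SYSTEM", "SYSTEM.LOG"]


def link_hive_set(config_dir, alt_dir):
    """Equivalent of the fsutil commands: create config_dir\\name as a hard
    link to alt_dir\\name for every hive in the set. Returns the names linked."""
    os.makedirs(config_dir, exist_ok=True)
    for name in HIVE_SET:
        os.link(os.path.join(alt_dir, name), os.path.join(config_dir, name))
    return list(HIVE_SET)


def same_file(a, b):
    """True when a and b are hard links to one file record on the same volume."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def check_hive_links(config_dir, alt_dir):
    """Map each hive name to whether config_dir\\name still is the same file as
    alt_dir\\name; a hive deleted and recreated (not rewritten in place) reports False."""
    result = {}
    for name in HIVE_SET:
        a, b = os.path.join(config_dir, name), os.path.join(alt_dir, name)
        result[name] = os.path.exists(a) and same_file(a, b)
    return result


def demo():
    """Constructed layout in a temp dir (placeholder files, not real hives)."""
    root = tempfile.mkdtemp()
    config, confag = os.path.join(root, "config"), os.path.join(root, "confag")
    os.makedirs(confag)
    for name in HIVE_SET:
        with open(os.path.join(confag, name), "wb") as f:
            f.write(b"placeholder " + name.encode())
    link_hive_set(config, confag)
    before = check_hive_links(config, confag)
    sw = os.path.join(config, "SOFTWARE")
    os.remove(sw)                      # a tool replacing the file breaks the link
    with open(sw, "wb") as f:
        f.write(b"placeholder replaced")
    return before, check_hive_links(config, confag)
```

The second result from demo() shows why the check matters: anything that replaces a hive file rather than writing it in place silently detaches it from the other set.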
JFX
post Feb 8 2010, 10:28 AM
Post #7
@joakim
I have just replaced the Unicode string \SystemRoot\System32\config\ with \SystemRoot\System32\confi1\ in ntoskrnl.exe with WinHex and saved it as ntoskrn1.exe

Then fixed the PE checksum with modifype. (The Vista version may also need a new certificate and testsigning switched on.)

Then I copied the config folder to confi1 and added this line to boot.ini:

CODE
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows 2003 confi1" /KERNEL=ntoskrn1.exe /noexecute=optout /fastdetect


The Default, sam, security and software hives will be loaded from the confi1 folder.

But with the system hive I may have been wrong, you're right, it's loaded by ntldr. It seems to cause problems if both are not identical.
(Wonder how I could boot with a 0 byte dummy one; maybe I mixed things up with PE mode.)

Best idea would be to also adjust NTLDR to load it from a different folder.

Just a theory why renaming the hive doesn't work. I guess the kernel uses the string 'Software' for both the file name and the target location under \REGISTRY\MACHINE\.
So a renamed hive would not be loaded as \REGISTRY\MACHINE\SOFTWARE.

However, this method will waste a lot of disk space if used together with the detecthal feature.
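An added example, not JFX's tooling or code from this thread: the integrity side of what the post describes. It locates the UTF-16LE config-path string the way a hex editor's Unicode search does, and recomputes the PE image checksum that modifype repairs, so an administrator can tell whether a kernel image still carries its original path and a checksum that matches its contents. The minimal MZ/PE buffer is constructed here and stands in for a real ntoskrnl.

```python
import struct

CONFIG_PATH = "\\SystemRoot\\System32\\config\\"


def find_utf16le(data, text):
    """Offsets of every UTF-16LE occurrence of text (a hex editor's Unicode search)."""
    needle, hits, pos = text.encode("utf-16-le"), [], 0
    while (pos := data.find(needle, pos)) != -1:
        hits.append(pos)
        pos += 2
    return hits


def checksum_field_offset(data):
    """OptionalHeader.CheckSum sits at e_lfanew + 4 (signature) + 20 (FileHeader) + 64."""
    return struct.unpack_from("<I", data, 0x3C)[0] + 4 + 20 + 64


def pe_checksum(data):
    """Recompute the PE image checksum: carry-folded 32-bit sum of every dword
    except the CheckSum field itself, folded to 16 bits, plus the file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i != skip:
            total += struct.unpack_from("<I", padded, i * 4)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_matches(data):
    """True when the stored CheckSum equals the recomputed one."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return stored == pe_checksum(data)


def build_sample_image():
    """Constructed stand-in for a kernel image (not a real ntoskrnl): MZ stub,
    PE signature, zeroed headers, the config path string, and a valid checksum."""
    img = bytearray(b"MZ" + b"\0" * 62)                  # e_lfanew = 0x40
    struct.pack_into("<I", img, 0x3C, 0x40)
    img += b"PE\0\0" + b"\0" * 20 + b"\0" * 240          # FileHeader + PE32+ OptionalHeader
    img += CONFIG_PATH.encode("utf-16-le") + b"\0\0"    # string lands at offset 328
    struct.pack_into("<I", img, checksum_field_offset(img), pe_checksum(bytes(img)))
    return bytes(img)
```

A same-length string edit leaves the file size untouched, so only the checksum comparison and the string search reveal that the image differs from the one shipped.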
joakim
post Feb 9 2010, 01:45 PM
Post #8
I am writing from a mobile phone so it's short. I did in fact try to patch both the ntldr and ntoskrnl without luck. I think it makes no difference to patch the registry mount point of software inside the kernel. But will try when I am back anyway. Btw, how can we make grldr rename a file on an ntfs volume? Patching the mft perhaps? Joakim
jaclaz
post Feb 9 2010, 03:35 PM
Post #9
QUOTE (joakim @ Feb 9 2010, 07:25 PM)
Btw, how can we make grldr rename a file on an ntfs volume? Patching the mft perhaps? Joakim


Yes, some good ol' disk editing would do, though I cannot say if it is possible (I mean easily) with grub4dos dd commands.

I'll throw this in also, seemingly unrelated:
http://www.boot-land.net/forums/index.php?showtopic=7329

There is an entire world of OSless programming at GRUB/grub4dos reach.....

jaclaz
joakim
post Feb 9 2010, 04:07 PM
Post #10
I thought about that too. Do you have a working sample on how to perform a rename operation of a Windows boot critical file on ntfs with grldr? Regardless of the complexity of it. I know it's likely difficult. About the other thing, maybe it would be easier to code a system boot=1 driver that could do file and/or registry operations this early in the boot process, as opposed to coding a real mode equivalent program... Joakim
jaclaz
post Feb 10 2010, 05:20 AM
Post #11
QUOTE (joakim @ Feb 9 2010, 09:47 PM)
I thought about that too. Do you have a working sample on how to perform a rename operation of a Windows boot critical file on ntfs with grldr? Regardless of the complexity of it. I know it's likely difficult.


Come on, get real!

If I had such a thing, wouldn't I have already posted it on 911CD and over half the internet technical boards, instead of "pushing" you towards writing one?

I have to make a few checks, but I don't think that it should be overly complex, if we take approach #2 (see below).

QUOTE (joakim @ Feb 9 2010, 09:47 PM)
About the other thing, maybe it would be easier to code a system boot=1 driver that could do file and/or registry operations this early in the boot process, as opposed to coding a real mode equivalent program...

As I see it there are two possible approaches:
  1. "universal" solution, a "smart" kind of program that detects where the hard links are on the NTFS filesystem and changes them to point to whatever you want
  2. "specific" solution, a "dumb" kind of program that analyzes the differences between two specific NTFS filesystem, the first with hard links from "config" pointing to "confag" and the second with hard links from "config" pointing to "confbg", and then can at boot time, "patch" that specific NTFS filesystem to have the one or the other set of "pointers"


As I see it, #1 is the "right" thing to do, but it is obviously complex, whilst #2 is relatively simple; it needs some "preparatory" work for each given filesystem (but that can be done from a "full fledged" running OS) and in its essence is nothing more than a hex patcher with direct disk access.

Time permitting, I'll check what are the differences between the two NTFS filesystem with different pointers, but I do expect that it is a matter of changing some a's to b's and possibly recalculate a checksum of some kind...

As a side note, and remember that I have NO idea how it is made, RPM (Ranish Partition Manager) and XOSL also can boot without any DOS OS, and have direct disk access.
I don't think that there is source code for RPM post 2.37 available, but I guess that if the "base code" is sound enough, one can use this old version all right to have a good start.

jaclaz

P.S.: Probably useful:
http://www.alex-ionescu.com/NTFS.pdf
joakim
post Mar 5 2010, 02:15 AM
Post #12
For parts of the software hive, it is possible to transform it into a hardware profile. Or maybe more descriptively called "software profile": http://technet.microsoft.com/en-us/library...525(WS.10).aspx

(It sometimes pays off to take your time at msdn and technet)

Joakim