Exception in pocc.exe

[HellOfMice]

https://learn.microsoft.com/en-us/cpp/build/prolog-and-epilog?view=msvc-170
https://www.sqlite.org/download.html rather than pathching all is moving

[HellOfMice]

I am not sure that SQLITE3 is updated very often, I do it but I am not sure there are many people that do it. if you patch SQLITE3 see with their site to tell us there are problems in their sotfware. AN update can just resolve any problem

For the other link I read that there was a norm in the epilog and that MS did not like those who did not like them.

My humor is what it is. If you like good if you don't like good too.

THIS AFTERNOON I TRIED TO DEBUG USING XMM AND AVX2 IT WAS NOT POSSIBLE BUT i think it less important that somerting we resolve with a batch file. There are place which are blocking and are IMPORTANT. I have pelles running from codeblock and notepad++ now. That goes to me.

While is there no stack registers for the FPU87, why XMM0 rather than tem.

Do you  use emms instruction after using XMM.

I put my main code in the start function before callink winmain for hiding what i DO. The debugger does not show my code. With all the nop used in alignment are you sure that the good patches are applyed at the good place. You can have self mofied code or unpacked code...

There are a lot of thing to thing

PHILIPPE

[HellOfMice]

hI TIMOSHINE & SUNVJL

I have nothing against anyone and surely not against SUNSHINE
i THINK THAT HIS SOLUTION HAS NOT BEEN VERY THOUGHT AND APPLYING A SYSTEMATIC SOLUTIONS CAN HIDE THE REAL ONE;
yOU SHOULD CONTACT OTHERS SOCIETES OR DEVELOPPER ON GIThUB; i HAVE ADDED 2 ISSUES FOR NOTEPAD++ RELATIVES TO THE SAME PROBLEM.

You should search for a replacement for pelles or how we will do it, other programs to develop?

[HellOfMice]

YES

[Robert]

I am still interest of Windows 11 24H2 ntdll.dll x64 rich header
A tool for find me some details of it

Code: [Select]

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "msvcrt")

int ProcessFile(HANDLE hFile, PBYTE pMem);

int __cdecl main(int argc, char **argv)
{
HANDLE hFile, hMapping;
VOID *pMem;

if (argc < 2) {
printf("Usage: PETestRichHdr.exe <file>\n");
return 1;
}
hFile = CreateFile(argv[1], GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE) {
hMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
if (hMapping) {
pMem = MapViewOfFile(hMapping, FILE_MAP_WRITE, 0, 0, 0);
if (pMem) {
printf("%s\n", argv[1]);
ProcessFile(hFile, pMem);
UnmapViewOfFile(pMem);
} else
printf("File open error");
CloseHandle(hMapping);
} else
printf("FileMapping error");
CloseHandle(hFile);
} else
printf("File open error");
return 0;
}

int ProcessFile(HANDLE hFile, PBYTE pMem)
{
PIMAGE_DOS_HEADER pDosHdr;

pDosHdr = (PIMAGE_DOS_HEADER)pMem;
if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE)
return 1;
DWORD *pPtr = (DWORD*)(pMem+pDosHdr->e_lfanew);
DWORD *pMin = (DWORD*)(pMem+0x40);
while (pPtr > pMin && *((DWORD*)pPtr) != *((DWORD*)"Rich"))
pPtr--;
if (*pPtr == *((DWORD*)"Rich")) {
DWORD *pPtr2 = pPtr-1;
DWORD dwMask = *(pPtr+1);
DWORD dwTmp = *((DWORD*)"DanS") ^dwMask;
while (*pPtr2 && *pPtr2 != dwTmp)
pPtr2--;
if (*pPtr2) {
DWORD *pPtr3 = pPtr2+4;
//printf("%Xh %\n", *pPtr2^dwMask, *pPtr2^dwMask); //"DanS"
while (*pPtr3 != *((DWORD*)"Rich")) {
//WORD wId, wVer;
dwTmp = *pPtr3^dwMask;
printf("%08x ", *pPtr3^dwMask);
pPtr3++;
//printf("%Xh ", *pPtr3^dwMask);
if (*pPtr3 == *((DWORD*)"Rich")) break;
//printf("%Xh %d\n", LOWORD(*pPtr3^dwMask, *(pPtr3+1)^dwMask);
printf("id:%d\tversion:%d\ttimes:%d\n", HIWORD(dwTmp), LOWORD(dwTmp), *pPtr3^dwMask);
pPtr3++;
}
}
}

return 0;
}


Hi TimoVJL:

I'm not sure if you are asking a question but anyway,

"The Windows SDK documentation describes some, but not all, of the Nt entry points in Ntdll.lib. Most of the documented Nt routines are defined in the Winternl.h header file in the Windows SDK."

quoted from

https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/libraries-and-headers

[Vortex]

Hello,

Thanks for the patches. They are working fine on Windows 11 2024 H2.

[Vortex]

Hi Timo,

Here is my report on Win11 2024 H2 :

Code: [Select]

D:\>PETestRichHdr64.exe C:\Windows\system32\ntdll.dll
File open error

[TimoVJL]

Good to know.
I have to find access to Windows 11 24H2 myself, as site users can't / don't like to help me.
It was a your choice 

[John Z]

Windows 11 market share in total is only about 37% and WIN 11 24H2 is only a small portion of that.
So many forum members won't be able to assist with testing. For me I blocked WIN 11 24H2 until things settle out a bit more.

So I don't think the general lack of response/help is because forum members are unwilling, but more likely are unable.  I certainly don't think lack of help/testing is personal towards anyone, especially the longstanding, extremely helpful, forum members like TimoVJL, Frankie, MrBxc etc.

There is clearly some friction on the future use/path for Pelles C, some will stay some will go.

It is easy to get a bit irritated as we are still grieving over the apparent loss of Pelle, and the impact of WIN 11 24H2 issues. 

Stay positive, carry on, it will be fine!

John Z

[John Z]

I have to find access to Windows 11 24H2 myself, ....

I tried this site https://www.dll-files.com/ntdll.dll.html but it looks like the newest ntdl.dll has not yet been uploaded.  My Win 11 23H2 version is 2/11/2025, 10.0.022621.4830,  newest one in the DLL site is 10.0.19041.423 - so not there yet.

Maybe someone can zip it and post it for you.  Currently about 2Meg unzipped. I don't think that would violate anything.

Could be analyzed without installing/registering it I believe.

John Z

[TimoVJL]

No need to send that dll.
Earlier i just asked to run program with it and see result from it's rich header.
If it have file access in system32 folder, just a temporary copy of it in other folder might help.
Idea was to see, what msvc version is currently used in Windows files.