PE and Imports and more questions....


nyx
March 21st, 2002, 07:19
Well this is my second post,

Was fooling around with Notepad of Windows 2000 on Windows 98SE, though I knew it would not run. I put the Notepad through some PE editors and modifiers and deleted some of its import functions to the (I recall) printer driver, normally some printing API functions. Well, then validated it; well, it never ran, but some questions I got were: is this possible? Anybody have any programs or ideas?

Another thing is what is meant by attaching a program to a live process ?


Then about the VBOX (till ver 4.3(?)) protection system: well, if you properly clean out the registry keys using the AMOK VBOX cleaner etc., you can reinstall the program and it works. Then I wonder what more is left in the protection.

Thanks

nyx

DakienDX
March 21st, 2002, 07:31
Hello nyx !

There is a big problem using programs which come with different Windows versions on each other.
Normally these programs' imports are bound.
You can be sure most of the time that these programs use some undocumented functions.
Also the memory structures can differ from version to version.

And if there is a call to an import and you simply delete this import, what will happen?
Either there will be a 00000000h in the import table which marks its end and skips all other imports following (=crash), or all import entries will be moved one entry back and all following calls to imports will point to the wrong import (=crash).

Why do you want to use Win2000's Notepad on Win98? Just because of "New Search", "Mark All" or "Replace"? You can find ways how to implement these functions on Win98 on this board and on Fravia's Mirror.
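The two failure modes DakienDX describes, zeroing an import thunk versus shifting the remaining entries up, can be seen directly by walking a thunk array the way the loader does. The following is an added example, not code from the thread; the thunk array, the hint/name RVAs and the function names it maps them to are constructed for the demonstration.

```python
import struct

# IMAGE_THUNK_DATA32 is one 4-byte RVA per import; the array (both
# OriginalFirstThunk and FirstThunk/IAT) ends at the first zero entry.
THUNK_SIZE = 4

# Constructed import list for a hypothetical module: the compiled code calls
# each function indirectly through "its" IAT slot (slot 1 == ReadFile, etc.).
IMPORT_NAMES = ["CreateFileA", "ReadFile", "WriteFile", "OpenPrinterA", "ClosePrinter"]
# Constructed hint/name RVAs, one per import, so we can map an RVA back to a name.
NAME_BY_RVA = {0x3000 + 0x10 * i: name for i, name in enumerate(IMPORT_NAMES)}


def build_thunk_array():
    """Return the constructed, zero-terminated thunk array as bytes."""
    rvas = list(NAME_BY_RVA)
    return struct.pack("<%dI" % (len(rvas) + 1), *rvas, 0)


def parse_thunks(blob):
    """Walk the array exactly as a loader does: stop at the first zero RVA."""
    rvas = []
    off = 0
    while off + THUNK_SIZE <= len(blob):
        (rva,) = struct.unpack_from("<I", blob, off)
        if rva == 0:
            break
        rvas.append(rva)
        off += THUNK_SIZE
    return rvas


def imports_resolved(blob):
    """Names the loader would actually resolve for this thunk array."""
    return [NAME_BY_RVA.get(rva, "?") for rva in parse_thunks(blob)]


def call_through_slot(blob, slot):
    """Simulate a compiled 'call [IAT + slot*4]'.

    Returns the function the call lands on, or None when the slot was never
    filled in (the loader stopped before it), i.e. a jump to garbage/zero.
    """
    resolved = imports_resolved(blob)
    return resolved[slot] if slot < len(resolved) else None


def delete_by_zero(blob, idx):
    """'Delete' an import by writing 0 over its thunk: this terminates the list."""
    b = bytearray(blob)
    struct.pack_into("<I", b, idx * THUNK_SIZE, 0)
    return bytes(b)


def delete_by_shift(blob, idx):
    """'Delete' an import by removing its thunk and shifting the rest up one slot."""
    off = idx * THUNK_SIZE
    return blob[:off] + blob[off + THUNK_SIZE:] + b"\0" * THUNK_SIZE


if __name__ == "__main__":
    original = build_thunk_array()
    print("intact:   ", imports_resolved(original))
    zeroed = delete_by_zero(original, 3)            # drop OpenPrinterA by zeroing
    print("zeroed:   ", imports_resolved(zeroed))   # ClosePrinter is never resolved
    shifted = delete_by_shift(original, 0)          # drop CreateFileA by shifting
    print("shifted:  ", imports_resolved(shifted))
    print("slot 1 now calls:", call_through_slot(shifted, 1))  # WriteFile, not ReadFile
```

In the zeroed case the loader stops at the hole, so every slot after it stays unresolved and the first call through one of them crashes; in the shifted case every later slot is off by one and the call meant for `ReadFile` lands in `WriteFile`. Both match the two crash paths in the post.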

nyx
March 21st, 2002, 08:01
Well I'm learning VC++ just time before I break into Windows.....

death
March 23rd, 2002, 15:20
Bound imports are only used if the addresses are right. If not, the loader uses the original imports.

As for Notepad, under Win2000 it imports some Wide char APIs. 98SE doesn't support Wide char APIs, therefore it will not work.

notbob
March 26th, 2002, 16:49
Quote:
Originally posted by death
Bound imports are only used if the addresses are right. If not, the loader uses the original imports.

As for Notepad, under Win2000 it imports some Wide char APIs. 98SE doesn't support Wide char APIs, therefore it will not work.


Normal executables have their import addresses resolved at load-time. When a PE file is loaded, it requests to be loaded into a certain base address (indicated in the PE file headers). If that address isn't available, then it has to go somewhere else and the loader has to fix up all the addresses that changed.

A Bound PE file forgoes the ability to have its DLLs relocate in order to speed up load times. Essentially, it assumes that all the base addresses for its imports will be available. This is a reasonable assumption for a system tool like Notepad because Win32 runs each process in its own address space, and all the import DLLs are written and controlled by Microsoft.

When you load a PE file and its import DLLs, the IAT is filled in with all the addresses it needs. The IAT then becomes something of a jump table for import functions. When the PE file is bound, this process takes place once and is permanently stored.

The fundamental reason why you can't run Win2000 Notepad on Win98 is because the EXE is bound, and the underlying DLLs have different base addresses.

cheers,
-Notbob

PS - This was all from memory and it's been a little while since I've forked with PE internals, so if I'm a little off, please let me know.

ancev
March 26th, 2002, 17:12
notbob,

You're right in your explanation, but I guess the problem is another. To check the validity of the BOUNDed imports, the loader checks the DLL time stamp against the bound import descriptor time field.

If they don't match, normal imports are used. And I bet they don't match between W9x kernel32.dll and W2k notepad.exe.

ancev
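The check ancev describes lives in the bound import directory (`IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT`): one `IMAGE_BOUND_IMPORT_DESCRIPTOR` per DLL, each carrying the `TimeDateStamp` of the DLL the addresses were bound against. The example below, added here and not code from the thread, builds such a directory from constructed values, parses it back, and decides per DLL whether the pre-stored addresses can be trusted or whether the loader has to fall back to normal import resolution. It also folds in notbob's point by treating a DLL that did not load at its preferred base as needing a re-bind. The DLL names, time stamps and base addresses are all constructed; the "w2k" and "w98" system tables are hypothetical, not real values from either OS.

```python
import struct

# IMAGE_BOUND_IMPORT_DESCRIPTOR:
#   DWORD TimeDateStamp;               // of the DLL the imports were bound to
#   WORD  OffsetModuleName;            // relative to the start of the directory
#   WORD  NumberOfModuleForwarderRefs; // IMAGE_BOUND_FORWARDER_REF entries that follow
# The array is terminated by an all-zero descriptor. A forwarder ref has the same size.
BOUND_DESC = struct.Struct("<IHH")


def build_bound_import_dir(entries):
    """Build a bound import directory from [(dll_name, timestamp), ...] (constructed data)."""
    names_start = BOUND_DESC.size * (len(entries) + 1)  # names follow the terminator
    descs, names = b"", b""
    for name, ts in entries:
        descs += BOUND_DESC.pack(ts, names_start + len(names), 0)
        names += name.encode("ascii") + b"\0"
    descs += BOUND_DESC.pack(0, 0, 0)  # terminator
    return descs + names


def parse_bound_imports(blob):
    """Return [(dll_name, bound_timestamp), ...], skipping forwarder-ref entries."""
    out, off = [], 0
    while off + BOUND_DESC.size <= len(blob):
        ts, name_off, n_fwd = BOUND_DESC.unpack_from(blob, off)
        if ts == 0 and name_off == 0:
            break
        end = blob.index(b"\0", name_off)
        out.append((blob[name_off:end].decode("ascii"), ts))
        off += BOUND_DESC.size * (1 + n_fwd)
    return out


def check_binding(blob, loaded_dlls):
    """Decide per DLL whether the bound addresses are usable.

    loaded_dlls maps lower-case DLL name -> (TimeDateStamp of the installed DLL,
    preferred ImageBase, address it actually loaded at). Returns
    {dll: "bound"} when the stored addresses are kept, {dll: "rebind"} when the
    loader must resolve that DLL's imports the normal (slow) way.
    """
    verdict = {}
    for name, bound_ts in parse_bound_imports(blob):
        info = loaded_dlls.get(name.lower())
        if info is None:
            verdict[name] = "rebind"  # not present; normal resolution will then fail
            continue
        dll_ts, preferred_base, actual_base = info
        stale = dll_ts != bound_ts           # ancev: time stamps must match
        relocated = preferred_base != actual_base  # notbob: DLL must sit at its bound base
        verdict[name] = "rebind" if (stale or relocated) else "bound"
    return verdict


# Constructed: a hypothetical notepad.exe bound against two DLLs.
NOTEPAD_BOUND = build_bound_import_dir([("KERNEL32.dll", 0x3A0F0001), ("USER32.dll", 0x3A0F0002)])

# Constructed "systems": the DLL build the EXE was bound on vs. a different OS.
SYSTEM_W2K = {"kernel32.dll": (0x3A0F0001, 0x77E80000, 0x77E80000),
              "user32.dll":   (0x3A0F0002, 0x77E10000, 0x77E10000)}
SYSTEM_W98 = {"kernel32.dll": (0x36D00001, 0xBFF70000, 0xBFF70000),
              "user32.dll":   (0x36D00002, 0xBFC00000, 0xBFC00000)}
# Same DLL builds as W2K, but KERNEL32 was relocated at load time.
SYSTEM_W2K_RELOCATED = dict(SYSTEM_W2K, **{"kernel32.dll": (0x3A0F0001, 0x77E80000, 0x10000000)})

if __name__ == "__main__":
    print(parse_bound_imports(NOTEPAD_BOUND))
    print("same system:  ", check_binding(NOTEPAD_BOUND, SYSTEM_W2K))
    print("other system: ", check_binding(NOTEPAD_BOUND, SYSTEM_W98))
    print("relocated:    ", check_binding(NOTEPAD_BOUND, SYSTEM_W2K_RELOCATED))
```

A stale time stamp alone is enough to discard the binding, which is why the bound addresses are not what stops the EXE on the other OS: the loader simply snaps the imports normally, and the run then fails on the missing Wide-char APIs death mentions rather than on the binding.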