quinta-feira, 22 de setembro de 2011

MUI hell

How hateful can (some times) Microsoft Windows be? Let me count the times.... Well, this one happened while I was doing some experiments with Notepad.exe. As I needed to modify the Notepad.exe binary and didn't want to mess with the installation, I copied it to a temporary folder. Changed the binary afterwards and tried to run it.
Hmmm... Nothing happened. Run it again, and again, and again.... Nothing was happening. So, I recopied it again, and tried to run it to see if the failure was caused by the patching. Nope. Again, nothing was happening. Run it again, and again, and again.... Nothing.

I decided to run Procmon on it, and surprise, surprise, a couple of things failed to be found, namely: the MUI files.

Copying the missing files from Windows "en" and "en-US" subdirectories to the temp dir, and maintaining the
directories structures, notepad finally executed.
Doing the same with Calc.exe, guess what?

Who's responsible for this? A stupid function exported from ntdll called LdrpLoadResourceFromAlternativeModule.
This function get called when Notepad.exe and Calc.exe tries to load resource strings from the binary.

Oh, and this seems to break UPX....

What the hell?

Sem comentários: