Patch to eliminate GDI32 Escape() functionality in Windows98SE

This is a quick patch which prevents use of GDI32 Escape() on Win9x. This may close (unknown) Win9x holes in SetAbortProc() or others. MS deprecated all Escapes() except QUERYESCSUPPORT and PASSTHROUGH by October 2001 per my MSDN docs. My printer works, both network and local, both spooling and spool management (job cancel) with this patch in place.
This was inspired by Ilfak’s fix for XP. I have several machines that still run 98 (I actually do have a pretty good set of excuses for this :-) ). I heard that MS may not be planning to provide a patch, so … The code is copyleft, and your use, if any, is at your own risk. I wrote this for me, I’m happy with its effect, but I have no idea if it’s going to be good for you.
There is a source + executable buildable tree (VC6)
or just the release executable in a zip
a readme provides a somewhat terse overview

If you decide to use this patch…
fixgdi -
will provide instructions
fixgdi
will install the patch into gdi32.dl2

The code ‘edits’ the code for gdi32 in a file on the disk. Naturally it can’t do this on the copy that Windows is currently running, so it does this on a copy of the file – gdi32.dl2. After the program confirms the edit with “Update successful…” you may need to boot to “DOS” (or edit autoexec.bat and reboot) in order to copy gdi32.dl2 over gdi32.dll

If you have Windows File Protection or similar features enabled, it may be difficult to replace your original gdi32.dll

REMEMBER TO MAKE A BACKUP OF YOUR ORIGINAL GDI32.DLL.
YOU MIGHT FIND A PROBLEM THAT I HAVEN’T SEEN AND NEED IT!!

REMEMBER THAT ANYTHING YOU DO WITH THIS CODE IS AT YOUR OWN RISK;
YOUR USE OF THIS CODE CERTIFIES THAT YOU ARE ABLE TO EVALUATE THAT RISK

So, if you still want to use this :-)
The code substitutes

xor eax, eax    ; return value (EAX) = 0
ret 0x14        ; stdcall return, discarding the five 4-byte arguments (5 * 4 = 0x14 bytes)

in place of the Escape() entry code. The effect is to simply return zero from any call to Escape(). I have no idea whether any existing programs depend on Escape() functionality. Many pieces of code insist on ‘finding’ the Escape() function, but so far I’ve seen no anomalies associated with Escape() doing ‘nothing’. The function definitions are in wingdi.h. Incidentally, I have verified that the printer escape example from the Oct ’01 MSDN docs doesn’t in fact work on the existing unmodified GDI32.DLL FWIW.
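As an added illustration of the edit described above (this is not the fixgdi code, and it is assumed, not taken from the page, that Win9x gdi32.dll is a normal PE32 with a standard export table), here is a small Python script that locates the exported Escape() entry in an on-disk copy such as gdi32.dl2, reports whether the 5-byte stub is already in place, and otherwise writes the same stub while returning the original bytes so they can be logged or restored:

```python
import struct
# The 5-byte stub the patch writes over Escape()'s entry point:
#   33 C0       xor eax, eax   ; Escape() now returns 0
#   C2 14 00    ret 0x14       ; pop the five 4-byte stdcall arguments
STUB = bytes.fromhex("33c0c21400")

def _rva_to_off(sections, rva):  # map an RVA to a file offset via the section table
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not inside any section" % rva)

def find_export(image, name):
    """Return the file offset of the exported function `name` in a PE32 image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    optsz = struct.unpack_from("<H", image, pe + 20)[0]
    if struct.unpack_from("<H", image, pe + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    export_rva = struct.unpack_from("<I", image, pe + 24 + 96)[0]  # DataDirectory[0]
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, pe + 24 + optsz + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    exp = _rva_to_off(sections, export_rva)
    _, nnames, funcs, names, ords = struct.unpack_from("<IIIII", image, exp + 20)
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, _rva_to_off(sections, names) + 4 * i)[0]
        off = _rva_to_off(sections, name_rva)
        if image[off:image.index(b"\0", off)] == name:
            ordinal = struct.unpack_from("<H", image, _rva_to_off(sections, ords) + 2 * i)[0]
            func_rva = struct.unpack_from("<I", image, _rva_to_off(sections, funcs) + 4 * ordinal)[0]
            return _rva_to_off(sections, func_rva)
    raise KeyError("export %r not found" % name)

def is_patched(image):
    """True if Escape()'s entry already holds the stub (a quick way to audit a copy)."""
    off = find_export(image, b"Escape")
    return bytes(image[off:off + len(STUB)]) == STUB

def patch_escape(image):
    """Return (patched copy, original entry bytes) so the caller can log or restore them."""
    off = find_export(image, b"Escape")
    original = bytes(image[off:off + len(STUB)])
    out = bytearray(image)
    out[off:off + len(STUB)] = STUB
    return bytes(out), original
```

Run it only against the copy (read gdi32.dl2, call patch_escape, write the result back), never against the gdi32.dll Windows is running; keeping the returned original bytes gives you a record for rolling the change back.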

  • vsms

    Is this the start of a new trend? Patching your Windows whenever Microsoft fails to do so, or when it lags behind the 0 day vulnerability?

  • http://www.whyimright.com Kevin

    Steve Gibson (www.grc.com) also noted that he will be providing a 9x patch if need be, as well.

  • Tom

    I heard Steve say that in the interview show & tried to get ahold of him by email to offer this to him, but wasn’t able to get ahold of him. c’est la vie

    If I get time, I’ll determine whether any application is actually trying to use Escape().
    I’ll post anything I find out here.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    This patch seems risky from an app compat POV. A cleaner fix is to do as MS does and noop only ESCAPE type 9 (METAESCAPE_SETABORTPROC).

  • Tom

    Matthew-
    If we could identify any application that made use of this functionality, I’d be more concerned about the compatibility issue. Absent that, I’m more concerned that the generally naive coding could have yet undiscovered issues. Eliminating the apparently un-needed support seems best to me at this time.
    Any thoughts on ExtEscape() or ExtCreateRegion()?
    -Tom

  • http://HCCNET.NL J.A.DE.WITTE

    Hi,
    why not for win98se, there are network problems too!
    Your program could solve this nasty problem.

    Thanks.