Patch to eliminate GDI32 Escape() functionality in Windows98SE
January 14th, 2006 by tomw, Filed under: Microsoft
This is a quick patch which prevents use of GDI32 Escape() on Win9x. It may close (unknown) Win9x holes in SetAbortProc() or others. MS deprecated all Escape() codes except QUERYESCSUPPORT and PASSTHROUGH by October 2001, per my MSDN docs. My printer works, both network and local, both spooling and spool management (job cancel), with this patch in place.
This was inspired by Ilfak’s fix for XP. I have several machines that still run 98 (I actually do have a pretty good set of excuses for this). I heard that MS may not be planning to provide a patch, so … The code is copyleft, and your use of it, if any, is at your own risk. I wrote this for me; I’m happy with its effect, but I have no idea whether it’s going to be good for you.
There is a source + executable buildable tree (VC6), or just the release executable in a zip; a readme provides a somewhat terse overview.
If you decide to use this patch…
fixgdi -
will provide instructions
fixgdi
will install the patch into gdi32.dl2
The code ‘edits’ the code for gdi32 in a file on the disk. Naturally it can’t do this on the copy that Windows is currently running, so it does this on a copy of the file, gdi32.dl2. After the program confirms the edit with “Update successful…” you may need to boot to “DOS” (or edit autoexec.bat and reboot) in order to copy gdi32.dl2 over gdi32.dll.
If you have Windows File Protection or similar features enabled, it may be difficult to replace your original gdi32.dll
REMEMBER TO MAKE A BACKUP OF YOUR ORIGINAL GDI32.DLL. YOU MIGHT FIND A PROBLEM THAT I HAVEN’T SEEN AND NEED IT!!
REMEMBER THAT ANYTHING YOU DO WITH THIS CODE IS AT YOUR OWN RISK; YOUR USE OF THIS CODE CERTIFIES THAT YOU ARE ABLE TO EVALUATE THAT RISK.
So, if you still want to use this…
The code substitutes
    xor eax, eax
    ret 0x14
in place of the Escape() entry code. The effect is to simply return zero from any call to Escape(); the ret 0x14 pops the five 32-bit stdcall arguments of Escape() (20 bytes) so the caller’s stack stays balanced. I have no idea whether any existing programs depend on Escape() functionality. Many pieces of code insist on ‘finding’ the Escape() function, but so far I’ve seen no anomalies associated with Escape() doing ‘nothing’. The escape codes and function definitions are in wingdi.h. Incidentally, I have verified that the printer escape example from the Oct ‘01 MSDN docs doesn’t in fact work on the existing unmodified GDI32.DLL, FWIW.
Is this a start of a new trend? patching your Windows whenever Microsoft fails to do so, or when it lags behind the 0 day vulnerability?
Steve Gibson (www.grc.com) also noted that he will be providing a 9x patch if need be, as well.
I heard Steve say that in the interview show and tried to get hold of him by email to offer this to him, but wasn’t able to reach him. C’est la vie.
If I get time, I’ll determine whether any application is actually trying to use Escape().
I’ll post anything I find out here.
This patch seems risky from an app compat POV. A cleaner fix is to do as MS does and noop only ESCAPE type 9 (METAESCAPE_SETABORTPROC).
Matthew-
If we could identify any application that made use of this functionality, I’d be more concerned about the compatibility issue. Absent that, I’m more concerned that the generally naive coding could have yet undiscovered issues. Eliminating the apparently unneeded support seems best to me at this time.
Any thoughts on ExtEscape() or ExtCreateRegion()?
-Tom
[…] The original post this was a comment for is: http://blogs.securiteam.com/index.php/archives/210 […]
Hi,
Why not for Win98SE? There are network problems too!
Your program could solve this nasty problem.
Thanks.