Windows 7: How to change boot animation in Windows 7

joakim · 02 Oct 2010

Just confirming that theory works. I managed to change the startup text color to light green.

old code

Code:

offset          machine code    assembler
.text:0044399C  832100          and     dword ptr [ecx], 0
.text:0044399F  834B1CFF        or      dword ptr [ebx+1Ch], 0FFFFFFFFh

new code

Code:

offset          machine code    assembler
.text:0044399C  E85F380200      call    sub_467200
.text:004439A1  90              nop
.text:004439A2  90              nop

old code

Code:

offset           machine code     assembler
.rdata:00467200  00               db    0
.rdata:00467201  00               db    0
.rdata:00467202  00               db    0
.rdata:00467203  00               db    0
.rdata:00467204  00               db    0
.rdata:00467205  00               db    0
.rdata:00467206  00               db    0
.rdata:00467207  00               db    0
.rdata:00467208  00               db    0
.rdata:00467209  00               db    0
.rdata:0046720A  00               db    0
.rdata:0046720B  00               db    0
.rdata:0046720C  00               db    0

new code

Code:

offset           machine code         assembler
.rdata:00467200  832100               and     dword ptr [ecx], 0
.rdata:00467203  C7431C00FF00FF       mov     dword ptr [ebx+1Ch], 0FF00FF00h
.rdata:0046720A  C20400               retn    4

So the actual color code are stored at va 00467206 or offset 0x64A06. I'm sure thaimin has something useful to add about these color code.

About your concerns regarding the bootmgr patch. Here's what I change;

old code

Code:

offset          machine code  assembler
.text:00421EC5  7416          jz      short loc_421EDD

new code

Code:

offset          machine code  assembler
.text:00421EC5  90            nop
.text:00421EC6  90            nop

This is to disable the signature verification of the embedded bootmgr.exe (itself). This patch will also let you run modified bootmgr(.exe) in debug mode.

Joakim

thaimin · 04 Oct 2010

@joakim

First color stuff: First, isn't .rdata not allowed to be executed as code? How can you call a function in it? Wouldn't it be better to put it at the end of .text? According to the header information, .text has 48 bytes extra on disk (difference of Raw Size and Virtual Size) which is enough for your trick (which requires 13). Additionally, the end of a section is easy to find and I know I won't be destroying any important data.
But otherwise, that is awesome! I will try a version of it in a bit.

The value "7416" doesn't show up in the standard Windows 7 bootmgr until you are already in bootmgr.exe (so it isn't in the stub). Since the previous hack started with the same thing, I had to double check, and my program was silently failing to update the bootmgr stub. Oops! So apparently that hack only works for PXE bootmgr stub. Maybe if I can find the equivalent thing to change in the standard Windows 7 one then one of the tricks I found for bootmgr.exe will possibly work. I know I properly make that change (but I am unable to test it...).

joakim · 04 Oct 2010

What do you mean by not finding 7416? You are supposed to find 7403 at 0x105e in bootmgr (to disable checksum verification of bootmgr.exe). This is in the stub.

Now, to disable the signature verification we must patch bootmgr.exe. One way is the patch I've posted concerning 00421ec5.

Another way to disable signature verification, that I just discovered, is to make a far jmp inside the function BlImgVerifySignedPeImageFileContents, and effectively walking past every hash calculation;

old code

Code:

.text:00421063                 mov     ebx, eax
.text:00421065                 test    ebx, ebx
.text:00421067                 jnz     short loc_421073

new code

Code:

.text:00421063                 mov     ebx, eax
.text:00421065                 jmp     loc_421172

Lastly, the reason why I chose a place with such a big code cave to put the stuff, was in case we wanted to put more new code somewhere. Then it would not be spread all over, and easier to manage. So don't worry about it being in the .rdata section as long as it works (I've verified green text)..

Btw, did you manage to draw the animation with bigger size? If so, where and what did you do?

Joakim

thaimin · 04 Oct 2010

Okay, I thought all your fixes you were mentioning before were for bootmgr stub! This clears up a lot.

The bootmgr stub change is unnecessary since the checksum is updated, right?

I have integrated your ideas about changing startup message color and that led to me making it so the copyright text could be any length. Inspection of the files looks good and I will be testing in a VM in a bit.

I hope one of your 3 bootmgr.exe self-verify hacks plus one of my 2 bootmgr.exe winload.exe-verify hacks works (now that I will be properly applying the self-verify checks).

The animation size, frame rate, position, etc is all done by NTOSKRNL which I am not going to be editing, so it won't happen, although maybe possible, but that is too much for me.

joakim · 05 Oct 2010

Yes you are right that the stub hack is only necessary when the embedded bootmgr.exe has a bad checksum.

And it is sufficient to implement only 1 of the 2 signature hacks (I just wanted to mention a second way).

I hope you find a way to disable the checksum verification of winload.exe..

So I will not bother with NTOSKRNL, at least not on x64.

Joakim

thaimin · 05 Oct 2010

Quote: Originally Posted by joakim

Yes you are right that the stub hack is only necessary when the embedded bootmgr.exe has a bad checksum.

Awesome!

Quote: Originally Posted by joakim

And it is sufficient to implement only 1 of the 2 signature hacks (I just wanted to mention a second way).

That's what I meant.

Quote: Originally Posted by joakim

I hope you find a way to disable the checksum verification of winload.exe..

Have you tried either of the hacks I have posted? I believe at least one should allow you to use use an unsigned winload.exe.

I tested my program with the new color code and longer copyright text. The longer copyright text worked, but the color failed. Right when it was about to draw the text it just hung. My guess is I did something wrong, I will inspect further to see if I can get it to work.

joakim · 05 Oct 2010

Quote: Originally Posted by thaimin

Have you tried either of the hacks I have posted? I believe at least one should allow you to use use an unsigned winload.exe.

No unfortunately not. Was that a bootmgr patch? Could you be kind and repost it with the relevant offsets?

thaimin · 05 Oct 2010

I don't know the offsets, but they are unique in bootmgr.exe:

Code:

80 7D 0B 00 74 04 33 F6 EB 03 6A 30 5E        80 7D 0B 00 74 04 33 F6 EB 03 6A 00 5E
89 55 B4 83 65 B4 10                          89 55 B4 83 65 B4 00

You only need one of them.

razooi12 · 06 Oct 2010

tnx for this post...nice tutorial...

______________________
best registry cleaner

joakim · 06 Oct 2010

Nothing new, just found yet another way to disable signature check in bootmgr. Overwrite with 6 nop's (909090909090) at this location;

Code:

.text:00401237                 jl      loc_40142A

zzzzzzzzzzzzzzzzz (works while not debugging).

Joakim

Windows 7: How to change boot animation in Windows 7

How to change boot animation in Windows 7 problems?