Do you want to modify a Win2000 system kernel file (such as ntoskrnl.exe or hal.dll)? If you modify NTOSKRNL.exe and then copy it to the System32 directory, the Win2000 system will restore the system kernel file you overwrote. The simplest solution would seem to be copying the file over after booting from a boot disk. But does that work? No. After restarting and selecting Safe Mode with Command Prompt in the Windows 2000 Advanced Options menu, the following is displayed:
Windows 2000 cannot start because of the damage or loss of the following file:
Why does this problem occur? The answer is in the NTLDR file, in the Win32 program Osloader.exe. The job of the OSLoader program is to load the system kernel files and drivers. To make the analysis easier, I exported OsLoader.exe from the NTLDR file. One of its exported functions is BlLoadImage; this function loads an executable into memory, and while loading it checks whether the original file has been modified. Below is a small part of the BlLoadImage function:
003016BD 0FB7CA          movzx ecx, dx
003016C0 03C1            add eax, ecx
003016C2 3B4758          cmp eax, dword ptr [edi+58]
003016C5 7407            je 003016CE
003016C7 C7451404000000  mov [ebp+14], 00000004
003016CE FF7508          push [ebp+08]
003016D1 E83CF9FFFF      call 00301012
003016D6 837D1400        cmp dword ptr [ebp+14], 00000000
003016DA 0F8597000000    jne 00301777 ; change to six 90h
003016E0 A108243300      mov eax, dword ptr [00332408]
003016E5 85C0            test eax, eax
003016E7 7436            je 0030171F
003016E9 BB0400FFFF      mov ebx, FFFF0004
003016EE 6A04            push 00000004
003016F0 53              push ebx
003016F1 6A00            push 00000000
003016F3 03C6            add eax, esi
Use a hex editor to open the NTLDR file. The system I use is WIN2000 5.00.2195.1, so, following the analysis, the bytes at 635A to 635F are changed to six 90h, which is the NOP instruction. After that, you can modify the system kernel files. Note: before you do this, you must keep a copy of the original file just in case. Do not misuse this; the consequences are at your own risk.
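From the defender's side, both the check and the patch can be tested for offline. The following is an added example, not code from the original article: it recomputes a PE image's header checksum and reports whether an NTLDR copy still has the `jne` from the listing at the file offset given above. It assumes the `[edi+58]` comparison is against the PE `CheckSum` field (offset 0x58 in the NT headers); the function names are hypothetical and the sample image is constructed.

```python
import struct

CHECKSUM_OFFSET = 0x58    # OptionalHeader.CheckSum within the NT headers ([edi+58])
PATCH_OFFSET = 0x635A     # file offset the article gives for NTLDR 5.00.2195.1
ORIGINAL_JNE = bytes.fromhex("0F8597000000")   # jne 00301777, from the listing

def _checksum_field(image: bytes) -> int:
    """Locate the CheckSum field, validating the MZ and PE signatures first."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + CHECKSUM_OFFSET

def pe_checksum(image: bytes) -> int:
    """Folded 16-bit sum of the file (CheckSum field zeroed) plus the file length."""
    buf = bytearray(image)
    field = _checksum_field(image)
    buf[field:field + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)                              # pad an odd-length file
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return (total + len(image)) & 0xFFFFFFFF

def image_is_intact(image: bytes) -> bool:
    """True when the stored CheckSum matches the recomputed one."""
    stored = struct.unpack_from("<I", image, _checksum_field(image))[0]
    return stored == pe_checksum(image)

def ntldr_branch_state(ntldr: bytes) -> str:
    """Classify the six bytes at PATCH_OFFSET: 'original', 'nopped' or 'unknown'."""
    window = ntldr[PATCH_OFFSET:PATCH_OFFSET + 6]
    if window == ORIGINAL_JNE:
        return "original"
    return "nopped" if window == b"\x90" * 6 else "unknown"

def constructed_image() -> bytes:
    """Constructed 512-byte stand-in for a kernel image, with a valid CheckSum."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    img[0x100:0x110] = bytes(range(16))
    struct.pack_into("<I", img, 0x40 + CHECKSUM_OFFSET, pe_checksum(bytes(img)))
    return bytes(img)

if __name__ == "__main__":
    good = constructed_image()
    bad = good[:0x120] + b"\x41" + good[0x121:]    # one tampered byte
    print(image_is_intact(good), image_is_intact(bad))
```

The offset and the original bytes apply only to the build named in the article; on any other NTLDR the result "unknown" is expected and says nothing about tampering.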