Beispiel #1
2
NTSTATUS KphDynamicDataInitialization(
    VOID
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    PAGED_CODE();

    // Get Windows version information.

    KphDynOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphDynOsVersionInfo);

    if (!NT_SUCCESS(status))
        return status;

    // Dynamic data should be read from the registry, but we use the fallback
    // function here if needed.
    if (KphDynNtVersion == 0)
    {
#ifdef _X86_
        KphpX86DataInitialization();
#else
        KphpAmd64DataInitialization();
#endif
    }

    return status;
}
Beispiel #2
0
/***********************************************************************
 *         GetVersionExA   (KERNEL32.@)
 */
BOOL WINAPI GetVersionExA(OSVERSIONINFOA *v)
{
    RTL_OSVERSIONINFOEXW infoW;

    if (v->dwOSVersionInfoSize != sizeof(OSVERSIONINFOA) &&
        v->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXA))
    {
        WARN("wrong OSVERSIONINFO size from app (got: %d)\n",
                        v->dwOSVersionInfoSize );
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        return FALSE;
    }

    infoW.dwOSVersionInfoSize = sizeof(infoW);
    if (RtlGetVersion( &infoW ) != STATUS_SUCCESS) return FALSE;

    v->dwMajorVersion = infoW.dwMajorVersion;
    v->dwMinorVersion = infoW.dwMinorVersion;
    v->dwBuildNumber  = infoW.dwBuildNumber;
    v->dwPlatformId   = infoW.dwPlatformId;
    WideCharToMultiByte( CP_ACP, 0, infoW.szCSDVersion, -1,
                         v->szCSDVersion, sizeof(v->szCSDVersion), NULL, NULL );

    if(v->dwOSVersionInfoSize == sizeof(OSVERSIONINFOEXA))
    {
        LPOSVERSIONINFOEXA vex = (LPOSVERSIONINFOEXA) v;
        vex->wServicePackMajor = infoW.wServicePackMajor;
        vex->wServicePackMinor = infoW.wServicePackMinor;
        vex->wSuiteMask        = infoW.wSuiteMask;
        vex->wProductType      = infoW.wProductType;
    }
    return TRUE;
}
Beispiel #3
0
/*
 * @implemented
 */
BOOL
WINAPI
GetVersionExW(IN LPOSVERSIONINFOW lpVersionInformation)
{
    NTSTATUS Status;
    LPOSVERSIONINFOEXW lpVersionInformationEx;

    if ((lpVersionInformation->dwOSVersionInfoSize != sizeof(OSVERSIONINFOW)) &&
        (lpVersionInformation->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW)))
    {
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        return FALSE;
    }

    Status = RtlGetVersion((PRTL_OSVERSIONINFOW)lpVersionInformation);
    if (Status == STATUS_SUCCESS)
    {
        if (lpVersionInformation->dwOSVersionInfoSize == sizeof(OSVERSIONINFOEXW))
        {
            lpVersionInformationEx = (PVOID)lpVersionInformation;
            lpVersionInformationEx->wReserved = 0;
        }

        return TRUE;
    }

    return FALSE;
}
Beispiel #4
0
gboolean
wing_get_version_number (gint *major,
                         gint *minor)
{
  typedef NTSTATUS (WINAPI fRtlGetVersion) (PRTL_OSVERSIONINFOEXW);
  OSVERSIONINFOEXW osverinfo;
  fRtlGetVersion *RtlGetVersion;
  HMODULE hmodule;

  hmodule = LoadLibraryW (L"ntdll.dll");
  g_return_val_if_fail (hmodule != NULL, FALSE);

  RtlGetVersion = (fRtlGetVersion *)GetProcAddress (hmodule, "RtlGetVersion");
  g_return_val_if_fail (RtlGetVersion != NULL, FALSE);

  memset (&osverinfo, 0, sizeof (OSVERSIONINFOEXW));
  osverinfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
  RtlGetVersion (&osverinfo);

  FreeLibrary (hmodule);

  *major = osverinfo.dwMajorVersion;
  *minor = osverinfo.dwMinorVersion;

  return TRUE;
}
Beispiel #5
0
/*
* WinObjInitGlobals
*
* Purpose:
*
* Initialize global variables.
*
*/
BOOL WinObjInitGlobals()
{
    SIZE_T cch;
    BOOL bResult = FALSE, bCond = FALSE;

    do {
        RtlSecureZeroMemory(&g_WinObj, sizeof(g_WinObj));

        //
        // Query version info.
        //
        g_WinObj.osver.dwOSVersionInfoSize = sizeof(g_WinObj.osver);
        RtlGetVersion(&g_WinObj.osver);

        //
        // Remember hInstance.
        //
        g_WinObj.hInstance = GetModuleHandle(NULL);

        //
        // Create dedicated heap.
        //
        g_WinObj.Heap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
        if (g_WinObj.Heap == NULL)
            break;

        RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);
        RtlInitializeCriticalSection(&g_WinObj.Lock);

        //
        // Remember %TEMP% directory.
        //
        cch = ExpandEnvironmentStrings(L"%temp%", g_WinObj.szTempDirectory, MAX_PATH);
        if ((cch == 0) || (cch > MAX_PATH))
            break;

        //
        // Remember Windows directory.
        //
        if (!GetWindowsDirectory(g_WinObj.szWindowsDirectory, MAX_PATH))
            break;

        //
        // Remember System32 directory.
        //
        if (!GetSystemDirectory(g_WinObj.szSystemDirectory, MAX_PATH))
            break;

        bResult = TRUE;

    } while (bCond);

    if (bResult == FALSE) {
        if (g_WinObj.Heap)
            RtlDestroyHeap(g_WinObj.Heap);
    }

    return bResult;
}
Beispiel #6
0
/***********************************************************************
 *         GetVersionExW   (KERNEL32.@)
 */
BOOL WINAPI GetVersionExW( OSVERSIONINFOW *info )
{
    if (info->dwOSVersionInfoSize != sizeof(OSVERSIONINFOW) &&
        info->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW))
    {
        WARN("wrong OSVERSIONINFO size from app (got: %d)\n",
                        info->dwOSVersionInfoSize);
        return FALSE;
    }
    return (RtlGetVersion( (RTL_OSVERSIONINFOEXW *)info ) == STATUS_SUCCESS);
}
Beispiel #7
0
PVOID GetAcpiHandle(PVOID in_pdo)
{
	//KdPrint(("GetAcpiHandle Input:0x%X\n",in_pdo));
	PVOID pvRet=0;
	PVOID temp;
	RTL_OSVERSIONINFOW osvx={0};
	osvx.dwOSVersionInfoSize=sizeof(RTL_OSVERSIONINFOW);
	RtlGetVersion(&osvx);
	temp = ((PDEVICE_OBJECT)in_pdo)->DeviceObjectExtension->DeviceObject->DeviceExtension;
	pvRet = *((PVOID *)((ULONG_PTR)temp + g_ulACPIHandleOffset));
	if((osvx.dwMajorVersion == 6 && osvx.dwMinorVersion == 3) || osvx.dwMajorVersion == 10)
	{
		pvRet = *((PVOID*)pvRet);
	}
	return pvRet;
	/*__asm
	{
		push eax
		push ebx
		push ecx
		push edx
		mov ecx,temp
		mov edx,g_ulACPIHandleOffset
		add ecx,edx
		mov ebx,[ecx]
		mov pvRet,ebx
		pop edx
		pop ecx
		pop ebx
		pop eax
	}*/
	/*__asm
	{
		push eax
		push ebx
		push ecx
		push edx
		mov ecx,in_pdo
		mov ecx,[ecx+0xb0]
		mov ecx,[ecx+4]
		mov ecx,[ecx+0x28]
		mov edx,g_ulACPIHandleOffset
		add ecx,edx
		mov ebx,[ecx]
		mov pvRet,ebx
		pop edx
		pop ecx
		pop ebx
		pop eax
	}*/
	//KdPrint(("GetAcpiHandle Returns:0x%X\n",pvRet));
	return pvRet;
}
Beispiel #8
0
ULONG GetOsVersion()
{

	ULONG ulOsVersion;
	RTL_OSVERSIONINFOW OsVersionInfo;

	PAGED_CODE();

	OsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);

	if (!NT_SUCCESS(RtlGetVersion(&OsVersionInfo)))
		return OS_VERSION_ERROR;

	switch (OsVersionInfo.dwBuildNumber) {
		case 2195:
			ulOsVersion = OS_VERSION_2000;
			break;

		case 2600:
			ulOsVersion = OS_VERSION_XP;
			break;

		case 3790:
			ulOsVersion = OS_VERSION_SERVER_2003;
			break;

		case 6000:
			ulOsVersion = OS_VERSION_VISTA;
			break;

		case 6001:
			ulOsVersion = OS_VERSION_VISTA_SP1;
			break;

		case 6002:
			ulOsVersion = OS_VERSION_VISTA_SP2;
			break;

		case 7600:
			ulOsVersion = OS_VERSION_WIN7;
			break;

		case 7601:
			ulOsVersion = OS_VERSION_WIN7_SP1;
			break;

		default:
			ulOsVersion = OS_VERSION_ERROR;
	}

	return ulOsVersion;
}
Beispiel #9
0
static FORCEINLINE
__SystemGetVersionInformation(
    VOID
    )
{
    RTL_OSVERSIONINFOEXW    VersionInformation;
    ULONG                   Bit;

    ASSERT3U(KeGetCurrentIrql(), ==, PASSIVE_LEVEL);

    RtlZeroMemory(&VersionInformation, sizeof (RTL_OSVERSIONINFOEXW));
    VersionInformation.dwOSVersionInfoSize = sizeof (RTL_OSVERSIONINFOEXW);

    RtlGetVersion((PRTL_OSVERSIONINFOW)&VersionInformation);

#if defined(__i386__)
    Info("KERNEL: %d.%d (BUILD %d) PLATFORM %s\n",
         VersionInformation.dwMajorVersion,
         VersionInformation.dwMinorVersion,
         VersionInformation.dwBuildNumber,
         __PlatformIdName(VersionInformation.dwPlatformId));
#elif defined(__x86_64__)
    Info("KERNEL: %d.%d (BUILD %d) PLATFORM %s (x64)\n",
         VersionInformation.dwMajorVersion,
         VersionInformation.dwMinorVersion,
         VersionInformation.dwBuildNumber,
         __PlatformIdName(VersionInformation.dwPlatformId));
#else
#error 'Unrecognised architecture'
#endif    

    if (VersionInformation.wServicePackMajor != 0 ||
        VersionInformation.wServicePackMinor != 0)
        Info("SP: %d.%d (%s)\n",
             VersionInformation.wServicePackMajor,
             VersionInformation.wServicePackMinor,
             VersionInformation.szCSDVersion);

    Info("SUITES:\n");
    Bit = 0;
    while (VersionInformation.wSuiteMask != 0) {
        if (VersionInformation.wSuiteMask & 0x0001)
            Info("- %s\n", __SuiteName(Bit));

        VersionInformation.wSuiteMask >>= 1;
        Bit++;
    }

    Info("TYPE: %s\n", __ProductTypeName(VersionInformation.wProductType));
}
Beispiel #10
0
NTSTATUS KphDynamicDataInitialization(
    VOID
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    PAGED_CODE();

    // Get Windows version information.

    KphDynOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphDynOsVersionInfo);

    return status;
}
Beispiel #11
0
int main()
{
    RTLGETVERSION RtlGetVersion=(RTLGETVERSION)GetProcAddress(GetModuleHandleA("ntdll.dll"),"RtlGetVersion");
    OSVERSIONINFO osv1={0},osv2={0};
    //way 1
    osv1.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
    GetVersionEx(&osv1);
    printf("Get Build Number by GetVersionEx: %ld\n",osv1.dwBuildNumber);
    //way 2
    osv2.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
    RtlGetVersion(&osv2);
    printf("Get Build Number by RtlGetVersion: %ld\n",osv2.dwBuildNumber);
    //show info
    getchar();
    return 0;
}
Beispiel #12
0
//
// e.g. WinXP SP2 : 0x05010200
//
inline ULONG GetOsVersion()
{
    RTL_OSVERSIONINFOW ver_info = {};
    ver_info.dwOSVersionInfoSize = sizeof(ver_info);

    auto status = RtlGetVersion(&ver_info);
    Assert(NT_SUCCESS(status));

    auto ver = ver_info.dwMajorVersion << 24 | ver_info.dwMinorVersion << 16;

    if (0 == ver_info.szCSDVersion[0])
    {
        return ver;
    }

    if (Equals(ver_info.szCSDVersion, L"Service Pack 1", false))
    {
        return ver |= 0x0100;
    }

    if (Equals(ver_info.szCSDVersion, L"Service Pack 2", false))
    {
        return ver |= 0x0200;
    }

    if (Equals(ver_info.szCSDVersion, L"Service Pack 3", false))
    {
        return ver |= 0x0300;
    }

    if (Equals(ver_info.szCSDVersion, L"Service Pack 4", false))
    {
        return ver |= 0x0400;
    }

    if (Equals(ver_info.szCSDVersion, L"Service Pack 5", false))
    {
        return ver |= 0x0500;
    }

    if (Equals(ver_info.szCSDVersion, L"Service Pack 6", false))
    {
        return ver |= 0x0600;
    }

    return ver;
}
Beispiel #13
0
/***********************************************************************
 *         GetVersion   (KERNEL.3)
 */
DWORD WINAPI GetVersion16(void)
{
    static WORD dosver, winver;

    if (!dosver)  /* not determined yet */
    {
        RTL_OSVERSIONINFOEXW info;

        info.dwOSVersionInfoSize = sizeof(info);
        if (RtlGetVersion( &info )) return 0;

        if (info.dwMajorVersion <= 3)
            winver = MAKEWORD( info.dwMajorVersion, info.dwMinorVersion );
        else
            winver = MAKEWORD( 3, 95 );

        switch(info.dwPlatformId)
        {
        case VER_PLATFORM_WIN32s:
            switch(MAKELONG( info.dwMinorVersion, info.dwMajorVersion ))
            {
            case 0x0200:
                dosver = 0x0303;  /* DOS 3.3 for Windows 2.0 */
                break;
            case 0x0300:
                dosver = 0x0500;  /* DOS 5.0 for Windows 3.0 */
                break;
            default:
                dosver = 0x0616;  /* DOS 6.22 for Windows 3.1 and later */
                break;
            }
            break;
        case VER_PLATFORM_WIN32_WINDOWS:
            /* DOS 8.0 for WinME, 7.0 for Win95/98 */
            if (info.dwMinorVersion >= 90) dosver = 0x0800;
            else dosver = 0x0700;
            break;
        case VER_PLATFORM_WIN32_NT:
            dosver = 0x0500;  /* always DOS 5.0 for NT */
            break;
        }
        TRACE( "DOS %d.%02d Win %d.%02d\n",
               HIBYTE(dosver), LOBYTE(dosver), LOBYTE(winver), HIBYTE(winver) );
    }
    return MAKELONG( winver, dosver );
}
VOID
XenPci_PatchKernel(PXENPCI_DEVICE_DATA xpdd, PVOID base, ULONG length) {
  patch_info_t patch_info;
#if (NTDDI_VERSION >= NTDDI_WINXP)
  RTL_OSVERSIONINFOEXW version_info;
#endif

  FUNCTION_ENTER();

/* if we're compiled for 2000 then assume we need patching */
#if (NTDDI_VERSION >= NTDDI_WINXP)
  version_info.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);

  RtlGetVersion((PRTL_OSVERSIONINFOW)&version_info);
  if (version_info.dwMajorVersion >= 6) {
    FUNCTION_MSG("Vista or newer - no need for patch\n");
    return;
  }
  if (version_info.dwMajorVersion == 5
      && version_info.dwMinorVersion > 2) {
    FUNCTION_MSG("Windows 2003 sp2 or newer - no need for patch\n");
    return;
  }
  if (version_info.dwMajorVersion == 5
      && version_info.dwMinorVersion == 2
      && version_info.wServicePackMajor >= 2) {
    FUNCTION_MSG("Windows 2003 sp2 or newer - no need for patch\n");
    return;
  }
#endif
  if (IsMoveCr8Supported()) {
    FUNCTION_MSG("Using LOCK MOVE CR0 TPR patch\n");
    patch_method = PATCH_METHOD_LOCK_MOVE_CR0;
  } else {
    FUNCTION_MSG("Using cached TPR patch\n");
    patch_method = PATCH_METHOD_CACHED_TPR;
  }
  patch_info.base = base;
  patch_info.length = length;
    
  XenPci_HighSync(XenPci_DoPatchKernel0, XenPci_DoPatchKernelN, &patch_info);
  
  xpdd->removable = FALSE;
  
  FUNCTION_EXIT();
}
Beispiel #15
0
// Test if the system is one of supported OS versions
_Use_decl_annotations_ bool DriverpIsSuppoetedOS() {
  PAGED_CODE();

  RTL_OSVERSIONINFOW os_version = {};
  auto status = RtlGetVersion(&os_version);
  if (!NT_SUCCESS(status)) {
    return false;
  }
  if (os_version.dwMajorVersion != 6 && os_version.dwMajorVersion != 10) {
    return false;
  }
  // 4-gigabyte tuning (4GT) should not be enabled
  if (!IsX64() &&
      reinterpret_cast<ULONG_PTR>(MmSystemRangeStart) != 0x80000000) {
    return false;
  }
  return true;
}
Beispiel #16
0
/*
* ucmInit
*
* Purpose:
*
* Prestart phase.
*
*/
UINT ucmInit(
	VOID
	)
{
	//fill common data block
	RtlSecureZeroMemory(&g_ldp, sizeof(g_ldp));

	//remember dll handles
	g_ldp.hKernel32 = GetModuleHandleW(L"kernel32.dll");
	if (g_ldp.hKernel32 == NULL) {
		return ERROR_INVALID_HANDLE;
	}
	g_ldp.hOle32 = GetModuleHandleW(L"ole32.dll");
	if (g_ldp.hOle32 == NULL) {
		g_ldp.hOle32 = LoadLibraryW(L"ole32.dll");
		if (g_ldp.hOle32 == NULL) {
			return ERROR_INVALID_HANDLE;
		}
	}
	g_ldp.hShell32 = GetModuleHandleW(L"shell32.dll");
	if (g_ldp.hShell32 == NULL) {
		g_ldp.hShell32 = LoadLibraryW(L"shell32.dll");
		if (g_ldp.hShell32 == NULL) {
			return ERROR_INVALID_HANDLE;
		}
	}

	//query basic directories
	if (GetSystemDirectoryW(g_ldp.szSystemDirectory, MAX_PATH) == 0) {
		return ERROR_INVALID_DATA;
	}

	//query build number
	RtlSecureZeroMemory(&g_ldp.osver, sizeof(g_ldp.osver));
	g_ldp.osver.dwOSVersionInfoSize = sizeof(g_ldp.osver);
	if (!NT_SUCCESS(RtlGetVersion(&g_ldp.osver))) {
		return ERROR_INVALID_ACCESS;
	}

	g_ldp.IsWow64 = supIsProcess32bit(GetCurrentProcess());

	return ERROR_SUCCESS;
}
Beispiel #17
0
// Initializes GuardMon components
_Use_decl_annotations_ NTSTATUS GMonInitialization() {
  PAGED_CODE();

  GMonpDemoStl();

  g_gmonp_ExAcquireResourceSharedLite =
      UtilGetSystemProcAddress(L"ExAcquireResourceSharedLite");
  if (!g_gmonp_ExAcquireResourceSharedLite) {
    return STATUS_PROCEDURE_NOT_FOUND;
  }

  RTL_OSVERSIONINFOW os_version = {};
  auto status = RtlGetVersion(&os_version);
  if (!NT_SUCCESS(status)) {
    return status;
  }
  if (os_version.dwMajorVersion == 10 && os_version.dwMinorVersion == 0) {
    g_pgmon_IsWindows10 = true;
  }
  return STATUS_SUCCESS;
}
Beispiel #18
0
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
    NTSTATUS                  ntStatus;
    UNICODE_STRING            uszDriverString;
    UNICODE_STRING            uszDeviceString;
    UNICODE_STRING            uszProcessEventString;
    PDEVICE_OBJECT            pDeviceObject;
    PDEVICE_EXTENSION         extension;
    HANDLE                    hProcessHandle;
    RTL_OSVERSIONINFOW version;

    RtlInitUnicodeString(&uszDriverString, L"\\Device\\hookdetect");
    ntStatus = IoCreateDevice(DriverObject,sizeof(DEVICE_EXTENSION),&uszDriverString,FILE_DEVICE_UNKNOWN,0,FALSE,&pDeviceObject);
    if(ntStatus != STATUS_SUCCESS)
        return ntStatus;
    extension = pDeviceObject->DeviceExtension;
    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\hookdetect");
    ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);

    if(ntStatus != STATUS_SUCCESS){
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }
    g_pDeviceObject = pDeviceObject;
    DriverObject->DriverUnload                         = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    version.dwOSVersionInfoSize = sizeof(version);
    RtlGetVersion(&version);
    if (((version.dwMajorVersion << 8) | version.dwMinorVersion) >= 0x0601) {
        g_win7 = 1;
    } else {
        g_win7 = 0;
    }

    return ntStatus;
}
Beispiel #19
0
/*
* DetectSystemInfo
*
* Purpose:
*
* Remember system version and system info to global variables.
*
*/
VOID DetectSystemInfo(
	VOID
	)
{
	NTSTATUS Status;

	g_IsWin64 = supIs64BitWindows(&g_IsWow64);
	if (g_IsWow64) {
		GetNativeSystemInfo(&g_siSysInfo);
	}
	else {
		GetSystemInfo(&g_siSysInfo);
	}

	RtlSecureZeroMemory(&g_osver, sizeof(g_osver));
	g_osver.dwOSVersionInfoSize = sizeof(g_osver);

	Status = RtlGetVersion(&g_osver);
	if (NT_SUCCESS(Status)) {
		if (g_osver.dwMajorVersion < 6) {
			supEnablePrivilege(SE_DEBUG_PRIVILEGE, TRUE);
		}
	}
}
Beispiel #20
0
ULONG GetOsVersion()
/*++

Routine Description:

	Gets OS Version


Arguments:

	None.


Return Value:

	returns OS Version.


Author:

	xiaonie

	2012/07/12


--*/
{
	ULONG ulOsVersion;
	RTL_OSVERSIONINFOW OsVersionInfo;

	OsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);

	if (!NT_SUCCESS(RtlGetVersion(&OsVersionInfo)))
		return OS_VERSION_ERROR;

	switch (OsVersionInfo.dwBuildNumber) {
	case 2195:
		ulOsVersion = OS_VERSION_2000;
		break;

	case 2600:
		ulOsVersion = OS_VERSION_XP;
		break;

	case 3790:
		ulOsVersion = OS_VERSION_SERVER_2003;
		break;

	case 6000:
		ulOsVersion = OS_VERSION_VISTA;
		break;

	case 6001:
		ulOsVersion = OS_VERSION_VISTA_SP1;
		break;

	case 6002:
		ulOsVersion = OS_VERSION_VISTA_SP2;
		break;

	case 7600:
		ulOsVersion = OS_VERSION_WIN7;
		break;

	case 7601:
		ulOsVersion = OS_VERSION_WIN7_SP1;
		break;

	default:
		ulOsVersion = OS_VERSION_ERROR;
	}
	return ulOsVersion;
}
Beispiel #21
0
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	Description : initializes the driver and the filter port, registers driver and registry callbacks.
//
//	Parameters : 
//		_in_ PDRIVER_OBJECT pDriverObject :	Data structure used to represent the driver.
//		_in_ PUNICODE_STRING pRegistryPath :	Registry location where the information for the driver
//							was stored.
//	Return value :
//		NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed
//	Process :
//		Defines hidden / blocked processes names.
//		Creates the device driver and its symbolic link.
//		Sets IRP callbacks.
//		Creates filter communication port to send logs from the driver to the userland process.
//		Creates logs mutex.
//		Register image load and registry callbacks.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
	PVOID adrFunc;
	PDEVICE_OBJECT pDeviceObject;
	UNICODE_STRING usDriverName;
	UNICODE_STRING filterPortName;
	UNICODE_STRING function;
	OBJECT_ATTRIBUTES objAttr;
	RTL_OSVERSIONINFOW osInfo;
	PSECURITY_DESCRIPTOR securityDescriptor;
	NTSTATUS status;
	ULONG i;

	// import some functions we will need
	RtlInitUnicodeString(&function, L"ZwQueryInformationThread");
	ZwQueryInformationThread = MmGetSystemRoutineAddress(&function);
	RtlInitUnicodeString(&function, L"ZwQueryInformationProcess");
	ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function);
	RtlInitUnicodeString(&function, L"ZwQuerySystemInformation");
	ZwQuerySystemInformation = MmGetSystemRoutineAddress(&function);
	
	RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT");
	RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT"); 
	status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
	if(!NT_SUCCESS(status))
		return status;
	
	status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
	if(!NT_SUCCESS(status))
		return status;
	
	pDeviceObject->Flags |= DO_BUFFERED_IO;
	pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
	for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
		pDriverObject->MajorFunction[i] = ioctl_NotSupported;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl;
	
	monitored_process_list = NULL;
	hidden_process_list = NULL;
	monitored_handle_list = NULL;
	
	// initialize every function pointers to null
	oldNtMapViewOfSection = NULL;
	oldNtSetContextThread = NULL;
	oldNtCreateThread = NULL;
	oldNtQueueApcThread = NULL;
	oldNtCreateProcess = NULL;
	oldNtSystemDebugControl = NULL;
	oldNtCreateProcessEx = NULL;
	oldNtWriteVirtualMemory = NULL;
	oldNtDebugActiveProcess = NULL;
	oldNtOpenProcess = NULL;
	oldNtOpenThread = NULL;
	oldNtQuerySystemInformation = NULL;
	oldNtCreateFile = NULL;
	oldNtReadFile = NULL;
	oldNtWriteFile = NULL;
	oldNtDeleteFile = NULL;
	oldNtSetInformationFile = NULL;
	oldNtQueryInformationFile = NULL;
	oldNtCreateMutant = NULL;
	oldNtDeviceIoControlFile = NULL;
	oldNtTerminateProcess = NULL;
	oldNtDelayExecution = NULL;
	oldNtQueryValueKey = NULL;
	oldNtQueryAttributesFile = NULL;
	oldNtReadVirtualMemory = NULL;
	oldNtResumeThread = NULL;
	oldNtCreateSection = NULL;
	oldNtUserCallOneParam = NULL;
	oldNtUserCallNoParam = NULL;
	oldNtClose = NULL;
	oldNtOpenFile = NULL;
	
	#ifdef DEBUG
	DbgPrint("IOCTL_CUCKOO_PATH : 0x%08x\n", IOCTL_CUCKOO_PATH);
	#endif
	
	// get os version
	if(!NT_SUCCESS(RtlGetVersion(&osInfo)))
		return status;

	// check os version	
	if(osInfo.dwMajorVersion == 5 && osInfo.dwMinorVersion == 1) // xp 32 bits
	{
		is_xp = 1;
		#ifdef DEBUG
		DbgPrint("windows xp !\n");
		#endif
	}
	else if(osInfo.dwMajorVersion == 6 && osInfo.dwMinorVersion == 1) // win 7
	{
		is_xp = 0;
		#ifdef DEBUG
		DbgPrint("windows 7!\n");
		#endif
	}
	else
	{
		#ifdef DEBUG
		DbgPrint("error : not supported os\n");
		#endif
		return -1;
	}
	
   	status = FltRegisterFilter(pDriverObject,&registration,&filter);
	if(!NT_SUCCESS(status))
		return status;
	
	RtlInitUnicodeString(&filterPortName, L"\\FilterPort");
	status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS);
	if(!NT_SUCCESS(status))
		return status;
	
	InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor); 
	
	status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1);
	FltFreeSecurityDescriptor(securityDescriptor);
	if(!NT_SUCCESS(status))
		return status;
	
	KeInitializeMutex(&mutex, 0);
	
	status = CmRegisterCallback(regCallback, NULL, &cookie);
	if(!NT_SUCCESS(status))
		return status;
	
	status = PsSetLoadImageNotifyRoutine(imageCallback);
	if(!NT_SUCCESS(status))
		return status;
	
	KeServiceDescriptorTableShadow = getShadowTableAddress();
	
	if(!KeServiceDescriptorTableShadow)
	{
		#ifdef DEBUG
		DbgPrint("error : couldn't retrieve Shadow SSDT\n");
		#endif
		return STATUS_UNSUCCESSFUL;
	}

	
	pDriverObject->DriverUnload = Unload;
	return STATUS_SUCCESS;
}
Beispiel #22
0
static VOID PhInitializeWindowsVersion(
    VOID
    )
{
    RTL_OSVERSIONINFOEXW versionInfo;
    ULONG majorVersion;
    ULONG minorVersion;

    versionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);

    if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&versionInfo)))
    {
        WindowsVersion = WINDOWS_NEW;
        return;
    }

    memcpy(&PhOsVersion, &versionInfo, sizeof(RTL_OSVERSIONINFOEXW));
    majorVersion = versionInfo.dwMajorVersion;
    minorVersion = versionInfo.dwMinorVersion;

    if (majorVersion == 5 && minorVersion < 1 || majorVersion < 5)
    {
        WindowsVersion = WINDOWS_ANCIENT;
    }
    /* Windows XP */
    else if (majorVersion == 5 && minorVersion == 1)
    {
        WindowsVersion = WINDOWS_XP;
    }
    /* Windows Server 2003 */
    else if (majorVersion == 5 && minorVersion == 2)
    {
        WindowsVersion = WINDOWS_SERVER_2003;
    }
    /* Windows Vista, Windows Server 2008 */
    else if (majorVersion == 6 && minorVersion == 0)
    {
        WindowsVersion = WINDOWS_VISTA;
    }
    /* Windows 7, Windows Server 2008 R2 */
    else if (majorVersion == 6 && minorVersion == 1)
    {
        WindowsVersion = WINDOWS_7;
    }
    /* Windows 8 */
    else if (majorVersion == 6 && minorVersion == 2)
    {
        WindowsVersion = WINDOWS_8;
    }
    /* Windows 8.1 */
    else if (majorVersion == 6 && minorVersion == 3)
    {
        WindowsVersion = WINDOWS_8_1;
    }
    /* Windows 10 */
    else if (majorVersion == 10 && minorVersion == 0)
    {
        WindowsVersion = WINDOWS_10;
    }
    else if (majorVersion == 10 && minorVersion > 0 || majorVersion > 10)
    {
        WindowsVersion = WINDOWS_NEW;
    }

    if (WINDOWS_HAS_LIMITED_ACCESS)
    {
        ProcessQueryAccess = PROCESS_QUERY_LIMITED_INFORMATION;
        ProcessAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1fff;
        ThreadQueryAccess = THREAD_QUERY_LIMITED_INFORMATION;
        ThreadSetAccess = THREAD_SET_LIMITED_INFORMATION;
        ThreadAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff;
    }
    else
    {
        ProcessQueryAccess = PROCESS_QUERY_INFORMATION;
        ProcessAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff;
        ThreadQueryAccess = THREAD_QUERY_INFORMATION;
        ThreadSetAccess = THREAD_SET_INFORMATION;
        ThreadAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff;
    }
}
Beispiel #23
0
/// <summary>
/// Initialize dynamic data.
/// </summary>
/// <param name="pData">Data to initialize</param>
/// <returns>Status code</returns>
NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
{
    NTSTATUS status = STATUS_SUCCESS;
    RTL_OSVERSIONINFOEXW verInfo = { 0 };
    ULONG buildNo = 0;

    if (pData == NULL)
        return STATUS_INVALID_ADDRESS;

    RtlZeroMemory( pData, sizeof( DYNAMIC_DATA ) );

    verInfo.dwOSVersionInfoSize = sizeof( verInfo );
    status = RtlGetVersion( (PRTL_OSVERSIONINFOW)&verInfo );

    if (status == STATUS_SUCCESS)
    {
        ULONG ver_short = (verInfo.dwMajorVersion << 8) | (verInfo.dwMinorVersion << 4) | verInfo.wServicePackMajor;
        pData->ver = (WinVer)ver_short;

        // Get kernel build number
        status = BBGetBuildNO( &buildNo );

        // Validate current driver version
        pData->correctBuild = TRUE;
    #if defined(_WIN7_)
        if (ver_short != WINVER_7 && ver_short != WINVER_7_SP1)
            return STATUS_NOT_SUPPORTED;
        if(ver_short == WINVER_7_SP1 && buildNo != 18700)
            pData->correctBuild = FALSE;
    #elif defined(_WIN8_)
        if (ver_short != WINVER_8)
            return STATUS_NOT_SUPPORTED;
    #elif defined (_WIN81_)
        if (ver_short != WINVER_81)
            return STATUS_NOT_SUPPORTED;
        if (buildNo != 17328)
            pData->correctBuild = FALSE;
    #elif defined (_WIN10_)
        if (ver_short != WINVER_10)           
            return STATUS_NOT_SUPPORTED;
        if (verInfo.dwBuildNumber != 9926)
            pData->correctBuild = FALSE;
    #endif

        DPRINT( 
            "BlackBone: OS version %d.%d.%d.%d.%d.%d - 0x%x\n",
            verInfo.dwMajorVersion,
            verInfo.dwMinorVersion,
            verInfo.dwBuildNumber,
            verInfo.wServicePackMajor,
            verInfo.wServicePackMinor,
            buildNo,
            ver_short
            );

        switch (ver_short)
        {
                // Windows 7
                // Windows 7 SP1, build 18700
            case WINVER_7:
            case WINVER_7_SP1:
                pData->KExecOpt         = 0x0D2;
                pData->Protection       = 0x43C;  // Bitfield, bit index - 0xB
                pData->ObjTable         = 0x200;
                pData->VadRoot          = 0x448;
                pData->NtProtectIndex   = 0x04D;
                pData->NtCreateThdIndex = 0x0A5;
                pData->NtTermThdIndex   = 0x50;
                pData->PrevMode         = 0x1F6;
                pData->ExitStatus       = 0x380;
                pData->MiAllocPage      = (ver_short == WINVER_7_SP1) ? 0x410D70 : 0x40A9C0;
                pData->ExRemoveTable    = (ver_short == WINVER_7_SP1) ? 0x330048 : 0x32D404;
                break;

                // Windows 8
            case WINVER_8:
                pData->KExecOpt         = 0x1B7;
                pData->Protection       = 0x648;
                pData->ObjTable         = 0x408;
                pData->VadRoot          = 0x590;
                pData->NtProtectIndex   = 0x04E;
                pData->NtCreateThdIndex = 0x0AF;
                pData->NtTermThdIndex   = 0x51;
                pData->PrevMode         = 0x232;
                pData->ExitStatus       = 0x450;
                pData->MiAllocPage      = 0x3AF374;
                pData->ExRemoveTable    = 0x487518;
                break;

                // Windows 8.1, build 17328
            case WINVER_81:
                pData->KExecOpt         = 0x1B7;
                pData->Protection       = 0x67A;
                pData->ObjTable         = 0x408;
                pData->VadRoot          = 0x5D8;
                pData->NtCreateThdIndex = 0xB0;
                pData->NtTermThdIndex   = 0x52;
                pData->PrevMode         = 0x232;
                pData->ExitStatus       = 0x6D8;
                pData->MiAllocPage      = 0;
                pData->ExRemoveTable    = 0x432A88; // 0x38E320;
                break;

                // Windows 10, technical preview, build 9926
            case WINVER_10:
                pData->KExecOpt         = 0x1BF;
                pData->Protection       = 0x69A;
                pData->ObjTable         = 0x418;
                pData->VadRoot          = 0x5F8;
                pData->NtCreateThdIndex = 0xB2;
                pData->NtTermThdIndex   = 0x53;
                pData->PrevMode         = 0x232;
                pData->ExitStatus       = 0x6E0;
                pData->MiAllocPage      = 0;
                pData->ExRemoveTable    = 0x4645B0;
                break;

            default:
                break;
        }

        return (pData->VadRoot != 0 ? status : STATUS_INVALID_KERNEL_INFO_VERSION);
    }

    return status;
}
Beispiel #24
0
/*
* ldrMain
*
* Purpose:
*
* Program entry point.
*
*/
void ldrMain(
	VOID
	)
{
	BOOL	cond = FALSE;
	LONG	x;
	ULONG	l = 0, dwCmd;
	HANDLE	hDevice;
	PVOID	DataBuffer;
	BOOL	bConDisabled, bUsbMonDisabled;
	WCHAR	cmdLineParam[MAX_PATH + 1];
	WCHAR	szDriverBuffer[MAX_PATH * 2];

	__security_init_cookie();

	bConDisabled = FALSE;
	bUsbMonDisabled = FALSE;
	DataBuffer = NULL;
	hDevice = NULL;

	dwCmd = 0;
	do {

		//
		// Check OS version.
		//
		RtlSecureZeroMemory(&g_osv, sizeof(g_osv));
		g_osv.dwOSVersionInfoSize = sizeof(g_osv);
		RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv);

		//
		// We support only Vista based OS.
		//
		if (g_osv.dwMajorVersion < 6) {
			MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."),
				T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Check number of instances running.
		//
		x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
		if (x > 1) {
			break;
		}

		//
		// Check if any VBox instances are running, they must be closed before our usage.
		//
		if (supProcessExist(L"VirtualBox.exe")) {
			MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."),
				T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Query command line.
		//
		RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
		GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l);
		if (l == 0) {
			//
			// Nothing in command line, simple display help and leave.
			//
			MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Check known command.
		//
		if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) {
			dwCmd = TSMI_INSTALL;
		}
		else {
			if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) {
				dwCmd = TSMI_REMOVE;
			}
		}
		if (dwCmd == 0) {
			MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Init ldr and DSEFix.
		//
		if (!ldrInit(dwCmd)) {
			break;
		}

		//
		// Process command.
		//
		switch (dwCmd) {
			
			case TSMI_INSTALL:

				// Backup vboxdrv if exists.
				supBackupVBoxDrv(FALSE);

				// Stop VBox Networking and USB driver.
				bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE)));
				bUsbMonDisabled = dsfStopDriver(VBoxUsbMon);
				dsfStopDriver(VBoxDrvSvc);

				// Load vulnerable VBoxDrv, disable VBox Network if exist.
				RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
				if (GetSystemDirectory(szDriverBuffer, MAX_PATH) == 0) {
					MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."),
						NULL, MB_ICONINFORMATION);
					break;
				}
				_strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));
				hDevice = dsfLoadVulnerableDriver(szDriverBuffer);
				if (hDevice) {

					//
					// Disable DSE so we can load monitor.
					// Device handle closed by DSEFix routine.
					//
					if (ldrPatchDSE(hDevice, TRUE)) {

						// Stop our VBoxDrv, need reloading for 2nd usage.
						dsfStopDriver(VBoxDrvSvc);

						// Load custom patch table, if present.
						RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
						GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l);
						if (l > 0) {
							l = 0;
							DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l);
							if ((DataBuffer != NULL) && (l > 0)) {
								g_TsmiPatchDataValue = DataBuffer;
								g_TsmiPatchDataValueSize = l;
							}
						}

						// Install and run monitor.
						if (!ldrSetMonitor()) {
							MessageBox(GetDesktopWindow(),
								TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR);
						}

						// Enable DSE back.
						hDevice = NULL;
						if (dsfStartDriver(VBoxDrvSvc, &hDevice)) {
							ldrPatchDSE(hDevice, FALSE);
						}

					}
					else { //ldrPatchDSE failure case

						// Unknown error during DSE disabling attempt.
						MessageBox(GetDesktopWindow(),
							TEXT("Error disabling DSE"), NULL, MB_ICONERROR);
					}

					// Finally, remove our vboxdrv file and restore backup.
					dsfStopDriver(VBoxDrvSvc);
					DeleteFile(szDriverBuffer);
					supBackupVBoxDrv(TRUE);

					// Restart installed VBoxDrv.
					dsfStartDriver(VBoxDrvSvc, NULL);

				}
				else { //dsfLoadVulnerableDriver failure case.

					// Load error, show error message and restore backup.
					supBackupVBoxDrv(TRUE);
					MessageBox(GetDesktopWindow(),
						TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR);
				}	
				break;
				
			//
			// Remove command, unload our driver and purge file/memory list cache.
			//
			case TSMI_REMOVE:
				scmUnloadDeviceDriver(TsmiDrvName);
				supPurgeSystemCache();
				break;

		}

	} while (cond);

	//
	// Cleanup after install.
	//
	if (dwCmd == TSMI_INSTALL) {

		// Re-enable VBox Network, UsbMonitor if they're disabled.
		if (bConDisabled) {
			supNetworkConnectionEnable(VBoxNetConnect, TRUE);
		}
		if (bUsbMonDisabled) {
			dsfStartDriver(VBoxUsbMon, NULL);
		}

		// Free memory allocated for custom patch table.
		if (DataBuffer != NULL) {
			HeapFree(GetProcessHeap(), 0, DataBuffer);
		}
	}

	InterlockedDecrement((PLONG)&g_lApplicationInstances);
	ExitProcess(0);
	return;
}
Beispiel #25
0
// Locate MmPfnDatabase
_Use_decl_annotations_ static NTSTATUS MmonpInitializeMmPfnDatabase() {
  PAGED_CODE();

  RTL_OSVERSIONINFOW os_version = {};
  auto status = RtlGetVersion(&os_version);
  if (!NT_SUCCESS(status)) {
    return status;
  }

  // Set appropriate patterns and based on an OS version
  struct MmPfnDatabaseSearchPattern {
    const UCHAR *bytes;
    SIZE_T bytes_size;
    bool hard_coded;
  };
  MmPfnDatabaseSearchPattern patterns[2] = {};

  if (IsX64()) {
    // Win 10 build 14316 is the first version implements randomized page tables
    if (os_version.dwMajorVersion < 10 || os_version.dwBuildNumber < 14316) {
      // PFN database is at the constant location on older x64 Windows
      g_mmonp_MmPfnDatabase = reinterpret_cast<void *>(0xfffffa8000000000);
      return STATUS_SUCCESS;
    }

    // Windows 10 x64 Build 14332+
    static const UCHAR kPatternWin10x64[] = {
        0x48, 0x8B, 0xC1,        // mov     rax, rcx
        0x48, 0xC1, 0xE8, 0x0C,  // shr     rax, 0Ch
        0x48, 0x8D, 0x14, 0x40,  // lea     rdx, [rax + rax * 2]
        0x48, 0x03, 0xD2,        // add     rdx, rdx
        0x48, 0xB8,              // mov     rax, 0FFFFFA8000000008h
    };
    patterns[0].bytes = kPatternWin10x64;
    patterns[0].bytes_size = sizeof(kPatternWin10x64);
    patterns[0].hard_coded = true;

  } else {
    // x86
    if (os_version.dwMajorVersion == 6 && os_version.dwMinorVersion == 1) {
      // Windows 7 (No PAE)
      static const UCHAR kPatternWin7[] = {
          0x6B, 0xC0, 0x18,  // imul    eax, 18h
          0x8B, 0x0D,        // mov     ecx, ds:_MmPfnDatabase
      };
      // Windows 7 (PAE)
      static const UCHAR kPatternWin7Pae[] = {
          0x6B, 0xC0, 0x1C,  // imul    eax, 1Ch
          0x8B, 0x0D,        // mov     ecx, ds:_MmPfnDatabase
      };

      if (UtilIsX86Pae()) {
        patterns[0].bytes = kPatternWin7Pae;
        patterns[0].bytes_size = sizeof(kPatternWin7Pae);
        patterns[0].hard_coded = false;
      } else {
        patterns[0].bytes = kPatternWin7;
        patterns[0].bytes_size = sizeof(kPatternWin7);
        patterns[0].hard_coded = false;
      }

    } else if ((os_version.dwMajorVersion == 6 &&
                os_version.dwMinorVersion == 3) ||
               (os_version.dwMajorVersion == 10 &&
                os_version.dwMinorVersion == 0)) {
      // Windows 8.1 and 10
      static const UCHAR kPatternWin81And10_0[] = {
          0xC1, 0xF8, 0x0C,  // sar     eax, 0Ch
          0xA1,              // mov     eax, ds:_MmPfnDatabase
      };
      static const UCHAR kPatternWin81And10_1[] = {
          0xC1, 0xE8, 0x0C,  // shr     eax, 0Ch
          0xA1,              // mov     eax, ds:_MmPfnDatabase
      };
      patterns[0].bytes = kPatternWin81And10_0;
      patterns[0].bytes_size = sizeof(kPatternWin81And10_0);
      patterns[0].hard_coded = false;
      patterns[1].bytes = kPatternWin81And10_1;
      patterns[1].bytes_size = sizeof(kPatternWin81And10_1);
      patterns[1].hard_coded = false;

    } else {
      // Unknown x86 OS version
      return STATUS_UNSUCCESSFUL;
    }
  }

  // Search the patterns from MmGetVirtualForPhysical
  const auto p_MmGetVirtualForPhysical = reinterpret_cast<UCHAR *>(
      UtilGetSystemProcAddress(L"MmGetVirtualForPhysical"));
  if (!p_MmGetVirtualForPhysical) {
    return STATUS_PROCEDURE_NOT_FOUND;
  }

  for (const auto &pattern : patterns) {
    if (!pattern.bytes) {
      break;  // no more patterns
    }

    auto found = reinterpret_cast<UCHAR *>(UtilMemMem(
        p_MmGetVirtualForPhysical, 0x20, pattern.bytes, pattern.bytes_size));
    if (!found) {
      continue;
    }

    // Get an address of PFN database
    found += pattern.bytes_size;
    if (pattern.hard_coded) {
      HYPERPLATFORM_LOG_DEBUG("Found a hard coded PFN database address at %p",
                              found);
      g_mmonp_MmPfnDatabase = *reinterpret_cast<void **>(found);
    } else {
      HYPERPLATFORM_LOG_DEBUG("Found a reference to MmPfnDatabase at %p",
                              found);
      const auto mmpfn_address = *reinterpret_cast<ULONG_PTR *>(found);
      g_mmonp_MmPfnDatabase = *reinterpret_cast<void **>(mmpfn_address);
    }

    // On Windows 10 RS, a value has 0x8. Delete it.
    g_mmonp_MmPfnDatabase = PAGE_ALIGN(g_mmonp_MmPfnDatabase);
    break;
  }

  HYPERPLATFORM_LOG_DEBUG("MmPfnDatabase = %p", g_mmonp_MmPfnDatabase);
  if (!g_mmonp_MmPfnDatabase) {
    return STATUS_UNSUCCESSFUL;
  }

  return STATUS_SUCCESS;
}
/*******************************************************************************
*
*   函 数 名 : InitlizedDeviceExtension
*  功能描述 : 初始化DeviceExtension中一些SSDT函数索引,系统结构体偏移值
*  参数列表 : pde    --  PDEVICE_EXTENSION 结构体
*   说      明 : 
*  返回结果 : 函数成功返回true,失败返回false
*
*******************************************************************************/
bool InitlizedDeviceExtension(PDEVICE_EXTENSION pde)
{
        RTL_OSVERSIONINFOW osi ={0} ;
        osi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW) ;
        RtlGetVersion(&osi) ;

        if (NULL == pde)
        {
                return false ;
        }

        KeInitializeMutex(&pde->DeviceIoControlMutex, 0) ;
        KeInitializeMutex(&pde->MyThreadMutex, 0) ;

        // 判断系统版本,填充相应的值
        switch(osi.dwPlatformId)
        {
                case VER_PLATFORM_WIN32_NT:
                {
                        switch(osi.dwMajorVersion)
                        {
                        case 0:
                        case 1:
                        case 2:
                        case 3:
                        case 4:
                                // 这里的话是Windows NT系统
                                // 添加相应的代码
                                {
                                }
                                break ;
                        // 2k xp 2003
                        case 5:
                                {
                                        switch(osi.dwMinorVersion)
                                        {
                                        // 2000的系统
                                        case 0:
                                                {
                                                        pde->uNtQuerySystemInformationIndex = 151 ;
                                                        pde->uNtOpenProcessIndex = 106 ;
                                                }
                                                break ;
                                        // xp的系统
                                        case 1:
                                                {
                                                        pde->uNtQuerySystemInformationIndex = 173 ;
                                                        pde->uNtOpenProcessIndex = 122 ;
                                                        pde->uActiveProcessLinksOffset = 0x88 ;
                                                        pde->UniqueProcessIdOffset      = 0x84 ;
                                                }
                                                break ;
                                        // 2003的系统
                                        case 2:
                                                {
                                                        pde->uNtQuerySystemInformationIndex = 181 ;
                                                        pde->uNtOpenProcessIndex       = 128 ;
                                                        pde->uActiveProcessLinksOffset = 152 ;
                                                        pde->UniqueProcessIdOffset      = 148 ;
                                                }
                                                break ;
                                        }// end of switch(osi.dwMinorVersion)
                                } // end of case 5
                                break ;
                        // vista 2008 win 7
                        case 6:
                                {
                                        switch(osi.dwMinorVersion)
                                        {
                                         // vista 2008
                                        case 0:
                                                {
                                                        pde->uNtQuerySystemInformationIndex = 248 ; 
                                                        pde->uNtOpenProcessIndex = 194 ;
                                                }
                                                break ;
                                        // win 7     2008 r2
                                        case 1:
                                                {
                                                        pde->uNtQuerySystemInformationIndex = 260 ;
                                                        pde->uNtOpenProcessIndex = 189 ;
                                                        pde->uActiveProcessLinksOffset = 0xb8 ;
                                                        pde->UniqueProcessIdOffset      = 0xb4 ;
                                                }
                                                break ;
                                        }
                                }
                                break ;
                        default:
                                break ;
                        }
                }
                break ;

        }

        return true ;
}
Beispiel #27
0
void DolphinAnalytics::MakeBaseBuilder()
{
  Common::AnalyticsReportBuilder builder;

  // Version information.
  builder.AddData("version-desc", Common::scm_desc_str);
  builder.AddData("version-hash", Common::scm_rev_git_str);
  builder.AddData("version-branch", Common::scm_branch_str);
  builder.AddData("version-dist", Common::scm_distributor_str);

  // Auto-Update information.
  builder.AddData("update-track", SConfig::GetInstance().m_auto_update_track);

  // CPU information.
  builder.AddData("cpu-summary", cpu_info.Summarize());

// OS information.
#if defined(_WIN32)
  builder.AddData("os-type", "windows");

  // Windows 8 removes support for GetVersionEx and such. Stupid.
  DWORD(WINAPI * RtlGetVersion)(LPOSVERSIONINFOEXW);
  *(FARPROC*)&RtlGetVersion = GetProcAddress(GetModuleHandle(TEXT("ntdll")), "RtlGetVersion");

  OSVERSIONINFOEXW winver;
  winver.dwOSVersionInfoSize = sizeof(winver);
  if (RtlGetVersion != nullptr)
  {
    RtlGetVersion(&winver);
    builder.AddData("win-ver-major", static_cast<u32>(winver.dwMajorVersion));
    builder.AddData("win-ver-minor", static_cast<u32>(winver.dwMinorVersion));
    builder.AddData("win-ver-build", static_cast<u32>(winver.dwBuildNumber));
    builder.AddData("win-ver-spmajor", static_cast<u32>(winver.wServicePackMajor));
    builder.AddData("win-ver-spminor", static_cast<u32>(winver.wServicePackMinor));
  }
#elif defined(ANDROID)
  builder.AddData("os-type", "android");
  builder.AddData("android-manufacturer", s_get_val_func("DEVICE_MANUFACTURER"));
  builder.AddData("android-model", s_get_val_func("DEVICE_MODEL"));
  builder.AddData("android-version", s_get_val_func("DEVICE_OS"));
#elif defined(__APPLE__)
  builder.AddData("os-type", "osx");

  SInt32 osxmajor, osxminor, osxbugfix;
// Gestalt is deprecated, but the replacement (NSProcessInfo
// operatingSystemVersion) is only available on OS X 10.10, so we need to use
// it anyway.  Change this someday when Dolphin depends on 10.10+.
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
  Gestalt(gestaltSystemVersionMajor, &osxmajor);
  Gestalt(gestaltSystemVersionMinor, &osxminor);
  Gestalt(gestaltSystemVersionBugFix, &osxbugfix);
#pragma GCC diagnostic pop

  builder.AddData("osx-ver-major", osxmajor);
  builder.AddData("osx-ver-minor", osxminor);
  builder.AddData("osx-ver-bugfix", osxbugfix);
#elif defined(__linux__)
  builder.AddData("os-type", "linux");
#elif defined(__FreeBSD__)
  builder.AddData("os-type", "freebsd");
#else
  builder.AddData("os-type", "unknown");
#endif

  m_base_builder = builder;
}
Beispiel #28
0
NTSTATUS
AFSInitRDRDevice()
{

    NTSTATUS       ntStatus = STATUS_SUCCESS;
    UNICODE_STRING uniDeviceName;
    AFSDeviceExt  *pDeviceExt = NULL;
    UNICODE_STRING uniFsRtlRegisterUncProviderEx;
    FsRtlRegisterUncProviderEx_t pFsRtlRegisterUncProviderEx = NULL;
    RTL_OSVERSIONINFOW sysVersion;
    ULONG ulDeviceCharacteristics = FILE_REMOTE_DEVICE;

    __Enter
    {

	RtlZeroMemory( &sysVersion,
		       sizeof( RTL_OSVERSIONINFOW));

	sysVersion.dwOSVersionInfoSize = sizeof( RTL_OSVERSIONINFOW);

	RtlGetVersion( &sysVersion);

        RtlInitUnicodeString( &uniDeviceName,
                              AFS_RDR_DEVICE_NAME);

        RtlInitUnicodeString( &uniFsRtlRegisterUncProviderEx,
                              L"FsRtlRegisterUncProviderEx");

        pFsRtlRegisterUncProviderEx = (FsRtlRegisterUncProviderEx_t)MmGetSystemRoutineAddress(&uniFsRtlRegisterUncProviderEx);

	//
	// On 32-bit Windows XP, do not set FILE_DEVICE_SECURE_OPEN
	// flag as it interferes with initial access to \\afs from
	// limited user accounts.
	//

	if(!(sysVersion.dwMajorVersion == 5 &&
	     sysVersion.dwMinorVersion == 1))
	{

	    ulDeviceCharacteristics |= FILE_DEVICE_SECURE_OPEN;
	}

        ntStatus = IoCreateDevice( AFSDriverObject,
                                   sizeof( AFSDeviceExt),
                                   pFsRtlRegisterUncProviderEx ? NULL : &uniDeviceName,
                                   FILE_DEVICE_NETWORK_FILE_SYSTEM,
				   ulDeviceCharacteristics,
                                   FALSE,
                                   &AFSRDRDeviceObject);

        if( !NT_SUCCESS( ntStatus))
        {

            AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
                          AFS_TRACE_LEVEL_ERROR,
                          "AFSInitRDRDevice IoCreateDevice failure %08lX\n",
                          ntStatus));

            try_return( ntStatus);
        }

        pDeviceExt = (AFSDeviceExt *)AFSRDRDeviceObject->DeviceExtension;

        RtlZeroMemory( pDeviceExt,
                       sizeof( AFSDeviceExt));

        //
        // Initialize resources
        //

        pDeviceExt->Specific.RDR.VolumeTree.TreeLock = &pDeviceExt->Specific.RDR.VolumeTreeLock;

        ExInitializeResourceLite( pDeviceExt->Specific.RDR.VolumeTree.TreeLock);

        pDeviceExt->Specific.RDR.VolumeTree.TreeHead = NULL;

        ExInitializeResourceLite( &pDeviceExt->Specific.RDR.VolumeListLock);

        pDeviceExt->Specific.RDR.VolumeListHead = NULL;

        pDeviceExt->Specific.RDR.VolumeListTail = NULL;

        KeInitializeEvent( &pDeviceExt->Specific.RDR.QueuedReleaseExtentEvent,
                           NotificationEvent,
                           TRUE);

        ExInitializeResourceLite( &pDeviceExt->Specific.RDR.RootCellTreeLock);

        pDeviceExt->Specific.RDR.RootCellTree.TreeLock = &pDeviceExt->Specific.RDR.RootCellTreeLock;

        pDeviceExt->Specific.RDR.RootCellTree.TreeHead = NULL;

        ExInitializeResourceLite( &pDeviceExt->Specific.RDR.ProviderListLock);

        ntStatus = AFSInitRdrFcb( &pDeviceExt->Fcb);

        if ( !NT_SUCCESS(ntStatus))
        {

            AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
                          AFS_TRACE_LEVEL_ERROR,
                          "AFSInitRDRDevice AFSInitRdrFcb failure %08lX\n",
                          ntStatus));

            try_return( ntStatus);
        }

        //
        // Clear the initializing bit
        //

        AFSRDRDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Increase the StackSize to support the extra stack frame required
        // for use of IoCompletion routines.
        //

        AFSRDRDeviceObject->StackSize++;

        //
        // Register this device with MUP with FilterMgr if Vista or above
        //

        if( pFsRtlRegisterUncProviderEx)
        {

            ntStatus = pFsRtlRegisterUncProviderEx( &AFSMUPHandle,
                                                    &uniDeviceName,
                                                    AFSRDRDeviceObject,
                                                    0);
            if ( !NT_SUCCESS( ntStatus))
            {
                AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
                              AFS_TRACE_LEVEL_ERROR,
                              "AFSInitRDRDevice FsRtlRegisterUncProvider failure %08lX\n",
                              ntStatus));
            }
        }
        else
        {

            ntStatus = FsRtlRegisterUncProvider( &AFSMUPHandle,
                                                 &uniDeviceName,
                                                 FALSE);

            if ( NT_SUCCESS( ntStatus))
            {

                IoRegisterFileSystem( AFSRDRDeviceObject);
            }
            else
            {
                AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
                              AFS_TRACE_LEVEL_ERROR,
                              "AFSInitRDRDevice FsRtlRegisterUncProvider failure %08lX\n",
                              ntStatus));
            }
        }

        //
        // Good to go, all registered and ready to start receiving requests
        //

try_exit:

        if( !NT_SUCCESS( ntStatus))
        {

            //
            // Delete our device and bail
            //

            ExDeleteResourceLite( pDeviceExt->Specific.RDR.VolumeTree.TreeLock);

            ExDeleteResourceLite( &pDeviceExt->Specific.RDR.VolumeListLock);

            ExDeleteResourceLite( &pDeviceExt->Specific.RDR.RootCellTreeLock);

            ExDeleteResourceLite( &pDeviceExt->Specific.RDR.ProviderListLock);

            IoDeleteDevice( AFSRDRDeviceObject);

            AFSRDRDeviceObject = NULL;

            try_return( ntStatus);
        }
    }

    return ntStatus;
}
Beispiel #29
0
void main()
{
	LONG x;
	ULONG ParamLen;
	HANDLE hDevice = NULL;
	WCHAR cmdLineParam[MAX_PATH + 1];
	BOOL bDisable = TRUE, cond = FALSE;

	__security_init_cookie();

	//
	// Output DSEFix banner.
	//
	ShowServiceMessage("DSEFix v1.1.0 started");
	ShowServiceMessage("(c) 2014 - 2015 DSEFix Project");
	ShowServiceMessage("Supported x64 OS : Vista / 7 / 8 / 8.1 / 10");

	do {

		//
		// Check single instance.
		//
		x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
		if (x > 1) {
			ShowServiceMessage("Another instance running, close it before");
			break;
		}

		//
		// Check supported OS.
		//
		RtlSecureZeroMemory(&osv, sizeof(osv));
		osv.dwOSVersionInfoSize = sizeof(osv);
		RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
		if (osv.dwMajorVersion < 6) {
			ShowServiceMessage("Unsupported OS");
			break;
		}

		//
		// Query command line parameters.
		//
		ParamLen = 0;
		RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
		GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &ParamLen);
		if (_strcmpi(cmdLineParam, TEXT("-e")) == 0) {
			ShowServiceMessage("DSE will be (re)enabled");
			bDisable = FALSE;
		}
		else {
			ShowServiceMessage("DSE will be disabled");
			bDisable = TRUE;
		}

		//
		// Load vulnerable driver and open it device.
		//
		hDevice = LoadVulnerableDriver();
		if (hDevice == NULL) {
			ShowServiceMessage("Failed to load vulnerable driver");
			break;
		}
		else {
			ShowServiceMessage("Vulnerable VirtualBox driver loaded");
		}

		//
		// Manipulate kernel variable.
		//
		if (DoWork(hDevice, bDisable)) {
			ShowServiceMessage("Kernel memory patched");
		}
		else {
			ShowServiceMessage("Failed to patch kernel memory");
		}

		//
		// Do basic cleanup.
		//
		ShowServiceMessage("Cleaning up");
		UnloadVulnerableDriver();

		ShowServiceMessage("Finish");

	} while (cond);

	InterlockedDecrement((PLONG)&g_lApplicationInstances);
	ExitProcess(0);
}
Beispiel #30
0
/*
* @implemented
*/
NTSTATUS
NTAPI
RtlVerifyVersionInfo(IN PRTL_OSVERSIONINFOEXW VersionInfo,
                     IN ULONG TypeMask,
                     IN ULONGLONG ConditionMask)
{
    NTSTATUS Status;
    RTL_OSVERSIONINFOEXW ver;
    BOOLEAN Comparison;

    /* FIXME:
        - Check the following special case on Windows (various versions):
          o lp->wSuiteMask == 0 and ver.wSuiteMask != 0 and VER_AND/VER_OR
          o lp->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW)
        - MSDN talks about some tests being impossible. Check what really happens.
     */

    ver.dwOSVersionInfoSize = sizeof(ver);
    Status = RtlGetVersion((PRTL_OSVERSIONINFOW)&ver);
    if (Status != STATUS_SUCCESS) return Status;

    if (!TypeMask || !ConditionMask) return STATUS_INVALID_PARAMETER;

    if (TypeMask & VER_PRODUCT_TYPE)
    {
        Comparison = RtlpVerCompare(ver.wProductType,
                                    VersionInfo->wProductType,
                                    RtlpVerGetCondition(ConditionMask, VER_PRODUCT_TYPE));
        if (!Comparison)
            return STATUS_REVISION_MISMATCH;
    }

    if (TypeMask & VER_SUITENAME)
    {
        switch (RtlpVerGetCondition(ConditionMask, VER_SUITENAME))
        {
            case VER_AND:
                if ((VersionInfo->wSuiteMask & ver.wSuiteMask) != VersionInfo->wSuiteMask)
                {
                    return STATUS_REVISION_MISMATCH;
                }
                break;
            case VER_OR:
                if (!(VersionInfo->wSuiteMask & ver.wSuiteMask) && VersionInfo->wSuiteMask)
                {
                    return STATUS_REVISION_MISMATCH;
                }
                break;
            default:
                return STATUS_INVALID_PARAMETER;
        }
    }

    if (TypeMask & VER_PLATFORMID)
    {
        Comparison = RtlpVerCompare(ver.dwPlatformId,
                                    VersionInfo->dwPlatformId,
                                    RtlpVerGetCondition(ConditionMask, VER_PLATFORMID));
        if (!Comparison)
            return STATUS_REVISION_MISMATCH;
    }

    if (TypeMask & VER_BUILDNUMBER)
    {
        Comparison = RtlpVerCompare(ver.dwBuildNumber,
                                    VersionInfo->dwBuildNumber,
                                    RtlpVerGetCondition(ConditionMask, VER_BUILDNUMBER));
        if (!Comparison)
            return STATUS_REVISION_MISMATCH;
    }

    TypeMask &= VER_MAJORVERSION|VER_MINORVERSION|VER_SERVICEPACKMAJOR|VER_SERVICEPACKMINOR;
    if (TypeMask)
    {
        BOOLEAN do_next_check = TRUE;
        /*
         * Select the leading comparison operator (for example, the comparison
         * operator for VER_MAJORVERSION supersedes the others for VER_MINORVERSION,
         * VER_SERVICEPACKMAJOR and VER_SERVICEPACKMINOR).
         */
        UCHAR Condition = RtlpVerGetCondition(ConditionMask, TypeMask);

        Comparison = TRUE;
        if (TypeMask & VER_MAJORVERSION)
        {
            Comparison = RtlpVerCompare(ver.dwMajorVersion,
                                        VersionInfo->dwMajorVersion,
                                        Condition);
            do_next_check = (ver.dwMajorVersion == VersionInfo->dwMajorVersion) &&
                ((Condition != VER_EQUAL) || Comparison);
        }
        if ((TypeMask & VER_MINORVERSION) && do_next_check)
        {
            Comparison = RtlpVerCompare(ver.dwMinorVersion,
                                        VersionInfo->dwMinorVersion,
                                        Condition);
            do_next_check = (ver.dwMinorVersion == VersionInfo->dwMinorVersion) &&
                ((Condition != VER_EQUAL) || Comparison);
        }
        if ((TypeMask & VER_SERVICEPACKMAJOR) && do_next_check)
        {
            Comparison = RtlpVerCompare(ver.wServicePackMajor,
                                        VersionInfo->wServicePackMajor,
                                        Condition);
            do_next_check = (ver.wServicePackMajor == VersionInfo->wServicePackMajor) &&
                ((Condition != VER_EQUAL) || Comparison);
        }
        if ((TypeMask & VER_SERVICEPACKMINOR) && do_next_check)
        {
            Comparison = RtlpVerCompare(ver.wServicePackMinor,
                                        VersionInfo->wServicePackMinor,
                                        Condition);
        }

        if (!Comparison)
            return STATUS_REVISION_MISMATCH;
    }

    return STATUS_SUCCESS;
}