//
// TODO: Instead of returning TRUE/FALSE, it would be nice to return
// a flag indicating:
// - whether the installation is actually valid;
// - if it's broken or not (aka. needs for repair, or just upgrading).
//
/*
 * Decides whether the directory opened as SystemRootDirectory looks like an
 * NT system root. Required: the System32, System32\drivers and
 * System32\config directories, and a System32\ntdll.dll that is a PE image
 * carrying a vendor string. System32\ntoskrnl.exe is probed as well, but the
 * outcome of that probe is only logged.
 *
 * Returns TRUE when all of the above holds, FALSE otherwise. Note that a
 * vendor string that matches none of KnownVendors is only logged, it does
 * not fail validation.
 */
static BOOLEAN
IsValidNTOSInstallationByHandle(
    IN HANDLE SystemRootDirectory)
{
    /* Directories every NT system root has to contain, relative to the root */
    static const PCWSTR RequiredDirs[] =
    {
        L"System32\\",
        L"System32\\drivers\\",
        L"System32\\config\\",
    };
    UNICODE_STRING Vendor;
    WCHAR VendorBuffer[MAX_PATH];
    PCWSTR Module;
    BOOLEAN IsValidPE;
    USHORT Index;

    /* Check for the existence of \SystemRoot\System32 and its drivers\ and config\ subdirectories */
    for (Index = 0; Index < ARRAYSIZE(RequiredDirs); ++Index)
    {
        if (!DoesPathExist(SystemRootDirectory, RequiredDirs[Index]))
        {
            return FALSE;
        }
    }

#if 0
    /*
     * Check for the existence of SYSTEM and SOFTWARE hives in \SystemRoot\System32\config
     * (but we don't check here whether they are actually valid).
     */
    Module = L"System32\\config\\SYSTEM";
    if (!DoesFileExist(SystemRootDirectory, Module))
    {
        return FALSE;
    }
    Module = L"System32\\config\\SOFTWARE";
    if (!DoesFileExist(SystemRootDirectory, Module))
    {
        return FALSE;
    }
#endif

    RtlInitEmptyUnicodeString(&Vendor, VendorBuffer, sizeof(VendorBuffer));

    /* \SystemRoot\System32\ntoskrnl.exe: must be a PE image with a vendor string */
    Module = L"System32\\ntoskrnl.exe";
    IsValidPE = CheckForValidPEAndVendor(SystemRootDirectory, Module, &Vendor);
    if (IsValidPE)
    {
        /* The kernel gives the OS its flavour */
        for (Index = 0; Index < ARRAYSIZE(KnownVendors); ++Index)
        {
            if (FindSubStrI(Vendor.Buffer, KnownVendors[Index]))
            {
                /* We have found a correct vendor combination */
                DPRINT1("IsValidNTOSInstallation: We've got an NTOS installation from %S !\n", KnownVendors[Index]);
                break;
            }
        }
    }
    else
    {
        /* Not fatal: the verdict is taken from ntdll.dll below */
        DPRINT1("Kernel executable '%S' is either not a PE file, or does not have any vendor?\n", Module);
    }

    /* OPTIONAL: Check for the existence of \SystemRoot\System32\ntkrnlpa.exe */

    /* \SystemRoot\System32\ntdll.dll: must be a PE image with a vendor string; this decides the result */
    Module = L"System32\\ntdll.dll";
    IsValidPE = CheckForValidPEAndVendor(SystemRootDirectory, Module, &Vendor);
    if (!IsValidPE)
    {
        DPRINT1("User-mode DLL '%S' is either not a PE file, or does not have any vendor?\n", Module);
        return FALSE;
    }

    for (Index = 0; Index < ARRAYSIZE(KnownVendors); ++Index)
    {
        if (FindSubStrI(Vendor.Buffer, KnownVendors[Index]))
        {
            /* We have found a correct vendor combination */
            DPRINT1("IsValidNTOSInstallation: The user-mode DLL '%S' is from %S\n", Module, KnownVendors[Index]);
            break;
        }
    }

    /* NOTE(review): an ntdll vendor matching none of KnownVendors is only logged, not rejected */
    return TRUE;
}
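//
// TODO: Instead of returning TRUE/FALSE, it would be nice to return
// a flag indicating:
// - whether the installation is actually valid;
// - if it's broken or not (aka. needs for repair, or just upgrading).
//
/**
 * Decides whether the directory opened as SystemRootDirectory looks like an
 * NT system root. Required: the System32, System32\drivers and
 * System32\config directories, and a System32\ntdll.dll that is a PE image
 * carrying a vendor string. System32\ntoskrnl.exe is probed first; its
 * absence is not fatal (see the comment in the body).
 *
 * @param SystemRootDirectory  Open handle to the candidate system root.
 * @param Machine     Optional. Receives the target architecture reported by
 *                    CheckForValidPEAndVendor for the kernel, or for ntdll.dll
 *                    when the kernel probe failed. Written as soon as one of
 *                    the two probes succeeds, so only meaningful on TRUE.
 * @param VendorName  Optional. Receives the vendor string of the same module
 *                    (RtlCopyUnicodeString truncates to MaximumLength). A NULL
 *                    pointer, a NULL Buffer, or a MaximumLength with no room
 *                    for a terminator means "not requested". Same timing as
 *                    Machine.
 *
 * @return TRUE if the directory layout is present and ntdll.dll is a valid PE
 *         with a vendor string; FALSE otherwise. A vendor string matching
 *         none of KnownVendors is only logged, it does not fail validation.
 */
static BOOLEAN
IsValidNTOSInstallationByHandle(
    IN HANDLE SystemRootDirectory,
    OUT PUSHORT Machine OPTIONAL,
    OUT PUNICODE_STRING VendorName OPTIONAL)
{
    /* Directories every NT system root has to contain, relative to the root */
    static const PCWSTR RequiredDirs[] =
    {
        L"System32\\",
        L"System32\\drivers\\",
        L"System32\\config\\",
    };
    BOOLEAN Success = FALSE;
    PCWSTR PathName;
    USHORT i;
    USHORT LocalMachine = 0;
    UNICODE_STRING LocalVendorName;
    WCHAR VendorNameBuffer[MAX_PATH];

    /*
     * VendorName is OPTIONAL, so it must be tested for NULL before any field
     * is read. A string that cannot hold even a terminator (or has no buffer)
     * is treated as "not requested" as well; a usable one is reset to empty.
     */
    if (VendorName != NULL)
    {
        if (VendorName->Buffer == NULL ||
            VendorName->MaximumLength < sizeof(UNICODE_NULL))
        {
            /* Don't use it, invalidate the pointer */
            VendorName = NULL;
        }
        else
        {
            /* Zero it out */
            *VendorName->Buffer = UNICODE_NULL;
            VendorName->Length = 0;
        }
    }

    /* Check for the existence of \SystemRoot\System32 and its drivers\ and config\ subdirectories */
    for (i = 0; i < ARRAYSIZE(RequiredDirs); ++i)
    {
        if (!DoesDirExist(SystemRootDirectory, RequiredDirs[i]))
        {
            return FALSE;
        }
    }

#if 0
    /*
     * Check for the existence of SYSTEM and SOFTWARE hives in \SystemRoot\System32\config
     * (but we don't check here whether they are actually valid).
     */
    PathName = L"System32\\config\\SYSTEM";
    if (!DoesFileExist(SystemRootDirectory, PathName))
    {
        return FALSE;
    }
    PathName = L"System32\\config\\SOFTWARE";
    if (!DoesFileExist(SystemRootDirectory, PathName))
    {
        return FALSE;
    }
#endif

    RtlInitEmptyUnicodeString(&LocalVendorName, VendorNameBuffer, sizeof(VendorNameBuffer));

    /* Check for the existence of \SystemRoot\System32\ntoskrnl.exe and retrieve its vendor name */
    PathName = L"System32\\ntoskrnl.exe";
    Success = CheckForValidPEAndVendor(SystemRootDirectory, PathName, &LocalMachine, &LocalVendorName);
    if (!Success)
        DPRINT1("Kernel executable '%S' is either not a PE file, or does not have any vendor?\n", PathName);

    /*
     * The kernel gives the OS its flavour. If we failed due to the absence of
     * ntoskrnl.exe this might be due to the fact this particular installation
     * uses a custom kernel that has a different name, overridden in the boot
     * parameters. We then rely on the existence of ntdll.dll, which cannot be
     * renamed on a valid NT system.
     */
    if (Success)
    {
        for (i = 0; i < ARRAYSIZE(KnownVendors); ++i)
        {
            if (FindSubStrI(LocalVendorName.Buffer, KnownVendors[i]))
            {
                /* We have found a correct vendor combination */
                DPRINT("IsValidNTOSInstallation: We've got an NTOS installation from %S !\n", KnownVendors[i]);
                break;
            }
        }

        /* Return the target architecture */
        if (Machine)
        {
            /* Copy the value and invalidate the pointer so ntdll.dll does not overwrite it */
            *Machine = LocalMachine;
            Machine = NULL;
        }

        /* Return the vendor name */
        if (VendorName)
        {
            /* Copy the string and invalidate the pointer so ntdll.dll does not overwrite it */
            RtlCopyUnicodeString(VendorName, &LocalVendorName);
            VendorName = NULL;
        }
    }

    /* OPTIONAL: Check for the existence of \SystemRoot\System32\ntkrnlpa.exe */

    /* Check for the existence of \SystemRoot\System32\ntdll.dll and retrieve its vendor name; this decides the result */
    PathName = L"System32\\ntdll.dll";
    Success = CheckForValidPEAndVendor(SystemRootDirectory, PathName, &LocalMachine, &LocalVendorName);
    if (!Success)
    {
        DPRINT1("User-mode DLL '%S' is either not a PE file, or does not have any vendor?\n", PathName);
        return FALSE;
    }

    for (i = 0; i < ARRAYSIZE(KnownVendors); ++i)
    {
        if (FindSubStrI(LocalVendorName.Buffer, KnownVendors[i]))
        {
            /* We have found a correct vendor combination */
            DPRINT("IsValidNTOSInstallation: The user-mode DLL '%S' is from %S\n", PathName, KnownVendors[i]);
            break;
        }
    }
    /* NOTE(review): an ntdll vendor matching none of KnownVendors is only logged, not rejected */

    /* Return the target architecture if not already obtained from the kernel */
    if (Machine)
    {
        *Machine = LocalMachine;
        Machine = NULL;
    }

    /* Return the vendor name if not already obtained from the kernel */
    if (VendorName)
    {
        RtlCopyUnicodeString(VendorName, &LocalVendorName);
        VendorName = NULL;
    }

    return TRUE;
}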