NTSTATUS KphDynamicDataInitialization(
VOID
)
{
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
// Get Windows version information.
KphDynOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphDynOsVersionInfo);
if (!NT_SUCCESS(status))
return status;
// Dynamic data should be read from the registry, but we use the fallback
// function here if needed.
if (KphDynNtVersion == 0)
{
#ifdef _X86_
KphpX86DataInitialization();
#else
KphpAmd64DataInitialization();
#endif
}
return status;
}
/***********************************************************************
* GetVersionExA (KERNEL32.@)
*/
BOOL WINAPI GetVersionExA(OSVERSIONINFOA *v)
{
RTL_OSVERSIONINFOEXW infoW;
if (v->dwOSVersionInfoSize != sizeof(OSVERSIONINFOA) &&
v->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXA))
{
WARN("wrong OSVERSIONINFO size from app (got: %d)\n",
v->dwOSVersionInfoSize );
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return FALSE;
}
infoW.dwOSVersionInfoSize = sizeof(infoW);
if (RtlGetVersion( &infoW ) != STATUS_SUCCESS) return FALSE;
v->dwMajorVersion = infoW.dwMajorVersion;
v->dwMinorVersion = infoW.dwMinorVersion;
v->dwBuildNumber = infoW.dwBuildNumber;
v->dwPlatformId = infoW.dwPlatformId;
WideCharToMultiByte( CP_ACP, 0, infoW.szCSDVersion, -1,
v->szCSDVersion, sizeof(v->szCSDVersion), NULL, NULL );
if(v->dwOSVersionInfoSize == sizeof(OSVERSIONINFOEXA))
{
LPOSVERSIONINFOEXA vex = (LPOSVERSIONINFOEXA) v;
vex->wServicePackMajor = infoW.wServicePackMajor;
vex->wServicePackMinor = infoW.wServicePackMinor;
vex->wSuiteMask = infoW.wSuiteMask;
vex->wProductType = infoW.wProductType;
}
return TRUE;
}
/*
* @implemented
*/
BOOL
WINAPI
GetVersionExW(IN LPOSVERSIONINFOW lpVersionInformation)
{
NTSTATUS Status;
LPOSVERSIONINFOEXW lpVersionInformationEx;
if ((lpVersionInformation->dwOSVersionInfoSize != sizeof(OSVERSIONINFOW)) &&
(lpVersionInformation->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW)))
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return FALSE;
}
Status = RtlGetVersion((PRTL_OSVERSIONINFOW)lpVersionInformation);
if (Status == STATUS_SUCCESS)
{
if (lpVersionInformation->dwOSVersionInfoSize == sizeof(OSVERSIONINFOEXW))
{
lpVersionInformationEx = (PVOID)lpVersionInformation;
lpVersionInformationEx->wReserved = 0;
}
return TRUE;
}
return FALSE;
}
gboolean
wing_get_version_number (gint *major,
gint *minor)
{
typedef NTSTATUS (WINAPI fRtlGetVersion) (PRTL_OSVERSIONINFOEXW);
OSVERSIONINFOEXW osverinfo;
fRtlGetVersion *RtlGetVersion;
HMODULE hmodule;
hmodule = LoadLibraryW (L"ntdll.dll");
g_return_val_if_fail (hmodule != NULL, FALSE);
RtlGetVersion = (fRtlGetVersion *)GetProcAddress (hmodule, "RtlGetVersion");
g_return_val_if_fail (RtlGetVersion != NULL, FALSE);
memset (&osverinfo, 0, sizeof (OSVERSIONINFOEXW));
osverinfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
RtlGetVersion (&osverinfo);
FreeLibrary (hmodule);
*major = osverinfo.dwMajorVersion;
*minor = osverinfo.dwMinorVersion;
return TRUE;
}
/*
* WinObjInitGlobals
*
* Purpose:
*
* Initialize global variables.
*
*/
BOOL WinObjInitGlobals()
{
SIZE_T cch;
BOOL bResult = FALSE, bCond = FALSE;
do {
RtlSecureZeroMemory(&g_WinObj, sizeof(g_WinObj));
//
// Query version info.
//
g_WinObj.osver.dwOSVersionInfoSize = sizeof(g_WinObj.osver);
RtlGetVersion(&g_WinObj.osver);
//
// Remember hInstance.
//
g_WinObj.hInstance = GetModuleHandle(NULL);
//
// Create dedicated heap.
//
g_WinObj.Heap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
if (g_WinObj.Heap == NULL)
break;
RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);
RtlInitializeCriticalSection(&g_WinObj.Lock);
//
// Remember %TEMP% directory.
//
cch = ExpandEnvironmentStrings(L"%temp%", g_WinObj.szTempDirectory, MAX_PATH);
if ((cch == 0) || (cch > MAX_PATH))
break;
//
// Remember Windows directory.
//
if (!GetWindowsDirectory(g_WinObj.szWindowsDirectory, MAX_PATH))
break;
//
// Remember System32 directory.
//
if (!GetSystemDirectory(g_WinObj.szSystemDirectory, MAX_PATH))
break;
bResult = TRUE;
} while (bCond);
if (bResult == FALSE) {
if (g_WinObj.Heap)
RtlDestroyHeap(g_WinObj.Heap);
}
return bResult;
}
/***********************************************************************
* GetVersionExW (KERNEL32.@)
*/
BOOL WINAPI GetVersionExW( OSVERSIONINFOW *info )
{
if (info->dwOSVersionInfoSize != sizeof(OSVERSIONINFOW) &&
info->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW))
{
WARN("wrong OSVERSIONINFO size from app (got: %d)\n",
info->dwOSVersionInfoSize);
return FALSE;
}
return (RtlGetVersion( (RTL_OSVERSIONINFOEXW *)info ) == STATUS_SUCCESS);
}
PVOID GetAcpiHandle(PVOID in_pdo)
{
//KdPrint(("GetAcpiHandle Input:0x%X\n",in_pdo));
PVOID pvRet=0;
PVOID temp;
RTL_OSVERSIONINFOW osvx={0};
osvx.dwOSVersionInfoSize=sizeof(RTL_OSVERSIONINFOW);
RtlGetVersion(&osvx);
temp = ((PDEVICE_OBJECT)in_pdo)->DeviceObjectExtension->DeviceObject->DeviceExtension;
pvRet = *((PVOID *)((ULONG_PTR)temp + g_ulACPIHandleOffset));
if((osvx.dwMajorVersion == 6 && osvx.dwMinorVersion == 3) || osvx.dwMajorVersion == 10)
{
pvRet = *((PVOID*)pvRet);
}
return pvRet;
/*__asm
{
push eax
push ebx
push ecx
push edx
mov ecx,temp
mov edx,g_ulACPIHandleOffset
add ecx,edx
mov ebx,[ecx]
mov pvRet,ebx
pop edx
pop ecx
pop ebx
pop eax
}*/
/*__asm
{
push eax
push ebx
push ecx
push edx
mov ecx,in_pdo
mov ecx,[ecx+0xb0]
mov ecx,[ecx+4]
mov ecx,[ecx+0x28]
mov edx,g_ulACPIHandleOffset
add ecx,edx
mov ebx,[ecx]
mov pvRet,ebx
pop edx
pop ecx
pop ebx
pop eax
}*/
//KdPrint(("GetAcpiHandle Returns:0x%X\n",pvRet));
return pvRet;
}
ULONG GetOsVersion()
{
ULONG ulOsVersion;
RTL_OSVERSIONINFOW OsVersionInfo;
PAGED_CODE();
OsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
if (!NT_SUCCESS(RtlGetVersion(&OsVersionInfo)))
return OS_VERSION_ERROR;
switch (OsVersionInfo.dwBuildNumber) {
case 2195:
ulOsVersion = OS_VERSION_2000;
break;
case 2600:
ulOsVersion = OS_VERSION_XP;
break;
case 3790:
ulOsVersion = OS_VERSION_SERVER_2003;
break;
case 6000:
ulOsVersion = OS_VERSION_VISTA;
break;
case 6001:
ulOsVersion = OS_VERSION_VISTA_SP1;
break;
case 6002:
ulOsVersion = OS_VERSION_VISTA_SP2;
break;
case 7600:
ulOsVersion = OS_VERSION_WIN7;
break;
case 7601:
ulOsVersion = OS_VERSION_WIN7_SP1;
break;
default:
ulOsVersion = OS_VERSION_ERROR;
}
return ulOsVersion;
}
static FORCEINLINE
__SystemGetVersionInformation(
VOID
)
{
RTL_OSVERSIONINFOEXW VersionInformation;
ULONG Bit;
ASSERT3U(KeGetCurrentIrql(), ==, PASSIVE_LEVEL);
RtlZeroMemory(&VersionInformation, sizeof (RTL_OSVERSIONINFOEXW));
VersionInformation.dwOSVersionInfoSize = sizeof (RTL_OSVERSIONINFOEXW);
RtlGetVersion((PRTL_OSVERSIONINFOW)&VersionInformation);
#if defined(__i386__)
Info("KERNEL: %d.%d (BUILD %d) PLATFORM %s\n",
VersionInformation.dwMajorVersion,
VersionInformation.dwMinorVersion,
VersionInformation.dwBuildNumber,
__PlatformIdName(VersionInformation.dwPlatformId));
#elif defined(__x86_64__)
Info("KERNEL: %d.%d (BUILD %d) PLATFORM %s (x64)\n",
VersionInformation.dwMajorVersion,
VersionInformation.dwMinorVersion,
VersionInformation.dwBuildNumber,
__PlatformIdName(VersionInformation.dwPlatformId));
#else
#error 'Unrecognised architecture'
#endif
if (VersionInformation.wServicePackMajor != 0 ||
VersionInformation.wServicePackMinor != 0)
Info("SP: %d.%d (%s)\n",
VersionInformation.wServicePackMajor,
VersionInformation.wServicePackMinor,
VersionInformation.szCSDVersion);
Info("SUITES:\n");
Bit = 0;
while (VersionInformation.wSuiteMask != 0) {
if (VersionInformation.wSuiteMask & 0x0001)
Info("- %s\n", __SuiteName(Bit));
VersionInformation.wSuiteMask >>= 1;
Bit++;
}
Info("TYPE: %s\n", __ProductTypeName(VersionInformation.wProductType));
}
NTSTATUS KphDynamicDataInitialization(
VOID
)
{
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
// Get Windows version information.
KphDynOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphDynOsVersionInfo);
return status;
}
int main()
{
RTLGETVERSION RtlGetVersion=(RTLGETVERSION)GetProcAddress(GetModuleHandleA("ntdll.dll"),"RtlGetVersion");
OSVERSIONINFO osv1={0},osv2={0};
//way 1
osv1.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
GetVersionEx(&osv1);
printf("Get Build Number by GetVersionEx: %ld\n",osv1.dwBuildNumber);
//way 2
osv2.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
RtlGetVersion(&osv2);
printf("Get Build Number by RtlGetVersion: %ld\n",osv2.dwBuildNumber);
//show info
getchar();
return 0;
}
//
// e.g. WinXP SP2 : 0x05010200
//
inline ULONG GetOsVersion()
{
RTL_OSVERSIONINFOW ver_info = {};
ver_info.dwOSVersionInfoSize = sizeof(ver_info);
auto status = RtlGetVersion(&ver_info);
Assert(NT_SUCCESS(status));
auto ver = ver_info.dwMajorVersion << 24 | ver_info.dwMinorVersion << 16;
if (0 == ver_info.szCSDVersion[0])
{
return ver;
}
if (Equals(ver_info.szCSDVersion, L"Service Pack 1", false))
{
return ver |= 0x0100;
}
if (Equals(ver_info.szCSDVersion, L"Service Pack 2", false))
{
return ver |= 0x0200;
}
if (Equals(ver_info.szCSDVersion, L"Service Pack 3", false))
{
return ver |= 0x0300;
}
if (Equals(ver_info.szCSDVersion, L"Service Pack 4", false))
{
return ver |= 0x0400;
}
if (Equals(ver_info.szCSDVersion, L"Service Pack 5", false))
{
return ver |= 0x0500;
}
if (Equals(ver_info.szCSDVersion, L"Service Pack 6", false))
{
return ver |= 0x0600;
}
return ver;
}
/***********************************************************************
* GetVersion (KERNEL.3)
*/
DWORD WINAPI GetVersion16(void)
{
static WORD dosver, winver;
if (!dosver) /* not determined yet */
{
RTL_OSVERSIONINFOEXW info;
info.dwOSVersionInfoSize = sizeof(info);
if (RtlGetVersion( &info )) return 0;
if (info.dwMajorVersion <= 3)
winver = MAKEWORD( info.dwMajorVersion, info.dwMinorVersion );
else
winver = MAKEWORD( 3, 95 );
switch(info.dwPlatformId)
{
case VER_PLATFORM_WIN32s:
switch(MAKELONG( info.dwMinorVersion, info.dwMajorVersion ))
{
case 0x0200:
dosver = 0x0303; /* DOS 3.3 for Windows 2.0 */
break;
case 0x0300:
dosver = 0x0500; /* DOS 5.0 for Windows 3.0 */
break;
default:
dosver = 0x0616; /* DOS 6.22 for Windows 3.1 and later */
break;
}
break;
case VER_PLATFORM_WIN32_WINDOWS:
/* DOS 8.0 for WinME, 7.0 for Win95/98 */
if (info.dwMinorVersion >= 90) dosver = 0x0800;
else dosver = 0x0700;
break;
case VER_PLATFORM_WIN32_NT:
dosver = 0x0500; /* always DOS 5.0 for NT */
break;
}
TRACE( "DOS %d.%02d Win %d.%02d\n",
HIBYTE(dosver), LOBYTE(dosver), LOBYTE(winver), HIBYTE(winver) );
}
return MAKELONG( winver, dosver );
}
VOID
XenPci_PatchKernel(PXENPCI_DEVICE_DATA xpdd, PVOID base, ULONG length) {
patch_info_t patch_info;
#if (NTDDI_VERSION >= NTDDI_WINXP)
RTL_OSVERSIONINFOEXW version_info;
#endif
FUNCTION_ENTER();
/* if we're compiled for 2000 then assume we need patching */
#if (NTDDI_VERSION >= NTDDI_WINXP)
version_info.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
RtlGetVersion((PRTL_OSVERSIONINFOW)&version_info);
if (version_info.dwMajorVersion >= 6) {
FUNCTION_MSG("Vista or newer - no need for patch\n");
return;
}
if (version_info.dwMajorVersion == 5
&& version_info.dwMinorVersion > 2) {
FUNCTION_MSG("Windows 2003 sp2 or newer - no need for patch\n");
return;
}
if (version_info.dwMajorVersion == 5
&& version_info.dwMinorVersion == 2
&& version_info.wServicePackMajor >= 2) {
FUNCTION_MSG("Windows 2003 sp2 or newer - no need for patch\n");
return;
}
#endif
if (IsMoveCr8Supported()) {
FUNCTION_MSG("Using LOCK MOVE CR0 TPR patch\n");
patch_method = PATCH_METHOD_LOCK_MOVE_CR0;
} else {
FUNCTION_MSG("Using cached TPR patch\n");
patch_method = PATCH_METHOD_CACHED_TPR;
}
patch_info.base = base;
patch_info.length = length;
XenPci_HighSync(XenPci_DoPatchKernel0, XenPci_DoPatchKernelN, &patch_info);
xpdd->removable = FALSE;
FUNCTION_EXIT();
}
// Test if the system is one of supported OS versions
_Use_decl_annotations_ bool DriverpIsSuppoetedOS() {
PAGED_CODE();
RTL_OSVERSIONINFOW os_version = {};
auto status = RtlGetVersion(&os_version);
if (!NT_SUCCESS(status)) {
return false;
}
if (os_version.dwMajorVersion != 6 && os_version.dwMajorVersion != 10) {
return false;
}
// 4-gigabyte tuning (4GT) should not be enabled
if (!IsX64() &&
reinterpret_cast<ULONG_PTR>(MmSystemRangeStart) != 0x80000000) {
return false;
}
return true;
}
/*
* ucmInit
*
* Purpose:
*
* Prestart phase.
*
*/
UINT ucmInit(
VOID
)
{
//fill common data block
RtlSecureZeroMemory(&g_ldp, sizeof(g_ldp));
//remember dll handles
g_ldp.hKernel32 = GetModuleHandleW(L"kernel32.dll");
if (g_ldp.hKernel32 == NULL) {
return ERROR_INVALID_HANDLE;
}
g_ldp.hOle32 = GetModuleHandleW(L"ole32.dll");
if (g_ldp.hOle32 == NULL) {
g_ldp.hOle32 = LoadLibraryW(L"ole32.dll");
if (g_ldp.hOle32 == NULL) {
return ERROR_INVALID_HANDLE;
}
}
g_ldp.hShell32 = GetModuleHandleW(L"shell32.dll");
if (g_ldp.hShell32 == NULL) {
g_ldp.hShell32 = LoadLibraryW(L"shell32.dll");
if (g_ldp.hShell32 == NULL) {
return ERROR_INVALID_HANDLE;
}
}
//query basic directories
if (GetSystemDirectoryW(g_ldp.szSystemDirectory, MAX_PATH) == 0) {
return ERROR_INVALID_DATA;
}
//query build number
RtlSecureZeroMemory(&g_ldp.osver, sizeof(g_ldp.osver));
g_ldp.osver.dwOSVersionInfoSize = sizeof(g_ldp.osver);
if (!NT_SUCCESS(RtlGetVersion(&g_ldp.osver))) {
return ERROR_INVALID_ACCESS;
}
g_ldp.IsWow64 = supIsProcess32bit(GetCurrentProcess());
return ERROR_SUCCESS;
}
// Initializes GuardMon components
_Use_decl_annotations_ NTSTATUS GMonInitialization() {
PAGED_CODE();
GMonpDemoStl();
g_gmonp_ExAcquireResourceSharedLite =
UtilGetSystemProcAddress(L"ExAcquireResourceSharedLite");
if (!g_gmonp_ExAcquireResourceSharedLite) {
return STATUS_PROCEDURE_NOT_FOUND;
}
RTL_OSVERSIONINFOW os_version = {};
auto status = RtlGetVersion(&os_version);
if (!NT_SUCCESS(status)) {
return status;
}
if (os_version.dwMajorVersion == 10 && os_version.dwMinorVersion == 0) {
g_pgmon_IsWindows10 = true;
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
NTSTATUS ntStatus;
UNICODE_STRING uszDriverString;
UNICODE_STRING uszDeviceString;
UNICODE_STRING uszProcessEventString;
PDEVICE_OBJECT pDeviceObject;
PDEVICE_EXTENSION extension;
HANDLE hProcessHandle;
RTL_OSVERSIONINFOW version;
RtlInitUnicodeString(&uszDriverString, L"\\Device\\hookdetect");
ntStatus = IoCreateDevice(DriverObject,sizeof(DEVICE_EXTENSION),&uszDriverString,FILE_DEVICE_UNKNOWN,0,FALSE,&pDeviceObject);
if(ntStatus != STATUS_SUCCESS)
return ntStatus;
extension = pDeviceObject->DeviceExtension;
RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\hookdetect");
ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(ntStatus != STATUS_SUCCESS){
IoDeleteDevice(pDeviceObject);
return ntStatus;
}
g_pDeviceObject = pDeviceObject;
DriverObject->DriverUnload = UnloadDriver;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
version.dwOSVersionInfoSize = sizeof(version);
RtlGetVersion(&version);
if (((version.dwMajorVersion << 8) | version.dwMinorVersion) >= 0x0601) {
g_win7 = 1;
} else {
g_win7 = 0;
}
return ntStatus;
}
/*
* DetectSystemInfo
*
* Purpose:
*
* Remember system version and system info to global variables.
*
*/
VOID DetectSystemInfo(
VOID
)
{
NTSTATUS Status;
g_IsWin64 = supIs64BitWindows(&g_IsWow64);
if (g_IsWow64) {
GetNativeSystemInfo(&g_siSysInfo);
}
else {
GetSystemInfo(&g_siSysInfo);
}
RtlSecureZeroMemory(&g_osver, sizeof(g_osver));
g_osver.dwOSVersionInfoSize = sizeof(g_osver);
Status = RtlGetVersion(&g_osver);
if (NT_SUCCESS(Status)) {
if (g_osver.dwMajorVersion < 6) {
supEnablePrivilege(SE_DEBUG_PRIVILEGE, TRUE);
}
}
}
ULONG GetOsVersion()
/*++
Routine Description:
Gets OS Version
Arguments:
None.
Return Value:
returns OS Version.
Author:
xiaonie
2012/07/12
--*/
{
ULONG ulOsVersion;
RTL_OSVERSIONINFOW OsVersionInfo;
OsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
if (!NT_SUCCESS(RtlGetVersion(&OsVersionInfo)))
return OS_VERSION_ERROR;
switch (OsVersionInfo.dwBuildNumber) {
case 2195:
ulOsVersion = OS_VERSION_2000;
break;
case 2600:
ulOsVersion = OS_VERSION_XP;
break;
case 3790:
ulOsVersion = OS_VERSION_SERVER_2003;
break;
case 6000:
ulOsVersion = OS_VERSION_VISTA;
break;
case 6001:
ulOsVersion = OS_VERSION_VISTA_SP1;
break;
case 6002:
ulOsVersion = OS_VERSION_VISTA_SP2;
break;
case 7600:
ulOsVersion = OS_VERSION_WIN7;
break;
case 7601:
ulOsVersion = OS_VERSION_WIN7_SP1;
break;
default:
ulOsVersion = OS_VERSION_ERROR;
}
return ulOsVersion;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Description : initializes the driver and the filter port, registers driver and registry callbacks.
//
// Parameters :
// _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver.
// _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver
// was stored.
// Return value :
// NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed
// Process :
// Defines hidden / blocked processes names.
// Creates the device driver and its symbolic link.
// Sets IRP callbacks.
// Creates filter communication port to send logs from the driver to the userland process.
// Creates logs mutex.
// Register image load and registry callbacks.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
PVOID adrFunc;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING usDriverName;
UNICODE_STRING filterPortName;
UNICODE_STRING function;
OBJECT_ATTRIBUTES objAttr;
RTL_OSVERSIONINFOW osInfo;
PSECURITY_DESCRIPTOR securityDescriptor;
NTSTATUS status;
ULONG i;
// import some functions we will need
RtlInitUnicodeString(&function, L"ZwQueryInformationThread");
ZwQueryInformationThread = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQuerySystemInformation");
ZwQuerySystemInformation = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT");
status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
if(!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
if(!NT_SUCCESS(status))
return status;
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = ioctl_NotSupported;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl;
monitored_process_list = NULL;
hidden_process_list = NULL;
monitored_handle_list = NULL;
// initialize every function pointers to null
oldNtMapViewOfSection = NULL;
oldNtSetContextThread = NULL;
oldNtCreateThread = NULL;
oldNtQueueApcThread = NULL;
oldNtCreateProcess = NULL;
oldNtSystemDebugControl = NULL;
oldNtCreateProcessEx = NULL;
oldNtWriteVirtualMemory = NULL;
oldNtDebugActiveProcess = NULL;
oldNtOpenProcess = NULL;
oldNtOpenThread = NULL;
oldNtQuerySystemInformation = NULL;
oldNtCreateFile = NULL;
oldNtReadFile = NULL;
oldNtWriteFile = NULL;
oldNtDeleteFile = NULL;
oldNtSetInformationFile = NULL;
oldNtQueryInformationFile = NULL;
oldNtCreateMutant = NULL;
oldNtDeviceIoControlFile = NULL;
oldNtTerminateProcess = NULL;
oldNtDelayExecution = NULL;
oldNtQueryValueKey = NULL;
oldNtQueryAttributesFile = NULL;
oldNtReadVirtualMemory = NULL;
oldNtResumeThread = NULL;
oldNtCreateSection = NULL;
oldNtUserCallOneParam = NULL;
oldNtUserCallNoParam = NULL;
oldNtClose = NULL;
oldNtOpenFile = NULL;
#ifdef DEBUG
DbgPrint("IOCTL_CUCKOO_PATH : 0x%08x\n", IOCTL_CUCKOO_PATH);
#endif
// get os version
if(!NT_SUCCESS(RtlGetVersion(&osInfo)))
return status;
// check os version
if(osInfo.dwMajorVersion == 5 && osInfo.dwMinorVersion == 1) // xp 32 bits
{
is_xp = 1;
#ifdef DEBUG
DbgPrint("windows xp !\n");
#endif
}
else if(osInfo.dwMajorVersion == 6 && osInfo.dwMinorVersion == 1) // win 7
{
is_xp = 0;
#ifdef DEBUG
DbgPrint("windows 7!\n");
#endif
}
else
{
#ifdef DEBUG
DbgPrint("error : not supported os\n");
#endif
return -1;
}
status = FltRegisterFilter(pDriverObject,®istration,&filter);
if(!NT_SUCCESS(status))
return status;
RtlInitUnicodeString(&filterPortName, L"\\FilterPort");
status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS);
if(!NT_SUCCESS(status))
return status;
InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor);
status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1);
FltFreeSecurityDescriptor(securityDescriptor);
if(!NT_SUCCESS(status))
return status;
KeInitializeMutex(&mutex, 0);
status = CmRegisterCallback(regCallback, NULL, &cookie);
if(!NT_SUCCESS(status))
return status;
status = PsSetLoadImageNotifyRoutine(imageCallback);
if(!NT_SUCCESS(status))
return status;
KeServiceDescriptorTableShadow = getShadowTableAddress();
if(!KeServiceDescriptorTableShadow)
{
#ifdef DEBUG
DbgPrint("error : couldn't retrieve Shadow SSDT\n");
#endif
return STATUS_UNSUCCESSFUL;
}
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
static VOID PhInitializeWindowsVersion(
VOID
)
{
RTL_OSVERSIONINFOEXW versionInfo;
ULONG majorVersion;
ULONG minorVersion;
versionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&versionInfo)))
{
WindowsVersion = WINDOWS_NEW;
return;
}
memcpy(&PhOsVersion, &versionInfo, sizeof(RTL_OSVERSIONINFOEXW));
majorVersion = versionInfo.dwMajorVersion;
minorVersion = versionInfo.dwMinorVersion;
if (majorVersion == 5 && minorVersion < 1 || majorVersion < 5)
{
WindowsVersion = WINDOWS_ANCIENT;
}
/* Windows XP */
else if (majorVersion == 5 && minorVersion == 1)
{
WindowsVersion = WINDOWS_XP;
}
/* Windows Server 2003 */
else if (majorVersion == 5 && minorVersion == 2)
{
WindowsVersion = WINDOWS_SERVER_2003;
}
/* Windows Vista, Windows Server 2008 */
else if (majorVersion == 6 && minorVersion == 0)
{
WindowsVersion = WINDOWS_VISTA;
}
/* Windows 7, Windows Server 2008 R2 */
else if (majorVersion == 6 && minorVersion == 1)
{
WindowsVersion = WINDOWS_7;
}
/* Windows 8 */
else if (majorVersion == 6 && minorVersion == 2)
{
WindowsVersion = WINDOWS_8;
}
/* Windows 8.1 */
else if (majorVersion == 6 && minorVersion == 3)
{
WindowsVersion = WINDOWS_8_1;
}
/* Windows 10 */
else if (majorVersion == 10 && minorVersion == 0)
{
WindowsVersion = WINDOWS_10;
}
else if (majorVersion == 10 && minorVersion > 0 || majorVersion > 10)
{
WindowsVersion = WINDOWS_NEW;
}
if (WINDOWS_HAS_LIMITED_ACCESS)
{
ProcessQueryAccess = PROCESS_QUERY_LIMITED_INFORMATION;
ProcessAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1fff;
ThreadQueryAccess = THREAD_QUERY_LIMITED_INFORMATION;
ThreadSetAccess = THREAD_SET_LIMITED_INFORMATION;
ThreadAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff;
}
else
{
ProcessQueryAccess = PROCESS_QUERY_INFORMATION;
ProcessAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff;
ThreadQueryAccess = THREAD_QUERY_INFORMATION;
ThreadSetAccess = THREAD_SET_INFORMATION;
ThreadAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff;
}
}
/// <summary>
/// Initialize dynamic data.
/// </summary>
/// <param name="pData">Data to initialize</param>
/// <returns>Status code</returns>
NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
{
NTSTATUS status = STATUS_SUCCESS;
RTL_OSVERSIONINFOEXW verInfo = { 0 };
ULONG buildNo = 0;
if (pData == NULL)
return STATUS_INVALID_ADDRESS;
RtlZeroMemory( pData, sizeof( DYNAMIC_DATA ) );
verInfo.dwOSVersionInfoSize = sizeof( verInfo );
status = RtlGetVersion( (PRTL_OSVERSIONINFOW)&verInfo );
if (status == STATUS_SUCCESS)
{
ULONG ver_short = (verInfo.dwMajorVersion << 8) | (verInfo.dwMinorVersion << 4) | verInfo.wServicePackMajor;
pData->ver = (WinVer)ver_short;
// Get kernel build number
status = BBGetBuildNO( &buildNo );
// Validate current driver version
pData->correctBuild = TRUE;
#if defined(_WIN7_)
if (ver_short != WINVER_7 && ver_short != WINVER_7_SP1)
return STATUS_NOT_SUPPORTED;
if(ver_short == WINVER_7_SP1 && buildNo != 18700)
pData->correctBuild = FALSE;
#elif defined(_WIN8_)
if (ver_short != WINVER_8)
return STATUS_NOT_SUPPORTED;
#elif defined (_WIN81_)
if (ver_short != WINVER_81)
return STATUS_NOT_SUPPORTED;
if (buildNo != 17328)
pData->correctBuild = FALSE;
#elif defined (_WIN10_)
if (ver_short != WINVER_10)
return STATUS_NOT_SUPPORTED;
if (verInfo.dwBuildNumber != 9926)
pData->correctBuild = FALSE;
#endif
DPRINT(
"BlackBone: OS version %d.%d.%d.%d.%d.%d - 0x%x\n",
verInfo.dwMajorVersion,
verInfo.dwMinorVersion,
verInfo.dwBuildNumber,
verInfo.wServicePackMajor,
verInfo.wServicePackMinor,
buildNo,
ver_short
);
switch (ver_short)
{
// Windows 7
// Windows 7 SP1, build 18700
case WINVER_7:
case WINVER_7_SP1:
pData->KExecOpt = 0x0D2;
pData->Protection = 0x43C; // Bitfield, bit index - 0xB
pData->ObjTable = 0x200;
pData->VadRoot = 0x448;
pData->NtProtectIndex = 0x04D;
pData->NtCreateThdIndex = 0x0A5;
pData->NtTermThdIndex = 0x50;
pData->PrevMode = 0x1F6;
pData->ExitStatus = 0x380;
pData->MiAllocPage = (ver_short == WINVER_7_SP1) ? 0x410D70 : 0x40A9C0;
pData->ExRemoveTable = (ver_short == WINVER_7_SP1) ? 0x330048 : 0x32D404;
break;
// Windows 8
case WINVER_8:
pData->KExecOpt = 0x1B7;
pData->Protection = 0x648;
pData->ObjTable = 0x408;
pData->VadRoot = 0x590;
pData->NtProtectIndex = 0x04E;
pData->NtCreateThdIndex = 0x0AF;
pData->NtTermThdIndex = 0x51;
pData->PrevMode = 0x232;
pData->ExitStatus = 0x450;
pData->MiAllocPage = 0x3AF374;
pData->ExRemoveTable = 0x487518;
break;
// Windows 8.1, build 17328
case WINVER_81:
pData->KExecOpt = 0x1B7;
pData->Protection = 0x67A;
pData->ObjTable = 0x408;
pData->VadRoot = 0x5D8;
pData->NtCreateThdIndex = 0xB0;
pData->NtTermThdIndex = 0x52;
pData->PrevMode = 0x232;
pData->ExitStatus = 0x6D8;
pData->MiAllocPage = 0;
pData->ExRemoveTable = 0x432A88; // 0x38E320;
break;
// Windows 10, technical preview, build 9926
case WINVER_10:
pData->KExecOpt = 0x1BF;
pData->Protection = 0x69A;
pData->ObjTable = 0x418;
pData->VadRoot = 0x5F8;
pData->NtCreateThdIndex = 0xB2;
pData->NtTermThdIndex = 0x53;
pData->PrevMode = 0x232;
pData->ExitStatus = 0x6E0;
pData->MiAllocPage = 0;
pData->ExRemoveTable = 0x4645B0;
break;
default:
break;
}
return (pData->VadRoot != 0 ? status : STATUS_INVALID_KERNEL_INFO_VERSION);
}
return status;
}
/*
* ldrMain
*
* Purpose:
*
* Program entry point.
*
*/
void ldrMain(
VOID
)
{
BOOL cond = FALSE;
LONG x;
ULONG l = 0, dwCmd;
HANDLE hDevice;
PVOID DataBuffer;
BOOL bConDisabled, bUsbMonDisabled;
WCHAR cmdLineParam[MAX_PATH + 1];
WCHAR szDriverBuffer[MAX_PATH * 2];
__security_init_cookie();
bConDisabled = FALSE;
bUsbMonDisabled = FALSE;
DataBuffer = NULL;
hDevice = NULL;
dwCmd = 0;
do {
//
// Check OS version.
//
RtlSecureZeroMemory(&g_osv, sizeof(g_osv));
g_osv.dwOSVersionInfoSize = sizeof(g_osv);
RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv);
//
// We support only Vista based OS.
//
if (g_osv.dwMajorVersion < 6) {
MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."),
T_PROGRAMTITLE, MB_ICONINFORMATION);
break;
}
//
// Check number of instances running.
//
x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) {
break;
}
//
// Check if any VBox instances are running, they must be closed before our usage.
//
if (supProcessExist(L"VirtualBox.exe")) {
MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."),
T_PROGRAMTITLE, MB_ICONINFORMATION);
break;
}
//
// Query command line.
//
RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l);
if (l == 0) {
//
// Nothing in command line, simple display help and leave.
//
MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
break;
}
//
// Check known command.
//
if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) {
dwCmd = TSMI_INSTALL;
}
else {
if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) {
dwCmd = TSMI_REMOVE;
}
}
if (dwCmd == 0) {
MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
break;
}
//
// Init ldr and DSEFix.
//
if (!ldrInit(dwCmd)) {
break;
}
//
// Process command.
//
switch (dwCmd) {
case TSMI_INSTALL:
// Backup vboxdrv if exists.
supBackupVBoxDrv(FALSE);
// Stop VBox Networking and USB driver.
bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE)));
bUsbMonDisabled = dsfStopDriver(VBoxUsbMon);
dsfStopDriver(VBoxDrvSvc);
// Load vulnerable VBoxDrv, disable VBox Network if exist.
RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
if (GetSystemDirectory(szDriverBuffer, MAX_PATH) == 0) {
MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."),
NULL, MB_ICONINFORMATION);
break;
}
_strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));
hDevice = dsfLoadVulnerableDriver(szDriverBuffer);
if (hDevice) {
//
// Disable DSE so we can load monitor.
// Device handle closed by DSEFix routine.
//
if (ldrPatchDSE(hDevice, TRUE)) {
// Stop our VBoxDrv, need reloading for 2nd usage.
dsfStopDriver(VBoxDrvSvc);
// Load custom patch table, if present.
RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l);
if (l > 0) {
l = 0;
DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l);
if ((DataBuffer != NULL) && (l > 0)) {
g_TsmiPatchDataValue = DataBuffer;
g_TsmiPatchDataValueSize = l;
}
}
// Install and run monitor.
if (!ldrSetMonitor()) {
MessageBox(GetDesktopWindow(),
TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR);
}
// Enable DSE back.
hDevice = NULL;
if (dsfStartDriver(VBoxDrvSvc, &hDevice)) {
ldrPatchDSE(hDevice, FALSE);
}
}
else { //ldrPatchDSE failure case
// Unknown error during DSE disabling attempt.
MessageBox(GetDesktopWindow(),
TEXT("Error disabling DSE"), NULL, MB_ICONERROR);
}
// Finally, remove our vboxdrv file and restore backup.
dsfStopDriver(VBoxDrvSvc);
DeleteFile(szDriverBuffer);
supBackupVBoxDrv(TRUE);
// Restart installed VBoxDrv.
dsfStartDriver(VBoxDrvSvc, NULL);
}
else { //dsfLoadVulnerableDriver failure case.
// Load error, show error message and restore backup.
supBackupVBoxDrv(TRUE);
MessageBox(GetDesktopWindow(),
TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR);
}
break;
//
// Remove command, unload our driver and purge file/memory list cache.
//
case TSMI_REMOVE:
scmUnloadDeviceDriver(TsmiDrvName);
supPurgeSystemCache();
break;
}
} while (cond);
//
// Cleanup after install.
//
if (dwCmd == TSMI_INSTALL) {
// Re-enable VBox Network, UsbMonitor if they're disabled.
if (bConDisabled) {
supNetworkConnectionEnable(VBoxNetConnect, TRUE);
}
if (bUsbMonDisabled) {
dsfStartDriver(VBoxUsbMon, NULL);
}
// Free memory allocated for custom patch table.
if (DataBuffer != NULL) {
HeapFree(GetProcessHeap(), 0, DataBuffer);
}
}
InterlockedDecrement((PLONG)&g_lApplicationInstances);
ExitProcess(0);
return;
}
// Locate MmPfnDatabase
_Use_decl_annotations_ static NTSTATUS MmonpInitializeMmPfnDatabase() {
PAGED_CODE();
RTL_OSVERSIONINFOW os_version = {};
auto status = RtlGetVersion(&os_version);
if (!NT_SUCCESS(status)) {
return status;
}
// Set appropriate patterns and based on an OS version
struct MmPfnDatabaseSearchPattern {
const UCHAR *bytes;
SIZE_T bytes_size;
bool hard_coded;
};
MmPfnDatabaseSearchPattern patterns[2] = {};
if (IsX64()) {
// Win 10 build 14316 is the first version implements randomized page tables
if (os_version.dwMajorVersion < 10 || os_version.dwBuildNumber < 14316) {
// PFN database is at the constant location on older x64 Windows
g_mmonp_MmPfnDatabase = reinterpret_cast<void *>(0xfffffa8000000000);
return STATUS_SUCCESS;
}
// Windows 10 x64 Build 14332+
static const UCHAR kPatternWin10x64[] = {
0x48, 0x8B, 0xC1, // mov rax, rcx
0x48, 0xC1, 0xE8, 0x0C, // shr rax, 0Ch
0x48, 0x8D, 0x14, 0x40, // lea rdx, [rax + rax * 2]
0x48, 0x03, 0xD2, // add rdx, rdx
0x48, 0xB8, // mov rax, 0FFFFFA8000000008h
};
patterns[0].bytes = kPatternWin10x64;
patterns[0].bytes_size = sizeof(kPatternWin10x64);
patterns[0].hard_coded = true;
} else {
// x86
if (os_version.dwMajorVersion == 6 && os_version.dwMinorVersion == 1) {
// Windows 7 (No PAE)
static const UCHAR kPatternWin7[] = {
0x6B, 0xC0, 0x18, // imul eax, 18h
0x8B, 0x0D, // mov ecx, ds:_MmPfnDatabase
};
// Windows 7 (PAE)
static const UCHAR kPatternWin7Pae[] = {
0x6B, 0xC0, 0x1C, // imul eax, 1Ch
0x8B, 0x0D, // mov ecx, ds:_MmPfnDatabase
};
if (UtilIsX86Pae()) {
patterns[0].bytes = kPatternWin7Pae;
patterns[0].bytes_size = sizeof(kPatternWin7Pae);
patterns[0].hard_coded = false;
} else {
patterns[0].bytes = kPatternWin7;
patterns[0].bytes_size = sizeof(kPatternWin7);
patterns[0].hard_coded = false;
}
} else if ((os_version.dwMajorVersion == 6 &&
os_version.dwMinorVersion == 3) ||
(os_version.dwMajorVersion == 10 &&
os_version.dwMinorVersion == 0)) {
// Windows 8.1 and 10
static const UCHAR kPatternWin81And10_0[] = {
0xC1, 0xF8, 0x0C, // sar eax, 0Ch
0xA1, // mov eax, ds:_MmPfnDatabase
};
static const UCHAR kPatternWin81And10_1[] = {
0xC1, 0xE8, 0x0C, // shr eax, 0Ch
0xA1, // mov eax, ds:_MmPfnDatabase
};
patterns[0].bytes = kPatternWin81And10_0;
patterns[0].bytes_size = sizeof(kPatternWin81And10_0);
patterns[0].hard_coded = false;
patterns[1].bytes = kPatternWin81And10_1;
patterns[1].bytes_size = sizeof(kPatternWin81And10_1);
patterns[1].hard_coded = false;
} else {
// Unknown x86 OS version
return STATUS_UNSUCCESSFUL;
}
}
// Search the patterns from MmGetVirtualForPhysical
const auto p_MmGetVirtualForPhysical = reinterpret_cast<UCHAR *>(
UtilGetSystemProcAddress(L"MmGetVirtualForPhysical"));
if (!p_MmGetVirtualForPhysical) {
return STATUS_PROCEDURE_NOT_FOUND;
}
for (const auto &pattern : patterns) {
if (!pattern.bytes) {
break; // no more patterns
}
auto found = reinterpret_cast<UCHAR *>(UtilMemMem(
p_MmGetVirtualForPhysical, 0x20, pattern.bytes, pattern.bytes_size));
if (!found) {
continue;
}
// Get an address of PFN database
found += pattern.bytes_size;
if (pattern.hard_coded) {
HYPERPLATFORM_LOG_DEBUG("Found a hard coded PFN database address at %p",
found);
g_mmonp_MmPfnDatabase = *reinterpret_cast<void **>(found);
} else {
HYPERPLATFORM_LOG_DEBUG("Found a reference to MmPfnDatabase at %p",
found);
const auto mmpfn_address = *reinterpret_cast<ULONG_PTR *>(found);
g_mmonp_MmPfnDatabase = *reinterpret_cast<void **>(mmpfn_address);
}
// On Windows 10 RS, a value has 0x8. Delete it.
g_mmonp_MmPfnDatabase = PAGE_ALIGN(g_mmonp_MmPfnDatabase);
break;
}
HYPERPLATFORM_LOG_DEBUG("MmPfnDatabase = %p", g_mmonp_MmPfnDatabase);
if (!g_mmonp_MmPfnDatabase) {
return STATUS_UNSUCCESSFUL;
}
return STATUS_SUCCESS;
}
/*******************************************************************************
*
* 函 数 名 : InitlizedDeviceExtension
* 功能描述 : 初始化DeviceExtension中一些SSDT函数索引,系统结构体偏移值
* 参数列表 : pde -- PDEVICE_EXTENSION 结构体
* 说 明 :
* 返回结果 : 函数成功返回true,失败返回false
*
*******************************************************************************/
bool InitlizedDeviceExtension(PDEVICE_EXTENSION pde)
{
RTL_OSVERSIONINFOW osi ={0} ;
osi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW) ;
RtlGetVersion(&osi) ;
if (NULL == pde)
{
return false ;
}
KeInitializeMutex(&pde->DeviceIoControlMutex, 0) ;
KeInitializeMutex(&pde->MyThreadMutex, 0) ;
// 判断系统版本,填充相应的值
switch(osi.dwPlatformId)
{
case VER_PLATFORM_WIN32_NT:
{
switch(osi.dwMajorVersion)
{
case 0:
case 1:
case 2:
case 3:
case 4:
// 这里的话是Windows NT系统
// 添加相应的代码
{
}
break ;
// 2k xp 2003
case 5:
{
switch(osi.dwMinorVersion)
{
// 2000的系统
case 0:
{
pde->uNtQuerySystemInformationIndex = 151 ;
pde->uNtOpenProcessIndex = 106 ;
}
break ;
// xp的系统
case 1:
{
pde->uNtQuerySystemInformationIndex = 173 ;
pde->uNtOpenProcessIndex = 122 ;
pde->uActiveProcessLinksOffset = 0x88 ;
pde->UniqueProcessIdOffset = 0x84 ;
}
break ;
// 2003的系统
case 2:
{
pde->uNtQuerySystemInformationIndex = 181 ;
pde->uNtOpenProcessIndex = 128 ;
pde->uActiveProcessLinksOffset = 152 ;
pde->UniqueProcessIdOffset = 148 ;
}
break ;
}// end of switch(osi.dwMinorVersion)
} // end of case 5
break ;
// vista 2008 win 7
case 6:
{
switch(osi.dwMinorVersion)
{
// vista 2008
case 0:
{
pde->uNtQuerySystemInformationIndex = 248 ;
pde->uNtOpenProcessIndex = 194 ;
}
break ;
// win 7 2008 r2
case 1:
{
pde->uNtQuerySystemInformationIndex = 260 ;
pde->uNtOpenProcessIndex = 189 ;
pde->uActiveProcessLinksOffset = 0xb8 ;
pde->UniqueProcessIdOffset = 0xb4 ;
}
break ;
}
}
break ;
default:
break ;
}
}
break ;
}
return true ;
}
void DolphinAnalytics::MakeBaseBuilder()
{
Common::AnalyticsReportBuilder builder;
// Version information.
builder.AddData("version-desc", Common::scm_desc_str);
builder.AddData("version-hash", Common::scm_rev_git_str);
builder.AddData("version-branch", Common::scm_branch_str);
builder.AddData("version-dist", Common::scm_distributor_str);
// Auto-Update information.
builder.AddData("update-track", SConfig::GetInstance().m_auto_update_track);
// CPU information.
builder.AddData("cpu-summary", cpu_info.Summarize());
// OS information.
#if defined(_WIN32)
builder.AddData("os-type", "windows");
// Windows 8 removes support for GetVersionEx and such. Stupid.
DWORD(WINAPI * RtlGetVersion)(LPOSVERSIONINFOEXW);
*(FARPROC*)&RtlGetVersion = GetProcAddress(GetModuleHandle(TEXT("ntdll")), "RtlGetVersion");
OSVERSIONINFOEXW winver;
winver.dwOSVersionInfoSize = sizeof(winver);
if (RtlGetVersion != nullptr)
{
RtlGetVersion(&winver);
builder.AddData("win-ver-major", static_cast<u32>(winver.dwMajorVersion));
builder.AddData("win-ver-minor", static_cast<u32>(winver.dwMinorVersion));
builder.AddData("win-ver-build", static_cast<u32>(winver.dwBuildNumber));
builder.AddData("win-ver-spmajor", static_cast<u32>(winver.wServicePackMajor));
builder.AddData("win-ver-spminor", static_cast<u32>(winver.wServicePackMinor));
}
#elif defined(ANDROID)
builder.AddData("os-type", "android");
builder.AddData("android-manufacturer", s_get_val_func("DEVICE_MANUFACTURER"));
builder.AddData("android-model", s_get_val_func("DEVICE_MODEL"));
builder.AddData("android-version", s_get_val_func("DEVICE_OS"));
#elif defined(__APPLE__)
builder.AddData("os-type", "osx");
SInt32 osxmajor, osxminor, osxbugfix;
// Gestalt is deprecated, but the replacement (NSProcessInfo
// operatingSystemVersion) is only available on OS X 10.10, so we need to use
// it anyway. Change this someday when Dolphin depends on 10.10+.
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
Gestalt(gestaltSystemVersionMajor, &osxmajor);
Gestalt(gestaltSystemVersionMinor, &osxminor);
Gestalt(gestaltSystemVersionBugFix, &osxbugfix);
#pragma GCC diagnostic pop
builder.AddData("osx-ver-major", osxmajor);
builder.AddData("osx-ver-minor", osxminor);
builder.AddData("osx-ver-bugfix", osxbugfix);
#elif defined(__linux__)
builder.AddData("os-type", "linux");
#elif defined(__FreeBSD__)
builder.AddData("os-type", "freebsd");
#else
builder.AddData("os-type", "unknown");
#endif
m_base_builder = builder;
}
NTSTATUS
AFSInitRDRDevice()
{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING uniDeviceName;
AFSDeviceExt *pDeviceExt = NULL;
UNICODE_STRING uniFsRtlRegisterUncProviderEx;
FsRtlRegisterUncProviderEx_t pFsRtlRegisterUncProviderEx = NULL;
RTL_OSVERSIONINFOW sysVersion;
ULONG ulDeviceCharacteristics = FILE_REMOTE_DEVICE;
__Enter
{
RtlZeroMemory( &sysVersion,
sizeof( RTL_OSVERSIONINFOW));
sysVersion.dwOSVersionInfoSize = sizeof( RTL_OSVERSIONINFOW);
RtlGetVersion( &sysVersion);
RtlInitUnicodeString( &uniDeviceName,
AFS_RDR_DEVICE_NAME);
RtlInitUnicodeString( &uniFsRtlRegisterUncProviderEx,
L"FsRtlRegisterUncProviderEx");
pFsRtlRegisterUncProviderEx = (FsRtlRegisterUncProviderEx_t)MmGetSystemRoutineAddress(&uniFsRtlRegisterUncProviderEx);
//
// On 32-bit Windows XP, do not set FILE_DEVICE_SECURE_OPEN
// flag as it interferes with initial access to \\afs from
// limited user accounts.
//
if(!(sysVersion.dwMajorVersion == 5 &&
sysVersion.dwMinorVersion == 1))
{
ulDeviceCharacteristics |= FILE_DEVICE_SECURE_OPEN;
}
ntStatus = IoCreateDevice( AFSDriverObject,
sizeof( AFSDeviceExt),
pFsRtlRegisterUncProviderEx ? NULL : &uniDeviceName,
FILE_DEVICE_NETWORK_FILE_SYSTEM,
ulDeviceCharacteristics,
FALSE,
&AFSRDRDeviceObject);
if( !NT_SUCCESS( ntStatus))
{
AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
AFS_TRACE_LEVEL_ERROR,
"AFSInitRDRDevice IoCreateDevice failure %08lX\n",
ntStatus));
try_return( ntStatus);
}
pDeviceExt = (AFSDeviceExt *)AFSRDRDeviceObject->DeviceExtension;
RtlZeroMemory( pDeviceExt,
sizeof( AFSDeviceExt));
//
// Initialize resources
//
pDeviceExt->Specific.RDR.VolumeTree.TreeLock = &pDeviceExt->Specific.RDR.VolumeTreeLock;
ExInitializeResourceLite( pDeviceExt->Specific.RDR.VolumeTree.TreeLock);
pDeviceExt->Specific.RDR.VolumeTree.TreeHead = NULL;
ExInitializeResourceLite( &pDeviceExt->Specific.RDR.VolumeListLock);
pDeviceExt->Specific.RDR.VolumeListHead = NULL;
pDeviceExt->Specific.RDR.VolumeListTail = NULL;
KeInitializeEvent( &pDeviceExt->Specific.RDR.QueuedReleaseExtentEvent,
NotificationEvent,
TRUE);
ExInitializeResourceLite( &pDeviceExt->Specific.RDR.RootCellTreeLock);
pDeviceExt->Specific.RDR.RootCellTree.TreeLock = &pDeviceExt->Specific.RDR.RootCellTreeLock;
pDeviceExt->Specific.RDR.RootCellTree.TreeHead = NULL;
ExInitializeResourceLite( &pDeviceExt->Specific.RDR.ProviderListLock);
ntStatus = AFSInitRdrFcb( &pDeviceExt->Fcb);
if ( !NT_SUCCESS(ntStatus))
{
AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
AFS_TRACE_LEVEL_ERROR,
"AFSInitRDRDevice AFSInitRdrFcb failure %08lX\n",
ntStatus));
try_return( ntStatus);
}
//
// Clear the initializing bit
//
AFSRDRDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
//
// Increase the StackSize to support the extra stack frame required
// for use of IoCompletion routines.
//
AFSRDRDeviceObject->StackSize++;
//
// Register this device with MUP with FilterMgr if Vista or above
//
if( pFsRtlRegisterUncProviderEx)
{
ntStatus = pFsRtlRegisterUncProviderEx( &AFSMUPHandle,
&uniDeviceName,
AFSRDRDeviceObject,
0);
if ( !NT_SUCCESS( ntStatus))
{
AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
AFS_TRACE_LEVEL_ERROR,
"AFSInitRDRDevice FsRtlRegisterUncProvider failure %08lX\n",
ntStatus));
}
}
else
{
ntStatus = FsRtlRegisterUncProvider( &AFSMUPHandle,
&uniDeviceName,
FALSE);
if ( NT_SUCCESS( ntStatus))
{
IoRegisterFileSystem( AFSRDRDeviceObject);
}
else
{
AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING,
AFS_TRACE_LEVEL_ERROR,
"AFSInitRDRDevice FsRtlRegisterUncProvider failure %08lX\n",
ntStatus));
}
}
//
// Good to go, all registered and ready to start receiving requests
//
try_exit:
if( !NT_SUCCESS( ntStatus))
{
//
// Delete our device and bail
//
ExDeleteResourceLite( pDeviceExt->Specific.RDR.VolumeTree.TreeLock);
ExDeleteResourceLite( &pDeviceExt->Specific.RDR.VolumeListLock);
ExDeleteResourceLite( &pDeviceExt->Specific.RDR.RootCellTreeLock);
ExDeleteResourceLite( &pDeviceExt->Specific.RDR.ProviderListLock);
IoDeleteDevice( AFSRDRDeviceObject);
AFSRDRDeviceObject = NULL;
try_return( ntStatus);
}
}
return ntStatus;
}
void main()
{
LONG x;
ULONG ParamLen;
HANDLE hDevice = NULL;
WCHAR cmdLineParam[MAX_PATH + 1];
BOOL bDisable = TRUE, cond = FALSE;
__security_init_cookie();
//
// Output DSEFix banner.
//
ShowServiceMessage("DSEFix v1.1.0 started");
ShowServiceMessage("(c) 2014 - 2015 DSEFix Project");
ShowServiceMessage("Supported x64 OS : Vista / 7 / 8 / 8.1 / 10");
do {
//
// Check single instance.
//
x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) {
ShowServiceMessage("Another instance running, close it before");
break;
}
//
// Check supported OS.
//
RtlSecureZeroMemory(&osv, sizeof(osv));
osv.dwOSVersionInfoSize = sizeof(osv);
RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
if (osv.dwMajorVersion < 6) {
ShowServiceMessage("Unsupported OS");
break;
}
//
// Query command line parameters.
//
ParamLen = 0;
RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &ParamLen);
if (_strcmpi(cmdLineParam, TEXT("-e")) == 0) {
ShowServiceMessage("DSE will be (re)enabled");
bDisable = FALSE;
}
else {
ShowServiceMessage("DSE will be disabled");
bDisable = TRUE;
}
//
// Load vulnerable driver and open it device.
//
hDevice = LoadVulnerableDriver();
if (hDevice == NULL) {
ShowServiceMessage("Failed to load vulnerable driver");
break;
}
else {
ShowServiceMessage("Vulnerable VirtualBox driver loaded");
}
//
// Manipulate kernel variable.
//
if (DoWork(hDevice, bDisable)) {
ShowServiceMessage("Kernel memory patched");
}
else {
ShowServiceMessage("Failed to patch kernel memory");
}
//
// Do basic cleanup.
//
ShowServiceMessage("Cleaning up");
UnloadVulnerableDriver();
ShowServiceMessage("Finish");
} while (cond);
InterlockedDecrement((PLONG)&g_lApplicationInstances);
ExitProcess(0);
}
/*
* @implemented
*/
NTSTATUS
NTAPI
RtlVerifyVersionInfo(IN PRTL_OSVERSIONINFOEXW VersionInfo,
IN ULONG TypeMask,
IN ULONGLONG ConditionMask)
{
NTSTATUS Status;
RTL_OSVERSIONINFOEXW ver;
BOOLEAN Comparison;
/* FIXME:
- Check the following special case on Windows (various versions):
o lp->wSuiteMask == 0 and ver.wSuiteMask != 0 and VER_AND/VER_OR
o lp->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW)
- MSDN talks about some tests being impossible. Check what really happens.
*/
ver.dwOSVersionInfoSize = sizeof(ver);
Status = RtlGetVersion((PRTL_OSVERSIONINFOW)&ver);
if (Status != STATUS_SUCCESS) return Status;
if (!TypeMask || !ConditionMask) return STATUS_INVALID_PARAMETER;
if (TypeMask & VER_PRODUCT_TYPE)
{
Comparison = RtlpVerCompare(ver.wProductType,
VersionInfo->wProductType,
RtlpVerGetCondition(ConditionMask, VER_PRODUCT_TYPE));
if (!Comparison)
return STATUS_REVISION_MISMATCH;
}
if (TypeMask & VER_SUITENAME)
{
switch (RtlpVerGetCondition(ConditionMask, VER_SUITENAME))
{
case VER_AND:
if ((VersionInfo->wSuiteMask & ver.wSuiteMask) != VersionInfo->wSuiteMask)
{
return STATUS_REVISION_MISMATCH;
}
break;
case VER_OR:
if (!(VersionInfo->wSuiteMask & ver.wSuiteMask) && VersionInfo->wSuiteMask)
{
return STATUS_REVISION_MISMATCH;
}
break;
default:
return STATUS_INVALID_PARAMETER;
}
}
if (TypeMask & VER_PLATFORMID)
{
Comparison = RtlpVerCompare(ver.dwPlatformId,
VersionInfo->dwPlatformId,
RtlpVerGetCondition(ConditionMask, VER_PLATFORMID));
if (!Comparison)
return STATUS_REVISION_MISMATCH;
}
if (TypeMask & VER_BUILDNUMBER)
{
Comparison = RtlpVerCompare(ver.dwBuildNumber,
VersionInfo->dwBuildNumber,
RtlpVerGetCondition(ConditionMask, VER_BUILDNUMBER));
if (!Comparison)
return STATUS_REVISION_MISMATCH;
}
TypeMask &= VER_MAJORVERSION|VER_MINORVERSION|VER_SERVICEPACKMAJOR|VER_SERVICEPACKMINOR;
if (TypeMask)
{
BOOLEAN do_next_check = TRUE;
/*
* Select the leading comparison operator (for example, the comparison
* operator for VER_MAJORVERSION supersedes the others for VER_MINORVERSION,
* VER_SERVICEPACKMAJOR and VER_SERVICEPACKMINOR).
*/
UCHAR Condition = RtlpVerGetCondition(ConditionMask, TypeMask);
Comparison = TRUE;
if (TypeMask & VER_MAJORVERSION)
{
Comparison = RtlpVerCompare(ver.dwMajorVersion,
VersionInfo->dwMajorVersion,
Condition);
do_next_check = (ver.dwMajorVersion == VersionInfo->dwMajorVersion) &&
((Condition != VER_EQUAL) || Comparison);
}
if ((TypeMask & VER_MINORVERSION) && do_next_check)
{
Comparison = RtlpVerCompare(ver.dwMinorVersion,
VersionInfo->dwMinorVersion,
Condition);
do_next_check = (ver.dwMinorVersion == VersionInfo->dwMinorVersion) &&
((Condition != VER_EQUAL) || Comparison);
}
if ((TypeMask & VER_SERVICEPACKMAJOR) && do_next_check)
{
Comparison = RtlpVerCompare(ver.wServicePackMajor,
VersionInfo->wServicePackMajor,
Condition);
do_next_check = (ver.wServicePackMajor == VersionInfo->wServicePackMajor) &&
((Condition != VER_EQUAL) || Comparison);
}
if ((TypeMask & VER_SERVICEPACKMINOR) && do_next_check)
{
Comparison = RtlpVerCompare(ver.wServicePackMinor,
VersionInfo->wServicePackMinor,
Condition);
}
if (!Comparison)
return STATUS_REVISION_MISMATCH;
}
return STATUS_SUCCESS;
}
