NTSTATUS KphDynamicDataInitialization( VOID ) { NTSTATUS status = STATUS_SUCCESS; PAGED_CODE(); // Get Windows version information. KphDynOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW); status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphDynOsVersionInfo); if (!NT_SUCCESS(status)) return status; // Dynamic data should be read from the registry, but we use the fallback // function here if needed. if (KphDynNtVersion == 0) { #ifdef _X86_ KphpX86DataInitialization(); #else KphpAmd64DataInitialization(); #endif } return status; }
/*********************************************************************** * GetVersionExA (KERNEL32.@) */ BOOL WINAPI GetVersionExA(OSVERSIONINFOA *v) { RTL_OSVERSIONINFOEXW infoW; if (v->dwOSVersionInfoSize != sizeof(OSVERSIONINFOA) && v->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXA)) { WARN("wrong OSVERSIONINFO size from app (got: %d)\n", v->dwOSVersionInfoSize ); SetLastError(ERROR_INSUFFICIENT_BUFFER); return FALSE; } infoW.dwOSVersionInfoSize = sizeof(infoW); if (RtlGetVersion( &infoW ) != STATUS_SUCCESS) return FALSE; v->dwMajorVersion = infoW.dwMajorVersion; v->dwMinorVersion = infoW.dwMinorVersion; v->dwBuildNumber = infoW.dwBuildNumber; v->dwPlatformId = infoW.dwPlatformId; WideCharToMultiByte( CP_ACP, 0, infoW.szCSDVersion, -1, v->szCSDVersion, sizeof(v->szCSDVersion), NULL, NULL ); if(v->dwOSVersionInfoSize == sizeof(OSVERSIONINFOEXA)) { LPOSVERSIONINFOEXA vex = (LPOSVERSIONINFOEXA) v; vex->wServicePackMajor = infoW.wServicePackMajor; vex->wServicePackMinor = infoW.wServicePackMinor; vex->wSuiteMask = infoW.wSuiteMask; vex->wProductType = infoW.wProductType; } return TRUE; }
/* * @implemented */ BOOL WINAPI GetVersionExW(IN LPOSVERSIONINFOW lpVersionInformation) { NTSTATUS Status; LPOSVERSIONINFOEXW lpVersionInformationEx; if ((lpVersionInformation->dwOSVersionInfoSize != sizeof(OSVERSIONINFOW)) && (lpVersionInformation->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW))) { SetLastError(ERROR_INSUFFICIENT_BUFFER); return FALSE; } Status = RtlGetVersion((PRTL_OSVERSIONINFOW)lpVersionInformation); if (Status == STATUS_SUCCESS) { if (lpVersionInformation->dwOSVersionInfoSize == sizeof(OSVERSIONINFOEXW)) { lpVersionInformationEx = (PVOID)lpVersionInformation; lpVersionInformationEx->wReserved = 0; } return TRUE; } return FALSE; }
gboolean wing_get_version_number (gint *major, gint *minor) { typedef NTSTATUS (WINAPI fRtlGetVersion) (PRTL_OSVERSIONINFOEXW); OSVERSIONINFOEXW osverinfo; fRtlGetVersion *RtlGetVersion; HMODULE hmodule; hmodule = LoadLibraryW (L"ntdll.dll"); g_return_val_if_fail (hmodule != NULL, FALSE); RtlGetVersion = (fRtlGetVersion *)GetProcAddress (hmodule, "RtlGetVersion"); g_return_val_if_fail (RtlGetVersion != NULL, FALSE); memset (&osverinfo, 0, sizeof (OSVERSIONINFOEXW)); osverinfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW); RtlGetVersion (&osverinfo); FreeLibrary (hmodule); *major = osverinfo.dwMajorVersion; *minor = osverinfo.dwMinorVersion; return TRUE; }
/* * WinObjInitGlobals * * Purpose: * * Initialize global variables. * */ BOOL WinObjInitGlobals() { SIZE_T cch; BOOL bResult = FALSE, bCond = FALSE; do { RtlSecureZeroMemory(&g_WinObj, sizeof(g_WinObj)); // // Query version info. // g_WinObj.osver.dwOSVersionInfoSize = sizeof(g_WinObj.osver); RtlGetVersion(&g_WinObj.osver); // // Remember hInstance. // g_WinObj.hInstance = GetModuleHandle(NULL); // // Create dedicated heap. // g_WinObj.Heap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL); if (g_WinObj.Heap == NULL) break; RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0); RtlInitializeCriticalSection(&g_WinObj.Lock); // // Remember %TEMP% directory. // cch = ExpandEnvironmentStrings(L"%temp%", g_WinObj.szTempDirectory, MAX_PATH); if ((cch == 0) || (cch > MAX_PATH)) break; // // Remember Windows directory. // if (!GetWindowsDirectory(g_WinObj.szWindowsDirectory, MAX_PATH)) break; // // Remember System32 directory. // if (!GetSystemDirectory(g_WinObj.szSystemDirectory, MAX_PATH)) break; bResult = TRUE; } while (bCond); if (bResult == FALSE) { if (g_WinObj.Heap) RtlDestroyHeap(g_WinObj.Heap); } return bResult; }
/*********************************************************************** * GetVersionExW (KERNEL32.@) */ BOOL WINAPI GetVersionExW( OSVERSIONINFOW *info ) { if (info->dwOSVersionInfoSize != sizeof(OSVERSIONINFOW) && info->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW)) { WARN("wrong OSVERSIONINFO size from app (got: %d)\n", info->dwOSVersionInfoSize); return FALSE; } return (RtlGetVersion( (RTL_OSVERSIONINFOEXW *)info ) == STATUS_SUCCESS); }
PVOID GetAcpiHandle(PVOID in_pdo) { //KdPrint(("GetAcpiHandle Input:0x%X\n",in_pdo)); PVOID pvRet=0; PVOID temp; RTL_OSVERSIONINFOW osvx={0}; osvx.dwOSVersionInfoSize=sizeof(RTL_OSVERSIONINFOW); RtlGetVersion(&osvx); temp = ((PDEVICE_OBJECT)in_pdo)->DeviceObjectExtension->DeviceObject->DeviceExtension; pvRet = *((PVOID *)((ULONG_PTR)temp + g_ulACPIHandleOffset)); if((osvx.dwMajorVersion == 6 && osvx.dwMinorVersion == 3) || osvx.dwMajorVersion == 10) { pvRet = *((PVOID*)pvRet); } return pvRet; /*__asm { push eax push ebx push ecx push edx mov ecx,temp mov edx,g_ulACPIHandleOffset add ecx,edx mov ebx,[ecx] mov pvRet,ebx pop edx pop ecx pop ebx pop eax }*/ /*__asm { push eax push ebx push ecx push edx mov ecx,in_pdo mov ecx,[ecx+0xb0] mov ecx,[ecx+4] mov ecx,[ecx+0x28] mov edx,g_ulACPIHandleOffset add ecx,edx mov ebx,[ecx] mov pvRet,ebx pop edx pop ecx pop ebx pop eax }*/ //KdPrint(("GetAcpiHandle Returns:0x%X\n",pvRet)); return pvRet; }
ULONG GetOsVersion() { ULONG ulOsVersion; RTL_OSVERSIONINFOW OsVersionInfo; PAGED_CODE(); OsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW); if (!NT_SUCCESS(RtlGetVersion(&OsVersionInfo))) return OS_VERSION_ERROR; switch (OsVersionInfo.dwBuildNumber) { case 2195: ulOsVersion = OS_VERSION_2000; break; case 2600: ulOsVersion = OS_VERSION_XP; break; case 3790: ulOsVersion = OS_VERSION_SERVER_2003; break; case 6000: ulOsVersion = OS_VERSION_VISTA; break; case 6001: ulOsVersion = OS_VERSION_VISTA_SP1; break; case 6002: ulOsVersion = OS_VERSION_VISTA_SP2; break; case 7600: ulOsVersion = OS_VERSION_WIN7; break; case 7601: ulOsVersion = OS_VERSION_WIN7_SP1; break; default: ulOsVersion = OS_VERSION_ERROR; } return ulOsVersion; }
static FORCEINLINE __SystemGetVersionInformation( VOID ) { RTL_OSVERSIONINFOEXW VersionInformation; ULONG Bit; ASSERT3U(KeGetCurrentIrql(), ==, PASSIVE_LEVEL); RtlZeroMemory(&VersionInformation, sizeof (RTL_OSVERSIONINFOEXW)); VersionInformation.dwOSVersionInfoSize = sizeof (RTL_OSVERSIONINFOEXW); RtlGetVersion((PRTL_OSVERSIONINFOW)&VersionInformation); #if defined(__i386__) Info("KERNEL: %d.%d (BUILD %d) PLATFORM %s\n", VersionInformation.dwMajorVersion, VersionInformation.dwMinorVersion, VersionInformation.dwBuildNumber, __PlatformIdName(VersionInformation.dwPlatformId)); #elif defined(__x86_64__) Info("KERNEL: %d.%d (BUILD %d) PLATFORM %s (x64)\n", VersionInformation.dwMajorVersion, VersionInformation.dwMinorVersion, VersionInformation.dwBuildNumber, __PlatformIdName(VersionInformation.dwPlatformId)); #else #error 'Unrecognised architecture' #endif if (VersionInformation.wServicePackMajor != 0 || VersionInformation.wServicePackMinor != 0) Info("SP: %d.%d (%s)\n", VersionInformation.wServicePackMajor, VersionInformation.wServicePackMinor, VersionInformation.szCSDVersion); Info("SUITES:\n"); Bit = 0; while (VersionInformation.wSuiteMask != 0) { if (VersionInformation.wSuiteMask & 0x0001) Info("- %s\n", __SuiteName(Bit)); VersionInformation.wSuiteMask >>= 1; Bit++; } Info("TYPE: %s\n", __ProductTypeName(VersionInformation.wProductType)); }
NTSTATUS KphDynamicDataInitialization( VOID ) { NTSTATUS status = STATUS_SUCCESS; PAGED_CODE(); // Get Windows version information. KphDynOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW); status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphDynOsVersionInfo); return status; }
int main() { RTLGETVERSION RtlGetVersion=(RTLGETVERSION)GetProcAddress(GetModuleHandleA("ntdll.dll"),"RtlGetVersion"); OSVERSIONINFO osv1={0},osv2={0}; //way 1 osv1.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); GetVersionEx(&osv1); printf("Get Build Number by GetVersionEx: %ld\n",osv1.dwBuildNumber); //way 2 osv2.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); RtlGetVersion(&osv2); printf("Get Build Number by RtlGetVersion: %ld\n",osv2.dwBuildNumber); //show info getchar(); return 0; }
// // e.g. WinXP SP2 : 0x05010200 // inline ULONG GetOsVersion() { RTL_OSVERSIONINFOW ver_info = {}; ver_info.dwOSVersionInfoSize = sizeof(ver_info); auto status = RtlGetVersion(&ver_info); Assert(NT_SUCCESS(status)); auto ver = ver_info.dwMajorVersion << 24 | ver_info.dwMinorVersion << 16; if (0 == ver_info.szCSDVersion[0]) { return ver; } if (Equals(ver_info.szCSDVersion, L"Service Pack 1", false)) { return ver |= 0x0100; } if (Equals(ver_info.szCSDVersion, L"Service Pack 2", false)) { return ver |= 0x0200; } if (Equals(ver_info.szCSDVersion, L"Service Pack 3", false)) { return ver |= 0x0300; } if (Equals(ver_info.szCSDVersion, L"Service Pack 4", false)) { return ver |= 0x0400; } if (Equals(ver_info.szCSDVersion, L"Service Pack 5", false)) { return ver |= 0x0500; } if (Equals(ver_info.szCSDVersion, L"Service Pack 6", false)) { return ver |= 0x0600; } return ver; }
/*********************************************************************** * GetVersion (KERNEL.3) */ DWORD WINAPI GetVersion16(void) { static WORD dosver, winver; if (!dosver) /* not determined yet */ { RTL_OSVERSIONINFOEXW info; info.dwOSVersionInfoSize = sizeof(info); if (RtlGetVersion( &info )) return 0; if (info.dwMajorVersion <= 3) winver = MAKEWORD( info.dwMajorVersion, info.dwMinorVersion ); else winver = MAKEWORD( 3, 95 ); switch(info.dwPlatformId) { case VER_PLATFORM_WIN32s: switch(MAKELONG( info.dwMinorVersion, info.dwMajorVersion )) { case 0x0200: dosver = 0x0303; /* DOS 3.3 for Windows 2.0 */ break; case 0x0300: dosver = 0x0500; /* DOS 5.0 for Windows 3.0 */ break; default: dosver = 0x0616; /* DOS 6.22 for Windows 3.1 and later */ break; } break; case VER_PLATFORM_WIN32_WINDOWS: /* DOS 8.0 for WinME, 7.0 for Win95/98 */ if (info.dwMinorVersion >= 90) dosver = 0x0800; else dosver = 0x0700; break; case VER_PLATFORM_WIN32_NT: dosver = 0x0500; /* always DOS 5.0 for NT */ break; } TRACE( "DOS %d.%02d Win %d.%02d\n", HIBYTE(dosver), LOBYTE(dosver), LOBYTE(winver), HIBYTE(winver) ); } return MAKELONG( winver, dosver ); }
VOID XenPci_PatchKernel(PXENPCI_DEVICE_DATA xpdd, PVOID base, ULONG length) { patch_info_t patch_info; #if (NTDDI_VERSION >= NTDDI_WINXP) RTL_OSVERSIONINFOEXW version_info; #endif FUNCTION_ENTER(); /* if we're compiled for 2000 then assume we need patching */ #if (NTDDI_VERSION >= NTDDI_WINXP) version_info.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW); RtlGetVersion((PRTL_OSVERSIONINFOW)&version_info); if (version_info.dwMajorVersion >= 6) { FUNCTION_MSG("Vista or newer - no need for patch\n"); return; } if (version_info.dwMajorVersion == 5 && version_info.dwMinorVersion > 2) { FUNCTION_MSG("Windows 2003 sp2 or newer - no need for patch\n"); return; } if (version_info.dwMajorVersion == 5 && version_info.dwMinorVersion == 2 && version_info.wServicePackMajor >= 2) { FUNCTION_MSG("Windows 2003 sp2 or newer - no need for patch\n"); return; } #endif if (IsMoveCr8Supported()) { FUNCTION_MSG("Using LOCK MOVE CR0 TPR patch\n"); patch_method = PATCH_METHOD_LOCK_MOVE_CR0; } else { FUNCTION_MSG("Using cached TPR patch\n"); patch_method = PATCH_METHOD_CACHED_TPR; } patch_info.base = base; patch_info.length = length; XenPci_HighSync(XenPci_DoPatchKernel0, XenPci_DoPatchKernelN, &patch_info); xpdd->removable = FALSE; FUNCTION_EXIT(); }
// Test if the system is one of supported OS versions _Use_decl_annotations_ bool DriverpIsSuppoetedOS() { PAGED_CODE(); RTL_OSVERSIONINFOW os_version = {}; auto status = RtlGetVersion(&os_version); if (!NT_SUCCESS(status)) { return false; } if (os_version.dwMajorVersion != 6 && os_version.dwMajorVersion != 10) { return false; } // 4-gigabyte tuning (4GT) should not be enabled if (!IsX64() && reinterpret_cast<ULONG_PTR>(MmSystemRangeStart) != 0x80000000) { return false; } return true; }
/* * ucmInit * * Purpose: * * Prestart phase. * */ UINT ucmInit( VOID ) { //fill common data block RtlSecureZeroMemory(&g_ldp, sizeof(g_ldp)); //remember dll handles g_ldp.hKernel32 = GetModuleHandleW(L"kernel32.dll"); if (g_ldp.hKernel32 == NULL) { return ERROR_INVALID_HANDLE; } g_ldp.hOle32 = GetModuleHandleW(L"ole32.dll"); if (g_ldp.hOle32 == NULL) { g_ldp.hOle32 = LoadLibraryW(L"ole32.dll"); if (g_ldp.hOle32 == NULL) { return ERROR_INVALID_HANDLE; } } g_ldp.hShell32 = GetModuleHandleW(L"shell32.dll"); if (g_ldp.hShell32 == NULL) { g_ldp.hShell32 = LoadLibraryW(L"shell32.dll"); if (g_ldp.hShell32 == NULL) { return ERROR_INVALID_HANDLE; } } //query basic directories if (GetSystemDirectoryW(g_ldp.szSystemDirectory, MAX_PATH) == 0) { return ERROR_INVALID_DATA; } //query build number RtlSecureZeroMemory(&g_ldp.osver, sizeof(g_ldp.osver)); g_ldp.osver.dwOSVersionInfoSize = sizeof(g_ldp.osver); if (!NT_SUCCESS(RtlGetVersion(&g_ldp.osver))) { return ERROR_INVALID_ACCESS; } g_ldp.IsWow64 = supIsProcess32bit(GetCurrentProcess()); return ERROR_SUCCESS; }
// Initializes GuardMon components _Use_decl_annotations_ NTSTATUS GMonInitialization() { PAGED_CODE(); GMonpDemoStl(); g_gmonp_ExAcquireResourceSharedLite = UtilGetSystemProcAddress(L"ExAcquireResourceSharedLite"); if (!g_gmonp_ExAcquireResourceSharedLite) { return STATUS_PROCEDURE_NOT_FOUND; } RTL_OSVERSIONINFOW os_version = {}; auto status = RtlGetVersion(&os_version); if (!NT_SUCCESS(status)) { return status; } if (os_version.dwMajorVersion == 10 && os_version.dwMinorVersion == 0) { g_pgmon_IsWindows10 = true; } return STATUS_SUCCESS; }
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { NTSTATUS ntStatus; UNICODE_STRING uszDriverString; UNICODE_STRING uszDeviceString; UNICODE_STRING uszProcessEventString; PDEVICE_OBJECT pDeviceObject; PDEVICE_EXTENSION extension; HANDLE hProcessHandle; RTL_OSVERSIONINFOW version; RtlInitUnicodeString(&uszDriverString, L"\\Device\\hookdetect"); ntStatus = IoCreateDevice(DriverObject,sizeof(DEVICE_EXTENSION),&uszDriverString,FILE_DEVICE_UNKNOWN,0,FALSE,&pDeviceObject); if(ntStatus != STATUS_SUCCESS) return ntStatus; extension = pDeviceObject->DeviceExtension; RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\hookdetect"); ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString); if(ntStatus != STATUS_SUCCESS){ IoDeleteDevice(pDeviceObject); return ntStatus; } g_pDeviceObject = pDeviceObject; DriverObject->DriverUnload = UnloadDriver; DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose; DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl; version.dwOSVersionInfoSize = sizeof(version); RtlGetVersion(&version); if (((version.dwMajorVersion << 8) | version.dwMinorVersion) >= 0x0601) { g_win7 = 1; } else { g_win7 = 0; } return ntStatus; }
/* * DetectSystemInfo * * Purpose: * * Remember system version and system info to global variables. * */ VOID DetectSystemInfo( VOID ) { NTSTATUS Status; g_IsWin64 = supIs64BitWindows(&g_IsWow64); if (g_IsWow64) { GetNativeSystemInfo(&g_siSysInfo); } else { GetSystemInfo(&g_siSysInfo); } RtlSecureZeroMemory(&g_osver, sizeof(g_osver)); g_osver.dwOSVersionInfoSize = sizeof(g_osver); Status = RtlGetVersion(&g_osver); if (NT_SUCCESS(Status)) { if (g_osver.dwMajorVersion < 6) { supEnablePrivilege(SE_DEBUG_PRIVILEGE, TRUE); } } }
ULONG GetOsVersion() /*++ Routine Description: Gets OS Version Arguments: None. Return Value: returns OS Version. Author: xiaonie 2012/07/12 --*/ { ULONG ulOsVersion; RTL_OSVERSIONINFOW OsVersionInfo; OsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW); if (!NT_SUCCESS(RtlGetVersion(&OsVersionInfo))) return OS_VERSION_ERROR; switch (OsVersionInfo.dwBuildNumber) { case 2195: ulOsVersion = OS_VERSION_2000; break; case 2600: ulOsVersion = OS_VERSION_XP; break; case 3790: ulOsVersion = OS_VERSION_SERVER_2003; break; case 6000: ulOsVersion = OS_VERSION_VISTA; break; case 6001: ulOsVersion = OS_VERSION_VISTA_SP1; break; case 6002: ulOsVersion = OS_VERSION_VISTA_SP2; break; case 7600: ulOsVersion = OS_VERSION_WIN7; break; case 7601: ulOsVersion = OS_VERSION_WIN7_SP1; break; default: ulOsVersion = OS_VERSION_ERROR; } return ulOsVersion; }
////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Description : initializes the driver and the filter port, registers driver and registry callbacks. // // Parameters : // _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver. // _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver // was stored. // Return value : // NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed // Process : // Defines hidden / blocked processes names. // Creates the device driver and its symbolic link. // Sets IRP callbacks. // Creates filter communication port to send logs from the driver to the userland process. // Creates logs mutex. // Register image load and registry callbacks. ////////////////////////////////////////////////////////////////////////////////////////////////////////////// NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { PVOID adrFunc; PDEVICE_OBJECT pDeviceObject; UNICODE_STRING usDriverName; UNICODE_STRING filterPortName; UNICODE_STRING function; OBJECT_ATTRIBUTES objAttr; RTL_OSVERSIONINFOW osInfo; PSECURITY_DESCRIPTOR securityDescriptor; NTSTATUS status; ULONG i; // import some functions we will need RtlInitUnicodeString(&function, L"ZwQueryInformationThread"); ZwQueryInformationThread = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&function, L"ZwQueryInformationProcess"); ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&function, L"ZwQuerySystemInformation"); ZwQuerySystemInformation = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT"); RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT"); status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject); if(!NT_SUCCESS(status)) return status; status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName); if(!NT_SUCCESS(status)) return status; pDeviceObject->Flags |= DO_BUFFERED_IO; pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING); for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++) pDriverObject->MajorFunction[i] = ioctl_NotSupported; pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl; monitored_process_list = NULL; hidden_process_list = NULL; monitored_handle_list = NULL; // initialize every function pointers to null oldNtMapViewOfSection = NULL; oldNtSetContextThread = NULL; oldNtCreateThread = NULL; oldNtQueueApcThread = NULL; oldNtCreateProcess = NULL; oldNtSystemDebugControl = NULL; oldNtCreateProcessEx = NULL; oldNtWriteVirtualMemory = NULL; oldNtDebugActiveProcess = NULL; oldNtOpenProcess = NULL; oldNtOpenThread = NULL; oldNtQuerySystemInformation = NULL; oldNtCreateFile = NULL; oldNtReadFile = NULL; oldNtWriteFile = NULL; oldNtDeleteFile = NULL; oldNtSetInformationFile = NULL; oldNtQueryInformationFile = NULL; oldNtCreateMutant = NULL; oldNtDeviceIoControlFile = NULL; oldNtTerminateProcess = NULL; oldNtDelayExecution = NULL; oldNtQueryValueKey = NULL; oldNtQueryAttributesFile = NULL; oldNtReadVirtualMemory = NULL; oldNtResumeThread = NULL; oldNtCreateSection = NULL; oldNtUserCallOneParam = NULL; oldNtUserCallNoParam = NULL; oldNtClose = NULL; oldNtOpenFile = NULL; #ifdef DEBUG DbgPrint("IOCTL_CUCKOO_PATH : 0x%08x\n", IOCTL_CUCKOO_PATH); #endif // get os version if(!NT_SUCCESS(RtlGetVersion(&osInfo))) return status; // check os version if(osInfo.dwMajorVersion == 5 && osInfo.dwMinorVersion == 1) // xp 32 bits { is_xp = 1; #ifdef DEBUG DbgPrint("windows xp !\n"); #endif } else if(osInfo.dwMajorVersion == 6 && osInfo.dwMinorVersion == 1) // win 7 { is_xp = 0; #ifdef DEBUG DbgPrint("windows 7!\n"); #endif } else { #ifdef DEBUG DbgPrint("error : not supported os\n"); #endif return -1; } status = FltRegisterFilter(pDriverObject,®istration,&filter); if(!NT_SUCCESS(status)) return status; RtlInitUnicodeString(&filterPortName, L"\\FilterPort"); status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS); if(!NT_SUCCESS(status)) return status; InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor); status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1); FltFreeSecurityDescriptor(securityDescriptor); if(!NT_SUCCESS(status)) return status; KeInitializeMutex(&mutex, 0); status = CmRegisterCallback(regCallback, NULL, &cookie); if(!NT_SUCCESS(status)) return status; status = PsSetLoadImageNotifyRoutine(imageCallback); if(!NT_SUCCESS(status)) return status; KeServiceDescriptorTableShadow = getShadowTableAddress(); if(!KeServiceDescriptorTableShadow) { #ifdef DEBUG DbgPrint("error : couldn't retrieve Shadow SSDT\n"); #endif return STATUS_UNSUCCESSFUL; } pDriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }
static VOID PhInitializeWindowsVersion( VOID ) { RTL_OSVERSIONINFOEXW versionInfo; ULONG majorVersion; ULONG minorVersion; versionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW); if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&versionInfo))) { WindowsVersion = WINDOWS_NEW; return; } memcpy(&PhOsVersion, &versionInfo, sizeof(RTL_OSVERSIONINFOEXW)); majorVersion = versionInfo.dwMajorVersion; minorVersion = versionInfo.dwMinorVersion; if (majorVersion == 5 && minorVersion < 1 || majorVersion < 5) { WindowsVersion = WINDOWS_ANCIENT; } /* Windows XP */ else if (majorVersion == 5 && minorVersion == 1) { WindowsVersion = WINDOWS_XP; } /* Windows Server 2003 */ else if (majorVersion == 5 && minorVersion == 2) { WindowsVersion = WINDOWS_SERVER_2003; } /* Windows Vista, Windows Server 2008 */ else if (majorVersion == 6 && minorVersion == 0) { WindowsVersion = WINDOWS_VISTA; } /* Windows 7, Windows Server 2008 R2 */ else if (majorVersion == 6 && minorVersion == 1) { WindowsVersion = WINDOWS_7; } /* Windows 8 */ else if (majorVersion == 6 && minorVersion == 2) { WindowsVersion = WINDOWS_8; } /* Windows 8.1 */ else if (majorVersion == 6 && minorVersion == 3) { WindowsVersion = WINDOWS_8_1; } /* Windows 10 */ else if (majorVersion == 10 && minorVersion == 0) { WindowsVersion = WINDOWS_10; } else if (majorVersion == 10 && minorVersion > 0 || majorVersion > 10) { WindowsVersion = WINDOWS_NEW; } if (WINDOWS_HAS_LIMITED_ACCESS) { ProcessQueryAccess = PROCESS_QUERY_LIMITED_INFORMATION; ProcessAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1fff; ThreadQueryAccess = THREAD_QUERY_LIMITED_INFORMATION; ThreadSetAccess = THREAD_SET_LIMITED_INFORMATION; ThreadAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff; } else { ProcessQueryAccess = PROCESS_QUERY_INFORMATION; ProcessAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff; ThreadQueryAccess = THREAD_QUERY_INFORMATION; ThreadSetAccess = THREAD_SET_INFORMATION; ThreadAllAccess = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff; } }
/// <summary> /// Initialize dynamic data. /// </summary> /// <param name="pData">Data to initialize</param> /// <returns>Status code</returns> NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData ) { NTSTATUS status = STATUS_SUCCESS; RTL_OSVERSIONINFOEXW verInfo = { 0 }; ULONG buildNo = 0; if (pData == NULL) return STATUS_INVALID_ADDRESS; RtlZeroMemory( pData, sizeof( DYNAMIC_DATA ) ); verInfo.dwOSVersionInfoSize = sizeof( verInfo ); status = RtlGetVersion( (PRTL_OSVERSIONINFOW)&verInfo ); if (status == STATUS_SUCCESS) { ULONG ver_short = (verInfo.dwMajorVersion << 8) | (verInfo.dwMinorVersion << 4) | verInfo.wServicePackMajor; pData->ver = (WinVer)ver_short; // Get kernel build number status = BBGetBuildNO( &buildNo ); // Validate current driver version pData->correctBuild = TRUE; #if defined(_WIN7_) if (ver_short != WINVER_7 && ver_short != WINVER_7_SP1) return STATUS_NOT_SUPPORTED; if(ver_short == WINVER_7_SP1 && buildNo != 18700) pData->correctBuild = FALSE; #elif defined(_WIN8_) if (ver_short != WINVER_8) return STATUS_NOT_SUPPORTED; #elif defined (_WIN81_) if (ver_short != WINVER_81) return STATUS_NOT_SUPPORTED; if (buildNo != 17328) pData->correctBuild = FALSE; #elif defined (_WIN10_) if (ver_short != WINVER_10) return STATUS_NOT_SUPPORTED; if (verInfo.dwBuildNumber != 9926) pData->correctBuild = FALSE; #endif DPRINT( "BlackBone: OS version %d.%d.%d.%d.%d.%d - 0x%x\n", verInfo.dwMajorVersion, verInfo.dwMinorVersion, verInfo.dwBuildNumber, verInfo.wServicePackMajor, verInfo.wServicePackMinor, buildNo, ver_short ); switch (ver_short) { // Windows 7 // Windows 7 SP1, build 18700 case WINVER_7: case WINVER_7_SP1: pData->KExecOpt = 0x0D2; pData->Protection = 0x43C; // Bitfield, bit index - 0xB pData->ObjTable = 0x200; pData->VadRoot = 0x448; pData->NtProtectIndex = 0x04D; pData->NtCreateThdIndex = 0x0A5; pData->NtTermThdIndex = 0x50; pData->PrevMode = 0x1F6; pData->ExitStatus = 0x380; pData->MiAllocPage = (ver_short == WINVER_7_SP1) ? 0x410D70 : 0x40A9C0; pData->ExRemoveTable = (ver_short == WINVER_7_SP1) ? 0x330048 : 0x32D404; break; // Windows 8 case WINVER_8: pData->KExecOpt = 0x1B7; pData->Protection = 0x648; pData->ObjTable = 0x408; pData->VadRoot = 0x590; pData->NtProtectIndex = 0x04E; pData->NtCreateThdIndex = 0x0AF; pData->NtTermThdIndex = 0x51; pData->PrevMode = 0x232; pData->ExitStatus = 0x450; pData->MiAllocPage = 0x3AF374; pData->ExRemoveTable = 0x487518; break; // Windows 8.1, build 17328 case WINVER_81: pData->KExecOpt = 0x1B7; pData->Protection = 0x67A; pData->ObjTable = 0x408; pData->VadRoot = 0x5D8; pData->NtCreateThdIndex = 0xB0; pData->NtTermThdIndex = 0x52; pData->PrevMode = 0x232; pData->ExitStatus = 0x6D8; pData->MiAllocPage = 0; pData->ExRemoveTable = 0x432A88; // 0x38E320; break; // Windows 10, technical preview, build 9926 case WINVER_10: pData->KExecOpt = 0x1BF; pData->Protection = 0x69A; pData->ObjTable = 0x418; pData->VadRoot = 0x5F8; pData->NtCreateThdIndex = 0xB2; pData->NtTermThdIndex = 0x53; pData->PrevMode = 0x232; pData->ExitStatus = 0x6E0; pData->MiAllocPage = 0; pData->ExRemoveTable = 0x4645B0; break; default: break; } return (pData->VadRoot != 0 ? status : STATUS_INVALID_KERNEL_INFO_VERSION); } return status; }
/* * ldrMain * * Purpose: * * Program entry point. * */ void ldrMain( VOID ) { BOOL cond = FALSE; LONG x; ULONG l = 0, dwCmd; HANDLE hDevice; PVOID DataBuffer; BOOL bConDisabled, bUsbMonDisabled; WCHAR cmdLineParam[MAX_PATH + 1]; WCHAR szDriverBuffer[MAX_PATH * 2]; __security_init_cookie(); bConDisabled = FALSE; bUsbMonDisabled = FALSE; DataBuffer = NULL; hDevice = NULL; dwCmd = 0; do { // // Check OS version. // RtlSecureZeroMemory(&g_osv, sizeof(g_osv)); g_osv.dwOSVersionInfoSize = sizeof(g_osv); RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv); // // We support only Vista based OS. // if (g_osv.dwMajorVersion < 6) { MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."), T_PROGRAMTITLE, MB_ICONINFORMATION); break; } // // Check number of instances running. // x = InterlockedIncrement((PLONG)&g_lApplicationInstances); if (x > 1) { break; } // // Check if any VBox instances are running, they must be closed before our usage. // if (supProcessExist(L"VirtualBox.exe")) { MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."), T_PROGRAMTITLE, MB_ICONINFORMATION); break; } // // Query command line. // RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam)); GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l); if (l == 0) { // // Nothing in command line, simple display help and leave. // MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION); break; } // // Check known command. // if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) { dwCmd = TSMI_INSTALL; } else { if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) { dwCmd = TSMI_REMOVE; } } if (dwCmd == 0) { MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION); break; } // // Init ldr and DSEFix. // if (!ldrInit(dwCmd)) { break; } // // Process command. // switch (dwCmd) { case TSMI_INSTALL: // Backup vboxdrv if exists. supBackupVBoxDrv(FALSE); // Stop VBox Networking and USB driver. bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE))); bUsbMonDisabled = dsfStopDriver(VBoxUsbMon); dsfStopDriver(VBoxDrvSvc); // Load vulnerable VBoxDrv, disable VBox Network if exist. RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer)); if (GetSystemDirectory(szDriverBuffer, MAX_PATH) == 0) { MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."), NULL, MB_ICONINFORMATION); break; } _strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys")); hDevice = dsfLoadVulnerableDriver(szDriverBuffer); if (hDevice) { // // Disable DSE so we can load monitor. // Device handle closed by DSEFix routine. // if (ldrPatchDSE(hDevice, TRUE)) { // Stop our VBoxDrv, need reloading for 2nd usage. dsfStopDriver(VBoxDrvSvc); // Load custom patch table, if present. RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam)); GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l); if (l > 0) { l = 0; DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l); if ((DataBuffer != NULL) && (l > 0)) { g_TsmiPatchDataValue = DataBuffer; g_TsmiPatchDataValueSize = l; } } // Install and run monitor. if (!ldrSetMonitor()) { MessageBox(GetDesktopWindow(), TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR); } // Enable DSE back. hDevice = NULL; if (dsfStartDriver(VBoxDrvSvc, &hDevice)) { ldrPatchDSE(hDevice, FALSE); } } else { //ldrPatchDSE failure case // Unknown error during DSE disabling attempt. MessageBox(GetDesktopWindow(), TEXT("Error disabling DSE"), NULL, MB_ICONERROR); } // Finally, remove our vboxdrv file and restore backup. dsfStopDriver(VBoxDrvSvc); DeleteFile(szDriverBuffer); supBackupVBoxDrv(TRUE); // Restart installed VBoxDrv. dsfStartDriver(VBoxDrvSvc, NULL); } else { //dsfLoadVulnerableDriver failure case. // Load error, show error message and restore backup. supBackupVBoxDrv(TRUE); MessageBox(GetDesktopWindow(), TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR); } break; // // Remove command, unload our driver and purge file/memory list cache. // case TSMI_REMOVE: scmUnloadDeviceDriver(TsmiDrvName); supPurgeSystemCache(); break; } } while (cond); // // Cleanup after install. // if (dwCmd == TSMI_INSTALL) { // Re-enable VBox Network, UsbMonitor if they're disabled. if (bConDisabled) { supNetworkConnectionEnable(VBoxNetConnect, TRUE); } if (bUsbMonDisabled) { dsfStartDriver(VBoxUsbMon, NULL); } // Free memory allocated for custom patch table. if (DataBuffer != NULL) { HeapFree(GetProcessHeap(), 0, DataBuffer); } } InterlockedDecrement((PLONG)&g_lApplicationInstances); ExitProcess(0); return; }
// Locate MmPfnDatabase _Use_decl_annotations_ static NTSTATUS MmonpInitializeMmPfnDatabase() { PAGED_CODE(); RTL_OSVERSIONINFOW os_version = {}; auto status = RtlGetVersion(&os_version); if (!NT_SUCCESS(status)) { return status; } // Set appropriate patterns and based on an OS version struct MmPfnDatabaseSearchPattern { const UCHAR *bytes; SIZE_T bytes_size; bool hard_coded; }; MmPfnDatabaseSearchPattern patterns[2] = {}; if (IsX64()) { // Win 10 build 14316 is the first version implements randomized page tables if (os_version.dwMajorVersion < 10 || os_version.dwBuildNumber < 14316) { // PFN database is at the constant location on older x64 Windows g_mmonp_MmPfnDatabase = reinterpret_cast<void *>(0xfffffa8000000000); return STATUS_SUCCESS; } // Windows 10 x64 Build 14332+ static const UCHAR kPatternWin10x64[] = { 0x48, 0x8B, 0xC1, // mov rax, rcx 0x48, 0xC1, 0xE8, 0x0C, // shr rax, 0Ch 0x48, 0x8D, 0x14, 0x40, // lea rdx, [rax + rax * 2] 0x48, 0x03, 0xD2, // add rdx, rdx 0x48, 0xB8, // mov rax, 0FFFFFA8000000008h }; patterns[0].bytes = kPatternWin10x64; patterns[0].bytes_size = sizeof(kPatternWin10x64); patterns[0].hard_coded = true; } else { // x86 if (os_version.dwMajorVersion == 6 && os_version.dwMinorVersion == 1) { // Windows 7 (No PAE) static const UCHAR kPatternWin7[] = { 0x6B, 0xC0, 0x18, // imul eax, 18h 0x8B, 0x0D, // mov ecx, ds:_MmPfnDatabase }; // Windows 7 (PAE) static const UCHAR kPatternWin7Pae[] = { 0x6B, 0xC0, 0x1C, // imul eax, 1Ch 0x8B, 0x0D, // mov ecx, ds:_MmPfnDatabase }; if (UtilIsX86Pae()) { patterns[0].bytes = kPatternWin7Pae; patterns[0].bytes_size = sizeof(kPatternWin7Pae); patterns[0].hard_coded = false; } else { patterns[0].bytes = kPatternWin7; patterns[0].bytes_size = sizeof(kPatternWin7); patterns[0].hard_coded = false; } } else if ((os_version.dwMajorVersion == 6 && os_version.dwMinorVersion == 3) || (os_version.dwMajorVersion == 10 && os_version.dwMinorVersion == 0)) { // Windows 8.1 and 10 static const UCHAR kPatternWin81And10_0[] = { 0xC1, 0xF8, 0x0C, // sar eax, 0Ch 0xA1, // mov eax, ds:_MmPfnDatabase }; static const UCHAR kPatternWin81And10_1[] = { 0xC1, 0xE8, 0x0C, // shr eax, 0Ch 0xA1, // mov eax, ds:_MmPfnDatabase }; patterns[0].bytes = kPatternWin81And10_0; patterns[0].bytes_size = sizeof(kPatternWin81And10_0); patterns[0].hard_coded = false; patterns[1].bytes = kPatternWin81And10_1; patterns[1].bytes_size = sizeof(kPatternWin81And10_1); patterns[1].hard_coded = false; } else { // Unknown x86 OS version return STATUS_UNSUCCESSFUL; } } // Search the patterns from MmGetVirtualForPhysical const auto p_MmGetVirtualForPhysical = reinterpret_cast<UCHAR *>( UtilGetSystemProcAddress(L"MmGetVirtualForPhysical")); if (!p_MmGetVirtualForPhysical) { return STATUS_PROCEDURE_NOT_FOUND; } for (const auto &pattern : patterns) { if (!pattern.bytes) { break; // no more patterns } auto found = reinterpret_cast<UCHAR *>(UtilMemMem( p_MmGetVirtualForPhysical, 0x20, pattern.bytes, pattern.bytes_size)); if (!found) { continue; } // Get an address of PFN database found += pattern.bytes_size; if (pattern.hard_coded) { HYPERPLATFORM_LOG_DEBUG("Found a hard coded PFN database address at %p", found); g_mmonp_MmPfnDatabase = *reinterpret_cast<void **>(found); } else { HYPERPLATFORM_LOG_DEBUG("Found a reference to MmPfnDatabase at %p", found); const auto mmpfn_address = *reinterpret_cast<ULONG_PTR *>(found); g_mmonp_MmPfnDatabase = *reinterpret_cast<void **>(mmpfn_address); } // On Windows 10 RS, a value has 0x8. Delete it. g_mmonp_MmPfnDatabase = PAGE_ALIGN(g_mmonp_MmPfnDatabase); break; } HYPERPLATFORM_LOG_DEBUG("MmPfnDatabase = %p", g_mmonp_MmPfnDatabase); if (!g_mmonp_MmPfnDatabase) { return STATUS_UNSUCCESSFUL; } return STATUS_SUCCESS; }
/******************************************************************************* * * 函 数 名 : InitlizedDeviceExtension * 功能描述 : 初始化DeviceExtension中一些SSDT函数索引,系统结构体偏移值 * 参数列表 : pde -- PDEVICE_EXTENSION 结构体 * 说 明 : * 返回结果 : 函数成功返回true,失败返回false * *******************************************************************************/ bool InitlizedDeviceExtension(PDEVICE_EXTENSION pde) { RTL_OSVERSIONINFOW osi ={0} ; osi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW) ; RtlGetVersion(&osi) ; if (NULL == pde) { return false ; } KeInitializeMutex(&pde->DeviceIoControlMutex, 0) ; KeInitializeMutex(&pde->MyThreadMutex, 0) ; // 判断系统版本,填充相应的值 switch(osi.dwPlatformId) { case VER_PLATFORM_WIN32_NT: { switch(osi.dwMajorVersion) { case 0: case 1: case 2: case 3: case 4: // 这里的话是Windows NT系统 // 添加相应的代码 { } break ; // 2k xp 2003 case 5: { switch(osi.dwMinorVersion) { // 2000的系统 case 0: { pde->uNtQuerySystemInformationIndex = 151 ; pde->uNtOpenProcessIndex = 106 ; } break ; // xp的系统 case 1: { pde->uNtQuerySystemInformationIndex = 173 ; pde->uNtOpenProcessIndex = 122 ; pde->uActiveProcessLinksOffset = 0x88 ; pde->UniqueProcessIdOffset = 0x84 ; } break ; // 2003的系统 case 2: { pde->uNtQuerySystemInformationIndex = 181 ; pde->uNtOpenProcessIndex = 128 ; pde->uActiveProcessLinksOffset = 152 ; pde->UniqueProcessIdOffset = 148 ; } break ; }// end of switch(osi.dwMinorVersion) } // end of case 5 break ; // vista 2008 win 7 case 6: { switch(osi.dwMinorVersion) { // vista 2008 case 0: { pde->uNtQuerySystemInformationIndex = 248 ; pde->uNtOpenProcessIndex = 194 ; } break ; // win 7 2008 r2 case 1: { pde->uNtQuerySystemInformationIndex = 260 ; pde->uNtOpenProcessIndex = 189 ; pde->uActiveProcessLinksOffset = 0xb8 ; pde->UniqueProcessIdOffset = 0xb4 ; } break ; } } break ; default: break ; } } break ; } return true ; }
void DolphinAnalytics::MakeBaseBuilder() { Common::AnalyticsReportBuilder builder; // Version information. builder.AddData("version-desc", Common::scm_desc_str); builder.AddData("version-hash", Common::scm_rev_git_str); builder.AddData("version-branch", Common::scm_branch_str); builder.AddData("version-dist", Common::scm_distributor_str); // Auto-Update information. builder.AddData("update-track", SConfig::GetInstance().m_auto_update_track); // CPU information. builder.AddData("cpu-summary", cpu_info.Summarize()); // OS information. #if defined(_WIN32) builder.AddData("os-type", "windows"); // Windows 8 removes support for GetVersionEx and such. Stupid. DWORD(WINAPI * RtlGetVersion)(LPOSVERSIONINFOEXW); *(FARPROC*)&RtlGetVersion = GetProcAddress(GetModuleHandle(TEXT("ntdll")), "RtlGetVersion"); OSVERSIONINFOEXW winver; winver.dwOSVersionInfoSize = sizeof(winver); if (RtlGetVersion != nullptr) { RtlGetVersion(&winver); builder.AddData("win-ver-major", static_cast<u32>(winver.dwMajorVersion)); builder.AddData("win-ver-minor", static_cast<u32>(winver.dwMinorVersion)); builder.AddData("win-ver-build", static_cast<u32>(winver.dwBuildNumber)); builder.AddData("win-ver-spmajor", static_cast<u32>(winver.wServicePackMajor)); builder.AddData("win-ver-spminor", static_cast<u32>(winver.wServicePackMinor)); } #elif defined(ANDROID) builder.AddData("os-type", "android"); builder.AddData("android-manufacturer", s_get_val_func("DEVICE_MANUFACTURER")); builder.AddData("android-model", s_get_val_func("DEVICE_MODEL")); builder.AddData("android-version", s_get_val_func("DEVICE_OS")); #elif defined(__APPLE__) builder.AddData("os-type", "osx"); SInt32 osxmajor, osxminor, osxbugfix; // Gestalt is deprecated, but the replacement (NSProcessInfo // operatingSystemVersion) is only available on OS X 10.10, so we need to use // it anyway. Change this someday when Dolphin depends on 10.10+. #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wdeprecated-declarations" Gestalt(gestaltSystemVersionMajor, &osxmajor); Gestalt(gestaltSystemVersionMinor, &osxminor); Gestalt(gestaltSystemVersionBugFix, &osxbugfix); #pragma GCC diagnostic pop builder.AddData("osx-ver-major", osxmajor); builder.AddData("osx-ver-minor", osxminor); builder.AddData("osx-ver-bugfix", osxbugfix); #elif defined(__linux__) builder.AddData("os-type", "linux"); #elif defined(__FreeBSD__) builder.AddData("os-type", "freebsd"); #else builder.AddData("os-type", "unknown"); #endif m_base_builder = builder; }
NTSTATUS AFSInitRDRDevice() { NTSTATUS ntStatus = STATUS_SUCCESS; UNICODE_STRING uniDeviceName; AFSDeviceExt *pDeviceExt = NULL; UNICODE_STRING uniFsRtlRegisterUncProviderEx; FsRtlRegisterUncProviderEx_t pFsRtlRegisterUncProviderEx = NULL; RTL_OSVERSIONINFOW sysVersion; ULONG ulDeviceCharacteristics = FILE_REMOTE_DEVICE; __Enter { RtlZeroMemory( &sysVersion, sizeof( RTL_OSVERSIONINFOW)); sysVersion.dwOSVersionInfoSize = sizeof( RTL_OSVERSIONINFOW); RtlGetVersion( &sysVersion); RtlInitUnicodeString( &uniDeviceName, AFS_RDR_DEVICE_NAME); RtlInitUnicodeString( &uniFsRtlRegisterUncProviderEx, L"FsRtlRegisterUncProviderEx"); pFsRtlRegisterUncProviderEx = (FsRtlRegisterUncProviderEx_t)MmGetSystemRoutineAddress(&uniFsRtlRegisterUncProviderEx); // // On 32-bit Windows XP, do not set FILE_DEVICE_SECURE_OPEN // flag as it interferes with initial access to \\afs from // limited user accounts. // if(!(sysVersion.dwMajorVersion == 5 && sysVersion.dwMinorVersion == 1)) { ulDeviceCharacteristics |= FILE_DEVICE_SECURE_OPEN; } ntStatus = IoCreateDevice( AFSDriverObject, sizeof( AFSDeviceExt), pFsRtlRegisterUncProviderEx ? NULL : &uniDeviceName, FILE_DEVICE_NETWORK_FILE_SYSTEM, ulDeviceCharacteristics, FALSE, &AFSRDRDeviceObject); if( !NT_SUCCESS( ntStatus)) { AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING, AFS_TRACE_LEVEL_ERROR, "AFSInitRDRDevice IoCreateDevice failure %08lX\n", ntStatus)); try_return( ntStatus); } pDeviceExt = (AFSDeviceExt *)AFSRDRDeviceObject->DeviceExtension; RtlZeroMemory( pDeviceExt, sizeof( AFSDeviceExt)); // // Initialize resources // pDeviceExt->Specific.RDR.VolumeTree.TreeLock = &pDeviceExt->Specific.RDR.VolumeTreeLock; ExInitializeResourceLite( pDeviceExt->Specific.RDR.VolumeTree.TreeLock); pDeviceExt->Specific.RDR.VolumeTree.TreeHead = NULL; ExInitializeResourceLite( &pDeviceExt->Specific.RDR.VolumeListLock); pDeviceExt->Specific.RDR.VolumeListHead = NULL; pDeviceExt->Specific.RDR.VolumeListTail = NULL; KeInitializeEvent( &pDeviceExt->Specific.RDR.QueuedReleaseExtentEvent, NotificationEvent, TRUE); ExInitializeResourceLite( &pDeviceExt->Specific.RDR.RootCellTreeLock); pDeviceExt->Specific.RDR.RootCellTree.TreeLock = &pDeviceExt->Specific.RDR.RootCellTreeLock; pDeviceExt->Specific.RDR.RootCellTree.TreeHead = NULL; ExInitializeResourceLite( &pDeviceExt->Specific.RDR.ProviderListLock); ntStatus = AFSInitRdrFcb( &pDeviceExt->Fcb); if ( !NT_SUCCESS(ntStatus)) { AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING, AFS_TRACE_LEVEL_ERROR, "AFSInitRDRDevice AFSInitRdrFcb failure %08lX\n", ntStatus)); try_return( ntStatus); } // // Clear the initializing bit // AFSRDRDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING; // // Increase the StackSize to support the extra stack frame required // for use of IoCompletion routines. // AFSRDRDeviceObject->StackSize++; // // Register this device with MUP with FilterMgr if Vista or above // if( pFsRtlRegisterUncProviderEx) { ntStatus = pFsRtlRegisterUncProviderEx( &AFSMUPHandle, &uniDeviceName, AFSRDRDeviceObject, 0); if ( !NT_SUCCESS( ntStatus)) { AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING, AFS_TRACE_LEVEL_ERROR, "AFSInitRDRDevice FsRtlRegisterUncProvider failure %08lX\n", ntStatus)); } } else { ntStatus = FsRtlRegisterUncProvider( &AFSMUPHandle, &uniDeviceName, FALSE); if ( NT_SUCCESS( ntStatus)) { IoRegisterFileSystem( AFSRDRDeviceObject); } else { AFSDbgTrace(( AFS_SUBSYSTEM_INIT_PROCESSING, AFS_TRACE_LEVEL_ERROR, "AFSInitRDRDevice FsRtlRegisterUncProvider failure %08lX\n", ntStatus)); } } // // Good to go, all registered and ready to start receiving requests // try_exit: if( !NT_SUCCESS( ntStatus)) { // // Delete our device and bail // ExDeleteResourceLite( pDeviceExt->Specific.RDR.VolumeTree.TreeLock); ExDeleteResourceLite( &pDeviceExt->Specific.RDR.VolumeListLock); ExDeleteResourceLite( &pDeviceExt->Specific.RDR.RootCellTreeLock); ExDeleteResourceLite( &pDeviceExt->Specific.RDR.ProviderListLock); IoDeleteDevice( AFSRDRDeviceObject); AFSRDRDeviceObject = NULL; try_return( ntStatus); } } return ntStatus; }
void main() { LONG x; ULONG ParamLen; HANDLE hDevice = NULL; WCHAR cmdLineParam[MAX_PATH + 1]; BOOL bDisable = TRUE, cond = FALSE; __security_init_cookie(); // // Output DSEFix banner. // ShowServiceMessage("DSEFix v1.1.0 started"); ShowServiceMessage("(c) 2014 - 2015 DSEFix Project"); ShowServiceMessage("Supported x64 OS : Vista / 7 / 8 / 8.1 / 10"); do { // // Check single instance. // x = InterlockedIncrement((PLONG)&g_lApplicationInstances); if (x > 1) { ShowServiceMessage("Another instance running, close it before"); break; } // // Check supported OS. // RtlSecureZeroMemory(&osv, sizeof(osv)); osv.dwOSVersionInfoSize = sizeof(osv); RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); if (osv.dwMajorVersion < 6) { ShowServiceMessage("Unsupported OS"); break; } // // Query command line parameters. // ParamLen = 0; RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam)); GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &ParamLen); if (_strcmpi(cmdLineParam, TEXT("-e")) == 0) { ShowServiceMessage("DSE will be (re)enabled"); bDisable = FALSE; } else { ShowServiceMessage("DSE will be disabled"); bDisable = TRUE; } // // Load vulnerable driver and open it device. // hDevice = LoadVulnerableDriver(); if (hDevice == NULL) { ShowServiceMessage("Failed to load vulnerable driver"); break; } else { ShowServiceMessage("Vulnerable VirtualBox driver loaded"); } // // Manipulate kernel variable. // if (DoWork(hDevice, bDisable)) { ShowServiceMessage("Kernel memory patched"); } else { ShowServiceMessage("Failed to patch kernel memory"); } // // Do basic cleanup. // ShowServiceMessage("Cleaning up"); UnloadVulnerableDriver(); ShowServiceMessage("Finish"); } while (cond); InterlockedDecrement((PLONG)&g_lApplicationInstances); ExitProcess(0); }
/* * @implemented */ NTSTATUS NTAPI RtlVerifyVersionInfo(IN PRTL_OSVERSIONINFOEXW VersionInfo, IN ULONG TypeMask, IN ULONGLONG ConditionMask) { NTSTATUS Status; RTL_OSVERSIONINFOEXW ver; BOOLEAN Comparison; /* FIXME: - Check the following special case on Windows (various versions): o lp->wSuiteMask == 0 and ver.wSuiteMask != 0 and VER_AND/VER_OR o lp->dwOSVersionInfoSize != sizeof(OSVERSIONINFOEXW) - MSDN talks about some tests being impossible. Check what really happens. */ ver.dwOSVersionInfoSize = sizeof(ver); Status = RtlGetVersion((PRTL_OSVERSIONINFOW)&ver); if (Status != STATUS_SUCCESS) return Status; if (!TypeMask || !ConditionMask) return STATUS_INVALID_PARAMETER; if (TypeMask & VER_PRODUCT_TYPE) { Comparison = RtlpVerCompare(ver.wProductType, VersionInfo->wProductType, RtlpVerGetCondition(ConditionMask, VER_PRODUCT_TYPE)); if (!Comparison) return STATUS_REVISION_MISMATCH; } if (TypeMask & VER_SUITENAME) { switch (RtlpVerGetCondition(ConditionMask, VER_SUITENAME)) { case VER_AND: if ((VersionInfo->wSuiteMask & ver.wSuiteMask) != VersionInfo->wSuiteMask) { return STATUS_REVISION_MISMATCH; } break; case VER_OR: if (!(VersionInfo->wSuiteMask & ver.wSuiteMask) && VersionInfo->wSuiteMask) { return STATUS_REVISION_MISMATCH; } break; default: return STATUS_INVALID_PARAMETER; } } if (TypeMask & VER_PLATFORMID) { Comparison = RtlpVerCompare(ver.dwPlatformId, VersionInfo->dwPlatformId, RtlpVerGetCondition(ConditionMask, VER_PLATFORMID)); if (!Comparison) return STATUS_REVISION_MISMATCH; } if (TypeMask & VER_BUILDNUMBER) { Comparison = RtlpVerCompare(ver.dwBuildNumber, VersionInfo->dwBuildNumber, RtlpVerGetCondition(ConditionMask, VER_BUILDNUMBER)); if (!Comparison) return STATUS_REVISION_MISMATCH; } TypeMask &= VER_MAJORVERSION|VER_MINORVERSION|VER_SERVICEPACKMAJOR|VER_SERVICEPACKMINOR; if (TypeMask) { BOOLEAN do_next_check = TRUE; /* * Select the leading comparison operator (for example, the comparison * operator for VER_MAJORVERSION supersedes the others for VER_MINORVERSION, * VER_SERVICEPACKMAJOR and VER_SERVICEPACKMINOR). */ UCHAR Condition = RtlpVerGetCondition(ConditionMask, TypeMask); Comparison = TRUE; if (TypeMask & VER_MAJORVERSION) { Comparison = RtlpVerCompare(ver.dwMajorVersion, VersionInfo->dwMajorVersion, Condition); do_next_check = (ver.dwMajorVersion == VersionInfo->dwMajorVersion) && ((Condition != VER_EQUAL) || Comparison); } if ((TypeMask & VER_MINORVERSION) && do_next_check) { Comparison = RtlpVerCompare(ver.dwMinorVersion, VersionInfo->dwMinorVersion, Condition); do_next_check = (ver.dwMinorVersion == VersionInfo->dwMinorVersion) && ((Condition != VER_EQUAL) || Comparison); } if ((TypeMask & VER_SERVICEPACKMAJOR) && do_next_check) { Comparison = RtlpVerCompare(ver.wServicePackMajor, VersionInfo->wServicePackMajor, Condition); do_next_check = (ver.wServicePackMajor == VersionInfo->wServicePackMajor) && ((Condition != VER_EQUAL) || Comparison); } if ((TypeMask & VER_SERVICEPACKMINOR) && do_next_check) { Comparison = RtlpVerCompare(ver.wServicePackMinor, VersionInfo->wServicePackMinor, Condition); } if (!Comparison) return STATUS_REVISION_MISMATCH; } return STATUS_SUCCESS; }