//
// TODO: Instead of returning TRUE/FALSE, it would be nice to return
// a flag indicating:
// - whether the installation is actually valid;
// - if it's broken or not (aka. needs for repair, or just upgrading).
//
static BOOLEAN
IsValidNTOSInstallationByHandle(
IN HANDLE SystemRootDirectory)
{
BOOLEAN Success = FALSE;
PCWSTR PathName;
USHORT i;
UNICODE_STRING VendorName;
WCHAR VendorNameBuffer[MAX_PATH];
/* Check for the existence of \SystemRoot\System32 */
PathName = L"System32\\";
if (!DoesPathExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open directory '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
/* Check for the existence of \SystemRoot\System32\drivers */
PathName = L"System32\\drivers\\";
if (!DoesPathExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open directory '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
/* Check for the existence of \SystemRoot\System32\config */
PathName = L"System32\\config\\";
if (!DoesPathExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open directory '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
#if 0
/*
* Check for the existence of SYSTEM and SOFTWARE hives in \SystemRoot\System32\config
* (but we don't check here whether they are actually valid).
*/
PathName = L"System32\\config\\SYSTEM";
if (!DoesFileExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open file '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
PathName = L"System32\\config\\SOFTWARE";
if (!DoesFileExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open file '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
#endif
RtlInitEmptyUnicodeString(&VendorName, VendorNameBuffer, sizeof(VendorNameBuffer));
/* Check for the existence of \SystemRoot\System32\ntoskrnl.exe and retrieves its vendor name */
PathName = L"System32\\ntoskrnl.exe";
Success = CheckForValidPEAndVendor(SystemRootDirectory, PathName, &VendorName);
if (!Success)
DPRINT1("Kernel executable '%S' is either not a PE file, or does not have any vendor?\n", PathName);
/* The kernel gives the OS its flavour */
if (Success)
{
for (i = 0; i < ARRAYSIZE(KnownVendors); ++i)
{
Success = !!FindSubStrI(VendorName.Buffer, KnownVendors[i]);
if (Success)
{
/* We have found a correct vendor combination */
DPRINT1("IsValidNTOSInstallation: We've got an NTOS installation from %S !\n", KnownVendors[i]);
break;
}
}
}
/* OPTIONAL: Check for the existence of \SystemRoot\System32\ntkrnlpa.exe */
/* Check for the existence of \SystemRoot\System32\ntdll.dll and retrieves its vendor name */
PathName = L"System32\\ntdll.dll";
Success = CheckForValidPEAndVendor(SystemRootDirectory, PathName, &VendorName);
if (!Success)
DPRINT1("User-mode DLL '%S' is either not a PE file, or does not have any vendor?\n", PathName);
if (Success)
{
for (i = 0; i < ARRAYSIZE(KnownVendors); ++i)
{
if (!!FindSubStrI(VendorName.Buffer, KnownVendors[i]))
{
/* We have found a correct vendor combination */
DPRINT1("IsValidNTOSInstallation: The user-mode DLL '%S' is from %S\n", PathName, KnownVendors[i]);
break;
}
}
}
return Success;
}
//
// TODO: Instead of returning TRUE/FALSE, it would be nice to return
// a flag indicating:
// - whether the installation is actually valid;
// - if it's broken or not (aka. needs for repair, or just upgrading).
//
static BOOLEAN
IsValidNTOSInstallationByHandle(
IN HANDLE SystemRootDirectory,
OUT PUSHORT Machine OPTIONAL,
OUT PUNICODE_STRING VendorName OPTIONAL)
{
BOOLEAN Success = FALSE;
PCWSTR PathName;
USHORT i;
USHORT LocalMachine;
UNICODE_STRING LocalVendorName;
WCHAR VendorNameBuffer[MAX_PATH];
/* Check for VendorName validity */
if (VendorName->MaximumLength < sizeof(UNICODE_NULL))
{
/* Don't use it, invalidate the pointer */
VendorName = NULL;
}
else
{
/* Zero it out */
*VendorName->Buffer = UNICODE_NULL;
VendorName->Length = 0;
}
/* Check for the existence of \SystemRoot\System32 */
PathName = L"System32\\";
if (!DoesDirExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open directory '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
/* Check for the existence of \SystemRoot\System32\drivers */
PathName = L"System32\\drivers\\";
if (!DoesDirExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open directory '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
/* Check for the existence of \SystemRoot\System32\config */
PathName = L"System32\\config\\";
if (!DoesDirExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open directory '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
#if 0
/*
* Check for the existence of SYSTEM and SOFTWARE hives in \SystemRoot\System32\config
* (but we don't check here whether they are actually valid).
*/
PathName = L"System32\\config\\SYSTEM";
if (!DoesFileExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open file '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
PathName = L"System32\\config\\SOFTWARE";
if (!DoesFileExist(SystemRootDirectory, PathName))
{
// DPRINT1("Failed to open file '%S', Status 0x%08lx\n", PathName, Status);
return FALSE;
}
#endif
RtlInitEmptyUnicodeString(&LocalVendorName, VendorNameBuffer, sizeof(VendorNameBuffer));
/* Check for the existence of \SystemRoot\System32\ntoskrnl.exe and retrieves its vendor name */
PathName = L"System32\\ntoskrnl.exe";
Success = CheckForValidPEAndVendor(SystemRootDirectory, PathName, &LocalMachine, &LocalVendorName);
if (!Success)
DPRINT1("Kernel executable '%S' is either not a PE file, or does not have any vendor?\n", PathName);
/*
* The kernel gives the OS its flavour. If we failed due to the absence of
* ntoskrnl.exe this might be due to the fact this particular installation
* uses a custom kernel that has a different name, overridden in the boot
* parameters. We then rely on the existence of ntdll.dll, which cannot be
* renamed on a valid NT system.
*/
if (Success)
{
for (i = 0; i < ARRAYSIZE(KnownVendors); ++i)
{
Success = !!FindSubStrI(LocalVendorName.Buffer, KnownVendors[i]);
if (Success)
{
/* We have found a correct vendor combination */
DPRINT("IsValidNTOSInstallation: We've got an NTOS installation from %S !\n", KnownVendors[i]);
break;
}
}
/* Return the target architecture */
if (Machine)
{
/* Copy the value and invalidate the pointer */
*Machine = LocalMachine;
Machine = NULL;
}
/* Return the vendor name */
if (VendorName)
{
/* Copy the string and invalidate the pointer */
RtlCopyUnicodeString(VendorName, &LocalVendorName);
VendorName = NULL;
}
}
/* OPTIONAL: Check for the existence of \SystemRoot\System32\ntkrnlpa.exe */
/* Check for the existence of \SystemRoot\System32\ntdll.dll and retrieves its vendor name */
PathName = L"System32\\ntdll.dll";
Success = CheckForValidPEAndVendor(SystemRootDirectory, PathName, &LocalMachine, &LocalVendorName);
if (!Success)
DPRINT1("User-mode DLL '%S' is either not a PE file, or does not have any vendor?\n", PathName);
if (Success)
{
for (i = 0; i < ARRAYSIZE(KnownVendors); ++i)
{
if (!!FindSubStrI(LocalVendorName.Buffer, KnownVendors[i]))
{
/* We have found a correct vendor combination */
DPRINT("IsValidNTOSInstallation: The user-mode DLL '%S' is from %S\n", PathName, KnownVendors[i]);
break;
}
}
/* Return the target architecture if not already obtained */
if (Machine)
{
/* Copy the value and invalidate the pointer */
*Machine = LocalMachine;
Machine = NULL;
}
/* Return the vendor name if not already obtained */
if (VendorName)
{
/* Copy the string and invalidate the pointer */
RtlCopyUnicodeString(VendorName, &LocalVendorName);
VendorName = NULL;
}
}
return Success;
}
