static
void AppendSystemFamily(PWSTR pBuf, SIZE_T cchBuf, PCHAR * DmiStrings, PWSTR dev)
{
static const PCSTR KnownFamilies[] =
{
"Eee PC", // ASUS
"ThinkPad", // Lenovo
"IdeaPad", // Lenovo
"IdeaCentre", // Lenovo
};
static const PCWSTR Aliases[] =
{
NULL,
NULL,
NULL,
L"IdeaCenter",
};
UINT i;
WCHAR wideStr[128];
for (i = 0; i < _countof(KnownFamilies); i++)
{
StringCchPrintfW(wideStr, _countof(wideStr), L"%S", KnownFamilies[i]);
if (wcsistr(dev, wideStr) == NULL &&
(!Aliases[i] || wcsistr(dev, Aliases[i]) == NULL) &&
DmiStrings[SYS_FAMILY] != NULL &&
!stricmp(DmiStrings[SYS_FAMILY], KnownFamilies[i]))
{
if (wcslen(pBuf) > 0 && wcslen(dev) > 0)
{
StringCchCatW(pBuf, cchBuf, L" ");
}
StringCchCatW(pBuf, cchBuf, wideStr);
}
}
}
static
wchar_t * wcsistr_plus(const wchar_t *s, wchar_t *b)
{
wchar_t * result = wcsistr(s, b);
UINT len = wcslen(b);
// workarounds
if (!result && b[len - 1] == L' ' && wcschr(s, L',') != NULL)
{
b[len - 1] = L',';
result = wcsistr(s, b);
b[len - 1] = L' ';
if (!result)
{
b[0] = L',';
result = wcsistr(s, b);
b[0] = L' ';
}
}
if (!result && b[len - 1] == L' ' && wcschr(s, L'(') != NULL)
{
b[len - 1] = L'(';
result = wcsistr(s, b);
b[len - 1] = L' ';
}
if (!result && b[len - 1] == L' ' && wcschr(s, L'_') != NULL)
{
b[0] = L'_';
result = wcsistr(s, b);
b[0] = L' ';
}
if (!result && b[0] == L' ' && b[len - 1] == L' ' && wcschr(s, L')') != NULL)
{
b[0] = L')';
result = wcsistr(s, b);
if (!result && wcschr(s, L'.'))
{
b[len - 1] = L'.';
result = wcsistr(s, b);
b[len - 1] = L' ';
}
b[0] = L' ';
}
return result;
}
PLOOKUP_ENTRY GetVirtualizationPlatform() {
DWORD i = 0;
DWORD dwVirtPlatform = VIRT_PLATFORM_NONE;
PSMBIOS_STRUCT_HEADER sysTable = GetNextStructureOfType(NULL, SMB_TABLE_SYSTEM);
LPTSTR szManufacturer = NULL;
LPTSTR szProduct = NULL;
// Return cached result
if (NULL != VIRT_PLATFORM)
return VIRT_PLATFORM;
// Validate SMBIOS data
if (NULL == sysTable) {
SetError(ERR_CRIT, 0, _T("Unable to determine Virtualization status from SBMIOS System Table (Type %u)"), SMB_TABLE_SYSTEM);
VIRT_PLATFORM = &VIRT_UNKNOWN;
return VIRT_PLATFORM;
}
// Default to physical
VIRT_PLATFORM = &VIRT_PHYSICAL;
// Search for platform names in SMBIOS System Manufacturer and Product strings
szManufacturer = GetSmbiosString(sysTable, BYTE_AT_OFFSET(sysTable, 0x04));
szProduct = GetSmbiosString(sysTable, BYTE_AT_OFFSET(sysTable, 0x05));
for (i = 0; i < ARRAYSIZE(VIRT_VENDORS); i++)
{
if (NULL != wcsistr(szManufacturer, VIRT_VENDORS[i].Code) || NULL != wcsstr(szProduct, VIRT_VENDORS[i].Code)) {
VIRT_PLATFORM = &VIRT_VENDORS[i];
break;
}
}
LocalFree(szManufacturer);
LocalFree(szProduct);
return VIRT_PLATFORM;
}
BOOL GetSystemName(PWSTR pBuf, SIZE_T cchBuf)
{
static const VENDOR_LONG_NAME LongNames[] =
{
{ L"ASUSTeK", L"ASUS" },
{ L"First International Computer", L"FIC" },
{ L"Hewlett-Packard", L"HP" },
{ L"MICRO-STAR", L"MSI" },
{ L"SGI.COM", L"SGI" },
{ L"Silicon Graphics International", L"SGI" },
{ L"Intel(R) Client Systems", L"Intel" },
{ L"InformationComputerSystems", L"ICS" },
{ L"CHUWI INNOVATION AND TECHNOLOGY", L"CHUWI" },
{ L"http://www.abit.com.tw/", L"ABIT" },
{ L"www.abit.com.tw", L"ABIT" },
{ L"CASPER BILGISAYAR SISTEMLERI A.S", L"Casper" },
{ L"Colorful Technology And Development", L"Colorful" },
{ L"Colorful Yu Gong Technology And Development", L"Colorful Yu Gong" },
{ L"HaierComputer", L"Haier" },
{ L"HELIOS BUSINESS COMPUTER", L"HELIOS" },
{ L"Shanghai Zongzhi InfoTech", L"Zongzhi" },
{ L"TSING HUA TONGFANG CO.,LTD", L"TSINGHUA TONGFANG" },
{ L"Yeston Digital Technology Co.,LTD", L"Yeston" },
};
static const REDUNDANT_WORD RedundantWords[] =
{
{ L"Corporation", FALSE },
{ L"Communication", FALSE },
{ L"Computer", FALSE },
{ L"Computers", FALSE },
{ L"Group", FALSE },
{ L"Cloud", FALSE },
{ L"Center", FALSE },
{ L"Systems", FALSE },
{ L"Microsystems", FALSE },
{ L"Infosystems", FALSE },
{ L"Electronics", FALSE },
{ L"Electric", FALSE },
{ L"Software", FALSE },
{ L"Foundation", FALSE },
{ L"International", FALSE },
{ L"Interantonal", FALSE }, // on purpose (some MSI boards)
{ L"INTERANTIONAL", FALSE }, // on purpose (some MSI boards)
{ L"Industrial", FALSE },
{ L"Information", FALSE },
{ L"Informatica", FALSE },
{ L"Technology", FALSE },
{ L"Tecohnology", FALSE }, // on purpose (some Gigabyte boards)
{ L"Technologies", FALSE },
{ L"Tecnologia", FALSE },
{ L"Limited", FALSE },
{ L"Int", FALSE },
{ L"Inc", FALSE },
{ L"Co", FALSE },
{ L"Corp", FALSE },
{ L"Crop", FALSE },
{ L"Ltd", FALSE },
{ L"LTDA", FALSE },
{ L"GmbH", FALSE },
{ L"S.p.A", FALSE },
{ L"A.S.", FALSE },
{ L"S.A", FALSE },
{ L"S.A.S", FALSE },
{ L"S/A", FALSE },
{ L"SA", FALSE },
{ L"SAS", FALSE },
{ L"BV", FALSE },
{ L"AG", FALSE },
{ L"OOO", TRUE },
{ L"CJSC", FALSE },
{ L"INT'L", FALSE },
{ L"plc", FALSE },
};
PVOID SMBiosBuf;
PCHAR DmiStrings[ID_STRINGS_MAX] = { 0 };
WCHAR ven[512], dev[512];
CHAR tmpstr[512];
BOOL bTrimProduct, bTrimFamily, bGenericName, bRemove;
UINT i;
PWCHAR j;
SMBiosBuf = LoadSMBiosData(DmiStrings);
if (!SMBiosBuf)
{
return FALSE;
}
TrimNonPrintable(DmiStrings[SYS_VENDOR]);
bTrimProduct = TrimNonPrintable(DmiStrings[SYS_PRODUCT]);
TrimNonPrintable(DmiStrings[SYS_VERSION]);
bTrimFamily = TrimNonPrintable(DmiStrings[SYS_FAMILY]);
TrimNonPrintable(DmiStrings[BOARD_VENDOR]);
TrimNonPrintable(DmiStrings[BOARD_NAME]);
TrimNonPrintable(DmiStrings[BOARD_VERSION]);
if (bTrimProduct)
{
if (DmiStrings[SYS_FAMILY] && !bTrimFamily)
{
DmiStrings[SYS_PRODUCT] = DmiStrings[SYS_FAMILY];
bTrimProduct = FALSE;
}
}
GetSMBiosStringW(DmiStrings[SYS_VENDOR], ven, _countof(ven), TRUE);
GetSMBiosStringW(DmiStrings[SYS_PRODUCT], dev, _countof(dev), TRUE);
bGenericName = IsGenericSystemName(ven, dev, NULL) || bTrimProduct;
if (wcslen(dev) == 0 ||
!wcscmp(dev, ven) ||
bGenericName)
{
BOOL bGenericVen = FALSE, bGenericDev = (wcslen(dev) == 0 || !wcscmp(dev, ven) || bTrimProduct);
if (bGenericName && IsGenericSystemName(ven, NULL, &bRemove))
{
if (bRemove)
{
*ven = 0;
}
bGenericVen = TRUE;
}
if (bGenericName && IsGenericSystemName(NULL, dev, &bRemove))
{
if (bRemove)
{
*dev = 0;
}
bGenericDev = TRUE;
}
// system strings are unusable, use board strings
if (DmiStrings[BOARD_VENDOR] != NULL || !bGenericName)
{
if ((DmiStrings[BOARD_VENDOR] &&
strlen(DmiStrings[BOARD_VENDOR]) >= 2 &&
strstr(DmiStrings[BOARD_VENDOR], " ") != DmiStrings[BOARD_VENDOR]) ||
bGenericVen)
{
GetSMBiosStringW(DmiStrings[BOARD_VENDOR], ven, _countof(ven), TRUE);
}
GetSMBiosStringW(DmiStrings[BOARD_NAME], dev, _countof(dev), TRUE);
if (IsGenericSystemName(ven, NULL, &bRemove) && bRemove)
{
*ven = 0;
}
if (IsGenericSystemName(NULL, dev, &bRemove) && bRemove)
{
*dev = 0;
if (!bGenericDev)
{
GetSMBiosStringW(DmiStrings[SYS_PRODUCT], dev, _countof(dev), TRUE);
}
}
if (wcslen(dev) == 0 &&
DmiStrings[SYS_VERSION] != NULL)
{
GetSMBiosStringW(DmiStrings[SYS_VERSION], dev, _countof(dev), TRUE);
if (IsGenericSystemName(NULL, dev, &bRemove) && bRemove)
{
*dev = 0;
}
}
if (wcslen(dev) == 0 &&
DmiStrings[BOARD_VERSION] != NULL)
{
GetSMBiosStringW(DmiStrings[BOARD_VERSION], dev, _countof(dev), TRUE);
if (IsGenericSystemName(NULL, dev, &bRemove) && bRemove)
{
*dev = 0;
}
}
}
if (wcslen(ven) == 0 && wcslen(dev) == 0)
{
// board strings are empty, use BIOS vendor string
GetSMBiosStringW(DmiStrings[BIOS_VENDOR], ven, _countof(ven), TRUE);
}
}
else
{
if (wcslen(ven) < 2)
{
GetSMBiosStringW(DmiStrings[BOARD_VENDOR], ven, _countof(ven), TRUE);
if (IsGenericSystemName(ven, NULL, &bRemove) && bRemove)
{
*ven = 0;
}
}
}
// workaround for LORD ELECTRONICS
if (((j = wcsstr(ven, L" ")) != NULL) && (j - ven > 2))
{
i = j - ven;
if (!wcsncmp(ven + wcslen(ven) - i, ven, i))
{
ven[wcslen(ven) - i] = L'\0';
}
}
// make vendor strings shorter
for (i = 0; i < _countof(LongNames); i++)
{
if (wcsstr(dev, LongNames[i].pwLongName) == dev)
{
// swap ven and dev
StringCchCopyW(pBuf, cchBuf, ven);
StringCchCopyW(ven, _countof(ven), dev);
StringCchCopyW(dev, _countof(dev), pBuf);
}
wcsrep(ven, LongNames[i].pwLongName, LongNames[i].pwShortName, TRUE);
}
// remove redundant words
for (i = 0; i < _countof(RedundantWords); i++)
{
wcsrep(ven, RedundantWords[i].pwStr, L"", RedundantWords[i].bReplaceFirstWord);
}
for (i = 0; i < _countof(RedundantWords); i++)
{
StringCchCopyW(pBuf, cchBuf, RedundantWords[i].pwStr);
StringCchCatW(pBuf, cchBuf, L".");
wcsrep(ven, pBuf, L"", RedundantWords[i].bReplaceFirstWord);
}
// workaround for LENOVO notebooks
if (!wcsicmp(ven, L"LENOVO"))
{
StringCchCopyW(ven, _countof(ven), L"Lenovo");
if (DmiStrings[SYS_VERSION] != NULL)
{
if (!strncmp(DmiStrings[SYS_VERSION], "ThinkPad ", 11))
{
DmiStrings[SYS_VERSION][8] = L'\0';
}
if (wcslen(dev) > 0 &&
(!strcmp(DmiStrings[SYS_VERSION], "IdeaCentre") ||
!strcmp(DmiStrings[SYS_VERSION], "ThinkPad")))
{
DmiStrings[SYS_FAMILY] = DmiStrings[SYS_VERSION];
DmiStrings[SYS_VERSION] = NULL;
}
else
{
StringCchCopyA(tmpstr, _countof(tmpstr), DmiStrings[SYS_VERSION]);
_strupr(tmpstr);
}
}
if (DmiStrings[SYS_VERSION] != NULL &&
strcmp(tmpstr, " ") &&
strcmp(tmpstr, "LENOVO") &&
strstr(tmpstr, "LENOVO ") == NULL &&
strstr(tmpstr, "LENOVO PRODUCT") == NULL &&
strstr(tmpstr, "INVALID") == NULL &&
strncmp(tmpstr, " ", 3) &&
strstr(DmiStrings[SYS_VERSION], "Rev ") == NULL &&
strstr(DmiStrings[SYS_VERSION], "1.") == NULL &&
wcsistr(dev, L"System ") == NULL && // includes System x and ThinkSystem
wcsistr(dev, L"IdeaPad ") == NULL &&
wcsistr(dev, L"ThinkServer ") == NULL)
{
GetSMBiosStringW(DmiStrings[SYS_VERSION], dev, _countof(dev), TRUE);
}
if (wcsstr(dev, L"Lenovo-") == dev)
{
// replace "-" with space
dev[6] = L' ';
}
if (!wcscmp(dev, L"Lenovo"))
{
GetSMBiosStringW(DmiStrings[BOARD_NAME], dev, _countof(dev), TRUE);
}
}
if (!wcscmp(ven, L"IBM") &&
DmiStrings[SYS_VERSION] != NULL &&
(strstr(DmiStrings[SYS_VERSION], "ThinkPad ") != NULL ||
strstr(DmiStrings[SYS_VERSION], "ThinkCentre ") != NULL))
{
GetSMBiosStringW(DmiStrings[SYS_VERSION], dev, _countof(dev), TRUE);
}
// workaround for DEXP
if (!wcscmp(ven, L"DEXP"))
{
if (DmiStrings[SYS_PRODUCT] != NULL &&
DmiStrings[SYS_VERSION] != NULL &&
(!stricmp(DmiStrings[SYS_PRODUCT], "Tablet PC") ||
!stricmp(DmiStrings[SYS_PRODUCT], "Notebook") ||
!stricmp(DmiStrings[SYS_PRODUCT], "Decktop")))
{
GetSMBiosStringW(DmiStrings[SYS_VERSION], dev, _countof(dev), TRUE);
}
}
// workaround for Razer Blade
if (!wcscmp(ven, L"Razer") && !wcscmp(dev, L"Blade"))
{
if (DmiStrings[SYS_VERSION] != NULL)
{
StringCchCopyW(ven, _countof(ven), L"Razer Blade");
GetSMBiosStringW(DmiStrings[SYS_VERSION], dev, _countof(dev), TRUE);
}
}
// workaround for MSI motherboards
if (!wcscmp(ven, L"MSI") &&
wcsstr(dev, L"MS-") != NULL &&
DmiStrings[BOARD_NAME] != NULL &&
strstr(DmiStrings[BOARD_NAME], "(MS-") != NULL)
{
GetSMBiosStringW(DmiStrings[BOARD_NAME], dev, _countof(dev), TRUE);
}
if (wcslen(ven) == 0 &&
wcsstr(dev, L"MS-") == dev)
{
StringCchCopyW(ven, _countof(ven), L"MSI");
}
// trim redundant characters
TrimPunctuation(ven);
TrimPunctuation(dev);
if (wcsistr(dev, ven) == dev ||
(!wcscmp(ven, L"ASUS") && wcsstr(dev, L"ASUS") != NULL) ||
(!wcscmp(ven, L"HP") && wcsstr(dev, L" by HP") != NULL) ||
(!wcscmp(ven, L"INTEL") && wcsstr(dev, L" INTEL") != NULL))
{
// device string contains vendor string, use second only
StringCchCopyW(pBuf, cchBuf, dev);
}
else
{
if (wcslen(ven) > 0 && wcslen(dev) > 0 && (j = wcschr(dev, L' ')))
{
// check if vendor string ends with first word of device string
i = j - dev;
if (wcslen(ven) > i && !_wcsnicmp(ven + wcslen(ven) - i, dev, i))
{
ven[wcslen(ven) - i] = L'\0';
TrimPunctuation(ven);
}
}
StringCchCopyW(pBuf, cchBuf, ven);
AppendSystemFamily(pBuf, cchBuf, DmiStrings, dev);
if (wcslen(pBuf) > 0 && wcslen(dev) > 0)
{
StringCchCatW(pBuf, cchBuf, L" ");
}
StringCchCatW(pBuf, cchBuf, dev);
}
FreeSMBiosData(SMBiosBuf);
return (wcslen(pBuf) > 0);
}
wchar_t* wcsistr(wchar_t *str, const wchar_t *subStr)
{return (wchar_t*)wcsistr((const wchar_t*)str, subStr);}
NTSTATUS Hooked_NtQueryAttributesFile(__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PFILE_BASIC_INFORMATION FileInformation)
{
NTSTATUS statusCall, exceptionCode;
ULONG currentProcessId;
UNICODE_STRING kObjectName;
PWCHAR parameter = NULL;
PAGED_CODE();
currentProcessId = (ULONG)PsGetCurrentProcessId();
statusCall = Orig_NtQueryAttributesFile(ObjectAttributes, FileInformation);
if(IsProcessInList(currentProcessId, pMonitoredProcessListHead) && (ExGetPreviousMode() != KernelMode))
{
Dbg("Call NtQueryAttributesFile\n");
parameter = PoolAlloc(MAX_SIZE * sizeof(WCHAR));
kObjectName.Buffer = NULL;
if(NT_SUCCESS(statusCall))
{
__try
{
if(ObjectAttributes != NULL)
{
ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), 1);
ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), 1);
ProbeForRead(ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length, 1);
kObjectName.Length = ObjectAttributes->ObjectName->Length;
kObjectName.MaximumLength = ObjectAttributes->ObjectName->MaximumLength;
kObjectName.Buffer = PoolAlloc(kObjectName.MaximumLength);
RtlCopyUnicodeString(&kObjectName, ObjectAttributes->ObjectName);
}
else
RtlInitUnicodeString(&kObjectName, L"");
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
exceptionCode = GetExceptionCode();
if(parameter && NT_SUCCESS(RtlStringCchPrintfW(parameter, MAX_SIZE, L"0,%d,sss,FileHandle->0,buffer->ERROR,offset->0", exceptionCode)))
SendLogs(currentProcessId, SIG_ntdll_NtQueryAttributesFile, parameter);
else
SendLogs(currentProcessId, SIG_ntdll_NtQueryAttributesFile, L"0,-1,sss,FileHandle->0,buffer->ERROR,offset->0");
if(parameter != NULL)
PoolFree(parameter);
return statusCall;
}
if(wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\drivers\\VBoxMouse.sys") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\drivers\\VBoxGuest.sys") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\drivers\\VBoxSF.sys") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\drivers\\VBoxVideo.sys") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxControl.exe") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxDisp.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxHook.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxMRXNP.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGL.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGLarrayspu.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGLcrutil.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGLerrorspu.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGLfeedbackspu.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGLpackspu.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxOGLpassthroughspu.dll") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxService.exe") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\VBoxTray.exe") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\drivers\\vmmouse.sys") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Windows\\system32\\drivers\\vmhgfs.sys") ||
wcsistr(kObjectName.Buffer, L"\\??\\C:\\Program Files\\oracle\\virtualbox guest additions\\"))
{
if(parameter && NT_SUCCESS(RtlStringCchPrintfW(parameter, MAX_SIZE, L"0,-1,s,filepath->%wZ", &kObjectName)))
SendLogs(currentProcessId, SIG_ntdll_NtQueryAttributesFile, parameter);
else
SendLogs(currentProcessId, SIG_ntdll_NtQueryAttributesFile, L"0,-1,s,filepath->ERROR");
if(parameter != NULL)
PoolFree(parameter);
return INVALID_FILE_ATTRIBUTES;
}
}
if(parameter != NULL)
PoolFree(parameter);
}
