Process Hacker
kphdata.c
Go to the documentation of this file.
1 /*
2  * Process Hacker -
3  * KProcessHacker dynamic data definitions
4  *
5  * Copyright (C) 2011-2013 wj32
6  *
7  * This file is part of Process Hacker.
8  *
9  * Process Hacker is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 3 of the License, or
12  * (at your option) any later version.
13  *
14  * Process Hacker is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with Process Hacker. If not, see <http://www.gnu.org/licenses/>.
21  */
22 
23 #include <ph.h>
24 #include <kphuser.h>
25 
26 #ifdef _WIN64
27 
28 ULONG KphpGetKernelRevisionNumber(
29  VOID
30  )
31 {
32  ULONG result;
33  PPH_STRING kernelFileName;
34  PVOID versionInfo;
35  VS_FIXEDFILEINFO *rootBlock;
36  ULONG rootBlockLength;
37 
38  result = 0;
39  kernelFileName = PhGetKernelFileName();
40  PhMoveReference(&kernelFileName, PhGetFileName(kernelFileName));
41  versionInfo = PhGetFileVersionInfo(kernelFileName->Buffer);
42  PhDereferenceObject(kernelFileName);
43 
44  if (versionInfo && VerQueryValue(versionInfo, L"\\", &rootBlock, &rootBlockLength) && rootBlockLength != 0)
45  result = rootBlock->dwFileVersionLS & 0xffff;
46 
47  PhFree(versionInfo);
48 
49  return result;
50 }
51 
52 NTSTATUS KphInitializeDynamicPackage(
53  _Out_ PKPH_DYN_PACKAGE Package
54  )
55 {
56  ULONG majorVersion, minorVersion, servicePack, buildNumber;
57 
58  majorVersion = PhOsVersion.dwMajorVersion;
59  minorVersion = PhOsVersion.dwMinorVersion;
60  servicePack = PhOsVersion.wServicePackMajor;
61  buildNumber = PhOsVersion.dwBuildNumber;
62 
63  memset(&Package->StructData, -1, sizeof(KPH_DYN_STRUCT_DATA));
64 
65  Package->MajorVersion = (USHORT)majorVersion;
66  Package->MinorVersion = (USHORT)minorVersion;
67  Package->ServicePackMajor = (USHORT)servicePack;
68  Package->BuildNumber = -1;
69 
70  // Windows Vista, Windows Server 2008
71  if (majorVersion == 6 && minorVersion == 0)
72  {
73  Package->ResultingNtVersion = PHNT_VISTA;
74 
75  if (servicePack == 0)
76  {
77  Package->StructData.OtName = 0x78;
78  Package->StructData.OtIndex = 0x90;
79  }
80  else if (servicePack == 1)
81  {
82  Package->StructData.OtName = 0x10;
83  Package->StructData.OtIndex = 0x28;
84  }
85  else if (servicePack == 2)
86  {
87  Package->StructData.OtName = 0x10;
88  Package->StructData.OtIndex = 0x28;
89  }
90  else
91  {
92  return STATUS_NOT_SUPPORTED;
93  }
94 
95  Package->StructData.EgeGuid = 0x14;
96  Package->StructData.EpObjectTable = 0x160;
97  Package->StructData.EpRundownProtect = 0xd8;
98  Package->StructData.EreGuidEntry = 0x10;
99  }
100  // Windows 7, Windows Server 2008 R2
101  else if (majorVersion == 6 && minorVersion == 1)
102  {
103  Package->ResultingNtVersion = PHNT_WIN7;
104 
105  if (servicePack == 0)
106  {
107  }
108  else if (servicePack == 1)
109  {
110  }
111  else
112  {
113  return STATUS_NOT_SUPPORTED;
114  }
115 
116  Package->StructData.EgeGuid = 0x14;
117  Package->StructData.EpObjectTable = 0x200;
118  Package->StructData.EpRundownProtect = 0x178;
119  Package->StructData.EreGuidEntry = 0x10;
120  Package->StructData.OtName = 0x10;
121  Package->StructData.OtIndex = 0x28; // now only a UCHAR, not a ULONG
122  }
123  // Windows 8, Windows Server 2012
124  else if (majorVersion == 6 && minorVersion == 2 && buildNumber == 9200)
125  {
126  Package->BuildNumber = 9200;
127  Package->ResultingNtVersion = PHNT_WIN8;
128 
129  Package->StructData.EgeGuid = 0x14;
130  Package->StructData.EpObjectTable = 0x408;
131  Package->StructData.EpRundownProtect = 0x2d8;
132  Package->StructData.EreGuidEntry = 0x10;
133  Package->StructData.HtHandleContentionEvent = 0x30;
134  Package->StructData.OtName = 0x10;
135  Package->StructData.OtIndex = 0x28;
136  Package->StructData.ObDecodeShift = 19;
137  Package->StructData.ObAttributesShift = 20;
138  }
139  // Windows 8.1, Windows Server 2012 R2
140  else if (majorVersion == 6 && minorVersion == 3 && buildNumber == 9600)
141  {
142  ULONG revisionNumber = KphpGetKernelRevisionNumber();
143 
144  Package->BuildNumber = 9600;
145  Package->ResultingNtVersion = PHNT_WINBLUE;
146 
147  Package->StructData.EgeGuid = 0x18;
148  Package->StructData.EpObjectTable = 0x408;
149  Package->StructData.EpRundownProtect = 0x2d8;
150  Package->StructData.EreGuidEntry = revisionNumber >= 17736 ? 0x20 : 0x10;
151  Package->StructData.HtHandleContentionEvent = 0x30;
152  Package->StructData.OtName = 0x10;
153  Package->StructData.OtIndex = 0x28;
154  Package->StructData.ObDecodeShift = 16;
155  Package->StructData.ObAttributesShift = 17;
156  }
157  else
158  {
159  return STATUS_NOT_SUPPORTED;
160  }
161 
162  return STATUS_SUCCESS;
163 }
164 
165 #else
166 
167 NTSTATUS KphInitializeDynamicPackage(
168  _Out_ PKPH_DYN_PACKAGE Package
169  )
170 {
171  ULONG majorVersion, minorVersion, servicePack, buildNumber;
172 
173  majorVersion = PhOsVersion.dwMajorVersion;
174  minorVersion = PhOsVersion.dwMinorVersion;
175  servicePack = PhOsVersion.wServicePackMajor;
176  buildNumber = PhOsVersion.dwBuildNumber;
177 
178  memset(&Package->StructData, -1, sizeof(KPH_DYN_STRUCT_DATA));
179 
180  Package->MajorVersion = (USHORT)majorVersion;
181  Package->MinorVersion = (USHORT)minorVersion;
182  Package->ServicePackMajor = (USHORT)servicePack;
183  Package->BuildNumber = -1;
184 
185  // Nothing here yet
186  {
187  return STATUS_NOT_SUPPORTED;
188  }
189 
190  return STATUS_SUCCESS;
191 }
192 
193 #endif