TP's study notes: getting the real system version from Ring3
I've been working on an ARK (anti-rootkit) tool lately and noticed something: if a virus or trojan tampers with the path by which the operating system version is obtained, for example by setting compatibility mode, the antivirus software throws an error and fails to load, and of course there's no coming back from that. So how do we get around this bug? The answer lies in the kernel file. We have to parse the PE file structure; to keep things simple, this post only handles the 32-bit version.
The overall approach: open the file -> read the NT headers -> read MajorImageVersion and MinorImageVersion from the optional header. These two values are exactly the NT major and minor version numbers that GetVersionEx returns! The code is as follows:
Public Sub GetFileVer(ByVal lpFileName As String, ByRef Version As Double)
    Dim hFile As Long
    Dim SecAttr As SECURITY_ATTRIBUTES
    Dim DosHead As IMAGE_DOS_HEADER
    Dim NtHead As IMAGE_NT_HEADERS
    Dim dwRead As Long
    Dim pBuffer As Long

    SecAttr.nLength = 12
    SecAttr.bInheritHandle = False
    ' OPEN_EXISTING: we only read the kernel file and must never create one if the path is wrong
    hFile = CreateFile(lpFileName, GENERIC_READ, 0, SecAttr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
    If hFile <> -1 Then
        ' Read the DOS header from the start of the file
        SetFilePointer hFile, 0, 0, 0
        ReadFile hFile, VarPtr(DosHead), Len(DosHead), dwRead, ByVal &H0
        If DosHead.Magic <> &H5A4D Then
            CloseHandle hFile
            MsgBox "Invalid Application", vbExclamation, "Error"
            Exit Sub
        End If
        ' Read everything from the file start up to the end of the NT headers into a temporary buffer.
        ' Rewind first: the file pointer is already past the DOS header, and reading from there would
        ' land the NT headers 64 bytes earlier in the buffer than pBuffer + lfanew expects.
        pBuffer = VirtualAlloc(0, DosHead.lfanew + Len(NtHead), &H1000, &H4)   ' MEM_COMMIT, PAGE_READWRITE
        SetFilePointer hFile, 0, 0, 0
        ReadFile hFile, pBuffer, DosHead.lfanew + Len(NtHead), dwRead, ByVal &H0
        RtlMoveMemory VarPtr(NtHead), pBuffer + DosHead.lfanew, Len(NtHead)
        ' Major.Minor as a Double, e.g. 5.1 for XP (a minor version of 10 or more would not survive this encoding)
        Version = NtHead.OptionalHeader.MajorImageVer + NtHead.OptionalHeader.MinorImageVer / 10
        VirtualFree pBuffer, 0, &H8000   ' MEM_RELEASE
        CloseHandle hFile
    Else
        MsgBox "Failed to open file!", vbExclamation, "Error"
    End If
End Sub
VB coders seem to each have their own definitions of the PE file structures, so here are the ones I use:
Public Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type IMAGE_DOS_HEADER
    Magic As Integer        ' "MZ" = &H5A4D
    cblp As Integer
    cp As Integer
    crlc As Integer
    cparhdr As Integer
    minalloc As Integer
    maxalloc As Integer
    ss As Integer
    sp As Integer
    csum As Integer
    ip As Integer
    cs As Integer
    lfarlc As Integer
    ovno As Integer
    res(3) As Integer
    oemid As Integer
    oeminfo As Integer
    res2(9) As Integer
    lfanew As Long          ' file offset of IMAGE_NT_HEADERS
End Type

Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer  ' flags (e.g. whether the image is a DLL)
End Type

Private Type IMAGE_DATA_DIRECTORY
    DataRVA As Long
    DataSize As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkVer As Byte
    MinorLinkVer As Byte
    CodeSize As Long
    InitDataSize As Long
    unInitDataSize As Long
    EntryPoint As Long
    CodeBase As Long
    DataBase As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOSVer As Integer
    MinorOSVer As Integer
    MajorImageVer As Integer    ' the values GetFileVer reads
    MinorImageVer As Integer
    MajorSSVer As Integer
    MinorSSVer As Integer
    Win32Ver As Long
    ImageSize As Long
    HeaderSize As Long
    Checksum As Long
    Subsystem As Integer
    DLLChars As Integer
    StackRes As Long
    StackCommit As Long
    HeapReserve As Long
    HeapCommit As Long
    LoaderFlags As Long
    RVAsAndSizes As Long
    DataEntries(15) As IMAGE_DATA_DIRECTORY
End Type

Public Type IMAGE_NT_HEADERS
    Signature As Long       ' "PE\0\0" = &H4550
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
Only the structure definitions in this post's code need to change, to the PE32+ layout, to make it work on Win64. That compatibility cheat seems to have no effect at all on VB6 programs.
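As an added example (not code from the original post), the same walk in Python using only the standard library: DOS header -> lfanew -> PE signature -> optional header -> MajorImageVersion/MinorImageVersion. It goes a little beyond the post's 32-bit-only routine in that it accepts PE32+ (x64) images as well, because the version fields sit at the same offset from the start of the optional header in both formats, and it bounds-checks every offset so a truncated or crafted file raises instead of returning garbage. The build_sample_image helper constructs a minimal header-only image for offline testing; it is a constructed sample, not a real binary, and a real kernel file such as ntoskrnl.exe is only read when a path is passed on the command line.

```python
import struct
import sys

# Constants from the PE/COFF specification (real values, not page-specific).
DOS_MAGIC = 0x5A4D            # "MZ"
PE_SIGNATURE = 0x00004550     # "PE\0\0"
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
DOS_HEADER_SIZE = 0x40
FILE_HEADER_SIZE = 20
# Offset of MajorImageVersion from the start of IMAGE_OPTIONAL_HEADER. Identical for PE32 and
# PE32+: PE32+ drops BaseOfData (4 bytes) and widens ImageBase from 4 to 8 bytes, so the
# fields from SectionAlignment onward keep their offsets.
IMAGE_VERSION_OFFSET = 44


class PEFormatError(ValueError):
    """Raised when the buffer does not look like a PE image."""


def read_image_version(data: bytes) -> tuple:
    """Return (MajorImageVersion, MinorImageVersion) from a PE image's optional header.

    Parses raw file bytes, so the result does not depend on GetVersionEx or on any
    compatibility shim applied to the calling process.
    """
    if len(data) < DOS_HEADER_SIZE:
        raise PEFormatError("shorter than IMAGE_DOS_HEADER")
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != DOS_MAGIC:
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt_off = e_lfanew + 4 + FILE_HEADER_SIZE
    # Need Signature + IMAGE_FILE_HEADER + the optional header up to MinorImageVersion inclusive.
    if opt_off + IMAGE_VERSION_OFFSET + 4 > len(data):
        raise PEFormatError("e_lfanew points outside the buffer")
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != PE_SIGNATURE:
        raise PEFormatError("missing PE signature")
    # SizeOfOptionalHeader is at offset 16 inside IMAGE_FILE_HEADER.
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    if size_of_optional < IMAGE_VERSION_OFFSET + 4:
        raise PEFormatError("optional header too small to hold the version fields")
    (opt_magic,) = struct.unpack_from("<H", data, opt_off)
    if opt_magic not in (OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS):
        raise PEFormatError("unknown optional header magic 0x%X" % opt_magic)
    major, minor = struct.unpack_from("<HH", data, opt_off + IMAGE_VERSION_OFFSET)
    return major, minor


def format_version(major: int, minor: int) -> str:
    """Dotted string as a user would expect, e.g. (5, 1) -> "5.1"; unlike Major + Minor/10 it keeps minor >= 10."""
    return "%d.%d" % (major, minor)


def read_image_version_from_file(path: str) -> tuple:
    """Read only the leading bytes of the file; the headers of real images sit well within 64 KiB."""
    with open(path, "rb") as f:
        return read_image_version(f.read(64 * 1024))


def build_sample_image(major: int, minor: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image (constructed sample for testing, not a real binary)."""
    e_lfanew = 0x80
    size_opt = 112 if pe32plus else 96   # optional header sizes with no data directories
    dos = struct.pack("<H", DOS_MAGIC).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")     # zero-filled DOS stub area
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size_opt, 0x0002)
    # Magic, linker version, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode (24 bytes), then the format-specific ImageBase area (8 bytes).
    opt = struct.pack("<HBBIIIII", OPT_MAGIC_PE32PLUS if pe32plus else OPT_MAGIC_PE32, 14, 0, 0, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<Q", 0x140000000) if pe32plus else struct.pack("<II", 0x2000, 0x400000)
    # SectionAlignment, FileAlignment, Major/MinorOperatingSystemVersion, Major/MinorImageVersion
    opt += struct.pack("<IIHHHH", 0x1000, 0x200, major, minor, major, minor)
    opt = opt.ljust(size_opt, b"\0")
    return dos + struct.pack("<I", PE_SIGNATURE) + file_hdr + opt


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. C:\Windows\System32\ntoskrnl.exe on a Windows host
        print(format_version(*read_image_version_from_file(sys.argv[1])))
    else:
        print(format_version(*read_image_version(build_sample_image(5, 1))))
```

Run it with no arguments to parse the constructed sample, or pass the path of a kernel file to see its real image version. The bounds checks matter in the anti-rootkit setting the post describes: a file whose lfanew has been pushed past the end of the data should be reported as malformed rather than silently yielding a version read from unrelated bytes.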