Windows 8.1 detection

Anders · 14th May 2016, 19:33

If it is not affected, why do you bother looping with VerifyVersionInfo?

Anyway, I have seen RtlGetVersion on Vista SP2 return 5.1.2600 if you set compatibility to XP (don't remember if AcLayers was involved though).

On Windows 8 RtlGetVersion returns the correct value but then a hook overwrites parts of the result:

Quote:

call dword ptr [eax+54h] ds:002b:0056dfe4={ntdll!RtlGetVersion (77bf8b69)}
mov edi,eax
test edi,edi
js AcLayers!NS_WinXPSP3VersionLie::APIHook_RtlGetVersion+0x91 (5fc07c04)
cmp dword ptr [esi],11Ch
mov dword ptr [esi+4],5
mov dword ptr [esi+8],1
mov dword ptr [esi+0Ch],0A28h
mov dword ptr [esi+10h],2

and it got hooked because GetProcAddress is actually AcLayers!NS_WRPDllRegister::APIHook_GetProcAddress.

PHP Code:


			
System::Call '*(&l4,i,i,i,i,&w128,i,i)p.r0'

System::Call 'KERNEL32::LoadLibrary(t "NTDLL")p.s'

System::Call 'KERNEL32::GetProcAddress(ps, m "RtlGetVersion")p.r9'

IntFmt $9 "0x%p" $9

System::Call 'KERNEL32::GetModuleHandleEx(i4,pr9,*p0r8)'

System::Call 'KERNEL32::GetModuleFileName(pr8,t.r7,i999)'

DetailPrint "RtlGetVersion=$9 is in $7"

System::Call '::$9(pr0)'

System::Call '*$0(i,i.r1,i.r2)'

System::Free $0

DetailPrint $1.$2

LoRd_MuldeR · 15th May 2016, 18:38

Quote:

Originally Posted by Anders

If it is not affected, why do you bother looping with VerifyVersionInfo?

Because it is still required under some circumstances.

Windows 10 without compat mode:
http://pastie.org/10838499

Windows 10 with Win9x compat mode:
http://pastie.org/10838500

Windows 10 with WinXP compat mode:
http://pastie.org/10838502

In the last case even RtlGetVersion() lies, but RtlVerifyVersionInfo can reveal the expected result.

RealOSVersion.2016-05-15.zip

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode