This repository was archived by the owner on Jan 22, 2024. It is now read-only.
This repository was archived by the owner on Jan 22, 2024. It is now read-only.
SMBIOs not spoofing in VM - Windows 10 22H2. #21
Description
Windows 10, 22H2
Build: Debug, x64
Character Set: User Multi-Byte Character Set
Checking SMBIOs data before and after loading with OSR is use: https://github.com/KunYi/DumpSMBIOS/tree/main
DriverEntry
`extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = Unload;
DbgPrint("[*]\tDriver ini...");
DbgPrint ("[*]\tRunning SpoofSMBIOSCleaner");
SpoofSMBIOSCleaner();
DbgPrint("[*]\tFinished running SpoofSMBIOSCleaner");
return STATUS_SUCCESS;
}`
RandomText/GetString/RandomizeString
`void RandomText(char* text, const int length)
{
if (!text)
{
DbgPrint ("[!] RandomText: text is null\n");
return;
}
static const char alphanum[] =
"0123456789"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz";
auto seed = KeQueryTimeIncrement();
for (auto n = 0; n <= length; n++)
{
auto key = RtlRandomEx(&seed) % static_cast<int>(sizeof(alphanum) - 1);
text[n] = alphanum[key];
}
}
char* GetString(SMBIOS_HEADER* header, SMBIOS_STRING string)
{
const auto* start = reinterpret_cast<const char*>(header) + header->Length;
if (!string || *start == 0)
{
DbgPrint ("[!] GetString: string is null\n");
return nullptr;
}
while (--string)
{
start += strlen(start) + 1;
}
return const_cast<char*>(start);
}
void RandomizeString(char* string)
{
if (!string) { DbgPrint ("[!] RandomizeString: string is null\n"); return; }
const auto length = static_cast<int>(strlen(string));
auto* buffer = static_cast<char*>(ExAllocatePoolWithTag(NonPagedPool, length, 'ref0'));
if (sizeof(buffer) == 0)
{
DbgPrint ("[!] RandomizeString: buffer is null\n");
return;
}
RandomText(buffer, length);
buffer[length] = '\0';
if (sizeof(buffer) == 0)
{
DbgPrint("[!] RandomizeString: buffer is null after termination\n");
return;
}
memcpy(string, buffer, length);
ExFreePool(buffer);
}`
ProcessTable/LoopTables/SpoofSMBIOSCleaner
`
void ProcessTable(SMBIOS_HEADER* header)
{
if (header->Type == 0)
{
auto* type0 = reinterpret_cast<SMBIOS_TYPE0*>(header);
auto* vendor = GetString(header, type0->Vendor);
RandomizeString(vendor);
}
if (header->Type == 1)
{
auto* type1 = reinterpret_cast<SMBIOS_TYPE1*>(header);
auto* manufacturer = GetString(header, type1->Manufacturer);
RandomizeString(manufacturer);
auto* productName = GetString(header, type1->ProductName);
RandomizeString(productName);
auto* serialNumber = GetString(header, type1->SerialNumber);
RandomizeString(serialNumber);
}
if (header->Type == 2)
{
auto* type2 = reinterpret_cast<SMBIOS_TYPE2*>(header);
auto* manufacturer = GetString(header, type2->Manufacturer);
RandomizeString(manufacturer);
auto* productName = GetString(header, type2->ProductName);
RandomizeString(productName);
auto* serialNumber = GetString(header, type2->SerialNumber);
RandomizeString(serialNumber);
}
if (header->Type == 3)
{
auto* type3 = reinterpret_cast<SMBIOS_TYPE3*>(header);
auto* manufacturer = GetString(header, type3->Manufacturer);
RandomizeString(manufacturer);
auto* serialNumber = GetString(header, type3->SerialNumber);
RandomizeString(serialNumber);
}
}
void LoopTables(void* mapped, ULONG size)
{
auto* endAddress = static_cast<char*>(mapped) + size;
if (endAddress == nullptr)
{
DbgPrint ("Failed to get end address");
}
while (true)
{
auto* header = static_cast<SMBIOS_HEADER*>(mapped);
if (header->Type == 127 && header->Length == 4)
break;
ProcessTable(header);
auto* end = static_cast<char*>(mapped) + header->Length;
while (0 != (*end | *(end + 1))) end++;
end += 2;
if (end >= endAddress)
break;
mapped = end;
}
}
void SpoofSMBIOSCleaner()
{
auto* base = GetModuleBase("ntoskrnl.exe");
if (!base)
{
DbgPrint("Failed to get ntoskrnl.exe base address");
}
auto* physicalAddress = static_cast<PPHYSICAL_ADDRESS>(FindPatternImage(base, "\x48\x8B\x0D\x00\x00\x00\x00\x48\x85\xC9\x74\x00\x8B\x15", "xxx????xxxx?xx")); // WmipFindSMBiosStructure -> WmipSMBiosTablePhysicalAddress
if (!physicalAddress)
{
DbgPrint("Failed to find WmipSMBiosTablePhysicalAddress");
}
physicalAddress = reinterpret_cast<PPHYSICAL_ADDRESS>(reinterpret_cast<char*>(physicalAddress) + 7 + *reinterpret_cast<int*>(reinterpret_cast<char*>(physicalAddress) + 3));
if (!physicalAddress)
{
DbgPrint("Failed to get physical address");
}
auto* sizeScan = FindPatternImage(base, "\x8B\x1D\x00\x00\x00\x00\x48\x8B\xD0\x44\x8B\xC3\x48\x8B\xCD\xE8\x00\x00\x00\x00\x8B\xD3\x48\x8B", "xx????xxxxxxxxxx????xxxx"); // WmipFindSMBiosStructure -> WmipSMBiosTableLength
if (!sizeScan)
{
DbgPrint("Failed to find WmipSMBiosTableLength");
}
const auto size = *reinterpret_cast<ULONG*>(static_cast<char*>(sizeScan) + 6 + *reinterpret_cast<int*>(static_cast<char*>(sizeScan) + 2));
if (!size)
{
DbgPrint("Failed to get size");
}
auto* mapped = MmMapIoSpace(*physicalAddress, size, MmNonCached);
if (!mapped)
{
DbgPrint("Failed to map physical address");
}
LoopTables(mapped, size);
MmUnmapIoSpace(mapped, size);
}
`
In my kernel debug log I'm getting error for ..
[!] GetString: string is null
[!] RandomizeString: string is null
And that's it, just once for each.. no other errors are raised... any solution for this, or does this method not work for 22h2 ?