I am trying to make my driver modify the processor count for use inside my VM, but I am not able to find proper resources on this topic. So far I made a detour trampoline hook for NtQuerySystemInformation and have been able to intercept calls to SystemBasicInformation and modify the processor count. However, user land programs' requests for SystemBasicInformation seem to not use NtQuerySystemInformation behind the scenes at all. For example, from user land a user can call the following to pull the processor count, bypassing my kernel level hook:
[DllImport("kernel32.dll")]
public static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo);
SYSTEM_INFO sysInfo;
GetSystemInfo(out sysInfo);
Console.WriteLine($"Number of Processors: {sysInfo.dwNumberOfProcessors}");
Next I tried modifying KUSER_SHARED_DATA because I know it's mapped into every process at 0x7FFE0000, so I tried modifying this structure's value in memory in hopes it would also be updated in new user land processes.
This did not seem to really do much though. I was not able to actually print out the process count from userland using this structure located at 0x7FFE0000 in its virtual address space; however, calls to GetSystemInfo still reflect the old processor count values.
So my question is: from a kernel driver, what should I modify in order to spoof processor count, especially from user land processes?
Why would you want to spoof processor count to UM applications? What possible purpose could that serve?
I have not looked at this in some years, but there are (or were) ways to hot add memory or CPU resources, which were created for certain high-end servers, but might be very useful for a hypervisor.
But indicating a number of CPUs that is different from the number actually used by the scheduler to a UM program seems to have no use.
I mean, yeah, there are very limited use cases, but it's just a random project that can help me learn things in a more fun way. The main idea is to just change my VM to make random processes not know my PC specs. Of course just changing processor count won't do a whole lot, but it's a start. Do you happen to have any suggestions? Next I plan to look into memory.
What do you think that's going to accomplish? The vast majority of applications do not ask how many processors there are, nor how much memory there is. They rely on the scheduler and the memory manager to assign the resources they ask for. THOSE are the components that need to know, and they probably have some deeply ingrained sources for that information.
You have proposed writing software that has no useful purpose, and may cause some applications to malfunction. If that's not malware, then what's your definition?
My definition of malware is writing software with malicious intent that causes harm to other people. You are anthropomorphizing software by acting like possibly deceiving software is inherently bad, hence your use of the word "malware", which obviously carries a very negative connotation. This is absurd; simply "tricking" software running on my own VM does not harm a single living creature and causes no actual issues. Using my own VM as a box where I can experiment and learn things is not a negative thing. Calling every non-cookie-cutter project malware is absurd and reduces the actual gravity of malware.
You have proposed writing software that has no useful purpose, and may cause some applications to malfunction
Sometimes there is a use in 'tricking' existing code that you can't change. That's not the case when you say the word arbitrary.
Maybe you are planning on learning. Well, maybe we could help, but remember that everything we say lives forever on the internet, and that has gotten us in trouble before when people who don't plan on simply learning read and use that information. Besides, if you really want to learn, help from a forum like this is counterproductive - unless you have a much more specific question.
I have tried to help people on this and other forums for a long time. And I will try to help you too. But I won't help you if I suspect your motives, and even less if you suspect mine.