Detecting OS version from inside a kernel driver

Dear all,

Please excuse me if this is a repost (I’ve tried first the web
interface but it didn’t show up) or if it is some kind of FAQ issue.
I have a kernel mode USB WDM driver that was intended strictly for XP
32/64 and no other OS version, now some “eager beavers” are loading
them on Vista/Win 7 by hacking the INF file and bypassing the
signature as well and this causes us big problems.
I know that is a bit of a naive/newbie question but how do you
actually detect from inside a driver the OS version, is there some
canonical/recommended way to do it, and while here what is the highest
level of “precision” attainable, i.e. SP level and so on.
Any pointer helps a lot.

Best regards,
Mircea

> Please excuse me if this is a repost ( I’ve tried first the web
> interface but it didn’t show up ) or if is some kind of faq issue.
> I have a kernel mode USB WDM driver that was intended strictly for XP
> 32/64 and no other OS version, now some “eager beavers” are loading
> them on Vista/Win 7 by hacking the INF file and bypassing the
> signature as well and this causes us big problems.
> I know that is a bit of a naive/newbie question but how do you
> actually detect from inside a driver the OS version, is there some
> canonical/recommended way to do it, and while here what is the highest
> level of “precision” attainable, ie. SP level and so on.
> Any pointer helps a lot.
>
> Best regards,
> Mircea

If your users are happy to edit the INF and ignore signature problems then I suspect they will not worry about the consequences of reverse engineering your driver to find the OS check and neutralising it by editing the binary. Is this an arms race you have time to fight?

Good luck,
Tim.

Hi,

Tim is absolutely right on what he said, but for completeness have a look at this:

http://msdn.microsoft.com/en-us/library/ff561910(VS.85).aspx

K.

On Mon, Nov 1, 2010 at 11:32 AM, Tim Green wrote:
>> Please excuse me if this is a repost ( I’ve tried first the web
>> interface but it didn’t show up ) or if is some kind of faq issue.
>> I have a kernel mode USB WDM driver that was intended strictly for XP
>> 32/64 and no other OS version, now some “eager beavers” are loading
>> them on Vista/Win 7 by hacking the INF file and bypassing the
>> signature as well and this causes us big problems.
>> I know that is a bit of a naive/newbie question but how do you
>> actually detect from inside a driver the OS version, is there some
>> canonical/recommended way to do it, and while here what is the highest
>> level of “precision” attainable, ie. SP level and so on.
>> Any pointer helps a lot.
>>
>> Best regards,
>> Mircea
>
> If your users are happy to edit the INF and ignore signature problems then I suspect they will not worry about the consequences of reverse engineering your driver to find the OS check and neutralising it by editing the binary. Is this an arms race you have time to fight?
>
> Good luck,
> Tim.
>

Hi Tim,

I only care about the possibility to have the unmodified binary not
load on OS versions other than the intended one, from here on my
responsibility ends, I do not want to write complicated co-installers
and other strange things, just to detect the OS version and if it’s
not the one the driver is built for to not register, that’s it and now
I’m kind of stumped on how to do it.
I’m not concerned of “real” hacking, once the .sys has been touched my
role ends.

Best regards,
Mircea

On Mon, Nov 1, 2010 at 11:43 AM, wrote:
> Hi,
>
> Tim is absolutely right on what he said, but for completeness have a look at this:
>
> http://msdn.microsoft.com/en-us/library/ff561910(VS.85).aspx
>
>
> K.
>

That was it, really complicated :)), I’ve probably got blind from
lack of caffeine :(, thanks good Mr/Mrs K. for the info and of course
Tim is right but I’ve got PHBs going ballistic over users being able
to load the driver despite being labeled strictly for XP, so much for
compatibility :(.

Thank you all,
Mircea

You can check OS version using IoIsWdmVersionAvailable(…) function. For XP, I guess it will be something like this:

if (IoIsWdmVersionAvailable(1, 0x20))
{
    /* WDM 1.20 is available: Windows XP or a later OS */
}

However, bad guys can just NOP your call.

A better solution will be to use some function which exists in XP, but does not in Windows 7, thus the driver would not load with “not resolved” error, as import table does not contain that function (in order to solve this case you will have to dig into import table of driver, it is harder). It is easy to do for the reversed scenario - to use driver only on 7 and not on XP as the set of functions is bigger. For your case - don’t know … Search for functions in documentation …

Silly question, but why in the world would any sane developer, or vendor,
attempt to limit their driver to an OS that is half a decade old? Would it
not be a better choice to “fix” the issues found in later versions of the OS
and broaden your market? Do you not test your driver across multiple versions
of Windows, or hide your head and pretend that the world of OS development
ended with XP?

As far as creative customers are concerned, thank them for the bug-report
and refer them to the next release, which will run thanks to their
bug-report.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mircea Ciocan
Sent: Monday, November 01, 2010 5:46 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Detecting OS version from inside a kernel driver

On Mon, Nov 1, 2010 at 11:32 AM, Tim Green wrote:
>> Please excuse me if this is a repost ( I’ve tried first the web
>> interface but it didn’t show up ) or if is some kind of faq issue.
>> I have a kernel mode USB WDM driver that was intended strictly for XP
>> 32/64 and no other OS version, now some “eager beavers” are loading
>> them on Vista/Win 7 by hacking the INF file and bypassing the
>> signature as well and this causes us big problems.
>> I know that is a bit of a naive/newbie question but how do you
>> actually detect from inside a driver the OS version, is there some
>> canonical/recommended way to do it, and while here what is the
>> highest level of “precision” attainable, ie. SP level and so on.
>> Any pointer helps a lot.
>>
>> Best regards,
>> Mircea
>
> If your users are happy to edit the INF and ignore signature problems then
> I suspect they will not worry about the consequences of reverse engineering
> your driver to find the OS check and neutralising it by editing the binary.
> Is this an arms race you have time to fight?
>
> Good luck,
> Tim.
>

Hi Tim,

I only care about the possibility to have the unmodified binary not load on
OS versions other than the intended one, from here on my responsibility
ends, I do not want to write complicated co-installers and other strange
things, just to detect the OS version and if it’s not the one the driver is
built for to not register, that’s it and now I’m kind of stumped on how to
do it.
I’m not concerned of “real” hacking, once the .sys has been touched my role
ends.

Best regards,
Mircea


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


Licensing issues? We limit on purpose our software for servers. As price for server license is higher …

> I have a kernel mode USB WDM driver that was intended strictly for XP
> 32/64 and no other OS version

RtlIsNtDdiVersionAvailable is the current correct way to get the OS version.

XP 64 is the same as Srv2003, you will need to read the ProductType (WinNT or ServerNT or LanmanNT) registry to differ between them.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

RTL_OSVERSIONINFOEXW::ProductType can tell xp64 vs w2k3.

MSDN site used to have a comprehensive matrix on interpreting the
RTL_OSVERxxx table.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Monday, November 01, 2010 1:11 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Detecting OS version from inside a kernel driver

> I have a kernel mode USB WDM driver that was intended strictly for XP
> 32/64 and no other OS version

RtlIsNtDdiVersionAvailable is the current correct way to get the OS version.

XP 64 is the same as Srv2003, you will need to read the ProductType (WinNT
or ServerNT or LanmanNT) registry to differ between them.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
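
A version gate along the lines discussed in this thread, as an added example that is not code from any poster: a portable C model in which `struct os_version` stands in for the RTL_OSVERSIONINFOEXW fields a driver would read, and `at_least` / `is_xp_only` are hypothetical names. It contrasts an "at least this version" test, which also passes on newer systems, with an exact match that separates XP x64 from Server 2003 by product type.

```c
/* Added example: portable model of an "XP only" load check.
 * struct os_version is a stand-in for the RTL_OSVERSIONINFOEXW fields a
 * driver would read in DriverEntry; the function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum { NT_WORKSTATION = 1, NT_DOMAIN_CONTROLLER = 2, NT_SERVER = 3 }; /* wProductType */

struct os_version {
    unsigned major, minor;   /* dwMajorVersion, dwMinorVersion */
    unsigned sp_major;       /* wServicePackMajor */
    unsigned product_type;   /* wProductType */
};

/* "Is at least this version" test: true on the named release and on
 * every later one, so by itself it cannot keep a driver off Vista or 7. */
static bool at_least(const struct os_version *v, unsigned major, unsigned minor)
{
    return v->major > major || (v->major == major && v->minor >= minor);
}

/* Exact match: XP 32-bit is 5.1; XP x64 is 5.2 with a workstation
 * product type, which separates it from Server 2003 (also 5.2). */
static bool is_xp_only(const struct os_version *v)
{
    if (v->major == 5 && v->minor == 1)
        return true;
    return v->major == 5 && v->minor == 2 && v->product_type == NT_WORKSTATION;
}

int main(void)
{
    /* Constructed sample systems, not captured from real machines. */
    static const struct { const char *name; struct os_version v; } samples[] = {
        { "XP SP3 x86",  { 5, 1, 3, NT_WORKSTATION } },
        { "XP x64 SP2",  { 5, 2, 2, NT_WORKSTATION } },
        { "Server 2003", { 5, 2, 2, NT_SERVER } },
        { "Vista SP2",   { 6, 0, 2, NT_WORKSTATION } },
        { "Windows 7",   { 6, 1, 0, NT_WORKSTATION } },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s SP%u  at_least(5.1)=%d  load=%d\n", samples[i].name,
               samples[i].v.sp_major, at_least(&samples[i].v, 5, 1),
               is_xp_only(&samples[i].v));
    return 0;
}
```

In a driver, the result of the exact-match check would decide whether DriverEntry returns a failure status instead of registering.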



Some people just want to hurt their own business…

> Some people just want to hurt their own business…

Not many companies are gathering the “long tail”, and NT4 was the “long tail” in 2005 already, being stopped in support in 2006.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com