Determining free or checked build from the PE file

I am trying to figure out if there is a way to determine programmatically if a PE
file is a checked or free build. In particular the HAL and the kernel.
Any suggestion would be appreciated.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

Are you interested in doing this programmatically at run time? Or in the
debugger?

The debugger is easy:

dd nt!ntbuildnumber

If the first character is a “c” it’s a checked build of the kernel and if
it’s an “f” it’s a free build. On x86, the HAL must match the kernel, so
you can know by inference.


Jake Oshins
Windows Kernel Group

This posting is provided “AS IS” with no warranties, and confers no rights.

“Don Burn” wrote in message news:xxxxx@ntdev…
> I am trying to figure out if there is a way to determine programmatically if
> a PE file is a checked or free build. In particular the HAL and the kernel.
> Any suggestion would be appreciated.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>
>
>
>

Actually, I was looking for a way, given an actual file such as ntoskrnl.exe
that is not running, to determine this. The only way I can think of is based
on the size, since checked is a lot larger than free build, but this is a
kludge.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

“Jake Oshins” wrote in message
news:xxxxx@ntdev…
> Are you interested in doing this programmatically at run time? Or in the
> debugger?
>
> The debugger is easy:
>
> dd nt!ntbuildnumber
>
> If the first character is a “c” it’s a checked build of the kernel and if
> it’s an “f” it’s a free build. On x86, the HAL must match the kernel, so
> you can know by inference.
>
> –
> Jake Oshins
> Windows Kernel Group
>
> This posting is provided “AS IS” with no warranties, and confers no
rights.

Tough question. Other than searching for constructs that would always be
optimized out, or looking for whether it imports DbgPrint :-), that
seems like a hard thing to determine generally. Both checked and free
drivers have their symbols stripped, so my first off-the-top-of-my-head
thought wouldn’t work…

Size does seem like an unreliable kludge, especially with multi- vs.
single- processor kernels being so different and with MS adding so much
code in service packs at random intervals…

I suppose if it’s a Microsoft file, you could ping the symbol server and
see what it says :-).

Don Burn wrote:

Actually, I was looking for a way, given an actual file such as ntoskrnl.exe
that is not running, to determine this. The only way I can think of is based
on the size, since checked is a lot larger than free build, but this is a
kludge.


…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.

Where does the debugger get the build number from?

Chuck

----- Original Message -----
From: “Don Burn”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Saturday, August 14, 2004 12:56 AM
Subject: Re:[ntdev] Determining free or checked build from the PE file

> Actually, I was looking for a way, given an actual file such as ntoskrnl.exe
> that is not running, to determine this. The only way I can think of is based
> on the size, since checked is a lot larger than free build, but this is a
> kludge.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>

Don Burn wrote:

> Actually, I was looking for a way, given an actual file such as ntoskrnl.exe
> that is not running, to determine this. The only way I can think of is based
> on the size, since checked is a lot larger than free build, but this is a
> kludge.

Load the NTOSKRNL file, get the address of the exported NtBuildNumber
symbol and check whether it's a free or checked build. See code below.

- Filip

/*
 * Compiled with
 * gcc -O3 -s checked.c -o checked.exe -lntdll
 */

#include <windows.h>
#include <stdio.h>

/*
 * ntdll.dll exports with no public header. The file is mapped as a flat
 * file (no SEC_IMAGE), so an RVA taken from the headers is not an offset
 * from the view base: RtlImageNtHeader/RtlImageRvaToVa translate RVAs
 * through the section table, and MappedAsImage = FALSE makes
 * RtlImageDirectoryEntryToData do the same for the export directory.
 */
PVOID NTAPI RtlImageDirectoryEntryToData(PVOID Base, BOOLEAN MappedAsImage,
                                         USHORT DirectoryEntry, PULONG Size);
PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base);
PVOID NTAPI RtlImageRvaToVa(PIMAGE_NT_HEADERS NtHeaders, PVOID Base,
                            ULONG Rva, PIMAGE_SECTION_HEADER *LastRvaSection);

ULONG NTAPI
GetBuildNumber(LPCSTR Path)
{
    HANDLE hFile;
    HANDLE hSection;
    PBYTE Data;
    PIMAGE_NT_HEADERS NtHeaders;
    PIMAGE_EXPORT_DIRECTORY ExportDir;
    ULONG ExportDirSize;
    ULONG Index;
    PDWORD ExFunctions;
    PDWORD ExNames;
    PUSHORT ExOrdinals;
    PCHAR ExName;
    PDWORD Function;
    ULONG BuildNumber = 0;      /* 0 = not found */

    /*
     * Map the file into memory, read-only.
     */
    hFile = CreateFileA(Path, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)   /* CreateFile never returns NULL */
        return 0;

    hSection = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    CloseHandle(hFile);
    if (hSection == NULL)
        return 0;

    Data = MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0);
    CloseHandle(hSection);
    if (Data == NULL)
        return 0;

    /*
     * Find the export directory.
     */
    NtHeaders = RtlImageNtHeader(Data);
    ExportDir = (PIMAGE_EXPORT_DIRECTORY)
        RtlImageDirectoryEntryToData(Data, FALSE, IMAGE_DIRECTORY_ENTRY_EXPORT,
                                     &ExportDirSize);
    if (NtHeaders == NULL || ExportDir == NULL)
    {
        UnmapViewOfFile(Data);
        return 0;
    }

    /*
     * Get the export table arrays (all RVAs, so translate each one).
     */
    ExNames     = RtlImageRvaToVa(NtHeaders, Data, ExportDir->AddressOfNames, NULL);
    ExOrdinals  = RtlImageRvaToVa(NtHeaders, Data, ExportDir->AddressOfNameOrdinals, NULL);
    ExFunctions = RtlImageRvaToVa(NtHeaders, Data, ExportDir->AddressOfFunctions, NULL);
    if (ExNames == NULL || ExOrdinals == NULL || ExFunctions == NULL)
    {
        UnmapViewOfFile(Data);
        return 0;
    }

    /*
     * Find the NtBuildNumber data export and read the ULONG it points at.
     */
    for (Index = 0; Index < ExportDir->NumberOfNames; Index++)
    {
        ExName = RtlImageRvaToVa(NtHeaders, Data, ExNames[Index], NULL);
        if (ExName != NULL && !lstrcmpA(ExName, "NtBuildNumber") &&
            ExOrdinals[Index] < ExportDir->NumberOfFunctions)
        {
            Function = RtlImageRvaToVa(NtHeaders, Data,
                                       ExFunctions[ExOrdinals[Index]], NULL);
            if (Function != NULL)
                BuildNumber = *Function;
            break;
        }
    }

    UnmapViewOfFile(Data);
    return BuildNumber;
}

BOOL NTAPI
IsChecked(ULONG BuildNumber)
{
    /*
     * The high nibble is 0xC for a checked kernel and 0xF for a free one.
     * The parentheses matter: "==" binds tighter than "&".
     */
    return (BuildNumber & 0xF0000000) == 0xC0000000;
}

int main(int argc, char *argv[])
{
    ULONG BuildNumber = GetBuildNumber(argc > 1 ? argv[1] : "ntoskrnl.exe");

    if (BuildNumber == 0)
    {
        printf("Can't determine build number\n");
    }
    else
    {
        printf("Build Number: %lx Checked: %s\n", BuildNumber,
               IsChecked(BuildNumber) ? "Yes" : "No");
    }

    return 0;
}



I appreciate the suggestions so far, but they do not solve the problem for
the HAL just the kernel.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

The problem is that the .debug section on a PE is not mandatory, AFAIK. It could
be littered over individual sections!!

Maybe the PE doc and the CV4 symbolic debugging info doc might help, but it seems
like the latter one is not there at MSDN!!

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Saturday, August 14, 2004 6:52 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Determining free or checked build from the PE file

I appreciate the suggestions so far, but they do not solve the problem for
the HAL just the kernel.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@garlic.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Jake O. said, “On x86, the HAL must match the kernel, so you can know by
inference.” Are you not on x86? Or do you need to determine this for
any arbitrary HAL that’s been separated from its kernel?

Chuck

----- Original Message -----
From: “Don Burn”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Saturday, August 14, 2004 8:52 PM
Subject: Re:[ntdev] Determining free or checked build from the PE file

> I appreciate the suggestions so far, but they do not solve the problem
for
> the HAL just the kernel.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting

As I said, arbitrary files and that can include other than x86. I started
looking at this problem after a customer of mine had a disaster with MIS
running Windows Update on a bunch of checked build machines (talk about
flaky!).


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

“Chuck Batson” wrote in message
news:xxxxx@ntdev…
> Jake O. said, “On x86, the HAL must match the kernel, so you can know by
> inference.” Are you not on x86? Or do you need to determine this for
> any arbitrary HAL that’s been separated from its kernel?
>
> Chuck
>
My general method to determine if a HAL is debug or release is to compare
the questionable file by date and file size to known debug and release HALs.
The debug HAL will almost always be a little larger than the corresponding
release HAL when symbol stripped, and a whole lot larger if the symbols
haven’t been stripped.

Some OEM HALs (ours, for instance) will tell you the version and if they are
debug or release on a boot-time display line. You can grep for that display
text in the file to see what it says.

Loren

----- Original Message -----
From: “Don Burn”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Sunday, August 15, 2004 5:16 PM
Subject: Re:[ntdev] Re:Determining free or checked build from the PE file

> As I said, arbitrary files and that can include other than x86. I started
> looking at this problem after a customer of mine had a disaster with MIS
> running Windows Update on a bunch of checked build machines (talk about
> flaky!).
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>

I don’t remember the initial post requiring this be done in KM. If
that’s a requirement, just delete this mail now. I also haven’t been
following this thread too closely, so I apologize if this has already
been suggested.

Checking the version resource should work for all Microsoft HALs and
most (if not all) 3rd party HALs. See GetFileVersionInfo() to load the
initial version resources and VerQueryValue() to load the specific
version info. In this case, I’d just look for VS_FF_DEBUG in
VS_FIXEDFILEINFO.dwFileFlags.

Omitting the error checking…
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    VS_FIXEDFILEINFO *vsFixedFileInfo;
    UINT uiDataSize;
    LPSTR lpszFileToCheck;
    DWORD dwSizeNeeded;
    BYTE *pbData;

    if (argc < 2) {
        printf("usage: %s <pe-file>\n", argv[0]);
        return 1;
    }
    lpszFileToCheck = argv[1];
    dwSizeNeeded = GetFileVersionInfoSizeA(lpszFileToCheck, NULL);
    pbData = (BYTE *)malloc(dwSizeNeeded + 1);

    GetFileVersionInfoA(lpszFileToCheck, 0, dwSizeNeeded + 1, pbData);
    /* The root block "\" yields the VS_FIXEDFILEINFO (the C literal is "\\"). */
    VerQueryValueA(pbData, "\\", (LPVOID *)&vsFixedFileInfo, &uiDataSize);

    /* dwFileFlagsMask says which bits of dwFileFlags are valid. */
    if (vsFixedFileInfo->dwFileFlags & vsFixedFileInfo->dwFileFlagsMask & VS_FF_DEBUG) {
        printf("%s is a checked build file\n", argv[1]);
    } else {
        printf("%s is a free build file\n", argv[1]);
    }
    free(pbData);
    return 0;
}

[You’ll need to add $(SDK_LIB_PATH)\version.lib to your TARGETLIBS.]

–Scott

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Loren Wilton
Sent: Monday, August 16, 2004 12:29 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Re:Determining free or checked build from the PE file

My general method to determine if a HAL is debug or release
is to compare the questionable file by date and file size to
known debug and release HALs. The debug HAL will almost
always be a little larger than the corresponding release HAL
when symbol stripped, and a whole lot larger if the symbols
haven’t been stripped.

Some OEM HALs (ours, for instance) will tell you the version
and if they are debug or release on a boot-time display line.
You can grep for that display text in the file to see what it says.

Loren

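The version-resource check Scott describes above, as an added example that is not part of any message in this thread: a pure-Python parser that walks the PE headers, the section table and the .rsrc directory tree to read VS_FIXEDFILEINFO.dwFileFlags without the Win32 version API. Because it never loads the image, it runs on any host and on images built for any machine type (PE32 and PE32+ alike), which is what makes the version-resource approach usable for a HAL that exports no NtBuildNumber. The function names, the choice of the first name and language entry under RT_VERSION, and the minimal PE that build_sample_pe() constructs for the self-test are assumptions of this example, not anything from the thread.

```python
import struct

RT_VERSION = 16                    # resource type of VS_VERSIONINFO
VS_FF_DEBUG = 0x1                  # "checked" flag in VS_FIXEDFILEINFO.dwFileFlags
VS_FFI_SIGNATURE = 0xFEEF04BD
_VS_KEY = "VS_VERSION_INFO\0".encode("utf-16-le")


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _rva_to_offset(rva, sections):
    # sections: (VirtualAddress, size, PointerToRawData) triples from the section table
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def find_version_resource(pe):
    """Return the raw VS_VERSIONINFO block of a PE32/PE32+ image, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = _u32(pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = _u16(pe, nt + 6), _u16(pe, nt + 20)
    opt = nt + 24
    # DataDirectory sits at +96 in a PE32 optional header (0x10B), +112 in PE32+ (0x20B)
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)
    rsrc_rva = _u32(pe, dd + 2 * 8)             # IMAGE_DIRECTORY_ENTRY_RESOURCE
    if rsrc_rva == 0:
        return None
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    base = _rva_to_offset(rsrc_rva, sections)

    def first_entry(dir_off, want_id):
        # IMAGE_RESOURCE_DIRECTORY is 16 bytes, then (Name, OffsetToData) pairs
        count = _u16(pe, dir_off + 12) + _u16(pe, dir_off + 14)
        for i in range(count):
            name, off = struct.unpack_from("<II", pe, dir_off + 16 + 8 * i)
            if want_id is None or name == want_id:
                return off
        return None

    # Level 1 is the type; levels 2 (name) and 3 (language) take the first
    # entry. A set high bit in OffsetToData means "subdirectory".
    off = first_entry(base, RT_VERSION)
    for _ in range(2):
        if off is None or not off & 0x80000000:
            return None
        off = first_entry(base + (off & 0x7FFFFFFF), None)
    if off is None or off & 0x80000000:
        return None
    data_rva, size = struct.unpack_from("<II", pe, base + off)   # IMAGE_RESOURCE_DATA_ENTRY
    data_off = _rva_to_offset(data_rva, sections)
    return pe[data_off:data_off + size]


def pe_build_flavor(pe):
    """Return 'checked', 'free', or None when there is no usable version resource."""
    blob = find_version_resource(pe)
    if blob is None:
        return None
    # VS_VERSIONINFO: wLength, wValueLength, wType, szKey, pad to DWORD, VS_FIXEDFILEINFO
    ffi = (6 + len(_VS_KEY) + 3) & ~3
    if _u16(blob, 2) < 52 or _u32(blob, ffi) != VS_FFI_SIGNATURE:
        return None
    mask, flags = _u32(blob, ffi + 24), _u32(blob, ffi + 28)
    # dwFileFlagsMask (offset 24) says which bits of dwFileFlags (offset 28) are valid
    return "checked" if flags & mask & VS_FF_DEBUG else "free"


def build_sample_pe(checked):
    """Constructed minimal PE32: one .rsrc section holding one RT_VERSION resource."""
    ffi = struct.pack("<13I", VS_FFI_SIGNATURE, 0x10000, 0, 0, 0, 0, 0x3F,
                      VS_FF_DEBUG if checked else 0, 0x40004, 1, 0, 0, 0)
    vi = struct.pack("<HHH", 0, 52, 0) + _VS_KEY + b"\0\0" + ffi
    vi = struct.pack("<H", len(vi)) + vi[2:]    # patch wLength

    def rdir(entries):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries)) + b"".join(
            struct.pack("<II", n, o) for n, o in entries)

    rsrc = rdir([(RT_VERSION, 0x80000018)])     # 0x00: root -> type dir at 0x18
    rsrc += rdir([(1, 0x80000030)])             # 0x18: type -> name dir at 0x30
    rsrc += rdir([(0x409, 0x48)])               # 0x30: name -> data entry at 0x48
    rsrc += struct.pack("<IIII", 0x1000 + 0x58, len(vi), 0, 0)   # 0x48: data entry
    rsrc = (rsrc + vi).ljust(0x200, b"\0")      # 0x58: the VS_VERSIONINFO block
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt = (struct.pack("<H", 0x10B).ljust(96, b"\0") + b"\0" * 16
           + struct.pack("<II", 0x1000, len(rsrc)) + b"\0" * 104)   # 224-byte PE32 optional header
    sec = (b".rsrc".ljust(8, b"\0")
           + struct.pack("<IIII", len(rsrc), 0x1000, len(rsrc), 0x200) + b"\0" * 16)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102) + opt + sec
    return (dos + nt).ljust(0x200, b"\0") + rsrc   # raw section data at file offset 0x200
```

On a real file, pe_build_flavor(open("hal.dll", "rb").read()) answers "checked" or "free" from the same VS_FF_DEBUG bit Scott's snippet reads, and None means the image carries no version resource at all, in which case only the size-and-date comparison or the boot-time banner string mentioned earlier in the thread remain. The RVA-to-offset step is the part that matters for doing this on a flat file rather than a loaded image: every pointer inside the resource directory is an RVA, and only the entries between directory levels are offsets relative to the start of the resource section.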