Determining free or checked build from the PE file

Don Burn wrote:

Actually, I was looking for a way, given an actual file such as
ntoskrnl.exe that is not running, to determine this. The only
way I can think of is based on the size, since the checked build is a lot
larger than the free build, but this is a kludge.

Load the NTOSKRNL file, get the address of the exported NtBuildNumber
symbol and check whether it is a free or checked build. See the code below.

  • Filip

/*
* Compiled with
* gcc -O3 -s checked.c -o checked.exe -lntdll
*/

#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Prototype for the ntdll export that locates a data directory inside a
 * mapped PE image; the module links against ntdll (see the build line above). */
PVOID STDCALL RtlImageDirectoryEntryToData(PVOID Base, BOOLEAN MappedAsImage,
                                           ULONG DirectoryEntry, PULONG Size);

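/*
 * Translate an RVA into a pointer inside a flat (non-SEC_IMAGE) file
 * mapping of a PE image.
 *
 * Data      base of the mapped file
 * FileSize  size of the mapped file in bytes
 * NtHeaders IMAGE_NT_HEADERS inside Data whose section table has already
 *           been checked to lie within FileSize
 * Rva       relative virtual address to translate
 * Needed    number of bytes that must be readable at the result
 *
 * Returns NULL when the RVA is not backed by raw file data, or when fewer
 * than Needed bytes are available before the end of the section's raw data
 * or the end of the file. Everything inside the file is untrusted input, so
 * callers never dereference an RVA without going through this check.
 */
static PBYTE
RvaToFilePtr(PBYTE Data, ULONGLONG FileSize, PIMAGE_NT_HEADERS NtHeaders,
             DWORD Rva, ULONGLONG Needed)
{
    PIMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeaders);
    DWORD SizeOfHeaders = NtHeaders->OptionalHeader.SizeOfHeaders;
    ULONGLONG Offset;
    ULONGLONG Limit;
    WORD i;

    if (Rva < SizeOfHeaders)
    {
        /* The headers are stored at the start of the file, so the RVA is
         * already a file offset. */
        Offset = Rva;
        Limit = SizeOfHeaders;
    }
    else
    {
        for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, Section++)
        {
            ULONGLONG Start = Section->VirtualAddress;
            ULONGLONG End = Start + Section->SizeOfRawData;

            if (Rva >= Start && Rva < End)
                break;
        }
        if (i == NtHeaders->FileHeader.NumberOfSections)
            return NULL;

        Offset = (ULONGLONG)Section->PointerToRawData +
                 (Rva - Section->VirtualAddress);
        Limit = (ULONGLONG)Section->PointerToRawData + Section->SizeOfRawData;
    }

    /* 64-bit arithmetic throughout, so a hostile header cannot wrap the sum. */
    if (Limit > FileSize)
        Limit = FileSize;
    if (Offset + Needed > Limit)
        return NULL;

    return Data + Offset;
}

/*
 * Read the value of the NtBuildNumber export from the ntoskrnl.exe found in
 * the current directory, without loading the image.
 *
 * Returns the 32-bit NtBuildNumber value, or 0 when the file cannot be
 * opened or mapped, is not a PE image whose bitness matches this build, or
 * has no readable NtBuildNumber export. The mapping is a plain file mapping
 * (no SEC_IMAGE), so every RVA read from the image is translated to a file
 * offset and bounds-checked against the file size before it is dereferenced.
 */
ULONG STDCALL
GetBuildNumber()
{
    HANDLE hFile;
    HANDLE hSection;
    LARGE_INTEGER FileSize;
    ULONGLONG Size;
    PBYTE Data;
    PIMAGE_DOS_HEADER DosHeader;
    PIMAGE_NT_HEADERS NtHeaders;
    PIMAGE_DATA_DIRECTORY ExportEntry;
    PIMAGE_EXPORT_DIRECTORY ExportDir;
    PDWORD ExNames;
    PUSHORT ExOrdinals;
    PDWORD ExFunctions;
    PCHAR ExName;
    PDWORD Function;
    USHORT Ordinal;
    ULONGLONG SectionTableEnd;
    ULONG Index;
    ULONG BuildNumber = 0; /* stays 0 unless the export is found and readable */

    /*
     * Map the NTOSKRNL file into memory as a flat file.
     */
    hFile = CreateFileW(L"ntoskrnl.exe", GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, 0, NULL);
    /* CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (hFile == INVALID_HANDLE_VALUE)
        return 0;

    if (!GetFileSizeEx(hFile, &FileSize) || FileSize.QuadPart <= 0)
    {
        CloseHandle(hFile);
        return 0;
    }
    Size = (ULONGLONG)FileSize.QuadPart;

    hSection = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    CloseHandle(hFile); /* the section object keeps the file referenced */
    if (hSection == NULL)
        return 0;

    Data = MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0);
    CloseHandle(hSection); /* the view keeps the section referenced */
    if (Data == NULL)
        return 0;

    /*
     * Validate the DOS and NT headers before trusting any field in them.
     */
    if (Size < sizeof(IMAGE_DOS_HEADER))
        goto Done;
    DosHeader = (PIMAGE_DOS_HEADER)Data;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE ||
        DosHeader->e_lfanew < 0 ||
        (ULONGLONG)DosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) > Size)
        goto Done;
    NtHeaders = (PIMAGE_NT_HEADERS)(Data + DosHeader->e_lfanew);
    /* Only an optional header of this build's bitness has the layout that
     * IMAGE_NT_HEADERS describes; anything else is rejected, not misparsed. */
    if (NtHeaders->Signature != IMAGE_NT_SIGNATURE ||
        NtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
        goto Done;
    /* The section table follows the optional header; RvaToFilePtr walks it. */
    SectionTableEnd = (ULONGLONG)DosHeader->e_lfanew +
                      FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
                      NtHeaders->FileHeader.SizeOfOptionalHeader +
                      (ULONGLONG)NtHeaders->FileHeader.NumberOfSections *
                          sizeof(IMAGE_SECTION_HEADER);
    if (SectionTableEnd > Size)
        goto Done;

    /*
     * Locate the export directory.
     */
    if (NtHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
        goto Done;
    ExportEntry = &NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (ExportEntry->VirtualAddress == 0)
        goto Done;
    ExportDir = (PIMAGE_EXPORT_DIRECTORY)RvaToFilePtr(Data, Size, NtHeaders,
                                                      ExportEntry->VirtualAddress,
                                                      sizeof(IMAGE_EXPORT_DIRECTORY));
    if (ExportDir == NULL)
        goto Done;

    /*
     * Get the export table arrays; each must lie entirely inside the file.
     * AddressOfFunctions holds 32-bit RVAs on every architecture, hence PDWORD.
     */
    ExNames = (PDWORD)RvaToFilePtr(Data, Size, NtHeaders,
                                   ExportDir->AddressOfNames,
                                   (ULONGLONG)ExportDir->NumberOfNames * sizeof(DWORD));
    ExOrdinals = (PUSHORT)RvaToFilePtr(Data, Size, NtHeaders,
                                       ExportDir->AddressOfNameOrdinals,
                                       (ULONGLONG)ExportDir->NumberOfNames * sizeof(USHORT));
    ExFunctions = (PDWORD)RvaToFilePtr(Data, Size, NtHeaders,
                                       ExportDir->AddressOfFunctions,
                                       (ULONGLONG)ExportDir->NumberOfFunctions * sizeof(DWORD));
    if (ExNames == NULL || ExOrdinals == NULL || ExFunctions == NULL)
        goto Done;

    /*
     * Find NtBuildNumber by name and read the DWORD it points at.
     */
    for (Index = 0; Index < ExportDir->NumberOfNames; Index++)
    {
        /* Compare a bounded number of bytes (name plus terminating NUL)
         * rather than calling a strcmp-style routine on unchecked memory. */
        ExName = (PCHAR)RvaToFilePtr(Data, Size, NtHeaders, ExNames[Index],
                                     sizeof("NtBuildNumber"));
        if (ExName == NULL ||
            memcmp(ExName, "NtBuildNumber", sizeof("NtBuildNumber")) != 0)
            continue;

        Ordinal = ExOrdinals[Index];
        if (Ordinal >= ExportDir->NumberOfFunctions)
            break;
        Function = (PDWORD)RvaToFilePtr(Data, Size, NtHeaders,
                                        ExFunctions[Ordinal], sizeof(DWORD));
        if (Function != NULL)
            BuildNumber = *Function;
        break;
    }

Done:
    UnmapViewOfFile(Data);
    return BuildNumber;
}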

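/*
 * Report whether a build number read from ntoskrnl's NtBuildNumber export
 * belongs to a checked build.
 *
 * BuildNumber  the raw 32-bit NtBuildNumber value
 *
 * Returns TRUE when the top nibble is 0xC, the pattern this tool treats as
 * marking a checked build, FALSE otherwise. In C, == binds tighter than &,
 * so the mask must be parenthesized: without the parentheses the expression
 * is BuildNumber & (0xF0000000 == 0xC0000000), i.e. BuildNumber & 0, which
 * can never be TRUE.
 */
BOOL STDCALL
IsChecked(ULONG BuildNumber)
{
    return (BuildNumber & 0xF0000000) == 0xC0000000;
}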

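/*
 * Entry point: read the build number out of ntoskrnl.exe and report whether
 * it is a checked build. Always exits with status 0, including when the
 * build number could not be determined.
 */
int main(void)
{
    ULONG BuildNumber = GetBuildNumber();

    if (BuildNumber == 0)
    {
        printf("Can't determine build number\n");
    }
    else
    {
        /* ULONG is unsigned long, so %lx is the matching conversion. */
        printf("Build Number: %lx Checked: %s\n", BuildNumber,
               IsChecked(BuildNumber) ? "Yes" : "No");
    }

    return 0;
}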

