创建时间:2005-04-13 更新时间:2005-04-14文章属性:翻译文章提交:sFqRy (mqphk163_at_163.com)非API函数检测操作系统类型作者:Thomas Kruse,nbw来源:The Assembly-Programming-Journal, Vol. 1, No. 1 (2004)http://www.Assembly-Journal.comAbstract概要Today nearly all programmers use the Advanced Programming Interface (API) to receive information's about given systemvalues. By using this API's, we don't have to take care which operating system is currently available.现在几乎所有的程序员都采用扩展程序接口(API)来获取操作系统信息。采用AIP函数,我们不需要关心当前所用的操作系统具体状况。But sometimes it might be needful to avoid the usage of such API's. This situation is given during development of softwareprotections in order to avoid importing functions which - eventually - will point a reverse engineer to a solution.但是有时候不能采用API函数。比如开发保护软件时候,防止给逆向者透漏引用的函数信息信息。This essay show up a way to detect the today given operating systems from Microsoft: Windows 95, 98, ME - the non NT-basedoperating systems - and Windows NT4, 2000, XP, 2003 - the NT-based operating systems.这篇文章介绍了如何检测当前用到的操作系统,微软: Windows 95, 98, ME - 非NT内核,以及 Windows NT4,2000,XP -NT内核系统。The shown source code is in Microsoft Assembler style (MASM [3]).这里给出的代码是微软汇编体系(MASM[3])。Keywords: Microsoft Operating Systems, Software Protection, Assembly Programming, System Internals关键词: 微软操作系统,软件保护,汇编程序,系统内核The author Thomas Kruse has his main research focus on operating-system independent code optimising and software-protection development. He is AssociateEditor of Assembly-Journal and CodeBreakers-Journal.本文作者作者 Thomas Kruse 致力于独立于操作系统的代码和软件保护系统的研究,也是Assembly-Journal 和 CodeBreakers-Journal的编辑。I. Introduction介绍When analysing the structure of the Thread Environment Block (TEB - also known as Thread Information Block TIB) ondifferent operating systems, we find additional data followed by this structure. This additional data seems to have - on nonNT-based operating systems - no logical structure or length definition, where NT-based operating systems store the informationinside the Process Environment Block (PEB). The only way to figure out the meaning of this data for non NT-based operatingsystems is to debug the same application on different operation systems[2].分析不同操作系统的线程环境块(TEB --- 也叫做线程信息块 TIB),我们可以看到这个结构的附加数据。对于非NT内核的系统,这些附加数据没有逻辑结构或者长度定义,而对于NT内核的系统他们保存了进程环境块(PEB)的信息。确定非NT内核系统中这些数据意义的唯一方法,就是在不同的操作系统中调试同一个程序。II. Application start程序开始There are many ways in detecting an operating system. It could be done by using the Windows API function GetVersionEx[1]and checking the version values returned in structure OSVERSIONINFO(EX)[1], or by accessing Register CS. Another way isanalysing the registers during start up of an application. There are several rules for them on how operating systems prepareseveral registers before executing the first instruction:有很多方法可以检测操作系统。可以采用Windows API函数 GetVersionEx[1],然后检查返回值或者检查CS寄存器。另外一个方法就是分析程序开始运行时候寄存器的值。在操作系统执行程序第一条指令以前,有很多处理寄存器的规则可以被利用。Startup values for Windows 95/98/MEWindows 95/98/ME启动值(译注:程序临执行以前)EAX == Application Entry PointEAX == 程序入口EBX == 00530000h, a fixed value确定值Startup values for Windows NT/2000/XP/2003Windows NT/2000/XP/2003启动值EAX == NULLEBX == 7FFDF000h, pointer to (PEB)EBX == 7FFDF000h, PEB指针By knowing this rules we where able to check the operating system base during start up. But then we need to store the registervalues of EAX and EBX for further usage - or resolve them in a different way.利用上面的特点,我们可以在启动时候确定操作系统类型。但是为了以后使用我们需要存储EAX,EBX或者也可以采用其他方法处理。A. Thread Environment BlockA.线程环境块The TEB is prepared during application start up and contain pointers to thread related additional data. The TEB structure isavailable on all operating systems. It's size is defined to 34h Bytes. The TEB address could be resolved by accessing thesegment register FS in the following way:程序启动前TEB便被初始化并且含有线程重定位数据指针。TEB结构在所有的操作系统中都是有效的。它的大小是34字节。TEB地址可以利用FS寄存器配合下面的方法来获取:assume fs:nothingmov eax,fs:[18h]The register EAX will contain the base address of this block. The TEB contains - at address 18h inside the structure - a pointerto itself:EAX寄存器含有TEB地址。TEB结构中第18h位为指向该TEB的指针。pSelf DWORD ? ; 18h pointer to TEB/TIBThe last entry of TEB is the pointer to process database. On NT-based operating systems this value will point to the addressof Process Environment Block (see Section II-C)TEB最后的内容为指向进程数据的指针。在NT内核系统中,这个值指向进程环境块(参考 II-C 部分)B. Additional data following TEBB. TEB附加数据Told in Section I, this additional data has no logical structure and differs on each non NT-based operating system. On WindowsNT, 2000, XP and 2003 this additional Data is defined as follows:第I部分说过,在每个非NT内核系统中附加数据块没有逻辑结构和具体定义(译注:这里好像应该是NT内核结构)。在Windows NT,2000,XP和2003,这些数据如下:NT_TEB_ADDON structLastErrorValue DWORD ? ; 00h (34h TEB)LastStatusValue DWORD ? ; 04h (38h TEB)CountOwnedLocks DWORD ? ; 08h (3Ch TEB)HardErrorsMode DWORD ? ; 0Ch (40h TEB)NT_TEB_ADDON endsWindows 95, 98, ME didn't have such a structure; the additional data is scrambled!Windows 95, 98, ME 没有这些数据结构。附加数据完全很混乱!C. Process Environment BlockC. 进程环境块Windows NT-based operating systems store process related data inside the Process Environment Block. The address of thisstructure is avaliable by accessing the segment register FS:NT内核的系统把进程相关数据存储在进程环境块中。这个结构的地址可以通过操作FS寄存器来获取:assume fs:nothingmov eax,fs:[30h]The register EAX will contain the base address of PEB.EAX寄存器中便是PEB基地址。pProcess DWORD ? ; 30h pointer to process databaseThe version information is stored inside the PEB structure:操作系统信息被存储在PEB结构中:OSMajorVersion DWORD ? ; A4h <=4->NT / 5->2K/XP/2K3OSMinorVersion DWORD ? ; A8h 0->2K / 1->XP / 2->2K3D. NT-based definitionsD. NT内核中的定义Windows NT, 2000, XP and 2003 use fixed addresses to store PEB and TEB. The PEB is always stored at address 7FFDF000hand TEB is starting at 7FFDE000h. By knowing these two fixed values, it is possible to detect the operating system base.Windows NT, 2000, XP and 2003采用固定数据存储PEB和TEB。PEB总是被存放在7FFDF000h,TEB总是从7FFDE000h开始。知道了这2个固定数据,就可以检测出来操作系统类型。III. The TrickIII. 一些技巧Section II-B has shown an add-on structure for NT-based operating systems. The data exists on non NT-based operatingsystems, too. But it is stored in a different way. To resolve correct memory positions - related to detect the operating system第II-B 部分介绍了附加数据在NT内核系统中的存储。在非NT内核系统中,也存在这些数据。但是存储方式不一样。通过获取这些数据的位置,可以检测出来操作系统类型。- we use a trick the analyse the additional data.- 我们采用一些技巧来分析这些附加数据If we take a closer look to the NT TEB ADDON structure shown in Section II-B, we see the entry LastErrorValue. Nearlyall Windows API's will return an error value which is accessible via GetLastError[1]. In addition to this, it is possible tomanipulate the LastErrorValue via SetLastError[1] API. By using this API and monitoring the memory area behind the TEB,the locations for the LastErrorValue are:如果仔细看一下II-B部分说的NT TEB附加数据,可以发现入口处的LastErrorValue。几乎所有跟GetLastError[1]有关系的API都要返回一个错误值。可以采用一些技巧来利用SetLastError[1] 返回的这个Error值,为了使用这个API并且检测TEB后面的内存,下面列出来LastErrorValue 的位置:Windows 95 - TEB-base + 60hWindows 98 - TEB-base + 60hWindows ME - TEB-base + 74hNow we are able to detect Windows ME or Windows 95/98. First step to our solution, but not the final one. It is possible todetect a difference between Windows 95 and Windows 98.现在就可以检测出来Windows ME 或者 Windows 95/98。这是解决问题的第一步,并没有到最后。有可能检测出来Windows 95 和 Windows 98之间的不同。Section II showed the start up values and their rules. The start up value of EBX on non NT-based OS is 00530000h. Exactlythis value will be found inside the additional data part - close to the now resolved LastErrorValue. By analysing it's location,the result will be:第II 部分说明了初始化值和他们的规律。对于非NT内核的系统,EBX初始为00530000h。并且这个值可以从附加数据中查出来 - 与LastErrorValue非常近。为了分析这个数据,下面列出来具体位置:Windows 95 - TEB-base + 58hWindows 98 - TEB-base + 54hWindows ME - TEB-base + 7ChNow we are able to differ between each non NT-based operating system.现在我们就可以区分没一个非NT内核的系统。IV. Code creationIV. 创建代码Right now, we where able the detect the version information for each operating system. We want an operating systemindependent code, we need to structure the given information's. Also it should be possible to resolve the version informationworkflow independent. Section VI will show the complete solution in Assembler.现在,我们可以检测每个操作系统的版本信息。为了让代码不依赖于操作系统,我们需要把需要的信息组织成一个结构。并且有必要让类型信息独立起来。第VI 部分将给出完全的汇编解决方案。First of all, we get the base addresses of PEB and TEB and resolve the operating system base by analysing them:首先,获取PEB和TEB的基地址,通过分析他们获取不同的操作系统信息。assume fs:nothingmov ebx,fs:[18h] ; get self pointer from TEBmov eax,fs:[30h] ; get pointer to PEB / database.if eax==7FFDF000h && ebx==7FFDE000h; WinNT based.else; Win9X based.endif ; of base check NT/9XThe version information for NT-based operation systems is stored inside PEB. We only have to analyse the values ofNT内核的版本信息存储在PEB中。我们仅仅需要分析这些数据:OSMajorVersion and OSMinorVersion:mov ebx,[eax+0A8h] ; get OSMinorVersionmov eax,[eax+0A4h] ; get OSMajorVersion.if eax==5 && ebx==0 ; is it Windows 2000?.elseif eax==5 && ebx==1 ; is it Windows XP?.elseif eax==5 && ebx==2 ; is it Windows 2003?.elseif eax<=4 ; is it Windows NT?.endifNon NT-based operating systems could be detected by analysing the additional data area behind TEB, searching the value00530000h:非NT内核的操作系统可以通过分析TEB附加数据,搜索00530000h:mov edx,00530000h ; the value to searchmov eax,fs:[18h] ; get the TEB base addressmov ebx,[eax+58h] ; TEB-base + 58h (W95)mov ecx,[eax+7Ch] ; TEB-base + 7Ch (WME)mov eax,[eax+54h] ; TEB-base + 54h (W98).if ebx==edx ; is it Windows 95?.elseif eax==edx ; is it Windows 98?.elseif ecx==edx ; is it Windows ME?.endifV. ConclusionsV. 结论Resolving the operating system by using this technique is only one possibility to avoid the usage of Advanced ProgrammingInterface functions. Other functions, for example GetCommandLine[1], IsDebuggerPresent[1] or named functions in this essaycould be "rewritten" in the same way. In other words: the reverse engineer isn't able to set breakpoints on API function calls,because they didn't exist. And mixing different operating system solutions together makes life even harder for him.采用这个技术,不过是避免使用API函数一种方法。其他很多函数,例如GetCommandLine[1], IsDebuggerPresent[1] 或者这篇文章中的一些函数都可以采用同样的方法被重写。换句话说:逆向人员不会拦截到相关API函数,因为根本就没有使用他们。并且,如果把对不同操作系统的处理都混杂在一起,对他们分析来说,会更加困难。VI. AppendixVI. 附录.const;-- return values from OS_GetOSOS_UNKNOWN equ -1OS_WIN95 equ 1OS_WIN98 equ 2OS_WINME equ 3OS_WINNT equ 4OS_WIN2K equ 5OS_WINXP equ 6OS_WIN2K3 equ 7.codeOS_GetOS proclocal _theReturnValue:DWORDpushad ; store all registersmov _theReturnValue,OS_UNKNOWNassume fs:nothingmov ebx,fs:[18h] ; get self pointer from TEBmov eax,fs:[30h] ; get pointer to PEB / database.if eax==7FFDF000h && ebx==7FFDE000h ; WinNT basedmov ebx,[eax+0A8h] ; get OSMinorVersionmov eax,[eax+0A4h] ; get OSMajorVersion.if eax==5 && ebx==0 ; is it Windows 2000?mov _theReturnValue,OS_WIN2K.elseif eax==5 && ebx==1 ; is it Windows XP?mov _theReturnValue,OS_WINXP.elseif eax==5 && ebx==2 ; is it Windows 2003?mov _theReturnValue,OS_WIN2K3.elseif eax<=4 ; is it Windows NT?mov _theReturnValue,OS_WINNT.endif.else ; Win9X basedmov edx,00530000h ; the magic value to searchmov eax,fs:[18h] ; get the TEB base addressmov ebx,[eax+58h] ; TEB-base + 58h (W95)mov ecx,[eax+7Ch] ; TEB-base + 7Ch (WME)mov eax,[eax+54h] ; TEB-base + 54h (W98).if ebx==edx ; is it Windows 95?mov _theReturnValue,OS_WIN95.elseif eax==edx ; is it Windows 98?mov _theReturnValue,OS_WIN98.elseif ecx==edx ; is it Windows ME?mov _theReturnValue,OS_WINME.endif.endif ; of base check NT/9Xpopad ; restore all registersmov eax,_theReturnValueret ; return to callerOS_GetOS endp
更多文章请点击左边的“文章”和“存档”分类
