本文为看雪论坛精华文章
看雪论坛作者ID:shinratensei
1
分析环境
软件版本 :11.1.6.31 (PCManager_Setup_11.1.6.31(C233D005).exe)
虚拟机 :windows 10 21H2 x64
真机 :windows 10 21H1 x64
工具 :IDA 、VS 2019
测试手机 :华为 Mate 30 5G
2
首次安装运行分析
3
分析安装包
4
分析安装流程中的模块
BIOS Information (Type 0)
System Information (Type 1)
Baseboard (or Module) Information (Type 2)
System Enclosure (Type 3)
OEM Strings (Type 11)
5
模块分析总结
DWORD error = ERROR_SUCCESS;
DWORD smBiosDataSize = 0;
RawSMBIOSData* smBiosData = NULL; // Defined in this link
DWORD bytesWritten = 0;
// Query size of SMBIOS data.
// 第一次调用时为了获取SMBIOSData的数据大小
smBiosDataSize = GetSystemFirmwareTable('RSMB', 0, NULL, 0);
// Allocate memory for SMBIOS data
smBiosData = (RawSMBIOSData*) HeapAlloc(GetProcessHeap(), 0, smBiosDataSize);
if (!smBiosData) {
error = ERROR_OUTOFMEMORY;
goto exit;
}
// Retrieve the SMBIOS table
// 第二次调用时为了获取SMBIOSData的数据
bytesWritten = GetSystemFirmwareTable('RSMB', 0, smBiosData, smBiosDataSize);
if (bytesWritten != smBiosDataSize) {
error = ERROR_INVALID_DATA;
goto exit;
}
// Process the SMBIOS data and free the memory under an exit label
UINT WINAPI Hooked_GetSystemFirmwareTable(
_In_ DWORD FirmwareTableProviderSignature,
_In_ DWORD FirmwareTableID,
_Out_writes_bytes_to_opt_(BufferSize, return) PVOID pFirmwareTableBuffer,
_In_ DWORD BufferSize
)
{
PTF_LOG_A("Hooked_GetSystemFirmwareTable.");
UINT uRetValue = 0;
uRetValue = g_FUNC_GetSystemFirmwareTable(FirmwareTableProviderSignature, FirmwareTableID, pFirmwareTableBuffer, BufferSize);
if (FirmwareTableProviderSignature != 'RSMB')
{
PTF_LOG_A("Hooked_GetSystemFirmwareTable. Signature is not \'RSMB\'");
return uRetValue;
}
if (pFirmwareTableBuffer != NULL && BufferSize > 0 && uRetValue <= BufferSize)
{
PTF_LOG_A("Hooked_GetSystemFirmwareTable. Modify Data.");
const PRawSMBIOSData pDMIData = (PRawSMBIOSData)pFirmwareTableBuffer;
//修改返回数据
DumpSMBIOSStruct(pDMIData, pDMIData->Length);
PTF_LOG_A("Hooked_GetSystemFirmwareTable. Modify Data Finish.");
}
return uRetValue;
}
void DumpSMBIOSStruct(void* pAddress, unsigned int Len)
{
LPBYTE p = (LPBYTE)(pAddress);
const LPBYTE lastAddress = p + Len;
PSMBIOSHEADER pHeader;
for (;;) {
pHeader = (PSMBIOSHEADER)p;
if (ModiySysInfo(pHeader) == true)
break;
if ((pHeader->Type == 127) && (pHeader->Length == 4))
break; // last avaiable tables
LPBYTE nt = p + pHeader->Length; // point to struct end
while (0 != (*nt | *(nt + 1))) nt++; // skip string area
nt += 2;
if (nt >= lastAddress)
break;
p = nt;
}
}
/*
ModiySysInfo 函数 为了防止格式识别错误,最好是删除当前System Information节。
自己重新构建一个节并添加到全部数据的尾部。
同时需要更新GetSystemFirmwareTable返回值的大小。
以上前提是提供给GetSystemFirmwareTable的输出缓冲区足够长。
*/
bool ModiySysInfo(PSMBIOSHEADER pHeader)
{
if (pHeader->Type == 1)
{
/*https://consumer.huawei.com/cn/support/laptops/matebook-e/*/
PSystemInfo pSystem = (PSystemInfo)pHeader;
char* str = (char *)pHeader + pHeader->Length;
const char* pszManufacturer = "HUAWEI";//主板厂商
const char* pszProductName = "BLl-W19";//产品名
const char* pszVersion = "1.0";//版本
//https://consumer.huawei.com/cn/support/warranty-query/
//这里的SerialNumber在测试中发现了个小问题
//如果未提供一个可用的SN则不能在软件中使用某些联网功能
//如 "玩机技巧" "快捷服务" 等
const char* pszSerialNumber = "ASM51ASMASM51ASM";//16位主板序列号
//获取原各字段信息
const char* pszOldManufacturer = LocateStringA(str, pSystem->Manufacturer);
const char* pszOldProductName = LocateStringA(str, pSystem->ProductName);
const char* pszOldVersion = LocateStringA(str, pSystem->Version);
const char* pszOldSerialNumber = LocateStringA(str, pSystem->SN);
if (
strlen(pszOldManufacturer) > strlen(pszManufacturer) &&
strlen(pszOldProductName) > strlen(pszProductName)&&
strlen(pszOldVersion) > strlen(pszVersion)&&
strlen(pszOldSerialNumber) > strlen(pszSerialNumber)
)
{
//如果原主板信息足够长则可以直接修改
PTF_LOG_A("Data length enough.");
str = ModiyStringData(str, pszManufacturer);
str = ModiyStringData(str, pszProductName);
str = ModiyStringData(str, pszVersion);
str = ModiyStringData(str, pszSerialNumber);
return true;
}
else
{
//原主板信息较短,则需要另辟蹊径
//...
}
}
return false;
}
char * ModiyStringData(char* pAddress, const char* pszTargetData)
{
if (0 == *pAddress)
return pAddress;
int nTragetLen = strlen(pszTargetData) + 1;
strcpy_s(pAddress, nTragetLen, pszTargetData);
return (pAddress + nTragetLen);
}
6
最终效果
看雪ID:shinratensei
https://bbs.pediy.com/user-home-840395.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!