A preliminary implementation of system-level interception of applications that read the hard disk's physical serial number

Source: Internet
Author: User

[Detailed process]
Previously, to fake the hard disk serial number that a program reads, you injected a DLL into it, intercepted the return value of DeviceIoControl and changed it to the value of the target hard disk.
Later, seeing how Regmon intercepts registry operations from the SSDT, where every program's read and write operations can be seen and altered, I changed the program accordingly. Test results: the hard disk serial number read by some programs can be changed in the same way,
including ASProtect and the descendants of the encryption schemes that use it :).

My idea is as follows:

1. First, use a program to read the actual hard disk serial number. Assume it is XXXX.

2. Hook the system's ZwDeviceIoControlFile and examine the IoControlCode parameter. Only a few specific values are used to obtain the serial number;
so far, among all the programs I have examined, I have found only two:
0x7c088 and 0x4d008.



The first value, 0x7c088, corresponds to the SMART (ATA) hard disk interface and is
defined in ntdddisk.h of the NTDDK as follows:

Code:

//
// IOCTL support for SMART drive fault prediction.
//

#define SMART_RCV_DRIVE_DATA CTL_CODE(IOCTL_DISK_BASE, 0x0022, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)



So the corresponding statement in the original code reads more clearly when written with the symbolic name:

Code:

if ((SMART_RCV_DRIVE_DATA == IoControlCode) && OutputBufferLength > DISK_SERIAL_BUFF_LENGTH) {
    PUCHAR locate = IsSubString(OutputBuffer, _DiskSerial, OutputBufferLength, DISK_SERIAL_BUFF_LENGTH);
    if (locate) {
        UCHAR i;
        for (i = 0; i < DISK_SERIAL_BUFF_LENGTH; i++) {   // DISK_SERIAL_BUFF_LENGTH is 20
            locate[i] = _ChangeTo[i];
        }
    }
}

 


The DDK describes SMART_RCV_DRIVE_DATA as follows:

Code:

SMART_RCV_DRIVE_DATA

Operation
Returns the ATA-2 identify data, the SMART thresholds, or the SMART attributes for the device. This IOCTL must be handled by drivers that support SMART.

Input
The buffer at Irp->AssociatedIrp.SystemBuffer contains a SENDCMDINPARAMS structure that describes the request being sent to the device. The irDriveRegs.bCommandReg member specifies ID_CMD when identify data is requested and SMART_CMD when SMART data is requested. If SMART data is requested, the irDriveRegs.bFeaturesReg member specifies either READ_ATTRIBUTES or READ_THRESHOLDS.

Parameters.DeviceIoControl.InputBufferLength specifies the size in bytes of the input buffer, which must be >= (sizeof(SENDCMDINPARAMS) - 1).

Parameters.DeviceIoControl.OutputBufferLength specifies the size in bytes of the output buffer, which must be >= (sizeof(SENDCMDOUTPARAMS) - 1 + 512).

Output
The driver returns the SENDCMDOUTPARAMS structure and a 512-byte buffer of drive data to the buffer at Irp->AssociatedIrp.SystemBuffer.

I/O Status Block
The driver sets the Information field to (sizeof(SENDCMDOUTPARAMS) - 1 + 512) when it sets the Status field to STATUS_SUCCESS. Otherwise, the driver sets the Information field to zero and the Status field to possibly STATUS_INVALID_PARAMETER or STATUS_INSUFFICIENT_RESOURCES.

 


The second value, 0x4d008, corresponds to SCSI-interface hard disks and is defined in ntddscsi.h of the NTDDK:

Code:

//
// NtDeviceIoControlFile IoControlCode values for this device.
//
// Warning: Remember that the low two bits of the code specify how
// buffers are passed to the driver!
//

#define IOCTL_SCSI_MINIPORT CTL_CODE(IOCTL_SCSI_BASE, 0x0402, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)



The NTDDK describes IOCTL_SCSI_MINIPORT as follows:

Code:

IOCTL_SCSI_MINIPORT

Operation
Sends a special control function to an HBA-specific miniport driver. Results vary, depending on the specified miniport driver to which this request is forwarded. If the caller specifies a nonzero Length, either the input or output buffer must be at least (sizeof(SRB_IO_CONTROL) + DataBufferLength).

Input
The buffer at Irp->AssociatedIrp.SystemBuffer must contain an SRB_IO_CONTROL structure. Parameters.DeviceIoControl.InputBufferLength indicates the size in bytes of the buffer, which must be at least sizeof(SRB_IO_CONTROL), with additional storage for data if the Length field is nonzero.

Output
An updated SRB_IO_CONTROL structure is returned to the buffer at Irp->AssociatedIrp.SystemBuffer.

I/O Status Block
The Information field contains the number of bytes returned in the output buffer. The Status field indicates the results of the operation.
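As an added example (not code from the original post, and built without the DDK headers), the following C program reproduces the CTL_CODE arithmetic that produces the two magic numbers and decodes any I/O control code back into its fields, which is how to classify an unfamiliar value seen in a ZwDeviceIoControlFile trace. The values of FILE_DEVICE_DISK and FILE_DEVICE_CONTROLLER are the ones from winioctl.h/ntddk.h; `is_serial_ioctl` is a hypothetical name for the hook's filter predicate.

```c
/* Added example, not from the original post: the CTL_CODE arithmetic behind
 * the two magic numbers, plus a decoder for any I/O control code. Builds in
 * user mode with no DDK headers; the constants are copied from winioctl.h. */
#include <stdint.h>

#define METHOD_BUFFERED        0u
#define FILE_READ_ACCESS       0x0001u
#define FILE_WRITE_ACCESS      0x0002u
#define FILE_DEVICE_CONTROLLER 0x00000004u   /* IOCTL_SCSI_BASE in ntddscsi.h */
#define FILE_DEVICE_DISK       0x00000007u   /* IOCTL_DISK_BASE in ntdddisk.h */

/* Same layout as the DDK macro: device type in bits 31..16, required
 * access in bits 15..14, function number in 13..2, transfer method in 1..0. */
static uint32_t ctl_code(uint32_t device, uint32_t function, uint32_t method, uint32_t access)
{
    return (device << 16) | (access << 14) | (function << 2) | method;
}

static uint32_t smart_rcv_drive_data(void)
{
    return ctl_code(FILE_DEVICE_DISK, 0x0022, METHOD_BUFFERED,
                    FILE_READ_ACCESS | FILE_WRITE_ACCESS);
}

static uint32_t ioctl_scsi_miniport(void)
{
    return ctl_code(FILE_DEVICE_CONTROLLER, 0x0402, METHOD_BUFFERED,
                    FILE_READ_ACCESS | FILE_WRITE_ACCESS);
}

struct ioctl_fields {
    uint32_t device, access, function, method;
};

/* Split a code back into its fields, e.g. to classify an unknown value
 * captured from a hooked ZwDeviceIoControlFile. */
static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device   = code >> 16;
    f.access   = (code >> 14) & 0x3u;
    f.function = (code >> 2) & 0xFFFu;
    f.method   = code & 0x3u;
    return f;
}

/* The hook's filter (hypothetical name): does this code carry identify data? */
static int is_serial_ioctl(uint32_t code)
{
    return code == smart_rcv_drive_data() || code == ioctl_scsi_miniport();
}
```

The two low bits are the transfer method, which is what the warning in the ntddscsi.h comment above is about: a value that differs only there (0x7c089, for instance) is a different IOCTL and would slip past an exact comparison, so a hook that compares against the full 32-bit code is correct only if the program uses exactly the same code.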


If IoControlCode is one of the values above, call the system's original ZwDeviceIoControlFile, then check whether the returned buffer
contains XXXX.
If it does, replace it with the value to be spoofed.

The code is simple:

#define DISK_SERIAL_BUFF_LENGTH 20    // 20 ASCII bytes: ATA IDENTIFY words 10..19

UCHAR _DiskSerial[DISK_SERIAL_BUFF_LENGTH] = {0};   // the real serial number, set from the GUI
UCHAR _ChangeTo[DISK_SERIAL_BUFF_LENGTH]   = {0};   // the spoof value, set from the GUI

// A simple, slow string matching routine: returns a pointer to the first
// occurrence of SubString (S1) inside String (S2), or NULL if S1 is not a substring of S2.

PUCHAR IsSubString(PUCHAR String, PUCHAR SubString, ULONG StringLength, ULONG SubStringLength)
{
    ULONG i, j;
    if (SubStringLength == 0 || SubStringLength > StringLength)   // avoid unsigned underflow below
        return NULL;
    for (i = 0; i < StringLength - SubStringLength + 1; i++) {
        for (j = 0; j < SubStringLength; j++) {
            if (String[i + j] != SubString[j])
                break;
        }
        if (j == SubStringLength)   // matched the whole substring
            return String + i;
    }
    return NULL;
}

//----------------------------------------------------------------------
//
// Our own routine for ZwDeviceIoControlFile.
// We change the hard disk serial number value requested by the user.
//
//----------------------------------------------------------------------

// The original service pointer, saved from the SSDT by HookStart().
typedef NTSTATUS (NTAPI *ZWDEVICEIOCONTROLFILE)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID,
                                                 PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
ZWDEVICEIOCONTROLFILE RealZwDeviceIoControlFile;

NTSTATUS NTAPI HookZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
    )
{
    NTSTATUS rc;

    rc = RealZwDeviceIoControlFile(
            FileHandle,
            Event,
            ApcRoutine,
            ApcContext,
            IoStatusBlock,
            IoControlCode,
            InputBuffer,
            InputBufferLength,
            OutputBuffer,
            OutputBufferLength
            );

    // Judge whether IoControlCode is the one that returns the serial number
    // (SMART_RCV_DRIVE_DATA; the SCSI path, 0x4d008, is not handled here).
    // The output is only valid once the request has completed: on
    // STATUS_PENDING (overlapped handle) the buffer has not been filled yet.
    if (NT_SUCCESS(rc) && rc != STATUS_PENDING && OutputBuffer != NULL &&
        0x7c088 == IoControlCode && OutputBufferLength > DISK_SERIAL_BUFF_LENGTH) {

        // Determine whether the returned data contains the real serial
        // number; if so, overwrite it with the spoof value. OutputBuffer
        // is the caller's user-mode pointer, so guard the access.
        __try {
            PUCHAR locate = IsSubString((PUCHAR)OutputBuffer, _DiskSerial,
                                        OutputBufferLength, DISK_SERIAL_BUFF_LENGTH);
            if (locate) {
                UCHAR i;
                for (i = 0; i < DISK_SERIAL_BUFF_LENGTH; i++) {
                    locate[i] = _ChangeTo[i];
                }
            }
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            // leave the caller's buffer untouched
        }
    }
    return rc;
}
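Because the hook rewrites raw bytes, it matters what the raw bytes look like. In an IDENTIFY DEVICE block the serial number occupies words 10 to 19 (20 bytes) as an ATA string: space padded, with the two bytes of each 16-bit word swapped, so the value a program prints is not the byte sequence that sits in the buffer. The following user-mode C model, an added example and not the driver code from the post, replays the hook's post-call step against a constructed SMART_RCV_DRIVE_DATA reply and shows that the values handed to the driver (the real serial and the spoof value) must be in that raw swapped form for the substring match to hit. The struct, the serial numbers and the function names are constructed for the example; the struct layout follows SENDCMDOUTPARAMS.

```c
/* Added example, not code from the original post: a user-mode model of the
 * hook's rewrite of a SMART_RCV_DRIVE_DATA reply. The layout mirrors
 * SENDCMDOUTPARAMS (4-byte cBufferSize, 12-byte DRIVERSTATUS, then the
 * 512-byte IDENTIFY DEVICE block); the serial numbers are constructed. */
#include <stdint.h>
#include <string.h>

#define DISK_SERIAL_BUFF_LENGTH   20         /* IDENTIFY words 10..19 = 20 bytes */
#define IDENTIFY_SERIAL_OFFSET    (10 * 2)   /* byte offset of word 10 */
#define SMART_RCV_DRIVE_DATA_CODE 0x7c088u

struct drive_reply {                         /* models SENDCMDOUTPARAMS */
    uint32_t cBufferSize;
    uint8_t  DriverStatus[12];
    uint8_t  bBuffer[512];                   /* bBuffer[1] in the DDK header */
};

/* ATA strings are space padded and stored with the two bytes of every
 * 16-bit word swapped; this is the form the raw reply carries. */
static void ata_string_store(uint8_t *dst, const char *s, size_t nbytes)
{
    size_t i, len = strlen(s);
    for (i = 0; i < nbytes; i += 2) {
        dst[i]     = (i + 1 < len) ? (uint8_t)s[i + 1] : ' ';
        dst[i + 1] = (i < len)     ? (uint8_t)s[i]     : ' ';
    }
}

/* Undo the swap and trim the padding: what an application displays. */
static void ata_string_load(char *dst, const uint8_t *src, size_t nbytes)
{
    size_t i, end = nbytes;
    for (i = 0; i < nbytes; i += 2) {
        dst[i]     = (char)src[i + 1];
        dst[i + 1] = (char)src[i];
    }
    while (end > 0 && dst[end - 1] == ' ')
        end--;
    dst[end] = '\0';
}

/* Constructed reply whose only populated IDENTIFY field is the serial. */
static void build_reply(struct drive_reply *r, const char *serial)
{
    memset(r, 0, sizeof *r);
    r->cBufferSize = sizeof r->bBuffer;
    ata_string_store(r->bBuffer + IDENTIFY_SERIAL_OFFSET, serial, DISK_SERIAL_BUFF_LENGTH);
}

/* The driver's IsSubString with a guard against needle longer than haystack. */
static uint8_t *find_bytes(uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || nlen > hlen)
        return NULL;
    for (i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* The hook's post-call step: on SMART_RCV_DRIVE_DATA, swap the real serial
 * (raw form) for the spoof value (raw form). Returns 1 if it rewrote data. */
static int spoof_reply(uint32_t ioctl, uint8_t *out, size_t outlen,
                       const uint8_t *real_raw, const uint8_t *fake_raw)
{
    uint8_t *hit;
    if (ioctl != SMART_RCV_DRIVE_DATA_CODE || outlen <= DISK_SERIAL_BUFF_LENGTH)
        return 0;
    hit = find_bytes(out, outlen, real_raw, DISK_SERIAL_BUFF_LENGTH);
    if (hit == NULL)
        return 0;
    memcpy(hit, fake_raw, DISK_SERIAL_BUFF_LENGTH);
    return 1;
}

/* End-to-end walk-through; returns 0 on success, otherwise the failed step. */
static int run_scenario(void)
{
    struct drive_reply r;
    uint8_t real_raw[DISK_SERIAL_BUFF_LENGTH], fake_raw[DISK_SERIAL_BUFF_LENGTH];
    uint8_t plain[DISK_SERIAL_BUFF_LENGTH];
    char seen[DISK_SERIAL_BUFF_LENGTH + 1];

    build_reply(&r, "DEMOSERIAL0001");                       /* the post's "XXXX" */
    ata_string_store(real_raw, "DEMOSERIAL0001", sizeof real_raw);
    ata_string_store(fake_raw, "SPOOFED0000042", sizeof fake_raw);
    memset(plain, ' ', sizeof plain);
    memcpy(plain, "DEMOSERIAL0001", 14);                     /* human-readable, padded */

    ata_string_load(seen, r.bBuffer + IDENTIFY_SERIAL_OFFSET, DISK_SERIAL_BUFF_LENGTH);
    if (strcmp(seen, "DEMOSERIAL0001") != 0) return 1;
    /* The human-readable serial never matches the raw reply: no rewrite. */
    if (spoof_reply(SMART_RCV_DRIVE_DATA_CODE, (uint8_t *)&r, sizeof r, plain, fake_raw) != 0) return 2;
    /* The post's hook tests 0x7c088 only; the SCSI code passes through. */
    if (spoof_reply(0x4d008u, (uint8_t *)&r, sizeof r, real_raw, fake_raw) != 0) return 3;
    /* Raw real value in, raw spoof value out: the caller now sees the fake. */
    if (spoof_reply(SMART_RCV_DRIVE_DATA_CODE, (uint8_t *)&r, sizeof r, real_raw, fake_raw) != 1) return 4;
    ata_string_load(seen, r.bBuffer + IDENTIFY_SERIAL_OFFSET, DISK_SERIAL_BUFF_LENGTH);
    return strcmp(seen, "SPOOFED0000042") == 0 ? 0 : 5;
}
```

Since the driver searches the whole output buffer rather than a fixed offset, the same rewrite would apply on the IOCTL_SCSI_MINIPORT path, where the identify data follows an SRB_IO_CONTROL header (the exact layout depends on the miniport); the hook on the page, however, tests only 0x7c088.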


At present, the driver only handles a few simple messages from the application layer: start spoofing, stop spoofing, and set the real and spoofed values.

BOOLEAN HdHookDeviceControl(IN PFILE_OBJECT FileObject, IN BOOLEAN Wait,
                            IN PVOID InputBuffer, IN ULONG InputBufferLength,
                            OUT PVOID OutputBuffer, IN ULONG OutputBufferLength,
                            IN ULONG IoControlCode, OUT PIO_STATUS_BLOCK IoStatus,
                            IN PDEVICE_OBJECT DeviceObject)
{
    ULONG i;

    // It's a message from our GUI!
    IoStatus->Status = STATUS_SUCCESS;   // assume success
    IoStatus->Information = 0;           // assume nothing returned

    switch (IoControlCode) {

    // Start spoofing
    case HDHOOK_HOOK:
        HookStart();
        break;

    // Stop spoofing
    case HDHOOK_UNHOOK:
        HookStop();
        break;

    // Tell the driver the real serial number of the current hard disk
    // (20 raw bytes, exactly as they appear in the SMART reply).
    case HDHOOK_SETSELFVALUE:
        if (InputBufferLength < DISK_SERIAL_BUFF_LENGTH || InputBuffer == NULL) {
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        for (i = 0; i < DISK_SERIAL_BUFF_LENGTH; i++)
            _DiskSerial[i] = ((UCHAR *)InputBuffer)[i];
        break;

    // Set the new spoofed hard disk serial number (same raw form).
    case HDHOOK_SETEMULABLEVALUE:
        if (InputBufferLength < DISK_SERIAL_BUFF_LENGTH || InputBuffer == NULL) {
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        for (i = 0; i < DISK_SERIAL_BUFF_LENGTH; i++)
            _ChangeTo[i] = ((UCHAR *)InputBuffer)[i];
        break;

    // Return the driver version number (REGMONVERSION is inherited from Regmon).
    case HDHOOK_VERSION:
        if (OutputBufferLength < sizeof(ULONG) || OutputBuffer == NULL) {
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        *(ULONG *)OutputBuffer = REGMONVERSION;
        IoStatus->Information = sizeof(ULONG);
        break;

    default:
        IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }
    return TRUE;
}


The application-layer program communicates with the driver through the following simple code:

#define HDHOOK_HOOK             (ULONG) CTL_CODE(FILE_DEVICE_REGMON, 0x00, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define HDHOOK_UNHOOK           (ULONG) CTL_CODE(FILE_DEVICE_REGMON, 0x01, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define HDHOOK_VERSION          (ULONG) CTL_CODE(FILE_DEVICE_REGMON, 0x02, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define HDHOOK_SETSELFVALUE     (ULONG) CTL_CODE(FILE_DEVICE_REGMON, 0x03, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define HDHOOK_SETEMULABLEVALUE (ULONG) CTL_CODE(FILE_DEVICE_REGMON, 0x04, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define DISK_SERIAL_BUFF_LENGTH 20

// Set the new spoofed serial number (szEmulSerial: 20 raw bytes in the
// byte order the SMART reply uses, since the driver matches bytes verbatim)
DeviceIoControl(_SysHandle, HDHOOK_SETEMULABLEVALUE, szEmulSerial, DISK_SERIAL_BUFF_LENGTH, NULL, 0, &dwDummy, NULL);

// Tell the driver the real hard disk serial number (szBuffer: same raw form)
DeviceIoControl(_SysHandle, HDHOOK_SETSELFVALUE, szBuffer, DISK_SERIAL_BUFF_LENGTH, NULL, 0, &dwDummy, NULL);

// Start interception
DeviceIoControl(_SysHandle, HDHOOK_HOOK, NULL, 0, NULL, 0, &dwDummy, NULL);

// Stop interception
DeviceIoControl(_SysHandle, HDHOOK_UNHOOK, NULL, 0, NULL, 0, &dwDummy, NULL);

Here, _SysHandle is the handle to the driver's device, obtained when the driver is installed.

The idea for this article comes from Regmon (I have kept Regmon's copyright statement in the source file). With it, it is easy to deal with programs that derive their registration code from the hard disk serial number, given one genuine registration number.

The attachment contains a simple UI that I wrote to communicate with the driver.

If you find it useful, I hope someone will add the following:
1. Process filtering, so that only specific programs are intercepted.
2. A more efficient string matching algorithm; any data structures textbook has a ready-made one :)
3. The returned data also contains the hard disk manufacturer, number of tracks and other information; simulate those fully as well, and complete the handling of the remaining IoControlCode values.

If you change it, I hope you will send me a copy :)
