Undocumented Windows functions.

Discussion in 'Mixed Languages' started by nononsence, Feb 18, 2012.

    #1 nononsence, Feb 18, 2012
    In this thread I am going to post a few undocumented Windows functions I discovered while writing the WindSLIC EFI installer.
    This first one demonstrates the undocumented NtQuerySystemInformation information class 90, which I use to detect
    whether the system was booted through EFI firmware.

    In this code example I am using run-time dynamic linking (GetModuleHandle + GetProcAddress) to retrieve a pointer to the
    NtQuerySystemInformation function in ntdll.dll, which is similar to P/Invoke in .NET and is very handy when working with
    undocumented functions. Keep in mind that undocumented information classes and their buffer layouts can change between
    Windows versions, so always check the returned NTSTATUS before trusting the buffer.


    Code:
    #include <stdio.h>
    #include <Windows.h>
    
    /* Pointer-to-function type matching ntdll!NtQuerySystemInformation.
     * It is resolved at run time with GetProcAddress (see main); the NTSTATUS
     * result is 0 on success, and ReturnLength may be passed as NULL. */
    typedef NTSTATUS (NTAPI *NtQuerySystemInformation)(ULONG SystemInformationClass,
                                                       PVOID SystemInformation,
                                                       ULONG SystemInformationLength,
                                                       PULONG ReturnLength OPTIONAL);
    
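    /*
     * Entry point: prints "is EFI" or "not EFI" and returns 1 for an EFI-booted
     * system, 0 otherwise (also 0 when the query could not be made).
     *
     * Information class 90 of NtQuerySystemInformation is queried with a 20-byte
     * buffer, exactly as the original did, and the DWORD at byte offset 16
     * (Buffer[4]) is compared with 2, the value the original author found for EFI
     * firmware. Neither the class number nor the layout is documented, so the
     * NTSTATUS is checked before the buffer is read.
     * NOTE(review): the layout looks like a 16-byte boot identifier followed by a
     * firmware-type value; later Windows releases may extend the structure, so if
     * the call starts failing re-check the required length. Windows 8 and later
     * also expose this answer through the documented kernel32 GetFirmwareType().
     *
     * Fixes versus the original: the GetProcAddress result is NULL-checked before
     * being called, the array uses `= {0}` (the original's `= {}` is not valid C11),
     * and the standard output handle is no longer CloseHandle()d -- GetStdHandle
     * does not hand out an owned handle.
     */
    int main (void)
    {
        int ret = 0;
        DWORD Buffer[5] = {0};              /* 20 bytes as originally passed; Buffer[4] is byte offset 16 */
        ULONG CharsWritten = 0;
        const wchar_t* out = L"not EFI\n";
        HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
        /* ntdll is mapped into every process, so GetModuleHandle suffices (no FreeLibrary). */
        HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");

        if (hNtdll) {
            NtQuerySystemInformation pNtQuerySystemInformation =
                (NtQuerySystemInformation) GetProcAddress(hNtdll, "NtQuerySystemInformation");
            /* GetProcAddress can return NULL; never call through an unchecked pointer. */
            if (pNtQuerySystemInformation != NULL &&
                pNtQuerySystemInformation(90, Buffer, sizeof(Buffer), NULL) == 0 &&
                Buffer[4] == 2) {
                ret = 1;
                out = L"is EFI\n";
            }
            WriteConsole(StdOut, out, lstrlen(out), &CharsWritten, NULL);
        }
        return ret;
    }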
    
     


    #2 nononsence, Feb 18, 2012
    This next one is NtQuerySystemInformation information class 98, which returns the NT device name of the system
    volume; I added dynamic memory allocation to this one.

    Code:
    #include <stdio.h>
    #include <Windows.h>
    
    /* Function-pointer type for ntdll!NtQuerySystemInformation, looked up with
     * GetProcAddress in main. A zero NTSTATUS means success; the caller may pass
     * NULL for ReturnLength when it does not need the size written back. */
    typedef NTSTATUS (NTAPI *NtQuerySystemInformation)(ULONG SystemInformationClass,
                                                       PVOID SystemInformation,
                                                       ULONG SystemInformationLength,
                                                       PULONG ReturnLength OPTIONAL);
    
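    /*
     * Entry point: prints the NT device name of the system partition, e.g.
     * "\Device\HarddiskVolume1", and returns 0 (1 when NtQuerySystemInformation
     * could not be resolved from ntdll).
     *
     * Information class 98 is undocumented. The original read the characters at
     * byte offset 8 of the result, which is where they land when an 8-byte
     * UNICODE_STRING header (Length, MaximumLength, Buffer) of a 32-bit build is
     * followed by its text; a 64-bit build has a 16-byte header, so that offset is
     * wrong there. This version reads the header and follows its Buffer pointer,
     * falling back to "right behind the header" only when the pointer does not
     * land inside the memory we supplied, and prints nothing unless Length fits.
     * NOTE(review): a 1 KiB stack buffer replaces the original's 128-byte private
     * heap (which was never HeapDestroy()d and whose HeapAlloc results were not
     * checked); the intermediate copy to a second heap block was dropped because
     * it only duplicated the text before writing it out.
     */
    int main (void)
    {
        /* Local mirror of UNICODE_STRING; Windows.h does not declare it (winternl.h does). */
        struct local_unicode_string {
            USHORT Length;              /* in bytes, excluding any terminator */
            USHORT MaximumLength;
            PWSTR  Buffer;
        };
        UCHAR Raw[1024];                /* device paths can exceed the original 128 bytes */
        DWORD Written = 0;
        struct local_unicode_string us;
        ULONG_PTR off;
        HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
        HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
        NtQuerySystemInformation pNtQuerySystemInformation = NULL;

        if (hNtdll) {
            pNtQuerySystemInformation =
                (NtQuerySystemInformation) GetProcAddress(hNtdll, "NtQuerySystemInformation");
        }
        if (pNtQuerySystemInformation == NULL) {
            return 1;                   /* never call through a NULL function pointer */
        }

        ZeroMemory(Raw, sizeof(Raw));
        if (pNtQuerySystemInformation(98, Raw, sizeof(Raw), NULL) != 0) {
            return 0;                   /* query failed; nothing to print */
        }
        CopyMemory(&us, Raw, sizeof(us));   /* copy out rather than aliasing the byte array */

        /* Prefer the Buffer pointer if it points into Raw; otherwise assume the text
         * directly follows the header, which is what the original relied on. */
        off = (ULONG_PTR)us.Buffer - (ULONG_PTR)Raw;
        if (off >= sizeof(Raw)) {
            off = sizeof(us);
        }
        if (us.Length <= sizeof(Raw) - off && us.Length % sizeof(wchar_t) == 0) {
            WriteConsole(StdOut, Raw + off, us.Length / sizeof(wchar_t), &Written, NULL);
        }
        /* The standard output handle belongs to the process; it is not closed here. */
        return 0;
    }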
    
    output:
    Code:
    "\Device\HarddiskVolume1"
    
     


    #3 nononsence, Feb 19, 2012
    This one shows how to install a product key with the SppComApi.dll COM object. I am using isolated (registration-free)
    COM and a patched sppcomapi.dll to display the current key from the registry; you do not need the patched file to
    install a product key. Note that a patched copy of a system DLL no longer carries a valid code signature, and the
    isolated-COM manifest is what makes the process load it instead of the system copy -- keep that to the display step only.

    Code:
    #include "stdafx.h"
    #include "ViewKey.h"
    #import "sppcomapi.tlb"
    using namespace SppComApiLib;
    
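    // Default product key; argv[1] overrides it on Unicode builds so that keys
    // need not be edited into the source.
    wchar_t* PKeyIn = L"VQ3PY-VRX6D-CBG4J-8C6R2-TCVBD\0";

    // Writes a NUL-terminated wide string to the console; no-op on an unusable handle.
    static void PrintW(HANDLE StdOut, const wchar_t* text)
    {
        DWORD written = 0;
        if (StdOut != NULL && StdOut != INVALID_HANDLE_VALUE) {
            WriteConsole(StdOut, text, lstrlenW(text), &written, NULL);
        }
    }

    /*
     * Installs a product key through the SppComApi COM objects and prints the key
     * read back from the registry before and after the install.
     *
     * argv[1]  optional product key; PKeyIn is used when it is absent.
     * Returns 0 when SLLUAInstallProofOfPurchase succeeded, 1 otherwise (COM
     * initialisation failed, the object could not be created, or the install failed).
     *
     * Defects in the original listing fixed here:
     *  - HRESULTs are tested with FAILED()/SUCCEEDED(). CoInitialize returns S_FALSE
     *    (1) when COM is already initialised, which `== ERROR_SUCCESS` rejected.
     *  - The temporary IUnknown is released right after each QueryInterface. The
     *    original overwrote the first one (leak) and called IUkn->Release() at the
     *    end even when both CoCreateInstance calls had failed (NULL dereference).
     *  - The BSTRs from get_DefaultKeyFromRegistry are freed with SysFreeString.
     *  - The output buffer is 1024 wchar_t, so wsprintf's maximum output (1024
     *    characters) cannot overrun it; the original allocated 1024 bytes.
     *  - The standard output handle is not CloseHandle()d; the process owns it.
     * NOTE(review): installing a key changes machine licensing state and presumably
     * needs an elevated process -- rely on the HRESULT, not on the call returning.
     */
    int main(int argc, _TCHAR* argv[])
    {
        ILicensingStateTools* LicensingStateTools = NULL;
        ISPPLUA* SPPLUA = NULL;
        IUnknown* IUkn = NULL;
        BSTR PKeyOut = NULL;
        HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
        wchar_t OutBuffer[1024];
        SAFEARRAY SafeArray = {0};          // zero-filled, exactly like the original heap block
        GUID PKeyId = GUID_NULL;            // receives the id assigned to the installed key
        int rc = 1;

    #if defined(_UNICODE) || defined(UNICODE)
        if (argc > 1 && argv[1] != NULL && argv[1][0] != L'\0') {
            PKeyIn = argv[1];
        }
    #else
        (void)argc;
        (void)argv;
    #endif

        if (FAILED(CoInitialize(NULL))) {
            return 1;
        }

        if (SUCCEEDED(CoCreateInstance(CLSID_SPPLUAObject, NULL, CLSCTX_INPROC_SERVER,
                                       IID_IUnknown, (LPVOID*)&IUkn))) {
            IUkn->QueryInterface(IID_ISPPLUA, (LPVOID*)&SPPLUA);
            IUkn->Release();                // SPPLUA (if obtained) holds its own reference
            IUkn = NULL;
        }
        if (SUCCEEDED(CoCreateInstance(CLSID_LicensingStateTools, NULL, CLSCTX_INPROC_SERVER,
                                       IID_IUnknown, (LPVOID*)&IUkn))) {
            IUkn->QueryInterface(IID_ILicensingStateTools, (LPVOID*)&LicensingStateTools);
            IUkn->Release();
            IUkn = NULL;
        }

        if (LicensingStateTools &&
            SUCCEEDED(LicensingStateTools->get_DefaultKeyFromRegistry(&PKeyOut)) && PKeyOut) {
            wsprintf(OutBuffer, L"current product key: %s\n\n\0", PKeyOut);
            PrintW(StdOut, OutBuffer);
        }
        SysFreeString(PKeyOut);             // caller owns the BSTR; SysFreeString(NULL) is a no-op
        PKeyOut = NULL;

        wsprintf(OutBuffer, L"installing key: %s\n\0", PKeyIn);
        PrintW(StdOut, OutBuffer);
        // NOTE(review): a zero-filled SAFEARRAY is not one built by SafeArrayCreate*;
        // the original passed exactly this and reported success, which suggests the
        // method ignores it here (the native call later in this thread passes 0/NULL
        // for the key-specific data). Left as-is; verify against the type library.
        if (SPPLUA &&
            SUCCEEDED(SPPLUA->SLLUAInstallProofOfPurchase(L"msft:rm/algorithm/pkey/2005\0",
                                                          PKeyIn, &SafeArray, &PKeyId))) {
            PrintW(StdOut, L"key installed successfully\n\n\0");
            rc = 0;
        }

        if (LicensingStateTools &&
            SUCCEEDED(LicensingStateTools->get_DefaultKeyFromRegistry(&PKeyOut)) && PKeyOut) {
            wsprintf(OutBuffer, L"new Key: %s\n\0", PKeyOut);
            PrintW(StdOut, OutBuffer);
        }
        SysFreeString(PKeyOut);

        if (LicensingStateTools) {
            LicensingStateTools->Release();
        }
        if (SPPLUA) {
            SPPLUA->Release();
        }
        CoUninitialize();
        return rc;
    }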
    
    source code:

    http://www.mediafire.com/?o9cm38w5je3x3p0
     
    #4 nononsence, Feb 19, 2012
    Don't like COM? This is the native way to install a key, by calling slc.dll directly.
    I don't know whether calling SLClose() is strictly necessary, but it seems logical: SLOpen hands back a context handle, so each successful SLOpen should be paired with an SLClose.
    Code:
    #include "stdafx.h"
    
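    // slc.dll entry points, resolved with GetProcAddress. NOTE(review): the Windows
    // SDK header slpublic.h declares these with typed parameters (an HSLC context
    // handle, SLID GUIDs) and HRESULT returns; the typedefs below follow the way
    // this listing calls them. SLOpen writes the new context handle through its
    // argument (the call site passes &spp), which the original's plain HANDLE hid.
    typedef HRESULT (WINAPI *SLOpen)(HANDLE* phContext);
    typedef HRESULT (WINAPI *SLClose)(HANDLE hContext);
    typedef HRESULT (WINAPI *SLInstallProofOfPurchase)(HANDLE hContext, const wchar_t* PKeyType,
                                                       const wchar_t* PKeyIn, ULONG PKeyDataSize,
                                                       const BYTE* PKeyData, GUID* PKeyId);
    // Key to install and the algorithm id string the original passes with it.
    // NOTE(review): a key baked into the binary is readable by anyone with the file.
    wchar_t* PKeyIn = L"FJGCP-4DFJD-GJY49-VJBQ7-HYRR2\0";
    wchar_t* PKeyType = L"msft:rm/algorithm/pkey/2005\0";

    // Loads slc.dll by full path from the system directory so that a DLL of the
    // same name placed next to the executable cannot be picked up first (DLL
    // search-order hijacking). Returns NULL if the path cannot be built or the
    // load fails.
    static HMODULE LoadSystemSlc(void)
    {
        wchar_t path[MAX_PATH];
        UINT n = GetSystemDirectoryW(path, MAX_PATH);
        if (n == 0 || n > MAX_PATH - 9) {   // room for "\\slc.dll" plus the terminator
            return NULL;
        }
        lstrcatW(path, L"\\slc.dll");
        return LoadLibraryW(path);
    }

    /*
     * Installs PKeyIn as a proof of purchase through slc.dll.
     * Returns the HRESULT of SLInstallProofOfPurchase (0 == success), or 1 when
     * slc.dll or one of its exports could not be resolved or SLOpen failed.
     *
     * Changes versus the original listing: each GetProcAddress result is checked
     * before being called, slc.dll is loaded by full path, and the library is
     * released with FreeLibrary followed by a normal return. The original called
     * FreeLibraryAndExitThread from main, which ends the primary thread without
     * CRT shutdown (atexit handlers, stdio flush) and never reaches `return`.
     * NOTE(review): this changes machine-wide licensing state and presumably needs
     * an elevated process; the returned HRESULT is the only indication of failure.
     */
    int main()
    {
        int Status = 1;
        HMODULE hSlc = LoadSystemSlc();
        if (hSlc == NULL) {
            return Status;
        }
        SLOpen pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
        SLClose pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
        SLInstallProofOfPurchase pSLInstallProofOfPurchase =
            (SLInstallProofOfPurchase) GetProcAddress(hSlc, "SLInstallProofOfPurchase");
        if (pSLOpen && pSLClose && pSLInstallProofOfPurchase) {
            HANDLE spp = NULL;
            GUID PKeyId = GUID_NULL;        // receives the id assigned to the installed key
            if (pSLOpen(&spp) == ERROR_SUCCESS) {
                // No key-specific data: size 0 and a NULL buffer, as in the original.
                Status = pSLInstallProofOfPurchase(spp, PKeyType, PKeyIn, 0, NULL, &PKeyId);
                pSLClose(spp);              // pair every successful SLOpen with SLClose
            }
        }
        FreeLibrary(hSlc);
        return Status;
    }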
    
     


    #5 nononsence, Feb 20, 2012
    And my last one for now: how to install a certificate (license) natively. The certificate bytes come from cert.h and are passed to SLInstallLicense together with their size; the GUID passed by address presumably receives the id of the installed license.
    Code:
    #include "stdafx.h"
    #include "cert.h"
    
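    // slc.dll entry points, resolved with GetProcAddress. NOTE(review): the Windows
    // SDK header slpublic.h declares these with typed parameters (an HSLC context
    // handle, SLID GUIDs) and HRESULT returns; the typedefs below follow the way
    // this listing calls them. SLOpen writes the new context handle through its
    // argument (the call site passes &hSl), which the original's plain HANDLE hid.
    typedef HRESULT (WINAPI *SLOpen)(HANDLE* phContext);
    typedef HRESULT (WINAPI *SLClose)(HANDLE hContext);
    typedef HRESULT (WINAPI *SLInstallLicense)(HANDLE hContext, ULONG CertLength,
                                               const UCHAR* Cert, GUID* pLicenseId);

    // Loads slc.dll by full path from the system directory so that a DLL of the
    // same name placed next to the executable cannot be picked up first (DLL
    // search-order hijacking). Returns NULL if the path cannot be built or the
    // load fails.
    static HMODULE LoadSystemSlc(void)
    {
        wchar_t path[MAX_PATH];
        UINT n = GetSystemDirectoryW(path, MAX_PATH);
        if (n == 0 || n > MAX_PATH - 9) {   // room for "\\slc.dll" plus the terminator
            return NULL;
        }
        lstrcatW(path, L"\\slc.dll");
        return LoadLibraryW(path);
    }

    /*
     * Installs the license blob `Cert` (declared in cert.h) through slc.dll.
     * Returns the HRESULT of SLInstallLicense (0 == success), or 1 when slc.dll or
     * one of its exports could not be resolved or SLOpen failed.
     *
     * Changes versus the original listing: each GetProcAddress result is checked
     * before being called, slc.dll is loaded by full path, and the library is
     * released with FreeLibrary followed by a normal return instead of
     * FreeLibraryAndExitThread, which ends the primary thread without CRT
     * shutdown and never reaches `return`.
     * NOTE(review): sizeof(Cert) is the blob length only if cert.h declares Cert
     * as an array; for a pointer it would be the pointer size -- confirm.
     * Installing a license presumably needs an elevated process.
     */
    int main()
    {
        int Status = 1;
        HMODULE hSlc = LoadSystemSlc();
        if (hSlc == NULL) {
            return Status;
        }
        SLOpen pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
        SLClose pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
        SLInstallLicense pSLInstallLicense = (SLInstallLicense) GetProcAddress(hSlc, "SLInstallLicense");
        if (pSLOpen && pSLClose && pSLInstallLicense) {
            HANDLE hSl = NULL;
            GUID LicenseId = GUID_NULL;     // receives the id of the installed license
            ULONG CertSize = sizeof(Cert);
            if (pSLOpen(&hSl) == ERROR_SUCCESS) {
                Status = pSLInstallLicense(hSl, CertSize, Cert, &LicenseId);
                pSLClose(hSl);              // pair every successful SLOpen with SLClose
            }
        }
        FreeLibrary(hSlc);
        return Status;
    }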
    
     


    #6 nononsence, Feb 20, 2012
    A quick key/certificate installer that installs an Acer certificate and key.

    EDIT:

    added supported OS/Product range checking
     


    #8 nononsence, Feb 24, 2012
    Found this today: after you install or uninstall the key or certificate you have to fire the "licensingstatechanged" event
    (or reboot) for the change to take effect. I won't post a working example, but here is enough to get you started:
    Code:
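    // slc.dll's SLFireEvent, resolved with GetProcAddress: takes the context handle
    // from SLOpen, an event id string and the application SLID the event applies to.
    // NOTE(review): slpublic.h in the Windows SDK declares it with HSLC/SLID types
    // and an HRESULT return; this typedef mirrors how the thread calls it.
    typedef HRESULT (WINAPI *SLFireEvent)(HANDLE hContext, const wchar_t* Event, const GUID* Slid);
    // Event fired after a key or license is installed/uninstalled so the change is picked up without a reboot.
    wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
    // Application id of Windows, usable as `GUID id = WINDOWS_SLID;`. The macro no
    // longer carries a trailing ';' -- the original's did, which only compiled
    // because the use site left its own semicolon out.
    #define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, {0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f}}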
    
     
    #9 nononsence, Feb 24, 2012
    Uninstalling a product key
    Code:
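    // slc.dll entry points, resolved with GetProcAddress. NOTE(review): the Windows
    // SDK header slpublic.h declares these with typed parameters (an HSLC context,
    // SLID GUIDs, UINT counts) and HRESULT returns; the typedefs below follow how
    // this listing calls them. The original used int both for the count and for
    // the returned list pointers: on a 64-bit build that truncates the pointer and
    // lets the API write 8 bytes into a 4-byte local, so pointer-sized types are
    // used here.
    typedef HRESULT (WINAPI *SLOpen)(HANDLE* phContext);
    typedef HRESULT (WINAPI *SLClose)(HANDLE hContext);
    typedef HRESULT (WINAPI *SLUninstallProofOfPurchase)(HANDLE hContext, const GUID* pPKeyId);
    typedef HRESULT (WINAPI *SLGetSLIDList)(HANDLE hContext, UINT QueryIdType, const GUID* pQueryId,
                                            UINT ReturnIdType, UINT* pCount, GUID** ppReturnIds);
    typedef HRESULT (WINAPI *SLFireEvent)(HANDLE hContext, const wchar_t* Event, const GUID* Slid);
    typedef HRESULT (WINAPI *SLGetLicensingStatusInformation)(HANDLE hContext, const GUID* pAppId,
                                                              const GUID* pSkuId, const wchar_t* RightName,
                                                              UINT* pCount, BYTE** ppStatus);
    //
    wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
    // Application id of Windows. The macro no longer carries a trailing ';' (the
    // original's did, which only compiled because the use site left its own out).
    #define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, {0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f}}
    //
    // One entry of the array SLGetLicensingStatusInformation returns, laid out as
    // the original walked it: 40 bytes per entry, a GUID at +0, a DWORD at +16 that
    // must be 1 and a DWORD at +20 that must be 0 for the entry we want.
    // NOTE(review): this matches the SDK's SL_LICENSING_STATUS (SkuId, eStatus,
    // dwGraceTime, dwTotalGraceDays, hrReason, qwValidityExpiration), where an
    // eStatus of 1 means licensed -- verify the field names against slpublic.h.
    struct LicensingStatusRecord {
        GUID      SkuId;               // +0
        DWORD     Status;              // +16
        DWORD     GraceTime;           // +20
        DWORD     TotalGraceDays;      // +24
        DWORD     Reason;              // +28
        ULONGLONG ValidityExpiration;  // +32; 8-byte alignment makes the record 40 bytes
    };
    C_ASSERT(sizeof(LicensingStatusRecord) == 40);

    // Loads slc.dll by full path from the system directory so that a DLL of the
    // same name placed next to the executable cannot be picked up first (DLL
    // search-order hijacking). Returns NULL if the path cannot be built or the
    // load fails.
    static HMODULE LoadSystemSlc(void)
    {
        wchar_t path[MAX_PATH];
        UINT n = GetSystemDirectoryW(path, MAX_PATH);
        if (n == 0 || n > MAX_PATH - 9) {   // room for "\\slc.dll" plus the terminator
            return NULL;
        }
        lstrcatW(path, L"\\slc.dll");
        return LoadLibraryW(path);
    }

    /*
     * Uninstalls the product key of the licensed Windows SKU and fires the
     * licensing-state-changed event.
     *
     * Steps (as in the original): query licensing status for the Windows
     * application id, pick the SKU whose status record has +16 == 1 and +20 == 0
     * (the last such record wins, as before), ask SLGetSLIDList with selectors 1/4
     * for the ids attached to that SKU, and uninstall the first id returned.
     * Returns the HRESULT of SLUninstallProofOfPurchase (0 == success) or 1 when
     * slc.dll, an export, SLOpen or a lookup failed or no licensed SKU was found.
     *
     * Changes versus the original: pointer-sized types for the returned lists and
     * counts, every export checked before use, both lists freed with LocalFree
     * (SDK documentation for these calls -- the original leaked them), no
     * SLGetSLIDList query with a null GUID when nothing matched, no dereference of
     * an empty list, FreeLibrary before returning, slc.dll loaded by full path.
     * NOTE(review): this changes machine-wide licensing state and presumably needs
     * an elevated process.
     */
    int _tmain(int argc, _TCHAR* argv[])
    {
        int Status = 1;
        HMODULE hSlc = LoadSystemSlc();
        (void)argc;
        (void)argv;
        if (hSlc == NULL) {
            return Status;
        }
        SLOpen pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
        SLClose pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
        SLGetSLIDList pSLGetSLIDList = (SLGetSLIDList) GetProcAddress(hSlc, "SLGetSLIDList");
        SLUninstallProofOfPurchase pSLUninstallProofOfPurchase =
            (SLUninstallProofOfPurchase) GetProcAddress(hSlc, "SLUninstallProofOfPurchase");
        SLFireEvent pSLFireEvent = (SLFireEvent) GetProcAddress(hSlc, "SLFireEvent");
        SLGetLicensingStatusInformation pSLGetLicensingStatusInformation =
            (SLGetLicensingStatusInformation) GetProcAddress(hSlc, "SLGetLicensingStatusInformation");

        if (pSLOpen && pSLClose && pSLGetSLIDList && pSLUninstallProofOfPurchase &&
            pSLFireEvent && pSLGetLicensingStatusInformation) {
            HANDLE spp = NULL;
            if (pSLOpen(&spp) == ERROR_SUCCESS) {
                GUID WindowsSlid = WINDOWS_SLID;
                GUID OemSlp = GUID_NULL;
                BOOL found = FALSE;
                UINT Count = 0;
                BYTE* StatusList = NULL;

                if (pSLGetLicensingStatusInformation(spp, &WindowsSlid, NULL, NULL, &Count, &StatusList)
                        == ERROR_SUCCESS && StatusList != NULL) {
                    for (UINT i = 0; i < Count; i++) {
                        LicensingStatusRecord rec;
                        CopyMemory(&rec, StatusList + i * sizeof(rec), sizeof(rec));
                        if (rec.Status == 1 && rec.GraceTime == 0) {
                            OemSlp = rec.SkuId;
                            found = TRUE;
                        }
                    }
                    LocalFree(StatusList);
                }

                if (found) {
                    GUID* KeyIds = NULL;
                    Count = 0;
                    if (pSLGetSLIDList(spp, 1, &OemSlp, 4, &Count, &KeyIds) == ERROR_SUCCESS && KeyIds != NULL) {
                        if (Count > 0) {
                            Status = pSLUninstallProofOfPurchase(spp, &KeyIds[0]);  // first id only, as before
                        }
                        LocalFree(KeyIds);
                    }
                }
                pSLFireEvent(spp, SlEvent, &WindowsSlid);  // needed for the change to take effect (see above)
                pSLClose(spp);
            }
        }
        FreeLibrary(hSlc);
        return Status;
    }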
    
     
    #10 nononsence, Feb 26, 2012
    Uninstalling a certificate. The GUID for the certificate can be found by opening the certificate file and looking for its licenseId attribute, e.g.:
    Code:
    licenseId="{391c32e3-e599-4a7a-bab9-c3ce90ac0463}"
    
    The license is not removed from tokens.dat until something (I have not found what) triggers it; unfortunately I could not
    find a way to retrieve a list of all installed certificates.
    Code:
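    // slc.dll entry points, resolved with GetProcAddress. NOTE(review): the Windows
    // SDK header slpublic.h declares these with typed parameters (an HSLC context,
    // SLID GUIDs, UINT counts) and HRESULT returns; the typedefs below follow how
    // this listing calls them. The original used int for the count and for the
    // returned list pointer, which truncates a pointer on 64-bit builds and lets
    // the API write 8 bytes into a 4-byte local; pointer-sized types are used here.
    typedef HRESULT (WINAPI *SLOpen)(HANDLE* phContext);
    typedef HRESULT (WINAPI *SLClose)(HANDLE hContext);
    typedef HRESULT (WINAPI *SLFireEvent)(HANDLE hContext, const wchar_t* Event, const GUID* Slid);
    typedef HRESULT (WINAPI *SLUninstallLicense)(HANDLE hContext, const GUID* pLicenseId);
    typedef HRESULT (WINAPI *SLGetSLIDList)(HANDLE hContext, UINT QueryIdType, const GUID* pQueryId,
                                            UINT ReturnIdType, UINT* pCount, GUID** ppReturnIds);
    //
    // License ids (the licenseId attribute inside each certificate file) and the
    // Windows application id. The macros carry no trailing ';' (the original's did).
    #define ALIENWARE_CERT {0x18e07197, 0x9646, 0x49b5, {0x8a, 0x6a, 0xf1, 0x6d, 0xb9, 0x0d, 0x80, 0x15}}
    #define ACER_CERT {0x391c32e3, 0xe599, 0x4a7a, {0xba, 0xb9, 0xc3, 0xce, 0x90, 0xac, 0x04, 0x63}}
    #define ASUS_CERT {0xecb4ab2f, 0x58a3, 0x4455, {0xb9, 0x5a, 0x3b, 0x58, 0x22, 0x56, 0x1c, 0x2a}}
    #define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, {0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f}}
    wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
    //
    // Loads slc.dll by full path from the system directory so that a DLL of the
    // same name placed next to the executable cannot be picked up first (DLL
    // search-order hijacking). Returns NULL if the path cannot be built or the
    // load fails.
    static HMODULE LoadSystemSlc(void)
    {
        wchar_t path[MAX_PATH];
        UINT n = GetSystemDirectoryW(path, MAX_PATH);
        if (n == 0 || n > MAX_PATH - 9) {   // room for "\\slc.dll" plus the terminator
            return NULL;
        }
        lstrcatW(path, L"\\slc.dll");
        return LoadLibraryW(path);
    }

    /*
     * Uninstalls the license whose id is `Cert` (ASUS_CERT as written; change the
     * initialiser for another vendor) and fires the licensing-state-changed event.
     * Returns the HRESULT of SLUninstallLicense (0 == success) or 1 when slc.dll,
     * one of its exports, SLOpen or the id lookup failed, or no id was returned.
     *
     * The selectors 3 and 2 passed to SLGetSLIDList are taken from the original;
     * only the first returned id is acted on, as before.
     * Changes versus the original: pointer-sized types for the returned list and
     * count, every export checked before use, the list freed with LocalFree (SDK
     * documentation for SLGetSLIDList -- the original leaked it), an empty list no
     * longer dereferenced, slc.dll loaded by full path.
     * NOTE(review): this changes machine-wide licensing state and presumably needs
     * an elevated process.
     */
    int _tmain(int argc, _TCHAR* argv[])
    {
        int Status = 1;
        HMODULE hSlc = LoadSystemSlc();
        (void)argc;
        (void)argv;
        if (hSlc == NULL) {
            return Status;
        }
        SLOpen pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
        SLClose pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
        SLUninstallLicense pSLUninstallLicense = (SLUninstallLicense) GetProcAddress(hSlc, "SLUninstallLicense");
        SLFireEvent pSLFireEvent = (SLFireEvent) GetProcAddress(hSlc, "SLFireEvent");
        SLGetSLIDList pSLGetSLIDList = (SLGetSLIDList) GetProcAddress(hSlc, "SLGetSLIDList");

        if (pSLOpen && pSLClose && pSLUninstallLicense && pSLFireEvent && pSLGetSLIDList) {
            HANDLE hSl = NULL;
            if (pSLOpen(&hSl) == ERROR_SUCCESS) {
                GUID WindowsSlid = WINDOWS_SLID;
                GUID Cert = ASUS_CERT;
                UINT Count = 0;
                GUID* LicenseIds = NULL;
                if (pSLGetSLIDList(hSl, 3, &Cert, 2, &Count, &LicenseIds) == ERROR_SUCCESS &&
                    LicenseIds != NULL) {
                    if (Count > 0) {
                        Status = pSLUninstallLicense(hSl, &LicenseIds[0]);
                    }
                    LocalFree(LicenseIds);
                }
                pSLFireEvent(hSl, SlEvent, &WindowsSlid);   // needed for the change to take effect
                pSLClose(hSl);
            }
        }
        FreeLibrary(hSlc);
        return Status;
    }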
    
     