Undocumented Windows functions.

Discussion in 'Mixed Languages' started by nononsence, Feb 18, 2012.

  1. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #1 nononsence, Feb 18, 2012
    Last edited by a moderator: Apr 20, 2017
    In this thread I am going to post a few undocumented Windows functions I discovered while writing the WindSLIC EFI installer.
    This first one demonstrates undocumented NtQuerySystemInformation information class #90, which I use to detect an EFI
    system.

    In this code example I am using run-time dynamic linking to retrieve a pointer to the NtQuerySystemInformation function
    in ntdll.dll, which is similar to P/Invoke in .NET and is very handy when working with undocumented functions.


    Code:
    #include <stdio.h>
    #include <Windows.h>
    
    // Hand-declared prototype of ntdll's NtQuerySystemInformation. Windows.h does
    // not declare it, so the program resolves it at run time with GetProcAddress.
    // ReturnLength is optional; the caller below passes NULL for it.
    typedef NTSTATUS (NTAPI *NtQuerySystemInformation) (
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength OPTIONAL
    );
    
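    /// Reports whether Windows was booted under UEFI firmware.
    /// Queries the undocumented SystemBootEnvironmentInformation class (90) of
    /// NtQuerySystemInformation, resolved at run time from ntdll.dll, and prints
    /// "is EFI" or "not EFI" to the console.
    /// Returns 1 when the firmware type is UEFI, 0 otherwise (including when the
    /// query could not be made at all).
    int main (void)
    {
        int ret = 0;
        // Layout as used by the original post: a 16-byte GUID (Buffer[0..3])
        // followed by the FIRMWARE_TYPE value in Buffer[4]; 2 means UEFI.
        // NOTE(review): newer Windows versions may expect a larger structure for
        // this class and reject this length with an error status, which this
        // program reports as "not EFI" -- confirm on the target OS. Where the
        // documented GetFirmwareType() (Windows 8+) is available it is the
        // supported way to get the same answer.
        DWORD Buffer[5] = {};
        const wchar_t* out = L"not EFI\n";
        HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);

        HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
        if (hNtdll != NULL) {
            // GetProcAddress returns NULL when the export is missing; the
            // original called through the pointer without checking it.
            NtQuerySystemInformation pNtQuerySystemInformation =
                reinterpret_cast<NtQuerySystemInformation>(GetProcAddress(hNtdll, "NtQuerySystemInformation"));
            if (pNtQuerySystemInformation != NULL
                && pNtQuerySystemInformation(90, Buffer, sizeof(Buffer), NULL) == 0
                && Buffer[4] == 2) {
                ret = 1;
                out = L"is EFI\n";
            }
        }

        // Always report the result, even if ntdll could not be resolved.
        ULONG CharsWritten = 0;
        WriteConsoleW(StdOut, out, lstrlenW(out), &CharsWritten, NULL);
        // The handle returned by GetStdHandle is not owned by this program and
        // must not be closed (the original called CloseHandle on it).
        return ret;
    }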
    
     


  2. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #2 nononsence, Feb 18, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    This next one is NtQuerySystemInformation information class #98, which returns the system volume; I added dynamic memory
    allocation to this one.

    Code:
    #include <stdio.h>
    #include <Windows.h>
    
    // Hand-declared prototype of ntdll's NtQuerySystemInformation. Windows.h does
    // not declare it, so the program resolves it at run time with GetProcAddress.
    // ReturnLength is optional; the caller below passes NULL for it.
    typedef NTSTATUS (NTAPI *NtQuerySystemInformation) (
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength OPTIONAL
    );
    
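    /// Prints the NT device path of the system partition (for example
    /// "\Device\HarddiskVolume1") obtained through the undocumented
    /// SystemSystemPartitionInformation class (98) of NtQuerySystemInformation.
    /// Returns 0 when the path was printed, 1 if it could not be obtained.
    int main (void)
    {
        // The class fills the buffer with a UNICODE_STRING-shaped header
        // (Length and MaximumLength in bytes, then the Buffer pointer) followed
        // by the string data. The original read the text at a fixed offset of
        // 8 bytes, which is only where it lands when the pointer is 4 bytes
        // wide; going through the pointer works for 32- and 64-bit builds.
        // NOTE(review): assumes the returned Buffer points inside our own
        // allocation -- confirm on the target OS.
        struct NtString {
            USHORT Length;
            USHORT MaximumLength;
            wchar_t* Buffer;
        };
        int ret = 1;
        HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
        // Private heap as in the original; a non-zero maximum size means it
        // cannot grow beyond 1024 bytes. It is destroyed before returning.
        HANDLE hHeap = HeapCreate(0, 512, 1024);
        if (hHeap == NULL) {
            return ret;
        }
        // 128 bytes matches the original; a longer device path makes the query
        // fail and the program print nothing.
        UCHAR* Buffer = static_cast<UCHAR*>(HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 128));
        HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
        if (Buffer != NULL && hNtdll != NULL) {
            // GetProcAddress returns NULL when the export is missing; the
            // original called through the pointer without checking it.
            NtQuerySystemInformation pNtQuerySystemInformation =
                reinterpret_cast<NtQuerySystemInformation>(GetProcAddress(hNtdll, "NtQuerySystemInformation"));
            if (pNtQuerySystemInformation != NULL
                && pNtQuerySystemInformation(98, Buffer, 128, NULL) == 0) {
                const NtString* Partition = reinterpret_cast<const NtString*>(Buffer);
                if (Partition->Buffer != NULL) {
                    ULONG CharsWritten = 0;
                    // Length is a byte count; WriteConsoleW wants characters.
                    WriteConsoleW(StdOut, Partition->Buffer,
                                  Partition->Length / sizeof(wchar_t), &CharsWritten, NULL);
                    ret = 0;
                }
            }
        }
        if (Buffer != NULL) {
            HeapFree(hHeap, 0, Buffer);
        }
        HeapDestroy(hHeap);
        // The handle returned by GetStdHandle is not owned by this program and
        // must not be closed (the original called CloseHandle on it).
        return ret;
    }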
    
    output:
    Code:
    "\Device\HarddiskVolume1"
    
     


  3. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #3 nononsence, Feb 19, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    This one shows how to install a product key with the SppComApi.dll COM object. I am using isolated COM and a patched sppcomapi.dll to display the
    key from the registry; you do not need the patched file to install a product key.

    Code:
    #include "stdafx.h"
    #include "ViewKey.h"
    #import "sppcomapi.tlb"
    using namespace SppComApiLib;
    
    wchar_t* PKeyIn = L"VQ3PY-VRX6D-CBG4J-8C6R2-TCVBD\0";
    
    // Installs PKeyIn through the SppComApi COM objects and prints the registry's
    // default key before and after. The exit code is whatever the last Release()
    // returned (an object reference count), not a success flag.
    int main(int argc, _TCHAR* argv[])
    {
    unsigned long Status;
    // COM
    ILicensingStateTools* LicensingStateTools = NULL;
    ISPPLUA* SPPLUA = NULL;
    IUnknown* IUkn = NULL;
    // [out] BSTR filled by get_DefaultKeyFromRegistry; it is never released with
    // SysFreeString in this program, so both calls below leak it.
    BSTR PKeyOut;
    HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    HANDLE hHeap = GetProcessHeap();
    wchar_t* OutBuffer;
    // CoInitialize returns an HRESULT; 0 is S_OK. S_FALSE (COM already
    // initialised on this thread) is also a success code but is rejected here.
    if(CoInitialize(NULL) != ERROR_SUCCESS) {
    return 1;
    }
    if(CoCreateInstance(CLSID_SPPLUAObject, NULL, CLSCTX_INPROC_SERVER, IID_IUnknown, (LPVOID *)&IUkn) == ERROR_SUCCESS) {
    Status = IUkn->QueryInterface(IID_ISPPLUA, (LPVOID *)&SPPLUA);
    }
    // IUkn is overwritten without a Release(), so the first object's IUnknown
    // reference is leaked; only the second one is released at the end.
    if(CoCreateInstance(CLSID_LicensingStateTools, NULL, CLSCTX_INPROC_SERVER, IID_IUnknown, (LPVOID *)&IUkn) == ERROR_SUCCESS) {
    Status = IUkn->QueryInterface(IID_ILicensingStateTools, (LPVOID *)&LicensingStateTools);
    }
    // 1024 bytes = 512 wide characters. wsprintf takes no buffer size, so an
    // over-long %s argument would overrun it; StringCchPrintfW with the element
    // count is the bounded alternative. HeapAlloc's result is not checked.
    OutBuffer = (wchar_t*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 1024);
    if(LicensingStateTools) {
    LicensingStateTools->get_DefaultKeyFromRegistry(&PKeyOut);
    wsprintf(OutBuffer,L"current product key: %s\n\n\0", PKeyOut);
    WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    }
    wsprintf(OutBuffer, L"installing key: %s\n\0", PKeyIn);
    WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    // A zeroed SAFEARRAY descriptor from HeapAlloc rather than SafeArrayCreate.
    // NOTE(review): whether the callee accepts this (or NULL) as "no data" is
    // not verified here. Neither allocation is checked for NULL.
    SAFEARRAY* SafeArray = (SAFEARRAY*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(SAFEARRAY));
    GUID* pPKeyId = (GUID*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(GUID));
    if(SPPLUA && SPPLUA->SLLUAInstallProofOfPurchase(L"msft:rm/algorithm/pkey/2005\0", PKeyIn, SafeArray, pPKeyId) == ERROR_SUCCESS) {
    wsprintf(OutBuffer, L"key installed successfully\n\n\0");
    WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    }
    
    if(LicensingStateTools) {
    LicensingStateTools->get_DefaultKeyFromRegistry(&PKeyOut);
    wsprintf(OutBuffer, L"new Key: %s\n\0", PKeyOut);
    WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    }
    if(LicensingStateTools) {
    Status = LicensingStateTools->Release();
    }
    if(SPPLUA) {
    Status = SPPLUA->Release();
    }
    // Unconditional: dereferences NULL if both CoCreateInstance calls failed.
    Status = IUkn->Release();
    CoUninitialize();
    // The handle from GetStdHandle is not owned by this program; closing it is
    // unnecessary.
    CloseHandle(StdOut);
    HeapFree(hHeap, 0, SafeArray);
    HeapFree(hHeap, 0, pPKeyId);
    HeapFree(hHeap, 0, OutBuffer);
    return Status;
    }
    
    source code:

    http://www.mediafire.com/?o9cm38w5je3x3p0
     
  4. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #4 nononsence, Feb 19, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Don't like COM? This is the native way to install a key.
    I don't know whether calling SLClose() is necessary, but it seems logical to do so.
    Code:
    #include "stdafx.h"
    
    // Function-pointer types for the slc.dll exports resolved in main. They are
    // written with generic HANDLE/wchar_t* parameters; the documented prototypes
    // (slpublic.h) take an HSLC* for SLOpen -- the handle is written back, which
    // is why main passes &spp -- and a SLID* for the last argument of
    // SLInstallProofOfPurchase.
    typedef int (WINAPI *SLOpen)(HANDLE Ukn);
    typedef int (WINAPI *SLClose)(HANDLE Ukn);
    typedef int (WINAPI *SLInstallProofOfPurchase)(HANDLE Ukn, wchar_t* PKeyType, wchar_t* PKeyIn, ULONG PKeyDataSize, wchar_t* PKeyData, GUID* PKeyId);
    // Key and algorithm name as posted. NOTE(review): binding a string literal
    // to a non-const wchar_t* is deprecated C++; const wchar_t* is the correct
    // type, and the explicit "\0" is redundant.
    wchar_t* PKeyIn = L"FJGCP-4DFJD-GJY49-VJBQ7-HYRR2\0";
    wchar_t* PKeyType = L"msft:rm/algorithm/pkey/2005\0";
    
    // Installs PKeyIn with the native Software Licensing API. Intended to return
    // the result of SLInstallProofOfPurchase, or 1 if slc.dll could not be loaded
    // or the session could not be opened -- but see the note on
    // FreeLibraryAndExitThread below: once slc.dll is loaded, 'return' is never
    // reached.
    int main()
    {
    // Declared ULONG although the API returns an HRESULT; a failure HRESULT
    // shows up as a large unsigned value.
    ULONG Status = 1;
    SLOpen pSLOpen = NULL;
    SLClose pSLClose = NULL;
    SLInstallProofOfPurchase pSLInstallProofOfPurchase = NULL;
    HMODULE hSlc = NULL;
    // Session handle written back by SLOpen.
    HANDLE spp = NULL;
    // Receives the id of the installed key.
    GUID PKeyId = GUID_NULL;
    hSlc = LoadLibrary(L"slc.dll");
    if(hSlc) {
    // None of the three lookups is checked for NULL before use; a missing
    // export would crash at the call below.
    pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
    pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
    pSLInstallProofOfPurchase = (SLInstallProofOfPurchase) GetProcAddress(hSlc, "SLInstallProofOfPurchase");
    if(pSLOpen(&spp) == ERROR_SUCCESS) {
    // No key-specific data: size 0 and a NULL buffer.
    Status = pSLInstallProofOfPurchase(spp, PKeyType, PKeyIn, 0, 0, &PKeyId);
    pSLClose(spp);
    }
    // FreeLibraryAndExitThread terminates the calling thread -- here the main
    // thread -- so 'return Status' below is skipped and the C runtime's normal
    // shutdown does not run. Post #10 uses plain FreeLibrary(hSlc), which is
    // the fix.
    FreeLibraryAndExitThread(hSlc, Status);
    }
    return Status;
    }
    
     


  5. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #5 nononsence, Feb 20, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    And my last one for now is how to install a certificate natively.
    Code:
    #include "stdafx.h"
    #include "cert.h"
    
    // Function-pointer types for the slc.dll exports resolved in main. Written
    // with generic HANDLE parameters; the documented prototypes (slpublic.h) take
    // an HSLC* for SLOpen -- the handle is written back, hence &hSl in main --
    // and a SLID* for the last argument of SLInstallLicense.
    typedef int (WINAPI *SLOpen)(HANDLE Ukn);
    typedef int (WINAPI *SLClose)(HANDLE Ukn);
    typedef int (WINAPI *SLInstallLicense)(HANDLE Ukn, ULONG CertLength, UCHAR* Cert, GUID* pPkeyId);
    
    // Installs the license blob 'Cert' from cert.h with the native Software
    // Licensing API. Intended to return the result of SLInstallLicense, or 1 if
    // slc.dll could not be loaded or the session could not be opened -- but see
    // the note on FreeLibraryAndExitThread below: once slc.dll is loaded,
    // 'return' is never reached.
    int main()
    {
    // Declared ULONG although the API returns an HRESULT; a failure HRESULT
    // shows up as a large unsigned value.
    ULONG Status = 1;
    SLOpen pSLOpen = NULL;
    SLClose pSLClose = NULL;
    SLInstallLicense pSLInstallLicense = NULL;
    HMODULE hSlc = NULL;
    // Session handle written back by SLOpen.
    HANDLE hSl = NULL;
    // sizeof(Cert) is the blob's byte size only if cert.h defines Cert as an
    // array; for a pointer it would be the pointer size (cert.h is not shown).
    ULONG CertSize = sizeof(Cert);
    // Receives the id the license is bound to.
    GUID pKeyId = GUID_NULL;
    hSlc = LoadLibrary(L"slc.dll");
    if (hSlc) {
    // None of the three lookups is checked for NULL before use; a missing
    // export would crash at the call below.
    pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
    pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
    pSLInstallLicense = (SLInstallLicense) GetProcAddress(hSlc, "SLInstallLicense");
    if(pSLOpen(&hSl) == ERROR_SUCCESS) {
    Status = pSLInstallLicense(hSl, CertSize, Cert, &pKeyId);
    pSLClose(hSl);
    }
    // FreeLibraryAndExitThread terminates the calling thread -- here the main
    // thread -- so 'return Status' below is skipped and the C runtime's normal
    // shutdown does not run. Post #10 uses plain FreeLibrary(hSlc), which is
    // the fix.
    FreeLibraryAndExitThread(hSlc, Status);
    }
    return Status;
    }
    
     


  6. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #6 nononsence, Feb 20, 2012
    Last edited: Mar 5, 2012
    (OP)
    A quick key/certificate installer; it installs an Acer certificate and key.

    EDIT:

    added supported OS/Product range checking
     


  7. Alphawaves

    Alphawaves Super Moderator/Developer
    Staff Member

    Aug 11, 2008
    5,886
    20,283
    180
    Awesome work nononsence..:worthy:
     
  8. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #8 nononsence, Feb 24, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Found this today: when you install or uninstall the key or cert you have to fire the "licensingstatechanged" event
    or reboot. I won't post a working example, but will post enough to get you started.
    Code:
    // Prototype for slc.dll's SLFireEvent (documented in slpublic.h), plus the
    // event name and the Windows application id it is fired for in posts #9/#10.
    typedef int (WINAPI *SLFireEvent)(HANDLE Ukn, wchar_t* Event, GUID* Slid);
    wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
    // NOTE(review): the macro body ends with ';', so 'GUID g = WINDOWS_SLID;'
    // expands to a double semicolon and 'GUID g = WINDOWS_SLID' without one only
    // compiles by accident -- drop the trailing ';' from the macro.
    #define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f};
    
     
  9. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #9 nononsence, Feb 24, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Uninstalling a product key
    Code:
    // Function-pointer types for the slc.dll exports resolved in _tmain. The
    // parameters are written with generic int/HANDLE types; the documented
    // prototypes (slpublic.h) use HSLC*, SLIDTYPE, SLID*, UINT* and pointer
    // outputs. Note the 'int' outputs (pPKeyId, Out) really receive pointers
    // that the caller must release with LocalFree.
    typedef int (WINAPI *SLOpen)(HANDLE Ukn);
    typedef int (WINAPI *SLClose)(HANDLE Ukn);
    typedef int (WINAPI *SLUninstallProofOfPurchase)(HANDLE Ukn, int PKeyId);
    typedef int (WINAPI *SLGetSLIDList)(HANDLE Ukn, int Ukn1, GUID* Ukn2, int Ukn3, int* Count , int* pPKeyId);
    typedef int (WINAPI *SLFireEvent)(HANDLE Ukn, wchar_t* Event, GUID* Slid);
    typedef int (WINAPI *SLGetLicensingStatusInformation)(HANDLE Ukn, GUID* Ukn1, int Ukn2, int Ukn3, int* Count, int* Out);
    //
    wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
    // NOTE(review): the macro body ends with ';' -- see how _tmain below has to
    // omit its own semicolon to compensate. Drop the ';' from the macro.
    #define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f};
    //
    // Finds the licensed Windows SKU, uninstalls the product key bound to it and
    // fires the licensing-state-changed event. Returns the result of
    // SLUninstallProofOfPurchase, or 1 if an earlier step failed.
    int _tmain(int argc, _TCHAR* argv[])
    {
    // Declared ULONG although the API returns an HRESULT.
    ULONG Status = 1;
    SLOpen pSLOpen = NULL;
    SLClose pSLClose = NULL;
    SLUninstallProofOfPurchase pSLUninstallProofOfPurchase = NULL;
    SLGetSLIDList pSLGetSLIDList = NULL;
    SLGetLicensingStatusInformation pSLGetLicensingStatusInformation = NULL;
    SLFireEvent pSLFireEvent = NULL;
    HMODULE hSlc = NULL;
    HANDLE spp = NULL;
    GUID OemSlp = GUID_NULL;
    // No semicolon here on purpose: the WINDOWS_SLID macro supplies one.
    GUID WindowsSlid = WINDOWS_SLID
    // NOTE(review): KeyId receives a pointer from the API (it is used as a base
    // address in 'KeyId + pos' below) but is declared int, which truncates the
    // pointer on 64-bit builds; a BYTE*/SLID* is the right type. The buffers
    // the API returns are documented as released with LocalFree, which this
    // program never does.
    int KeyId = 0;
    int Count = 0;
    
    // LoadLibrary without a matching FreeLibrary (post #10 has one).
    hSlc = LoadLibrary(L"slc.dll");
    if(hSlc) {
    // None of the lookups is checked for NULL before use.
    pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
    pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
    pSLGetSLIDList = (SLGetSLIDList) GetProcAddress(hSlc, "SLGetSLIDList");
    pSLUninstallProofOfPurchase = (SLUninstallProofOfPurchase) GetProcAddress(hSlc, "SLUninstallProofOfPurchase");
    pSLFireEvent = (SLFireEvent) GetProcAddress(hSlc, "SLFireEvent");
    pSLGetLicensingStatusInformation = (SLGetLicensingStatusInformation) GetProcAddress(hSlc, "SLGetLicensingStatusInformation");
    
    if(pSLOpen(&spp) == ERROR_SUCCESS) {
    if(pSLGetLicensingStatusInformation(spp, &WindowsSlid, 0, 0, &Count, &KeyId) == ERROR_SUCCESS) {
    // uninstall key
    if(KeyId != NULL) {
    int pos = 0;
    // Walks Count records of 40 bytes each: a 16-byte SKU id followed by a
    // status DWORD at +16 and a grace-time DWORD at +20; the record with
    // status 1 and grace time 0 is taken as the licensed SKU. NOTE(review):
    // this matches the documented SL_LICENSING_STATUS layout (SkuId,
    // eStatus, dwGraceTime, ...) -- confirm against slpublic.h. 'i < Count'
    // compares unsigned with signed.
    for(UINT i = 0; i< Count; i++) {
    if(*(DWORD*)(pos + KeyId + 16)== 1 && *(DWORD*)(pos + KeyId + 20) == 0) {
    memcpy((VOID*)&OemSlp, (VOID*)(KeyId + pos), sizeof(GUID));
    }
    pos += 40;
    }
    }
    }
    // Runs even when the status query failed or matched nothing, in which
    // case OemSlp is still GUID_NULL. The 1 and 4 arguments look like
    // SLIDTYPE values (query by product SKU, return product-key ids) --
    // confirm against slpublic.h.
    if(pSLGetSLIDList(spp, 1, &OemSlp, 4, &Count, &KeyId) == ERROR_SUCCESS) {
    Status = pSLUninstallProofOfPurchase(spp, KeyId);
    }
    pSLFireEvent(spp, SlEvent, &WindowsSlid);
    pSLClose(spp);
    }
    }
    return Status;
    }
    
     
  10. nononsence

    nononsence MDL Addicted

    Aug 18, 2009
    809
    806
    30
    #10 nononsence, Feb 26, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Uninstalling a certificate. The GUID for the certificate can be found by opening the certificate and looking for this:
    Code:
    licenseId="{391c32e3-e599-4a7a-bab9-c3ce90ac0463}"
    
    The license will not be removed from tokens.dat until ??? triggers it; unfortunately I could not find a way to
    retrieve a list of all installed certificates.
    Code:
    // Function-pointer types for the slc.dll exports resolved in _tmain. The
    // parameters are written with generic int/HANDLE types; the documented
    // prototypes (slpublic.h) use HSLC*, SLIDTYPE, SLID*, UINT* and pointer
    // outputs. pPKeyId really receives a pointer that the caller must release
    // with LocalFree, and SLUninstallLicense takes that pointer as its id.
    typedef int (WINAPI *SLOpen)(HANDLE Ukn);
    typedef int (WINAPI *SLClose)(HANDLE Ukn);
    typedef int (WINAPI *SLFireEvent)(HANDLE Ukn, wchar_t* Event, GUID* Slid);
    typedef int (WINAPI *SLUninstallLicense)(HANDLE Ukn, int PKeyId);
    typedef int (WINAPI *SLGetSLIDList)(HANDLE Ukn, int Ukn1, GUID* Ukn2, int Ukn3, int* Count , int* pPKeyId);
    //
    // licenseId values taken from the respective certificates (see the post
    // text). NOTE(review): every macro body ends with ';', so each use below
    // expands to a double semicolon -- drop the ';' from the macros.
    #define ALIENWARE_CERT {0x18e07197, 0x9646, 0x49b5, 0x8a, 0x6a, 0xf1, 0x6d, 0xb9, 0x0d, 0x80, 0x15};
    #define ACER_CERT {0x391c32e3, 0xe599, 0x4a7a, 0xba, 0xb9, 0xc3, 0xce, 0x90, 0xac, 0x04, 0x63};
    #define ASUS_CERT {0xecb4ab2f, 0x58a3, 0x4455, 0xb9, 0x5a, 0x3b, 0x58, 0x22, 0x56, 0x1c, 0x2a};
    #define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f};
    wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
    //
    // Uninstalls the license identified by 'Cert' (the ASUS one, as written) and
    // fires the licensing-state-changed event. Returns the result of
    // SLUninstallLicense, or 1 if an earlier step failed.
    int _tmain(int argc, _TCHAR* argv[])
    {
    // Declared ULONG although the API returns an HRESULT.
    ULONG Status = 1;
    SLOpen pSLOpen = NULL;
    SLClose pSLClose = NULL;
    SLFireEvent pSLFireEvent = NULL;
    SLGetSLIDList pSLGetSLIDList = NULL;
    SLUninstallLicense pSLUninstallLicense = NULL;
    // The macro already ends with ';', so this line has two.
    GUID WindowsSlid = WINDOWS_SLID;
    HMODULE hSlc = NULL;
    HANDLE hSl = NULL;
    // Which certificate to remove is chosen at compile time here.
    GUID Cert = ASUS_CERT;
    int Count = 0;
    // NOTE(review): PKeyId receives a pointer from SLGetSLIDList but is
    // declared int, which truncates it on 64-bit builds; the buffer is
    // documented as released with LocalFree, which never happens here.
    int PKeyId = 0;
    hSlc = LoadLibrary(L"slc.dll");
    if (hSlc) {
    //
    // None of the lookups is checked for NULL before use.
    pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
    pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
    pSLUninstallLicense = (SLUninstallLicense) GetProcAddress(hSlc, "SLUninstallLicense");
    pSLFireEvent = (SLFireEvent) GetProcAddress(hSlc, "SLFireEvent");
    pSLGetSLIDList = (SLGetSLIDList) GetProcAddress(hSlc, "SLGetSLIDList");
    //
    if(pSLOpen(&hSl) == ERROR_SUCCESS) {
    // The 3 and 2 arguments look like SLIDTYPE values (query by license id,
    // return license-file ids) -- confirm against slpublic.h. Only the first
    // returned id is used; Count is not consulted.
    if(pSLGetSLIDList(hSl, 3, &Cert, 2, &Count, &PKeyId)== ERROR_SUCCESS) {
    Status = pSLUninstallLicense(hSl, PKeyId);
    }
    pSLFireEvent(hSl, SlEvent, &WindowsSlid);
    pSLClose(hSl);
    }
    // Plain FreeLibrary, unlike FreeLibraryAndExitThread in posts #4/#5.
    FreeLibrary(hSlc);
    }
    return Status;
    }
    
     
  11. CODYQX4

    CODYQX4 MDL Developer

    Sep 4, 2009
    4,803
    45,242
    150
  12. CODYQX4

    CODYQX4 MDL Developer

    Sep 4, 2009
    4,803
    45,242
    150
    #12 CODYQX4, Aug 30, 2012
    Last edited by a moderator: Apr 20, 2017
    Got this so far; it doesn't work.

    Code:
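    using System;
    using System.Runtime.InteropServices;
    
    namespace Activation
    {
        /// <summary>
        /// Minimal P/Invoke wrapper over the Software Licensing client API (slc.dll).
        /// </summary>
        public static class SLC
        {
            /// <summary>
            /// SLDATATYPE from slpublic.h: the type of a value returned by
            /// SLGetApplicationInformation.
            /// </summary>
            private enum SLDATATYPE : uint
            {
                SL_DATA_NONE = 0,
                SL_DATA_SZ = 1,
                SL_DATA_DWORD = 2,
                SL_DATA_BINARY = 3,
                SL_DATA_MULTI_SZ = 4,
                SL_DATA_SUM = 100,
            }
    
            // HRESULT SLGetApplicationInformation(HSLC, const SLID*, PCWSTR,
            //     SLDATATYPE*, UINT*, PBYTE*)
            // The last three parameters are written by the callee, so they are
            // marshalled as 'out'; the value buffer is allocated by the API and must
            // be released with LocalFree. The original declared them as 'ref string'
            // / 'ref byte[]', which marshals managed objects instead of receiving the
            // native pointer, and used CharSet.None, which passes the value name as
            // ANSI although the API takes a wide string.
            [DllImport("Slc.dll", EntryPoint = "SLGetApplicationInformation", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = true, CallingConvention = CallingConvention.Winapi)]
            private static extern uint SLGetApplicationInformation(
                IntPtr hSLC,
                ref Guid pApplicationId,
                string pwszValueName,
                out SLDATATYPE peDataType,
                out uint pcbValue,
                out IntPtr ppbValue);
    
            // HRESULT SLOpen(HSLC *phSLC)
            // The handle is returned through a pointer, so the parameter must be
            // 'out'. Passing an IntPtr by value (as the original did) hands the API a
            // null pointer, which is why the call never succeeded.
            [DllImport("Slc.dll", EntryPoint = "SLOpen", ExactSpelling = true, PreserveSig = true, CallingConvention = CallingConvention.Winapi)]
            private static extern uint SLOpen(out IntPtr phSLC);
    
            // HRESULT SLClose(HSLC hSLC): releases the handle obtained from SLOpen.
            [DllImport("Slc.dll", EntryPoint = "SLClose", ExactSpelling = true, PreserveSig = true, CallingConvention = CallingConvention.Winapi)]
            private static extern uint SLClose(IntPtr hSLC);
    
            // Frees buffers the licensing API hands back to the caller.
            [DllImport("kernel32.dll", EntryPoint = "LocalFree", ExactSpelling = true)]
            private static extern IntPtr LocalFree(IntPtr hMem);
    
            /// <summary>
            /// Reads the "RemainingRearmCount" application value for the Windows
            /// application id (value name and id as posted by the author).
            /// </summary>
            /// <returns>
            /// The value rendered as text, or -- kept from the original -- the
            /// exception message if a call threw.
            /// </returns>
            /// <exception cref="Exception">Thrown when the API reports no value.</exception>
            public static string RemainingRearmCount()
            {
                try
                {
                    // DllImport loads slc.dll on first use; no separate LoadLibrary
                    // call is needed.
                    IntPtr hSLC;
                    if (SLOpen(out hSLC) == 0)
                    {
                        try
                        {
                            Guid appId = new Guid("55c92734-d682-4d71-983e-d6ec3f16059f");
                            SLDATATYPE type;
                            uint size;
                            IntPtr value;
                            if (SLGetApplicationInformation(hSLC, ref appId, "RemainingRearmCount", out type, out size, out value) == 0)
                            {
                                try
                                {
                                    return FormatValue(type, size, value);
                                }
                                finally
                                {
                                    // The buffer is owned by the API and released with LocalFree.
                                    LocalFree(value);
                                }
                            }
                        }
                        finally
                        {
                            SLClose(hSLC);
                        }
                    }
                }
                catch (Exception ex)
                {
                    return ex.Message;
                }
                throw new Exception("Did not Return Value!");
            }
    
            /// <summary>
            /// Renders a native SL value as text: DWORDs as decimal, strings as-is,
            /// anything else as a hex dump. The original returned
            /// <c>byte[].ToString()</c>, which is just the type name.
            /// </summary>
            private static string FormatValue(SLDATATYPE type, uint size, IntPtr value)
            {
                if (value == IntPtr.Zero || size == 0)
                {
                    return string.Empty;
                }
                switch (type)
                {
                    case SLDATATYPE.SL_DATA_DWORD:
                        if (size >= 4)
                        {
                            return ((uint)Marshal.ReadInt32(value)).ToString();
                        }
                        break;
                    case SLDATATYPE.SL_DATA_SZ:
                        return Marshal.PtrToStringUni(value);
                }
                byte[] raw = new byte[size];
                Marshal.Copy(value, raw, 0, raw.Length);
                return BitConverter.ToString(raw);
            }
        }
    }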
    
     