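In this thread I am going to post a few undocumented Windows function I discovered writing the WindSLIC EFI installer this first one demonstrates an undocumented NtQuerySystemInformation function #90 which I use to detect an EFI system. in this code example I am using run time dynamic linking to retrieve a pointer to the NtQuerySystemInformation function in ntdll.dll which is similar to the pInvoke stuff in .net and is very handy when working with undocumented stuff. Code:

#include <stdio.h>
#include <Windows.h>

/* NtQuerySystemInformation is exported by ntdll.dll but has no import-library
 * entry in the SDK, so it is resolved at run time through GetProcAddress. */
typedef NTSTATUS (NTAPI *NtQuerySystemInformation)(
    ULONG  SystemInformationClass,
    PVOID  SystemInformation,
    ULONG  SystemInformationLength,
    PULONG ReturnLength OPTIONAL);

/*
 * Reports whether the machine was booted through EFI/UEFI firmware.
 *
 * Queries information class 90 into a 20-byte buffer and compares the DWORD
 * at byte offset 16 (Buffer[4]) with 2.  That offset is where FIRMWARE_TYPE
 * follows the 16-byte boot-identifier GUID in the class-90 structure, and
 * FirmwareTypeUefi is 2 in winnt.h's FIRMWARE_TYPE enum.  Windows 8 and later
 * expose the same answer through the documented GetFirmwareType() API, which
 * should be preferred where the target OS allows it.
 *
 * Returns 1 when EFI was detected, 0 otherwise (also 0 when the query could
 * not be performed).  Prints "is EFI" / "not EFI" to the console.
 */
int main(void)
{
    int ret = 0;
    DWORD Buffer[5] = {0};        /* "= {}" is C++ only; {0} zero-fills in C as well */
    ULONG CharsWritten = 0;
    const wchar_t *out = L"not EFI\n";
    HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    /* Explicit W variants: the original relied on UNICODE being defined to
     * make GetModuleHandle/lstrlen/WriteConsole accept wide strings. */
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");

    if (hNtdll) {
        NtQuerySystemInformation pNtQuerySystemInformation =
            (NtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");

        /* GetProcAddress returns NULL for a missing export; the original
         * called through the pointer unchecked. */
        if (pNtQuerySystemInformation
            && pNtQuerySystemInformation(90, Buffer, sizeof(Buffer), NULL) == 0
            && Buffer[4] == 2) {
            ret++;
            out = L"is EFI\n";
        }
        WriteConsoleW(StdOut, out, (DWORD)lstrlenW(out), &CharsWritten, NULL);
    }
    /* StdOut is the process's standard handle, not one we opened: the
     * original's CloseHandle(StdOut) is dropped. */
    return ret;
}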
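this next one is NtQuerySystemInformation function #98 which returns the system volume, I added dynamic memory allocation to this one. Code:

#include <stdio.h>
#include <Windows.h>

/* Resolved at run time from ntdll.dll (no import-library entry in the SDK). */
typedef NTSTATUS (NTAPI *NtQuerySystemInformation)(
    ULONG  SystemInformationClass,
    PVOID  SystemInformation,
    ULONG  SystemInformationLength,
    PULONG ReturnLength OPTIONAL);

/*
 * Prints the NT device path of the system partition (the author's output:
 * "\Device\HarddiskVolume1") obtained from NtQuerySystemInformation class 98.
 *
 * The characters are read at byte offset 8 of the returned buffer.  That
 * matches a 32-bit UNICODE_STRING header (Length, MaximumLength, Buffer =
 * 8 bytes) followed by the string data; on a 64-bit build the header is
 * 16 bytes, so the offset would need revisiting -- TODO confirm on x64.
 * The buffer is zero-filled, so the string is NUL-terminated unless it fills
 * all 120 remaining bytes exactly.
 *
 * Returns 0 in every case; failures are silent, as in the original.
 */
int main(void)
{
    HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    /* Private heap: 512 bytes initial, 1024 bytes maximum, as in the original. */
    HANDLE hHeap = HeapCreate(0, 512, 1024);

    if (hHeap) {
        UCHAR *Buffer = (UCHAR *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 128);
        HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");

        /* Every allocation and lookup is checked before use; the original
         * dereferenced them unconditionally. */
        if (Buffer && hNtdll) {
            NtQuerySystemInformation pNtQuerySystemInformation =
                (NtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");

            if (pNtQuerySystemInformation
                && pNtQuerySystemInformation(98, Buffer, 128, NULL) == 0) {
                const wchar_t *Path = (const wchar_t *)(Buffer + 8);
                int Chars = lstrlenW(Path);
                /* Room for the characters plus the terminating NUL
                 * (the original computed the same size as len * 2 + 2). */
                wchar_t *Str = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY,
                                                    ((SIZE_T)Chars + 1) * sizeof(wchar_t));
                if (Str) {
                    lstrcpyW(Str, Path);
                    WriteConsoleW(StdOut, Str, (DWORD)Chars, NULL, NULL);
                    HeapFree(hHeap, 0, Str);
                }
            }
        }
        HeapFree(hHeap, 0, Buffer);
        /* The original never destroyed its private heap. */
        HeapDestroy(hHeap);
    }
    /* StdOut comes from GetStdHandle and must not be closed. */
    return 0;
}

output: Code: "\Device\HarddiskVolume1"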
This one is how to install a product key with the SppComApi.dll COM object, I am using isolated COM and a patched sppcomapi.dll to display the key from the registry, you do not need to use the patched file to install a product key. Code:

#include "stdafx.h"
#include "ViewKey.h"
#import "sppcomapi.tlb"
using namespace SppComApiLib;

// Product key to install; it is compiled into the executable as plain text.
wchar_t* PKeyIn = L"VQ3PY-VRX6D-CBG4J-8C6R2-TCVBD\0";

/*
 * Installs PKeyIn through the SppComApi COM objects and echoes the registry
 * default key before and after.  Returns 1 when COM initialisation fails;
 * otherwise returns the last Status value, which is the reference count left
 * by the final Release() call rather than a success/failure code.
 *
 * NOTE(review): both CoCreateInstance calls store into the same IUkn.  The
 * first IUnknown is overwritten without being released, and the unconditional
 * IUkn->Release() near the end dereferences a NULL pointer when both
 * creations fail.  PKeyOut (a BSTR) is never passed to SysFreeString, the
 * HeapAlloc results are used unchecked, and StdOut (from GetStdHandle) should
 * not be closed.
 */
int main(int argc, _TCHAR* argv[])
{
    unsigned long Status;
    // COM
    ILicensingStateTools* LicensingStateTools = NULL;
    ISPPLUA* SPPLUA = NULL;
    IUnknown* IUkn = NULL;
    BSTR PKeyOut;    // only assigned when LicensingStateTools was obtained
    HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    HANDLE hHeap = GetProcessHeap();
    wchar_t* OutBuffer;
    // S_FALSE (COM already initialised on this thread) is also != ERROR_SUCCESS
    // and is therefore treated as failure here.
    if(CoInitialize(NULL) != ERROR_SUCCESS) {
        return 1;
    }
    if(CoCreateInstance(CLSID_SPPLUAObject, NULL, CLSCTX_INPROC_SERVER, IID_IUnknown, (LPVOID *)&IUkn) == ERROR_SUCCESS) {
        Status = IUkn->QueryInterface(IID_ISPPLUA, (LPVOID *)&SPPLUA);
    }
    if(CoCreateInstance(CLSID_LicensingStateTools, NULL, CLSCTX_INPROC_SERVER, IID_IUnknown, (LPVOID *)&IUkn) == ERROR_SUCCESS) {
        Status = IUkn->QueryInterface(IID_ILicensingStateTools, (LPVOID *)&LicensingStateTools);
    }
    // 1024 bytes = 512 wide characters; wsprintf does not bound its output.
    OutBuffer = (wchar_t*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 1024);
    if(LicensingStateTools) {
        LicensingStateTools->get_DefaultKeyFromRegistry(&PKeyOut);
        wsprintf(OutBuffer,L"current product key: %s\n\n\0", PKeyOut);
        WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    }
    wsprintf(OutBuffer, L"installing key: %s\n\0", PKeyIn);
    WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    // A zero-filled SAFEARRAY header from the heap (not SafeArrayCreate) is
    // passed as the key-specific data -- presumably meaning "none"; confirm
    // what SLLUAInstallProofOfPurchase expects for this argument.
    SAFEARRAY* SafeArray = (SAFEARRAY*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(SAFEARRAY));
    GUID* pPKeyId = (GUID*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(GUID));    // receives the id of the installed key
    if(SPPLUA && SPPLUA->SLLUAInstallProofOfPurchase(L"msft:rm/algorithm/pkey/2005\0", PKeyIn, SafeArray, pPKeyId) == ERROR_SUCCESS) {
        wsprintf(OutBuffer, L"key installed successfully\n\n\0");
        WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    }
    if(LicensingStateTools) {
        LicensingStateTools->get_DefaultKeyFromRegistry(&PKeyOut);
        wsprintf(OutBuffer, L"new Key: %s\n\0", PKeyOut);
        WriteConsole(StdOut, OutBuffer, lstrlen(OutBuffer), NULL, NULL);
    }
    if(LicensingStateTools) {
        Status = LicensingStateTools->Release();
    }
    if(SPPLUA) {
        Status = SPPLUA->Release();
    }
    Status = IUkn->Release();    // NOTE(review): IUkn is NULL if neither CoCreateInstance succeeded
    CoUninitialize();
    CloseHandle(StdOut);
    HeapFree(hHeap, 0, SafeArray);
    HeapFree(hHeap, 0, pPKeyId);
    HeapFree(hHeap, 0, OutBuffer);
    return Status;
}

source code: http://www.mediafire.com/?o9cm38w5je3x3p0
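Dont like COM? this is the native way to install a key. I don't know if calling SLClose() is necessary but it seems logical to do so. Code:

#include "stdafx.h"

// Software Licensing API entry points from slc.dll, resolved at run time.
// SLOpen yields a licensing context handle (the call below passes &spp, so
// the parameter is declared as HANDLE*), SLClose releases it, and the status
// values are compared with ERROR_SUCCESS (0) as the author does.
typedef int (WINAPI *SLOpen)(HANDLE *phSlc);
typedef int (WINAPI *SLClose)(HANDLE hSlc);
typedef int (WINAPI *SLInstallProofOfPurchase)(HANDLE hSlc, const wchar_t* PKeyType,
                                               const wchar_t* PKeyIn, ULONG PKeyDataSize,
                                               const wchar_t* PKeyData, GUID* PKeyId);

// Product key and key-algorithm identifier; both compiled into the executable.
const wchar_t* PKeyIn = L"FJGCP-4DFJD-GJY49-VJBQ7-HYRR2\0";
const wchar_t* PKeyType = L"msft:rm/algorithm/pkey/2005\0";

/*
 * Installs the product key PKeyIn through the native Software Licensing API.
 * This is the same machine-wide licensing change that "slmgr.vbs /ipk"
 * performs; it requires administrative rights, and (per the later post on
 * SLFireEvent) the change is only noticed after the "licensingstatechanged"
 * event is fired or the machine reboots.
 *
 * Returns the status of SLInstallProofOfPurchase, or 1 when slc.dll or one of
 * its exports could not be loaded or the licensing context could not be opened.
 */
int main()
{
    ULONG Status = 1;
    HMODULE hSlc = LoadLibraryW(L"slc.dll");
    if (hSlc) {
        SLOpen pSLOpen = (SLOpen)GetProcAddress(hSlc, "SLOpen");
        SLClose pSLClose = (SLClose)GetProcAddress(hSlc, "SLClose");
        SLInstallProofOfPurchase pSLInstallProofOfPurchase =
            (SLInstallProofOfPurchase)GetProcAddress(hSlc, "SLInstallProofOfPurchase");

        // GetProcAddress returns NULL for a missing export; the original
        // called through the pointers unchecked.
        if (pSLOpen && pSLClose && pSLInstallProofOfPurchase) {
            HANDLE spp = NULL;
            if (pSLOpen(&spp) == ERROR_SUCCESS) {
                GUID PKeyId = GUID_NULL;    // receives the id assigned to the installed key
                Status = pSLInstallProofOfPurchase(spp, PKeyType, PKeyIn, 0, 0, &PKeyId);
                pSLClose(spp);              // SLClose pairs with SLOpen
            }
        }
        // The original used FreeLibraryAndExitThread, which terminates the
        // primary thread without returning through the CRT; FreeLibrary plus
        // a normal return is the conventional shape and matches the later
        // uninstall examples.
        FreeLibrary(hSlc);
    }
    return Status;
}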
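and my last one for now is how to install the a certificate natively. Code:

#include "stdafx.h"
#include "cert.h"    // supplies the license blob `Cert` (not shown in this post)

// slc.dll entry points resolved at run time.  SLOpen yields a licensing
// context handle (the call below passes &hSl, so the parameter is HANDLE*),
// SLClose releases it; statuses are compared with ERROR_SUCCESS (0).
typedef int (WINAPI *SLOpen)(HANDLE *phSlc);
typedef int (WINAPI *SLClose)(HANDLE hSlc);
typedef int (WINAPI *SLInstallLicense)(HANDLE hSlc, ULONG CertLength, UCHAR* Cert, GUID* pPkeyId);

/*
 * Imports the license blob `Cert` into the licensing store through
 * SLInstallLicense -- the native counterpart of "slmgr.vbs /ilc <file>".
 * Administrative rights are required, and the change only takes effect once
 * the "licensingstatechanged" event is fired or the machine reboots (see the
 * later post on SLFireEvent).
 *
 * sizeof(Cert) is the blob length only if cert.h declares Cert as an array
 * rather than a pointer -- TODO confirm against cert.h.
 *
 * Returns the status of SLInstallLicense, or 1 if slc.dll or one of its
 * exports is missing or the licensing context could not be opened.
 */
int main()
{
    ULONG Status = 1;
    HMODULE hSlc = LoadLibraryW(L"slc.dll");
    if (hSlc) {
        SLOpen pSLOpen = (SLOpen)GetProcAddress(hSlc, "SLOpen");
        SLClose pSLClose = (SLClose)GetProcAddress(hSlc, "SLClose");
        SLInstallLicense pSLInstallLicense =
            (SLInstallLicense)GetProcAddress(hSlc, "SLInstallLicense");

        // The original called through these pointers without a NULL check.
        if (pSLOpen && pSLClose && pSLInstallLicense) {
            HANDLE hSl = NULL;
            if (pSLOpen(&hSl) == ERROR_SUCCESS) {
                ULONG CertSize = sizeof(Cert);
                GUID pKeyId = GUID_NULL;    // receives the id assigned to the installed license
                Status = pSLInstallLicense(hSl, CertSize, Cert, &pKeyId);
                pSLClose(hSl);              // SLClose pairs with SLOpen
            }
        }
        // The original used FreeLibraryAndExitThread, which ends the primary
        // thread without returning through the CRT; FreeLibrary plus a normal
        // return is the conventional shape and matches the uninstall examples.
        FreeLibrary(hSlc);
    }
    return Status;
}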
A quick key/certificate installer that installs an Acer certificate and key. EDIT: added supported OS/product range checking.
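found this today, when you install/uninstall the key or cert you have to fire the "licensingstatechanged" event or reboot. I wont post a working example but will post enough to get you started Code:

// SLFireEvent(hSlc, eventId, applicationId) from slc.dll: notifies the
// Software Protection service.  After installing or uninstalling a key or a
// certificate the "licensingstatechanged" event has to be fired (or the
// machine rebooted) before the change takes effect.
typedef int (WINAPI *SLFireEvent)(HANDLE Ukn, wchar_t* Event, GUID* Slid);

// Event identifier passed as the second argument.
wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";

// Application id of Windows, as a GUID brace initializer.  The original macro
// ended in ';' inside its expansion, which forced call sites to write
// `GUID g = WINDOWS_SLID` without a terminator of their own; the ';' now
// belongs at the use site: `GUID WindowsSlid = WINDOWS_SLID;`.
#define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f}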
Uninstalling a product key Code:

// slc.dll entry points resolved at run time.  Parameter names are the
// author's guesses ("Ukn" = unknown).  NOTE(review): the "int" parameters
// and out-parameters that actually carry pointers (pPKeyId, Out, PKeyId)
// only work in a 32-bit build; in a 64-bit build a pointer does not fit.
typedef int (WINAPI *SLOpen)(HANDLE Ukn);
typedef int (WINAPI *SLClose)(HANDLE Ukn);
typedef int (WINAPI *SLUninstallProofOfPurchase)(HANDLE Ukn, int PKeyId);
typedef int (WINAPI *SLGetSLIDList)(HANDLE Ukn, int Ukn1, GUID* Ukn2, int Ukn3, int* Count, int* pPKeyId);
typedef int (WINAPI *SLFireEvent)(HANDLE Ukn, wchar_t* Event, GUID* Slid);
typedef int (WINAPI *SLGetLicensingStatusInformation)(HANDLE Ukn, GUID* Ukn1, int Ukn2, int Ukn3, int* Count, int* Out);
//
// Event fired after the change so the Software Protection service notices it.
wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
// Application id of Windows.  NOTE(review): the expansion ends in ';', which
// is why the declaration of WindowsSlid below carries no terminator of its own.
#define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f};
//
/*
 * Removes the product key of the currently licensed Windows SKU and fires the
 * licensingstatechanged event for the Windows application id.
 *
 * Flow: query the licensing status records for Windows, pick the SKU whose
 * record has status 1 and grace time 0 (see the loop comment), list that
 * SKU's product-key ids, uninstall the first one, fire the event.
 *
 * Returns the status of SLUninstallProofOfPurchase, or 1 if slc.dll could not
 * be loaded, the context could not be opened, or no key id was listed.
 *
 * NOTE(review): none of the GetProcAddress results are NULL-checked, hSlc is
 * never released with FreeLibrary (the certificate example below does), and
 * the buffers handed back by SLGetLicensingStatusInformation / SLGetSLIDList
 * are never freed (the SDK documents LocalFree for them).
 */
int _tmain(int argc, _TCHAR* argv[])
{
    ULONG Status = 1;
    SLOpen pSLOpen = NULL;
    SLClose pSLClose = NULL;
    SLUninstallProofOfPurchase pSLUninstallProofOfPurchase = NULL;
    SLGetSLIDList pSLGetSLIDList = NULL;
    SLGetLicensingStatusInformation pSLGetLicensingStatusInformation = NULL;
    SLFireEvent pSLFireEvent = NULL;
    HMODULE hSlc = NULL;
    HANDLE spp = NULL;
    GUID OemSlp = GUID_NULL;    // SKU id selected from the status records
    GUID WindowsSlid = WINDOWS_SLID    // ';' comes from the macro expansion
    int KeyId = 0;              // NOTE(review): receives a pointer, not an id (32-bit only)
    int Count = 0;
    hSlc = LoadLibrary(L"slc.dll");
    if(hSlc) {
        pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
        pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
        pSLGetSLIDList = (SLGetSLIDList) GetProcAddress(hSlc, "SLGetSLIDList");
        pSLUninstallProofOfPurchase = (SLUninstallProofOfPurchase) GetProcAddress(hSlc, "SLUninstallProofOfPurchase");
        pSLFireEvent = (SLFireEvent) GetProcAddress(hSlc, "SLFireEvent");
        pSLGetLicensingStatusInformation = (SLGetLicensingStatusInformation) GetProcAddress(hSlc, "SLGetLicensingStatusInformation");
        if(pSLOpen(&spp) == ERROR_SUCCESS) {
            // Status records for the Windows application id; Count records
            // are written to the buffer whose address lands in KeyId.
            if(pSLGetLicensingStatusInformation(spp, &WindowsSlid, 0, 0, &Count, &KeyId) == ERROR_SUCCESS) {
                // uninstall key
                if(KeyId != NULL) {    // int compared with NULL: "was a buffer returned"
                    int pos = 0;
                    // Walk Count records of 40 bytes.  A record whose DWORD at
                    // offset 16 is 1 and whose DWORD at offset 20 is 0 has its
                    // leading 16 bytes copied into OemSlp.  This is consistent
                    // with the SL_LICENSING_STATUS layout in slpublic.h (SkuId,
                    // eStatus, dwGraceTime, ...), i.e. "the SKU that is licensed
                    // with no grace period" -- confirm against the header.
                    // Count is int, i is UINT: a negative Count would loop forever.
                    for(UINT i = 0; i< Count; i++) {
                        if(*(DWORD*)(pos + KeyId + 16)== 1 && *(DWORD*)(pos + KeyId + 20) == 0) {
                            memcpy((VOID*)&OemSlp, (VOID*)(KeyId + pos), sizeof(GUID));
                        }
                        pos += 40;
                    }
                }
            }
            // NOTE(review): this runs even when the status query above failed,
            // in which case OemSlp is still GUID_NULL.  Query type 1 / return
            // type 4 presumably mean "product-key ids for this SKU id"
            // (SLIDTYPE in slpublic.h: SL_ID_PRODUCT_SKU = 1, SL_ID_PKEY = 4 --
            // confirm); KeyId then holds the address of the returned id list.
            if(pSLGetSLIDList(spp, 1, &OemSlp, 4, &Count, &KeyId) == ERROR_SUCCESS) {
                Status = pSLUninstallProofOfPurchase(spp, KeyId);    // first id of the list
            }
            pSLFireEvent(spp, SlEvent, &WindowsSlid);
            pSLClose(spp);
        }
    }
    return Status;
}
Uninstalling a certificate, the GUID for the certificate can be found in by opening the certificate and looking for this Code: licenseId="{391c32e3-e599-4a7a-bab9-c3ce90ac0463}" the license will not be removed from tokens.dat until ??? triggers it, unfortunately I could not find a way to retrieve a list of all installed certificate's Code:

// slc.dll entry points resolved at run time.  Parameter names are the
// author's guesses ("Ukn" = unknown).  NOTE(review): the "int" parameters
// and out-parameters that actually carry pointers (pPKeyId, PKeyId) only
// work in a 32-bit build.
typedef int (WINAPI *SLOpen)(HANDLE Ukn);
typedef int (WINAPI *SLClose)(HANDLE Ukn);
typedef int (WINAPI *SLFireEvent)(HANDLE Ukn, wchar_t* Event, GUID* Slid);
typedef int (WINAPI *SLUninstallLicense)(HANDLE Ukn, int PKeyId);
typedef int (WINAPI *SLGetSLIDList)(HANDLE Ukn, int Ukn1, GUID* Ukn2, int Ukn3, int* Count, int* pPKeyId);
//
// licenseId values taken from the respective certificate files, plus the
// Windows application id.  Each expansion ends in ';', so `GUID g = X;`
// below expands to a declaration followed by an empty statement.
#define ALIENWARE_CERT {0x18e07197, 0x9646, 0x49b5, 0x8a, 0x6a, 0xf1, 0x6d, 0xb9, 0x0d, 0x80, 0x15};
#define ACER_CERT {0x391c32e3, 0xe599, 0x4a7a, 0xba, 0xb9, 0xc3, 0xce, 0x90, 0xac, 0x04, 0x63};
#define ASUS_CERT {0xecb4ab2f, 0x58a3, 0x4455, 0xb9, 0x5a, 0x3b, 0x58, 0x22, 0x56, 0x1c, 0x2a};
#define WINDOWS_SLID {0x55c92734, 0xd682, 0x4d71, 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f};
// Event fired after the change so the Software Protection service notices it.
wchar_t* SlEvent = L"msft:rm/event/licensingstatechanged\0";
//
/*
 * Uninstalls the license whose id is `Cert` (the ASUS one here) and fires the
 * licensingstatechanged event for the Windows application id.
 *
 * Returns the status of SLUninstallLicense, or 1 if slc.dll could not be
 * loaded, the context could not be opened, or the id lookup failed.
 *
 * NOTE(review): the GetProcAddress results are not NULL-checked, and the id
 * list returned by SLGetSLIDList is never freed (the SDK documents LocalFree
 * for it).  hSlc is released with FreeLibrary, unlike the key example above.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    ULONG Status = 1;
    SLOpen pSLOpen = NULL;
    SLClose pSLClose = NULL;
    SLFireEvent pSLFireEvent = NULL;
    SLGetSLIDList pSLGetSLIDList = NULL;
    SLUninstallLicense pSLUninstallLicense = NULL;
    GUID WindowsSlid = WINDOWS_SLID;
    HMODULE hSlc = NULL;
    HANDLE hSl = NULL;
    GUID Cert = ASUS_CERT;
    int Count = 0;
    int PKeyId = 0;    // NOTE(review): receives the address of the id list (32-bit only)
    hSlc = LoadLibrary(L"slc.dll");
    if (hSlc) {
        //
        pSLOpen = (SLOpen) GetProcAddress(hSlc, "SLOpen");
        pSLClose = (SLClose) GetProcAddress(hSlc, "SLClose");
        pSLUninstallLicense = (SLUninstallLicense) GetProcAddress(hSlc, "SLUninstallLicense");
        pSLFireEvent = (SLFireEvent) GetProcAddress(hSlc, "SLFireEvent");
        pSLGetSLIDList = (SLGetSLIDList) GetProcAddress(hSlc, "SLGetSLIDList");
        //
        if(pSLOpen(&hSl) == ERROR_SUCCESS) {
            // Query type 3 / return type 2 presumably mean "license-file ids for
            // this license id" (SLIDTYPE in slpublic.h: SL_ID_LICENSE = 3,
            // SL_ID_LICENSE_FILE = 2 -- confirm); the first id of the returned
            // list is what SLUninstallLicense receives.
            if(pSLGetSLIDList(hSl, 3, &Cert, 2, &Count, &PKeyId)== ERROR_SUCCESS) {
                Status = pSLUninstallLicense(hSl, PKeyId);
            }
            pSLFireEvent(hSl, SlEvent, &WindowsSlid);
            pSLClose(hSl);
        }
        FreeLibrary(hSlc);
    }
    return Status;
}