
Where is the Windows version stored?

Posted: Wed Jan 07, 2009 12:58 am
by kpedersen

I have just joined your forums (and I already have two questions :p)

If I open up notepad (or windows explorer) and click on about, the dialog tells me that I use...

Code:

    Microsoft (R) Windows
    Version 5.0 (Build 2195: Service Pack 4)
    Copyright (C) 1981-1999 Microsoft Corp.

You might have guessed that I am using Windows 2000 :D

Where are these version strings stored? Is it in NTOSKRNL.exe? I tried to modify that with a hex editor and changed every instance of 2195 and Windows 2000, but it didn't make an ounce of difference.

(btw, I have my reasons for doing this haha)

Question Number 2.
- Do you guys only use the GCC (G++) compiler for this project, or do you use Borland with VCL etc.? Because I should be able to make some application knock-offs like Microsoft Paint etc. for you...



Re: Where is the Windows version stored?

Posted: Wed Jan 07, 2009 1:17 am
by Ged
They're hard-coded values in the kernel, and they are stored in the PEB of every process upon creation.
You get these values in umode from APIs like GetVersionEx, which will read the values from the PEB and pass them on.

I can't stress this enough, but _do not_ hex edit any values in the kernel, especially without knowing what you're doing!!!
I wouldn't be surprised if you've damaged your kernel in some way by doing this.
Any more messing like this and you'll find your OS starts breaking, to the point where it could start corrupting your data, as you're damaging the internal integrity of the kernel to the point that it may not bugcheck when it should.

Re: Where is the Windows version stored?

Posted: Wed Jan 07, 2009 6:26 pm
by kpedersen
Thanks for replying,

Lol, rest assured that I am testing only on a sandbox install :)

So is there no way to change what values the kernel gives out to that about box?

Re: Where is the Windows version stored?

Posted: Wed Jan 07, 2009 7:11 pm
by Ged
Many ways.

The easiest is to hook GetVersion and GetVersionExW and modify the return data.
This isn't without problems if you're doing this system-wide via DLL injection (using AppInit_DLLs, or something like that), as many other applications call this API and will rely on the return data to correctly identify which OS it's running on.
Incorrect identification may result in process crashes, as the calling process may request features only present in other OSes.
If you did it this way, it'd be safer to look up the call stack and check if the call came from ShellAbout, only modifying the data in this case.
(ShellAbout is the API which loads the dialog you're talking about.)

If you just wanna hook it for your own process, then modify away to your heart's content :)

If you wanted to go really deep, you could hook MmCreatePeb in the kernel and modify the PEB at creation. This will trick lower level components too, although it'll probably result in more serious crashes and perhaps a bluescreen.

There are loads of other ways, you just have to use your imagination (plus know NT and be a half-decent programmer)
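The two points Ged makes above, that the numbers live in the PEB of every process and that GetVersionEx just copies them out, and that inside your own process you can "modify away", can be checked in one small program. The following is an added example, not code from the thread or from ReactOS: it reads the version fields straight out of the current process's PEB, shows that GetVersionExW agrees, then overwrites the PEB fields with 5.0.2195 / Service Pack 4 and shows that GetVersionExW now reports that instead. The field offsets (x86: 0xA4/0xA8/0xAC/0xAE, x64: 0x118/0x11C/0x120/0x122) are the documented PEB layout and are an assumption here; verify them against your target build with WinDbg's `dt nt!_PEB`. The Windows-only part is guarded so the PEB accessors themselves also build and run on a constructed buffer elsewhere.

```c
/*
 * Added example, not from the original thread.
 * Build on Windows: gcc -o pebver pebver.c   (MinGW) or cl pebver.c (MSVC).
 * ASSUMPTION: PEB field offsets below are the documented layout for each pointer size.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NtCurrentTeb()->ProcessEnvironmentBlock */
#endif

typedef struct {
    uint32_t major;     /* PEB->OSMajorVersion */
    uint32_t minor;     /* PEB->OSMinorVersion */
    uint16_t build;     /* PEB->OSBuildNumber  */
    uint16_t csd;       /* PEB->OSCSDVersion: service pack major in the high byte */
} peb_version_t;

/* Offsets depend on pointer size (32- vs 64-bit PEB), not on the Windows release. */
static size_t peb_off_major(void) { return sizeof(void *) == 8 ? 0x118 : 0xA4; }
static size_t peb_off_minor(void) { return sizeof(void *) == 8 ? 0x11C : 0xA8; }
static size_t peb_off_build(void) { return sizeof(void *) == 8 ? 0x120 : 0xAC; }
static size_t peb_off_csd(void)   { return sizeof(void *) == 8 ? 0x122 : 0xAE; }

/* Decode the version fields from a PEB image (the live one, or a captured copy). */
peb_version_t peb_read_version(const uint8_t *peb)
{
    peb_version_t v;
    memcpy(&v.major, peb + peb_off_major(), sizeof v.major);
    memcpy(&v.minor, peb + peb_off_minor(), sizeof v.minor);
    memcpy(&v.build, peb + peb_off_build(), sizeof v.build);
    memcpy(&v.csd,   peb + peb_off_csd(),   sizeof v.csd);
    return v;
}

/* Overwrite the version fields; in a live process this changes what GetVersionExW returns. */
void peb_write_version(uint8_t *peb, peb_version_t v)
{
    memcpy(peb + peb_off_major(), &v.major, sizeof v.major);
    memcpy(peb + peb_off_minor(), &v.minor, sizeof v.minor);
    memcpy(peb + peb_off_build(), &v.build, sizeof v.build);
    memcpy(peb + peb_off_csd(),   &v.csd,   sizeof v.csd);
}

/* "Service Pack N" as shown in the About box is the high byte of OSCSDVersion. */
unsigned peb_service_pack(peb_version_t v) { return v.csd >> 8; }

/* Round-trip the accessors through a constructed, zeroed PEB-sized buffer (no real PEB needed). */
int peb_selftest(void)
{
    uint8_t fake_peb[0x200];                       /* constructed sample, not a captured PEB */
    peb_version_t want = { 5, 0, 2195, 0x0400 };   /* Windows 2000 SP4, as in the post */
    peb_version_t got;
    memset(fake_peb, 0, sizeof fake_peb);
    peb_write_version(fake_peb, want);
    got = peb_read_version(fake_peb);
    return got.major == 5 && got.minor == 0 && got.build == 2195 && peb_service_pack(got) == 4
        && fake_peb[peb_off_major()] == 5;         /* major really landed at the documented offset */
}

#ifdef _WIN32
static void show(const char *tag)
{
    OSVERSIONINFOW o = { sizeof o };
    GetVersionExW(&o);   /* deprecated in newer SDKs, but still reports the PEB values */
    printf("%s GetVersionExW: %lu.%lu build %lu\n",
           tag, o.dwMajorVersion, o.dwMinorVersion, o.dwBuildNumber);
}

int main(void)
{
    uint8_t *peb = (uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
    peb_version_t real = peb_read_version(peb);
    peb_version_t fake = { 5, 0, 2195, 0x0400 };

    printf("PEB says: %u.%u build %u SP%u\n", real.major, real.minor, real.build, peb_service_pack(real));
    show("before");
    peb_write_version(peb, fake);     /* only this process sees the change */
    show("after ");
    /* ShellAboutW(NULL, L"Demo", NULL, NULL) called here would draw its About box from the same data. */
    peb_write_version(peb, real);     /* restore: other code in this process trusts these fields */
    return 0;
}
#else
int main(void)
{
    puts(peb_selftest() ? "PEB accessor self-test passed (Windows needed for the live demo)"
                        : "PEB accessor self-test FAILED");
    return 0;
}
#endif
```

Note that this only fools the calling process, which is exactly the "modify away" case; the hex-edited kernel and the MmCreatePeb hook in the post are the routes for changing the values every process receives, and the warnings there apply. On Windows 8.1 and later, what GetVersionExW reports also depends on the application's manifest, but the numbers it starts from are still these PEB fields.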