解读 TransformKeyPermissions
准确的功能不是很清楚。从名字和代码看,它通过 this 指针就地修改传入的权限值(一个 DWORD),并返回 NTSTATUS:成功时返回 0;RtlGetVersion 失败时(v2 < 0)列表中的 result 没有被赋值,应是反编译器把 RtlGetVersion 的状态值直接留在了返回寄存器中(对应 v3 = v2 这一句),即把错误状态原样返回给调用方。
只有当主版本号 ≥ 7,或者主版本号 == 6 且次版本号 ≥ 1(即 Windows 7 / 6.1 及更高版本)时才进行变换;否则不变。
变换本身是按位或,而不是加法:`*v1 |= 0x100u`,即把第 8 位置 1。所以不能理解为"小于 256 就加 256,大于 256 不变":0x100 位已经置位的值保持不变,其余任何值(包括大于 256 的,例如 0x200 会变成 0x300)都会被置上该位。注意 0x100 恰好等于注册表访问权限 KEY_WOW64_64KEY 的值;如果这个权限值是注册表键的访问掩码,那么这里的作用就是在 Win7+ 上强制走 64 位注册表视图——这一点需要结合调用方确认。
0x114 = 276
0x110 = 272
0x100 = 256
VersionInformation 是结构体 _OSVERSIONINFOW 类型。
VersionInformation {
dwOSVersionInfoSize=0x114u,
dwMajorVersion=0u,
dwMinorVersion=0u,
dwBuildNumber=0u,
dwPlatformId=0u,
szCSDVersion={0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u,0u}
} struct _OSVERSIONINFOW
第一个字段为结构的大小,276。
32 位版本看得很清楚,
VersionInformation.dwOSVersionInfoSize = 276;
v2 = RtlGetVersion(&VersionInformation);
64 位版本看起来有点怪,原因是反编译器没有把这块栈内存识别成 _OSVERSIONINFOW,而是拆成了几个相邻的栈变量:v10 是 dwOSVersionInfoSize(赋值 276 后把 &v10 传给 RtlGetVersion),Dst 是 dwMajorVersion(memset 从它开始清零,后面与 7 比较),v12 是 dwMinorVersion(与 1 比较):
v10 = 276;
v2 = RtlGetVersion(&v10);
对结构体从第二个字段开始的 272 个字节,全部清零,即长度为 0x110。
memset(&VersionInformation.dwMajorVersion, 0, 0x110u);
memset_0(&Dst, 0, 0x110ui64);
szCSDVersion 中保存的是如 Service Pack 3 这样的字符串。
//----- (100F0B45) --------------------------------------------------------
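NTSTATUS __thiscall `anonymous namespace'::TransformKeyPermissions(_DWORD *this)
{
  NTSTATUS status;

  /* Query the running OS version through RtlGetVersion. The caller-visible
   * contract of that API requires dwOSVersionInfoSize to hold the size of
   * the structure (276 == 0x114 == sizeof(_OSVERSIONINFOW)) before the call;
   * the remaining 0x110 bytes (dwMajorVersion onward) are cleared first so
   * the comparison below never operates on stale data.
   * NOTE(review): VersionInformation is a file-scope global in this listing,
   * so concurrent callers share it; harmless for a version probe, but worth
   * knowing if the function is reachable from multiple threads. */
  VersionInformation.dwOSVersionInfoSize = 276;
  memset(&VersionInformation.dwMajorVersion, 0, 0x110u);
  status = RtlGetVersion(&VersionInformation);
  if ( status < 0 )
  {
    /* The decompiled listing left `result` uninitialized on this path; the
     * `v3 = v2` copy indicates the NTSTATUS simply stayed in the return
     * register, so propagate the failure status explicitly. */
    return status;
  }

  /* Windows 7 (6.1) and later: set bit 0x100 in the caller's permission
   * mask. This is a bitwise OR, not an addition -- values that already have
   * the bit keep it, everything else gains it. 0x100 matches the documented
   * registry access right KEY_WOW64_64KEY; if *this is a registry key access
   * mask this forces the 64-bit registry view -- confirm against callers. */
  if ( VersionInformation.dwMajorVersion >= 7
    || VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion >= 1 )
  {
    *this |= 0x100u;
  }
  return 0;
}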
//----- (0000000180079520) ----------------------------------------------------
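__int64 __fastcall `anonymous namespace'::TransformKeyPermissions(_DWORD *a1)
{
  int status;

  /* The decompiler did not recover the _OSVERSIONINFOW on the stack and
   * split it into adjacent locals: v10 is dwOSVersionInfoSize (276 == 0x114,
   * the size RtlGetVersion expects), Dst is dwMajorVersion (start of the
   * 0x110-byte clear), v12 is dwMinorVersion. The locals must stay adjacent
   * for &v10 to be a valid structure pointer; do not reorder them. */
  v10 = 276;
  memset_0(&Dst, 0, 0x110ui64);
  status = RtlGetVersion(&v10);
  if ( status < 0 )
  {
    /* The listing left `result` uninitialized here; `v3 = v2` indicates the
     * NTSTATUS stayed in the return register, so return it explicitly. */
    return status;
  }

  /* Windows 7 (6.1) and later: OR bit 0x100 into the caller's permission
   * mask (not an addition). 0x100 equals the documented registry access right
   * KEY_WOW64_64KEY; if *a1 is a registry key access mask this forces the
   * 64-bit registry view -- confirm against callers. */
  if ( Dst >= 7 || Dst == 6 && v12 >= 1 )
  {
    *a1 |= 0x100u;
  }
  return 0i64;
}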
// 1802449C0: using guessed type int __fastcall RtlGetVersion(_QWORD);