Firmware tables

Description

If the operating system runs in a virtual environment, it uses some special memory regions that contain specific artifacts. Depending on the OS version, different methods can be used to dump these memory regions.
Firmware tables are retrieved through a SYSTEM_FIRMWARE_TABLE_INFORMATION object. It is defined as follows:
typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
    ULONG ProviderSignature;
    SYSTEM_FIRMWARE_TABLE_ACTION Action;
    ULONG TableID;
    ULONG TableBufferLength;
    UCHAR TableBuffer[ANYSIZE_ARRAY];  // <- the result will reside in this field
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;

// helper enum
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
    SystemFirmwareTable_Enumerate,
    SystemFirmwareTable_Get
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;

1. Check whether a specific string is present in the raw firmware table

Example code for Windows Vista and later:
// First, SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way:
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti = 
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'FIRM';
sfti->TableID = 0xC0000;
sfti->TableBufferLength = Length;

// Then initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is used as an argument for
// the system information call in the following way in order to dump raw firmware table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76 
    sfti,
    Length,
    &Length);
Example code for Windows XP:
// On Windows XP the csrss.exe memory space is read instead, in order to dump the raw firmware table:
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory(
    hCSRSS,
    (PVOID)0xC0000,  // base address of the firmware region as mapped in csrss.exe
    sfti,
    RegionSize,
    &memIO);

2. Check whether a specific string is present in the raw SMBIOS firmware table

Example code for Windows Vista and later:
// SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way:
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti = 
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get; // 1
sfti->ProviderSignature = 'RSMB';
sfti->TableID = 0;
sfti->TableBufferLength = Length;

// Then initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is used as an argument for
// the system information call in the following way in order to dump raw firmware table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76 
    sfti,
    Length,
    &Length);
Example code for Windows XP:
// On Windows XP the csrss.exe memory space is read instead, in order to dump the raw SMBIOS firmware table:
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory(
    hCSRSS,
    (PVOID)0xE0000,  // base address of the SMBIOS region as mapped in csrss.exe
    sfti,
    RegionSize,
    &memIO);
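The buffer that the 'RSMB' provider returns is the raw SMBIOS structure table, and the strings an evasion looks for live in the string sets of its structures. The following portable parser is an added example, not code from the original page: it walks a constructed RawSMBIOSData sample (RSMB_SAMPLE and the smbios_* functions are names chosen here) so a sandbox operator can audit which manufacturer and product strings the guest exposes and which structure they come from.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 'RSMB' buffer (RawSMBIOSData: 8-byte header, then the DMI structure table),
 * not captured from a real machine: Type 1 (System Information, SMBIOS 2.0 length 8,
 * manufacturer/product/version/serial as string indices) followed by Type 127. */
static const char RSMB_SAMPLE[] =
    "\x00\x02\x08\x00" "\x52\x00\x00\x00"                           /* SMBIOS 2.8, Length 82 */
    "\x01\x08\x01\x00" "\x01\x02\x03\x04"                           /* Type 1, len 8, handle 1 */
    "Constructed Manufacturer\0" "Constructed Hypervisor Platform\0" "1\0" "SN-0000\0" "\0"
    "\x7f\x04\x02\x00" "\0\0";                                      /* Type 127, End-of-Table */
#define RSMB_SAMPLE_LEN (sizeof(RSMB_SAMPLE) - 1)
/* 1-based 'index'-th string of the structure at 's'; the string set follows the formatted
 * area of s[1] bytes and ends with a double NUL. NULL if absent or unterminated. */
const char *smbios_string(const uint8_t *s, const uint8_t *end, int index) {
    for (const uint8_t *p = s + s[1], *q; p < end && *p && index > 0; p = q + 1) {
        if (!(q = memchr(p, 0, (size_t)(end - p)))) return NULL;
        if (--index == 0) return (const char *)p;
    }
    return NULL;
}
/* Table start; 'end' is clamped so the little-endian header Length is never trusted past the buffer. */
static const uint8_t *smbios_first(const uint8_t *raw, size_t n, const uint8_t **end) {
    if (n < 8) return NULL;
    size_t tlen = raw[4] | raw[5] << 8 | raw[6] << 16 | (size_t)raw[7] << 24;
    if (tlen > n - 8) tlen = n - 8;
    *end = raw + 8 + tlen;
    return tlen >= 4 ? raw + 8 : NULL;
}
/* Step over one structure (formatted area plus string set) to the next one. */
static const uint8_t *smbios_next(const uint8_t *s, const uint8_t *end) {
    const uint8_t *q = s + s[1];
    while (q + 1 < end && (q[0] || q[1])) q++;                      /* find the double NUL */
    return (s[0] != 127 && q + 6 <= end) ? q + 2 : NULL;            /* 127 = End-of-Table */
}
/* String referenced by byte 'offset' of the first structure of 'type', e.g. (1, 5) = Product Name. */
const char *smbios_field_string(const uint8_t *raw, size_t n, int type, int offset) {
    const uint8_t *end, *s = smbios_first(raw, n, &end);
    for (; s; s = smbios_next(s, end))
        if (s[0] == type) return offset < s[1] && s + offset < end ? smbios_string(s, end, s[offset]) : NULL;
    return NULL;
}
/* Type of the first structure whose string set contains 'needle', or -1 if none does. */
int smbios_find_string(const uint8_t *raw, size_t n, const char *needle) {
    const uint8_t *end, *s = smbios_first(raw, n, &end);
    for (; s; s = smbios_next(s, end))
        for (int i = 1; smbios_string(s, end, i); i++)
            if (strstr(smbios_string(s, end, i), needle)) return s[0];
    return -1;
}
```

On a real system the same functions take the TableBuffer filled by the NtQuerySystemInformation call above (or by GetSystemFirmwareTable) in place of the constructed sample.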