From e797d246f6b482c8eebe821933f1499ef7633c43 Mon Sep 17 00:00:00 2001
From: BlackINT3
Date: Thu, 19 Nov 2020 11:05:49 +0800
Subject: [PATCH] Make code to support 20H2.

---
 src/OpenArk/kernel/kernel.cpp         | 32 ++++++++++++-
 src/OpenArkDrv/common/common.cpp      | 66 ++++++++++++++++++++++++++-
 src/OpenArkDrv/common/common.h        | 31 ++++++++++++-
 src/OpenArkDrv/knotify/notify-lib.cpp | 20 ++++----
 4 files changed, 136 insertions(+), 13 deletions(-)

diff --git a/src/OpenArk/kernel/kernel.cpp b/src/OpenArk/kernel/kernel.cpp
index a2d7c65..e9d2582 100644
--- a/src/OpenArk/kernel/kernel.cpp
+++ b/src/OpenArk/kernel/kernel.cpp
@@ -203,6 +203,36 @@ void Kernel::onTabChanged(int index)
 	CommonMainTabObject::onTabChanged(index);
 }
 
+std::string OsReleaseNumber()
+{
+	/*
+	//c++11
+	std::map tables = {
+		{ 10240, 1507 }, { 10586, 1511} ,{ 14393, 1607 } ,{ 15063, 1703 } ,{ 16299, 1709 } ,{ 17134, 1803 } ,
+		{ 17763, 1809 }, { 18362, 1903 } ,{ 18363, 1909 } ,{ 19041, 2004 }, { 19042, 20H2 }
+	};*/
+
+	std::pair pairs[] = {
+		std::make_pair(10240, "1507"),
+		std::make_pair(10586, "1511"),
+		std::make_pair(14393, "1607"),
+		std::make_pair(15063, "1703"),
+		std::make_pair(16299, "1709"),
+		std::make_pair(17134, "1803"),
+		std::make_pair(17763, "1809"),
+		std::make_pair(18362, "1903"),
+		std::make_pair(18363, "1909"),
+		std::make_pair(19041, "2004"),
+		std::make_pair(19042, "20H2"),
+	};
+	std::map tables(pairs, pairs+_countof(pairs));
+
+	DWORD build = UNONE::OsBuildNumber();
+	auto it = tables.find(build);
+	if (it != tables.end())
+		return it->second;
+	return "";
+}
 void Kernel::InitKernelEntryView()
 {
 	kerninfo_model_ = new QStandardItemModel;
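Review bot: `OsReleaseNumber()` returns `""` for any build number missing from `pairs`, so on a build newer than 19042 (or an Insider build) the `ReleaseNumber` row touched by the second hunk is rendered empty, where the old `DWordToDecQ(UNONE::OsReleaseNumber())` at least printed a number; a fallback such as `return std::to_string(build);` keeps the row informative. `tables` is rebuilt from `pairs` on every call although its contents never change — `static const` on both would avoid that. A comment above `pairs` noting that the key is the OS build number and that the same list must be extended in `OsNtVersion()` in common.cpp would help keep the two tables in step.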
@@ -234,7 +264,7 @@ void Kernel::InitKernelEntryView()
 	auto major = UNONE::OsMajorVer();
 	AddSummaryUpItem(tr("MajorVersion"), DWordToDecQ(major));
 	AddSummaryUpItem(tr("MiniorVersion"), DWordToDecQ(UNONE::OsMinorVer()));
-	if (major >= 10) AddSummaryUpItem(tr("ReleaseNumber"), DWordToDecQ(UNONE::OsReleaseNumber()));
+	if (major >= 10) AddSummaryUpItem(tr("ReleaseNumber"), StrToQ(OsReleaseNumber()));
 	AddSummaryUpItem(tr("BuildNumber"), DWordToDecQ(UNONE::OsBuildNumber()));
 	AddSummaryUpItem(tr("MajorServicePack"), DWordToDecQ(info.wServicePackMajor));
 	AddSummaryUpItem(tr("MiniorServicePack"), DWordToDecQ(info.wServicePackMinor));
diff --git a/src/OpenArkDrv/common/common.cpp b/src/OpenArkDrv/common/common.cpp
index bf644f4..fb4a1de 100644
--- a/src/OpenArkDrv/common/common.cpp
+++ b/src/OpenArkDrv/common/common.cpp
@@ -19,12 +19,76 @@ ARK_DRIVER ArkDrv;
 
 
 
+/*++
+Description:
+	get os version
+Arguments:
+	void
+Return:
+	NTOS_VERSION
+--*/
+NTOS_VERSION_X OsNtVersion()
+{
+	RTL_OSVERSIONINFOEXW info;
+	if (!KNONE::OsGetVersionInfo(info)) return _NTOS_UNKNOWN;
+
+	switch (info.dwMajorVersion) {
+	case 5: {
+		if (info.dwMinorVersion == 1) {
+			if (info.wServicePackMajor == 1) return _NTOS_WINXPSP1;
+			if (info.wServicePackMajor == 2) return _NTOS_WINXPSP2;
+			if (info.wServicePackMajor == 3) return _NTOS_WINXPSP3;
+			return _NTOS_WINXP;
+		}
+		if (info.dwMinorVersion == 2) {
+			if (info.wServicePackMajor == 1) return _NTOS_WIN2003SP1;
+			if (info.wServicePackMajor == 2) return _NTOS_WIN2003SP2;
+			return _NTOS_WIN2003;
+		}
+		break;
+	} case 6: {
+		if (info.dwMinorVersion == 0) {
+			if (info.wServicePackMajor == 1) return _NTOS_WINVISTASP1;
+			if (info.wServicePackMajor == 2) return _NTOS_WINVISTASP2;
+			return _NTOS_WINVISTA;
+		}
+		if (info.dwMinorVersion == 1) {
+			if (info.wServicePackMajor == 1) return _NTOS_WIN7SP1;
+			return _NTOS_WIN7;
+		}
+		if (info.dwMinorVersion == 2) {
+			return _NTOS_WIN8;
+		}
+		if (info.dwMinorVersion == 3) {
+			return _NTOS_WIN81;
+		}
+		break;
+	} case 10: {
+		if (info.dwBuildNumber == 10240) return _NTOS_WIN10_1507;
+		if (info.dwBuildNumber == 10586) return _NTOS_WIN10_1511;
+		if (info.dwBuildNumber == 14393) return _NTOS_WIN10_1607;
+		if (info.dwBuildNumber == 15063) return _NTOS_WIN10_1703;
+		if (info.dwBuildNumber == 16299) return _NTOS_WIN10_1709;
+		if (info.dwBuildNumber == 17134) return _NTOS_WIN10_1803;
+		if (info.dwBuildNumber == 17763) return _NTOS_WIN10_1809;
+		if (info.dwBuildNumber == 18362) return _NTOS_WIN10_1903;
+		if (info.dwBuildNumber == 18363) return _NTOS_WIN10_1909;
+		if (info.dwBuildNumber == 19041) return _NTOS_WIN10_2004;
+		if (info.dwBuildNumber == 19042) return _NTOS_WIN10_20H2;
+	}
+	default:
+		break;
+	}
+	return _NTOS_UNKNOWN;
+}
+
+
 BOOLEAN InitArkDriver(PDRIVER_OBJECT drvobj, PDEVICE_OBJECT devobj)
 {
 	ArkDrv.drvobj = drvobj;
 	ArkDrv.devobj = devobj;
-	ArkDrv.ver = KNONE::OsNtVersion();
+	ArkDrv.ver = OsNtVersion();
 	ArkDrv.major = KNONE::OsMajorVersion();
 	ArkDrv.minor = KNONE::OsMinorVersion();
 	ArkDrv.build = KNONE::OsBuildNumber();
diff --git a/src/OpenArkDrv/common/common.h b/src/OpenArkDrv/common/common.h
index 1b4a828..e3d766c 100644
--- a/src/OpenArkDrv/common/common.h
+++ b/src/OpenArkDrv/common/common.h
@@ -34,9 +34,38 @@ typedef struct _ARK_DRIVER {
 extern ARK_DRIVER ArkDrv;
+typedef enum {
+	_NTOS_UNKNOWN,
+	_NTOS_WINXP,
+	_NTOS_WINXPSP1,
+	_NTOS_WINXPSP2,
+	_NTOS_WINXPSP3,
+	_NTOS_WIN2003,
+	_NTOS_WIN2003SP1,
+	_NTOS_WIN2003SP2,
+	_NTOS_WINVISTA,
+	_NTOS_WINVISTASP1,
+	_NTOS_WINVISTASP2,
+	_NTOS_WIN7,
+	_NTOS_WIN7SP1,
+	_NTOS_WIN8,
+	_NTOS_WIN81,
+	_NTOS_WIN10_1507, //10240
+	_NTOS_WIN10_1511, //10586
+	_NTOS_WIN10_1607, //14393
+	_NTOS_WIN10_1703, //15063
+	_NTOS_WIN10_1709, //16299
+	_NTOS_WIN10_1803, //17134
+	_NTOS_WIN10_1809, //17763
+	_NTOS_WIN10_1903, //18362
+	_NTOS_WIN10_1909, //18363
+	_NTOS_WIN10_2004, //19041
+	_NTOS_WIN10_20H2, //19042
+} NTOS_VERSION_X, *PNTOS_VERSION_X;
+
 BOOLEAN InitArkDriver(PDRIVER_OBJECT drvobj, PDEVICE_OBJECT devobj);
 PVOID GetNtRoutineAddress(IN PCWSTR name);
 NTSTATUS DuplicateInputBuffer(IN PIRP irp, PVOID &inbuf);
-NTSTATUS ReleaseInputBuffer(IN PIRP irp, PVOID &inbuf);
\ No newline at end of file
+NTSTATUS ReleaseInputBuffer(IN PIRP irp, PVOID &inbuf);
diff --git a/src/OpenArkDrv/knotify/notify-lib.cpp b/src/OpenArkDrv/knotify/notify-lib.cpp
index 0d244b5..b0eb38b 100644
--- a/src/OpenArkDrv/knotify/notify-lib.cpp
+++ b/src/OpenArkDrv/knotify/notify-lib.cpp
@@ -109,7 +109,7 @@ FORCEINLINE ULONG GetThreadNotifyMaximum()
 }
 FORCEINLINE ULONG GetImageNotifyMaximum()
 {
-	if (ArkDrv.ver >= NTOS_WIN7SP1) return 64;
+	if (ArkDrv.ver >= _NTOS_WIN7SP1) return 64;
 	else return 8;
 }
 FORCEINLINE ULONG GetRegistryNotifyMaximum()
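Review bot: `case 10:` in `OsNtVersion()` matches `dwBuildNumber` by exact equality, so any Windows 10 build not listed (everything after 19042, and Server SKUs on other builds) yields `_NTOS_UNKNOWN`, the lowest enumerator, which every `ArkDrv.ver >= _NTOS_...` gate in notify-lib.cpp then treats as unsupported; keeping the pattern scans off on an unrecognised kernel is the right default for a driver, but it should be stated, e.g. `// unlisted builds map to _NTOS_UNKNOWN on purpose: version-gated scans stay off`. The `case 10:` block also has no `break;` and falls into `default:` — harmless today, but add `break;` for symmetry with the other cases. The header comment says `Return: NTOS_VERSION` while the function returns `NTOS_VERSION_X`. `RTL_OSVERSIONINFOEXW info;` is left uninitialised; presumably `KNONE::OsGetVersionInfo` fills in `dwOSVersionInfoSize` before querying — worth confirming, since that field normally has to be set by the caller.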
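Review bot: Every enumerator added to `NTOS_VERSION_X` begins with an underscore followed by a capital letter (`_NTOS_UNKNOWN` … `_NTOS_WIN10_20H2`), a spelling reserved for the implementation in C and C++; a prefix such as `ARK_NTOS_` would stay clear of both the reserved names and KNONE's `NTOS_*` constants. The hunk does not touch the `ver` member of `_ARK_DRIVER` (declared before line 34) although common.cpp now assigns `OsNtVersion()` to it — if `ver` is still declared with the KNONE enum type the assignment needs a cast to compile in C++, and if it is an integer the `>=`/`<=` gates in notify-lib.cpp silently mix two numbering schemes; please confirm the member type. Since those gates depend on declaration order, the enum deserves `// order is significant: notify-lib.cpp compares with >= and <=; append new releases at the end`.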
@@ -125,7 +125,7 @@ PEX_CALLBACK GetProcessNotifyCallback()
 	PEX_CALLBACK callback = NULL;
 #ifdef _AMD64_
-	if (ArkDrv.ver >= NTOS_WINVISTA && ArkDrv.ver < NTOS_WIN7) {
+	if (ArkDrv.ver >= _NTOS_WINVISTA && ArkDrv.ver < _NTOS_WIN7) {
 		for (PUCHAR ptr1 = routine; ptr1 <= routine + 0x10; ptr1++) {
 			// e9 jmp
 			if (*ptr1 == 0xe9) {
@@ -143,7 +143,7 @@ PEX_CALLBACK GetProcessNotifyCallback()
 				}
 			}
 		}
-	} else if (ArkDrv.ver >= NTOS_WIN7 && ArkDrv.ver < NTOS_WIN8) {
+	} else if (ArkDrv.ver >= _NTOS_WIN7 && ArkDrv.ver < _NTOS_WIN8) {
 		for (PUCHAR ptr1 = routine; ptr1 <= routine + 0x10; ptr1++) {
 			// e9 jmp
 			if (*ptr1 == 0xe9) {
@@ -159,7 +159,7 @@ PEX_CALLBACK GetProcessNotifyCallback()
 				}
 			}
 		}
-	} else if (ArkDrv.ver >= NTOS_WIN8 && ArkDrv.ver < NTOS_WIN10_1507) {
+	} else if (ArkDrv.ver >= _NTOS_WIN8 && ArkDrv.ver < _NTOS_WIN10_1507) {
 		for (PUCHAR ptr1 = routine; ptr1 <= routine + 0x10; ptr1++) {
 			PUCHAR psp_routine = NULL;
 			//Win8 eb jmp
@@ -178,7 +178,7 @@ PEX_CALLBACK GetProcessNotifyCallback()
 				}
 			}
 		}
-	} else if (ArkDrv.ver >= NTOS_WIN10_1507) {
+	} else if (ArkDrv.ver >= _NTOS_WIN10_1507) {
 		//Win10 2004 0xe8 call
 		//Win10 1909 0xe8 call
 		//Win10 1903 0xe8 call
@@ -290,7 +290,7 @@ PEX_CALLBACK GetThreadNotifyCallback()
 	PEX_CALLBACK callback = NULL;
 #ifdef _AMD64_
-	if (ArkDrv.ver >= NTOS_WINVISTA && ArkDrv.ver <= NTOS_WIN81) {
+	if (ArkDrv.ver >= _NTOS_WINVISTA && ArkDrv.ver <= _NTOS_WIN81) {
 		// lea rcx
 		for (PUCHAR ptr1 = routine; ptr1 <= routine + 0x30; ptr1++) {
 			if (*ptr1 == 0x48 && *(ptr1 + 1) == 0x8d && *(ptr1 + 2) == 0x0d) {
@@ -299,7 +299,7 @@ PEX_CALLBACK GetThreadNotifyCallback()
 				break;
 			}
 		}
-	} else if (ArkDrv.ver >= NTOS_WIN10_1507) {
+	} else if (ArkDrv.ver >= _NTOS_WIN10_1507) {
 		//Win10 2004 e8 call
 		//Win10 1909 e8 call
 		//Win10 1903 e8 call
@@ -391,9 +391,9 @@ BOOLEAN RemoveThreadNotify(ULONG64 routine)
 PEX_CALLBACK GetImageNotifyCallback()
 {
 	PUCHAR routine = NULL;
-	if (ArkDrv.ver >= NTOS_WINXP && ArkDrv.ver <= NTOS_WIN10_1703) {
+	if (ArkDrv.ver >= _NTOS_WINXP && ArkDrv.ver <= _NTOS_WIN10_1703) {
 		routine = (PUCHAR)GetNtRoutineAddress(L"PsSetLoadImageNotifyRoutine");
-	} else if (ArkDrv.ver >= NTOS_WIN10_1709 && ArkDrv.ver <= NTOS_WIN10_1903) {
+	} else if (ArkDrv.ver >= _NTOS_WIN10_1709 && ArkDrv.ver <= _NTOS_WIN10_20H2) {
 		routine = (PUCHAR)GetNtRoutineAddress(L"PsSetLoadImageNotifyRoutineEx");
 	}
 	if (!routine) return NULL;
@@ -477,7 +477,7 @@ PVOID GetRegistryNotifyCallback()
 	PVOID callback = NULL;
 #ifdef _AMD64_
-	if (ArkDrv.ver >= NTOS_WINVISTA) {
+	if (ArkDrv.ver >= _NTOS_WINVISTA) {
 		// xor r8d, r8d
 		// lea rcx, CallbackListHead
 		for (PUCHAR ptr1 = routine; ptr1 <= routine + 0x100; ptr1++) {
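Review bot: Raising the upper bound of the `PsSetLoadImageNotifyRoutineEx` branch in `GetImageNotifyCallback()` from `_NTOS_WIN10_1903` to `_NTOS_WIN10_20H2` also newly admits 1909 and 2004, so the byte pattern scanned further down (outside this hunk) is now applied to three builds it was not applied to before; a comment listing the builds the scan was checked on would make that explicit, as the `//Win10 2004 ...` comments in the other hunks do for `GetProcessNotifyCallback()`. A build `OsNtVersion()` cannot classify falls outside both ranges, leaves `routine` NULL and hits `if (!routine) return NULL;`, so unknown kernels fail closed — worth a one-line comment so the next bound bump does not turn this into an open-ended `>=`. The function body continues past this hunk.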