Reverse Engineering for Beginners


CHAPTER 74. TASK MANAGER PRACTICAL JOKE (WINDOWS VISTA)


.text:10000B4CA xor ebx, ebx
.text:10000B4CC cmp eax, ebx
.text:10000B4CE jge short loc_10000B4D7
.text:10000B4D0
.text:10000B4D0 loc_10000B4D0: ; CODE XREF: InitPerfInfo(void)+97
.text:10000B4D0 ; InitPerfInfo(void)+AF
.text:10000B4D0 xor al, al
.text:10000B4D2 jmp loc_10000B5EA
.text:10000B4D7 ; ---------------------------------------------------------------------------
.text:10000B4D7
.text:10000B4D7 loc_10000B4D7: ; CODE XREF: InitPerfInfo(void)+36
.text:10000B4D7 mov eax, [rsp+0C78h+var_C50]
.text:10000B4DB mov esi, ebx
.text:10000B4DD mov r12d, 3E80h
.text:10000B4E3 mov cs:?g_PageSize@@3KA, eax ; ulong g_PageSize
.text:10000B4E9 shr eax, 0Ah
.text:10000B4EC lea r13, ImageBase
.text:10000B4F3 imul eax, [rsp+0C78h+var_C4C]
.text:10000B4F8 cmp [rsp+0C78h+var_C20], bpl
.text:10000B4FD mov cs:?g_MEMMax@@3_JA, rax ; int64 g_MEMMax
.text:10000B504 movzx eax, [rsp+0C78h+var_C20] ; number of CPUs
.text:10000B509 cmova eax, ebp
.text:10000B50C cmp al, bl
.text:10000B50E mov cs:?g_cProcessors@@3EA, al ; uchar g_cProcessors


g_cProcessors is a global variable, and this name was assigned by IDA according to the PDB loaded from Microsoft's
symbol server.


The byte is taken from var_C20. And var_C58 is passed to NtQuerySystemInformation() as a pointer to the receiving
buffer. The difference between 0xC20 and 0xC58 is 0x38 (56). Let's take a look at the format of the return structure, which
we can find in MSDN:


typedef struct _SYSTEM_BASIC_INFORMATION {
    BYTE Reserved1[24];
    PVOID Reserved2[4];
    CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION;


This is an x64 system, so each PVOID takes 8 bytes. All reserved fields in the structure take 24 + 4*8 = 56 bytes. Oh yes, this
implies that var_C20 in the local stack is exactly the NumberOfProcessors field of the SYSTEM_BASIC_INFORMATION
structure.
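The offset reasoning above can be checked mechanically. The following program is an added example, not code from the book: it declares SYSTEM_BASIC_INFORMATION exactly as quoted from MSDN, spells out the Windows typedefs (BYTE, PVOID, CCHAR) so it builds outside Windows, and compares the compiler's offsetof() for NumberOfProcessors against the 0xC58 - 0xC20 distance between the two stack slots in the IDA listing. The slot names and offsets come from the listing; everything else is an assumption for the sake of the demonstration, and the check is only expected to hold on a 64-bit build.

```c
/* Added example (not from the book): confirm that the byte read from var_C20
 * is SYSTEM_BASIC_INFORMATION.NumberOfProcessors. NtQuerySystemInformation()
 * fills the buffer at var_C58, so the field must sit (0xC58 - 0xC20) bytes
 * into that buffer. */
#include <stddef.h>
#include <stdio.h>

/* Windows typedefs as they are on x64 (assumption: we are not on Windows,
 * so we define them ourselves). */
typedef unsigned char BYTE;
typedef void *PVOID;
typedef char CCHAR;

/* The structure exactly as documented on MSDN. */
typedef struct _SYSTEM_BASIC_INFORMATION {
    BYTE Reserved1[24];
    PVOID Reserved2[4];
    CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION;

/* Stack slot magnitudes taken from the IDA listing. Both are negative
 * offsets from the frame base (e.g. [rsp+0C78h+var_C20] is rsp+0x58 and
 * [rsp+0C78h+var_C58] is rsp+0x20), so var_C20 lies 0x38 bytes after the
 * start of the buffer at var_C58. */
#define VAR_C58 0xC58 /* buffer handed to NtQuerySystemInformation() */
#define VAR_C20 0xC20 /* the byte that becomes g_cProcessors */

/* Distance between the two stack slots, i.e. the field offset implied by the code. */
unsigned slot_distance(void) { return VAR_C58 - VAR_C20; }

/* Offset of NumberOfProcessors as laid out by the compiler for this ABI. */
size_t number_of_processors_offset(void) {
    return offsetof(SYSTEM_BASIC_INFORMATION, NumberOfProcessors);
}

/* The hand calculation from the text: 24 reserved bytes plus 4 pointers. */
size_t hand_calculated_offset(void) { return 24 + 4 * sizeof(PVOID); }

/* 1 when all three numbers agree; only expected on a 64-bit build (8-byte PVOID). */
int guess_holds(void) {
    return sizeof(PVOID) == 8 &&
           number_of_processors_offset() == slot_distance() &&
           hand_calculated_offset() == slot_distance();
}

int main(void) {
    printf("0xC58 - 0xC20                = %u\n", slot_distance());
    printf("24 + 4*sizeof(PVOID)         = %zu\n", hand_calculated_offset());
    printf("offsetof(NumberOfProcessors) = %zu\n", number_of_processors_offset());
    printf("guess %s\n", guess_holds() ? "holds" : "does not hold (32-bit build?)");
    return guess_holds() ? 0 : 1;
}
```

On a 64-bit compiler all three values print as 56; on a 32-bit build PVOID shrinks to 4 bytes, the offset drops to 40, and guess_holds() reports the mismatch, which is exactly why the text stresses that this is an x64 binary.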


Let's check our guess. Copy taskmgr.exe from C:\Windows\System32 to some other folder (so Windows Resource
Protection will not try to restore the patched taskmgr.exe).


Let’s open it in Hiew and find the place:


Figure 74.2: Hiew: find the place to be patched

Let's replace the MOVZX instruction with ours. Let's pretend we've got 64 CPU cores. Add one additional NOP (because our
instruction is shorter than the original one):
