DMI/SMBIOS editing
Would it be possible to edit the DMI information that resides in the ROM (0x000F0000-0x000FFFFF)? I've tried editing the SMBIOS that resides in the Phys address and it works on some chipsets, but on some it doesn't. Any workaround?
By the way, DMI != SMBIOS.
I'd like to keep using the wrappers included in the project, pretty neat project
@lucash4x0r, what exactly happens on 'bad' chipsets?
It is not that they are bad, changes are simply not made, because you can't write to this part of the memory? I suppose it's because it's inside of the ROM?
Can we edit from kernel this memory range 0x000F0000-0x000FFFFF ?
@lucash4x0r, yes, you can, but how do you change this?
How can we edit it? I've tried everything: cr0 16bit flip, mdl, and values don't change
@lucash4x0r, oh, wait, 0xF0000..0xFFFFF - it's a physical range, not virtual. You should map it to virtual address space using MmMapIoSpaceEx. You will get a kernel virtual address and ability to edit this region.
And how does it work? Something like?

    mov rax, VA
    mov [rax], val
    mov rax, [rax] ; Here rax != val?

Could you explain a little bit that asm that you wrote there, what is it for essentially? I am currently using RtlCopyMemory after I've done MmMapIoSpaceEx. I can read and edit the values just fine on my LAPTOP, but it won't work on my desktop; I can read values on desktop but values will not change. Further giving me more reasons to believe the ROM in some chipsets cannot be edited.

    PSMBIOS_EPS FindSMBIOS(UCHAR* buff, ULONG size) // DMI is not equal to SMBIOS
    {
        UCHAR* p = buff;
        // Scan on 16-byte boundaries
        for (ULONG i = 0; i < size; i += 16)
        {
            if (0 == memcmp(p, "_SM_", 4))
            {
                PSMBIOS_EPS psm = (PSMBIOS_EPS)p;
                if (0 == memcmp(psm->DMISignature, "_DMI_", 5))
                {
                    UCHAR chk = 0;
                    // verify checksum
                    for (ULONG j = 0; j < psm->Length; j++)
                    {
                        chk += *(p + j);
                    }
                    if (0 == chk)
                    {
                        return psm;
                    }
                }
            }
            p += 16;
        }
        return nullptr;
    }

    void clear_smbios()
    {
        const ULONG MEM_RANGE = 64 * 1024; // 0xF0000 ~ 0xFFFFF, 64K
        const ULONG MEMSTART = 0xF0000;
        PHYSICAL_ADDRESS addr;
        addr.QuadPart = MEMSTART;
        if (auto p = MmMapIoSpaceEx(addr, MEM_RANGE, PAGE_READWRITE | PAGE_NOCACHE)) {
            Log::Print("Mapped phys mem");
            if (auto pSMBIOS = FindSMBIOS((UCHAR*)p, MEM_RANGE - 0xF)) { // I try to find DMI
                Log::Print("SMBIOS at %p\r\n", 0xF0000 + ((UCHAR*)pSMBIOS->StructAddress - (UCHAR*)p)); // I find it just fine
                memset(pSMBIOS, 0, sizeof(PHYSICAL_ADDRESS)); // This won't work
            }
            MmUnmapIoSpace(p, MEM_RANGE);
        }
        else
            Log::Print("Failed mapping");
    }

I am trying this for now with no luck
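
Added example, not part of the original posts or the project's code: a user-mode C check that validates an SMBIOS 2.x entry point in a read-only copy of the 0xF0000..0xFFFFF region, verifying the `_DMI_` intermediate checksum (15 bytes from offset 0x10) in addition to the `_SM_` checksum that FindSMBIOS above tests, and bounding the untrusted length byte before summing. The function names, the sample buffer and the table address in it are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define EPS_LEN 0x1F  /* size of the SMBIOS 2.x 32-bit entry point */

/* Byte-wise sum modulo 256; a valid region sums to 0. */
static uint8_t sum8(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    while (n--) s = (uint8_t)(s + *p++);
    return s;
}

/* Scan a copy of the F-segment on 16-byte boundaries. Returns the offset
   of the first entry point passing both checksums, or -1 if none does. */
long find_smbios_eps(const uint8_t *buf, size_t size) {
    for (size_t off = 0; off + EPS_LEN <= size; off += 16) {
        const uint8_t *p = buf + off;
        if (memcmp(p, "_SM_", 4) != 0) continue;
        size_t len = p[0x05];                        /* length is untrusted */
        if (len < EPS_LEN || off + len > size) continue;
        if (memcmp(p + 0x10, "_DMI_", 5) != 0) continue;
        if (sum8(p, len) != 0) continue;             /* checksum byte at 0x04 */
        if (sum8(p + 0x10, 0x0F) != 0) continue;     /* checksum byte at 0x15 */
        return (long)off;
    }
    return -1;
}

/* Structure table physical address: little-endian DWORD at offset 0x18. */
uint32_t eps_table_addr(const uint8_t *eps) {
    return (uint32_t)eps[0x18] | (uint32_t)eps[0x19] << 8 |
           (uint32_t)eps[0x1A] << 16 | (uint32_t)eps[0x1B] << 24;
}

/* Constructed sample (not real firmware data): write a valid entry point. */
void build_sample_eps(uint8_t *p, uint32_t table_addr) {
    memset(p, 0, EPS_LEN);
    memcpy(p, "_SM_", 4);
    p[0x05] = EPS_LEN; p[0x06] = 2; p[0x07] = 8;     /* version 2.8 */
    memcpy(p + 0x10, "_DMI_", 5);
    for (int i = 0; i < 4; i++) p[0x18 + i] = (uint8_t)(table_addr >> (8 * i));
    p[0x15] = (uint8_t)(0 - sum8(p + 0x10, 0x0F));   /* inner checksum first */
    p[0x04] = (uint8_t)(0 - sum8(p, EPS_LEN));       /* then the outer one */
}

int main(void) {
    static uint8_t img[0x10000];                     /* stand-in for 0xF0000..0xFFFFF */
    build_sample_eps(img + 0x5A0, 0x000E0000u);
    return find_smbios_eps(img, sizeof img) == 0x5A0 ? 0 : 1;
}
```

An entry point whose table address has been altered with only the byte at 0x04 recomputed still fails the inner sum, which a single-checksum scan would not notice.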
@lucash4x0r, check whether HVCI/DeviceGuard are disabled on your desktop. And check what happens with something like http://rweverything.com/
@HoShiMin HVCI disabled on both computers
Laptop smbios no DMI type in sight

In desktop it seems smbios is located in dmi, and laptop is directly in physical memory. idk if I explained myself well here, but there are definitely differences

@lucash4x0r, try to edit this memory using RWEverything. Does it work?
Trying to edit the first letter of Megatrend, doesn't change, this is on desktop by the way

@lucash4x0r, I don't know exactly, but it seems that your chipset rejects all writes to this memory
DMI Editor works on my desktop tho, I wonder how they do it
@lucash4x0r, could you give me a link?
https://filebin.net/cxf8m9x4x354iszr/DMIEDIT_utility.rar?t=tn69zca7
I just uploaded it, UCOREW64.sys is the one that does the changes. This program for example doesn't work on my laptop, because it is not supported, but it does on desktop, and can also change the values just fine
If I had better reversing skills I would reverse their driver to see what exactly they're doing, this is dbgview after editing a value of the smbios/dmi

@lucash4x0r, thanks a lot. Seems interesting, I'll check it and will add this to the Kernel-Bridge 2:

In the meantime, any tip on how I could translate this so I could use it? Cheers

    PVOID BusToPhys(PHYSICAL_ADDRESS a1, SIZE_T a2)
    {
        PVOID result = nullptr;
        PHYSICAL_ADDRESS BusAddress;
        BusAddress.QuadPart = a1.QuadPart;
        if (HalTranslateBusAddress(Isa, 0, a1, NULL, &BusAddress))
        {
            result = MmMapIoSpaceEx(BusAddress, a2, PAGE_READWRITE | PAGE_NOCACHE);
            Log::Print("Result: %p", result); // was the undeclared a4
        }
        else
        {
            DbgPrint("HalTranslateBusAddress failed\n");
            result = 0;
        }
        return result;
    }

My ghetto attempt to make it work, works on laptop but not desktop.... lmao!
@lucash4x0r, try MmGetVirtualForPhysical or remove PAGE_NOCACHE from MmMapIoSpaceEx
I don't see how MmGetVirtualForPhysical could benefit me here, also removing PAGE_NOCACHE works on laptop but once again not in desktop, quite annoying this, been at this for a few days now and 0 success thus far.
Have you had the opportunity to look more into dmi editor driver ?
Sorry to necro the thread but can you please reupload the driver? I'd like to analyze it too. Thank you.