KUSER_SHARED_DATA and added a proper cleanup block

AdvDebug · web-flow · commit c5cb6317d33a · 2025-07-20T01:16:18.000+03:00
Added the KUSER_SHARED_DATA support to get the BuildNumber directly which is less prone to tampering. also added a proper cleanup block instead of whatever i was doing
diff --git a/AntiCrack-DotNet/Syscalls.cs b/AntiCrack-DotNet/Syscalls.cs
@@ -353,6 +353,26 @@ private static string GetWindowsBuildNumberWinAPI()
             return null;
         }
 
+        /// <summary>
+        /// Gets the build number using KUSER_SHARED_dATA.
+        /// </summary>
+        /// <returns>The build number.</returns>
+        private static string GetWindowsBuildNumberKUser()
+        {
+            byte[] BuildNumberBytes = new byte[4];
+            IntPtr NtBuildNumber = new IntPtr(0x7FFE0260);
+            Utils.CopyMem(BuildNumberBytes, NtBuildNumber, false);
+            try
+            {
+                uint BuildNumber = BitConverter.ToUInt32(BuildNumberBytes, 0);
+                return BuildNumber.ToString();
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
 
         /// <summary>
         /// Searches for the return value from the function bytes.
@@ -365,11 +385,14 @@ private static bool IsTampered(string WinAPI, string WMI, string Registry)
         }
 
         /// <summary>
-        /// Searches for the return value from the function bytes.
+        /// Gets the best source for the BuildNumber that is harder to tamper with.
         /// </summary>
         /// <returns>The most suitable build number.</returns>
-        public static string GetMostMatching(string WinAPI, string WMI, string Registry)
+        public static string GetMostMatching(string WinAPI, string WMI, string Registry, string KUSER)
         {
+            if (!string.IsNullOrWhiteSpace(KUSER))
+                return KUSER;
+
             if (Tampered)
             {
                 if (WinAPI == WMI)
@@ -409,6 +432,7 @@ public static string GetBuildNumber(bool ExitOnBuildNumberTamper, bool OnlyShowO
             string WinAPI = GetWindowsBuildNumberWinAPI();
             string WMI = GetWindowsBuildNumberWMI();
             string Registry = GetWindowsBuildNumberReg();
+            string KUSER = GetWindowsBuildNumberKUser();
             if (IsTampered(WinAPI, WMI, Registry))
             {
                 Tampered = true;
@@ -427,7 +451,7 @@ public static string GetBuildNumber(bool ExitOnBuildNumberTamper, bool OnlyShowO
                     ForceExit();
                 }
             }
-            return GetMostMatching(WinAPI, WMI, Registry);
+            return GetMostMatching(WinAPI, WMI, Registry, KUSER);
         }
 
         /// <summary>
@@ -506,10 +530,9 @@ public static uint SyscallNtQueryInformationProcess(uint ProcessInfoClass, out u
                 {
                     SysNtQueryInformationProcess Executed = (SysNtQueryInformationProcess)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationProcess));
                     uint Result = Executed(new IntPtr(-1), ProcessInfoClass, out ProcessInfo, nSize, out ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -528,10 +551,9 @@ public static uint SyscallNtQueryInformationProcess(uint ProcessInfoClass, out I
                 {
                     SysNtQueryInformationProcess2 Executed = (SysNtQueryInformationProcess2)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationProcess2));
                     uint Result = Executed(new IntPtr(-1), ProcessInfoClass, out ProcessInfo, nSize, ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -550,10 +572,9 @@ public static uint SyscallNtQueryInformationProcess(uint ProcessInfoClass, ref S
                 {
                     SysNtQueryInformationProcess3 Executed = (SysNtQueryInformationProcess3)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationProcess3));
                     uint Result = Executed(new IntPtr(-1), ProcessInfoClass, ref ProcessInfo, nSize, ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -570,7 +591,6 @@ public static bool SyscallNtClose(IntPtr Handle)
                 {
                     SysNtClose Executed = (SysNtClose)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtClose));
                     bool Result = Executed(Handle);
-                    FreeCode(Syscall);
                     return Result;
                 }
                 finally
@@ -591,10 +611,9 @@ public static uint SyscallNtQuerySystemInformation(uint SystemInformationClass,
                 {
                     SysNtQuerySystemInformation Executed = (SysNtQuerySystemInformation)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQuerySystemInformation));
                     uint Result = Executed(SystemInformationClass, ref SystemInformation, SystemInformationLength, out ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -612,10 +631,9 @@ public static uint SyscallNtQuerySystemInformation(uint SystemInformationClass,
                 {
                     SysNtQuerySystemInformation2 Executed = (SysNtQuerySystemInformation2)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQuerySystemInformation2));
                     uint Result = Executed(SystemInformationClass, ref SystemInformation, SystemInformationLength, out ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -633,10 +651,9 @@ public static uint SyscallNtQuerySystemInformation(uint SystemInformationClass,
                 {
                     SysNtQuerySystemInformation3 Executed = (SysNtQuerySystemInformation3)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQuerySystemInformation3));
                     uint Result = Executed(SystemInformationClass, ref SystemInformation, SystemInformationLength, out ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -654,10 +671,9 @@ public static uint SyscallNtQueryVirtualMemory(IntPtr ProcessHandle, IntPtr Base
                 {
                     SysNtQueryVirtualMemory Executed = (SysNtQueryVirtualMemory)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryVirtualMemory));
                     uint Result = Executed(ProcessHandle, BaseAddress, MemoryInformationClass, ref MemoryInformation, MemoryInformationLength, out ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }
@@ -674,10 +690,9 @@ public static int SyscallNtQueryInformationThread(IntPtr ThreadHandle, int Threa
                 {
                     SysNtQueryInformationThread Executed = (SysNtQueryInformationThread)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationThread));
                     int Result = Executed(ThreadHandle, ThreadInformationClass, ref ThreadInformation, ThreadInformationLength, ReturnLength);
-                    FreeCode(Syscall);
                     return Result;
                 }
-                catch
+                finally
                 {
                     FreeCode(Syscall);
                 }

Original file line number	Diff line number	Diff line change
`@@ -353,6 +353,26 @@ private static string GetWindowsBuildNumberWinAPI()`
`353`	`353`	`return null;`
`354`	`354`	`}`
`355`	`355`
	`356`	`+ /// <summary>`
	`357`	`+ /// Gets the build number using KUSER_SHARED_dATA.`
	`358`	`+ /// </summary>`
	`359`	`+ /// <returns>The build number.</returns>`
	`360`	`+ private static string GetWindowsBuildNumberKUser()`
	`361`	`+ {`
	`362`	`+ byte[] BuildNumberBytes = new byte[4];`
	`363`	`+ IntPtr NtBuildNumber = new IntPtr(0x7FFE0260);`
	`364`	`+ Utils.CopyMem(BuildNumberBytes, NtBuildNumber, false);`
	`365`	`+ try`
	`366`	`+ {`
	`367`	`+ uint BuildNumber = BitConverter.ToUInt32(BuildNumberBytes, 0);`
	`368`	`+ return BuildNumber.ToString();`
	`369`	`+ }`
	`370`	`+ catch`
	`371`	`+ {`
	`372`	`+ return null;`
	`373`	`+ }`
	`374`	`+ }`
	`375`	`+`
`356`	`376`
`357`	`377`	`/// <summary>`
`358`	`378`	`/// Searches for the return value from the function bytes.`
`@@ -365,11 +385,14 @@ private static bool IsTampered(string WinAPI, string WMI, string Registry)`
`365`	`385`	`}`
`366`	`386`
`367`	`387`	`/// <summary>`
`368`		`- /// Searches for the return value from the function bytes.`
	`388`	`+ /// Gets the best source for the BuildNumber that is harder to tamper with.`
`369`	`389`	`/// </summary>`
`370`	`390`	`/// <returns>The most suitable build number.</returns>`
`371`		`- public static string GetMostMatching(string WinAPI, string WMI, string Registry)`
	`391`	`+ public static string GetMostMatching(string WinAPI, string WMI, string Registry, string KUSER)`
`372`	`392`	`{`
	`393`	`+ if (!string.IsNullOrWhiteSpace(KUSER))`
	`394`	`+ return KUSER;`
	`395`	`+`
`373`	`396`	`if (Tampered)`
`374`	`397`	`{`
`375`	`398`	`if (WinAPI == WMI)`
`@@ -409,6 +432,7 @@ public static string GetBuildNumber(bool ExitOnBuildNumberTamper, bool OnlyShowO`
`409`	`432`	`string WinAPI = GetWindowsBuildNumberWinAPI();`
`410`	`433`	`string WMI = GetWindowsBuildNumberWMI();`
`411`	`434`	`string Registry = GetWindowsBuildNumberReg();`
	`435`	`+ string KUSER = GetWindowsBuildNumberKUser();`
`412`	`436`	`if (IsTampered(WinAPI, WMI, Registry))`
`413`	`437`	`{`
`414`	`438`	`Tampered = true;`
`@@ -427,7 +451,7 @@ public static string GetBuildNumber(bool ExitOnBuildNumberTamper, bool OnlyShowO`
`427`	`451`	`ForceExit();`
`428`	`452`	`}`
`429`	`453`	`}`
`430`		`- return GetMostMatching(WinAPI, WMI, Registry);`
	`454`	`+ return GetMostMatching(WinAPI, WMI, Registry, KUSER);`
`431`	`455`	`}`
`432`	`456`
`433`	`457`	`/// <summary>`
`@@ -506,10 +530,9 @@ public static uint SyscallNtQueryInformationProcess(uint ProcessInfoClass, out u`
`506`	`530`	`{`
`507`	`531`	`SysNtQueryInformationProcess Executed = (SysNtQueryInformationProcess)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationProcess));`
`508`	`532`	`uint Result = Executed(new IntPtr(-1), ProcessInfoClass, out ProcessInfo, nSize, out ReturnLength);`
`509`		`- FreeCode(Syscall);`
`510`	`533`	`return Result;`
`511`	`534`	`}`
`512`		`- catch`
	`535`	`+ finally`
`513`	`536`	`{`
`514`	`537`	`FreeCode(Syscall);`
`515`	`538`	`}`
`@@ -528,10 +551,9 @@ public static uint SyscallNtQueryInformationProcess(uint ProcessInfoClass, out I`
`528`	`551`	`{`
`529`	`552`	`SysNtQueryInformationProcess2 Executed = (SysNtQueryInformationProcess2)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationProcess2));`
`530`	`553`	`uint Result = Executed(new IntPtr(-1), ProcessInfoClass, out ProcessInfo, nSize, ReturnLength);`
`531`		`- FreeCode(Syscall);`
`532`	`554`	`return Result;`
`533`	`555`	`}`
`534`		`- catch`
	`556`	`+ finally`
`535`	`557`	`{`
`536`	`558`	`FreeCode(Syscall);`
`537`	`559`	`}`
`@@ -550,10 +572,9 @@ public static uint SyscallNtQueryInformationProcess(uint ProcessInfoClass, ref S`
`550`	`572`	`{`
`551`	`573`	`SysNtQueryInformationProcess3 Executed = (SysNtQueryInformationProcess3)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationProcess3));`
`552`	`574`	`uint Result = Executed(new IntPtr(-1), ProcessInfoClass, ref ProcessInfo, nSize, ReturnLength);`
`553`		`- FreeCode(Syscall);`
`554`	`575`	`return Result;`
`555`	`576`	`}`
`556`		`- catch`
	`577`	`+ finally`
`557`	`578`	`{`
`558`	`579`	`FreeCode(Syscall);`
`559`	`580`	`}`
`@@ -570,7 +591,6 @@ public static bool SyscallNtClose(IntPtr Handle)`
`570`	`591`	`{`
`571`	`592`	`SysNtClose Executed = (SysNtClose)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtClose));`
`572`	`593`	`bool Result = Executed(Handle);`
`573`		`- FreeCode(Syscall);`
`574`	`594`	`return Result;`
`575`	`595`	`}`
`576`	`596`	`finally`
`@@ -591,10 +611,9 @@ public static uint SyscallNtQuerySystemInformation(uint SystemInformationClass,`
`591`	`611`	`{`
`592`	`612`	`SysNtQuerySystemInformation Executed = (SysNtQuerySystemInformation)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQuerySystemInformation));`
`593`	`613`	`uint Result = Executed(SystemInformationClass, ref SystemInformation, SystemInformationLength, out ReturnLength);`
`594`		`- FreeCode(Syscall);`
`595`	`614`	`return Result;`
`596`	`615`	`}`
`597`		`- catch`
	`616`	`+ finally`
`598`	`617`	`{`
`599`	`618`	`FreeCode(Syscall);`
`600`	`619`	`}`
`@@ -612,10 +631,9 @@ public static uint SyscallNtQuerySystemInformation(uint SystemInformationClass,`
`612`	`631`	`{`
`613`	`632`	`SysNtQuerySystemInformation2 Executed = (SysNtQuerySystemInformation2)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQuerySystemInformation2));`
`614`	`633`	`uint Result = Executed(SystemInformationClass, ref SystemInformation, SystemInformationLength, out ReturnLength);`
`615`		`- FreeCode(Syscall);`
`616`	`634`	`return Result;`
`617`	`635`	`}`
`618`		`- catch`
	`636`	`+ finally`
`619`	`637`	`{`
`620`	`638`	`FreeCode(Syscall);`
`621`	`639`	`}`
`@@ -633,10 +651,9 @@ public static uint SyscallNtQuerySystemInformation(uint SystemInformationClass,`
`633`	`651`	`{`
`634`	`652`	`SysNtQuerySystemInformation3 Executed = (SysNtQuerySystemInformation3)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQuerySystemInformation3));`
`635`	`653`	`uint Result = Executed(SystemInformationClass, ref SystemInformation, SystemInformationLength, out ReturnLength);`
`636`		`- FreeCode(Syscall);`
`637`	`654`	`return Result;`
`638`	`655`	`}`
`639`		`- catch`
	`656`	`+ finally`
`640`	`657`	`{`
`641`	`658`	`FreeCode(Syscall);`
`642`	`659`	`}`
`@@ -654,10 +671,9 @@ public static uint SyscallNtQueryVirtualMemory(IntPtr ProcessHandle, IntPtr Base`
`654`	`671`	`{`
`655`	`672`	`SysNtQueryVirtualMemory Executed = (SysNtQueryVirtualMemory)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryVirtualMemory));`
`656`	`673`	`uint Result = Executed(ProcessHandle, BaseAddress, MemoryInformationClass, ref MemoryInformation, MemoryInformationLength, out ReturnLength);`
`657`		`- FreeCode(Syscall);`
`658`	`674`	`return Result;`
`659`	`675`	`}`
`660`		`- catch`
	`676`	`+ finally`
`661`	`677`	`{`
`662`	`678`	`FreeCode(Syscall);`
`663`	`679`	`}`
`@@ -674,10 +690,9 @@ public static int SyscallNtQueryInformationThread(IntPtr ThreadHandle, int Threa`
`674`	`690`	`{`
`675`	`691`	`SysNtQueryInformationThread Executed = (SysNtQueryInformationThread)Marshal.GetDelegateForFunctionPointer(Syscall, typeof(SysNtQueryInformationThread));`
`676`	`692`	`int Result = Executed(ThreadHandle, ThreadInformationClass, ref ThreadInformation, ThreadInformationLength, ReturnLength);`
`677`		`- FreeCode(Syscall);`
`678`	`693`	`return Result;`
`679`	`694`	`}`
`680`		`- catch`
	`695`	`+ finally`
`681`	`696`	`{`
`682`	`697`	`FreeCode(Syscall);`
`683`	`698`	`}`