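# Copyright (C) 2018-2019, Stefan Kanthak
# * The software is provided "as is" without any warranty, neither express
# nor implied.
# In no event will the author be held liable for any damage(s) arising
# from the use of the software.
# * Redistribution of the software is allowed only in unmodified form.
# * Permission is granted to use the software solely for personal private
# and non-commercial purposes.
# * An individuals use of the software in his or her capacity or function
# as an agent, (independent) contractor, employee, member or officer of
# a business, corporation or organization (commercial or non-commercial)
# does not qualify as personal private and non-commercial purpose.
# * Without written approval from the author the software must not be used
# for a business, for commercial, corporate, governmental, military or
# organizational purposes of any kind, or in a commercial, corporate,
# governmental, military or organizational environment of any kind.

# NMAKE makefile with the C and resource-script sources embedded as inline
# files.  The program asks the kernel, through NtQuerySystemInformation(),
# whether the Meltdown (KVA shadow) and Spectre (speculation control)
# mitigations are active and shows the answer in two message boxes.
#
# NOTE(review): this copy appears to have lost the text that sat between angle
# brackets: the inline-file markers survive only as a lone "<", the #include
# lines carry no header names, the manifest XML is reduced to its line breaks,
# and the rule that compiles and links BTI_RDCL.EXE is not visible.  The
# trailing hex line looks like the tail of a DOS stub dump (compare
# BTI_RDCL.DOS in the clean target).  Those spots are kept as found, not
# reconstructed.

.SUFFIXES:

# Run the freshly built checker.
test: BTI_RDCL.EXE
	"$(MAKEDIR)\BTI_RDCL.EXE"

# Authenticode-sign the executable.  The active command passes no /FD, so the
# file digest is whatever this SIGNTOOL.EXE defaults to (SHA-1 on older SDK
# releases -- TODO confirm for the SDK in use).  The commented-out command
# appends (/AS) a second signature with SHA-256 file and timestamp digests.
# NOTE(review): that second command pairs /TR (RFC 3161) with the same URL the
# first one hands to /T (legacy Authenticode timestamping); verify that the
# endpoint answers RFC 3161 requests before enabling it.
sign: BTI_RDCL.EXE
	SIGNTOOL.EXE Sign /A /D "Meltdown, Spectre and Spectre-NG Update Check Utility" /DU "https://skanthak.homepage.t-online.de/gimmick.html" /T "http://timestamp.verisign.com/scripts/timstamp.dll" /V $**
#	SIGNTOOL.EXE Sign /AS /D "Meltdown, Spectre and Spectre-NG Update Check Utility" /DU "https://skanthak.homepage.t-online.de/gimmick.html" /FD SHA256 /TD SHA256 /TR "http://timestamp.verisign.com/scripts/timstamp.dll" /V $**

# Remove the final executable as well as the intermediates.
clobber: clean
	Erase BTI_RDCL.EXE

# Remove the intermediate build products.
clean:
	Erase BTI_RDCL.EXP BTI_RDCL.LIB BTI_RDCL.TMP
	Erase BTI_RDCL.DOS BTI_RDCL.OBJ BTI_RDCL.RES

# Turn the stub object into an import library whose module name is NTDLL and
# which exports exactly the two routines the program imports.
BTI_RDCL.LIB: BTI_RDCL.TMP
	LINK.EXE /LIB /DEF /EXPORT:NtQuerySystemInformation /EXPORT:RtlNtStatusToDosError /NAME:NTDLL /NODEFAULTLIB /NOLOGO /OUT:$@ BTI_RDCL.TMP

# Compile the two stub functions below into the object the rule above consumes.
# Presumably only their names and __stdcall argument sizes matter for the
# import library; the "return 0" bodies are placeholders.
BTI_RDCL.TMP: BTI_RDCL.MAK
	CL.EXE /c /Fo$@ /nologo /Tc<< /W4 /wd4100 /Zl
// Copyright (C) 2018-2019, Stefan Kanthak

__declspec(dllexport)
long __stdcall NtQuerySystemInformation(long _1, void *_2, long _3, void *_4)
{
    return 0;
}

__declspec(dllexport)
long __stdcall RtlNtStatusToDosError(long _1)
{
    return 0;
}
<
#pragma comment(compiler)
#pragma comment(user, __TIMESTAMP__)

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

// NOTE(review): the header name is missing in this listing.
#include

extern const IMAGE_DOS_HEADER __ImageBase;

// https://msdn.microsoft.com/en-us/library/cc231200.aspx
// https://msdn.microsoft.com/en-us/library/cc704588.aspx

// The NTSTATUS values named in the message texts; every 0xCxxxxxxx value is
// negative when viewed as a signed 32-bit integer, which is what the "< 0"
// tests below rely on.
typedef enum _NTSTATUS
{
    STATUS_SUCCESS              = 0x00000000,
    STATUS_UNSUCCESSFUL         = 0xC0000001,
    STATUS_NOT_IMPLEMENTED      = 0xC0000002,
    STATUS_INVALID_INFO_CLASS   = 0xC0000003,
    STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
} NTSTATUS;

// https://msdn.microsoft.com/en-us/library/ms680600.aspx

__declspec(dllimport)
DWORD NTAPI RtlNtStatusToDosError(NTSTATUS Status);

// The two information classes this program queries.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemKernelVaShadowInformation     = 196,
    SystemSpeculationControlInformation = 201
} SYSTEM_INFORMATION_CLASS;

// https://msdn.microsoft.com/en-us/library/ms724509.aspx

__declspec(dllimport)
NTSTATUS NTAPI NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                        LPVOID SystemInformation,
                                        DWORD SystemInformationLength,
                                        LPDWORD ReturnLength);

// https://msdn.microsoft.com/en-us/library/f9t8842e.aspx

// Process entry point.
//
// Queries SystemKernelVaShadowInformation and then
// SystemSpeculationControlInformation, formats each answer (or the failing
// NTSTATUS) into szBuffer and shows it with MessageBoxIndirect().  The process
// exits with a Win32 error code; because the second step always assigns
// dwError, the exit code reflects the speculation-control step only.
//
// The one-line summaries are derived from a single flag each
// (KvaShadowEnabled, BpbEnabled, SpeculativeStoreBypassDisabledSystemWide);
// the detail lines show the remaining flags and should be read before a
// "not enabled" summary is treated as a finding.
VOID WINAPI wWinMainCRTStartup(VOID)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;

#pragma warning(disable: 4214)
    // https://msdn.microsoft.com/en-us/library/ms724509.aspx

    // Bit layout of the 32-bit answer to SystemKernelVaShadowInformation.
    struct
    {
        DWORD KvaShadowEnabled : 1;     // Kernel Virtual Address Shadowing enabled
        DWORD KvaShadowUserGlobal : 1;  // Kernel Virtual Address Shadowing enabled on user pages marked global
        DWORD KvaShadowPcid : 1;        // PCID support (Westmere and later)
        DWORD KvaShadowInvpcid : 1;     // INVPCID support (Haswell and later)
        DWORD KvaShadowRequired : 1;
        DWORD KvaShadowRequiredAvailable : 1;
        DWORD InvalidPteBit : 6;
        DWORD L1DataCacheFlushSupported : 1;
        DWORD L1TerminalFaultMitigationPresent : 1;
        DWORD Reserved : 18;
    } KvaShadowFlags;

    // Bit layout of the 32-bit answer to SystemSpeculationControlInformation.
    struct
    {
        DWORD BpbEnabled : 1;                   // Branch target injection protection enabled
        DWORD BpbDisabledSystemPolicy : 1;      // PolicyOverride/PolicyOverrideMask registry setting
        DWORD BpbDisabledNoHardwareSupport : 1; // Microcode update not installed
        DWORD SpecCtrlEnumerated : 1;           // IA32_SPEC_CTRL MSR support
        DWORD SpecCmdEnumerated : 1;            // IA32_PRED_CMD MSR support (IBPB)
        DWORD IbrsPresent : 1;                  // IBRS support (Indirect Branch Restricted Speculation)
        DWORD StibpPresent : 1;                 // STIBP support (Single Thread Indirect Branch Predictors)
        DWORD SmepPresent : 1;                  // SMEP support (Supervisor-Mode Execution Prevention)
        DWORD SpeculativeStoreBypassDisableAvailable : 1;
        DWORD SpeculativeStoreBypassDisableSupported : 1;
        DWORD SpeculativeStoreBypassDisabledSystemWide : 1;
        DWORD SpeculativeStoreBypassDisabledKernel : 1;
        DWORD SpeculativeStoreBypassDisableRequired : 1;
        DWORD BpbDisabledKernelToUser : 1;
        DWORD SpecCtrlRetpolineEnabled : 1;
        DWORD SpecCtrlImportOptimizationEnabled : 1;
        DWORD Reserved : 16;
    } SpeculationControlFlags;
#pragma warning(default: 4214)

    DWORD dwError = ERROR_SUCCESS;
    INT niBuffer = 0;
    // wsprintf() writes at most 1024 characters; one more for the terminator.
    WCHAR szBuffer[1025];

    // https://msdn.microsoft.com/en-us/library/ms645402.aspx
    // https://msdn.microsoft.com/en-us/library/ms648029.aspx
    // https://msdn.microsoft.com/en-us/library/dd373908.aspx

    // BUG: if MB_DEFAULT_DESKTOP_ONLY is set, MessageBoxIndirect()
    //      displays no icon and fails with access violation when
    //      caption or text are specified as resources!

    // Shared message-box description: text is filled in per step, the caption
    // and icon resource start out as the Meltdown ones.
    MSGBOXPARAMS mbp = {sizeof(MSGBOXPARAMS),
                        HWND_DESKTOP,
                        (HINSTANCE) &__ImageBase,
                        NULL,
                        L"\'Meltdown\' (CVE-2017-5754 [Rogue Data Cache Load])",
                        MB_USERICON | MB_OK,
                        MAKEINTRESOURCE(1),
                        (DWORD_PTR) NULL,
                        (MSGBOXCALLBACK) NULL,
                        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT)};

    // ---- Step 1: Meltdown / kernel VA shadowing ----

    // https://msdn.microsoft.com/en-us/library/ms724509.aspx

    if ((ntStatus = NtQuerySystemInformation(SystemKernelVaShadowInformation,
                                             &KvaShadowFlags,
                                             sizeof(KvaShadowFlags),
                                             (LPDWORD) NULL)) < 0)
        // https://msdn.microsoft.com/en-us/library/ms647550.aspx

        // Query rejected: report the status; KvaShadowFlags was not filled in
        // and is not read on this path.
        niBuffer = wsprintf(szBuffer,
                            L"NtQuerySystemInformation(SystemKernelVaShadowInformation) returned status 0x%08lX\n"
                            L"\n"
                            L"Summary information:\n"
                            L"\tMitigation for \'Meltdown\' (CVE-2017-5754 [Rogue Data Cache Load]) is not installed!\n"
                            L"\n"
                            L"Notes:\t0xC0000002 (STATUS_NOT_IMPLEMENTED) indicates that security update KB405689x is installed, but does not support this information request!\n"
                            L"\t0xC0000003 (STATUS_INVALID_INFO_CLASS) indicates that security update KB405689x is not installed!\n",
                            ntStatus);
    else
        // https://msdn.microsoft.com/en-us/library/ms647550.aspx

        // NOTE(review): the summary looks only at KvaShadowEnabled.  When
        // KvaShadowRequiredAvailable is set and KvaShadowRequired is clear the
        // kernel is presumably reporting that shadowing is not needed on this
        // processor, so "not enabled" is then not necessarily a finding --
        // confirm against the detail lines.
        niBuffer = wsprintf(szBuffer,
                            L"NtQuerySystemInformation(SystemKernelVaShadowInformation) returned status 0x%08lX\n"
                            L"\n"
                            L"Summary information:\n"
                            L"\tMitigation for \'Meltdown\' (CVE-2017-5754 [Rogue Data Cache Load]) is%ls enabled!\n"
                            L"\n"
                            L"Detail information:\n"
                            L"\tKvaShadowFlags = 0x%08lX\n"
                            L"\t%lc\tKvaShadowEnabled\n"
                            L"\t\t(Mitigation enabled by Windows)\n"
                            L"\t%lc\tKvaShadowUserGlobal\n"
                            L"\t%lc\tKvaShadowPcid\n"
                            L"\t\t(Processor supports PCID feature)\n"
                            L"\t%lc\tKvaShadowInvpcid\n"
                            L"\t\t(Processor supports INVPCID instruction)\n"
                            L"\t%lc\tKvaShadowRequired\n"
                            L"\t%lc\tKvaShadowRequiredAvailable\n"
                            L"\t%lc\tL1DataCacheFlushSupported\n"
                            L"\t%lc\tL1TerminalFaultMitigationPresent\n",
                            ntStatus,
                            KvaShadowFlags.KvaShadowEnabled ? L"" : L" not",
                            *(LPDWORD) &KvaShadowFlags,     // raw 32-bit view of the bit-field
                            L'0' + KvaShadowFlags.KvaShadowEnabled,
                            L'0' + KvaShadowFlags.KvaShadowUserGlobal,
                            L'0' + KvaShadowFlags.KvaShadowPcid,
                            L'0' + KvaShadowFlags.KvaShadowInvpcid,
                            L'0' + KvaShadowFlags.KvaShadowRequired,
                            L'0' + KvaShadowFlags.KvaShadowRequiredAvailable,
                            L'0' + KvaShadowFlags.L1DataCacheFlushSupported,
                            L'0' + KvaShadowFlags.L1TerminalFaultMitigationPresent);

    // A length of 0 is treated as "formatting failed".
    if (niBuffer == 0)
        dwError = GetLastError();
    else
    {
        szBuffer[niBuffer] = L'\0';

        mbp.lpszText = szBuffer;
    //  mbp.lpszCaption = L"\'Meltdown\' (CVE-2017-5754 [Rogue Data Cache Load])";
    //  mbp.lpszIcon = MAKEINTRESOURCE(1);

        // https://msdn.microsoft.com/en-us/library/ms645511.aspx

        if (MessageBoxIndirect(&mbp) == 0)
            dwError = GetLastError();
        else
            // https://msdn.microsoft.com/en-us/library/ms680600.aspx

            dwError = RtlNtStatusToDosError(ntStatus);
    }

    // ---- Step 2: Spectre / speculation control ----

    // https://msdn.microsoft.com/en-us/library/ms724509.aspx

    if ((ntStatus = NtQuerySystemInformation(SystemSpeculationControlInformation,
                                             &SpeculationControlFlags,
                                             sizeof(SpeculationControlFlags),
                                             (LPDWORD) NULL)) < 0)
        // https://msdn.microsoft.com/en-us/library/ms647550.aspx

        // Query rejected: SpeculationControlFlags is not read on this path.
        niBuffer = wsprintf(szBuffer,
                            L"NtQuerySystemInformation(SystemSpeculationControlInformation) returned status 0x%08lX\n"
                            L"\n"
                            L"Summary information:\n"
                            L"\tMitigation for \'Spectre\' (CVE-2017-5715 [Branch Target Injection], CVE-2017-5753 [Bounds Check Bypass]) and \'Spectre-NG\' (CVE-2018-3639 [Speculative Store Bypass], CVE-2018-3640 [Rogue System Register Read]) is not installed!\n"
                            L"\n"
                            L"Notes:\t0xC0000002 (STATUS_NOT_IMPLEMENTED) indicates that security update KB405689x is installed, but does not support this information request!\n"
                            L"\t0xC0000003 (STATUS_INVALID_INFO_CLASS) indicates that security update KB405689x is not installed!\n",
                            ntStatus);
    else
        // https://msdn.microsoft.com/en-us/library/ms647550.aspx

        // The "Variant 2" summary follows BpbEnabled and the "Variant 4"
        // summary follows SpeculativeStoreBypassDisabledSystemWide; the
        // BpbDisabled* and Ssbd* detail lines say why a mitigation is off.
        // The MSR behind SpecCmdEnumerated is named IA32_PRED_CMD, as in the
        // bit-field comment above.
        niBuffer = wsprintf(szBuffer,
                            L"NtQuerySystemInformation(SystemSpeculationControlInformation) returned status 0x%08lX\n"
                            L"\n"
                            L"Summary information:\n"
                            L"\tMitigation for \'Variant 2\' (CVE-2017-5715 [Branch Target Injection]) is%ls enabled!\n"
                            L"\tMitigation for \'Variant 4\' (CVE-2018-3639 [Speculative Store Bypass]) is%ls enabled!\n"
                            L"\n"
                            L"Detail information:\n"
                            L"\tSpeculationControlFlags = 0x%08lX\n"
                            L"\t%lc\tBpbEnabled\n"
                            L"\t\t(Mitigation enabled by Windows)\n"
                            L"\t%lc\tBpbDisabledSystemPolicy\n"
                            L"\t\t(Mitigation disabled via Registry)\n"
                            L"\t%lc\tBpbDisabledNoHardwareSupport\n"
                            L"\t\t(Microcode update missing)\n"
                            L"\t%lc\tSpecCtrlEnumerated\n"
                            L"\t\t(Processor supports IA32_SPEC_CTRL MSR)\n"
                            L"\t%lc\tSpecCmdEnumerated\n"
                            L"\t\t(Processor supports IA32_PRED_CMD MSR)\n"
                            L"\t%lc\tIbrsPresent\n"
                            L"\t\t(Processor supports IBRS feature)\n"
                            L"\t%lc\tStibpPresent\n"
                            L"\t\t(Processor supports STIBP feature)\n"
                            L"\t%lc\tSmepPresent\n"
                            L"\t\t(Processor supports SMEP feature)\n"
                            L"\t%lc\tSsbdAvailable\n"
                            L"\t%lc\tSsbdSupported\n"
                            L"\t%lc\tSsbdSystemWide\n"
                            L"\t%lc\tSsbdKernel\n"
                            L"\t%lc\tSsbdRequired\n"
                            L"\t%lc\tBpbDisabledKernelToUser\n"
                            L"\t%lc\tSpecCtrlRetpolineEnabled\n"
                            L"\t%lc\tSpecCtrlImportOptimizationEnabled\n",
                            ntStatus,
                            SpeculationControlFlags.BpbEnabled ? L"" : L" not",
                            SpeculationControlFlags.SpeculativeStoreBypassDisabledSystemWide ? L"" : L" not",
                            *(LPDWORD) &SpeculationControlFlags,    // raw 32-bit view of the bit-field
                            L'0' + SpeculationControlFlags.BpbEnabled,
                            L'0' + SpeculationControlFlags.BpbDisabledSystemPolicy,
                            L'0' + SpeculationControlFlags.BpbDisabledNoHardwareSupport,
                            L'0' + SpeculationControlFlags.SpecCtrlEnumerated,
                            L'0' + SpeculationControlFlags.SpecCmdEnumerated,
                            L'0' + SpeculationControlFlags.IbrsPresent,
                            L'0' + SpeculationControlFlags.StibpPresent,
                            L'0' + SpeculationControlFlags.SmepPresent,
                            L'0' + SpeculationControlFlags.SpeculativeStoreBypassDisableAvailable,
                            L'0' + SpeculationControlFlags.SpeculativeStoreBypassDisableSupported,
                            L'0' + SpeculationControlFlags.SpeculativeStoreBypassDisabledSystemWide,
                            L'0' + SpeculationControlFlags.SpeculativeStoreBypassDisabledKernel,
                            L'0' + SpeculationControlFlags.SpeculativeStoreBypassDisableRequired,
                            L'0' + SpeculationControlFlags.BpbDisabledKernelToUser,
                            L'0' + SpeculationControlFlags.SpecCtrlRetpolineEnabled,
                            L'0' + SpeculationControlFlags.SpecCtrlImportOptimizationEnabled);

    if (niBuffer == 0)
        dwError = GetLastError();
    else
    {
        szBuffer[niBuffer] = L'\0';

        // Set the text here as well: if formatting failed in step 1,
        // lpszText is still NULL from the initializer and this box would
        // otherwise come up without its report.
        mbp.lpszText = szBuffer;
        mbp.lpszCaption = L"\'Spectre\' (CVE-2017-5715, CVE-2017-5753, CVE-2018-3639 & CVE-2018-3640)";
        mbp.lpszIcon = MAKEINTRESOURCE(2);

        // https://msdn.microsoft.com/en-us/library/ms645511.aspx

        if (MessageBoxIndirect(&mbp) == 0)
            dwError = GetLastError();
        else
            // https://msdn.microsoft.com/en-us/library/ms680600.aspx

            dwError = RtlNtStatusToDosError(ntStatus);
    }

    // https://msdn.microsoft.com/en-us/library/ms682658.aspx

    ExitProcess(dwError);
}
<
#define STRICT
#define WIN32_LEAN_AND_MEAN
#define WINVER 0x0500
#define _WIN32_WINNT 0x0500

// NOTE(review): the three header names are missing in this listing.
#include
#include
#include

#ifdef _WIN32
#pragma code_page(1252)
#endif

LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL

// Icon resources 1 and 2 are the ones the two message boxes select through
// MAKEINTRESOURCE(1) and MAKEINTRESOURCE(2).
1 ICON "MELTDOWN.ICO" // https://meltdownattack.com/favicon.ico
2 ICON "SPECTRE.ICO" // https://spectreattack.com/favicon.ico

// https://msdn.microsoft.com/en-us/library/dn481241.aspx

// Application manifest.
// NOTE(review): the XML inside the string literals below is missing in this
// listing; only line breaks, the product description and the trailing
// per-Windows-version comments remain.
CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST
BEGIN
#ifdef BOM
// https://msdn.microsoft.com/en-us/library/dd374101.aspx
    "\xEF\xBB\xBF"
#endif
// BUG: Windows' module loader fails with STATUS_SXS_CANT_GEN_ACTCTX when
//      valid encoding "US-ASCII", "UTF-7" or "Windows-1252" is specified!
    "\n"
    "\n"
    "\n"
    " \n"
    " \n"
    " \n"
    " \n" // NT 6.0
    " \n" // NT 6.1
    " \n" // NT 6.2
    " \n" // NT 6.3
    " \n" // NT 10
    " \n"
    " \n"
    " Meltdown, Spectre and Spectre-NG Update Check Utility\n"
    " \n"
    " \n"
    " \n"
    " \n"
    " \n"
    " \n"
    " \n"
    "\n"
END

VERSION 0x20190104L

VS_VERSION_INFO VERSIONINFO
FILEFLAGS VS_FF_PRIVATEBUILD | VS_FF_SPECIALBUILD
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
FILEOS VOS_NT_WINDOWS32
FILETYPE VFT_APP
FILESUBTYPE VFT2_UNKNOWN
FILEVERSION 1,0,2,0
PRODUCTVERSION 1,0,2,0
BEGIN
    BLOCK "StringFileInfo"
    BEGIN
#ifdef UNICODE
        BLOCK "040904B0"
#else
        BLOCK "040904E4"
#endif
        BEGIN
            VALUE "Comments", "https://meltdownattack.com/index.html\r\n" "https://spectreattack.com/index.html\0"
            VALUE "CompanyName", "eSKamation\r\n" "https://skanthak.homepage.t-online.de/gimmick.html\0"
            // Rogue System Register Read is CVE-2018-3640, the identifier the
            // message-box texts in the C source use for it.
            VALUE "FileDescription", "Meltdown (CVE-2017-5754 [Rogue Data Cache Load]), Spectre (CVE-2017-5715 [Branch Target Injection], CVE-2017-5753 [Bounds Check Bypass]) and Spectre-NG (CVE-2018-3639 [Speculative Store Bypass], CVE-2018-3640 [Rogue System Register Read]) Update Check Utility\0"
            VALUE "FileVersion", "1.0.2.0\0"
            VALUE "InternalName", "BTI_RDCL\0"
            VALUE "LegalCopyright", "Copyright © 2018-2019, Stefan Kanthak\0"
            VALUE "LegalTrademarks", "\0"
        //  VALUE "OLESelfRegister", "\0"
            VALUE "OriginalFilename", "BTI_RDCL.EXE\0"
            VALUE "PrivateBuild", "NOMSVCRT\0"
            VALUE "ProductName", "Meltdown, Spectre and Spectre-NG Update Check Utility\0"
            VALUE "ProductVersion", "1.0.2.0\0"
            VALUE "SpecialBuild", "Release\0"
        END
    END

    BLOCK "VarFileInfo"
    BEGIN
#ifdef UNICODE
        VALUE "Translation", 0x0409, 1200
#else
        VALUE "Translation", 0x0409, 1252
#endif
    END
END
<
0090 0D 0A 24 0E 1F 33 D2 B4 09 CD 21 B8 01 4C CD 21 .....3....!..L.!
<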