I saw a method that used DeviceIoControlFile to spoof this value, in a program that required that serial number.

Here is the spoofing part:

/* ATA command byte for IDENTIFY DEVICE; compared against bCommandReg in the hook. */
#define ATA_IDENTIFY_DEVICE 0xec
/*
 * Layout of the IDENTIFY DEVICE reply: 256 16-bit words (512 bytes) in
 * total, with the named string fields placed at their ATA word indices.
 * The wordsNNN_MMM members only pad to the next index of interest.
 * #pragma pack(1) is what keeps those offsets exact; without it the
 * compiler could insert alignment padding after the char arrays.
 * The string members are fixed-width buffers; nothing in this layout
 * guarantees a NUL terminator inside them.
 */
#pragma pack(1)
struct ata_identify_device {
    unsigned short words000_009[10];   /* words 0-9 */
    unsigned char serial_no[20];       /* words 10-19, 20 bytes */
    unsigned short words020_022[3];    /* words 20-22 */
    unsigned char fw_rev[8];           /* words 23-26, 8 bytes */
    unsigned char model[40];           /* words 27-46, 40 bytes */
    unsigned short words047_079[33];   /* words 47-79 */
    unsigned short major_rev_num;      /* word 80 */
    unsigned short minor_rev_num;      /* word 81 */
    unsigned short command_set_1;      /* word 82 */
    unsigned short command_set_2;      /* word 83 */
    unsigned short command_set_extension; /* word 84 */
    unsigned short cfs_enable_1;       /* word 85 */
    unsigned short word086;            /* word 86 */
    unsigned short csf_default;        /* word 87 */
    unsigned short words088_255[168];  /* words 88-255 */
};
/* Restore the default packing for whatever is declared after this. */
#pragma pack()
 
/*
 * Saved address of the original NtDeviceIoControlFile, declared with the
 * same prototype as the export so MyNtDeviceIoControlFile can forward
 * every call through it. Nothing in this excerpt assigns it: whatever
 * installs the hook must fill it in first, because the hook calls through
 * this pointer unconditionally and never checks it for NULL.
 * IN/OUT/OPTIONAL are annotation macros only; they do not change the type.
 */
NTSTATUS
(*pNtDeviceIoControlFile)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);
/*
 * Hook body that stands in for NtDeviceIoControlFile.
 *
 * Forwards the call to the saved original first and then, for two storage
 * control codes, rewrites identity strings inside the buffer the original
 * just filled:
 *   IOCTL_STORAGE_QUERY_PROPERTY  serial number, product id, vendor id
 *   SMART_RCV_DRIVE_DATA          ATA IDENTIFY model and serial_no fields
 * Every other control code passes through untouched, and the original's
 * NTSTATUS is returned unchanged in all cases.
 *
 * Review notes on the code as written:
 *   - `ret` is never examined and OutputBuffer is never tested for NULL
 *     before it is dereferenced; a failed call leaves the hook reading and
 *     writing an invalid or unfilled buffer inside the host process.
 *     NOTE(review): an asynchronous request (Event/ApcRoutine supplied)
 *     presumably returns before the buffer is complete as well - confirm.
 *   - OutputBufferLength is never consulted; the *Offset fields read back
 *     from the buffer are trusted as-is.
 *   - The IOCTL_STORAGE_QUERY_PROPERTY branch never looks at the PropertyId
 *     in InputBuffer; the cast assumes a StorageDeviceProperty query.
 *   - The installer is not shown; presumably it redirects the ntdll export
 *     inside the process. Integrity checks on the export table and on the
 *     export's first bytes, or comparing the value with one obtained via
 *     an independent path, are the usual ways such hooks are detected.
 */
NTSTATUS
MyNtDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
)
{
    /* Let the real call run first; everything below edits what it returned. */
    NTSTATUS ret = pNtDeviceIoControlFile( FileHandle, Event, ApcRoutine,
        ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength,
        OutputBuffer, OutputBufferLength );
    switch( IoControlCode ) {
    case IOCTL_STORAGE_QUERY_PROPERTY: {
        /* Neither ret nor OutputBuffer is validated before this cast. */
        PSTORAGE_DEVICE_DESCRIPTOR output = (PSTORAGE_DEVICE_DESCRIPTOR) OutputBuffer;
        /*
         * Each *Offset is a byte offset from the start of the descriptor;
         * zero means the field is absent. strncpy is bounded by the length
         * of the string already there, so a longer replacement is cut to
         * fit and a shorter one is NUL-padded; the existing terminator is
         * left untouched. None of this is checked against OutputBufferLength.
         */
        if( output->SerialNumberOffset ) {
            char* serialnum = (char*)output + output->SerialNumberOffset;
            strncpy( serialnum, "FAKE SERIAL", strlen(serialnum) );
        }
        if( output->ProductIdOffset ) {
            char* productid = (char*)output + output->ProductIdOffset;
            strncpy( productid, "STUPID PB", strlen(productid) );
        }
        if( output->VendorIdOffset ) {
            char* vendorid = (char*)output + output->VendorIdOffset;
            strncpy( vendorid, "asdfghjkl", strlen(vendorid) );
        }
    }
    break;
    case SMART_RCV_DRIVE_DATA: {
        /* InputBuffer and OutputBuffer are likewise cast without a NULL check. */
        PSENDCMDINPARAMS input = (PSENDCMDINPARAMS) InputBuffer;
        PSENDCMDOUTPARAMS output = (PSENDCMDOUTPARAMS) OutputBuffer;
        /* Only replies to the IDENTIFY DEVICE command byte are touched. */
        if (input->irDriveRegs.bCommandReg == ATA_IDENTIFY_DEVICE) {
            /* bBuffer is treated as the 512-byte IDENTIFY data; see struct ata_identify_device. */
            struct ata_identify_device *hdid = (struct ata_identify_device*) (output->bBuffer);
            /*
             * Bounded to the field widths (40 and 20), so nothing spills past
             * the field; the shorter literals leave the remainder NUL-filled.
             * The fields are unsigned char arrays passed where strncpy takes
             * char*, which draws a pointer-sign warning under -Wextra.
             */
            strncpy( hdid->model, "spoofed model!", 40 );
            strncpy( hdid->serial_no, "serial goes here", 20 );
        }
    }
    break;
    /* No default: any other control code falls through unchanged. */
    }
    return ret;
}
