KMSアクティベーションツールのTunMirrorの原則



Tunmirror Principle Kms Activation Tool



記事のディレクトリ

Disclaimer: This article is for technical exchange only, and any legal copyright issues arising therefrom are not responsible, thank you. If you are involved in commercial applications, please buy genuine!

動作原理

Win8.1以降では、要求されたKMSサーバーがローカルで実行されているかどうかがチェックされるため、127.0.0.0 / 24およびローカルNICで監視が失敗します。
バイパスする方法はおおよそ2つあります
1.フックシステム機能
2.仮想ネットワークカードをインストールし、tunmirrorでバイパスします



このコードはTunMirror.exeから逆コンパイルされ、変更されます

  • VPN証明書をインポートし(ドライバーのインストールを求められたときにVPNがサイレントインストールされないようにするため)、OpenVPNをインストールします
  • 対応するIPアドレスを設定し、tunmirrorサービスを開始します
  • tunmirrorエージェントは、対応するネットワークセグメントのローカルポートに要求を送信します。

** OpenVPNインストールパッケージと証明書は、KMSPicoなどのオンラインで見つけることができます



TunMirror
画像

TunTap.cs

using System using System.IO using System.Threading using System.Management using System.Text.RegularExpressions using System.Runtime.InteropServices using Microsoft.Win32.SafeHandles namespace TunMirror { class TunTap { // Fields private static int _bytesRead private static FileStream _tap private static EventWaitHandle _waitObject private static EventWaitHandle _waitObject2 private const uint FileAnyAccess = 0 private const int FileAttributeSystem = 4 private const uint FileDeviceUnknown = 0x22 private const int FileFlagOverlapped = 0x40000000 private const uint MethodBuffered = 0 public string IP public string MASK public TunTap(string ip, string mask) { IP = ip MASK = mask } // Methods [DllImport('Kernel32.dll', CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr CreateFile(string filename, [MarshalAs(UnmanagedType.U4)] FileAccess fileaccess, [MarshalAs(UnmanagedType.U4)] FileShare fileshare, int securityattributes, [MarshalAs(UnmanagedType.U4)] FileMode creationdisposition, int flags, IntPtr template) private static uint CtlCode(uint deviceType, uint function, uint method, uint access) (function << 2)) [DllImport('kernel32.dll', CharSet = CharSet.Auto, SetLastError = true, ExactSpelling = true)] private static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode, IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer, uint nOutBufferSize, out int lpBytesReturned, IntPtr lpOverlapped) private static string GetDeviceGuid() { ManagementObjectSearcher searcher = new ManagementObjectSearcher(@'rootCIMV2', 'SELECT GUID FROM Win32_NetworkAdapter WHERE ServiceName = 'tap0901'') foreach (ManagementObject obj2 in searcher.Get()) { if (obj2['GUID'].ToString() != string.Empty) { return obj2['GUID'].ToString() } } return string.Empty } private static uint TapControlCode(uint request, uint method) { return CtlCode(0x22, request, method, 0) } public static Int32 IPInfoToInt32(string s) { Regex regex = new Regex(@'d+.d+.d+.d+') if (!regex.IsMatch(s)) { Console.WriteLine(String.Format('{0} format is incorrect', s)) Environment.Exit(1) } string[] sList = s.Split('.') Int32 ret = 0 try { for (int i = 0 i < 4 i++) { Int32 j = System.Convert.ToInt32(sList[i]) if (j > 255) { throw new FormatException() } ret += j * (int)Math.Pow(256, i) } } catch (FormatException) { Console.WriteLine(String.Format('{0} format is incorrect', s)) Environment.Exit(1) } return ret } [STAThread] public void ThreadLoop() { int num string deviceGuid = GetDeviceGuid() IntPtr hDevice = CreateFile(@'\.Global' + deviceGuid + '.tap', FileAccess.ReadWrite, FileShare.ReadWrite, 0, FileMode.Open, 0x40000004, IntPtr.Zero) IntPtr ptr = Marshal.AllocHGlobal(4) Marshal.WriteInt32(ptr, 1) // TAP_IOCTL_CONFIG_POINT_TO_POINT = TAP_CONTROL_CODE(5, 0) // TAP_IOCTL_SET_MEDIA_STATUS = TAP_CONTROL_CODE(6, 0) // TAP_IOCTL_CONFIG_TUN = TAP_CONTROL_CODE(10, 0) // #define TAP_WIN_IOCTL_GET_MAC TAP_WIN_CONTROL_CODE (1, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_GET_VERSION TAP_WIN_CONTROL_CODE (2, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_GET_MTU TAP_WIN_CONTROL_CODE (3, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_GET_INFO TAP_WIN_CONTROL_CODE (4, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT TAP_WIN_CONTROL_CODE (5, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_SET_MEDIA_STATUS TAP_WIN_CONTROL_CODE (6, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_CONFIG_DHCP_MASQ TAP_WIN_CONTROL_CODE (7, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_GET_LOG_LINE TAP_WIN_CONTROL_CODE (8, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT TAP_WIN_CONTROL_CODE (9, METHOD_BUFFERED) // #define TAP_WIN_IOCTL_CONFIG_TUN TAP_WIN_CONTROL_CODE (10, METHOD_BUFFERED) // https://gist.github.com/glacjay/586892 // https://bbs.csdn.net/topics/392438702 DeviceIoControl(hDevice, TapControlCode(6, 0), ptr, 4, ptr, 4, out num, IntPtr.Zero) IntPtr ptr3 = Marshal.AllocHGlobal(12) Int32 ip = IPInfoToInt32(IP) Int32 mask = IPInfoToInt32(MASK) Marshal.WriteInt32(ptr3, 0, ip) Marshal.WriteInt32(ptr3, 4, ip & mask) Marshal.WriteInt32(ptr3, 8, mask) DeviceIoControl(hDevice, TapControlCode(10, 0), ptr3, 12, ptr3, 12, out num, IntPtr.Zero) // _tap = new FileStream(hDevice, FileAccess.ReadWrite, true, 0x2710, true) _tap = new FileStream(new SafeFileHandle(hDevice, true), FileAccess.ReadWrite, 0x2710, true) byte[] buffer = new byte[0x2710] object state = 0 _waitObject = new EventWaitHandle(false, EventResetMode.AutoReset) object obj3 = 0 _waitObject2 = new EventWaitHandle(false, EventResetMode.AutoReset) AsyncCallback callback = new AsyncCallback(TunTap.ReadDataCallback) AsyncCallback callback2 = new AsyncCallback(TunTap.WriteDataCallback) while (Thread.CurrentThread.IsAlive) { _tap.BeginRead(buffer, 0, 0x2710, callback, state) _waitObject.WaitOne() string src = String.Format('{0}.{1}.{2}.{3}', buffer[12], buffer[13], buffer[14], buffer[15]) string dst = String.Format('{0}.{1}.{2}.{3}', buffer[16], buffer[17], buffer[18], buffer[19]) string srcPort = String.Format('{0}', Convert.ToInt32(buffer[20]) * 256 + Convert.ToInt32(buffer[21])) string dstPort = String.Format('{0}', Convert.ToInt32(buffer[22]) * 256 + Convert.ToInt32(buffer[23])) for (int i = 0 i < 4 i++) { byte num3 = buffer[12 + i] buffer[12 + i] = buffer[0x10 + i] buffer[0x10 + i] = num3 } Console.WriteLine(String.Format('Data frame {0}: {1} -> {2}: {3} converted to {4}: {5} -> {6}: {7} total {8} bytes', src, srcPort, dst, dstPort, dst, srcPort, src, dstPort, _bytesRead)) _tap.BeginWrite(buffer, 0, _bytesRead, callback2, obj3) _waitObject2.WaitOne() } } public static void ReadDataCallback(IAsyncResult asyncResult) { try { _bytesRead = _tap.EndRead(asyncResult) } catch { } _waitObject.Set() } public static void WriteDataCallback(IAsyncResult asyncResult) { try { _tap.EndWrite(asyncResult) } catch { } _waitObject2.Set() } } }

Program.cs

using System using System.Threading using System.Diagnostics using System.Management namespace TunMirror { class Program { static void Main(string[] args) { Console.Title = 'Leo's TunMirror' Console.ForegroundColor = ConsoleColor.Green if(args.Length != 0 && args.Length != 2 && !(args.Length == 1 && args[0] == '/u')) { Console.WriteLine(@' Usage: TunMirror.exe without any parameters Perform the installation and set the default IP address: 10.3.0.1 Subnet mask: 255.255.255.0 TunMirror.exe IP address Subnet mask EX: TunMirror.exe 192.168.1.1 255.255.255.0 Perform the installation and set the VPN NIC address according to the parameters. TunMirror.exe /u If it detects that the openvpn virtual network card is installed, uninstall it! ') Console.ReadKey() Environment.Exit(0) } if(args.Length == 1 && args[0] == '/u') { UninstallVPN() Environment.Exit(0) } TunTap tun if(args.Length == 2) { tun = new TunTap(args[0], args[1]) } else { tun = new TunTap('10.3.0.1', '255.255.255.0') } // Install VPN and set IP bool bInstalled = IsVPNInstalled() if(!bInstalled) { InstallCert() } InstallVPN(tun.IP, tun.MASK, bInstalled) / / Start the thread Console.WriteLine('Starting the TunMirror service.... ') Thread th = new Thread(tun.ThreadLoop) th.Start() Console.WriteLine('TunMirror service has started... ') Console.ForegroundColor = ConsoleColor.Yellow } public static bool IsVPNInstalled() { ManagementClass objMC = new ManagementClass('Win32_NetworkAdapterConfiguration') ManagementObjectCollection objMCC = objMC.GetInstances() foreach (ManagementObject objMO in objMCC) { if (((string)objMO['Description']).Contains('TAP-Windows')) { return true } } return false } public static void InstallCert() { ProcessStartInfo procInfo = new ProcessStartInfo { FileName = 'certutil', Arguments = '-addstore -f 'TrustedPublisher' '' + Environment.CurrentDirectory + '\TrustTAP.cer'', WorkingDirectory = Environment.CurrentDirectory, CreateNoWindow = true, WindowStyle = ProcessWindowStyle.Hidden } Process ps = new Process { StartInfo = procInfo } Console.WriteLine('Installing certificate:') Console.WriteLine(procInfo.FileName + ' ' + procInfo.Arguments + ' ') try { ps.Start() ps.WaitForExit() } catch { } } public static void UninstallVPN() { ProcessStartInfo procInfo = new ProcessStartInfo { FileName = Environment.GetEnvironmentVariable('SystemDrive') + '\Program Files\TAP-Windows\Uninstall.exe', Arguments = '/S', WorkingDirectory = Environment.GetEnvironmentVariable('SystemDrive') + '\Program Files\TAP-Windows', } Console.WriteLine('Uninstalling VPN...') Process ps = new Process { StartInfo = procInfo } try { ps.Start() ps.WaitForExit() } catch { } } public static void InstallVPN(string ip, string mask, bool bInstall) { if (bInstall) { goto SETIP } ProcessStartInfo procInfo = new ProcessStartInfo { FileName = Environment.CurrentDirectory + '\tap.exe', Arguments = '/S', WorkingDirectory = Environment.CurrentDirectory, } Process ps = new Process { StartInfo = procInfo } Console.WriteLine('Installing OpenVPN Virtual NIC... ') try { ps.Start() ps.WaitForExit() } catch { } Thread.Sleep(4000) // set ip SETIP: Console.WriteLine('Setting IP address for virtual NIC... ') ManagementClass objMC = new ManagementClass('Win32_NetworkAdapterConfiguration') ManagementObjectCollection objMCC = objMC.GetInstances() foreach (ManagementObject objMO in objMCC) { if (((string)objMO['Description']).Contains('TAP-Windows')) { ManagementBaseObject newIP = objMO.GetMethodParameters('EnableStatic') newIP['IPAddress'] = new string[] { ip } newIP['SubnetMask'] = new string[] { mask } objMO.InvokeMethod('EnableStatic', newIP, null) objMO.InvokeMethod('EnableStatic', newIP, null) break } } Thread.Sleep(4000) } } }

仮想NICは10.3.0.1に設定されます
画像

TunMirrorを起動し、アクティベーションコマンドを実行します



画像

画像