Fooling Windows about its internal CPU

In this post, I’m gonna show you how you can fool windows about its internal structure and sometimes give it wrong information about its internal capabilities or internal information which can bring you a lot of fun. (At least for me !)
But don’t do that it can hurt your system actually but this post is about how to change CPU Capacity measurement of Windows and see its result in user-mode programs.
There is a good article here which gives you lots of information. I recommend seeing all its structures before start reading rest of this post.
Ok, As you know windows contains lots of structures which stores its internal information about the system which is running on and almost all of this information can be found by using NtQuerySystemInformation and you can see all about it on MSDN (In the future post I will give you more details about this function.)
I’m gonna use nt!_KPCR and Code Machine describes it well :


KPCR represents the Kernel Processor Control Region. The KPCR contains per-CPU information which is shared by the kernel and the HAL. There are as many KPCR in the system as there are CPUs.
The KPCR of the current CPU is always accessible at fs:[0] on the x86 systems and gs:[0] on x64 systems. Commonly used kernel functions like PsGetCurrentProcess() and KeGetCurrentThread() retrieve information from the KPCR using the FS/GS relative accesses.
The Prcb field contains an embedded KPRCB structure that represents the Kernel Processor Control Block.
The debugger’s “!pcr” command displays partial contents of the PCR.
You can see all Windbg gives to you from Windows symbols :

There are lots of great information about Idt , IRQL in the above structure so it must be an important one!
Look at the last one, which is Prcb!
Mark Russinovich in Windows Internals wrote “The PCR and PRCB contain information about the state of each processor in the system such as current IRQL, a pointer to the hardware Idt, the currently running thread, and the next thread selected to run. The kernel and the HAL use this information to perform architecture-specific and machine-specific actions.”.
So all we need is seeing what we can do with such a structure. Let me show you the result of windbg symbols.

Looking at the above structure shows a lot of great information about the system processor.You can find something like Current and Next Thread _KTHREAD, all information about CPU like type and capacity and manufacture company, DPC, Cycles, User-mode and Kernel-mode times and etc.
By the way, you now know that windows stores some of its internal information about CPU in nt!_PRCB and you should know find where this structure is located, I’m running an AMD64 version of Windows so it’s time to use gs:[0] in order to get the location of nt!_KPCR structure.
By using the following command you can get gs:[0] values :
dq gs:[0]
you can also use !pcr which gives you almost the same result 🙂

So, now we have where the _KPCR is located and now we should simply use :

And after finding the pcrb now we should use dt in order to map the result into the _kpcrb structure.

If you want to be sure that you are in a right place you can search for Vendor string as follows :

It gives you kinds of hex which is equal to “GenuineIntel” and this is, of course, my CPU vendor.

After this, we know that we are in a right place so let see other fields in order to find something interesting!
After studying this structure now I see something that is so familiar to me and that is “Mhz”.

Can you see my CPU’s Mhz value ?!  Let me see my windows properties.

Ok, this is what we see previously, Doesn’t it ?!

This value (2.71 GHz) exactly equals to 0xA98 so changing this value must be interesting.
I find this value and changing it to 0x10 which is equal to 16 in decimal.

So we modified the value from 0x98 to 0x10 and now we want to see if it takes effect in system information or not, so let’s view system properties again.

That’s it, guys!
You can see we changed windows properties and now it says that you have a 16 Mhz CPU.Of course, this was an example of what we can do with prcb and it doesn’t affect on windows but you can do many other things by modifying this structure like changing threads or block a thread but keep in mind that editing this structure in a wrong way almost always causes the Blue Screen Of Dead.
Thanks for reading.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.