1.8.2 merge legacy driver to normal one

Author: NevermindExpress

.vs/TimeDefuser-VS2026.vcxproj.filters

@@ -1,9 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
-    <Filter Include="tdwdm">
-      <UniqueIdentifier>{e79a6596-9c12-4d86-9073-0b0aa23c42a7}</UniqueIdentifier>
-    </Filter>
     <Filter Include="Header Files">
       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>

src/Driver.c

@@ -1,6 +1,5 @@
 #include "TimeDefuser.h"
 
-#ifndef TD_LEGACY
 BOOLEAN PatchExGetExpirationDate(void* pExGetExpirationDate) {
 	PMDL mdl = NULL;
 	unsigned char* map = NULL;
@@ -35,28 +34,25 @@ BOOLEAN PatchExGetExpirationDate(void* pExGetExpirationDate) {
 	IoFreeMdl(mdl);
 	return TRUE;
 }
-#endif
-#define PDRIVER_OBEJCT void* // Unused by TimeDefuser
 
-NTSTATUS DriverEntry(void* DriverObject, PUNICODE_STRING RegistryPath) {
+NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath) {
 	LARGE_INTEGER* li = KUSERSystemExpirationDate; // Address of SystemExpirationDate field at KUSER_SHARED_DATA
 	unsigned long long TimebombStamp = 0;	// Expiration date stamp
 	RTL_PROCESS_MODULES ModuleInfo = { 0 };	// Structure used for getting kernel base address
 	unsigned long long* KernelBase = NULL;	// Kernel Base address
 	ULONG KernelSize = 0;					// Kernel image size
 	//HANDLE hKey = OpenRegistryKey(RegistryPath);
 	HANDLE hKey = 0;
-#ifndef TD_LEGACY
 	unsigned int KernelSize2 = 0;			// Var used in loops as a max value
 	PAGESections ps[5] = { 0 };				// PE sections that name starts with "PAGE"
 	unsigned char* PotentialTimestamp = NULL;// Potential address of ExNtExpirationDate/a
-#endif
+	BOOLEAN Legacy = FALSE;
 
 	// Unrefence unused variables.
 	UNREFERENCED_PARAMETER(DriverObject);
 
 	// Print version info.
-	TDPrint("[*] TimeDefuser: version " td_version td_variant" loaded "
+	TDPrint("[*] TimeDefuser: version " td_version " loaded "
 			"| Compiled on " __DATE__ " " __TIME__ " "
 			"| https://github.com/NevermindExpress/TimeDefuser\n");
 
@@ -68,6 +64,16 @@ NTSTATUS DriverEntry(void* DriverObject, PUNICODE_STRING RegistryPath) {
 	}
 	TDPrint("[+] TimeDefuser: SystemExpirationDate is 0x%llx\n", TimebombStamp);
 
+	// Determine if we are running in a legacy system
+	{
+		int verMajor = 0;
+		PsGetVersion(&verMajor, 0, 0, 0);
+		if (verMajor == 5) {
+			TDPrint("[*] TimeDefuser: Legacy system detected.\n");
+			Legacy = TRUE;
+		}
+	}
+
 	// Get kernel base
 	ZwQuerySystemInformation(SystemModuleInformation, &ModuleInfo, sizeof(ModuleInfo), 0);
 	if (ModuleInfo.NumberOfModules == 0) {
@@ -80,77 +86,75 @@ NTSTATUS DriverEntry(void* DriverObject, PUNICODE_STRING RegistryPath) {
 
 	// Check whether addresses are cached
 	if (hKey) {
-		//if (CompareKernelVersion(hKey)) {
-		if(0) {
-			//// Get cached address offsets for timestamps.
-			////int Stamp1 = RegReadValue(hKey, L"Stamp1", NULL, 0),
-			////	Stamp2 = RegReadValue(hKey, L"Stamp2", NULL, 0);
-
-			//// Zero first timestamp
-			////if (!Stamp1) {
-			//if(1) {
-			//	// No cached address, assume nothing is cached.
-			//	goto patchBeginning;
-			//}
-			//TDPrint("[*] TimeDefuser: Cached addresses are found on registry.\n");
-			//TDPrint("[+] TimeDefuser: Cached ExpNtExpirationDate address 0x%p is used.\n", (unsigned long long*)((char*)KernelBase + Stamp1));
-			//*(unsigned long long*)((char*)KernelBase+Stamp1) = 0;
-			//#ifdef TD_LEGACY
-			//	// On legacy, for some reason, actual timebomb stamp 
-			//	// is the next qword (on XP 2526). We will zero that too.
-			//	*(unsigned long long*)((char*)KernelBase+Stamp1+8) = 0;
-			//#endif
-			//
-			//// Zero second timestamp if available.
-			//if (Stamp2) {
-			//	TDPrint("[+] TimeDefuser: Cached ExpNtExpirationData address 0x%p is used.\n", (char*)KernelBase + Stamp2);
-			//	#ifdef TD_LEGACY
-			//		RtlZeroMemory((char*)KernelBase + Stamp2, 16);
-			//	#else
-			//		*(unsigned long long*)((char*)KernelBase + Stamp2) = 0;
-			//	#endif
-			//}
-
-//#ifndef TD_LEGACY
-			//int Function = RegReadValue(hKey, L"Function", NULL, 0);
-//			TDPrint("[+] TimeDefuser: Cached ExGetExpirationDate function address 0x%p is used.\n", (char*)KernelBase + Function);
-//			if (!PatchExGetExpirationDate((char*)KernelBase + Function))
-//				goto patchFail;
-//#endif
-//			goto patchOK;
+		if (CompareKernelVersion(hKey)) {
+			// Get cached address offsets for timestamps.
+			int Stamp1 = RegReadValue(hKey, L"Stamp1", NULL, 0),
+				Stamp2 = RegReadValue(hKey, L"Stamp2", NULL, 0);
+
+			// Zero first timestamp
+			if (!Stamp1) {
+				// No cached address, assume nothing is cached.
+				goto patchBeginning;
+			}
+			TDPrint("[*] TimeDefuser: Cached addresses are found on registry.\n");
+			TDPrint("[+] TimeDefuser: Cached ExpNtExpirationDate address 0x%p is used.\n", (unsigned long long*)((char*)KernelBase + Stamp1));
+			*(unsigned long long*)((char*)KernelBase+Stamp1) = 0;
+			if(Legacy) {
+				// On legacy, for some reason, actual timebomb stamp 
+				// is the next qword (on XP 2526). We will zero that too.
+				*(unsigned long long*)((char*)KernelBase + Stamp1 + 8) = 0;
+			}
+			
+			// Zero second timestamp if available.
+			if (Stamp2) {
+				TDPrint("[+] TimeDefuser: Cached ExpNtExpirationData address 0x%p is used.\n", (char*)KernelBase + Stamp2);
+				*(unsigned long long*)((char*)KernelBase + Stamp2) = 0;
+				if (Legacy)
+					*(unsigned long long*)((char*)KernelBase + Stamp2 + 8) = 0;
+			}
+
+			if (!Legacy) {
+				int Function = RegReadValue(hKey, L"Function", NULL, 0);
+				TDPrint("[+] TimeDefuser: Cached ExGetExpirationDate function address 0x%p is used.\n", (char*)KernelBase + Function);
+				if (!PatchExGetExpirationDate((char*)KernelBase + Function))
+					goto patchFail;
+			}
+			goto patchOK;
 		}
 		// Kernel version mismatch.
 	}
-//patchBeginning:
+patchBeginning:
 	TDPrint("[*] TimeDefuser: No or mismatching cached addresses are found on registry.\n");
-	//SaveKernelVersion(hKey);
-#ifdef TD_LEGACY
-	// Search for timebomb stamp in memory
-	KernelSize /= sizeof(unsigned __int64);
-	for (unsigned int i = 0; i < KernelSize; i++) {
-		if (KernelBase[i] == TimebombStamp) {
-			TDPrint("[+] TimeDefuser: ExpNtExpirationDate found at 0x%p\n", &KernelBase[i]);
-			KernelBase[i] = 0;
-			// For some reason actual timebomb was the next qword on XP 2526, I'll save this and search for it again.
-			TimebombStamp = KernelBase[i + 1]; // Save the lower part of stamp.
-			KernelBase[i + 1] = 0; // And null where I found it too.
-			RegWriteDword(hKey, L"Stamp1", (ULONG)((unsigned char*)&KernelBase[i] - (unsigned char*)KernelBase));
-			break;
+	SaveKernelVersion(hKey);
+
+	if (Legacy) {
+		// Search for timebomb stamp in memory
+		KernelSize /= sizeof(unsigned __int64);
+		for (unsigned int i = 0; i < KernelSize; i++) {
+			if (KernelBase[i] == TimebombStamp) {
+				TDPrint("[+] TimeDefuser: ExpNtExpirationDate found at 0x%p\n", &KernelBase[i]);
+				KernelBase[i] = 0;
+				// For some reason actual timebomb was the next qword on XP 2526, I'll save this and search for it again.
+				TimebombStamp = KernelBase[i + 1]; // Save the lower part of stamp.
+				KernelBase[i + 1] = 0; // And null where I found it too.
+				RegWriteDword(hKey, L"Stamp1", (ULONG)((unsigned char*)&KernelBase[i] - (unsigned char*)KernelBase));
+				break;
+			}
 		}
-	}
 
-	// Search for the second stamp, ExpNtExpirationData (and not Date)
-	for (unsigned int i = 0; i < KernelSize; i++) {
-		if ((int)KernelBase[i] == (int)TimebombStamp) {
-			TDPrint("[+] TimeDefuser: ExpNtExpirationData found at 0x%p\n", &KernelBase[i]);
-			RtlZeroMemory(&KernelBase[i], 16);
-			RegWriteDword(hKey, L"Stamp2", (ULONG)((unsigned char*)&KernelBase[i] - (unsigned char*)KernelBase));
-			goto patchOK;
+		// Search for the second stamp, ExpNtExpirationData (and not Date)
+		for (unsigned int i = 0; i < KernelSize; i++) {
+			if ((int)KernelBase[i] == (int)TimebombStamp) {
+				TDPrint("[+] TimeDefuser: ExpNtExpirationData found at 0x%p\n", &KernelBase[i]);
+				KernelBase[i] = KernelBase[i + 1] = 0;
+				RegWriteDword(hKey, L"Stamp2", (ULONG)((unsigned char*)&KernelBase[i] - (unsigned char*)KernelBase));
+				goto patchOK;
+			}
 		}
+		// That's all for legacy implementation, get out.
+		goto patchOK;
 	}
-	// That's all for legacy implementation, get out.
 
-#else
 	// Check for PE Header existance.
 	if (*(short*)KernelBase != PEheader) {
 		TDPrint("[X] TimeDefuser: PE Header not found!\n");
@@ -291,8 +295,6 @@ NTSTATUS DriverEntry(void* DriverObject, PUNICODE_STRING RegistryPath) {
 	// No references found so far so we fail.
 	TDPrint("[X] TimeDefuser: could not find ExpTimeRefreshWork!\n");
 
-#endif
-
 patchFail:
 	TDPrint("[X] TimeDefuser: Patch failed.\n");
 	return STATUS_FAILED_DRIVER_ENTRY;

src/TimeDefuser.h

@@ -4,12 +4,7 @@
 #include "tdwdm/wdm.h"
 
 /// Definitions
-#define td_version "1.8.1"
-#ifdef TD_LEGACY
-	#define td_variant " (Legacy)"
-#else
-	#define td_variant ""
-#endif
+#define td_version "1.8.2"
 
 #define SystemModuleInformation 11
 #define PEheader 0x5a4d // MZ

src/TimeDefuser.inf

@@ -11,7 +11,7 @@ Class         = System
 ClassGuid     = {4d36e97d-e325-11ce-bfc1-08002be10318}
 Provider      = %ManufacturerName%
 CatalogFile   = TimeDefuser.cat
-DriverVer     = 01/18/2026,1.8.1
+DriverVer     = 01/18/2026,1.8.2
 PnpLockdown   = 1
 
 [DestinationDirs]
@@ -23,26 +23,18 @@ DefaultDestDir = 12 ; %SystemRoot%\System32\drivers
 [SourceDisksFiles]
 TimeDefuser-x86.sys   = 1
 TimeDefuser-amd64.sys = 1
-TimeDefuser-Legacy-x86.sys   = 1
-TimeDefuser-Legacy-amd64.sys = 1
 
 ;==============================
 ; OS-specific Information
 ;==============================
 [Manufacturer]
-%ManufacturerName% = Standard,NTx86.6.0,NTamd64.6.0,NTx86,NTamd64
-
-[Standard.NTx86.6.0]
-%TimeDefuser.DeviceDesc.x86% = TimeDefuser_Inst_x86, Root\TimeDefuser
-
-[Standard.NTamd64.6.0]
-%TimeDefuser.DeviceDesc.amd64% = TimeDefuser_Inst_amd64, Root\TimeDefuser
+%ManufacturerName% = Standard,NTx86,NTamd64
 
 [Standard.NTx86]
-%TimeDefuser.LDeviceDesc.x86L% = TimeDefuser_Inst_x86_Legacy, Root\TimeDefuser
+%TimeDefuser.LDeviceDesc.x86% = TimeDefuser_Inst_x86, Root\TimeDefuser
 
 [Standard.NTamd64]
-%TimeDefuser.LDeviceDesc.amd64L% = TimeDefuser_Inst_amd64_Legacy, Root\TimeDefuser
+%TimeDefuser.LDeviceDesc.amd64% = TimeDefuser_Inst_amd64, Root\TimeDefuser
 
 ;==============================
 ; x86 Install Sections
@@ -82,44 +74,6 @@ StartType      = 3 ; SERVICE_DEMAND_START
 ErrorControl   = 1 ; SERVICE_ERROR_NORMAL
 ServiceBinary  = %12%\TimeDefuser-amd64.sys
 
-;==============================
-; x86 Legacy Install Sections
-;==============================
-[TimeDefuser_Inst_x86_Legacy]
-CopyFiles = CopyFiles_x86_Legacy
-
-[TimeDefuser_Inst_x86_Legacy.Services]
-AddService = TimeDefuser, 0x00000002, Service_Inst_x86_Legacy
-
-[CopyFiles_x86_Legacy]
-TimeDefuser-Legacy-x86.sys
-
-[Service_Inst_x86_Legacy]
-DisplayName    = %TimeDefuser.SVCDESC%
-ServiceType    = 1  ; SERVICE_KERNEL_DRIVER
-StartType      = 3  ; SERVICE_DEMAND_START
-ErrorControl   = 1  ; SERVICE_ERROR_NORMAL
-ServiceBinary  = %12%\TimeDefuser-x86-Legacy.sys
-
-;==============================
-; amd64 Legacy Install Sections
-;==============================
-[TimeDefuser_Inst_amd64_Legacy]
-CopyFiles = CopyFiles_amd64_Legacy
-
-[TimeDefuser_Inst_amd64_Legacy.Services]
-AddService = TimeDefuser, 0x00000002, Service_Inst_amd64
-
-[CopyFiles_amd64_Legacy]
-TimeDefuser-Legacy-amd64.sys
-
-[Service_Inst_amd64_Legacy]
-DisplayName    = %TimeDefuser.LSVCDESC%
-ServiceType    = 1 ; SERVICE_KERNEL_DRIVER
-StartType      = 3 ; SERVICE_DEMAND_START
-ErrorControl   = 1 ; SERVICE_ERROR_NORMAL
-ServiceBinary  = %12%\TimeDefuser-amd64-Legacy.sys
-
 ;==============================
 ; General Strings
 ;==============================
@@ -128,7 +82,4 @@ ManufacturerName      = "NevermindExpress"
 DiskName              = "TimeDefuser Installation Disk"
 TimeDefuser.DeviceDesc.x86 = "TimeDefuser (x86)"
 TimeDefuser.DeviceDesc.amd64 = "TimeDefuser (AMD64)"
-TimeDefuser.DeviceDesc.x86L = "TimeDefuser (x86 Legacy)"
-TimeDefuser.DeviceDesc.amd64L = "TimeDefuser (AMD64 Legacy)"
-TimeDefuser.SVCDESC    = "TimeDefuser Service"
-TimeDefuser.LSVCDESC    = "TimeDefuser Legacy Service"
+TimeDefuser.SVCDESC    = "TimeDefuser Service"

src/TimeDefuser.rc

@@ -17,9 +17,10 @@
 #include <excpt.h>
 #include <dpfilter.h>
 
-//#undef NTSYSAPI
+#define PDRIVER_OBEJCT void* // Unused by TimeDefuser
+
 #define NTKERNELAPI __declspec(dllimport)
-//#define NTSYSAPI
+
 
 // Definitions
 #define TIMER_TOLERABLE_DELAY_BITS      6
@@ -833,7 +834,7 @@ void* __cdecl memcpy(
 
 
 /// ???
-NTKERNELAPI BOOLEAN PsGetVersion(
+NTKERNELAPI BOOLEAN NTAPI PsGetVersion(
     _Out_opt_ PULONG MajorVersion,
     _Out_opt_ PULONG MinorVersion,
     _Out_opt_ PULONG BuildNumber,