Zeolite

Reputation: 105

Practical Malware Analysis - Lab 5.1 Question 11 function sub_100036C3

Just wanted to ask one question about sub_100036C3, because I did not get the detailed answer that was given in the book.

Brief intro:

Page 107. Question 11. What does the export PSLIST do?

Page 498. Answer: The sub_100036C3 function checks to see if the OS version is Windows Vista/7 or XP/2003/2000.

Disassembled code:

[Image: disassembled code of sub_100036C3]

We see instruction:

cmp [ebp+VersionInformation.dwMajorVersion], 5
jb short loc_100036FA

dwMajorVersion is 5 for XP/2003/2000.

dwMajorVersion is 6 for Windows Vista/7.

But in the disassembled code, the instruction jb short loc_100036FA will not jump to loc_100036FA if dwMajorVersion is >= 5, and will jump only if dwMajorVersion < 5 (jump if below).

So in my opinion it could not be used to choose between XP and Vista/7, because both 5 and 6 fall under the red arrow.

Please, can someone explain: am I right, or what mistake did I make?

Upvotes: 2

Views: 322

Answers (1)

Drake Wu

Reputation: 7170

The function sub_100036C3 just makes a judgment to determine whether the host operating system is Win2000 or above (this may be why it returns a bool value instead of one of three options: Windows Vista/7, XP/2003/2000, or neither).

If we use disassembly, the logic of this function is roughly as follows:

#include <windows.h>

// Reconstruction of sub_100036C3 from the disassembly.
BOOL sub_100036C3(void)
{
    OSVERSIONINFOA VersionInformation;
    // GetVersionExA reads dwOSVersionInfoSize to know how much it may write,
    // so the size must match the struct actually passed.
    VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
    GetVersionExA(&VersionInformation);

    // Both conditions are combined into a single TRUE/FALSE result:
    // dwPlatformId == 2 is VER_PLATFORM_WIN32_NT (not Windows 9x), and
    // dwMajorVersion >= 5 is the "cmp ..., 5 / jb" check from the listing.
    return VersionInformation.dwPlatformId == VER_PLATFORM_WIN32_NT
        && VersionInformation.dwMajorVersion >= 5;
}

So as long as the version is not Windows 95, they will follow the middle process.

Upvotes: 2
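To make the point of the question and the answer concrete, here is an added example (not code from the question, the answer, or the book) that models the branch structure of sub_100036C3 in plain C and runs it over constructed OSVERSIONINFOA-style records for Windows 95 through Windows 7. The struct name OsVersion, the helper os_version and the function names are assumptions made for this example; the second function, classify_by_major, is included only to show what a check that actually separated Vista/7 from XP/2003/2000 would have to compare against, which the disassembly in the question does not do.

```c
#include <stdio.h>

/* Minimal model of the OSVERSIONINFOA fields the function reads.
   Constructed for this example; not the Windows SDK struct. */
typedef struct {
    unsigned long dwMajorVersion;
    unsigned long dwMinorVersion;
    unsigned long dwPlatformId;   /* 1 = Windows 9x, 2 = Windows NT family */
} OsVersion;

/* Small constructor so sample records are easy to build. */
OsVersion os_version(unsigned long major, unsigned long minor, unsigned long platform)
{
    OsVersion v;
    v.dwMajorVersion = major;
    v.dwMinorVersion = minor;
    v.dwPlatformId = platform;
    return v;
}

/* Mirrors the branch structure of sub_100036C3 as reconstructed in the answer.
   "cmp dwMajorVersion, 5 / jb" is an unsigned compare: the jump is taken only
   when dwMajorVersion < 5. Major version 5 (2000/XP/2003) and major version 6
   (Vista/7) both stay on the fall-through path, so the function cannot tell
   them apart. Returns 1 for "NT 5.0 or later", 0 otherwise. */
int sub_100036C3_model(const OsVersion *v)
{
    if (v->dwPlatformId != 2)     /* not an NT platform, e.g. Windows 95 */
        return 0;
    if (v->dwMajorVersion < 5)    /* this is the path the jb takes */
        return 0;
    return 1;                     /* "red arrow": 5 and 6 both land here */
}

/* What a real XP-vs-Vista discriminator would need: a second comparison
   against 6. Constructed for contrast only; not present in the listing. */
enum OsFamily { OS_OTHER = 0, OS_NT5 = 5, OS_NT6 = 6 };

enum OsFamily classify_by_major(const OsVersion *v)
{
    if (v->dwPlatformId != 2)
        return OS_OTHER;
    if (v->dwMajorVersion >= 6)
        return OS_NT6;
    if (v->dwMajorVersion == 5)
        return OS_NT5;
    return OS_OTHER;
}

/* Constructed sample records: (name, major, minor, platform). */
typedef struct { const char *name; OsVersion v; } Sample;

int main(void)
{
    Sample samples[] = {
        { "Windows 95",    { 4, 0, 1 } },
        { "Windows NT 4",  { 4, 0, 2 } },
        { "Windows 2000",  { 5, 0, 2 } },
        { "Windows XP",    { 5, 1, 2 } },
        { "Server 2003",   { 5, 2, 2 } },
        { "Windows Vista", { 6, 0, 2 } },
        { "Windows 7",     { 6, 1, 2 } },
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    printf("%-14s %-7s %-11s %s\n", "OS", "major", "sub_100036C3", "by-major");
    for (size_t i = 0; i < n; i++) {
        printf("%-14s %-7lu %-11d NT%d\n",
               samples[i].name,
               samples[i].v.dwMajorVersion,
               sub_100036C3_model(&samples[i].v),
               (int)classify_by_major(&samples[i].v));
    }
    return 0;
}
```

Running it prints one row per sample: every NT release from 2000 onward gets 1 from sub_100036C3_model, while only classify_by_major separates the NT5 row group from the NT6 one. That is exactly the discrepancy the question points out: a single cmp against 5 followed by jb yields a two-way result, so the book's wording ("Vista/7 or XP/2003/2000") describes the set of systems that pass the check, not a three-way classification.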
