flat assembler
Message board for the users of flat assembler.

Index > Windows > NtQueryObject

jochenvnltn 30 Nov 2014, 20:07
Hello everyone

I would like to call NtQueryObject with OBJECT_TYPE_INFORMATION. I don't know how to use this in FASM.

C++ example
----------------

POBJECT_TYPE_INFORMATION objectType = (POBJECT_TYPE_INFORMATION)memory;
if (NtQueryObject(debugObject, ObjectTypeInformation, objectType, sizeof(memory), 0) >= 0)

Can someone help pls?

thanks :)
tthsqe 30 Nov 2014, 23:47
I couldn't find that function but I found a similar function on MSDN. Probably someone who knows more should correct this, but it should be enough to get you started in the right direction.

Code:
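;
;NTSTATUS ZwQueryObject(
;  _In_opt_   HANDLE Handle,
;  _In_       OBJECT_INFORMATION_CLASS ObjectInformationClass,
;  _Out_opt_  PVOID ObjectInformation,
;  _In_       ULONG ObjectInformationLength,
;  _Out_opt_  PULONG ReturnLength
;);

struct UNICODE_STRING
  Length        dw ?
  MaximumLength dw ?
                dd ?    ; padding so that Buffer is 8-byte aligned on x64
  Buffer        dq ?
ends

; the structure itself (POBJECT_TYPE_INFORMATION is the C pointer type)
struct OBJECT_TYPE_INFORMATION
  TypeName UNICODE_STRING
           rd 22        ; remaining fields, not named here
ends


; code section:

        sub     rsp,8*8         ; rsp must be 16-byte aligned at the call
        mov     rcx,[handle]
        mov     edx,2           ; ObjectTypeInformation = 2 (ObjectBasicInformation = 0)
        lea     r8,[objectType]
        mov     r9d,objectTypeSize
        mov     qword[rsp+8*4],0 ; 5th argument (ReturnLength) sits right above the 32-byte shadow space
        call    qword[ZwQueryObject] ; call function imported from Ntoskrnl.lib (user mode: ntdll.dll exports NtQueryObject/ZwQueryObject)
        add     rsp,8*8
        cmp     eax,0
        jge     .ReturnIsNotNegative
.ReturnIsNegative:
        ...
.ReturnIsNotNegative:
        ...

; data section:

objectType OBJECT_TYPE_INFORMATION
           rb 256       ; room for the type name string, which is written after the structure
objectTypeSize = $ - objectType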
jochenvnltn 01 Dec 2014, 00:02
@tthsqe: this is more than good to get me started! Thank you! :)
Also wasn't sure how to declare the OBJECT_TYPE_INFORMATION struct in FASM.

Now I know :)

Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.