flat assembler
Message board for the users of flat assembler.

Index > Windows > NtQuerySystemInformation

Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 29 Jul 2012, 08:55
Hi, I'm trying to get the process list with the native API call NtQuerySystemInformation, but it seems I don't know enough C to translate it to asm. Here's the code I'm trying; could anyone help me with how it should work? Thank you.

Code:
format pe console 4.0
include 'win32ax.inc'
entry main

section '.data' data readable writeable

struct UNICODE_STRING
 Length          dw ?  
 MaximumLength   dw ?  
 Buffer          dd ?                    ; offset  
ends

struct   VM_COUNTERS
  
   PeakVirtualSize  dd ?                   
   VirtualSize     dd ? 
   PageFaultCount    dd ? 
   PeakWorkingSetSize  dd ?     
   WorkingSetSize      dd ? 
   QuotaPeakPagedPoolUsage  dd ?  
   QuotaPagedPoolUsage dd ? 
   QuotaPeakNonPagedPoolUsage  dd ?     
   QuotaNonPagedPoolUsage dd ?     
   PagefileUsage dd ? 
   PeakPagefileUsage dd ? 
ends

struct IO_COUNTERS
        ReadOperationCount dd ? 

         WriteOperationCount dd ? 

         OtherOperationCount dd ? 

         ReadTransferCount dd ? 

         WriteTransferCount dd ? 

         OtherTransferCount dd ? 
ends

struct CLIENT_ID
 UniqueProcess dd ?
 UniqueThread dd ?
ends

struct SYSTEM_THREAD_INFORMATION
   
        KernelTime dq ?      ; 100 nsec units 
        UserTime dq ?       ; 100 nsec units 
        CreateTime dq ?        ; relative to 01-01-1601 
        WaitTime dd ? 
        StartAddress dd ? 
        ClientId    CLIENT_ID              ; process/thread ids 
        Priority dd ? 
        BasePriority dd ? 
        ContextSwitches dd ? 
        ThreadState dd ?    ; 2=running, 5=waiting 
        WaitReason dd ? 
        Reserved01  dd ? 
ends

struct SYSTEM_PROCESS_INFORMATION
    Next dd ?        ; offset to the next entry 
    ThreadCount dd ?          ; number of threads 
    Reserved1       db 6 dup (?)         ; reserved 
    CreateTime  dd ?           ; process creation time 
    UserTime   dq ?            ; time spent in user mode 
    ProcessName    UNICODE_STRING 
    KernelTime dq ?            ; time spent in kernel mode 
    BasePriority dd ?         ; base process priority 
    ProcessId dd ?             ; process identifier 
    ParentProcessId dd ? ; parent process identifier 
    HandleCount  dd ?          ; number of handles 
    Reserved2       db 2 dup (?)           
    VmCounters VM_COUNTERS
    IoCounters IO_COUNTERS
    Threads SYSTEM_THREAD_INFORMATION  
ends

sysinfo SYSTEM_PROCESS_INFORMATION
retaddr dd ?

section '.text' code readable executable

proc main
     mov [sysinfo.Next],0
@@:     
invoke NtQuerySystemInformation,5,sysinfo,sizeof.SYSTEM_PROCESS_INFORMATION,retaddr
     cinvoke printf,sysinfo.ProcessName.Buffer ;fail.
     cinvoke system,"PAUSE>NUL"
     mov eax,[sysinfo.Next]
     add [sysinfo.Next],eax
     jmp @b ;just testing, don't need loop.
     ret
endp

section '.idata' import data readable

library user32,'user32.dll',\
        kernel32,'kernel32.dll',\
        ntdll,'ntdll.dll',\
        msvcrt,'msvcrt.dll'
include 'api\user32.inc'
include 'api\kernel32.inc'
include 'api\ntdll.inc'
include 'api\msvcrt.inc'    
bzdashek



Joined: 15 Feb 2012
Posts: 147
Location: Tolstokvashino, Russia
bzdashek 29 Jul 2012, 09:31
Where is your invoke ExitProcess,0 ?
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 29 Jul 2012, 09:49
As I said, I'm just doing this as a test; I don't care about ExitProcess for now.
Fockyerdoder



Joined: 08 Mar 2010
Posts: 1
Fockyerdoder 29 Jul 2012, 10:15
If I remember correctly, the SystemInformationLength parameter passed to NtQuerySystemInformation has to be the length needed by the function to return the entire record of all processes. You have to call it once and use the value returned in the ReturnLength parameter to create a buffer of the right size, then call it again with the needed buffer size.

Check the return value of NtQuerySystemInformation, and check the ntstatus.h codes.
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 29 Jul 2012, 15:51
Where are you getting that struct from? This is what I found on MSDN:
Code:
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    BYTE Reserved1[52];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724509%28v=vs.85%29.aspx
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 29 Jul 2012, 21:00
I was using the struct as the buffer argument, my bad. I'll try to code it better tomorrow.

typedef,
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/Structures/SYSTEM_PROCESS_INFORMATION.html
works well in C.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20449
Location: In your JS exploiting you and your system
revolution 31 Jul 2012, 11:34
Also here:
Code:
cinvoke printf,[sysinfo.ProcessName.Buffer]    
I doubt the process name is a maximum of 3 characters, so you will likely need the enclosing brackets (as I show above) to pass the proper address.
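Pulling the three corrections in this thread together (probe for ReturnLength first, check the NTSTATUS before touching the buffer, and dereference the Buffer pointer with brackets), here is an added fasm example that is not Overflowz's code and not something the fasm package ships. The field offsets follow the 32-bit MSDN declaration typedef quoted above; the ImageName fields are the UNICODE_STRING that MSDN hides inside Reserved2, and their names, the slack added to the buffer size and the printf format are my own choices. NtQuerySystemInformation is imported by hand so the example does not depend on an api\ntdll.inc being present.

```asm
format PE console 4.0
include 'win32ax.inc'
entry main

SystemProcessInformation    = 5
STATUS_SUCCESS              = 0
STATUS_INFO_LENGTH_MISMATCH = 0C0000004h
HEAP_ZERO_MEMORY            = 8

; Offsets taken from the 32-bit MSDN declaration quoted earlier in the thread.
; ImageName* is the UNICODE_STRING that MSDN hides inside Reserved2 (assumed names).
struct SYSTEM_PROCESS_INFORMATION
  NextEntryOffset     dd ?            ; 0 on the last entry
  Reserved1           db 52 dup (?)
  ImageNameLength     dw ?            ; length in BYTES, not characters
  ImageNameMaxLength  dw ?
  ImageNameBuffer     dd ?            ; PWSTR, NOT NUL-terminated
  BasePriority        dd ?            ; last PVOID of Reserved2
  UniqueProcessId     dd ?
  Reserved3           dd ?
  HandleCount         dd ?
  Reserved4           db 4 dup (?)
  Reserved5           dd 11 dup (?)
  PeakPagefileUsage   dd ?
  PrivatePageCount    dd ?
  Reserved6           dq 6 dup (?)
ends

section '.data' data readable writeable
  buffer  dd 0                        ; heap block that receives the whole snapshot
  needed  dd 0                        ; ReturnLength from the probe call
  fmt     db '%5u  %.*S',13,10,0      ; pid, then the name bounded by Length/2 chars
  errfmt  db 'NtQuerySystemInformation failed: 0x%08X',13,10,0

section '.text' code readable executable

proc main
        ; 1. Probe call: NULL buffer, zero length. Expected result is
        ;    STATUS_INFO_LENGTH_MISMATCH with [needed] filled in.
        invoke  NtQuerySystemInformation,SystemProcessInformation,0,0,needed
        cmp     eax,STATUS_INFO_LENGTH_MISMATCH
        jne     .fail
        ; 2. Allocate the reported size plus slack: processes can be created
        ;    between the two calls, which would make the second call fail again.
        add     [needed],4096
        invoke  GetProcessHeap
        invoke  HeapAlloc,eax,HEAP_ZERO_MEMORY,[needed]
        test    eax,eax
        jz      .fail
        mov     [buffer],eax
        ; 3. Real call. Check the NTSTATUS in eax before reading the buffer.
        invoke  NtQuerySystemInformation,SystemProcessInformation,[buffer],[needed],needed
        cmp     eax,STATUS_SUCCESS
        jne     .fail
        ; 4. Walk the chained entries; NextEntryOffset is relative to the current entry.
        mov     esi,[buffer]
  .next:
        movzx   eax,word [esi+SYSTEM_PROCESS_INFORMATION.ImageNameLength]
        shr     eax,1                   ; bytes -> UTF-16 characters for %.*S
        cinvoke printf,fmt,[esi+SYSTEM_PROCESS_INFORMATION.UniqueProcessId],eax,\
                [esi+SYSTEM_PROCESS_INFORMATION.ImageNameBuffer]
        mov     eax,[esi+SYSTEM_PROCESS_INFORMATION.NextEntryOffset]
        test    eax,eax
        jz      .done
        add     esi,eax
        jmp     .next
  .done:
        invoke  GetProcessHeap
        invoke  HeapFree,eax,0,[buffer]
        invoke  ExitProcess,0
  .fail:
        cinvoke printf,errfmt,eax       ; eax still holds the NTSTATUS (or 0 from HeapAlloc)
        invoke  ExitProcess,1
endp

section '.idata' import data readable

library ntdll,'ntdll.dll',\
        kernel32,'kernel32.dll',\
        msvcrt,'msvcrt.dll'

import  ntdll,\
        NtQuerySystemInformation,'NtQuerySystemInformation'
include 'api\kernel32.inc'
include 'api\msvcrt.inc'
```

The entry for the Idle process has an empty ImageName (Length 0), so the `%.*S` precision of zero prints nothing for it rather than reading past the buffer; a `%S` without the precision would run off the end of the name because the string is not NUL-terminated.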
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 01 Aug 2012, 22:16
Thank you all, I got it working now :)
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.