NtQuerySystemInformation

Index > Windows > NtQuerySystemInformation

Author

Thread

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz

Hi, I'm trying to get process list with native api called NtQuerySystemInformation but seems I don't know enough C to translate is to asm. Here's code what I'm trying, could anyone help me how it should work ? Thank you.

Code:

format pe console 4.0
include 'win32ax.inc'
entry main

section '.data' data readable writeable

struct UNICODE_STRING
 Length          dw ?  
 MaximumLength   dw ?  
 Buffer          dd ?                    ; offset  
ends

struct   VM_COUNTERS
  
   PeakVirtualSize  dd ?                   
   VirtualSize     dd ? 
   PageFaultCount    dd ? 
   PeakWorkingSetSize  dd ?     
   WorkingSetSize      dd ? 
   QuotaPeakPagedPoolUsage  dd ?  
   QuotaPagedPoolUsage dd ? 
   QuotaPeakNonPagedPoolUsage  dd ?     
   QuotaNonPagedPoolUsage dd ?     
   PagefileUsage dd ? 
   PeakPagefileUsage dd ? 
ends

struct IO_COUNTERS
        ReadOperationCount dd ? 

         WriteOperationCount dd ? 

         OtherOperationCount dd ? 

         ReadTransferCount dd ? 

         WriteTransferCount dd ? 

         OtherTransferCount dd ? 
ends

struct CLIENT_ID
 UniqueProcess dd ?
 UniqueThread dd ?
ends

struct SYSTEM_THREAD_INFORMATION
   
        KernelTime dq ?      ; 100 nsec units 
        UserTime dq ?       ; 100 nsec units 
        CreateTime dq ?        ; relative to 01-01-1601 
        WaitTime dd ? 
        StartAddress dd ? 
        ClientId    CLIENT_ID              ; process/thread ids 
        Priority dd ? 
        BasePriority dd ? 
        ContextSwitches dd ? 
        ThreadState dd ?    ; 2=running, 5=waiting 
        WaitReason dd ? 
        Reserved01  dd ? 
ends

struct SYSTEM_PROCESS_INFORMATION
    Next dd ?        ; offset to the next entry 
    ThreadCount dd ?          ; number of threads 
    Reserved1       db 6 dup (?)         ; reserved 
    CreateTime  dd ?           ; process creation time 
    UserTime   dq ?            ; time spent in user mode 
    ProcessName    UNICODE_STRING 
    KernelTime dq ?            ; time spent in kernel mode 
    BasePriority dd ?         ; base process priority 
    ProcessId dd ?             ; process identifier 
    ParentProcessId dd ? ; parent process identifier 
    HandleCount  dd ?          ; number of handles 
    Reserved2       db 2 dup (?)           
    VmCounters VM_COUNTERS
    IoCounters IO_COUNTERS
    Threads SYSTEM_THREAD_INFORMATION  
ends

sysinfo SYSTEM_PROCESS_INFORMATION
retaddr dd ?

section '.text' code readable executable

proc main
     mov [sysinfo.Next],0
@@:     
invoke NtQuerySystemInformation,5,sysinfo,sizeof.SYSTEM_PROCESS_INFORMATION,retaddr
     cinvoke printf,sysinfo.ProcessName.Buffer ;fail.
     cinvoke system,"PAUSE>NUL"
     mov eax,[sysinfo.Next]
     add [sysinfo.Next],eax
     jmp @b ;just testing, don't need loop.
     ret
endp

section '.idata' import data readable

library user32,'user32.dll',\
        kernel32,'kernel32.dll',\
        ntdll,'ntdll.dll',\
        msvcrt,'msvcrt.dll'
include 'api\user32.inc'
include 'api\kernel32.inc'
include 'api\ntdll.inc'
include 'api\msvcrt.inc'

29 Jul 2012, 08:55

bzdashek

Joined: 15 Feb 2012
Posts: 147
Location: Tolstokvashino, Russia

bzdashek

Where is your
invoke ExitProcess,0
?

29 Jul 2012, 09:31

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz

as I said, I'm doing it just in testing case, I don't care about ExitProcess for now.

29 Jul 2012, 09:49

Fockyerdoder

Joined: 08 Mar 2010
Posts: 1

Fockyerdoder

If i remember correctly the SystemInformationLength parameter passed to NtQuerySystemInformation has to be the length needed by the function to return the entire record of all processes, u have to call it once, and use the value returned in ReturnLength parameter to create the right size buffer, and call it again with the needed buffer size.

Check the return value of NtQuereySystemInformation, and check NTStatus.h codes

29 Jul 2012, 10:15

typedef

Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000

typedef

Where are you getting that struct from. This is what I found on MSDN:

Code:

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    BYTE Reserved1[52];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724509%28v=vs.85%29.aspx

29 Jul 2012, 15:51

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz

I was using struct as buffer argument, my bad. I'll try to code better tomorow.

typedef
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/Structures/SYSTEM_PROCESS_INFORMATION.html
works well in C.

29 Jul 2012, 21:00

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system

revolution

Also here:

Code:

cinvoke printf,[sysinfo.ProcessName.Buffer]

I doubt the process name is a maximum of 3 characters, so you will likely need the enclosing brackets (as I show above) to point to the proper address.

31 Jul 2012, 11:34

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz

Thank you all, I get it working now Smile

01 Aug 2012, 22:16

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum