flat assembler
Message board for the users of flat assembler.

Topic: NtQuerySystemInformation fails
Apolo 04 Apr 2017, 09:52
I am trying to get a module base address with NtQuerySystemInformation but it fails with FFFFFFFF80000002h error. Here is part of my code:

Code:
invoke LoadLibrary,NTDLL
mov [hmod],rax
invoke GetProcAddress,[hmod],NtQuerySystemInformation
mov [NtQuerySystemInformationClass],rax
push 0
push 290820
push NTKRNL
push 11
call [NtQuerySystemInformationClass]
NtQuerySystemInformationClass dq 0
NtQuerySystemInformation      db 'NtQuerySystemInformation',0
NTDLL                         db 'NTDLL.DLL',0
SYSTEM_MODULE_INFORMATION_SIZE equ 290820
SystemModuleInformation                                 equ     11
NTKRNL                 rb      290820
hmod                   dq      0


Where is my error???


Last edited by Apolo on 04 Apr 2017, 17:13; edited 1 time in total
zhak 04 Apr 2017, 10:00
You use 32-bit calling convention in 64-bit mode. See https://msdn.microsoft.com/en-us/library/ms235286.aspx
Apolo 04 Apr 2017, 17:00
NO! NtQuerySystemInformation continues with the 0FFFFFFFF80000002h error even if I set:

Code:
mov r9,0
mov r8, 290820
lea rdx, [NTKRNL]
mov rcx, 11
call [NtQuerySystemInformationClass]


What should I do??
zhak 04 Apr 2017, 19:34
Another issue: you forgot the shadow stack.

But that won't change anything; 0x80000002 is the STATUS_DATATYPE_MISALIGNMENT exception. Most probably your buffer size is wrong (is it Windows version specific? IDK).
NtQuerySystemInformation does a syscall:
Code:
mov r10, rcx
mov eax, 0x33
syscall
ret

Who knows what it does there; I don't have a kernel-level debugger at hand. Try the SLGetWindowsInformation function instead, as MSDN suggests:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa965834(v=vs.85).aspx
Apolo 06 Apr 2017, 12:51
What is the size of the buffer for Windows 8 64-bit, Windows 7 32-bit and Windows XP?
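An added example (not code from any of the posters) of the same query written the way zhak's replies describe: arguments in rcx, rdx, r8 and r9, 32 bytes of shadow space with a 16-byte aligned stack at every call, and no guessed, version-specific buffer size. The first call passes no buffer, so the kernel answers STATUS_INFO_LENGTH_MISMATCH and writes the required size into ReturnLength; the second call uses a VirtualAlloc'd (page-aligned) buffer of exactly that size. It assumes fasm's win64a.inc is on the include path and reports the NTSTATUS of a failing call as the process exit code.

```asm
format PE64 console
entry start
include 'win64a.inc'                     ; fasm's Win64 import macros (invoke is not used below)

section '.text' code readable executable
start:
        sub     rsp,8+32                 ; rsp 16-byte aligned plus 32 bytes of shadow space for every call
        lea     rcx,[ntdll]
        call    [GetModuleHandle]        ; ntdll.dll is already mapped in every process
        mov     rcx,rax
        lea     rdx,[fnname]
        call    [GetProcAddress]
        mov     [pNtQSI],rax

        ; Call 1: rcx=SystemModuleInformation, rdx=NULL, r8=0, r9=&needed.
        ; The kernel returns STATUS_INFO_LENGTH_MISMATCH and stores the required size in 'needed'.
        mov     ecx,11
        xor     edx,edx
        xor     r8d,r8d
        lea     r9,[needed]
        call    [pNtQSI]
        cmp     eax,0C0000004h           ; STATUS_INFO_LENGTH_MISMATCH
        jne     done                     ; any other status is a real error: report it

        ; Allocate exactly that size; VirtualAlloc memory is page aligned, so no alignment fault.
        xor     ecx,ecx                  ; lpAddress = NULL
        mov     edx,[needed]             ; dwSize
        mov     r8d,3000h                ; MEM_COMMIT or MEM_RESERVE
        mov     r9d,4                    ; PAGE_READWRITE
        call    [VirtualAlloc]
        mov     rdx,rax                  ; buffer pointer goes straight into call 2's rdx
        mov     eax,0C0000017h           ; STATUS_NO_MEMORY, reported if the allocation failed
        test    rdx,rdx
        jz      done

        ; Call 2: same class, correctly sized buffer. On success the buffer starts with
        ; RTL_PROCESS_MODULES: ULONG NumberOfModules, then one entry per module (entry 0 is the kernel image).
        mov     ecx,11
        mov     r8d,[needed]
        lea     r9,[needed]
        call    [pNtQSI]
done:
        mov     ecx,eax                  ; exit code: 0 on success, else the NTSTATUS of the failing call
        call    [ExitProcess]

section '.data' data readable writeable
ntdll   db 'ntdll.dll',0
fnname  db 'NtQuerySystemInformation',0
align 8                                  ; keep the pointer and the ULONG naturally aligned
pNtQSI  dq 0
needed  dd 0

section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL'
import  kernel32,GetModuleHandle,'GetModuleHandleA',GetProcAddress,'GetProcAddress',\
        VirtualAlloc,'VirtualAlloc',ExitProcess,'ExitProcess'
```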
jochenvnltn 08 Apr 2017, 10:49
Can you post more of your code? In the example you posted, you can't even see if it's x64.
Need to see more of the code to spot the error.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.