flat assembler
Message board for the users of flat assembler.

Index > Macroinstructions > Having trouble with structures...

Author
Thread Post new topic Reply to topic
shism2



Joined: 14 Sep 2005
Posts: 248
shism2
Code:

C:\WinAsm\Assemblers\fasm\FASM.EXE "C:\Documents and Settings\Owner\Desktop\crap\fasmexp\Anti-Debug Research\Debugger Checks\Process Based\ParentIdV2\pidv2.asm"  "pidv2.exe" 

flat assembler  version 1.67.22  (344256 kilobytes memory)
C:\WinAsm\Assemblers\fasm\INCLUDE\equates/kernel32.inc [31]:
    ProcessName    UNICODE_STRING
error: illegal instruction.
    

Code:
struct SYSTEM_PROCESS_INFORMATION
    Next dd ?        ; offset to the next entry
    ThreadCount dd ?          ; number of threads
    Reserved1       db 6 dup (?)         ; reserved
    CreateTime  dd ?           ; process creation time
    UserTime   dq ?            ; time spent in user mode
    ProcessName    UNICODE_STRING
    KernelTime dq ?            ; time spent in kernel mode
    BasePriority dd ?         ; base process priority
    ProcessId dd ?             ; process identifier
    ParentProcessId dd ? ; parent process identifier
    HandleCount  dd ?          ; number of handles
    Reserved2       db 2 dup (?)          
    VM_COUNTERS     VmCounters             
    IO_COUNTERS     IoCounters            
    Threads SYSTEM_THREAD_INFORMATION 
ends
    




Anything wrong with this ?[/code]
Post 01 Sep 2007, 22:52
View user's profile Send private message Reply with quote
nocona



Joined: 04 Aug 2007
Posts: 35
nocona
perhaps you don't have the UNICODE_STRING structure defined yet?
Post 02 Sep 2007, 05:59
View user's profile Send private message Reply with quote
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel
Try 'du xx dup (?)' instead of UNICODE_STRING.
VmCounters, IoCounters, SYSTEM_THREAD_INFORMATION do not exist. If you're converting code, check the source where you got these from, there should be some 'type definition' like 'TCHAR typedef BYTE' in MASM for instance.
Post 02 Sep 2007, 06:02
View user's profile Send private message Reply with quote
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
Found this in the Windows SDK:
Code:
The UNICODE_STRING structure is used by various LSA functions to specify a Unicode string.
typedef struct _LSA_UNICODE_STRING 
{  
    USHORT Length;  
    USHORT MaximumLength;  
    PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
    


The PWSTR means a pointer to a unicode string buffer so it is just a dword (Buffer dd ?).

So the whole thing would be:
Code:
struct UNICODE_STRING
    Length dw ?
    MaximumLength dw ?
    Buffer dd ?
ends    
Post 02 Sep 2007, 09:40
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2
Code:
struct SYSTEM_PROCESS_INFORMATION
    Next dd ?        ; offset to the next entry
    ThreadCount dd ?          ; number of threads
    Reserved1       db 6 dup (?)         ; reserved
    CreateTime  dd ?           ; process creation time
    UserTime   dq ?            ; time spent in user mode
    ProcessName    UNICODE_STRING
    KernelTime dq ?            ; time spent in kernel mode
    BasePriority dd ?         ; base process priority
    ProcessId dd ?             ; process identifier
    ParentProcessId dd ? ; parent process identifier
    HandleCount  dd ?          ; number of handles
    Reserved2       db 2 dup (?)          
    VM_COUNTERS     VmCounters             
    IO_COUNTERS     IoCounters            
    Threads SYSTEM_THREAD_INFORMATION 
ends

struct SYSTEM_THREAD_INFORMATION
  
     KernelTime dq ?      ; 100 nsec units
       UserTime dq ?       ; 100 nsec units
        CreateTime dq ?        ; relative to 01-01-1601
     WaitTime dd ?
       StartAddress dd ?
           ClientId    CLIENT_ID              ; process/thread ids
     Priority dd ?
       BasePriority dd ?
   ContextSwitches dd ?
        ThreadState dd ?    ; 2=running, 5=waiting
          WaitReason dd ?
     Reserved01  dd ?
ends

struct   VM_COUNTERS 
 
   PeakVirtualSize  dd ?            
   VirtualSize     dd ?
   PageFaultCount    dd ?
   PeakWorkingSetSize  dd ?    
   WorkingSetSize      dd ?
   QuotaPeakPagedPoolUsage  dd ? 
   QuotaPagedPoolUsage dd ?
   QuotaPeakNonPagedPoolUsage  dd ?    
   QuotaNonPagedPoolUsage dd ?    
   PagefileUsage dd ?
   PeakPagefileUsage dd ?
ends

struct IO_COUNTERS 
  ReadOperationCount dd ?

  WriteOperationCount dd ?

        OtherOperationCount dd ?

        ReadTransferCount dd ?

  WriteTransferCount dd ?

         OtherTransferCount dd ?
ends

struct UNICODE_STRING 
 Length          dw ? 
 MaximumLength   dw ? 
 Buffer          dd ?                    ; offset 
ends 
    



I do have all the structures defined already...but I still get the error
Post 02 Sep 2007, 17:30
View user's profile Send private message Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan
shism2 wrote:

I do have all the structures defined already...

Already means before their use. Define structure before use it in other structures. Put UNICODE_STRING before anything else.
Btw in kenrel mode UNICODE_STRING imho is the most frequently used structure in API functions. No direct pointers on strings only this struct or pointer on it.

_________________
Any offers?
Post 02 Sep 2007, 17:55
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2
Any of you have a better SYSTEM_PROCESS_INFORMATION structure ? Mine doesn't work correctly.... when I try to use it
Post 02 Sep 2007, 21:31
View user's profile Send private message Reply with quote
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
Quote:
* winternl.h -- This module defines the internal NT APIs and data *
* structures that are intended for the use only by internal core *
* Windows components. These APIs and data structures may change *
* at any time. *
* *
* These APIs and data structures are subject to changes from one *
* Windows release to another Windows release. To maintain the *
* compatiblity of your application, avoid using these APIs and *
* data structures. *

This is the include file that I found 'SYSTEM_PROCESS_INFORMATION' in. As you can read, it is not recommened that you use these structures and defines,
Anyways, here's my what my include translation shows:
Code:
struct SYSTEM_PROCESS_INFORMATION
    NextEntryOffset dd ?
    Reserved1 db 52 dup(?)
    Reserved2 dd ?,?,?
    UniqueProcessId dd ?
    Reserved3 dd ?
    HandleCount dd ?
    Reserved4 db 4 dup(?)
    Reserved5 dd 11 dup(?)
    PeakPagefileUsage dd ?
    PrivatePageCount dd ?
    Reserved6 dq 6 dup(?)
ends    
Post 03 Sep 2007, 10:38
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.