flat assembler
Message board for the users of flat assembler.

Thread: NtQuerySystemInformation (Windows forum)

zxcv 15 Jan 2008, 23:55
Code:
format pe console
entry start
section '.code' code readable executable
start:
push 18400 ;room for 100 entries of 184 bytes each
call [malloc]
mov ebx, eax ;ebx = buffer
push 0 ;ReturnLength (not requested)
push 18400 ;SystemInformationLength
push ebx ;SystemInformation
push 5 ;SystemInformationClass = SystemProcessInformation
call [NtQuerySystemInformation]
push dword [ebx+68+184*6] ;68 is the offset of the pid, and 6*184 would be the 7th structure if every entry were exactly 184 bytes
push f
call [printf] ;but it's not a pid...
add esp, 12 ;printf's two arguments plus the malloc argument still on the stack
retn
section '.data' data readable writeable
f db '%i',0
section '.idata' import data readable
dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table ;import descriptor: msvcrt.dll
dd 0,0,0,RVA ntdll_name,RVA ntdll_table ;import descriptor: ntdll.dll
dd 5 dup 0 ;end of the import descriptors
msvcrt_table:
printf dd RVA _printf
malloc dd RVA _malloc
dd 0
ntdll_table:
NtQuerySystemInformation dd RVA _NtQuerySystemInformation
dd 0
msvcrt_name db 'msvcrt.dll',0
ntdll_name db 'ntdll.dll',0
_printf db 0,0,'printf',0 ;hint/name entries, hint = 0
_malloc db 0,0,'malloc',0
_NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0


I tried to gather info about all processes in my system, but it doesn't work.

1. What are bytes 0-8 of SYSTEM_PROCESS_INFORMATION?
2. How many procs can be run under Windows?
3. Why is UniqueProcessId a HANDLE, not a DWORD?
4. Why is there no good documentation for ntdll?
revolution 16 Jan 2008, 01:35
A1: Don't know
A2: IIRC it is limited only by memory
A3: I expect they are the same thing
A4: It is not a public interface and can change on each update
zxcv 16 Jan 2008, 01:56
Okay, so how do I obtain a pid from it?
It's not bytes 68-72.
madmatt 16 Jan 2008, 08:20
zxcv:
Q4: To get the ntdll information and documentation, you'll have to download the Windows Device Driver Kit (DDK).
f0dder 16 Jan 2008, 11:37
A3: because NTDLL expects a handle and not some random DWORD (i.e., not the PID). If you have a PID, you can get a HANDLE with OpenProcess (remember CloseHandle afterwards). And don't try randomly querying handles or OpenProcess'ing random PIDs, get a list of available PIDs instead.

A4: like revolution says, NTDLL is internal support routines, not a public & published interface. You can probably do what you want using psapi or toolhelp32 anyway.
zxcv 16 Jan 2008, 13:03
Code:
format pe console
entry start
section '.code' code readable executable
start:
push 184000 ;room for 1000 entries of 184 bytes each
call [malloc]
mov ebx, eax ;ebx = buffer
push 0 ;ReturnLength (not requested)
push 184000 ;SystemInformationLength
push ebx ;SystemInformation
push 5 ;SystemInformationClass = SystemProcessInformation
call [NtQuerySystemInformation]
xor edi,edi
lop:
push dword [ebx+68+edi] ;dword at byte offset 68+edi; edi advances one byte per pass, so these are overlapping dwords, not one field per entry
push f
call [printf]
add esp, 8
inc edi
cmp edi,1000
jnz lop
pop edx ;discard the malloc argument
retn
section '.data' data readable writeable
f db '%i',13,10,0
section '.idata' import data readable
dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table ;import descriptor: msvcrt.dll
dd 0,0,0,RVA ntdll_name,RVA ntdll_table ;import descriptor: ntdll.dll
dd 5 dup 0 ;end of the import descriptors
msvcrt_table:
printf dd RVA _printf
malloc dd RVA _malloc
dd 0
ntdll_table:
NtQuerySystemInformation dd RVA _NtQuerySystemInformation
dd 0
msvcrt_name db 'msvcrt.dll',0
ntdll_name db 'ntdll.dll',0
_printf db 0,0,'printf',0 ;hint/name entries, hint = 0
_malloc db 0,0,'malloc',0
_NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0

I'm confused: if I loop it 50 times, all are 0. And handles are at the end.
What am I doing wrong?
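As an added example, not code from the thread or from any of its posters: the list the two posts above are trying to read, walked by NextEntryOffset instead of a fixed 184-byte stride. Each entry is the 184-byte (x86) SYSTEM_PROCESS_INFORMATION header followed by one SYSTEM_THREAD_INFORMATION record per thread, so entries are variable-length and indexing by 184*n lands inside thread records. It assumes a 32-bit process on x86 Windows (the field offsets are the x86 layout and differ in a 64-bit process), fasm's win32a.inc on the include path, and msvcrt for malloc/free/printf. It goes beyond the posted code in one respect: the buffer size is not known up front and changes as processes start and exit, so the call is retried with a larger buffer on STATUS_INFO_LENGTH_MISMATCH.

```asm
; Added example (not from the thread): enumerate processes with
; NtQuerySystemInformation(SystemProcessInformation), walking the variable-length
; entries by NextEntryOffset and growing the buffer on STATUS_INFO_LENGTH_MISMATCH.
; Assumptions: 32-bit process on x86 Windows, fasm win32a.inc, msvcrt available.
format PE console
entry start
include 'win32a.inc'

SystemProcessInformation    = 5
STATUS_INFO_LENGTH_MISMATCH = 0C0000004h

; SYSTEM_PROCESS_INFORMATION (x86 layout) field offsets used below.
; The first eight bytes are NextEntryOffset and NumberOfThreads.
SPI.NextEntryOffset              = 00h    ; 0 in the last entry
SPI.NumberOfThreads              = 04h    ; thread records follow the 184-byte header
SPI.UniqueProcessId              = 44h    ; 68 decimal, as used in the thread
SPI.InheritedFromUniqueProcessId = 48h    ; parent pid

section '.code' code readable executable
start:
    mov     [bufsize], 64*1024          ; first guess; doubled on STATUS_INFO_LENGTH_MISMATCH
  .retry:
    cinvoke malloc, [bufsize]
    test    eax, eax
    jz      .exit                        ; out of memory, nothing to free
    mov     ebx, eax                     ; ebx = buffer base
    invoke  NtQuerySystemInformation, SystemProcessInformation, ebx, [bufsize], returned
    cmp     eax, STATUS_INFO_LENGTH_MISMATCH
    jne     .check
    cinvoke free, ebx                    ; too small: the guess was low or the list grew
    shl     [bufsize], 1
    jmp     .retry
  .check:
    test    eax, eax                     ; NT_SUCCESS(status) <=> status >= 0
    js      .free
    mov     esi, ebx                     ; esi = current entry
  .walk:
    cinvoke printf, fmt, [esi+SPI.UniqueProcessId], \
                         [esi+SPI.InheritedFromUniqueProcessId], \
                         [esi+SPI.NumberOfThreads]
    mov     eax, [esi+SPI.NextEntryOffset]
    test    eax, eax                     ; 0 means this was the last entry
    jz      .free
    add     esi, eax                     ; offset is relative to the current entry
    jmp     .walk
  .free:
    cinvoke free, ebx
  .exit:
    invoke  ExitProcess, 0

section '.data' data readable writeable
    fmt      db 'pid=%u  ppid=%u  threads=%u',13,10,0
    bufsize  dd ?
    returned dd ?                        ; ReturnLength, not used beyond the call

section '.idata' import data readable
    library kernel32,'KERNEL32.DLL', msvcrt,'MSVCRT.DLL', ntdll,'NTDLL.DLL'
    import  kernel32, ExitProcess,'ExitProcess'
    import  msvcrt, malloc,'malloc', free,'free', printf,'printf'
    import  ntdll, NtQuerySystemInformation,'NtQuerySystemInformation'
```

The first eight bytes the opening post asks about are NextEntryOffset (bytes 0-3) and NumberOfThreads (bytes 4-7); the thread records that follow each header are what make the entries variable-length. Because this is not a public interface, the offsets above are one layout of one architecture and should be checked against the target Windows build before anything depends on them; the documented APIs named later in the thread avoid that problem.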
f0dder 16 Jan 2008, 13:11
zxcv wrote:
What am I doing wrong?

Everything - give up coding :)

_________________
carpe noctem
revolution 16 Jan 2008, 13:19
zxcv wrote:
What am I doing wrong?
You are trying to use an undocumented function and you ask here what you are doing wrong?

It is quite simple, use the documented API and then people can help you.
zxcv 16 Jan 2008, 13:25
So tell me why taskmgr.exe doesn't use documented functions.
f0dder 16 Jan 2008, 13:30
zxcv wrote:
So tell me why taskmgr.exe doesn't use documented functions.

Because it's an internal Microsoft application? :)

Google psapi and toolhelp32.

_________________
carpe noctem
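The documented route f0dder points to, as an added example that is not code from the thread: the same process listing through the Tool Help API (CreateToolhelp32Snapshot, Process32First, Process32Next), which gives the pid directly as a DWORD with no structure offsets to guess. It assumes a 32-bit process, fasm's win32a.inc on the include path, and msvcrt printf; the PROCESSENTRY32 size and field offsets are defined in the block itself rather than taken from the include files.

```asm
; Added example (not from the thread): list processes with the documented
; Tool Help snapshot API instead of NtQuerySystemInformation.
; Assumptions: 32-bit process, fasm win32a.inc, msvcrt printf available.
format PE console
entry start
include 'win32a.inc'

TH32CS_SNAPPROCESS   = 2
INVALID_HANDLE_VALUE = -1

; PROCESSENTRY32 (ANSI, x86): size and the field offsets used below,
; defined here so the example does not depend on the include files shipping them
PE32.size                = 296
PE32.th32ProcessID       = 08h
PE32.cntThreads          = 14h
PE32.th32ParentProcessID = 18h
PE32.szExeFile           = 24h           ; char[MAX_PATH]

section '.code' code readable executable
start:
    invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    cmp     eax, INVALID_HANDLE_VALUE
    je      .exit
    mov     ebx, eax                              ; ebx = snapshot handle
    mov     dword [pe32buf], PE32.size            ; dwSize must be set or Process32First fails
    invoke  Process32First, ebx, pe32buf
  .walk:
    test    eax, eax                              ; FALSE once the snapshot is exhausted
    jz      .close
    cinvoke printf, fmt, [pe32buf+PE32.th32ProcessID], \
                         [pe32buf+PE32.th32ParentProcessID], \
                         [pe32buf+PE32.cntThreads], \
                         pe32buf+PE32.szExeFile
    invoke  Process32Next, ebx, pe32buf
    jmp     .walk
  .close:
    invoke  CloseHandle, ebx                      ; snapshot handles are closed like any other
  .exit:
    invoke  ExitProcess, 0

section '.data' data readable writeable
    fmt     db 'pid=%u  ppid=%u  threads=%u  %s',13,10,0
    pe32buf rb PE32.size

section '.idata' import data readable
    library kernel32,'KERNEL32.DLL', msvcrt,'MSVCRT.DLL'
    import  kernel32, CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot', \
                      Process32First,'Process32First', \
                      Process32Next,'Process32Next', \
                      CloseHandle,'CloseHandle', \
                      ExitProcess,'ExitProcess'
    import  msvcrt, printf,'printf'
```

The snapshot is a point-in-time copy, so a pid printed here may already have exited (or been reused) by the time it is handed to OpenProcess; treat the list as a hint and check the OpenProcess result rather than assuming the pid is still live, and CloseHandle whatever OpenProcess returns, as f0dder notes above.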
zxcv 16 Jan 2008, 13:33
Yeah, I use Google.
Thanks for all, bye.
revolution 16 Jan 2008, 13:35
I don't care what functions taskmgr uses.

Take a look at the official documentation. There is an article titled "Enumerating Process Objects Using PDH" that shows precisely how to enumerate processes using no secret functions or tricks. It is all there under the PDH interface. And that is only one way to do it, there are other documented methods also. RTFM.
AlexP 16 Jan 2008, 16:58
f0dder wrote:
zxcv wrote:
What am I doing wrong?

Everything - give up coding :)

lol meany!!

But anyway, is the Windows DDK just as much of a "bloated cow" as Visual Studio? I almost promised myself I wouldn't install anything on my new PC after what Microsoft did to my last one... Nightmares of registry usage gone bad!!
Copyright © 1999-2024, Tomasz Grysztar.