flat assembler
Message board for the users of flat assembler.
Windows: NtQuerySystemInformation
revolution 16 Jan 2008, 01:35
A1: Don't know
A2: IIRC it is limited only by memory
A3: I expect they are the same thing
A4: It is not a public interface and can change on each update
zxcv 16 Jan 2008, 01:56
Okay, so how do I obtain a PID from it?
It's not 68-72 bytes.
madmatt 16 Jan 2008, 08:20
zxcv:
Q4: To get the ntdll information and documentation, you'll have to download the Windows Device Driver Kit (DDK).
f0dder 16 Jan 2008, 11:37
A3: because NTDLL expects a handle and not some random DWORD (i.e., not the PID). If you have a PID, you can get a HANDLE with OpenProcess (remember CloseHandle afterwards). And don't try randomly querying handles or openprocess'ing random PIDs, get a list of available PIDs instead.
A4: like revolution says, NTDLL is internal support routines, not a public & published interface. You can probably do what you want using psapi or toolhelp32 anyway.
zxcv 16 Jan 2008, 13:03
Code:
format pe console
section '.code' code readable executable
    push 184000                     ; 1000 procs
    call [malloc]
    mov ebx, eax                    ; ebx = buffer returned by malloc
    push 0                          ; ReturnLength = NULL
    push 184000                     ; SystemInformationLength
    push ebx                        ; SystemInformation
    push 5                          ; SystemInformationClass 5 = SystemProcessInformation
    call [NtQuerySystemInformation]
    xor edi,edi
lop:
    push dword [ebx+68+edi]         ; dword at buffer+68+edi, edi stepped one byte per pass
    push f
    call [printf]
    add esp, 8
    inc edi
    cmp edi,1000
    jnz lop
    pop edx
    retn
section '.data' data readable writeable
    f db '%i',13,10,0
section '.idata' import data readable
    dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
    dd 0,0,0,RVA ntdll_name,RVA ntdll_table
    dd 5 dup 0
msvcrt_table:
    printf dd RVA _printf
    malloc dd RVA _malloc
    dd 0
ntdll_table:
    NtQuerySystemInformation dd RVA _NtQuerySystemInformation
    dd 0
msvcrt_name db 'msvcrt.dll',0
ntdll_name db 'ntdll.dll',0
_printf db 0,0,'printf',0
_malloc db 0,0,'malloc',0
_NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0

I'm confused, if I loop it 50 times all are 0. And handles are at the end. What am I doing wrong?
f0dder 16 Jan 2008, 13:11
zxcv wrote:
Everything - give up coding
revolution 16 Jan 2008, 13:19
zxcv wrote: What am I doing wrong?
It is quite simple, use the documented API and then people can help you.
zxcv 16 Jan 2008, 13:25
So tell me why taskmgr.exe doesn't use documented functions.
f0dder 16 Jan 2008, 13:30
zxcv wrote: So tell me why taskmgr.exe doesn't use documented functions.
Because it's an internal Microsoft application? Google psapi and toolhelp32.
zxcv 16 Jan 2008, 13:33
Yeah, I use Google.
Thanks for all, bye.
revolution 16 Jan 2008, 13:35
I don't care what functions taskmgr uses.
Take a look at the official documentation. There is an article titled "Enumerating Process Objects Using PDH" that shows precisely how to enumerate processes using no secret functions or tricks. It is all there under the PDH interface. And that is only one way to do it, there are other documented methods also. RTFM.
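The documented route that f0dder and revolution point to, as an added example that is not code from any post in this thread: a fasm program that walks a Toolhelp32 process snapshot (CreateToolhelp32Snapshot, Process32First, Process32Next) and prints each PID with its image name. It assumes fasm's bundled win32a.inc is on the include path; the PROCESSENTRY32 size and field offsets used (296, +8 for th32ProcessID, +36 for szExeFile) are the 32-bit ANSI layout.

```asm
format PE console
entry start
include 'win32a.inc'            ; fasm's standard Win32 macros: invoke, cinvoke, library, import

TH32CS_SNAPPROCESS   = 2        ; snapshot the process list
INVALID_HANDLE_VALUE = -1
PE32_SIZE            = 296      ; sizeof(PROCESSENTRY32), ANSI, 32-bit

section '.code' code readable executable
start:
        invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
        cmp     eax, INVALID_HANDLE_VALUE
        je      done
        mov     ebx, eax                       ; ebx = snapshot handle
        mov     dword [pe32], PE32_SIZE        ; dwSize must be set before Process32First
        invoke  Process32First, ebx, pe32
        test    eax, eax
        jz      close
.next:  cinvoke printf, fmt, [pe32+8], pe32+36 ; th32ProcessID at +8, szExeFile at +36
        invoke  Process32Next, ebx, pe32
        test    eax, eax
        jnz     .next                          ; FALSE means the walk is finished
close:  invoke  CloseHandle, ebx               ; always release the snapshot handle
done:   invoke  ExitProcess, 0

section '.data' data readable writeable
        fmt  db '%5u  %s',13,10,0
        pe32 rb PE32_SIZE                      ; PROCESSENTRY32 buffer

section '.idata' import data readable writeable
        library kernel32,'KERNEL32.DLL',\
                msvcrt,'MSVCRT.DLL'
        import  kernel32,\
                CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
                Process32First,'Process32First',\
                Process32Next,'Process32Next',\
                CloseHandle,'CloseHandle',\
                ExitProcess,'ExitProcess'
        import  msvcrt,\
                printf,'printf'
```

Unlike the SYSTEM_PROCESS_INFORMATION buffer in the post above, PROCESSENTRY32 has a fixed, published layout, so the offsets do not move between Windows releases.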
AlexP 16 Jan 2008, 16:58
f0dder wrote:
lol meany!! But anyway, is the Windows DDK just as much of a "bloated cow" as Visual Studio? I almost promised myself I wouldn't install anything on my new PC since what Microsoft did to my last one... Nightmares of registry usage gone bad!!
Copyright © 1999-2024, Tomasz Grysztar.