-
NtQuerySystemInformation
Code:
    format pe console

    section '.code' code readable executable

        push 184000                     ; 1000 procs
        call [malloc]
        mov ebx, eax

        push 0
        push 184000
        push ebx
        push 5                          ; SystemProcessInformation
        call [NtQuerySystemInformation]

        xor edi, edi
    lop:
        push dword [ebx+68+edi]
        push f
        call [printf]
        add esp, 8
        inc edi
        cmp edi, 1000
        jnz lop

        pop edx
        retn

    section '.data' data readable writeable
        f db '%i',13,10,0

    section '.idata' import data readable
        dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
        dd 0,0,0,RVA ntdll_name,RVA ntdll_table
        dd 5 dup 0

    msvcrt_table:
        printf dd RVA _printf
        malloc dd RVA _malloc
        dd 0
    ntdll_table:
        NtQuerySystemInformation dd RVA _NtQuerySystemInformation
        dd 0

    msvcrt_name db 'msvcrt.dll',0
    ntdll_name db 'ntdll.dll',0
    _printf db 0,0,'printf',0
    _malloc db 0,0,'malloc',0
    _NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0
I tried to gather all procs running on my system.
It semi-worked, but not really.
I don't understand why it outputs that. All my procs are at the end, and if I loop it fewer times, I have only crap and 0.
What am I doing wrong? How do I use this?
-
Why don't you post the C-code instead?
It's much easier to read that way.
At the very least, use symbolic names such as "SystemProcessInformation" instead of the magic number 5.
Although not strictly necessary, your code doesn't return 0 or free the malloc'd block of memory.
You don't check the return value from NtQuerySystemInformation, so there's no way to tell if the processing worked or not.
--
Mats
-
Code:
You don't check the return value from NtQuerySystemInformation,
It returns 0; if there were an error I would post it.
-
_YOUR CODE_ does not check the return value from the query function (nor do you check for out of memory on malloc() - but that would show a failure by crashing the app). So should the query function NOT return 0 at any given point in the future, it may well go undetected.
But I think the real problem is that your printout is essentially doing this:
Code:
    void printinfo(int *buffer)
    {
        int *p = &buffer[17];   /* 17 * 4 = 68, your [ebx+68] */
        int i;
        for (i = 0; i < 1000; i++)
        {
            printf("%i\n", *p);
            p++;
        }
    }
I don't think that's quite what you wanted.
--
Mats
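As an added example (not the poster's code and not Mats's), here is the C version Mats asked for, written the way the loop in the first post should have been. Two things in the posted assembly are worth spelling out: the loop steps edi by one byte, so all but every fourth read is a misaligned slice straddling two fields of the same record, and nothing ever follows the list to the next record. SystemProcessInformation returns a chain of SYSTEM_PROCESS_INFORMATION records linked by NextEntryOffset at offset 0, so the walk has to add that offset each round and stop when it is 0. The field offsets below are the 32-bit layout the post reads (UniqueProcessId at 68), with the 64-bit UniqueProcessId offset selected under _WIN64; the call itself is under _WIN32 and retries on STATUS_INFO_LENGTH_MISMATCH instead of trusting a fixed 184000-byte guess. The sample list built by build_sample_list is constructed data so the walker can be exercised on any host.

```c
/* Added example: walk the SYSTEM_PROCESS_INFORMATION list by NextEntryOffset
 * and check NtQuerySystemInformation's status, unlike the posted assembly. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SystemProcessInformation 5            /* the "magic 5" in the post */
#define SPI_NEXT_ENTRY_OFFSET    0x00         /* ULONG: 0 on the last record */
#define SPI_NUMBER_OF_THREADS    0x04
#if defined(_WIN64)
#define SPI_UNIQUE_PROCESS_ID    0x50
#else
#define SPI_UNIQUE_PROCESS_ID    0x44         /* 68: the field the post prints */
#endif
#define SPI_MIN_ENTRY            (SPI_UNIQUE_PROCESS_ID + 4)

static uint32_t read_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void write_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Follow the chain, storing up to max PIDs in out; returns the number of
 * records seen. Stops at NextEntryOffset == 0, and also when a record or a
 * link would run past len, so a short or corrupt buffer is never read out
 * of bounds. */
static size_t walk_process_list(const uint8_t *buf, size_t len, uint32_t *out, size_t max)
{
    size_t off = 0, count = 0;
    while (off + SPI_MIN_ENTRY <= len) {
        uint32_t next = read_u32(buf + off + SPI_NEXT_ENTRY_OFFSET);
        if (count < max) out[count] = read_u32(buf + off + SPI_UNIQUE_PROCESS_ID);
        count++;
        if (next == 0 || next > len - off) break;   /* end of list, or bogus link */
        off += next;
    }
    return count;
}

/* Constructed sample (not real kernel output): n records with a fixed 0x60-byte
 * stride, each carrying the given PID and i+1 threads. Returns bytes written. */
static size_t build_sample_list(uint8_t *buf, size_t cap, const uint32_t *pids, size_t n)
{
    const size_t stride = 0x60;
    if (n == 0 || n * stride > cap) return 0;
    memset(buf, 0, n * stride);
    for (size_t i = 0; i < n; i++) {
        uint8_t *rec = buf + i * stride;
        write_u32(rec + SPI_NEXT_ENTRY_OFFSET, i + 1 < n ? (uint32_t)stride : 0);
        write_u32(rec + SPI_NUMBER_OF_THREADS, (uint32_t)i + 1);
        write_u32(rec + SPI_UNIQUE_PROCESS_ID, pids[i]);
    }
    return n * stride;
}

#ifdef _WIN32
#include <windows.h>
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Query ntdll, growing the buffer until the call succeeds; any other
 * non-zero status is a real failure and is reported, not ignored. */
static uint8_t *query_process_list(size_t *out_len)
{
    NtQSI_t fn = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                         "NtQuerySystemInformation");
    if (!fn) return NULL;
    ULONG size = 64 * 1024, needed = 0;
    for (;;) {
        uint8_t *buf = malloc(size);
        if (!buf) return NULL;
        LONG st = fn(SystemProcessInformation, buf, size, &needed);
        if (st == 0) { *out_len = size; return buf; }
        free(buf);
        if (st != STATUS_INFO_LENGTH_MISMATCH) return NULL;
        size = needed + 16 * 1024;   /* processes may appear between the two calls */
    }
}
#endif

int main(void)
{
    uint8_t *buf; size_t len;
#ifdef _WIN32
    buf = query_process_list(&len);
    if (!buf) { fputs("NtQuerySystemInformation failed\n", stderr); return 1; }
#else
    static uint8_t sample[4096];               /* off Windows: walk the constructed list */
    const uint32_t pids[] = { 4, 1234, 5678 };
    len = build_sample_list(sample, sizeof sample, pids, 3);
    buf = sample;
#endif
    uint32_t out[1024];
    size_t n = walk_process_list(buf, len, out, 1024);
    for (size_t i = 0; i < n && i < 1024; i++) printf("%u\n", (unsigned)out[i]);
#ifdef _WIN32
    free(buf);
#endif
    return 0;
}
```

Compiled as 32-bit on Windows this prints one PID per line, one per process, which is what the 1000-iteration dump was trying to do; the length checks in walk_process_list are what keep a too-small buffer or a damaged link from turning into the "crap and 0" the poster saw.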