Thread: NtQuerySystemInformation

  1. #1
    Registered User
    Join Date
    Jan 2008
    Posts
    2

    NtQuerySystemInformation

    Code:
    format pe console
    section '.code' code readable executable
    push 184000 ;1000 procs
    call [malloc]
    mov ebx, eax
    push 0
    push 184000
    push ebx
    push 5; SystemProcessInformation
    call [NtQuerySystemInformation]
    xor edi,edi
    lop:
    push dword [ebx+68+edi]
    push f
    call [printf]
    add esp, 8
    inc edi
    cmp edi,1000
    jnz lop
    pop edx
    retn
    section '.data' data readable writeable
    f db '%i',13,10,0
    section '.idata' import data readable
    dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
    dd 0,0,0,RVA ntdll_name,RVA ntdll_table
    dd 5 dup 0
    msvcrt_table:
    printf dd RVA _printf
    malloc dd RVA _malloc
    dd 0
    ntdll_table:
    NtQuerySystemInformation dd RVA _NtQuerySystemInformation
    dd 0
    msvcrt_name db 'msvcrt.dll',0
    ntdll_name db 'ntdll.dll',0
    _printf db 0,0,'printf',0
    _malloc db 0,0,'malloc',0
    _NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0
    I tried to gather all procs running on my system.
    It semi-worked, but not at all.
    I don't understand why it outputs that. All my procs are at the end, and if I loop it fewer times, I have only crap and 0.
    What am I doing wrong? How do I use this?
    Last edited by qazwsx123; 01-16-2008 at 07:59 AM.

  2. #2
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Why don't you post the C-code instead?

    It's much easier to read that way.

    At the very least, use symbolic names such as "SystemProcessInformation" instead of the magic number 5.

    Although not strictly necessary, your code doesn't return 0 or free the malloc'd block of memory.

    You don't check the return value from NtQuerySystemInformation, so there's no way to tell if the processing worked or not.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  3. #3
    Registered User
    Join Date
    Jan 2008
    Posts
    2
    Code:
    You don't check the return value from NtQuerySystemInformation,
    It returned 0; if there had been an error, I would have posted it.

  4. #4
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    _YOUR CODE_ does not check the return value from the query function (nor do you check for out of memory on malloc() - but that would show a failure by crashing the app). So should the query function NOT return 0 at any given point in the future, it may well go undetected.

    But I think the real problem is that your printout is essentially doing this:
    Code:
    #include <stdio.h>

    void printinfo(int *buffer)
    {
       int *p = &buffer[17];   /* 17 * sizeof(int) == 68, the fixed offset in the asm */
       int i;
       for(i = 0; i < 1000; i++)
       {
           printf("%i\n", *p);
           p++;
       }
    }
    I don't think that's quite what you wanted.

    --
    Mats
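What a correct walk of the SystemProcessInformation buffer looks like, as an added example that is not code from the thread. The OP's offset 68 (0x44) happens to be UniqueProcessId in the 32-bit layout, but the records are variable-sized (each one is followed by its thread entries), so a fixed stride can never work; the only safe way is to follow NextEntryOffset and check every link against the buffer length. The walker below uses only the two leading fields, so it compiles anywhere; the sample buffer it parses is constructed for the demo with a made-up record body, and only the Windows-only main() under _WIN32 assumes winternl.h's SYSTEM_PROCESS_INFORMATION, the documented STATUS_INFO_LENGTH_MISMATCH value, and resolving NtQuerySystemInformation from ntdll.dll at runtime, as the OP's import table does:

```c
/* Added example (not from the thread): walk SystemProcessInformation by
 * NextEntryOffset with bounds checks, retry on STATUS_INFO_LENGTH_MISMATCH,
 * check the NTSTATUS and free the buffer. The real query is _WIN32-only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two leading fields of SYSTEM_PROCESS_INFORMATION are all the walk
 * needs; the rest is version-dependent and each record carries a variable
 * number of thread entries, which is why a 184-byte stride cannot work. */
typedef struct {
    uint32_t NextEntryOffset;   /* 0 on the last record */
    uint32_t NumberOfThreads;
} ProcHeader;

typedef void (*record_cb)(const uint8_t *rec, void *ctx);

/* Visits every record inside [buf, buf+len). Returns the record count, or -1
 * when a header or link would fall outside the bytes we actually own. */
int walk_process_list(const uint8_t *buf, size_t len, record_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        ProcHeader h;
        if (len - off < sizeof h) return -1;            /* header past the end */
        memcpy(&h, buf + off, sizeof h);
        if (cb) cb(buf + off, ctx);
        count++;
        if (h.NextEntryOffset == 0) return count;        /* end of chain */
        if (h.NextEntryOffset < sizeof h || h.NextEntryOffset > len - off)
            return -1;                                  /* link leaves the buffer */
        off += h.NextEntryOffset;
    }
}

/* Constructed sample: record body after the header is invented for the demo
 * (a fake pid then padding); only the header mirrors the real structure. */
static size_t put_record(uint8_t *buf, size_t off, uint32_t next,
                         uint32_t threads, uint32_t fake_pid)
{
    ProcHeader h = { next, threads };
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, &fake_pid, sizeof fake_pid);
    return next ? off + next : off + 16;                 /* last record: 16 bytes */
}

static size_t build_sample(uint8_t *buf)               /* returns 80 */
{
    size_t off = 0;
    memset(buf, 0xAA, 80);                               /* junk padding */
    off = put_record(buf, off, 24, 2, 4);
    off = put_record(buf, off, 40, 7, 120);
    return put_record(buf, off, 0, 1, 1234);
}

static void sum_threads(const uint8_t *rec, void *ctx)
{
    ProcHeader h;
    memcpy(&h, rec, sizeof h);
    *(uint32_t *)ctx += h.NumberOfThreads;
}

int sample_record_count(void)
{
    uint8_t buf[80];
    return walk_process_list(buf, build_sample(buf), NULL, NULL);   /* 3 */
}

uint32_t sample_thread_total(void)
{
    uint8_t buf[80];
    uint32_t total = 0;
    walk_process_list(buf, build_sample(buf), sum_threads, &total);  /* 10 */
    return total;
}

int sample_truncated_result(void)                      /* -1: last header cut */
{
    uint8_t buf[80];
    build_sample(buf);
    return walk_process_list(buf, 70, NULL, NULL);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif
typedef NTSTATUS (NTAPI *NtQSI_t)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

static void print_proc(const uint8_t *rec, void *ctx)
{
    const SYSTEM_PROCESS_INFORMATION *p = (const SYSTEM_PROCESS_INFORMATION *)rec;
    (void)ctx;
    printf("%6lu  ", (unsigned long)(ULONG_PTR)p->UniqueProcessId);
    if (p->ImageName.Buffer)
        printf("%.*ls\n", (int)(p->ImageName.Length / sizeof(WCHAR)), p->ImageName.Buffer);
    else
        puts("(no image name)");                         /* the Idle process */
}

int main(void)
{
    NtQSI_t query = (NtQSI_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                            "NtQuerySystemInformation");
    ULONG cap = 64 * 1024, need = 0;
    NTSTATUS st;
    void *buf;
    if (!query) return 1;
    for (;;) {                                           /* grow until it fits */
        if (!(buf = malloc(cap))) return 1;
        st = query(SystemProcessInformation, buf, cap, &need);
        if (st != STATUS_INFO_LENGTH_MISMATCH) break;
        free(buf);
        cap = need + 16 * 1024;                          /* list may grow meanwhile */
    }
    if (!NT_SUCCESS(st)) {                               /* the check the OP skipped */
        fprintf(stderr, "NtQuerySystemInformation: 0x%08lx\n", (unsigned long)st);
        free(buf);
        return 1;
    }
    printf("%d processes\n", walk_process_list(buf, need, print_proc, NULL));
    free(buf);
    return 0;
}
#endif
```

The bounds checks matter even though the data comes from the kernel: a buffer sized from a stale ReturnLength, or a snapshot that grew between the two calls, is exactly the case where a naive NextEntryOffset loop reads past the allocation.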
