Author Topic: QueryCompleteSysNfo function

guga

QueryCompleteSysNfo function
« on: June 30, 2014, 03:18:04 AM »
QueryCompleteSysNfo v 1.0

This function provides information about all data from the current process, OS data etc. and stores the result in a buffer that will hold the different structures involved in the operation.

Arguments:

lpSysProcNfo: Pointer to a Buffer that will hold the different structures used to retrieve the information

Flag: One of the values enumerated in SYSTEM_INFORMATION_CLASS, which indicates the kind of system information to be retrieved. This includes all values from NtQuerySystemInformation.
         In RosAsm the set of equates used to retrieve those values is:
    SYS_NFO_SYSTEM_ACPIAUDIT_INFORMATION 07A
    SYS_NFO_SYSTEM_AITSAMPLINGVALUE 06F
    SYS_NFO_SYSTEM_BADPAGE_INFORMATION 080
    SYS_NFO_SYSTEM_BASIC_INFORMATION 0
    SYS_NFO_SYSTEM_BASICPERFORMANCE_INFORMATION 07B
    SYS_NFO_SYSTEM_BIGPOOL_INFORMATION 042
    SYS_NFO_SYSTEM_BOOTENTROPY_INFORMATION 075
    SYS_NFO_SYSTEM_BOOTENVIRONMENT_INFORMATION 05A
    SYS_NFO_SYSTEM_BOOTGRAPHICS_INFORMATION 07E
    SYS_NFO_SYSTEM_BOOTLOGO_INFORMATION 08C
    SYS_NFO_SYSTEM_CALLCOUNT_INFORMATION 06
    SYS_NFO_SYSTEM_CALLTIME_INFORMATION 0A
    SYS_NFO_SYSTEM_CODEINTEGRITY_INFORMATION 067
    SYS_NFO_SYSTEM_COMBINEPHYSICALMEMORY_INFORMATION 082
    SYS_NFO_SYSTEM_COMPLUSPACKAGE 03B
    SYS_NFO_SYSTEM_CONSOLE_INFORMATION 084
    SYS_NFO_SYSTEM_CONTEXTSWITCH_INFORMATION 024
    SYS_NFO_SYSTEM_COVERAGE_INFORMATION 05F
    SYS_NFO_SYSTEM_CPUQUOTA_INFORMATION 071
    SYS_NFO_SYSTEM_CRASHDUMP_INFORMATION 020
    SYS_NFO_SYSTEM_CRASHDUMPSTATE_INFORMATION 022
    SYS_NFO_SYSTEM_CURRENTTIMEZONE_INFORMATION 02C
    SYS_NFO_SYSTEM_DEVICE_INFORMATION 07
    SYS_NFO_SYSTEM_DEVICEDATA_INFORMATION 088
    SYS_NFO_SYSTEM_DEVICEDATAENUMERATION_INFORMATION 089
    SYS_NFO_SYSTEM_DPCBEHAVIOR_INFORMATION 018
    SYS_NFO_SYSTEM_DYNAMICTIMEZONE_INFORMATION 066
    SYS_NFO_SYSTEM_EMULATIONBASIC_INFORMATION 03E
    SYS_NFO_SYSTEM_EMULATIONPROCESSOR_INFORMATION 03F
    SYS_NFO_SYSTEM_ENTROPYINTERRUPTTIMING_INFORMATION 083
    SYS_NFO_SYSTEM_ENTROPYINTERRUPTTIMINGRAW_INFORMATION 092
    SYS_NFO_SYSTEM_ERRORPORT_INFORMATION 059
    SYS_NFO_SYSTEM_ERRORPORTTIMEOUTS 073
    SYS_NFO_SYSTEM_EXCEPTION_INFORMATION 021
    SYS_NFO_SYSTEM_EXTENDEDHANDLE_INFORMATION 040
    SYS_NFO_SYSTEM_EXTENDEDPROCESS_INFORMATION 039
    SYS_NFO_SYSTEM_EXTENDSERVICETABLE_INFORMATION 026
    SYS_NFO_SYSTEM_FILECACHE_INFORMATION 015
    SYS_NFO_SYSTEM_FILECACHEINFORMATIONEX 051
    SYS_NFO_SYSTEM_FIRMWARETABLE_INFORMATION 04C
    SYS_NFO_SYSTEM_FLAGS_INFORMATION 09
    SYS_NFO_SYSTEM_FULLMEMORY_INFORMATION 019
    SYS_NFO_SYSTEM_FULLPROCESS_INFORMATION 094
    SYS_NFO_SYSTEM_HANDLE_INFORMATION 010
    SYS_NFO_SYSTEM_HOTPATCH_INFORMATION 045
    SYS_NFO_SYSTEM_HYPERVISOR_INFORMATION 05B
    SYS_NFO_SYSTEM_HYPERVISORPROCESSORCOUNT_INFORMATION 087
    SYS_NFO_SYSTEM_IMAGEFILEEXECUTIONOPTIONS_INFORMATION 05E
    SYS_NFO_SYSTEM_INTERRUPT_INFORMATION 017
    SYS_NFO_SYSTEM_KERNELDEBUGGER_INFORMATION 023
    SYS_NFO_SYSTEM_LEGACYDRIVER_INFORMATION 02B
    SYS_NFO_SYSTEM_LOADGDIDRIVER_INFORMATION 01A
    SYS_NFO_SYSTEM_LOADGDIDRIVERIN_SYSTEM_SPACE 036
    SYS_NFO_SYSTEM_LOCKS_INFORMATION 0C
    SYS_NFO_SYSTEM_LOGICALPROCESSOR_INFORMATION 049
    SYS_NFO_SYSTEM_LOGICALPROCESSORANDGROUP_INFORMATION 06B
    SYS_NFO_SYSTEM_LOOKASIDE_INFORMATION 02D
    SYS_NFO_SYSTEM_LOSTDELAYEDWRITE_INFORMATION 041
    SYS_NFO_SYSTEM_LOWPRIORITYIO_INFORMATION 074
    SYS_NFO_SYSTEM_MEMORYCHANNEL_INFORMATION 08B
    SYS_NFO_SYSTEM_MEMORYLIST_INFORMATION 050
    SYS_NFO_SYSTEM_MEMORYTOPOLOGY_INFORMATION 08A
    SYS_NFO_SYSTEM_MIRRORMEMORY_INFORMATION 01E
    SYS_NFO_SYSTEM_MODULE_INFORMATION 0B
    SYS_NFO_SYSTEM_MODULEINFORMATIONEX 04D
    SYS_NFO_SYSTEM_NATIVEBASIC_INFORMATION 072
    SYS_NFO_SYSTEM_NODEDISTANCE_INFORMATION 079
    SYS_NFO_SYSTEM_NONPAGEDPOOL_INFORMATION 0F
    SYS_NFO_SYSTEM_NUMAAVAILABLEMEMORY 03C
    SYS_NFO_SYSTEM_NUMAPROCESSORMAP 037
    SYS_NFO_SYSTEM_NUMAPROXIMITYNODE_INFORMATION 065
    SYS_NFO_SYSTEM_OBJECT_INFORMATION 011
    SYS_NFO_SYSTEM_OBJECTSECURITYMODE 046
    SYS_NFO_SYSTEM_PAGEDPOOL_INFORMATION 0E
    SYS_NFO_SYSTEM_PAGEDPOOLINFORMATIONEX 077
    SYS_NFO_SYSTEM_PAGEFILE_INFORMATION 012
    SYS_NFO_SYSTEM_PAGEFILEINFORMATIONEX 090
    SYS_NFO_SYSTEM_PATH_INFORMATION 04
    SYS_NFO_SYSTEM_PERFORMANCE_INFORMATION 02
    SYS_NFO_SYSTEM_PERFORMANCETRACE_INFORMATION 01F
    SYS_NFO_SYSTEM_PLATFORMBINARY_INFORMATION 085
    SYS_NFO_SYSTEM_POOLTAG_INFORMATION 016
    SYS_NFO_SYSTEM_PORTABLEWORKSPACEEFILAUNCHER_INFORMATION 093
    SYS_NFO_SYSTEM_PREFETCHER_INFORMATION 038
    SYS_NFO_SYSTEM_PREFETCHPATCH_INFORMATION 060
    SYS_NFO_SYSTEM_PRIORITYSEPERATION 027
    SYS_NFO_SYSTEM_PROCESS_INFORMATION 05
    SYS_NFO_SYSTEM_PROCESSID_INFORMATION 058
    SYS_NFO_SYSTEM_PROCESSOR_INFORMATION 01
    SYS_NFO_SYSTEM_PROCESSORBRANDSTRING 069
    SYS_NFO_SYSTEM_PROCESSORCYCLETIME_INFORMATION 06C
    SYS_NFO_SYSTEM_PROCESSORIDLE_INFORMATION 02A
    SYS_NFO_SYSTEM_PROCESSORIDLECYCLETIME_INFORMATION 053
    SYS_NFO_SYSTEM_PROCESSORMICROCODEUPDATE_INFORMATION 068
    SYS_NFO_SYSTEM_PROCESSORPERFORMANCE_INFORMATION 08
    SYS_NFO_SYSTEM_PROCESSORPERFORMANCEDISTRIBUTION 064
    SYS_NFO_SYSTEM_PROCESSORPERFORMANCEINFORMATIONEX 08D
    SYS_NFO_SYSTEM_PROCESSORPOWER_INFORMATION 03D
    SYS_NFO_SYSTEM_PROCESSORPOWERINFORMATIONEX 055
    SYS_NFO_SYSTEM_PROCESSORPROFILECONTROLAREA 081
    SYS_NFO_SYSTEM_QUERYPERFORMANCECOUNTER_INFORMATION 07C
    SYS_NFO_SYSTEM_RANGESTART_INFORMATION 032
    SYS_NFO_SYSTEM_RECOMMENDEDSHAREDDATAALIGNMENT 03A
    SYS_NFO_SYSTEM_REFTRACE_INFORMATION 056
    SYS_NFO_SYSTEM_REGISTERFIRMWARETABLEINFORMATIONHANDLER 04B
    SYS_NFO_SYSTEM_REGISTRYAPPENDSTRING 06E
    SYS_NFO_SYSTEM_REGISTRYQUOTA_INFORMATION 025
    SYS_NFO_SYSTEM_SCRUBPHYSICALMEMORY_INFORMATION 07F
    SYS_NFO_SYSTEM_SECUREBOOT_INFORMATION 091
    SYS_NFO_SYSTEM_SECUREBOOTPOLICY_INFORMATION 08F
    SYS_NFO_SYSTEM_SESSION_INFORMATION 031
    SYS_NFO_SYSTEM_SESSIONBIGPOOL_INFORMATION 07D
    SYS_NFO_SYSTEM_SESSIONCREATE 02F
    SYS_NFO_SYSTEM_SESSIONDETACH 030
    SYS_NFO_SYSTEM_SESSIONMAPPEDVIEW_INFORMATION 044
    SYS_NFO_SYSTEM_SESSIONPOOLTAG_INFORMATION 043
    SYS_NFO_SYSTEM_SESSIONPROCESS_INFORMATION 035
    SYS_NFO_SYSTEM_SPARE0 08E
    SYS_NFO_SYSTEM_SPECIALPOOL_INFORMATION 057
    SYS_NFO_SYSTEM_STACKTRACE_INFORMATION 0D
    SYS_NFO_SYSTEM_STORE_INFORMATION 06D
    SYS_NFO_SYSTEM_SUMMARYMEMORY_INFORMATION 01D
    SYS_NFO_SYSTEM_SUPERFETCH_INFORMATION 04F
    SYS_NFO_SYSTEM_SYSTEM_DISK_INFORMATION 063
    SYS_NFO_SYSTEM_SYSTEM_PARTITION_INFORMATION 062
    SYS_NFO_SYSTEM_SYSTEM_PTESINFORMATIONEX 078
    SYS_NFO_SYSTEM_THREADPRIORITYCLIENTID_INFORMATION 052
    SYS_NFO_SYSTEM_THROTTLENOTIFICATION_INFORMATION 086
    SYS_NFO_SYSTEM_TIMEADJUSTMENT_INFORMATION 01C
    SYS_NFO_SYSTEM_TIMEOFDAY_INFORMATION 03
    SYS_NFO_SYSTEM_TIMESLIPNOTIFICATION 02E
    SYS_NFO_SYSTEM_TIMEZONE_INFORMATION 05D
    SYS_NFO_SYSTEM_UNLOADGDIDRIVER_INFORMATION 01B
    SYS_NFO_SYSTEM_VDMBOP_INFORMATION 014
    SYS_NFO_SYSTEM_VDMINSTEMUL_INFORMATION 013
    SYS_NFO_SYSTEM_VERIFIER_INFORMATION 033
    SYS_NFO_SYSTEM_VERIFIERADDDRIVER_INFORMATION 028
    SYS_NFO_SYSTEM_VERIFIERCANCELLATION_INFORMATION 054
    SYS_NFO_SYSTEM_VERIFIERCOUNTERS_INFORMATION 076
    SYS_NFO_SYSTEM_VERIFIERFAULTS_INFORMATION 061
    SYS_NFO_SYSTEM_VERIFIERINFORMATIONEX 05C
    SYS_NFO_SYSTEM_VERIFIERREMOVEDRIVER_INFORMATION 029
    SYS_NFO_SYSTEM_VERIFIERTHUNKEXTEND 034
    SYS_NFO_SYSTEM_VERIFIERTRIAGE_INFORMATION 04E
    SYS_NFO_SYSTEM_VHDBOOT_INFORMATION 070
    SYS_NFO_SYSTEM_VIRTUALADDRESS_INFORMATION 06A
    SYS_NFO_SYSTEM_WATCHDOGTIMER_INFORMATION 048
    SYS_NFO_SYSTEM_WATCHDOGTIMERHANDLER 047
    SYS_NFO_SYSTEM_WOW64SHAREDINFORMATIONOBSOLETE 04A

Returned Values:
On success the function returns STATUS_SUCCESS and stores in the buffer the pointer to the structure/info you want to retrieve.
On failure it returns the corresponding NTSTATUS error code and also sets the last Win32 error related to it.

For more information see:
http://processhacker.sourceforge.net/doc/ntexapi_8h.html#ad5d815b48e8f4da1ef2eb7a2f18a54e0a8c1a09f24d175f4ce5ce4b4494819ecb
http://webcache.googleusercontent.com/search?q=cache:0AMGoLUIyHwJ:undocumented.ntinternals.net/UserMode/Undocumented%2520Functions/System%2520Information/SYSTEM_INFORMATION_CLASS.html+&cd=1&hl=pt-BR&ct=clnk&gl=br&client=firefox-a

Author:
Gustavo Trigueiros (Aka: Beyond2000! / Guga)


Example of usage:
Code:
[Guga: D$ 0]
    call QueryCompleteSysNfo Guga, &SYS_NFO_SYSTEM_EXTENDEDPROCESS_INFORMATION


Source Code:
Code:
; Macros used
[ROUND_TO_PAGES | (( (#1 * &PAGE_SIZE) + (&PAGE_SIZE - 1)) and (not(&PAGE_SIZE - 1)))]
[ROUND_TO_PAGES_X64 | (( (#1 * &PAGE_SIZE_X64) + (&PAGE_SIZE_X64 - 1)) and (not(&PAGE_SIZE_X64 - 1)))]

Proc QueryCompleteSysNfo:
    Arguments @lpSysProcNfo, @Flag
    Local @dwSize
    Uses esi, ecx, edx, edi

    ;mov D@dwSize {ROUND_TO_PAGES 16} ; The system initializes with at least 16 pages aligned
    mov D@dwSize {ROUND_TO_PAGES_X64 8} ; The system initializes with at least 8 pages aligned
                                        ; This is particularly interesting, because in 32 bits it should use {ROUND_TO_PAGES 16}
                                        ; But the NtFreeVirtualMemory function aligns it on the next page boundary
                                        ; The original M$ function uses &PAGE_SIZE_X64 as the next host page size instead of &PAGE_SIZE
                                        ; So, the conclusion is that on both 32 bits and 64 bits the alignment is always made
                                        ; using &PAGE_SIZE_X64, and dwSize starts as a multiple of it (starting with 8 pages)
                                        ; See ZwMapViewOfSection documentation at the parameter "BaseAddress"
                                        ; Note: the variable D@lpSysProcNfo points to must hold 0 on entry; NtAllocateVirtualMemory
                                        ; treats a non-zero value there as a requested base address (FreeSysProcNfo resets it to 0)
    .Do

        lea eax D@dwSize
        call 'ntdll.NtAllocateVirtualMemory' 0-1, D@lpSysProcNfo, 0, eax, &MEM_COMMIT, &PAGE_READWRITE
        On eax <> &STATUS_SUCCESS, ExitP
        mov edi D@lpSysProcNfo
        call 'ntdll.NtQuerySystemInformation' D@Flag, D$edi, D@dwSize, 0 ; last argument is the optional ReturnLength;
                                                                         ; passing a pointer there yields the required size directly instead of growing one step per retry
        mov esi eax ; On success, for the process information classes the buffer holds an array of SYSTEM_PROCESS_INFORMATION structures
        If eax = &STATUS_INFO_LENGTH_MISMATCH

            ; When there is not enough size, clear the whole allocated memory and try again with the memory extended
            call FreeSysProcNfo edi
            add D@dwSize {ROUND_TO_PAGES_X64 1} ; according to MSDN documentation, the page size must be aligned by the system. Page sizes must always be a multiple of this value
                                                ; Since in x86 &PAGE_SIZE = 4096, we consider this value as a unit, so 1 alignment = 4096, 2 = (4096*2) etc.
                                                ; For x64 OS, &PAGE_SIZE = 8192, defined in RosAsm's equate as &PAGE_SIZE_X64
                                                ; (x64 Windows also uses 4096-byte pages, so in practice &PAGE_SIZE_X64 here is just an 8 KiB growth step per retry)
            ;add D@dwSize {ROUND_TO_PAGES 2}

        Else_if eax <> &STATUS_SUCCESS
            ; On any other error code, clear the whole allocated memory and exit
            mov esi eax ; preserve the error code
            call FreeSysProcNfo edi
            mov eax esi ; restore the error code
            call BaseSetLastNTError esi
            mov eax esi
            ExitP

        End_If

    .Loop_Until esi = &STATUS_SUCCESS

    mov eax esi

EndP
______________________________________________________________________________________________________________

Proc FreeSysProcNfo:
    Arguments @lpSysProcNfo
    Local @dwSize
    Uses edi, ecx, edx, esi

    mov edi D@lpSysProcNfo
    mov D@dwSize 0 ; RegionSize must be 0 with MEM_RELEASE: the whole region is released
    lea eax D@dwSize
    call 'ntdll.NtFreeVirtualMemory' 0-1, edi, eax, &MEM_RELEASE
    mov D$edi 0 ; clear the caller's pointer so the next NtAllocateVirtualMemory starts from a NULL base

EndP
______________________________________________________________________________________________________________

Proc BaseSetLastNTError:
    Arguments @ErrorCode
    Uses esi, ecx, edx, ebx

    call 'ntdll.RtlNtStatusToDosError' D@ErrorCode | mov esi eax
    call 'kernel32.SetLastError' eax
    mov eax esi

EndP
______________________________________________________________________________________________________________


Note: The PAGE_SIZE and PAGE_SIZE_X64 equates have the following values:
    PAGE_SIZE 01000
    PAGE_SIZE_X64 02000

In fact, both can be used, because they are not necessarily related to 32 or 64 bits. They just allocate a large enough buffer aligned on a 01000 boundary (if there is not enough room, the function adds an extra 01000 to make sure it will be enough; this is why "add D@dwSize {ROUND_TO_PAGES_X64 1}" or simply "add D@dwSize {ROUND_TO_PAGES 2}" is used).
If you intend to use the ROUND_TO_PAGES macro, be sure to start with 8 pages and round it to "2". Otherwise, use ROUND_TO_PAGES_X64 (even if your OS is not 64 bits, it won't be a problem at all).

After retrieving the info, don't forget to release the allocated memory with the function FreeSysProcNfo.

Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com
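The grow-and-retry loop described in the post above, as an added example that is not part of the original post or of RosAsm: a portable C version that builds and runs off Windows. The real ntdll NtQuerySystemInformation is replaced by a constructed provider, sim_query, that follows the same contract (STATUS_INFO_LENGTH_MISMATCH and the required size in ReturnLength when the buffer is too small) and also simulates the race where processes keep appearing between calls; proc_record_t is a stand-in that keeps only the NextEntryOffset chaining field of SYSTEM_PROCESS_INFORMATION, and malloc/free stand in for NtAllocateVirtualMemory/NtFreeVirtualMemory. All of these are assumptions of the example. On Windows you would pass the real function pointer obtained with GetProcAddress on ntdll and the declarations from winternl.h instead.

```c
/* Added example (portable C, not the post's code). sim_query() is a constructed
 * stand-in for ntdll!NtQuerySystemInformation with the same size contract, and
 * proc_record_t keeps only the NextEntryOffset field of the real
 * SYSTEM_PROCESS_INFORMATION; malloc/free replace Nt{Allocate,Free}VirtualMemory. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_NO_MEMORY            ((NTSTATUS)0xC0000017)
#define NT_SUCCESS(s)               ((s) >= 0)
#define SYSTEM_PROCESS_INFORMATION_CLASS 5u   /* SystemProcessInformation */
#define PAGE_SIZE 0x1000u
#define ROUND_TO_PAGES(n) ((((uint32_t)(n)) + PAGE_SIZE - 1u) & ~(PAGE_SIZE - 1u))
#define MAX_ATTEMPTS 8

typedef struct {
    uint32_t next_entry_offset;   /* 0 ends the chain, as in the real structure */
    uint32_t process_id;
} proc_record_t;

/* Same shape as NtQuerySystemInformation(Class, Buffer, Length, ReturnLength). */
typedef NTSTATUS (*query_fn)(uint32_t info_class, void *buf, uint32_t buf_len, uint32_t *ret_len);

/* Constructed provider: sim_proc_count fake processes, and sim_growth_per_call more
 * appear after every call, modelling the race between sizing and filling the buffer. */
static uint32_t sim_proc_count = 0;
static uint32_t sim_growth_per_call = 0;

static NTSTATUS sim_query(uint32_t info_class, void *buf, uint32_t buf_len, uint32_t *ret_len)
{
    if (info_class != SYSTEM_PROCESS_INFORMATION_CLASS) return STATUS_INVALID_INFO_CLASS;
    uint32_t n = sim_proc_count;
    uint32_t needed = n * (uint32_t)sizeof(proc_record_t);
    if (ret_len) *ret_len = needed;
    sim_proc_count += sim_growth_per_call;
    if (buf_len < needed) return STATUS_INFO_LENGTH_MISMATCH;
    proc_record_t *rec = (proc_record_t *)buf;
    for (uint32_t i = 0; i < n; i++) {
        rec[i].next_entry_offset = (i + 1 < n) ? (uint32_t)sizeof(proc_record_t) : 0;
        rec[i].process_id = 4 * (i + 1);
    }
    return STATUS_SUCCESS;
}

/* The negotiation loop from the post: start at 8 pages, retry on
 * STATUS_INFO_LENGTH_MISMATCH. Added here: the next size comes from ReturnLength
 * (one retry instead of one per page), a page of slack absorbs a list that grew
 * between calls, and the loop is bounded. Caller frees *out on success. */
NTSTATUS query_system_info(query_fn query, uint32_t info_class, void **out, uint32_t *out_len)
{
    uint32_t size = 8u * PAGE_SIZE;
    *out = NULL;
    *out_len = 0;
    for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
        void *buf = malloc(size);
        if (buf == NULL) return STATUS_NO_MEMORY;
        uint32_t needed = 0;
        NTSTATUS st = query(info_class, buf, size, &needed);
        if (NT_SUCCESS(st)) {
            *out = buf;
            *out_len = (needed != 0 && needed <= size) ? needed : size;
            return st;
        }
        free(buf);                               /* never hand back a half-filled buffer */
        if (st != STATUS_INFO_LENGTH_MISMATCH) return st;
        uint32_t next = (needed > size) ? needed : size;
        if (next > UINT32_MAX - 2u * PAGE_SIZE) return STATUS_NO_MEMORY;  /* would wrap */
        size = ROUND_TO_PAGES(next + PAGE_SIZE);  /* strictly larger than the last try */
    }
    return STATUS_INFO_LENGTH_MISMATCH;
}

/* Walk the chain without trusting it: every record must lie inside the buffer and
 * every offset must move forward past the current record, so a truncated or
 * corrupted buffer yields -1 instead of an out-of-bounds read or an endless loop. */
int walk_process_records(const void *buf, uint32_t len)
{
    const uint8_t *base = (const uint8_t *)buf;
    uint32_t pos = 0;
    int count = 0;
    if (len == 0) return 0;
    for (;;) {
        if (len - pos < sizeof(proc_record_t)) return -1;             /* runs past the end */
        proc_record_t rec;
        memcpy(&rec, base + pos, sizeof rec);                         /* alignment-safe */
        count++;
        if (rec.next_entry_offset == 0) return count;
        if (rec.next_entry_offset < sizeof(proc_record_t)) return -1; /* overlap or cycle */
        if (rec.next_entry_offset > len - pos) return -1;             /* leaves the buffer */
        pos += rec.next_entry_offset;
    }
}

/* Whole flow against the constructed provider: records received, or -1 on failure. */
int demo_query(uint32_t initial_procs, uint32_t growth_per_call)
{
    sim_proc_count = initial_procs;
    sim_growth_per_call = growth_per_call;
    void *buf = NULL;
    uint32_t len = 0;
    NTSTATUS st = query_system_info(sim_query, SYSTEM_PROCESS_INFORMATION_CLASS, &buf, &len);
    if (!NT_SUCCESS(st)) return -1;
    int n = walk_process_records(buf, len);
    free(buf);
    return n;
}

/* Two-record buffer whose first NextEntryOffset is chosen by the caller. */
int demo_walk_with_offset(uint32_t first_offset)
{
    proc_record_t chain[2] = { { first_offset, 4 }, { 0, 8 } };
    return walk_process_records(chain, (uint32_t)sizeof chain);
}
```

demo_query(5000, 700) needs three attempts before the buffer catches up with the growing list, and demo_query(5000, 3000) never does and returns -1 instead of spinning; the post's loop, which passes 0 for ReturnLength and grows by one 8 KiB step per retry, has no such bound. The walker is the consumer side of the same caution: NextEntryOffset comes from the kernel, but a parser that takes it on faith is one truncated or corrupted buffer away from an out-of-bounds read.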

dedndave

Re: QueryCompleteSysNfo function
« Reply #1 on: June 30, 2014, 03:34:08 AM »
the most interesting part.....

your name is Gustavo   :biggrin:

Gunther

Re: QueryCompleteSysNfo function
« Reply #2 on: June 30, 2014, 03:35:27 AM »
Interesting to know, Gustavo.  :t

Gunther
Get your facts first, and then you can distort them.

guga

Re: QueryCompleteSysNfo function
« Reply #3 on: June 30, 2014, 03:50:34 AM »
Dave  :bgrin: :bgrin: :bgrin:

Updated the code a bit ;)

Thank you both.

Gunther, the interesting thing is that on ntdll the function related to this (the one I derived this function from) is a complete mess. I'm amazed how terrible ntdll (and kernel32.dll) are sometimes.

jj2007

Re: QueryCompleteSysNfo function
« Reply #4 on: June 30, 2014, 03:54:28 AM »
BTW interesting discussion about delay dll import, Gustavo  :t

guga

Re: QueryCompleteSysNfo function
« Reply #5 on: June 30, 2014, 04:16:03 AM »
Many tks JJ.

The delay imports are something that I see once in a while. I really don't see any need to use such a thing. It seems to me more bloated code that M$ injects into the user's app. The better option is always to use LoadLibrary or any other routine that calls the DLL only when it is necessary.

Gunther

Re: QueryCompleteSysNfo function
« Reply #6 on: June 30, 2014, 06:07:31 AM »
Hi Gustavo,

Gunther, the interesting thing is that on ntdll the function related to this (the one I derived this function from) is a complete mess. I'm amazed how terrible ntdll (and kernel32.dll) are sometimes.

Yes, indeed. It's better to program defensively.

Gunther