QueryCompleteSysNfo v 1.0
This function retrieves system information (data about the current processes, OS data, etc.) and stores the result in a buffer that will hold the different structures involved in the operation.
Arguments:
lpSysProcNfo: Pointer to a dword variable that will receive the address of the buffer holding the retrieved structures (see the example of usage below)
Flag: One of the values enumerated in SYSTEM_INFORMATION_CLASS, which indicates the kind of system information to be retrieved. It accepts all values used by NtQuerySystemInformation.
In RosAsm the set of equates used to retrieve those values are:
- SYS_NFO_SYSTEM_ACPIAUDIT_INFORMATION 07A
SYS_NFO_SYSTEM_AITSAMPLINGVALUE 06F
SYS_NFO_SYSTEM_BADPAGE_INFORMATION 080
SYS_NFO_SYSTEM_BASIC_INFORMATION 0
SYS_NFO_SYSTEM_BASICPERFORMANCE_INFORMATION 07B
SYS_NFO_SYSTEM_BIGPOOL_INFORMATION 042
SYS_NFO_SYSTEM_BOOTENTROPY_INFORMATION 075
SYS_NFO_SYSTEM_BOOTENVIRONMENT_INFORMATION 05A
SYS_NFO_SYSTEM_BOOTGRAPHICS_INFORMATION 07E
SYS_NFO_SYSTEM_BOOTLOGO_INFORMATION 08C
SYS_NFO_SYSTEM_CALLCOUNT_INFORMATION 06
SYS_NFO_SYSTEM_CALLTIME_INFORMATION 0A
SYS_NFO_SYSTEM_CODEINTEGRITY_INFORMATION 067
SYS_NFO_SYSTEM_COMBINEPHYSICALMEMORY_INFORMATION 082
SYS_NFO_SYSTEM_COMPLUSPACKAGE 03B
SYS_NFO_SYSTEM_CONSOLE_INFORMATION 084
SYS_NFO_SYSTEM_CONTEXTSWITCH_INFORMATION 024
SYS_NFO_SYSTEM_COVERAGE_INFORMATION 05F
SYS_NFO_SYSTEM_CPUQUOTA_INFORMATION 071
SYS_NFO_SYSTEM_CRASHDUMP_INFORMATION 020
SYS_NFO_SYSTEM_CRASHDUMPSTATE_INFORMATION 022
SYS_NFO_SYSTEM_CURRENTTIMEZONE_INFORMATION 02C
SYS_NFO_SYSTEM_DEVICE_INFORMATION 07
SYS_NFO_SYSTEM_DEVICEDATA_INFORMATION 088
SYS_NFO_SYSTEM_DEVICEDATAENUMERATION_INFORMATION 089
SYS_NFO_SYSTEM_DPCBEHAVIOR_INFORMATION 018
SYS_NFO_SYSTEM_DYNAMICTIMEZONE_INFORMATION 066
SYS_NFO_SYSTEM_EMULATIONBASIC_INFORMATION 03E
SYS_NFO_SYSTEM_EMULATIONPROCESSOR_INFORMATION 03F
SYS_NFO_SYSTEM_ENTROPYINTERRUPTTIMING_INFORMATION 083
SYS_NFO_SYSTEM_ENTROPYINTERRUPTTIMINGRAW_INFORMATION 092
SYS_NFO_SYSTEM_ERRORPORT_INFORMATION 059
SYS_NFO_SYSTEM_ERRORPORTTIMEOUTS 073
SYS_NFO_SYSTEM_EXCEPTION_INFORMATION 021
SYS_NFO_SYSTEM_EXTENDEDHANDLE_INFORMATION 040
SYS_NFO_SYSTEM_EXTENDEDPROCESS_INFORMATION 039
SYS_NFO_SYSTEM_EXTENDSERVICETABLE_INFORMATION 026
SYS_NFO_SYSTEM_FILECACHE_INFORMATION 015
SYS_NFO_SYSTEM_FILECACHEINFORMATIONEX 051
SYS_NFO_SYSTEM_FIRMWARETABLE_INFORMATION 04C
SYS_NFO_SYSTEM_FLAGS_INFORMATION 09
SYS_NFO_SYSTEM_FULLMEMORY_INFORMATION 019
SYS_NFO_SYSTEM_FULLPROCESS_INFORMATION 094
SYS_NFO_SYSTEM_HANDLE_INFORMATION 010
SYS_NFO_SYSTEM_HOTPATCH_INFORMATION 045
SYS_NFO_SYSTEM_HYPERVISOR_INFORMATION 05B
SYS_NFO_SYSTEM_HYPERVISORPROCESSORCOUNT_INFORMATION 087
SYS_NFO_SYSTEM_IMAGEFILEEXECUTIONOPTIONS_INFORMATION 05E
SYS_NFO_SYSTEM_INTERRUPT_INFORMATION 017
SYS_NFO_SYSTEM_KERNELDEBUGGER_INFORMATION 023
SYS_NFO_SYSTEM_LEGACYDRIVER_INFORMATION 02B
SYS_NFO_SYSTEM_LOADGDIDRIVER_INFORMATION 01A
SYS_NFO_SYSTEM_LOADGDIDRIVERIN_SYSTEM_SPACE 036
SYS_NFO_SYSTEM_LOCKS_INFORMATION 0C
SYS_NFO_SYSTEM_LOGICALPROCESSOR_INFORMATION 049
SYS_NFO_SYSTEM_LOGICALPROCESSORANDGROUP_INFORMATION 06B
SYS_NFO_SYSTEM_LOOKASIDE_INFORMATION 02D
SYS_NFO_SYSTEM_LOSTDELAYEDWRITE_INFORMATION 041
SYS_NFO_SYSTEM_LOWPRIORITYIO_INFORMATION 074
SYS_NFO_SYSTEM_MEMORYCHANNEL_INFORMATION 08B
SYS_NFO_SYSTEM_MEMORYLIST_INFORMATION 050
SYS_NFO_SYSTEM_MEMORYTOPOLOGY_INFORMATION 08A
SYS_NFO_SYSTEM_MIRRORMEMORY_INFORMATION 01E
SYS_NFO_SYSTEM_MODULE_INFORMATION 0B
SYS_NFO_SYSTEM_MODULEINFORMATIONEX 04D
SYS_NFO_SYSTEM_NATIVEBASIC_INFORMATION 072
SYS_NFO_SYSTEM_NODEDISTANCE_INFORMATION 079
SYS_NFO_SYSTEM_NONPAGEDPOOL_INFORMATION 0F
SYS_NFO_SYSTEM_NUMAAVAILABLEMEMORY 03C
SYS_NFO_SYSTEM_NUMAPROCESSORMAP 037
SYS_NFO_SYSTEM_NUMAPROXIMITYNODE_INFORMATION 065
SYS_NFO_SYSTEM_OBJECT_INFORMATION 011
SYS_NFO_SYSTEM_OBJECTSECURITYMODE 046
SYS_NFO_SYSTEM_PAGEDPOOL_INFORMATION 0E
SYS_NFO_SYSTEM_PAGEDPOOLINFORMATIONEX 077
SYS_NFO_SYSTEM_PAGEFILE_INFORMATION 012
SYS_NFO_SYSTEM_PAGEFILEINFORMATIONEX 090
SYS_NFO_SYSTEM_PATH_INFORMATION 04
SYS_NFO_SYSTEM_PERFORMANCE_INFORMATION 02
SYS_NFO_SYSTEM_PERFORMANCETRACE_INFORMATION 01F
SYS_NFO_SYSTEM_PLATFORMBINARY_INFORMATION 085
SYS_NFO_SYSTEM_POOLTAG_INFORMATION 016
SYS_NFO_SYSTEM_PORTABLEWORKSPACEEFILAUNCHER_INFORMATION 093
SYS_NFO_SYSTEM_PREFETCHER_INFORMATION 038
SYS_NFO_SYSTEM_PREFETCHPATCH_INFORMATION 060
SYS_NFO_SYSTEM_PRIORITYSEPERATION 027
SYS_NFO_SYSTEM_PROCESS_INFORMATION 05
SYS_NFO_SYSTEM_PROCESSID_INFORMATION 058
SYS_NFO_SYSTEM_PROCESSOR_INFORMATION 01
SYS_NFO_SYSTEM_PROCESSORBRANDSTRING 069
SYS_NFO_SYSTEM_PROCESSORCYCLETIME_INFORMATION 06C
SYS_NFO_SYSTEM_PROCESSORIDLE_INFORMATION 02A
SYS_NFO_SYSTEM_PROCESSORIDLECYCLETIME_INFORMATION 053
SYS_NFO_SYSTEM_PROCESSORMICROCODEUPDATE_INFORMATION 068
SYS_NFO_SYSTEM_PROCESSORPERFORMANCE_INFORMATION 08
SYS_NFO_SYSTEM_PROCESSORPERFORMANCEDISTRIBUTION 064
SYS_NFO_SYSTEM_PROCESSORPERFORMANCEINFORMATIONEX 08D
SYS_NFO_SYSTEM_PROCESSORPOWER_INFORMATION 03D
SYS_NFO_SYSTEM_PROCESSORPOWERINFORMATIONEX 055
SYS_NFO_SYSTEM_PROCESSORPROFILECONTROLAREA 081
SYS_NFO_SYSTEM_QUERYPERFORMANCECOUNTER_INFORMATION 07C
SYS_NFO_SYSTEM_RANGESTART_INFORMATION 032
SYS_NFO_SYSTEM_RECOMMENDEDSHAREDDATAALIGNMENT 03A
SYS_NFO_SYSTEM_REFTRACE_INFORMATION 056
SYS_NFO_SYSTEM_REGISTERFIRMWARETABLEINFORMATIONHANDLER 04B
SYS_NFO_SYSTEM_REGISTRYAPPENDSTRING 06E
SYS_NFO_SYSTEM_REGISTRYQUOTA_INFORMATION 025
SYS_NFO_SYSTEM_SCRUBPHYSICALMEMORY_INFORMATION 07F
SYS_NFO_SYSTEM_SECUREBOOT_INFORMATION 091
SYS_NFO_SYSTEM_SECUREBOOTPOLICY_INFORMATION 08F
SYS_NFO_SYSTEM_SESSION_INFORMATION 031
SYS_NFO_SYSTEM_SESSIONBIGPOOL_INFORMATION 07D
SYS_NFO_SYSTEM_SESSIONCREATE 02F
SYS_NFO_SYSTEM_SESSIONDETACH 030
SYS_NFO_SYSTEM_SESSIONMAPPEDVIEW_INFORMATION 044
SYS_NFO_SYSTEM_SESSIONPOOLTAG_INFORMATION 043
SYS_NFO_SYSTEM_SESSIONPROCESS_INFORMATION 035
SYS_NFO_SYSTEM_SPARE0 08E
SYS_NFO_SYSTEM_SPECIALPOOL_INFORMATION 057
SYS_NFO_SYSTEM_STACKTRACE_INFORMATION 0D
SYS_NFO_SYSTEM_STORE_INFORMATION 06D
SYS_NFO_SYSTEM_SUMMARYMEMORY_INFORMATION 01D
SYS_NFO_SYSTEM_SUPERFETCH_INFORMATION 04F
SYS_NFO_SYSTEM_SYSTEM_DISK_INFORMATION 063
SYS_NFO_SYSTEM_SYSTEM_PARTITION_INFORMATION 062
SYS_NFO_SYSTEM_SYSTEM_PTESINFORMATIONEX 078
SYS_NFO_SYSTEM_THREADPRIORITYCLIENTID_INFORMATION 052
SYS_NFO_SYSTEM_THROTTLENOTIFICATION_INFORMATION 086
SYS_NFO_SYSTEM_TIMEADJUSTMENT_INFORMATION 01C
SYS_NFO_SYSTEM_TIMEOFDAY_INFORMATION 03
SYS_NFO_SYSTEM_TIMESLIPNOTIFICATION 02E
SYS_NFO_SYSTEM_TIMEZONE_INFORMATION 05D
SYS_NFO_SYSTEM_UNLOADGDIDRIVER_INFORMATION 01B
SYS_NFO_SYSTEM_VDMBOP_INFORMATION 014
SYS_NFO_SYSTEM_VDMINSTEMUL_INFORMATION 013
SYS_NFO_SYSTEM_VERIFIER_INFORMATION 033
SYS_NFO_SYSTEM_VERIFIERADDDRIVER_INFORMATION 028
SYS_NFO_SYSTEM_VERIFIERCANCELLATION_INFORMATION 054
SYS_NFO_SYSTEM_VERIFIERCOUNTERS_INFORMATION 076
SYS_NFO_SYSTEM_VERIFIERFAULTS_INFORMATION 061
SYS_NFO_SYSTEM_VERIFIERINFORMATIONEX 05C
SYS_NFO_SYSTEM_VERIFIERREMOVEDRIVER_INFORMATION 029
SYS_NFO_SYSTEM_VERIFIERTHUNKEXTEND 034
SYS_NFO_SYSTEM_VERIFIERTRIAGE_INFORMATION 04E
SYS_NFO_SYSTEM_VHDBOOT_INFORMATION 070
SYS_NFO_SYSTEM_VIRTUALADDRESS_INFORMATION 06A
SYS_NFO_SYSTEM_WATCHDOGTIMER_INFORMATION 048
SYS_NFO_SYSTEM_WATCHDOGTIMERHANDLER 047
SYS_NFO_SYSTEM_WOW64SHAREDINFORMATIONOBSOLETE 04A
Returned Values:
On success the function returns STATUS_SUCCESS and stores, in the dword pointed to by lpSysProcNfo, the pointer to the structure/info you want to retrieve.
On failure it returns the corresponding NTSTATUS error code and also sets the last Win32 error that corresponds to it.
For more information see:
http://processhacker.sourceforge.net/doc/ntexapi_8h.html#ad5d815b48e8f4da1ef2eb7a2f18a54e0a8c1a09f24d175f4ce5ce4b4494819ecb
http://webcache.googleusercontent.com/search?q=cache:0AMGoLUIyHwJ:undocumented.ntinternals.net/UserMode/Undocumented%2520Functions/System%2520Information/SYSTEM_INFORMATION_CLASS.html+&cd=1&hl=pt-BR&ct=clnk&gl=br&client=firefox-a
Author:
Gustavo Trigueiros (Aka: Beyond2000! / Guga)
Example of usage:
[Guga: D$ 0]
call QueryCompleteSysNfo Guga, &SYS_NFO_SYSTEM_EXTENDEDPROCESS_INFORMATION
Source Code:
; Macros used
; Both macros expand to (#1 * page size) rounded up to the next multiple of that
; page size. Because #1 is multiplied by the page size BEFORE the rounding, the
; argument is a page count, not a byte count, and the rounding is a no-op for a
; whole-number argument: {ROUND_TO_PAGES 8} is simply 8 * &PAGE_SIZE.
; ROUND_TO_PAGES uses &PAGE_SIZE, ROUND_TO_PAGES_X64 uses &PAGE_SIZE_X64.
[ROUND_TO_PAGES | (( (#1 * &PAGE_SIZE) + (&PAGE_SIZE - 1)) and (not(&PAGE_SIZE - 1)))]
[ROUND_TO_PAGES_X64 | (( (#1 * &PAGE_SIZE_X64) + (&PAGE_SIZE_X64 - 1)) and (not(&PAGE_SIZE_X64 - 1)))]
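;-----------------------------------------------------------------------
; NTSTATUS QueryCompleteSysNfo(LPVOID *lpSysProcNfo, SYSTEM_INFORMATION_CLASS Flag)
; Allocates a committed PAGE_READWRITE buffer and fills it with the system
; information class selected by Flag, growing the buffer until
; NtQuerySystemInformation no longer reports STATUS_INFO_LENGTH_MISMATCH.
; In:   lpSysProcNfo = pointer to a dword that receives the buffer address.
;                      It should hold 0 on entry: its content is handed to
;                      NtAllocateVirtualMemory as the requested base address.
;       Flag         = SYSTEM_INFORMATION_CLASS value (one of the SYS_NFO_* equates)
; Out:  eax = STATUS_SUCCESS and *lpSysProcNfo = buffer (release it with
;             FreeSysProcNfo), or an NTSTATUS error code. On every error path
;             the Win32 last error is set through BaseSetLastNTError and the
;             buffer, if one was allocated, has already been released.
; Note: the final buffer size is not reported to the caller; the data layout
;       depends on Flag (e.g. an array of SYSTEM_PROCESS_INFORMATION for the
;       process class) and must be walked using the structures' own
;       length/offset fields.
; Regs: esi = last NTSTATUS, edi = lpSysProcNfo; both restored by 'Uses'.
;-----------------------------------------------------------------------
Proc QueryCompleteSysNfo:
    Arguments @lpSysProcNfo, @Flag
    Local @dwSize
    Uses esi, ecx, edx, edi

    ; Initial request: 8 pages of &PAGE_SIZE_X64 (the macro argument is a page
    ; count, since it is multiplied by the page size before rounding).
    ; NtAllocateVirtualMemory rounds any size up to a host page boundary itself
    ; and writes the rounded size back into D@dwSize, so the page size chosen
    ; here only fixes the starting point; it works on 32-bit and 64-bit hosts.
    mov D@dwSize {ROUND_TO_PAGES_X64 8}
    mov edi D@lpSysProcNfo

    .Do
        lea eax D@dwSize
        call 'ntdll.NtAllocateVirtualMemory' 0-1, edi, 0, eax, &MEM_COMMIT, &PAGE_READWRITE
        If eax <> &STATUS_SUCCESS
            ; Nothing was allocated, so there is nothing to free. Translate the
            ; status into the Win32 last error (same contract as the other error
            ; path below) and return the NTSTATUS.
            mov esi eax
            call BaseSetLastNTError esi
            mov eax esi
            ExitP
        End_If

        ; D$edi now holds the buffer base and D@dwSize its page-rounded size.
        call 'ntdll.NtQuerySystemInformation' D@Flag, D$edi, D@dwSize, 0
        mov esi eax                             ; esi = status; survives the calls below

        If eax = &STATUS_INFO_LENGTH_MISMATCH
            ; Buffer too small: release it and retry with twice the size.
            ; Doubling (instead of adding one page per round) keeps the number of
            ; allocate/query/free cycles logarithmic for large results such as the
            ; process list, and it also terminates quickly if the class keeps
            ; rejecting the buffer: the request soon exceeds what
            ; NtAllocateVirtualMemory can satisfy, and that failure exits above.
            call FreeSysProcNfo edi
            mov eax D@dwSize
            add D@dwSize eax
        Else_if eax <> &STATUS_SUCCESS
            ; Any other status: release the buffer, set the last error and return
            ; the NTSTATUS. FreeSysProcNfo clobbers eax, hence the copy kept in esi.
            call FreeSysProcNfo edi
            call BaseSetLastNTError esi
            mov eax esi
            ExitP
        End_If
    .Loop_Until esi = &STATUS_SUCCESS

    mov eax esi
EndP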
______________________________________________________________________________________________________________
;-----------------------------------------------------------------------
; FreeSysProcNfo(LPVOID *lpSysProcNfo)
; Releases the buffer allocated by QueryCompleteSysNfo and clears the
; caller's pointer.
; In:   lpSysProcNfo = pointer to the dword holding the buffer base address
; Out:  *lpSysProcNfo = 0; eax = NTSTATUS returned by NtFreeVirtualMemory
;       (the callers on this page do not check it). The pointer is cleared
;       even when the release fails.
; Regs: edi = lpSysProcNfo, restored by 'Uses'.
;-----------------------------------------------------------------------
Proc FreeSysProcNfo:
    Arguments @lpSysProcNfo
    Local @dwSize
    Uses edi, ecx, edx, esi

    mov D@dwSize 0                              ; RegionSize 0 = whole region, the form MEM_RELEASE expects
    mov edi D@lpSysProcNfo | lea eax D@dwSize
    call 'ntdll.NtFreeVirtualMemory' 0-1, edi, eax, &MEM_RELEASE
    mov D$edi 0                                 ; never leave a dangling pointer behind
EndP
______________________________________________________________________________________________________________
;-----------------------------------------------------------------------
; DWORD BaseSetLastNTError(NTSTATUS ErrorCode)
; Maps an NTSTATUS to its Win32 error code and stores it as the thread's
; last error, so callers that only look at GetLastError see the failure.
; In:   ErrorCode = NTSTATUS to translate
; Out:  eax = the Win32 error code that was stored
; Regs: esi keeps the mapped code across SetLastError; restored by 'Uses'.
;-----------------------------------------------------------------------
Proc BaseSetLastNTError:
    Arguments @ErrorCode
    Uses esi, ecx, edx, ebx

    call 'ntdll.RtlNtStatusToDosError' D@ErrorCode
    mov esi eax                                 ; keep the mapped code: SetLastError does not return it
    call 'kernel32.SetLastError' esi
    mov eax esi
EndP
______________________________________________________________________________________________________________
Note: The PAGE_SIZE and PAGE_SIZE_X64 equates have the following values:
- PAGE_SIZE 01000
PAGE_SIZE_X64 02000
In fact, either can be used, because they are not really tied to 32- or 64-bit mode: they just allocate enough buffer aligned on a 01000 boundary (if there is not enough room, the function adds an extra 01000 to make sure it will be enough - this is why the code uses "add D@dwSize {ROUND_TO_PAGES_X64 1}", or simply "add D@dwSize {ROUND_TO_PAGES 2}").
If you intend to use the ROUND_TO_PAGES macro, be sure to start with 8 pages and increase it by "2". Otherwise, use ROUND_TO_PAGES_X64 (even if your OS is not 64-bit, it won't be a problem at all).
After retrieving the info, don't forget to release the allocated memory with the function
FreeSysProcNfo.