GetBaseStaticServerFromTEB v1.0

[guga]

Updated version of GetBaseStaticServerFromTEB

Code: [Select]


;;
         GetBaseStaticServerFromTEB

            This function retrieves the pointer to a BASE_STATIC_SERVER_DATA structure that contains information about your system.

         Arguments:
           pOutput (out): Pointer to a Variable that will holds the data to the structure BASE_STATIC_SERVER_DATA

        Returned Values:
               This function will return a pointer to BASE_STATIC_SERVER_DATA structure. Also, it will store it on the proper variable at pOutput

       Example of usage:

          [BaseStaticServerData: D$ 0]
                    call 'ntdll.RtlAcquirePebLock' ; <------- Always lock the PEb before using it.
                    call GetBaseStaticServerFromTEB BaseStaticServerData
                    add eax BASE_STATIC_SERVER_DATA.NamedObjectDirectory.LengthDis
                     (...)
                    call 'ntdll.RtlReleasePebLock' <---- And, of course, don´t forget to unlock it.

       See Also: BASE_STATIC_SERVER_DATA structure

        Remarks: Always lock and unlock the PEb when retrieving the information from TEB/PEB data.
                        To lock you must use a call to  'ntdll.RtlAcquirePebLock' and to unlock you must use the function ntdll.RtlReleasePebLock
                         See the example above.

      Author:
         Gustavo Trigueiros (aka: Beyond2000! or Guga)
         jul/2014
;;

Proc GetBaseStaticServerFromTEB:
    Arguments @pOutput
    Uses edi

    mov edi D@pOutput
    mov eax D$fs:TEB.Tib.SelfDis ; retrieve TEB structure for the current process
    mov eax D$eax+TEB.PebDis ; pointer to a PEB structure
    mov eax D$eax+PEB.ReadOnlyStaticServerDataDis ; retrieve the ReadOnlyStaticServerData (a TEXT_INFO structure)
    mov eax D$eax+TEXT_INFO.SystemStringsDis ; pointer to a BASE_STATIC_SERVER_DATA structure and not a SYSTEM_STRINGS structure (eah member points to a UNICODE_STRING String)
    mov D$edi eax

EndP

Code: [Select]


        BASE_STATIC_SERVER_DATA structure

          This structure contains information related to your system. You retrieve this info from TEB or using the function GetBaseStaticServerFromTEB

Members:
[BASE_STATIC_SERVER_DATA:
 BASE_STATIC_SERVER_DATA.WindowsDirectory.Length: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLength: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsDirectory.Buffer: D$ 0
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Length: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLength: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Buffer: D$ 0
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Length: W$ 0
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLength: W$ 0
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Buffer: D$ 0
 BASE_STATIC_SERVER_DATA.WindowsMajorVersion: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsMinorVersion: W$ 0
 BASE_STATIC_SERVER_DATA.BuildNumber: W$ 0
 BASE_STATIC_SERVER_DATA.CSDVersion: W$ 0 #128
 BASE_STATIC_SERVER_DATA.Padding1: W$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.Reserved: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.TimerResolution: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.PageSize: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPages: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumber: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumber: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularity: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddress: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddress: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMask: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessors: B$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.Padding1: B$ 0 #3
 BASE_STATIC_SERVER_DATA.Padding2: D$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.BootTime: Q$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTime: Q$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBias: Q$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneId: D$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.Reserved: D$ 0
 BASE_STATIC_SERVER_DATA.IniFileMapping: D$ 0
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangName: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountry: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountry: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sList: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasure: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimal: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousand: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sGrouping: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigits: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZero: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumber: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrency: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSep: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSep: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGrouping: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigits: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrency: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurr: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSign: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSign: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormat: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTime: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTime: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZero: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosn: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalType: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDay: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeek: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocale: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleId: D$ 0
 BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValid: D$ 0
 BASE_STATIC_SERVER_DATA.DefaultSeparateVDM: B$ 0
 BASE_STATIC_SERVER_DATA.Wx86Enabled: B$ 0
 BASE_STATIC_SERVER_DATA.Padding3: W$ 0]

Equates for the structure BASE_STATIC_SERVER

Code: [Select]


[BASE_STATIC_SERVER_DATA.WindowsDirectory.LengthDis 0
 BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLengthDis 2
 BASE_STATIC_SERVER_DATA.WindowsDirectory.BufferDis 4
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.LengthDis 8
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLengthDis 10
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.BufferDis 12
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.LengthDis 16
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLengthDis 18
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.BufferDis 20
 BASE_STATIC_SERVER_DATA.WindowsMajorVersionDis 24
 BASE_STATIC_SERVER_DATA.WindowsMinorVersionDis 26
 BASE_STATIC_SERVER_DATA.BuildNumberDis 28
 BASE_STATIC_SERVER_DATA.CSDVersionDis 30
 BASE_STATIC_SERVER_DATA.Padding1Dis 286
 BASE_STATIC_SERVER_DATA.SysInfo.ReservedDis 288
 BASE_STATIC_SERVER_DATA.SysInfo.TimerResolutionDis 292
 BASE_STATIC_SERVER_DATA.SysInfo.PageSizeDis 296
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPagesDis 300
 BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumberDis 304
 BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumberDis 308
 BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularityDis 312
 BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddressDis 316
 BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddressDis 320
 BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMaskDis 324
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessorsDis 328
 BASE_STATIC_SERVER_DATA.SysInfo.Padding1Dis 329
 BASE_STATIC_SERVER_DATA.Padding2Dis 332
 BASE_STATIC_SERVER_DATA.TimeOfDay.BootTimeDis 336
 BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTimeDis 344
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBiasDis 352
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneIdDis 360
 BASE_STATIC_SERVER_DATA.TimeOfDay.ReservedDis 364
 BASE_STATIC_SERVER_DATA.IniFileMappingDis 368
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangNameDis 372
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountryDis 532
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountryDis 692
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sListDis 852
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasureDis 1012
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimalDis 1172
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousandDis 1332
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sGroupingDis 1492
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigitsDis 1652
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZeroDis 1812
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumberDis 1972
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrencyDis 2132
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSepDis 2292
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSepDis 2452
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGroupingDis 2612
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigitsDis 2772
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrencyDis 2932
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurrDis 3092
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSignDis 3252
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSignDis 3412
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormatDis 3572
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeDis 3732
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeDis 3892
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZeroDis 4052
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosnDis 4212
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159Dis 4372
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359Dis 4532
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDateDis 4692
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDateDis 4852
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDateDis 5012
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDateDis 5172
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalTypeDis 5332
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDayDis 5492
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeekDis 5652
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocaleDis 5812
 BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleIdDis 5972
 BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValidDis 5976
 BASE_STATIC_SERVER_DATA.DefaultSeparateVDMDis 5980
 BASE_STATIC_SERVER_DATA.Wx86EnabledDis 5981
 BASE_STATIC_SERVER_DATA.Padding3Dis 5982]

[Size_Of_BASE_STATIC_SERVER_DATA 5984]


Note:
For the TEb structures and equates see discussion here:
http://masm32.com/board/index.php?topic=3339.0

Additional Structures and Equates:

Code: [Select]

[TEXT_INFO:
 TEXT_INFO.Reserved: D$ 0
 TEXT_INFO.SystemStrings: D$ 0]Equates relate:

Code: [Select]

[TEXT_INFO.ReservedDis 0
 TEXT_INFO.SystemStringsDis 4]

[Size_Of_TEXT_INFO 8]

[guga]

Interesting note:
To retrieve the Service Pack. You have to point to BASE_STATIC_SERVER_DATA.CSDVersionDis

The CSD is just the service pack inserted on a structure with the following format:
[CSD.wServicePackMajor: W$ 0 ; < Service Pack major version. The value seems to be shifted. (So, if saving in eax do "shr eax 8")
CSD.wServicePackMinor: W$ 0 ; < Service Pack major version. The value seems to be shifted. (So, if saving in eax do "shr eax 8")
CSD.szCSDVersion: W$ 0#124] < A null terminated Unicode string containing the Service Pack string

The info is hard to find and in M$ docs the CSDString says other things
http://msdn.microsoft.com/en-us/library/aa371748%28v=vs.85%29.aspx

But...after analysing the retrieve data, it is the same as described in here
http://blogs.technet.com/b/askperf/archive/2008/08/22/what-os-service-pack-am-i-running.aspx

The updated structure is, in fact:

Code: [Select]

[BASE_STATIC_SERVER_DATA:
 BASE_STATIC_SERVER_DATA.WindowsDirectory.Length: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLength: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsDirectory.Buffer: D$ 0
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Length: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLength: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Buffer: D$ 0
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Length: W$ 0
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLength: W$ 0
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Buffer: D$ 0
 BASE_STATIC_SERVER_DATA.WindowsMajorVersion: W$ 0
 BASE_STATIC_SERVER_DATA.WindowsMinorVersion: W$ 0
 BASE_STATIC_SERVER_DATA.BuildNumber: W$ 0
 BASE_STATIC_SERVER_DATA.CSD.wServicePackMajor: W$ 0
 BASE_STATIC_SERVER_DATA.CSD.wServicePackMinor: W$ 0
 BASE_STATIC_SERVER_DATA.CSD.szCSDVersion: W$ 0 #126
 BASE_STATIC_SERVER_DATA.Padding1: W$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.Reserved: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.TimerResolution: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.PageSize: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPages: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumber: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumber: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularity: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddress: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddress: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMask: D$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessors: B$ 0
 BASE_STATIC_SERVER_DATA.SysInfo.Padding1: B$ 0 #3
 BASE_STATIC_SERVER_DATA.Padding2: D$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.BootTime: Q$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTime: Q$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBias: Q$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneId: D$ 0
 BASE_STATIC_SERVER_DATA.TimeOfDay.Reserved: D$ 0
 BASE_STATIC_SERVER_DATA.IniFileMapping: D$ 0
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangName: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountry: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountry: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sList: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasure: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimal: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousand: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sGrouping: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigits: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZero: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumber: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrency: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSep: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSep: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGrouping: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigits: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrency: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurr: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSign: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSign: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormat: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTime: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTime: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZero: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosn: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDate: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalType: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDay: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeek: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocale: W$ 0 #&MAX_REG_VAL_SIZE
 BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleId: D$ 0
 BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValid: D$ 0
 BASE_STATIC_SERVER_DATA.DefaultSeparateVDM: B$ 0
 BASE_STATIC_SERVER_DATA.Wx86Enabled: B$ 0
 BASE_STATIC_SERVER_DATA.Padding3: W$ 0]

The corresponding equates are:

Code: [Select]


[BASE_STATIC_SERVER_DATA.WindowsDirectory.LengthDis 0
 BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLengthDis 2
 BASE_STATIC_SERVER_DATA.WindowsDirectory.BufferDis 4
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.LengthDis 8
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLengthDis 10
 BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.BufferDis 12
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.LengthDis 16
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLengthDis 18
 BASE_STATIC_SERVER_DATA.NamedObjectDirectory.BufferDis 20
 BASE_STATIC_SERVER_DATA.WindowsMajorVersionDis 24
 BASE_STATIC_SERVER_DATA.WindowsMinorVersionDis 26
 BASE_STATIC_SERVER_DATA.BuildNumberDis 28
 BASE_STATIC_SERVER_DATA.CSD.wServicePackMajorDis 30
 BASE_STATIC_SERVER_DATA.CSD.wServicePackMinorDis 32
 BASE_STATIC_SERVER_DATA.CSD.szCSDVersionDis 34
 BASE_STATIC_SERVER_DATA.Padding1Dis 286
 BASE_STATIC_SERVER_DATA.SysInfo.ReservedDis 288
 BASE_STATIC_SERVER_DATA.SysInfo.TimerResolutionDis 292
 BASE_STATIC_SERVER_DATA.SysInfo.PageSizeDis 296
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPagesDis 300
 BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumberDis 304
 BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumberDis 308
 BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularityDis 312
 BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddressDis 316
 BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddressDis 320
 BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMaskDis 324
 BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessorsDis 328
 BASE_STATIC_SERVER_DATA.SysInfo.Padding1Dis 329
 BASE_STATIC_SERVER_DATA.Padding2Dis 332
 BASE_STATIC_SERVER_DATA.TimeOfDay.BootTimeDis 336
 BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTimeDis 344
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBiasDis 352
 BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneIdDis 360
 BASE_STATIC_SERVER_DATA.TimeOfDay.ReservedDis 364
 BASE_STATIC_SERVER_DATA.IniFileMappingDis 368
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangNameDis 372
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountryDis 532
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountryDis 692
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sListDis 852
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasureDis 1012
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimalDis 1172
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousandDis 1332
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sGroupingDis 1492
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigitsDis 1652
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZeroDis 1812
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumberDis 1972
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrencyDis 2132
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSepDis 2292
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSepDis 2452
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGroupingDis 2612
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigitsDis 2772
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrencyDis 2932
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurrDis 3092
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSignDis 3252
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSignDis 3412
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormatDis 3572
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeDis 3732
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeDis 3892
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZeroDis 4052
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosnDis 4212
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159Dis 4372
 BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359Dis 4532
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDateDis 4692
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sDateDis 4852
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iDateDis 5012
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDateDis 5172
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalTypeDis 5332
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDayDis 5492
 BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeekDis 5652
 BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocaleDis 5812
 BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleIdDis 5972
 BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValidDis 5976
 BASE_STATIC_SERVER_DATA.DefaultSeparateVDMDis 5980
 BASE_STATIC_SERVER_DATA.Wx86EnabledDis 5981
 BASE_STATIC_SERVER_DATA.Padding3Dis 5982]

[Size_Of_BASE_STATIC_SERVER_DATA 5984]


Example of usage:

Code: [Select]

[BaseStaticServerData: D$ 0]

    call GetBaseStaticServerFromTEB BaseStaticServerData
    mov esi eax
    movzx ebx W$esi+BASE_STATIC_SERVER_DATA.CSD.wServicePackMajorDis | shr ebx 8
    movzx ebx W$esi+BASE_STATIC_SERVER_DATA.CSD.wServicePackMinorDis | shr ebx 8
    lea eax D$esi+BASE_STATIC_SERVER_DATA.CSD.szCSDVersionDis

[dedndave]

there are 2 easier ways to get the service pack
and, you can probably also get it through WMI

1) GetVersionEx
OSVERSIONINFO(EX).szCSDVersion is a string, like "Service Pack 3" (probably from the registry in method 2)
OSVERSIONINFOEX.wServicePackMajor and wServicePackMinor are 16-bit values that make something like 3.0

2) from the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"CSDVersion"="Service Pack 3"

[guga]

Hi Dave, yes, i know that. I was just updating the info for  BASE_STATIC_SERVER_DATA.  :t

Btw...concening retrieving the Service Pack. In fact, the GetversionEx Api (and others), calls other functions inside ntdll that will have access to the PE info structure PEB.OSMajorVersionDis etc.
GetVersionEx call RtlGetVersion that uses the PEB addressing.

Also, if i recall well, RTlGetVersion also have acess to ntoskrnl.exe when the retrieved data from PEB fails.

In C, this small code can be done to access ServicePack info without using getversionEx

Code: [Select]

///////////////////////////////////////////////////////////////////////
// Kernel01.cpp : Call the RtlGetVersion from native API
// © by Thiseas 2011 for www.p0wnbox.com
//
#include "stdafx.h"
#include <Windows.h>

typedef void (WINAPI *pwinapi)(PRTL_OSVERSIONINFOW); //http://www.osronline.com/ddkx/kmarch/k109_452q.htm

int _tmain(int argc, _TCHAR* argv[])
{
    RTL_OSVERSIONINFOW info;
    pwinapi p_pwinapi;

    ZeroMemory(&info, sizeof(RTL_OSVERSIONINFOW));

    p_pwinapi = (pwinapi) GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "RtlGetVersion");
    p_pwinapi(&info);

    return(0);
}

Reference above http://0x191unauthorized.blogspot.com.br/2011/04/debugging-native-windows-api.html


Why not simply using GetVersionEx ?

Well there is nothing against it, but, if you are coding for WinNT family and above, and need some fast access to data, why use an Apis that may contains internally several uneeded lines of code, instead simply doing the direct way, that , in general is faster ?

Kernel32.dll was compiled probably with Frame Point omission activated. So there are several "bogus" code inside of it.

One example of a bad coding inside kernel32 is what i´m finding inside CreateToolhelp32Snapshot. I´m at the 4th day rebuilding this function and it supposedly just have to contains 3 major functions 
Not to mention that i´m finding some bad usage of the stack for the local variables inside of some of them. (No wonder i was finding some left overs of some structure that was supposedly to be only a handle and vice-versa we talked about earlier)