GetBaseStaticServerFromTEB v1.0

Started by guga, July 02, 2014, 08:30:53 AM


guga

Updated version of GetBaseStaticServerFromTEB



;;
         GetBaseStaticServerFromTEB

            This function retrieves the pointer to a BASE_STATIC_SERVER_DATA structure that contains information about your system.

         Arguments:
           pOutput (out): Pointer to a variable that will hold the pointer to the BASE_STATIC_SERVER_DATA structure

        Returned Values:
               This function returns a pointer to the BASE_STATIC_SERVER_DATA structure in eax. It also stores it in the variable pointed to by pOutput

       Example of usage:

          [BaseStaticServerData: D$ 0]
                    call 'ntdll.RtlAcquirePebLock' ; <------- Always lock the PEB before using it.
                    call GetBaseStaticServerFromTEB BaseStaticServerData
                    add eax BASE_STATIC_SERVER_DATA.NamedObjectDirectory.LengthDis
                     (...)
                    call 'ntdll.RtlReleasePebLock' ; <---- And, of course, don't forget to unlock it.

       See Also: BASE_STATIC_SERVER_DATA structure

        Remarks: Always lock and unlock the PEB when retrieving information from TEB/PEB data.
                        To lock, call 'ntdll.RtlAcquirePebLock'; to unlock, call 'ntdll.RtlReleasePebLock'.
                         See the example above.

      Author:
         Gustavo Trigueiros (aka: Beyond2000! or Guga)
         jul/2014
;;

Proc GetBaseStaticServerFromTEB:
    Arguments @pOutput
    Uses edi

    mov edi D@pOutput
    mov eax D$fs:TEB.Tib.SelfDis ; linear address of the current thread's TEB (TEB.Tib.Self)
    mov eax D$eax+TEB.PebDis ; pointer to the process PEB
    mov eax D$eax+PEB.ReadOnlyStaticServerDataDis ; ReadOnlyStaticServerData (a TEXT_INFO structure)
    mov eax D$eax+TEXT_INFO.SystemStringsDis ; points to a BASE_STATIC_SERVER_DATA structure, not a SYSTEM_STRINGS structure (each member points to a UNICODE_STRING)
    mov D$edi eax ; store the pointer at pOutput; eax also returns it

EndP




        BASE_STATIC_SERVER_DATA structure

          This structure contains information related to your system. You retrieve it through the TEB, or by using the function GetBaseStaticServerFromTEB

Members:
[BASE_STATIC_SERVER_DATA:
BASE_STATIC_SERVER_DATA.WindowsDirectory.Length: W$ 0
BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLength: W$ 0
BASE_STATIC_SERVER_DATA.WindowsDirectory.Buffer: D$ 0
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Length: W$ 0
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLength: W$ 0
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Buffer: D$ 0
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Length: W$ 0
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLength: W$ 0
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Buffer: D$ 0
BASE_STATIC_SERVER_DATA.WindowsMajorVersion: W$ 0
BASE_STATIC_SERVER_DATA.WindowsMinorVersion: W$ 0
BASE_STATIC_SERVER_DATA.BuildNumber: W$ 0
BASE_STATIC_SERVER_DATA.CSDVersion: W$ 0 #128
BASE_STATIC_SERVER_DATA.Padding1: W$ 0
BASE_STATIC_SERVER_DATA.SysInfo.Reserved: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.TimerResolution: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.PageSize: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPages: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumber: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumber: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularity: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddress: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddress: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMask: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessors: B$ 0
BASE_STATIC_SERVER_DATA.SysInfo.Padding1: B$ 0 #3
BASE_STATIC_SERVER_DATA.Padding2: D$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.BootTime: Q$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTime: Q$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBias: Q$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneId: D$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.Reserved: D$ 0
BASE_STATIC_SERVER_DATA.IniFileMapping: D$ 0
BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangName: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountry: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountry: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sList: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasure: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimal: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousand: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sGrouping: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigits: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZero: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumber: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrency: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSep: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSep: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGrouping: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigits: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrency: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurr: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSign: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSign: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormat: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTime: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTime: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZero: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosn: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalType: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDay: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeek: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocale: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleId: D$ 0
BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValid: D$ 0
BASE_STATIC_SERVER_DATA.DefaultSeparateVDM: B$ 0
BASE_STATIC_SERVER_DATA.Wx86Enabled: B$ 0
BASE_STATIC_SERVER_DATA.Padding3: W$ 0]


Equates for the structure BASE_STATIC_SERVER_DATA


[BASE_STATIC_SERVER_DATA.WindowsDirectory.LengthDis 0
BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLengthDis 2
BASE_STATIC_SERVER_DATA.WindowsDirectory.BufferDis 4
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.LengthDis 8
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLengthDis 10
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.BufferDis 12
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.LengthDis 16
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLengthDis 18
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.BufferDis 20
BASE_STATIC_SERVER_DATA.WindowsMajorVersionDis 24
BASE_STATIC_SERVER_DATA.WindowsMinorVersionDis 26
BASE_STATIC_SERVER_DATA.BuildNumberDis 28
BASE_STATIC_SERVER_DATA.CSDVersionDis 30
BASE_STATIC_SERVER_DATA.Padding1Dis 286
BASE_STATIC_SERVER_DATA.SysInfo.ReservedDis 288
BASE_STATIC_SERVER_DATA.SysInfo.TimerResolutionDis 292
BASE_STATIC_SERVER_DATA.SysInfo.PageSizeDis 296
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPagesDis 300
BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumberDis 304
BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumberDis 308
BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularityDis 312
BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddressDis 316
BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddressDis 320
BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMaskDis 324
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessorsDis 328
BASE_STATIC_SERVER_DATA.SysInfo.Padding1Dis 329
BASE_STATIC_SERVER_DATA.Padding2Dis 332
BASE_STATIC_SERVER_DATA.TimeOfDay.BootTimeDis 336
BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTimeDis 344
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBiasDis 352
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneIdDis 360
BASE_STATIC_SERVER_DATA.TimeOfDay.ReservedDis 364
BASE_STATIC_SERVER_DATA.IniFileMappingDis 368
BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangNameDis 372
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountryDis 532
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountryDis 692
BASE_STATIC_SERVER_DATA.NlsUserInfo.sListDis 852
BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasureDis 1012
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimalDis 1172
BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousandDis 1332
BASE_STATIC_SERVER_DATA.NlsUserInfo.sGroupingDis 1492
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigitsDis 1652
BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZeroDis 1812
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumberDis 1972
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrencyDis 2132
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSepDis 2292
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSepDis 2452
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGroupingDis 2612
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigitsDis 2772
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrencyDis 2932
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurrDis 3092
BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSignDis 3252
BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSignDis 3412
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormatDis 3572
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeDis 3732
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeDis 3892
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZeroDis 4052
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosnDis 4212
BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159Dis 4372
BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359Dis 4532
BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDateDis 4692
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDateDis 4852
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDateDis 5012
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDateDis 5172
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalTypeDis 5332
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDayDis 5492
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeekDis 5652
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocaleDis 5812
BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleIdDis 5972
BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValidDis 5976
BASE_STATIC_SERVER_DATA.DefaultSeparateVDMDis 5980
BASE_STATIC_SERVER_DATA.Wx86EnabledDis 5981
BASE_STATIC_SERVER_DATA.Padding3Dis 5982]

[Size_Of_BASE_STATIC_SERVER_DATA 5984]



Note:
For the TEB structures and equates see the discussion here:
http://masm32.com/board/index.php?topic=3339.0

Additional Structures and Equates:

[TEXT_INFO:
TEXT_INFO.Reserved: D$ 0
TEXT_INFO.SystemStrings: D$ 0]

Related equates:

[TEXT_INFO.ReservedDis 0
TEXT_INFO.SystemStringsDis 4]

[Size_Of_TEXT_INFO 8]
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

guga

Interesting note:
To retrieve the Service Pack, you have to point to BASE_STATIC_SERVER_DATA.CSDVersionDis

The CSD is just the service pack inserted in a structure with the following format:
[CSD.wServicePackMajor: W$ 0 ; < Service Pack major version. The value seems to be shifted. (So, if saving in eax do "shr eax 8")
CSD.wServicePackMinor: W$ 0 ; < Service Pack minor version. The value seems to be shifted. (So, if saving in eax do "shr eax 8")
CSD.szCSDVersion: W$ 0 #126] ; < A null terminated Unicode string containing the Service Pack string (126 words, so the whole CSD block stays 128 words / 256 bytes as in the equates)

The info is hard to find, and in the M$ docs the CSD string says other things:
http://msdn.microsoft.com/en-us/library/aa371748%28v=vs.85%29.aspx

But... after analysing the retrieved data, it is the same as described here:
http://blogs.technet.com/b/askperf/archive/2008/08/22/what-os-service-pack-am-i-running.aspx

The updated structure is, in fact:
[BASE_STATIC_SERVER_DATA:
BASE_STATIC_SERVER_DATA.WindowsDirectory.Length: W$ 0
BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLength: W$ 0
BASE_STATIC_SERVER_DATA.WindowsDirectory.Buffer: D$ 0
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Length: W$ 0
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLength: W$ 0
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.Buffer: D$ 0
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Length: W$ 0
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLength: W$ 0
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.Buffer: D$ 0
BASE_STATIC_SERVER_DATA.WindowsMajorVersion: W$ 0
BASE_STATIC_SERVER_DATA.WindowsMinorVersion: W$ 0
BASE_STATIC_SERVER_DATA.BuildNumber: W$ 0
BASE_STATIC_SERVER_DATA.CSD.wServicePackMajor: W$ 0
BASE_STATIC_SERVER_DATA.CSD.wServicePackMinor: W$ 0
BASE_STATIC_SERVER_DATA.CSD.szCSDVersion: W$ 0 #126
BASE_STATIC_SERVER_DATA.Padding1: W$ 0
BASE_STATIC_SERVER_DATA.SysInfo.Reserved: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.TimerResolution: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.PageSize: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPages: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumber: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumber: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularity: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddress: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddress: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMask: D$ 0
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessors: B$ 0
BASE_STATIC_SERVER_DATA.SysInfo.Padding1: B$ 0 #3
BASE_STATIC_SERVER_DATA.Padding2: D$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.BootTime: Q$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTime: Q$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBias: Q$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneId: D$ 0
BASE_STATIC_SERVER_DATA.TimeOfDay.Reserved: D$ 0
BASE_STATIC_SERVER_DATA.IniFileMapping: D$ 0
BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangName: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountry: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountry: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sList: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasure: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimal: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousand: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sGrouping: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigits: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZero: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumber: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrency: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSep: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSep: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGrouping: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigits: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrency: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurr: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSign: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSign: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormat: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTime: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTime: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZero: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosn: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDate: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalType: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDay: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeek: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocale: W$ 0 #&MAX_REG_VAL_SIZE
BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleId: D$ 0
BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValid: D$ 0
BASE_STATIC_SERVER_DATA.DefaultSeparateVDM: B$ 0
BASE_STATIC_SERVER_DATA.Wx86Enabled: B$ 0
BASE_STATIC_SERVER_DATA.Padding3: W$ 0]


The corresponding equates are:


[BASE_STATIC_SERVER_DATA.WindowsDirectory.LengthDis 0
BASE_STATIC_SERVER_DATA.WindowsDirectory.MaximumLengthDis 2
BASE_STATIC_SERVER_DATA.WindowsDirectory.BufferDis 4
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.LengthDis 8
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.MaximumLengthDis 10
BASE_STATIC_SERVER_DATA.WindowsSystemDirectory.BufferDis 12
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.LengthDis 16
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.MaximumLengthDis 18
BASE_STATIC_SERVER_DATA.NamedObjectDirectory.BufferDis 20
BASE_STATIC_SERVER_DATA.WindowsMajorVersionDis 24
BASE_STATIC_SERVER_DATA.WindowsMinorVersionDis 26
BASE_STATIC_SERVER_DATA.BuildNumberDis 28
BASE_STATIC_SERVER_DATA.CSD.wServicePackMajorDis 30
BASE_STATIC_SERVER_DATA.CSD.wServicePackMinorDis 32
BASE_STATIC_SERVER_DATA.CSD.szCSDVersionDis 34
BASE_STATIC_SERVER_DATA.Padding1Dis 286
BASE_STATIC_SERVER_DATA.SysInfo.ReservedDis 288
BASE_STATIC_SERVER_DATA.SysInfo.TimerResolutionDis 292
BASE_STATIC_SERVER_DATA.SysInfo.PageSizeDis 296
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfPhysicalPagesDis 300
BASE_STATIC_SERVER_DATA.SysInfo.LowestPhysicalPageNumberDis 304
BASE_STATIC_SERVER_DATA.SysInfo.HighestPhysicalPageNumberDis 308
BASE_STATIC_SERVER_DATA.SysInfo.AllocationGranularityDis 312
BASE_STATIC_SERVER_DATA.SysInfo.MinimumUserModeAddressDis 316
BASE_STATIC_SERVER_DATA.SysInfo.MaximumUserModeAddressDis 320
BASE_STATIC_SERVER_DATA.SysInfo.ActiveProcessorsAffinityMaskDis 324
BASE_STATIC_SERVER_DATA.SysInfo.NumberOfProcessorsDis 328
BASE_STATIC_SERVER_DATA.SysInfo.Padding1Dis 329
BASE_STATIC_SERVER_DATA.Padding2Dis 332
BASE_STATIC_SERVER_DATA.TimeOfDay.BootTimeDis 336
BASE_STATIC_SERVER_DATA.TimeOfDay.CurrentTimeDis 344
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneBiasDis 352
BASE_STATIC_SERVER_DATA.TimeOfDay.TimeZoneIdDis 360
BASE_STATIC_SERVER_DATA.TimeOfDay.ReservedDis 364
BASE_STATIC_SERVER_DATA.IniFileMappingDis 368
BASE_STATIC_SERVER_DATA.NlsUserInfo.sAbbrevLangNameDis 372
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCountryDis 532
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCountryDis 692
BASE_STATIC_SERVER_DATA.NlsUserInfo.sListDis 852
BASE_STATIC_SERVER_DATA.NlsUserInfo.iMeasureDis 1012
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDecimalDis 1172
BASE_STATIC_SERVER_DATA.NlsUserInfo.sThousandDis 1332
BASE_STATIC_SERVER_DATA.NlsUserInfo.sGroupingDis 1492
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDigitsDis 1652
BASE_STATIC_SERVER_DATA.NlsUserInfo.iLZeroDis 1812
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegNumberDis 1972
BASE_STATIC_SERVER_DATA.NlsUserInfo.sCurrencyDis 2132
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonDecSepDis 2292
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonThouSepDis 2452
BASE_STATIC_SERVER_DATA.NlsUserInfo.sMonGroupingDis 2612
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrDigitsDis 2772
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCurrencyDis 2932
BASE_STATIC_SERVER_DATA.NlsUserInfo.iNegCurrDis 3092
BASE_STATIC_SERVER_DATA.NlsUserInfo.sPosSignDis 3252
BASE_STATIC_SERVER_DATA.NlsUserInfo.sNegSignDis 3412
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeFormatDis 3572
BASE_STATIC_SERVER_DATA.NlsUserInfo.sTimeDis 3732
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeDis 3892
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTLZeroDis 4052
BASE_STATIC_SERVER_DATA.NlsUserInfo.iTimeMarkPosnDis 4212
BASE_STATIC_SERVER_DATA.NlsUserInfo.s1159Dis 4372
BASE_STATIC_SERVER_DATA.NlsUserInfo.s2359Dis 4532
BASE_STATIC_SERVER_DATA.NlsUserInfo.sShortDateDis 4692
BASE_STATIC_SERVER_DATA.NlsUserInfo.sDateDis 4852
BASE_STATIC_SERVER_DATA.NlsUserInfo.iDateDis 5012
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLongDateDis 5172
BASE_STATIC_SERVER_DATA.NlsUserInfo.iCalTypeDis 5332
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstDayDis 5492
BASE_STATIC_SERVER_DATA.NlsUserInfo.iFirstWeekDis 5652
BASE_STATIC_SERVER_DATA.NlsUserInfo.sLocaleDis 5812
BASE_STATIC_SERVER_DATA.NlsUserInfo.UserLocaleIdDis 5972
BASE_STATIC_SERVER_DATA.NlsUserInfo.fCacheValidDis 5976
BASE_STATIC_SERVER_DATA.DefaultSeparateVDMDis 5980
BASE_STATIC_SERVER_DATA.Wx86EnabledDis 5981
BASE_STATIC_SERVER_DATA.Padding3Dis 5982]

[Size_Of_BASE_STATIC_SERVER_DATA 5984]



Example of usage:

[BaseStaticServerData: D$ 0]

    call 'ntdll.RtlAcquirePebLock' ; lock the PEB while reading it (see the remarks in the first post)
    call GetBaseStaticServerFromTEB BaseStaticServerData
    mov esi eax
    movzx ebx W$esi+BASE_STATIC_SERVER_DATA.CSD.wServicePackMajorDis | shr ebx 8 ; ebx = Service Pack major
    movzx ecx W$esi+BASE_STATIC_SERVER_DATA.CSD.wServicePackMinorDis | shr ecx 8 ; ecx = Service Pack minor (separate register, so the major value is kept)
    lea eax D$esi+BASE_STATIC_SERVER_DATA.CSD.szCSDVersionDis ; eax = pointer to the null terminated Unicode string (copy it before the next call clobbers eax)
    call 'ntdll.RtlReleasePebLock'
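As an added example (not code from this thread), here is the 32-bit layout from the structure and equates posted above written as a C struct, with build-time checks that the field offsets match the "Dis" equates and Size_Of_ value, plus a decoder that applies the CSD "shr 8" from the updated structure to a constructed copy of the data. It assumes &MAX_REG_VAL_SIZE is 80 WCHARs (the 160-byte stride of the NlsUserInfo equates) and folds the 35 NlsUserInfo string fields into one array.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit layout of BASE_STATIC_SERVER_DATA as listed in the posts above: W$ = uint16_t,
 * D$ = uint32_t (pointers included, since the layout is 32-bit), Q$ = uint64_t.
 * Assumed: &MAX_REG_VAL_SIZE = 80 WCHARs, the 160-byte stride of the NlsUserInfo equates. */
#define MAX_REG_VAL_SIZE 80
#define NLS_STRING_FIELDS 35   /* sAbbrevLangName .. sLocale, folded into one array here */

typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;

typedef struct {
    UNICODE_STRING32 WindowsDirectory, WindowsSystemDirectory, NamedObjectDirectory;
    uint16_t WindowsMajorVersion, WindowsMinorVersion, BuildNumber;
    struct { uint16_t wServicePackMajor, wServicePackMinor, szCSDVersion[126]; } CSD;
    uint16_t Padding1;
    struct {
        uint32_t Reserved, TimerResolution, PageSize, NumberOfPhysicalPages,
                 LowestPhysicalPageNumber, HighestPhysicalPageNumber, AllocationGranularity,
                 MinimumUserModeAddress, MaximumUserModeAddress, ActiveProcessorsAffinityMask;
        uint8_t NumberOfProcessors, Padding1[3];
    } SysInfo;
    uint32_t Padding2;
    struct { uint64_t BootTime, CurrentTime, TimeZoneBias; uint32_t TimeZoneId, Reserved; } TimeOfDay;
    uint32_t IniFileMapping;
    struct { uint16_t Strings[NLS_STRING_FIELDS][MAX_REG_VAL_SIZE]; uint32_t UserLocaleId, fCacheValid; } NlsUserInfo;
    uint8_t DefaultSeparateVDM, Wx86Enabled;
    uint16_t Padding3;
} BASE_STATIC_SERVER_DATA32;

/* Build-time check of the layout against the "Dis" equates and Size_Of_ value from the posts. */
_Static_assert(offsetof(BASE_STATIC_SERVER_DATA32, CSD.szCSDVersion) == 34, "CSD.szCSDVersionDis");
_Static_assert(offsetof(BASE_STATIC_SERVER_DATA32, Padding1) == 286, "Padding1Dis");
_Static_assert(offsetof(BASE_STATIC_SERVER_DATA32, TimeOfDay.BootTime) == 336, "TimeOfDay.BootTimeDis");
_Static_assert(offsetof(BASE_STATIC_SERVER_DATA32, NlsUserInfo.UserLocaleId) == 5972, "UserLocaleIdDis");
_Static_assert(sizeof(BASE_STATIC_SERVER_DATA32) == 5984, "Size_Of_BASE_STATIC_SERVER_DATA");

typedef struct {
    unsigned major, minor, build;   /* WindowsMajorVersion, WindowsMinorVersion, BuildNumber */
    unsigned sp_major, sp_minor;    /* CSD words decoded with the "shr 8" the post describes */
    char csd[127];                  /* szCSDVersion narrowed to ASCII, always NUL-terminated */
} os_summary;

/* Decode a raw copy of the structure. Returns 0 on success, -1 if the buffer cannot hold
 * Size_Of_BASE_STATIC_SERVER_DATA bytes (a bounds check the assembly example leaves out). */
int bssd_decode(const uint8_t *buf, size_t len, os_summary *out)
{
    BASE_STATIC_SERVER_DATA32 d;
    size_t i;
    if (buf == NULL || out == NULL || len < sizeof d) return -1;
    memcpy(&d, buf, sizeof d);          /* copy out, so no unaligned reads from the raw buffer */
    out->major = d.WindowsMajorVersion; out->minor = d.WindowsMinorVersion; out->build = d.BuildNumber;
    out->sp_major = d.CSD.wServicePackMajor >> 8; out->sp_minor = d.CSD.wServicePackMinor >> 8;
    for (i = 0; i < 126 && d.CSD.szCSDVersion[i] != 0; i++)    /* bounded by the 126-WCHAR field */
        out->csd[i] = d.CSD.szCSDVersion[i] < 0x80 ? (char)d.CSD.szCSDVersion[i] : '?';
    out->csd[i] = '\0';
    return 0;
}

/* Constructed sample (not captured from a real system): Windows 5.1 build 2600, Service Pack 3.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t bssd_make_sample(uint8_t *buf, size_t len)
{
    BASE_STATIC_SERVER_DATA32 d;
    const char *csd = "Service Pack 3";
    if (len < sizeof d) return 0;
    memset(&d, 0, sizeof d);
    d.WindowsMajorVersion = 5; d.WindowsMinorVersion = 1; d.BuildNumber = 2600;
    d.CSD.wServicePackMajor = 3u << 8;  /* the "shifted" value the post describes */
    for (size_t i = 0; csd[i] != '\0'; i++) d.CSD.szCSDVersion[i] = (uint16_t)csd[i]; /* as UTF-16LE */
    memcpy(buf, &d, sizeof d);
    return sizeof d;
}
```

On a live process the buffer would be the bytes at the pointer GetBaseStaticServerFromTEB returns, read between RtlAcquirePebLock and RtlReleasePebLock as the first post requires.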

dedndave

there are 2 easier ways to get the service pack
and, you can probably also get it through WMI

1) GetVersionEx
OSVERSIONINFO(EX).szCSDVersion is a string, like "Service Pack 3" (probably from the registry in method 2)
OSVERSIONINFOEX.wServicePackMajor and wServicePackMinor are 16-bit values that make something like 3.0

2) from the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"CSDVersion"="Service Pack 3"

guga

Hi Dave, yes, I know that. I was just updating the info for BASE_STATIC_SERVER_DATA.

Btw... concerning retrieving the Service Pack: in fact, the GetVersionEx API (and others) calls other functions inside ntdll that have access to the PEB info structure (PEB.OSMajorVersionDis etc.).
GetVersionEx calls RtlGetVersion, which uses the PEB addressing.

Also, if I recall well, RtlGetVersion also has access to ntoskrnl.exe when the data retrieved from the PEB fails.

In C, this small code can be used to access the Service Pack info without using GetVersionEx:


///////////////////////////////////////////////////////////////////////
// Kernel01.cpp : Call the RtlGetVersion from native API
// © by Thiseas 2011 for www.p0wnbox.com
//
#include "stdafx.h"
#include <Windows.h>

// RtlGetVersion returns an NTSTATUS (a LONG); see http://www.osronline.com/ddkx/kmarch/k109_452q.htm
typedef LONG (WINAPI *pwinapi)(PRTL_OSVERSIONINFOW);

int _tmain(int argc, _TCHAR* argv[])
{
    RTL_OSVERSIONINFOW info;
    pwinapi p_pwinapi;

    ZeroMemory(&info, sizeof(RTL_OSVERSIONINFOW));
    info.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW); // RtlGetVersion rejects the call when this is not set

    p_pwinapi = (pwinapi) GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "RtlGetVersion");
    if (p_pwinapi == NULL)
        return(1); // export not found
    if (p_pwinapi(&info) != 0) // STATUS_SUCCESS is 0
        return(1);
    // info.dwMajorVersion, info.dwMinorVersion, info.dwBuildNumber and info.szCSDVersion are now filled in

    return(0);
}


Reference for the above: http://0x191unauthorized.blogspot.com.br/2011/04/debugging-native-windows-api.html


Why not simply use GetVersionEx?

Well, there is nothing against it, but if you are coding for the WinNT family and above and need fast access to the data, why use an API that may internally contain several unneeded lines of code, instead of simply doing it the direct way, which in general is faster?

Kernel32.dll was probably compiled with Frame Pointer Omission activated, so there are several pieces of "bogus" code inside it.

One example of bad coding inside kernel32 is what I'm finding inside CreateToolhelp32Snapshot. I'm on the 4th day rebuilding this function, and it supposedly only has to contain 3 major functions.
Not to mention that I'm finding some bad usage of the stack for the local variables inside some of them. (No wonder I was finding some leftovers of a structure that was supposedly only a handle, and vice-versa, as we talked about earlier.)