Author Topic: RTL_DEBUG_INFORMATION documented

guga
« on: July 13, 2014, 06:58:28 AM »
After a bit of work, I'm succeeding in documenting some NT functions and structures.
Quote
RTL_DEBUG_INFORMATION


This structure contains information about the process being debugged.


Syntax:

RosAsm:

[RTL_DEBUG_INFORMATION:
 SectionHandleClient: D$ 0
 ViewBaseClient: D$ 0
 ViewBaseTarget: D$ 0
 ViewBaseDelta: D$ 0
 EventPairClient: D$ 0
 EventPairTarget: D$ 0
 TargetProcessId: D$ 0
 TargetThreadHandle: D$ 0
 Flags: D$ 0
 OffsetFree: D$ 0
 CommitSize: D$ 0
 ViewSize: D$ 0
 Modules: D$ 0
 BackTraces: D$ 0
 Heaps: D$ 0
 Locks: D$ 0
 SpecificHeap: D$ 0
 TargetProcessHandle: D$ 0
 VerifierOptions.SizeStruct: D$ 0
 VerifierOptions.Option: D$ 0
 VerifierOptions.OptionData: D$ 0 ; UCHAR OptionData[1], padded to a dword so ProcessHeap stays 4-byte aligned as in the C layout
 ProcessHeap: D$ 0
 CriticalSectionHandle: D$ 0
 CriticalSectionOwnerThread: D$ 0
 Reserved: D$ 0 #4]
C:
typedef struct _RTL_DEBUG_INFORMATION
{
    HANDLE SectionHandleClient;
    PVOID ViewBaseClient;
    PVOID ViewBaseTarget;
    ULONG ViewBaseDelta;        // ULONG_PTR in 64-bit ntdll
    HANDLE EventPairClient;
    PVOID EventPairTarget;
    HANDLE TargetProcessId;
    HANDLE TargetThreadHandle;
    ULONG Flags;
    ULONG OffsetFree;           // OffsetFree, CommitSize and ViewSize are SIZE_T in 64-bit ntdll
    ULONG CommitSize;
    ULONG ViewSize;
    union
    {
        PRTL_PROCESS_MODULES Modules;
        PRTL_PROCESS_MODULE_INFORMATION_EX ModulesEx;
    };
    PRTL_PROCESS_BACKTRACES BackTraces;
    PRTL_PROCESS_HEAPS Heaps;
    PRTL_PROCESS_LOCKS Locks;
    HANDLE SpecificHeap;
    HANDLE TargetProcessHandle;
    RTL_PROCESS_VERIFIER_OPTIONS VerifierOptions;
    HANDLE ProcessHeap;
    HANDLE CriticalSectionHandle;
    HANDLE CriticalSectionOwnerThread;
    PVOID Reserved[4];
} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;


Members:

SectionHandleClient
      A handle to a section object. The handle must have been granted SECTION_MAP_WRITE, SECTION_MAP_READ, SECTION_MAP_EXECUTE or other access flags when it was created.
      The handle was created with ZwCreateSection or NtCreateSection.
ViewBaseClient

ViewBaseTarget

ViewBaseDelta

EventPairClient

EventPairTarget

TargetProcessId
      Value of the process identifier.

TargetThreadHandle
      A handle to the thread that was impersonated by the ZwImpersonateThread or NtImpersonateThread functions. The handle was granted THREAD_DIRECT_IMPERSONATE access.

Flags
      A bit array specifying which type of information is to be queried. Multiple types of information can be retrieved in a single call. This parameter can be any combination of the following flags:

RTL_QUERY_PROCESS_MODULES      0x01 // The loaded modules of the process. Also known as PDI_MODULES on NT.
RTL_QUERY_PROCESS_BACKTRACES   0x02 // The heap stack back traces. Also known as PDI_BACKTRACE on NT.
RTL_QUERY_PROCESS_HEAP_SUMMARY 0x04 // The heaps of the process. Also known as PDI_HEAPS on NT.
RTL_QUERY_PROCESS_HEAP_TAGS    0x08 // The heap tags. Also known as PDI_HEAP_TAGS on NT.
RTL_QUERY_PROCESS_HEAP_ENTRIES 0x10 // The heap blocks. Also known as PDI_HEAP_BLOCKS on NT.
RTL_QUERY_PROCESS_LOCKS        0x20 // The locks created by the process. Also known as PDI_LOCKS on NT.

OffsetFree
      Points to a variable that contains the offset, in bytes, from the beginning of the section to the view, possibly rounded down to the next free section.
CommitSize
      Specifies the size, in bytes, of the initially committed region of the view. CommitSize is only meaningful for page-file backed sections; file backed sections, both data and image, are effectively committed at section creation time.
      This value is rounded up to the next page size boundary.

ViewSize
      Points to a variable that will receive the actual size, in bytes, of the view. If the initial value of this variable is zero, a view of the section will be mapped starting at the specified section offset and continuing to the end of the section.
      Otherwise, the initial value of this parameter specifies the size of the view, in bytes, and is rounded up to the next page size boundary.
Modules
      A pointer to the module information, if this was requested. The data pointed to is an RTL_PROCESS_MODULES structure.

BackTraces
      A pointer to the heap stack back-trace information, if this was requested. The data pointed to is an RTL_PROCESS_BACKTRACES structure.
Heaps
      A pointer to the heap information, if this was requested. The data pointed to is an RTL_PROCESS_HEAPS structure.
Locks
      A pointer to the lock information, if this was requested. The data pointed to is an RTL_PROCESS_LOCKS structure.
SpecificHeap

TargetProcessHandle
      Identifies the process handle.

VerifierOptions.SizeStruct
      The size of the RTL_PROCESS_VERIFIER_OPTIONS structure.
      Driver Verifier monitors Windows kernel-mode drivers and graphics drivers to detect illegal function calls or actions that might corrupt the system.
      Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior. You can run Driver Verifier on multiple drivers simultaneously, or on one driver at a time.
      You can configure which tests to run, which allows you to put a driver through heavy stress loads or through more streamlined testing.
VerifierOptions.Option
      This information class can be both queried and set. SeDebugPrivilege is required to set the values. This information class queries and sets information maintained by the device driver verifier. The "Driver Verifier" is described in the DDK documentation.
VerifierOptions.OptionData
      Option data queried for Driver Verifier. This information is only available if Driver Verifier is enabled. For more information, see: http://msdn.microsoft.com/en-us/library/windows/hardware/ff545448%28v=vs.85%29.aspx
ProcessHeap

CriticalSectionHandle

CriticalSectionOwnerThread

Reserved


Remarks:
   This structure can be retrieved using the function RtlQueryProcessModuleInformation. To retrieve full information about this structure, use RtlQueryProcessDebugInformation.
   Back in the days of Windows 95/98/NT, this structure was formerly known as DEBUG_BUFFER.


Header:
query.c, nturtl.h (Windows NT)
rtltypes.h (ReactOS)
nt_internals.h (Chromium)

See Also:
RtlpQueryProcessDebugInformationRemote
RtlQueryProcessModuleInformation
RtlQueryProcessBackTraceInformation
RtlQueryProcessHeapInformation
RtlQueryProcessLockInformation
RtlpChangeQueryDebugBufferTarget
RtlpCommitQueryDebugInfo
RtlpDeCommitQueryDebugInfo
RtlDestroyQueryDebugBuffer
RtlQueryProcessDebugInformation


References:
win2ksrc.rar
http://evilcodecave.wordpress.com/2009/04/11/rtlqueryprocessdebuginformation-as-anti-dbg-trick/
http://svn.jacekowski.org/chromium/trunk/ceee/testing/utils/nt_internals.h
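The call sequence behind the See Also list above (create a query buffer, query with RTL_QUERY_PROCESS_* flags, walk the filled-in RTL_DEBUG_INFORMATION, destroy the buffer), as an added C example that is not part of the original post. It assumes the RTL_PROCESS_MODULES / RTL_PROCESS_MODULE_INFORMATION layout from the public phnt and ReactOS headers, and uses pointer-sized ViewBaseDelta, OffsetFree, CommitSize and ViewSize so the struct also matches 64-bit ntdll (the post shows the 32-bit form). The three ntdll routines are resolved with GetProcAddress and the live query only compiles on Windows; the buffer-walking helpers (base-name extraction, address-to-module lookup) build anywhere and are exercised on a constructed two-entry module list.

```c
/* Added example, not code from the original post: enumerate a process's modules via ntdll's
 * RtlCreateQueryDebugBuffer / RtlQueryProcessDebugInformation / RtlDestroyQueryDebugBuffer and
 * walk the RTL_DEBUG_INFORMATION they fill in.  Assumed: RTL_PROCESS_MODULES layout from the
 * public phnt/ReactOS headers; pointer-sized ViewBaseDelta/OffsetFree/CommitSize/ViewSize. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else /* minimal NT typedefs so the buffer-walking helpers build on non-Windows hosts */
typedef void *HANDLE, *PVOID; typedef uint32_t ULONG; typedef uint16_t USHORT;
typedef uint8_t UCHAR; typedef uintptr_t ULONG_PTR; typedef size_t SIZE_T;
#endif

enum { RTL_QUERY_PROCESS_MODULES = 0x01, RTL_QUERY_PROCESS_BACKTRACES = 0x02,
       RTL_QUERY_PROCESS_HEAP_SUMMARY = 0x04, RTL_QUERY_PROCESS_HEAP_TAGS = 0x08,
       RTL_QUERY_PROCESS_HEAP_ENTRIES = 0x10, RTL_QUERY_PROCESS_LOCKS = 0x20 };

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags;
    USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount;
    USHORT OffsetToFileName;         /* index of the base name inside FullPathName */
    UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES {   /* NumberOfModules entries follow the count */
    ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
typedef struct _RTL_PROCESS_VERIFIER_OPTIONS { ULONG SizeStruct; ULONG Option; UCHAR OptionData[1]; } RTL_PROCESS_VERIFIER_OPTIONS;
typedef struct _RTL_DEBUG_INFORMATION {
    HANDLE SectionHandleClient; PVOID ViewBaseClient; PVOID ViewBaseTarget; ULONG_PTR ViewBaseDelta;
    HANDLE EventPairClient; HANDLE EventPairTarget; HANDLE TargetProcessId; HANDLE TargetThreadHandle;
    ULONG Flags; SIZE_T OffsetFree; SIZE_T CommitSize; SIZE_T ViewSize;
    PRTL_PROCESS_MODULES Modules; PVOID BackTraces; PVOID Heaps; PVOID Locks;  /* PRTL_PROCESS_* in ntdll */
    PVOID SpecificHeap; HANDLE TargetProcessHandle; RTL_PROCESS_VERIFIER_OPTIONS VerifierOptions;
    PVOID ProcessHeap; HANDLE CriticalSectionHandle; HANDLE CriticalSectionOwnerThread; PVOID Reserved[4];
} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;

/* i-th module entry, addressed from the header so the [1] array is never over-indexed. */
static const RTL_PROCESS_MODULE_INFORMATION *module_at(const RTL_PROCESS_MODULES *mods, ULONG i) {
    return (const RTL_PROCESS_MODULE_INFORMATION *)((const unsigned char *)mods + offsetof(RTL_PROCESS_MODULES, Modules)) + i;
}
/* Base file name; OffsetToFileName was written by the target, so it is only honoured if in range. */
static const char *module_file_name(const RTL_PROCESS_MODULE_INFORMATION *m) {
    return (const char *)m->FullPathName + (m->OffsetToFileName < sizeof m->FullPathName ? m->OffsetToFileName : 0);
}
/* Index of the module whose [ImageBase, ImageBase + ImageSize) range holds addr, or -1. */
static long module_for_address(const RTL_PROCESS_MODULES *mods, uintptr_t addr) {
    for (ULONG i = 0; i < mods->NumberOfModules; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = module_at(mods, i);
        if (addr >= (uintptr_t)m->ImageBase && addr - (uintptr_t)m->ImageBase < m->ImageSize) return (long)i;
    }
    return -1;
}
/* Constructed two-entry module list (made-up data) so the helpers can run without ntdll. */
static const RTL_PROCESS_MODULES *sample_modules(void) {
    static union { RTL_PROCESS_MODULES hdr; unsigned char raw[sizeof(RTL_PROCESS_MODULES) + sizeof(RTL_PROCESS_MODULE_INFORMATION)]; } s;
    static const char *paths[2] = { "\\SystemRoot\\System32\\ntdll.dll", "C:\\Tools\\app.exe" };
    static const uintptr_t bases[2] = { 0x10000, 0x400000 };
    s.hdr.NumberOfModules = 2;
    for (ULONG i = 0; i < 2; i++) {
        RTL_PROCESS_MODULE_INFORMATION *m = (RTL_PROCESS_MODULE_INFORMATION *)module_at(&s.hdr, i);
        memset(m, 0, sizeof *m);
        m->ImageBase = (PVOID)bases[i]; m->ImageSize = 0x5000; m->LoadOrderIndex = (USHORT)i;
        strncpy((char *)m->FullPathName, paths[i], sizeof m->FullPathName - 1);
        m->OffsetToFileName = (USHORT)(strrchr(paths[i], '\\') - paths[i] + 1);
    }
    return &s.hdr;
}

#ifdef _WIN32
typedef PRTL_DEBUG_INFORMATION (NTAPI *CreateBuf_t)(ULONG MaximumCommit, BOOLEAN UseEventPair);
typedef LONG (NTAPI *QueryInfo_t)(HANDLE UniqueProcessId, ULONG Flags, PRTL_DEBUG_INFORMATION Buffer);
typedef LONG (NTAPI *DestroyBuf_t)(PRTL_DEBUG_INFORMATION Buffer);
/* Live query.  The first argument is a process ID, not a handle; for a remote target ntdll
 * runs a helper thread (RtlpQueryProcessDebugInformationRemote) inside it to fill the shared section. */
static int dump_process(DWORD pid) {
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    CreateBuf_t create = (CreateBuf_t)GetProcAddress(nt, "RtlCreateQueryDebugBuffer");
    QueryInfo_t query = (QueryInfo_t)GetProcAddress(nt, "RtlQueryProcessDebugInformation");
    DestroyBuf_t destroy = (DestroyBuf_t)GetProcAddress(nt, "RtlDestroyQueryDebugBuffer");
    if (!create || !query || !destroy) return -1;
    PRTL_DEBUG_INFORMATION buf = create(0, FALSE);             /* 0 = default maximum commit */
    if (!buf) return -1;
    LONG st = query((HANDLE)(ULONG_PTR)pid, RTL_QUERY_PROCESS_MODULES, buf);
    if (st < 0) { printf("RtlQueryProcessDebugInformation: 0x%08lX\n", (unsigned long)st); destroy(buf); return -1; }
    for (ULONG i = 0; buf->Modules && i < buf->Modules->NumberOfModules; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = module_at(buf->Modules, i);
        printf("%p +%08lX %s\n", m->ImageBase, (unsigned long)m->ImageSize, module_file_name(m));
    }
    destroy(buf);                                               /* unmaps the view, closes the section */
    return 0;
}
int main(int argc, char **argv) {
    DWORD pid = argc > 1 ? (DWORD)strtoul(argv[1], NULL, 0) : GetCurrentProcessId();
    return dump_process(pid) == 0 ? 0 : 1;
}
#endif
```

Pass a PID on the command line, or nothing to dump the current process. Querying another process needs the rights to open it and leaves a visible thread creation in the target, so treat it as a noisy operation rather than a passive read; everything read back from the buffer (NumberOfModules, OffsetToFileName) was written on the target's side of the section, which is why the helpers bounds-check it before use.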