KUSER_SHARED_DATA documented

[guga]

KUSER_SHARED_DATA documented by me. - Updated (Included the complete Wow64Information Table Pointer untill windows 8 )

This version is for winXP SP3, but i´m documenting the others from NT to Win7 and will make a pdf for them soon and will updating them here

For a matter of update. I need some info about Wow64SharedInformation. I know that there is a enumeration in wow64t.h as:

Code: [Select]

typedef enum _WOW64_SHARED_INFORMATION
{
    SharedNtdll32LdrInitializeThunk,
    SharedNtdll32KiUserExceptionDispatcher,
    SharedNtdll32KiUserApcDispatcher,
    SharedNtdll32KiUserCallbackDispatcher,
    SharedNtdll32LdrHotPatchRoutine,
    SharedNtdll32ExpInterlockedPopEntrySListFault,
    SharedNtdll32ExpInterlockedPopEntrySListResume,
    SharedNtdll32ExpInterlockedPopEntrySListEnd,
    SharedNtdll32RtlUserThreadStart,
    SharedNtdll32RtlpQueryProcessDebugInformationRemote,
    SharedNtdll32EtwpNotificationThread,
    SharedNtdll32BaseAddress,
    Wow64SharedPageEntriesCount
} WOW64_SHARED_INFORMATION;

Each Dword represents the enumeration  described in WOW64_SHARED_INFORMATION.
So the 1st dword should be a pointer to LdrInitializeThunk inside ntdll.dll
the 2nd dword is a pointer to KiUserExceptionDispatcher
and so on.

The problem is i don´t have wow64 (neither windows 8 ) to check the rest of the table.

If someone have wow64 activated (And the last windows version), can you please check the pointers inside Wow64SharedInformation ?
I documented only untill BaseAddress (The 12th dword). The last 4 dwords are missing information or they are currently reserved for other versions of windows prior to 8. But, if someone have the latest windows versions (with wow64) and check their last 4 pointers i´ll appreciate it :).

Below is s small piece of code i made how to retrieve this information

Code: [Select]

; Just equates to easier retrieve the necessary info
[KUSER_SHARED_DATA_XPSP3.TickCountLowDeprecatedDis 0
 KUSER_SHARED_DATA_XPSP3.TickCountMultiplierDis 4
 KUSER_SHARED_DATA_XPSP3.InterruptTime.LowPartDis 8
 KUSER_SHARED_DATA_XPSP3.InterruptTime.High1TimeDis 12
 KUSER_SHARED_DATA_XPSP3.InterruptTime.High2TimeDis 16
 KUSER_SHARED_DATA_XPSP3.SystemTime.LowPartDis 20
 KUSER_SHARED_DATA_XPSP3.SystemTime.High1TimeDis 24
 KUSER_SHARED_DATA_XPSP3.SystemTime.High2TimeDis 28
 KUSER_SHARED_DATA_XPSP3.TimeZoneBias.LowPartDis 32
 KUSER_SHARED_DATA_XPSP3.TimeZoneBias.High1TimeDis 36
 KUSER_SHARED_DATA_XPSP3.TimeZoneBias.High2TimeDis 40
 KUSER_SHARED_DATA_XPSP3.ImageNumberLowDis 44
 KUSER_SHARED_DATA_XPSP3.ImageNumberHighDis 46
 KUSER_SHARED_DATA_XPSP3.NtSystemRootDis 48
 KUSER_SHARED_DATA_XPSP3.MaxStackTraceDepthDis 568
 KUSER_SHARED_DATA_XPSP3.CryptoExponentDis 572
 KUSER_SHARED_DATA_XPSP3.TimeZoneIdDis 576
 KUSER_SHARED_DATA_XPSP3.LargePageMinimumDis 580
 KUSER_SHARED_DATA_XPSP3.Reserved2Dis 584
 KUSER_SHARED_DATA_XPSP3.NtProductTypeDis 612
 KUSER_SHARED_DATA_XPSP3.Padding0Dis 613
 KUSER_SHARED_DATA_XPSP3.ProductTypeIsValidDis 616
 KUSER_SHARED_DATA_XPSP3.NtMajorVersionDis 620
 KUSER_SHARED_DATA_XPSP3.NtMinorVersionDis 624
 KUSER_SHARED_DATA_XPSP3.ProcessorFeaturesDis 628
 KUSER_SHARED_DATA_XPSP3.Reserved1Dis 692
 KUSER_SHARED_DATA_XPSP3.Reserved3Dis 696
 KUSER_SHARED_DATA_XPSP3.TimeSlipDis 700
 KUSER_SHARED_DATA_XPSP3.AlternativeArchitectureDis 704
 KUSER_SHARED_DATA_XPSP3.AltArchitecturePadDis 708
 KUSER_SHARED_DATA_XPSP3.SystemExpirationDateDis 712
 KUSER_SHARED_DATA_XPSP3.SuiteMaskDis 720
 KUSER_SHARED_DATA_XPSP3.KdDebuggerEnabledDis 724
 KUSER_SHARED_DATA_XPSP3.NXSupportPolicyDis 725
 KUSER_SHARED_DATA_XPSP3.Padding1Dis 727
 KUSER_SHARED_DATA_XPSP3.ActiveConsoleIdDis 728
 KUSER_SHARED_DATA_XPSP3.DismountCountDis 732
 KUSER_SHARED_DATA_XPSP3.ComPlusPackageDis 736
 KUSER_SHARED_DATA_XPSP3.LastSystemRITEventTickCountDis 740
 KUSER_SHARED_DATA_XPSP3.NumberOfPhysicalPagesDis 744
 KUSER_SHARED_DATA_XPSP3.SafeBootModeDis 748
 KUSER_SHARED_DATA_XPSP3.Padding2Dis 749
 KUSER_SHARED_DATA_XPSP3.TraceLoggingDis 752
 KUSER_SHARED_DATA_XPSP3.Fill0Dis 756
 KUSER_SHARED_DATA_XPSP3.TestRetInstructionDis 760
 KUSER_SHARED_DATA_XPSP3.SystemCallDis 768
 KUSER_SHARED_DATA_XPSP3.SystemCallReturnDis 772
 KUSER_SHARED_DATA_XPSP3.SystemCallPadDis 776
 KUSER_SHARED_DATA_XPSP3.TickCountDis 800
 KUSER_SHARED_DATA_XPSP3.TickCountQuadDis 800
 KUSER_SHARED_DATA_XPSP3.Padding3Dis 812
 KUSER_SHARED_DATA_XPSP3.CookieDis 816
 KUSER_SHARED_DATA_XPSP3.Wow64SharedInformationDis 820]

[Size_Of_KUSER_SHARED_DATA_XPSP3 884]

; ebx points to the start of the table
GetWow64Info:
     mov eax &MM_SHARED_USER_DATA_VA
     lea ebx D$eax+KUSER_SHARED_DATA_XPSP3.Wow64SharedInformationDis
...


[guga]

Oops

never mind...I was right about wow64. It is a pointer table as described here

[Gunther]

Gustavo,

never mind...I was right about wow64. It is a pointer table as described here

That's a very good explanation of the background. Thank you.  :t

Gunther

[guga]

Tks Gunther

I just found others sources of information such as
http://msdn.moonsols.com/win7rtm_x64/WOW64_SHARED_INFORMATION.html
http://pyew.googlecode.com/hg-history/6b1687c5e42b740f4f7933c4be7e45395311830e/vstruct/defs/windows/win_6_1_amd64/win32k.py
and in Windows Research Kernel sources
http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/public/internal/base/inc/wow64t.h

I just updated the file to include the wow64Information Table complete untill windows 8

The wow64SharedInformation is a 16 dword table pointing to these apis inside ntdll.dll:
 

Code: [Select]

Wow64SharedInformation.LdrInitializeThunk D$ pLdrInitializeThunk ; pointer to LdrInitializeThunk in ntdll.dll    
Wow64SharedInformation.KiUserExceptionDispatcher D$ pKiUserExceptionDispatcher ; pointer to KiUserExceptionDispatcher in ntdll.dll    
Wow64SharedInformation.KiUserApcDispatcher D$ pKiUserApcDispatcher ; pointer to KiUserApcDispatcher in ntdll.dll    
Wow64SharedInformation.KiUserCallbackDispatcher D$ pKiUserCallbackDispatcher ; pointer to KiUserCallbackDispatcher in ntdll.dll    
Wow64SharedInformation.LdrHotPatchRoutine D$ pLdrHotPatchRoutine ; pointer to LdrHotPatchRoutine in ntdll.dll    
Wow64SharedInformation.ExpInterlockedPopEntrySListFault D$ pExpInterlockedPopEntrySListFault ; pointer to ExpInterlockedPopEntrySListFault in ntdll.dll    
Wow64SharedInformation.ExpInterlockedPopEntrySListResume D$ pExpInterlockedPopEntrySListResume ; pointer to ExpInterlockedPopEntrySListResume in ntdll.dll    
Wow64SharedInformation.ExpInterlockedPopEntrySListEnd D$ pExpInterlockedPopEntrySListEnd ; pointer to ExpInterlockedPopEntrySListEnd in ntdll.dll    
Wow64SharedInformation.RtlUserThreadStart D$ pRtlUserThreadStart ; pointer to RtlUserThreadStart in ntdll.dll    
Wow64SharedInformation.RtlpQueryProcessDebugInformationRemote D$ pRtlpQueryProcessDebugInformationRemote ; pointer to RtlpQueryProcessDebugInformationRemote in ntdll.dll    
Wow64SharedInformation.EtwpNotificationThread D$ pEtwpNotificationThread ; pointer to EtwpNotificationThread in ntdll.dll    
Wow64SharedInformation.BaseAddress D$ pBaseAddress ; pointer to BaseAddress in ntdll.dll    
Wow64SharedInformation.Reserved1 Reserved pointer    
Wow64SharedInformation.Reserved2 Reserved pointer    
Wow64SharedInformation.Reserved3 Reserved pointer    
Wow64SharedInformation.Reserved4 Reserved pointer


[guga]

Btw, i´m also finding some valid information on an app called XNTSV of a russian guy who made this awesome tool that displays detailed information about Windows system structures.

Too bad it uses quicktime, otherwise i could try to port it to assembly. (I have no idea how to port or use qtime apis)

He also made another tool that is a pdb ripper, that uses msdia100.dll, which, btw, can be easilly ported to assembly. I´ll give a try on it eventually, but will focus on the new msdia120.dll which i succeed to dl yesterday. (It was a hell to get and install this crap: mssdia SDK120 without windows 8 ), but i suceed to get it :).
Btw, if someone want the new msdia120 SDK to give a try, i upload it here