KUSER_SHARED_DATA documented

[guga]

KUSER_SHARED_DATA documented by me. - Updated (Included the complete Wow64Information Table Pointer untill windows 8 )

This version is for winXP SP3, but i´m documenting the others from NT to Win7 and will make a pdf for them soon and will updating them here

For a matter of update. I need some info about Wow64SharedInformation. I know that there is a enumeration in wow64t.h as:

Code Select Expand


typedef enum _WOW64_SHARED_INFORMATION
{
    SharedNtdll32LdrInitializeThunk,
    SharedNtdll32KiUserExceptionDispatcher,
    SharedNtdll32KiUserApcDispatcher,
    SharedNtdll32KiUserCallbackDispatcher,
    SharedNtdll32LdrHotPatchRoutine,
    SharedNtdll32ExpInterlockedPopEntrySListFault,
    SharedNtdll32ExpInterlockedPopEntrySListResume,
    SharedNtdll32ExpInterlockedPopEntrySListEnd,
    SharedNtdll32RtlUserThreadStart,
    SharedNtdll32RtlpQueryProcessDebugInformationRemote,
    SharedNtdll32EtwpNotificationThread,
    SharedNtdll32BaseAddress,
    Wow64SharedPageEntriesCount
} WOW64_SHARED_INFORMATION;


Each Dword represents the enumeration  described in WOW64_SHARED_INFORMATION.
So the 1st dword should be a pointer to LdrInitializeThunk inside ntdll.dll
the 2nd dword is a pointer to KiUserExceptionDispatcher
and so on.

The problem is i don´t have wow64 (neither windows 8 ) to check the rest of the table.

If someone have wow64 activated (And the last windows version), can you please check the pointers inside Wow64SharedInformation ?
I documented only untill BaseAddress (The 12th dword). The last 4 dwords are missing information or they are currently reserved for other versions of windows prior to 8. But, if someone have the latest windows versions (with wow64) and check their last 4 pointers i´ll appreciate it :).

Below is s small piece of code i made how to retrieve this information

Code Select Expand


; Just equates to easier retrieve the necessary info
[KUSER_SHARED_DATA_XPSP3.TickCountLowDeprecatedDis 0
KUSER_SHARED_DATA_XPSP3.TickCountMultiplierDis 4
KUSER_SHARED_DATA_XPSP3.InterruptTime.LowPartDis 8
KUSER_SHARED_DATA_XPSP3.InterruptTime.High1TimeDis 12
KUSER_SHARED_DATA_XPSP3.InterruptTime.High2TimeDis 16
KUSER_SHARED_DATA_XPSP3.SystemTime.LowPartDis 20
KUSER_SHARED_DATA_XPSP3.SystemTime.High1TimeDis 24
KUSER_SHARED_DATA_XPSP3.SystemTime.High2TimeDis 28
KUSER_SHARED_DATA_XPSP3.TimeZoneBias.LowPartDis 32
KUSER_SHARED_DATA_XPSP3.TimeZoneBias.High1TimeDis 36
KUSER_SHARED_DATA_XPSP3.TimeZoneBias.High2TimeDis 40
KUSER_SHARED_DATA_XPSP3.ImageNumberLowDis 44
KUSER_SHARED_DATA_XPSP3.ImageNumberHighDis 46
KUSER_SHARED_DATA_XPSP3.NtSystemRootDis 48
KUSER_SHARED_DATA_XPSP3.MaxStackTraceDepthDis 568
KUSER_SHARED_DATA_XPSP3.CryptoExponentDis 572
KUSER_SHARED_DATA_XPSP3.TimeZoneIdDis 576
KUSER_SHARED_DATA_XPSP3.LargePageMinimumDis 580
KUSER_SHARED_DATA_XPSP3.Reserved2Dis 584
KUSER_SHARED_DATA_XPSP3.NtProductTypeDis 612
KUSER_SHARED_DATA_XPSP3.Padding0Dis 613
KUSER_SHARED_DATA_XPSP3.ProductTypeIsValidDis 616
KUSER_SHARED_DATA_XPSP3.NtMajorVersionDis 620
KUSER_SHARED_DATA_XPSP3.NtMinorVersionDis 624
KUSER_SHARED_DATA_XPSP3.ProcessorFeaturesDis 628
KUSER_SHARED_DATA_XPSP3.Reserved1Dis 692
KUSER_SHARED_DATA_XPSP3.Reserved3Dis 696
KUSER_SHARED_DATA_XPSP3.TimeSlipDis 700
KUSER_SHARED_DATA_XPSP3.AlternativeArchitectureDis 704
KUSER_SHARED_DATA_XPSP3.AltArchitecturePadDis 708
KUSER_SHARED_DATA_XPSP3.SystemExpirationDateDis 712
KUSER_SHARED_DATA_XPSP3.SuiteMaskDis 720
KUSER_SHARED_DATA_XPSP3.KdDebuggerEnabledDis 724
KUSER_SHARED_DATA_XPSP3.NXSupportPolicyDis 725
KUSER_SHARED_DATA_XPSP3.Padding1Dis 727
KUSER_SHARED_DATA_XPSP3.ActiveConsoleIdDis 728
KUSER_SHARED_DATA_XPSP3.DismountCountDis 732
KUSER_SHARED_DATA_XPSP3.ComPlusPackageDis 736
KUSER_SHARED_DATA_XPSP3.LastSystemRITEventTickCountDis 740
KUSER_SHARED_DATA_XPSP3.NumberOfPhysicalPagesDis 744
KUSER_SHARED_DATA_XPSP3.SafeBootModeDis 748
KUSER_SHARED_DATA_XPSP3.Padding2Dis 749
KUSER_SHARED_DATA_XPSP3.TraceLoggingDis 752
KUSER_SHARED_DATA_XPSP3.Fill0Dis 756
KUSER_SHARED_DATA_XPSP3.TestRetInstructionDis 760
KUSER_SHARED_DATA_XPSP3.SystemCallDis 768
KUSER_SHARED_DATA_XPSP3.SystemCallReturnDis 772
KUSER_SHARED_DATA_XPSP3.SystemCallPadDis 776
KUSER_SHARED_DATA_XPSP3.TickCountDis 800
KUSER_SHARED_DATA_XPSP3.TickCountQuadDis 800
KUSER_SHARED_DATA_XPSP3.Padding3Dis 812
KUSER_SHARED_DATA_XPSP3.CookieDis 816
KUSER_SHARED_DATA_XPSP3.Wow64SharedInformationDis 820]

[Size_Of_KUSER_SHARED_DATA_XPSP3 884]

; ebx points to the start of the table
GetWow64Info:
     mov eax &MM_SHARED_USER_DATA_VA
     lea ebx D$eax+KUSER_SHARED_DATA_XPSP3.Wow64SharedInformationDis
...


[guga]

Oops

never mind...I was right about wow64. It is a pointer table as described here

[Gunther]

Gustavo,

never mind...I was right about wow64. It is a pointer table as described here

That's a very good explanation of the background. Thank you.  :t

Gunther

[guga]

Tks Gunther

I just found others sources of information such as
http://msdn.moonsols.com/win7rtm_x64/WOW64_SHARED_INFORMATION.html
http://pyew.googlecode.com/hg-history/6b1687c5e42b740f4f7933c4be7e45395311830e/vstruct/defs/windows/win_6_1_amd64/win32k.py
and in Windows Research Kernel sources
http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/public/internal/base/inc/wow64t.h

I just updated the file to include the wow64Information Table complete untill windows 8

The wow64SharedInformation is a 16 dword table pointing to these apis inside ntdll.dll:

Code Select Expand

Wow64SharedInformation.LdrInitializeThunk D$ pLdrInitializeThunk ; pointer to LdrInitializeThunk in ntdll.dll    
Wow64SharedInformation.KiUserExceptionDispatcher D$ pKiUserExceptionDispatcher ; pointer to KiUserExceptionDispatcher in ntdll.dll    
Wow64SharedInformation.KiUserApcDispatcher D$ pKiUserApcDispatcher ; pointer to KiUserApcDispatcher in ntdll.dll    
Wow64SharedInformation.KiUserCallbackDispatcher D$ pKiUserCallbackDispatcher ; pointer to KiUserCallbackDispatcher in ntdll.dll    
Wow64SharedInformation.LdrHotPatchRoutine D$ pLdrHotPatchRoutine ; pointer to LdrHotPatchRoutine in ntdll.dll    
Wow64SharedInformation.ExpInterlockedPopEntrySListFault D$ pExpInterlockedPopEntrySListFault ; pointer to ExpInterlockedPopEntrySListFault in ntdll.dll    
Wow64SharedInformation.ExpInterlockedPopEntrySListResume D$ pExpInterlockedPopEntrySListResume ; pointer to ExpInterlockedPopEntrySListResume in ntdll.dll    
Wow64SharedInformation.ExpInterlockedPopEntrySListEnd D$ pExpInterlockedPopEntrySListEnd ; pointer to ExpInterlockedPopEntrySListEnd in ntdll.dll    
Wow64SharedInformation.RtlUserThreadStart D$ pRtlUserThreadStart ; pointer to RtlUserThreadStart in ntdll.dll    
Wow64SharedInformation.RtlpQueryProcessDebugInformationRemote D$ pRtlpQueryProcessDebugInformationRemote ; pointer to RtlpQueryProcessDebugInformationRemote in ntdll.dll    
Wow64SharedInformation.EtwpNotificationThread D$ pEtwpNotificationThread ; pointer to EtwpNotificationThread in ntdll.dll    
Wow64SharedInformation.BaseAddress D$ pBaseAddress ; pointer to BaseAddress in ntdll.dll    
Wow64SharedInformation.Reserved1 Reserved pointer    
Wow64SharedInformation.Reserved2 Reserved pointer    
Wow64SharedInformation.Reserved3 Reserved pointer    
Wow64SharedInformation.Reserved4 Reserved pointer


[guga]

Btw, i´m also finding some valid information on an app called XNTSV of a russian guy who made this awesome tool that displays detailed information about Windows system structures.

Too bad it uses quicktime, otherwise i could try to port it to assembly. (I have no idea how to port or use qtime apis)

He also made another tool that is a pdb ripper, that uses msdia100.dll, which, btw, can be easilly ported to assembly. I´ll give a try on it eventually, but will focus on the new msdia120.dll which i succeed to dl yesterday. (It was a hell to get and install this crap: mssdia SDK120 without windows 8 ), but i suceed to get it :).
Btw, if someone want the new msdia120 SDK to give a try, i upload it here