bool NtQuerySysHandleInfo(DynBuf & buf) { ULONG RequiredSize = NULL; buf.Allocate(sizeof(SYSTEM_HANDLE_INFORMATION)); NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize); buf.Allocate(RequiredSize + sizeof(SYSTEM_HANDLE_INFORMATION)); return (NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize) >= 0); }
BOOL APIENTRY EngQuerySystemAttribute( _In_ ENG_SYSTEM_ATTRIBUTE CapNum, _Out_ PDWORD pCapability) { SYSTEM_BASIC_INFORMATION sbi; SYSTEM_PROCESSOR_INFORMATION spi; switch (CapNum) { case EngNumberOfProcessors: NtQuerySystemInformation(SystemBasicInformation, &sbi, sizeof(SYSTEM_BASIC_INFORMATION), NULL); *pCapability = sbi.NumberOfProcessors; return TRUE; case EngProcessorFeature: NtQuerySystemInformation(SystemProcessorInformation, &spi, sizeof(SYSTEM_PROCESSOR_INFORMATION), NULL); *pCapability = spi.ProcessorFeatureBits; return TRUE; default: break; } return FALSE; }
ULONG GetWin32kBase() { ULONG i, Count, Status, BytesRet; PSYSTEM_MODULE_INFORMATION pSMI; Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length if(Status!=STATUS_INFO_LENGTH_MISMATCH) printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status)); pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet); Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet); if(Status!=STATUS_SUCCESS) printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status)); /* The data returned to the SystemInformation buffer is a ULONG count of the number of handles followed immediately by an array of SYSTEM_MODULE_INFORMATION. */ Count=*(PULONG)pSMI; pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4); for(i=0; i<Count; i++) { if(StrStr((pSMI+i)->ImageName, "win32k.sys")) return (ULONG)(pSMI+i)->Base; } HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI); return 0; }
void CpuMuninNodePlugin::CalculateCpuLoad() { if (NtQuerySystemInformation != NULL && GetSystemTimes != NULL) { LONG status; SYSTEM_TIME_INFORMATION SysTimeInfo; SYSTEM_BASIC_INFORMATION SysBaseInfo; // get number of processors in the system status = NtQuerySystemInformation(SystemBasicInformation, &SysBaseInfo, sizeof(SysBaseInfo), NULL); if (status != NO_ERROR) { printf("Querying SystemBasicInformation failed: 0x%x\n", status); return; } // get new system time status = NtQuerySystemInformation(SystemTimeInformation, &SysTimeInfo, sizeof(SysTimeInfo), NULL); if (status!=NO_ERROR) { printf("Querying SystemTimeInformation failed: 0x%x\n", status); return; } // get new CPU times // http://www.codeproject.com/Articles/9113/Get-CPU-Usage-with-GetSystemTimes FILETIME ftIdleTime; FILETIME ftKernelTime; FILETIME ftUserTime; BOOL result = GetSystemTimes((LPFILETIME)&ftIdleTime, (LPFILETIME)&ftKernelTime, (LPFILETIME)&ftUserTime); if (result == FALSE) { printf("GetSystemTimes failed\n"); return; } unsigned long long systemTime = FileTimeToInt64(ftKernelTime) + FileTimeToInt64(ftUserTime); unsigned long long idleTime = FileTimeToInt64(ftIdleTime); // if it's a first call - skip it if (liOldIdleTime != 0) { // CurrentValue = NewValue - OldValue __int64 diffIdleTime = idleTime - liOldIdleTime; __int64 diffSystemTime = systemTime - liOldSystemTime; dbCpuTimePercent = (1.0f - ((diffSystemTime > 0) ? ((float)diffIdleTime) / diffSystemTime : 0)) * 100; } // store new times liOldIdleTime = idleTime; liOldSystemTime = systemTime; } else { printf("NtQuerySystemInformation or GetSystemTimes functions not available\n"); } }
/* Vista Or Above 在基本用户的权限下也可 返回DOS device path */ BOOL GetProcessPathByPID5(DWORD dwProcessID, LPTSTR szFullPath, DWORD nSize) { NTSTATUS Status; PVOID pBuffer; SYSTEM_PROCESS_ID_INFORMATION info; _NtQuerySystemInformation NtQuerySystemInformation; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress( GetModuleHandle(_T("ntdll.dll")), "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) { ODS(_T("NtQuerySystemInformation address error!")); return FALSE; } pBuffer = malloc(0x100); info.ProcessId = (HANDLE)dwProcessID; info.ImageName.Length = 0; info.ImageName.MaximumLength = (USHORT)0x100; info.ImageName.Buffer = pBuffer; Status = NtQuerySystemInformation(SystemProcessIdInformation, &info, sizeof(info), NULL); if (Status == STATUS_INFO_LENGTH_MISMATCH) { free(pBuffer); pBuffer = malloc(info.ImageName.MaximumLength); info.ImageName.Buffer = pBuffer; Status = NtQuerySystemInformation(SystemProcessIdInformation, &info, sizeof(info), NULL); } if (!NT_SUCCESS(Status)) { ODS(_T("NtQuerySystemInformation failed!")); free(pBuffer); return FALSE; } #ifdef UNICODE lstrcpynW(szFullPath, info.ImageName.Buffer, nSize); #else WideCharToMultiByte(CP_ACP, 0, info.ImageName.Buffer, -1, szFullPath, nSize, NULL, NULL); #endif free(pBuffer); DosDevicePathToWin32Path(szFullPath); return TRUE; }
/* * @implemented */ BOOL WINAPI GetLogicalProcessorInformation(OUT PSYSTEM_LOGICAL_PROCESSOR_INFORMATION Buffer, IN OUT PDWORD ReturnLength) { NTSTATUS Status; if (!ReturnLength) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; } Status = NtQuerySystemInformation(SystemLogicalProcessorInformation, Buffer, *ReturnLength, ReturnLength); /* Normalize the error to what Win32 expects */ if (Status == STATUS_INFO_LENGTH_MISMATCH) Status = STATUS_BUFFER_TOO_SMALL; if (!NT_SUCCESS(Status)) { BaseSetLastNTError(Status); return FALSE; } return TRUE; }
static void *get_mod_info() { DWORD got = 0; void *m; NTSTATUS ret = NtQuerySystemInformation( SystemModuleInformation, NULL, 0, &got); if (ret != STATUS_INFO_LENGTH_MISMATCH) return NULL; m = malloc(got); if (NT_SUCCESS(NtQuerySystemInformation(SystemModuleInformation, m, got, &got))) return m; free(m); return NULL; }
VOID NTAPI SmpMakeSystemManagedPagingFileDescriptor(IN PSMP_PAGEFILE_DESCRIPTOR Descriptor) { NTSTATUS Status; LONGLONG MinimumSize, MaximumSize, Ram; SYSTEM_BASIC_INFORMATION BasicInfo; /* Query the page size of the system, and the amount of RAM */ Status = NtQuerySystemInformation(SystemBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL); if (!NT_SUCCESS(Status)) { /* If we failed, use defaults since we have no idea otherwise */ DPRINT1("SMSS:PFILE: NtQuerySystemInformation failed with %x \n", Status); SmpMakeDefaultPagingFileDescriptor(Descriptor); return; } /* Chekc how much RAM we have and set three times this amount as maximum */ Ram = BasicInfo.NumberOfPhysicalPages * BasicInfo.PageSize; MaximumSize = 3 * Ram; /* If we have more than 1GB, use that as minimum, otherwise, use 1.5X RAM */ MinimumSize = (Ram >= 1024 * MEGABYTE) ? Ram : MaximumSize / 2; /* Write the new sizes in the descriptor and mark it as system managed */ Descriptor->MinSize.QuadPart = MinimumSize; Descriptor->MaxSize.QuadPart = MaximumSize; Descriptor->Flags |= SMP_PAGEFILE_SYSTEM_MANAGED; }
PVOID GetKernelModuleInfo(CHAR * target_name, PVOID* base, LONG* size) { PVOID buffer = NULL; ULONG buf_size = 0x5000; NTSTATUS result; do { buffer = ExAllocatePool(PagedPool, buf_size); if (buffer == NULL) { return NULL; } ULONG need; result = NtQuerySystemInformation(SystemModuleInformation, buffer, buf_size, &need); if (result == STATUS_INFO_LENGTH_MISMATCH) { ExFreePool(buffer); buf_size *= 2; } else if (!NT_SUCCESS(result)) { ExFreePool(buffer); return NULL; } } while (result == STATUS_INFO_LENGTH_MISMATCH); PSYSTEM_MODULE_INFORMATION system_module_info = (PSYSTEM_MODULE_INFORMATION)buffer; int module_count = system_module_info->Count; for(int i=0; i<module_count; i++){ CHAR* name = system_module_info->Module[i].ImageName + system_module_info->Module[i].PathLength; //DbgPrint("kernel module: %s,%p \n", name, system_module_info->Module[i].Base); if (_stricmp(name, target_name) == 0) { *base = system_module_info->Module[i].Base; *size = system_module_info->Module[i].Size; } } return NULL; }
void list_processes(void) { PSYSTEM_PROCESS_INFORMATION pspi; ULONG ofs = 0, sz, i, j; NTSTATUS r; sz = 0; r = NtQuerySystemInformation( SystemProcessInformation, buffer, sizeof buffer, &sz ); ok( r == STATUS_SUCCESS, "NtQuerySystemInformation failed\n" ); if (r != STATUS_SUCCESS) return; for (i=0, ofs=0; ofs<sz; i++) { pspi = (PSYSTEM_PROCESS_INFORMATION) (buffer + ofs); dprintf( "%ld %ld %ld %S\n", pspi->ThreadCount, pspi->ProcessId, pspi->InheritedFromProcessId, pspi->ProcessName.Buffer); for (j=0; j<pspi->ThreadCount; j++) { dprintf("%p %p %p %08lx %08lx\n", pspi->Threads[j].StartAddress, pspi->Threads[j].ClientId.UniqueProcess, pspi->Threads[j].ClientId.UniqueThread, pspi->Threads[j].State, pspi->Threads[j].WaitReason); } if (!pspi->NextEntryDelta) break; ofs += pspi->NextEntryDelta; } }
static int stat_gettext(int tag, char *buf) { char *original_buf = buf; /* TODO: Support more than one processors */ LARGE_INTEGER idle_time, kernel_time, user_time; GetSystemTimes((FILETIME *)&idle_time, (FILETIME *)&kernel_time, (FILETIME *)&user_time); uint64_t user = user_time.QuadPart / (TICKS_PER_SECOND / USER_HZ); uint64_t nice = 0; uint64_t system = kernel_time.QuadPart / (TICKS_PER_SECOND / USER_HZ); uint64_t idle = idle_time.QuadPart / (TICKS_PER_SECOND / USER_HZ); system -= idle; /* KernelTime includes IdleTime */ uint64_t iowait = 0; uint64_t irq = 0; uint64_t softirq = 0; uint64_t steal = 0, guest = 0, guest_nice = 0; buf += ksprintf(buf, "cpu %llu %llu %llu %llu %llu %llu %llu %llu %llu %llu\n", user, nice, system, idle, iowait, irq, softirq, steal, guest, guest_nice); buf += ksprintf(buf, "intr %llu\n", 0); buf += ksprintf(buf, "swap %llu %llu\n", 0); uint64_t ctxt = 0; buf += ksprintf(buf, "ctxt %llu\n", ctxt); /* Boot time */ SYSTEM_TIMEOFDAY_INFORMATION tod_info; NtQuerySystemInformation(SystemTimeOfDayInformation, &tod_info, sizeof(tod_info), NULL); uint64_t btime = filetime_to_unix_sec((FILETIME *)&tod_info.BootTime); buf += ksprintf(buf, "btime %llu\n", btime); uint64_t processes = 0; buf += ksprintf(buf, "processes %llu\n", processes); int procs_running = 1; buf += ksprintf(buf, "procs_running %d\n", procs_running); int procs_blocked = 0; buf += ksprintf(buf, "procs_blocked %d\n", procs_blocked); return buf - original_buf; }
bool mod_mimikatz_sekurlsa::searchPasswords(vector<wstring> * arguments) { if(searchLSASSDatas()) { if(PNT_QUERY_SYSTEM_INFORMATION NtQuerySystemInformation = reinterpret_cast<PNT_QUERY_SYSTEM_INFORMATION>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQuerySystemInformation"))) { #ifdef _M_X64 PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0xffff080000000000); #elif defined _M_IX86 PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0x80000000); #endif ULONG maTaille = 0; NtQuerySystemInformation(KIWI_SystemMmSystemRangeStart, &MmSystemRangeStart, sizeof(PBYTE), &maTaille); DWORD nbPossible = 0; for(PBYTE pMemoire = 0; pMemoire < MmSystemRangeStart ; ) { MEMORY_BASIC_INFORMATION mesInfos; if(VirtualQueryEx(hLSASS, pMemoire, &mesInfos, sizeof(MEMORY_BASIC_INFORMATION)) > 0) { if((mesInfos.Protect & PAGE_READWRITE) && !(mesInfos.Protect & PAGE_GUARD) && (mesInfos.Type == MEM_PRIVATE)) { UNICODE_STRING donnees[3]; for(PBYTE pZone = reinterpret_cast<PBYTE>(mesInfos.BaseAddress); pZone < (reinterpret_cast<PBYTE>(mesInfos.BaseAddress) + mesInfos.RegionSize - 3*sizeof(UNICODE_STRING)); pZone += sizeof(DWORD)) { if(mod_memory::readMemory(pZone, donnees, 3*sizeof(UNICODE_STRING), hLSASS)) { if( (donnees[0].Length && !((donnees[0].Length & 1) || (donnees[0].MaximumLength & 1)) && (donnees[0].Length < sizeof(wchar_t)*0xff) && (donnees[0].Length <= donnees[0].MaximumLength) && donnees[0].Buffer) && (donnees[1].Length && !((donnees[1].Length & 1) || (donnees[1].MaximumLength & 1)) && (donnees[1].Length < sizeof(wchar_t)*0xff) && (donnees[1].Length <= donnees[1].MaximumLength) && donnees[1].Buffer) && (donnees[2].Length && !((donnees[2].Length & 1) || (donnees[2].MaximumLength & 1)) && (donnees[2].Length < sizeof(wchar_t)*0xff) && (donnees[2].Length <= donnees[2].MaximumLength) && donnees[2].Buffer) ) { wstring user, domain, password; BYTE * bPassword = NULL; if(ressembleString(&donnees[0], &user) && ressembleString(&donnees[1], &domain) && !ressembleString(&donnees[2], NULL, &bPassword)) { if(bPassword) { mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(bPassword, donnees[2].MaximumLength); password.assign(mod_text::stringOrHex(bPassword, donnees[2].Length, 0, false)); } (*outputStream) << L"[" << nbPossible++ << L"] { " << user << L" ; " << domain << L" ; " << password << L" }" << endl; } if(bPassword) delete[] bPassword; } } } } pMemoire += mesInfos.RegionSize; } else break; } } } else (*outputStream) << L"Données LSASS en erreur" << endl; return true; }
BOOL leakHal() { _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation"); PRTL_PROCESS_MODULES pModuleInfo; DWORD ntoskrnlBase; DWORD HalDTUser, HalDTOffset; HMODULE userKernel; pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (pModuleInfo == NULL) { printf("Could not allocate memory\n"); return FALSE; } NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL); ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase; userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES); if (userKernel == NULL) { printf("Could not load ntoskrnl.exe\n"); return FALSE; } HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable"); HalDTOffset = HalDTUser - (DWORD)userKernel; g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000; return TRUE; }
NTSTATUS CsrOneTimeInitialize( VOID ) { NTSTATUS Status; // // Save away system information in a global variable // Status = NtQuerySystemInformation( SystemBasicInformation, &CsrNtSysInfo, sizeof( CsrNtSysInfo ), NULL ); if (!NT_SUCCESS( Status )) { return( Status ); } // // Use the process heap for memory allocation. // CsrHeap = RtlProcessHeap(); CsrInitOnceDone = TRUE; return( STATUS_SUCCESS ); }
/****************************************************************** * fetch_process_info * * reads system wide process information, and make spi point to the record * for process of id 'pid' */ static BOOL fetch_process_info(struct dump_context* dc) { ULONG buf_size = 0x1000; NTSTATUS nts; dc->pcs_buffer = NULL; if (!(dc->pcs_buffer = HeapAlloc(GetProcessHeap(), 0, buf_size))) return FALSE; for (;;) { nts = NtQuerySystemInformation(SystemProcessInformation, dc->pcs_buffer, buf_size, NULL); if (nts != STATUS_INFO_LENGTH_MISMATCH) break; dc->pcs_buffer = HeapReAlloc(GetProcessHeap(), 0, dc->pcs_buffer, buf_size *= 2); if (!dc->pcs_buffer) return FALSE; } if (nts == STATUS_SUCCESS) { dc->spi = dc->pcs_buffer; for (;;) { if (dc->spi->dwProcessID == dc->pid) return TRUE; if (!dc->spi->dwOffset) break; dc->spi = (SYSTEM_PROCESS_INFORMATION*) ((char*)dc->spi + dc->spi->dwOffset); } } HeapFree(GetProcessHeap(), 0, dc->pcs_buffer); dc->pcs_buffer = NULL; dc->spi = NULL; return FALSE; }
BOOL APIENTRY EngQuerySystemAttribute( _In_ ENG_SYSTEM_ATTRIBUTE CapNum, _Out_ PDWORD pCapability) { SYSTEM_BASIC_INFORMATION sbi; SYSTEM_PROCESSOR_INFORMATION spi; NTSTATUS status; switch (CapNum) { case EngNumberOfProcessors: status = NtQuerySystemInformation(SystemBasicInformation, &sbi, sizeof(SYSTEM_BASIC_INFORMATION), NULL); if (!NT_SUCCESS(status)) { DPRINT1("Failed to query basic information: 0x%lx\n", status); return FALSE; } *pCapability = sbi.NumberOfProcessors; return TRUE; case EngProcessorFeature: status = NtQuerySystemInformation(SystemProcessorInformation, &spi, sizeof(SYSTEM_PROCESSOR_INFORMATION), NULL); if (!NT_SUCCESS(status)) { DPRINT1("Failed to query processor information: 0x%lx\n", status); return FALSE; } *pCapability = spi.ProcessorFeatureBits; return TRUE; default: break; } return FALSE; }
static PVOID get_module_base (void) { PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD i, num_modules, status, rlen; PVOID result; status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen); if (status != STATUS_INFO_LENGTH_MISMATCH) { fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); exit (EXIT_FAILURE); } pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen); status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen); if (status != STATUS_SUCCESS) { fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); exit (EXIT_FAILURE); } num_modules = pModuleInfo->Count; pModuleBase = &pModuleInfo->Module[0]; result = NULL; for (i = 0; i < num_modules; i++, pModuleBase++) if (strstr (pModuleBase->ImageName, "IPSECDRV.sys")) { result = pModuleBase->Base; break; } HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo); return (result); }
VOID FinishBenchMark ( IN PPERFINFO PerfInfo ) { ULONG ContextSwitches; LARGE_INTEGER Duration; ULONG FirstLevelFills; ULONG InterruptCount; ULONG Length; ULONG Performance; ULONG SecondLevelFills; NTSTATUS Status; ULONG SystemCalls; SYSTEM_PERFORMANCE_INFORMATION SystemInfo; // // Print results and announce end of test. // NtQuerySystemTime((PLARGE_INTEGER)&PerfInfo->StopTime); Status = NtQuerySystemInformation(SystemPerformanceInformation, (PVOID)&SystemInfo, sizeof(SYSTEM_PERFORMANCE_INFORMATION), NULL); if (NT_SUCCESS(Status) == FALSE) { printf("Failed to query performance information, status = %lx\n", Status); return; } Duration = RtlLargeIntegerSubtract(PerfInfo->StopTime, PerfInfo->StartTime); Length = Duration.LowPart / 10000; printf(" Test time in milliseconds %d\n", Length); printf(" Number of iterations %d\n", PerfInfo->Iterations); Performance = PerfInfo->Iterations * 1000 / Length; printf(" Iterations per second %d\n", Performance); ContextSwitches = SystemInfo.ContextSwitches - PerfInfo->ContextSwitches; FirstLevelFills = SystemInfo.FirstLevelTbFills - PerfInfo->FirstLevelFills; InterruptCount = SystemInfo.InterruptCount - PerfInfo->InterruptCount; SecondLevelFills = SystemInfo.SecondLevelTbFills - PerfInfo->SecondLevelFills; SystemCalls = SystemInfo.SystemCalls - PerfInfo->SystemCalls; printf(" First Level TB Fills %d\n", FirstLevelFills); printf(" Second Level TB Fills %d\n", SecondLevelFills); printf(" Number of Interrupts %d\n", InterruptCount); printf(" Total Context Switches %d\n", ContextSwitches); printf(" Number of System Calls %d\n", SystemCalls); printf("*** End of Test ***\n\n"); return; }
VOID GetHardwareInfo() { int i = 0; int monitorCount; HANDLE gdi32; int cores = 0; //use 64 bits to force allmul() on 32 bit builds UINT64 physicalPages; UINT64 pageSize; InitGpuHardware(); GPU_Initialize(PushSharedMemory->HarwareInformation.DisplayDevice.pciAddress); PushSharedMemory->HarwareInformation.DisplayDevice.FrameBuffer.Total = GPU_GetTotalMemory(); PushSharedMemory->HarwareInformation.DisplayDevice.EngineClockMax = GPU_GetMaximumEngineClock(); PushSharedMemory->HarwareInformation.DisplayDevice.MemoryClockMax = GPU_GetMaximumMemoryClock(); PushSharedMemory->HarwareInformation.DisplayDevice.VoltageMax = GPU_GetMaximumVoltage(); if (Ini_ReadBoolean(L"Settings", L"GpuUsageD3DKMT", FALSE, L".\\" PUSH_SETTINGS_FILE)) PushGpuLoadD3DKMT = TRUE; // Get the number of processors in the system NtQuerySystemInformation(SystemBasicInformation, &HwInfoSystemBasicInformation, sizeof(SYSTEM_BASIC_INFORMATION), 0); PushSharedMemory->HarwareInformation.Processor.NumberOfThreads = HwInfoSystemBasicInformation.NumberOfProcessors; physicalPages = HwInfoSystemBasicInformation.NumberOfPhysicalPages; pageSize = HwInfoSystemBasicInformation.PageSize; //byte => megabytes PushSharedMemory->HarwareInformation.Memory.Total = (physicalPages * pageSize) / 1048576; cores = CPU_Intialize(); PushSharedMemory->HarwareInformation.Processor.NumberOfCores = cores; PushSharedMemory->HarwareInformation.Processor.TjMax = CPU_GetTemperatureMaximal(); PushSharedMemory->HarwareInformation.Processor.MhzBase = CPU_GetBaseSpeed(); // Monitors gdi32 = Module_Load(L"gdi32.dll"); GetNumberOfPhysicalMonitors = Module_GetProcedureAddress(gdi32, "GetNumberOfPhysicalMonitors"); GetPhysicalMonitors = Module_GetProcedureAddress(gdi32, "GetPhysicalMonitors"); DDCCIGetTimingReport = Module_GetProcedureAddress(gdi32, "DDCCIGetTimingReport"); DDCCIGetVCPFeature = Module_GetProcedureAddress(gdi32, "DDCCIGetVCPFeature"); DDCCISetVCPFeature = Module_GetProcedureAddress(gdi32, "DDCCISetVCPFeature"); monitorCount = GetSystemMetrics(SM_CMONITORS); MonitorWidth = GetSystemMetrics(SM_CXSCREEN); MonitorHeight = GetSystemMetrics(SM_CYSCREEN); MonitorHandles = Memory_Allocate(sizeof(HANDLE) * monitorCount); EnumDisplayMonitors(NULL, NULL, MonitorEnumProc, NULL); }
NTSTATUS NTAPI PsaCaptureProcessesAndThreads(OUT PSYSTEM_PROCESS_INFORMATION *ProcessesAndThreads) { PSYSTEM_PROCESS_INFORMATION pInfoBuffer = NULL; SIZE_T nSize = 0x8000; NTSTATUS Status; if(ProcessesAndThreads == NULL) { return STATUS_INVALID_PARAMETER_1; } /* FIXME: if the system has loaded several processes and threads, the buffer could get really big. But if there's several processes and threads, the system is already under stress, and a huge buffer could only make things worse. The function should be profiled to see what's the average minimum buffer size, to succeed on the first shot */ do { PVOID pTmp; /* free the buffer, and reallocate it to the new size. RATIONALE: since we ignore the buffer's contents at this point, there's no point in a realloc() that could end up copying a large chunk of data we'd discard anyway */ PsaiFree(pInfoBuffer); pTmp = PsaiMalloc(nSize); if(pTmp == NULL) { DPRINT(FAILED_WITH_STATUS, "PsaiMalloc", STATUS_NO_MEMORY); Status = STATUS_NO_MEMORY; break; } pInfoBuffer = pTmp; /* query the information */ Status = NtQuerySystemInformation(SystemProcessInformation, pInfoBuffer, nSize, NULL); /* double the buffer size */ nSize *= 2; } while(Status == STATUS_INFO_LENGTH_MISMATCH); if(!NT_SUCCESS(Status)) { DPRINT(FAILED_WITH_STATUS, "NtQuerySystemInformation", Status); return Status; } *ProcessesAndThreads = pInfoBuffer; return STATUS_SUCCESS; }
/* create the platform-specific environment registry keys */ static void create_environment_registry_keys( void ) { static const WCHAR EnvironW[] = {'S','y','s','t','e','m','\\', 'C','u','r','r','e','n','t','C','o','n','t','r','o','l','S','e','t','\\', 'C','o','n','t','r','o','l','\\', 'S','e','s','s','i','o','n',' ','M','a','n','a','g','e','r','\\', 'E','n','v','i','r','o','n','m','e','n','t',0}; static const WCHAR NumProcW[] = {'N','U','M','B','E','R','_','O','F','_','P','R','O','C','E','S','S','O','R','S',0}; static const WCHAR ProcArchW[] = {'P','R','O','C','E','S','S','O','R','_','A','R','C','H','I','T','E','C','T','U','R','E',0}; static const WCHAR x86W[] = {'x','8','6',0}; static const WCHAR IA64W[] = {'I','A','6','4',0}; static const WCHAR AMD64W[] = {'A','M','D','6','4',0}; static const WCHAR ProcIdW[] = {'P','R','O','C','E','S','S','O','R','_','I','D','E','N','T','I','F','I','E','R',0}; static const WCHAR ProcLvlW[] = {'P','R','O','C','E','S','S','O','R','_','L','E','V','E','L',0}; static const WCHAR ProcRevW[] = {'P','R','O','C','E','S','S','O','R','_','R','E','V','I','S','I','O','N',0}; static const WCHAR PercentDW[] = {'%','d',0}; static const WCHAR Percent04XW[] = {'%','0','4','x',0}; static const WCHAR IntelCpuDescrW[] = {'%','s',' ','F','a','m','i','l','y',' ','%','d',' ','M','o','d','e','l',' ','%','d', ' ','S','t','e','p','p','i','n','g',' ','%','d',',',' ','G','e','n','u','i','n','e','I','n','t','e','l',0}; HKEY env_key; SYSTEM_CPU_INFORMATION sci; WCHAR buffer[60]; const WCHAR *arch; NtQuerySystemInformation( SystemCpuInformation, &sci, sizeof(sci), NULL ); if (RegCreateKeyW( HKEY_LOCAL_MACHINE, EnvironW, &env_key )) return; sprintfW( buffer, PercentDW, NtCurrentTeb()->Peb->NumberOfProcessors ); set_reg_value( env_key, NumProcW, buffer ); switch(sci.Architecture) { case PROCESSOR_ARCHITECTURE_AMD64: arch = AMD64W; break; case PROCESSOR_ARCHITECTURE_IA64: arch = IA64W; break; default: case PROCESSOR_ARCHITECTURE_INTEL: arch = x86W; break; } set_reg_value( env_key, ProcArchW, arch ); /* TODO: currently hardcoded Intel, add different processors */ sprintfW( buffer, IntelCpuDescrW, arch, sci.Level, HIBYTE(sci.Revision), LOBYTE(sci.Revision) ); set_reg_value( env_key, ProcIdW, buffer ); sprintfW( buffer, PercentDW, sci.Level ); set_reg_value( env_key, ProcLvlW, buffer ); /* Properly report model/stepping */ sprintfW( buffer, Percent04XW, sci.Revision ); set_reg_value( env_key, ProcRevW, buffer ); RegCloseKey( env_key ); }
static VOID PhInitializeSystemInformation( VOID ) { NtQuerySystemInformation( SystemBasicInformation, &PhSystemBasicInformation, sizeof(SYSTEM_BASIC_INFORMATION), NULL ); }
VOID PhSipTickCpuDialog( VOID ) { ULONG64 dpcCount; ULONG i; dpcCount = 0; if (NT_SUCCESS(NtQuerySystemInformation( SystemInterruptInformation, InterruptInformation, sizeof(SYSTEM_INTERRUPT_INFORMATION) * NumberOfProcessors, NULL ))) { for (i = 0; i < NumberOfProcessors; i++) dpcCount += InterruptInformation[i].DpcCount; } PhUpdateDelta(&ContextSwitchesDelta, PhPerfInformation.ContextSwitches); PhUpdateDelta(&InterruptsDelta, PhCpuTotals.InterruptCount); PhUpdateDelta(&DpcsDelta, dpcCount); PhUpdateDelta(&SystemCallsDelta, PhPerfInformation.SystemCalls); if (!NT_SUCCESS(NtPowerInformation( ProcessorInformation, NULL, 0, PowerInformation, sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors ))) { memset(PowerInformation, 0, sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors); } if (WindowsVersion >= WINDOWS_7) { if (PreviousPerformanceDistribution) PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = CurrentPerformanceDistribution; CurrentPerformanceDistribution = NULL; PhSipQueryProcessorPerformanceDistribution(&CurrentPerformanceDistribution); } CpuTicked++; if (CpuTicked > 2) CpuTicked = 2; PhSipUpdateCpuGraphs(); PhSipUpdateCpuPanel(); }
NTSTATUS kull_m_process_NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS informationClass, PVOID buffer, ULONG informationLength) { NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH; DWORD sizeOfBuffer, returnedLen; if(*(PVOID *) buffer) { status = NtQuerySystemInformation(informationClass, *(PVOID *) buffer, informationLength, &returnedLen); } else { for(sizeOfBuffer = 0x1000; (status == STATUS_INFO_LENGTH_MISMATCH) && (*(PVOID *) buffer = LocalAlloc(LPTR, sizeOfBuffer)) ; sizeOfBuffer <<= 1) { status = NtQuerySystemInformation(informationClass, *(PVOID *) buffer, sizeOfBuffer, &returnedLen); if(!NT_SUCCESS(status)) LocalFree(*(PVOID *) buffer); } } return status; }
ULONG getNtBase() { DWORD dwsize; DWORD dwSizeReturn; PUCHAR pBuffer = NULL; PSYSTEM_MODULE_INFORMATION pSmi=NULL; PSYSTEM_MODULE psm=NULL; NTSTATUS ntStatus=STATUS_UNSUCCESSFUL; ntStatus = NtQuerySystemInformation(SystemModuleInformation, pSmi, 0, &dwSizeReturn); if (ntStatus!=STATUS_INFO_LENGTH_MISMATCH) { MessageBoxA(NULL,"fuck1",NULL,NULL); return 0; } dwsize = dwSizeReturn*2; pSmi = (PSYSTEM_MODULE_INFORMATION)new char[dwsize]; if (pSmi==NULL) { MessageBoxA(NULL,"fuck2",NULL,NULL); return 0; } ntStatus = NtQuerySystemInformation(SystemModuleInformation, pSmi,dwsize, &dwSizeReturn); if (ntStatus!=STATUS_SUCCESS) { MessageBoxA(NULL,"fuck3",NULL,NULL); return 0; } DWORD dwcount = pSmi->uCount; psm = pSmi->aSM; DWORD ntbase = psm->Base; strcpy(osname, psm->ImageName); delete pSmi; return ntbase; }
NTSTATUS kull_m_process_getMemoryInformations(PKULL_M_MEMORY_HANDLE memory, PKULL_M_MEMORY_RANGE_ENUM_CALLBACK callBack, PVOID pvArg) { NTSTATUS status = STATUS_NOT_FOUND; MEMORY_BASIC_INFORMATION memoryInfos; PBYTE currentPage, maxPage; PMINIDUMP_MEMORY_INFO_LIST maListeInfo = NULL; PMINIDUMP_MEMORY_INFO mesInfos = NULL; ULONG i; BOOL continueCallback = TRUE; if(!NT_SUCCESS(NtQuerySystemInformation(KIWI_SystemMmSystemRangeStart, &maxPage, sizeof(PBYTE), NULL))) maxPage = MmSystemRangeStart; switch(memory->type) { case KULL_M_MEMORY_TYPE_OWN: for(currentPage = 0; (currentPage < maxPage) && continueCallback; currentPage += memoryInfos.RegionSize) if(VirtualQuery(currentPage, &memoryInfos, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION)) continueCallback = callBack(&memoryInfos, pvArg); else break; status = STATUS_SUCCESS; break; case KULL_M_MEMORY_TYPE_PROCESS: for(currentPage = 0; (currentPage < maxPage) && continueCallback; currentPage += memoryInfos.RegionSize) if(VirtualQueryEx(memory->pHandleProcess->hProcess, currentPage, &memoryInfos, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION)) continueCallback = callBack(&memoryInfos, pvArg); else break; status = STATUS_SUCCESS; break; case KULL_M_MEMORY_TYPE_PROCESS_DMP: if(maListeInfo = (PMINIDUMP_MEMORY_INFO_LIST) kull_m_minidump_stream(memory->pHandleProcessDmp->hMinidump, MemoryInfoListStream)) { for(i = 0; (i < maListeInfo->NumberOfEntries) && continueCallback; i++) { mesInfos = (PMINIDUMP_MEMORY_INFO) ((PBYTE) maListeInfo + maListeInfo->SizeOfHeader + (i * maListeInfo->SizeOfEntry)); memoryInfos.AllocationBase = (PVOID) mesInfos->AllocationBase; memoryInfos.AllocationProtect = mesInfos->AllocationProtect; memoryInfos.BaseAddress = (PVOID) mesInfos->BaseAddress; memoryInfos.Protect = mesInfos->Protect; memoryInfos.RegionSize = (SIZE_T) mesInfos->RegionSize; memoryInfos.State = mesInfos->State; memoryInfos.Type = mesInfos->Type; continueCallback = callBack(&memoryInfos, pvArg); } status = STATUS_SUCCESS; } break; default: break; } return status; }
/* * @implemented */ VOID WINAPI GetSystemInfo(IN LPSYSTEM_INFO lpSystemInfo) { SYSTEM_BASIC_INFORMATION BasicInfo; SYSTEM_PROCESSOR_INFORMATION ProcInfo; NTSTATUS Status; Status = NtQuerySystemInformation(SystemBasicInformation, &BasicInfo, sizeof(BasicInfo), 0); if (!NT_SUCCESS(Status)) return; Status = NtQuerySystemInformation(SystemProcessorInformation, &ProcInfo, sizeof(ProcInfo), 0); if (!NT_SUCCESS(Status)) return; GetSystemInfoInternal(&BasicInfo, &ProcInfo, lpSystemInfo); }
// on x86, we dont have the luxury of saving the original ci_Options // We attempt to guess semi-correct value of the first byte. // Since x86 has no PatchGuard running (yet?), this needs to be only // semi-accurate to feign the "secure" kernel status. static ULONG_PTR guess_ci() { DWORD dw, infoci[2] = { sizeof(infoci) }; unsigned char infosb[0x18]; unsigned char infobe[0x20]; ULONG_PTR ret = 0; NTSTATUS status; status = NtQuerySystemInformation(SystemCodeIntegrityInformation, &infoci, sizeof(infoci), &dw); DBG("QueryCI status %08x", (unsigned)status); if (!NT_SUCCESS(status)) return 0; dw = sizeof(infosb); status = NtQuerySystemInformation(SystemSecureBootPolicyInformation, &infosb, sizeof(infosb), &dw); DBG("QuerySecureBoot status %08x", (int)status); if (NT_SUCCESS(status)) { dw = sizeof(infobe); // if ( *(_BYTE *)(v5 + 0x14) & 0x80 ) // { // LOWORD(v8) = g_CiOptions | 0x20; // g_CiOptions |= 0x20u; // } status = NtQuerySystemInformation(SystemBootEnvironmentInformation, &infobe, sizeof(infobe), &dw); DBG("QueryBootEnv status %08x", (int)status); if (NT_SUCCESS(status)) { if (infosb[0x14] & 0x80) ret |= 0x20; } } DBG("infoci is %d", (int)infoci[1]); if (infoci[1] & 1) // enabled ret |= 6; if (infoci[1] & 2) // testsign ret |= 8; return ret; }
int InterruptsMuninNodePlugin::GetValues(char *buffer, int len) { int index = 0; int ret; unsigned long interrupt_count = 0UL, context_switches = 0UL; SYSTEM_PERFORMANCE_INFORMATION_ spi = {0}; NTSTATUS ntret; SYSTEM_PROCESSOR_TIMES spt[32]; SYSTEM_INFO SystemInfo; GetSystemInfo(&SystemInfo); /* We have array for 32 processor only :( */ if (SystemInfo.dwNumberOfProcessors <= 32) { ntret = NtQuerySystemInformation (SystemProcessorPerformanceInformation, (PVOID) spt, sizeof spt[0] * SystemInfo.dwNumberOfProcessors, NULL); if (ntret == NO_ERROR) { for (unsigned int i = 0; i < SystemInfo.dwNumberOfProcessors; i++) { interrupt_count += spt[i].InterruptCount; } ret = _snprintf(buffer, len, "intr.value %u\n", interrupt_count); len -= ret; buffer += ret; } ntret = NtQuerySystemInformation (SystemPerformanceInformation, (PVOID) &spi, sizeof spi, NULL); if (ntret == NO_ERROR) { ret = _snprintf(buffer, len, "ctx.value %u\n", spi.ContextSwitches); len -= ret; buffer += ret; } } strncat(buffer, ".\n", len); return 0; }
/* * @implemented */ DWORD WINAPI GetTimeZoneInformation(LPTIME_ZONE_INFORMATION lpTimeZoneInformation) { RTL_TIME_ZONE_INFORMATION TimeZoneInformation; NTSTATUS Status; DPRINT("GetTimeZoneInformation()\n"); Status = NtQuerySystemInformation(SystemCurrentTimeZoneInformation, &TimeZoneInformation, sizeof(RTL_TIME_ZONE_INFORMATION), NULL); if (!NT_SUCCESS(Status)) { BaseSetLastNTError(Status); return TIME_ZONE_ID_INVALID; } lpTimeZoneInformation->Bias = TimeZoneInformation.Bias; wcsncpy(lpTimeZoneInformation->StandardName, TimeZoneInformation.StandardName, ARRAYSIZE(lpTimeZoneInformation->StandardName)); lpTimeZoneInformation->StandardDate.wYear = TimeZoneInformation.StandardDate.Year; lpTimeZoneInformation->StandardDate.wMonth = TimeZoneInformation.StandardDate.Month; lpTimeZoneInformation->StandardDate.wDay = TimeZoneInformation.StandardDate.Day; lpTimeZoneInformation->StandardDate.wHour = TimeZoneInformation.StandardDate.Hour; lpTimeZoneInformation->StandardDate.wMinute = TimeZoneInformation.StandardDate.Minute; lpTimeZoneInformation->StandardDate.wSecond = TimeZoneInformation.StandardDate.Second; lpTimeZoneInformation->StandardDate.wMilliseconds = TimeZoneInformation.StandardDate.Milliseconds; lpTimeZoneInformation->StandardDate.wDayOfWeek = TimeZoneInformation.StandardDate.Weekday; lpTimeZoneInformation->StandardBias = TimeZoneInformation.StandardBias; wcsncpy(lpTimeZoneInformation->DaylightName, TimeZoneInformation.DaylightName, ARRAYSIZE(lpTimeZoneInformation->DaylightName)); lpTimeZoneInformation->DaylightDate.wYear = TimeZoneInformation.DaylightDate.Year; lpTimeZoneInformation->DaylightDate.wMonth = TimeZoneInformation.DaylightDate.Month; lpTimeZoneInformation->DaylightDate.wDay = TimeZoneInformation.DaylightDate.Day; lpTimeZoneInformation->DaylightDate.wHour = TimeZoneInformation.DaylightDate.Hour; lpTimeZoneInformation->DaylightDate.wMinute = TimeZoneInformation.DaylightDate.Minute; lpTimeZoneInformation->DaylightDate.wSecond = TimeZoneInformation.DaylightDate.Second; lpTimeZoneInformation->DaylightDate.wMilliseconds = TimeZoneInformation.DaylightDate.Milliseconds; lpTimeZoneInformation->DaylightDate.wDayOfWeek = TimeZoneInformation.DaylightDate.Weekday; lpTimeZoneInformation->DaylightBias = TimeZoneInformation.DaylightBias; return TIME_ZoneID(lpTimeZoneInformation); }