bool NtQuerySysHandleInfo(DynBuf & buf)
{
ULONG RequiredSize = NULL;
buf.Allocate(sizeof(SYSTEM_HANDLE_INFORMATION));
NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize);
buf.Allocate(RequiredSize + sizeof(SYSTEM_HANDLE_INFORMATION));
return (NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize) >= 0);
}
BOOL
APIENTRY
EngQuerySystemAttribute(
_In_ ENG_SYSTEM_ATTRIBUTE CapNum,
_Out_ PDWORD pCapability)
{
SYSTEM_BASIC_INFORMATION sbi;
SYSTEM_PROCESSOR_INFORMATION spi;
switch (CapNum)
{
case EngNumberOfProcessors:
NtQuerySystemInformation(SystemBasicInformation,
&sbi,
sizeof(SYSTEM_BASIC_INFORMATION),
NULL);
*pCapability = sbi.NumberOfProcessors;
return TRUE;
case EngProcessorFeature:
NtQuerySystemInformation(SystemProcessorInformation,
&spi,
sizeof(SYSTEM_PROCESSOR_INFORMATION),
NULL);
*pCapability = spi.ProcessorFeatureBits;
return TRUE;
default:
break;
}
return FALSE;
}
ULONG GetWin32kBase()
{
ULONG i, Count, Status, BytesRet;
PSYSTEM_MODULE_INFORMATION pSMI;
Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
if(Status!=STATUS_INFO_LENGTH_MISMATCH)
printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);
if(Status!=STATUS_SUCCESS)
printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
/*
The data returned to the SystemInformation buffer is a ULONG count of the number of
handles followed immediately by an array of
SYSTEM_MODULE_INFORMATION.
*/
Count=*(PULONG)pSMI;
pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);
for(i=0; i<Count; i++)
{
if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
return (ULONG)(pSMI+i)->Base;
}
HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);
return 0;
}
void CpuMuninNodePlugin::CalculateCpuLoad()
{
if (NtQuerySystemInformation != NULL && GetSystemTimes != NULL) {
LONG status;
SYSTEM_TIME_INFORMATION SysTimeInfo;
SYSTEM_BASIC_INFORMATION SysBaseInfo;
// get number of processors in the system
status = NtQuerySystemInformation(SystemBasicInformation, &SysBaseInfo, sizeof(SysBaseInfo), NULL);
if (status != NO_ERROR) {
printf("Querying SystemBasicInformation failed: 0x%x\n", status);
return;
}
// get new system time
status = NtQuerySystemInformation(SystemTimeInformation, &SysTimeInfo, sizeof(SysTimeInfo), NULL);
if (status!=NO_ERROR) {
printf("Querying SystemTimeInformation failed: 0x%x\n", status);
return;
}
// get new CPU times
// http://www.codeproject.com/Articles/9113/Get-CPU-Usage-with-GetSystemTimes
FILETIME ftIdleTime;
FILETIME ftKernelTime;
FILETIME ftUserTime;
BOOL result = GetSystemTimes((LPFILETIME)&ftIdleTime, (LPFILETIME)&ftKernelTime, (LPFILETIME)&ftUserTime);
if (result == FALSE) {
printf("GetSystemTimes failed\n");
return;
}
unsigned long long systemTime = FileTimeToInt64(ftKernelTime) + FileTimeToInt64(ftUserTime);
unsigned long long idleTime = FileTimeToInt64(ftIdleTime);
// if it's a first call - skip it
if (liOldIdleTime != 0)
{
// CurrentValue = NewValue - OldValue
__int64 diffIdleTime = idleTime - liOldIdleTime;
__int64 diffSystemTime = systemTime - liOldSystemTime;
dbCpuTimePercent = (1.0f - ((diffSystemTime > 0) ? ((float)diffIdleTime) / diffSystemTime : 0)) * 100;
}
// store new times
liOldIdleTime = idleTime;
liOldSystemTime = systemTime;
}
else {
printf("NtQuerySystemInformation or GetSystemTimes functions not available\n");
}
}
/* Vista Or Above 在基本用户的权限下也可 返回DOS device path */
BOOL GetProcessPathByPID5(DWORD dwProcessID, LPTSTR szFullPath, DWORD nSize)
{
NTSTATUS Status;
PVOID pBuffer;
SYSTEM_PROCESS_ID_INFORMATION info;
_NtQuerySystemInformation NtQuerySystemInformation;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(
GetModuleHandle(_T("ntdll.dll")), "NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
ODS(_T("NtQuerySystemInformation address error!"));
return FALSE;
}
pBuffer = malloc(0x100);
info.ProcessId = (HANDLE)dwProcessID;
info.ImageName.Length = 0;
info.ImageName.MaximumLength = (USHORT)0x100;
info.ImageName.Buffer = pBuffer;
Status = NtQuerySystemInformation(SystemProcessIdInformation, &info, sizeof(info), NULL);
if (Status == STATUS_INFO_LENGTH_MISMATCH)
{
free(pBuffer);
pBuffer = malloc(info.ImageName.MaximumLength);
info.ImageName.Buffer = pBuffer;
Status = NtQuerySystemInformation(SystemProcessIdInformation, &info, sizeof(info), NULL);
}
if (!NT_SUCCESS(Status))
{
ODS(_T("NtQuerySystemInformation failed!"));
free(pBuffer);
return FALSE;
}
#ifdef UNICODE
lstrcpynW(szFullPath, info.ImageName.Buffer, nSize);
#else
WideCharToMultiByte(CP_ACP, 0, info.ImageName.Buffer, -1, szFullPath, nSize, NULL, NULL);
#endif
free(pBuffer);
DosDevicePathToWin32Path(szFullPath);
return TRUE;
}
/*
* @implemented
*/
BOOL
WINAPI
GetLogicalProcessorInformation(OUT PSYSTEM_LOGICAL_PROCESSOR_INFORMATION Buffer,
IN OUT PDWORD ReturnLength)
{
NTSTATUS Status;
if (!ReturnLength)
{
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
Status = NtQuerySystemInformation(SystemLogicalProcessorInformation,
Buffer,
*ReturnLength,
ReturnLength);
/* Normalize the error to what Win32 expects */
if (Status == STATUS_INFO_LENGTH_MISMATCH) Status = STATUS_BUFFER_TOO_SMALL;
if (!NT_SUCCESS(Status))
{
BaseSetLastNTError(Status);
return FALSE;
}
return TRUE;
}
static void *get_mod_info()
{
DWORD got = 0;
void *m;
NTSTATUS ret = NtQuerySystemInformation(
SystemModuleInformation, NULL, 0, &got);
if (ret != STATUS_INFO_LENGTH_MISMATCH)
return NULL;
m = malloc(got);
if (NT_SUCCESS(NtQuerySystemInformation(SystemModuleInformation, m, got, &got)))
return m;
free(m);
return NULL;
}
VOID
NTAPI
SmpMakeSystemManagedPagingFileDescriptor(IN PSMP_PAGEFILE_DESCRIPTOR Descriptor)
{
NTSTATUS Status;
LONGLONG MinimumSize, MaximumSize, Ram;
SYSTEM_BASIC_INFORMATION BasicInfo;
/* Query the page size of the system, and the amount of RAM */
Status = NtQuerySystemInformation(SystemBasicInformation,
&BasicInfo,
sizeof(BasicInfo),
NULL);
if (!NT_SUCCESS(Status))
{
/* If we failed, use defaults since we have no idea otherwise */
DPRINT1("SMSS:PFILE: NtQuerySystemInformation failed with %x \n", Status);
SmpMakeDefaultPagingFileDescriptor(Descriptor);
return;
}
/* Chekc how much RAM we have and set three times this amount as maximum */
Ram = BasicInfo.NumberOfPhysicalPages * BasicInfo.PageSize;
MaximumSize = 3 * Ram;
/* If we have more than 1GB, use that as minimum, otherwise, use 1.5X RAM */
MinimumSize = (Ram >= 1024 * MEGABYTE) ? Ram : MaximumSize / 2;
/* Write the new sizes in the descriptor and mark it as system managed */
Descriptor->MinSize.QuadPart = MinimumSize;
Descriptor->MaxSize.QuadPart = MaximumSize;
Descriptor->Flags |= SMP_PAGEFILE_SYSTEM_MANAGED;
}
PVOID GetKernelModuleInfo(CHAR * target_name, PVOID* base, LONG* size) {
PVOID buffer = NULL;
ULONG buf_size = 0x5000;
NTSTATUS result;
do {
buffer = ExAllocatePool(PagedPool, buf_size);
if (buffer == NULL) {
return NULL;
}
ULONG need;
result = NtQuerySystemInformation(SystemModuleInformation, buffer, buf_size, &need);
if (result == STATUS_INFO_LENGTH_MISMATCH) {
ExFreePool(buffer);
buf_size *= 2;
}
else if (!NT_SUCCESS(result)) {
ExFreePool(buffer);
return NULL;
}
} while (result == STATUS_INFO_LENGTH_MISMATCH);
PSYSTEM_MODULE_INFORMATION system_module_info = (PSYSTEM_MODULE_INFORMATION)buffer;
int module_count = system_module_info->Count;
for(int i=0; i<module_count; i++){
CHAR* name = system_module_info->Module[i].ImageName + system_module_info->Module[i].PathLength;
//DbgPrint("kernel module: %s,%p \n", name, system_module_info->Module[i].Base);
if (_stricmp(name, target_name) == 0) {
*base = system_module_info->Module[i].Base;
*size = system_module_info->Module[i].Size;
}
}
return NULL;
}
void list_processes(void)
{
PSYSTEM_PROCESS_INFORMATION pspi;
ULONG ofs = 0, sz, i, j;
NTSTATUS r;
sz = 0;
r = NtQuerySystemInformation( SystemProcessInformation, buffer, sizeof buffer, &sz );
ok( r == STATUS_SUCCESS, "NtQuerySystemInformation failed\n" );
if (r != STATUS_SUCCESS)
return;
for (i=0, ofs=0; ofs<sz; i++)
{
pspi = (PSYSTEM_PROCESS_INFORMATION) (buffer + ofs);
dprintf( "%ld %ld %ld %S\n", pspi->ThreadCount, pspi->ProcessId,
pspi->InheritedFromProcessId, pspi->ProcessName.Buffer);
for (j=0; j<pspi->ThreadCount; j++)
{
dprintf("%p %p %p %08lx %08lx\n",
pspi->Threads[j].StartAddress,
pspi->Threads[j].ClientId.UniqueProcess,
pspi->Threads[j].ClientId.UniqueThread,
pspi->Threads[j].State,
pspi->Threads[j].WaitReason);
}
if (!pspi->NextEntryDelta)
break;
ofs += pspi->NextEntryDelta;
}
}
static int stat_gettext(int tag, char *buf)
{
char *original_buf = buf;
/* TODO: Support more than one processors */
LARGE_INTEGER idle_time, kernel_time, user_time;
GetSystemTimes((FILETIME *)&idle_time, (FILETIME *)&kernel_time, (FILETIME *)&user_time);
uint64_t user = user_time.QuadPart / (TICKS_PER_SECOND / USER_HZ);
uint64_t nice = 0;
uint64_t system = kernel_time.QuadPart / (TICKS_PER_SECOND / USER_HZ);
uint64_t idle = idle_time.QuadPart / (TICKS_PER_SECOND / USER_HZ);
system -= idle; /* KernelTime includes IdleTime */
uint64_t iowait = 0;
uint64_t irq = 0;
uint64_t softirq = 0;
uint64_t steal = 0, guest = 0, guest_nice = 0;
buf += ksprintf(buf, "cpu %llu %llu %llu %llu %llu %llu %llu %llu %llu %llu\n",
user, nice, system, idle, iowait, irq, softirq, steal, guest, guest_nice);
buf += ksprintf(buf, "intr %llu\n", 0);
buf += ksprintf(buf, "swap %llu %llu\n", 0);
uint64_t ctxt = 0;
buf += ksprintf(buf, "ctxt %llu\n", ctxt);
/* Boot time */
SYSTEM_TIMEOFDAY_INFORMATION tod_info;
NtQuerySystemInformation(SystemTimeOfDayInformation, &tod_info, sizeof(tod_info), NULL);
uint64_t btime = filetime_to_unix_sec((FILETIME *)&tod_info.BootTime);
buf += ksprintf(buf, "btime %llu\n", btime);
uint64_t processes = 0;
buf += ksprintf(buf, "processes %llu\n", processes);
int procs_running = 1;
buf += ksprintf(buf, "procs_running %d\n", procs_running);
int procs_blocked = 0;
buf += ksprintf(buf, "procs_blocked %d\n", procs_blocked);
return buf - original_buf;
}
bool mod_mimikatz_sekurlsa::searchPasswords(vector<wstring> * arguments)
{
if(searchLSASSDatas())
{
if(PNT_QUERY_SYSTEM_INFORMATION NtQuerySystemInformation = reinterpret_cast<PNT_QUERY_SYSTEM_INFORMATION>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQuerySystemInformation")))
{
#ifdef _M_X64
PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0xffff080000000000);
#elif defined _M_IX86
PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0x80000000);
#endif
ULONG maTaille = 0;
NtQuerySystemInformation(KIWI_SystemMmSystemRangeStart, &MmSystemRangeStart, sizeof(PBYTE), &maTaille);
DWORD nbPossible = 0;
for(PBYTE pMemoire = 0; pMemoire < MmSystemRangeStart ; )
{
MEMORY_BASIC_INFORMATION mesInfos;
if(VirtualQueryEx(hLSASS, pMemoire, &mesInfos, sizeof(MEMORY_BASIC_INFORMATION)) > 0)
{
if((mesInfos.Protect & PAGE_READWRITE) && !(mesInfos.Protect & PAGE_GUARD) && (mesInfos.Type == MEM_PRIVATE))
{
UNICODE_STRING donnees[3];
for(PBYTE pZone = reinterpret_cast<PBYTE>(mesInfos.BaseAddress); pZone < (reinterpret_cast<PBYTE>(mesInfos.BaseAddress) + mesInfos.RegionSize - 3*sizeof(UNICODE_STRING)); pZone += sizeof(DWORD))
{
if(mod_memory::readMemory(pZone, donnees, 3*sizeof(UNICODE_STRING), hLSASS))
{
if(
(donnees[0].Length && !((donnees[0].Length & 1) || (donnees[0].MaximumLength & 1)) && (donnees[0].Length < sizeof(wchar_t)*0xff) && (donnees[0].Length <= donnees[0].MaximumLength) && donnees[0].Buffer) &&
(donnees[1].Length && !((donnees[1].Length & 1) || (donnees[1].MaximumLength & 1)) && (donnees[1].Length < sizeof(wchar_t)*0xff) && (donnees[1].Length <= donnees[1].MaximumLength) && donnees[1].Buffer) &&
(donnees[2].Length && !((donnees[2].Length & 1) || (donnees[2].MaximumLength & 1)) && (donnees[2].Length < sizeof(wchar_t)*0xff) && (donnees[2].Length <= donnees[2].MaximumLength) && donnees[2].Buffer)
)
{
wstring user, domain, password;
BYTE * bPassword = NULL;
if(ressembleString(&donnees[0], &user) && ressembleString(&donnees[1], &domain) && !ressembleString(&donnees[2], NULL, &bPassword))
{
if(bPassword)
{
mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(bPassword, donnees[2].MaximumLength);
password.assign(mod_text::stringOrHex(bPassword, donnees[2].Length, 0, false));
}
(*outputStream) << L"[" << nbPossible++ << L"] { " << user << L" ; " << domain << L" ; " << password << L" }" << endl;
}
if(bPassword)
delete[] bPassword;
}
}
}
}
pMemoire += mesInfos.RegionSize;
}
else break;
}
}
}
else (*outputStream) << L"Données LSASS en erreur" << endl;
return true;
}
BOOL leakHal()
{
_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
PRTL_PROCESS_MODULES pModuleInfo;
DWORD ntoskrnlBase;
DWORD HalDTUser, HalDTOffset;
HMODULE userKernel;
pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pModuleInfo == NULL)
{
printf("Could not allocate memory\n");
return FALSE;
}
NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
if (userKernel == NULL)
{
printf("Could not load ntoskrnl.exe\n");
return FALSE;
}
HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
HalDTOffset = HalDTUser - (DWORD)userKernel;
g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
return TRUE;
}
NTSTATUS
CsrOneTimeInitialize( VOID )
{
NTSTATUS Status;
//
// Save away system information in a global variable
//
Status = NtQuerySystemInformation( SystemBasicInformation,
&CsrNtSysInfo,
sizeof( CsrNtSysInfo ),
NULL
);
if (!NT_SUCCESS( Status )) {
return( Status );
}
//
// Use the process heap for memory allocation.
//
CsrHeap = RtlProcessHeap();
CsrInitOnceDone = TRUE;
return( STATUS_SUCCESS );
}
/******************************************************************
* fetch_process_info
*
* reads system wide process information, and make spi point to the record
* for process of id 'pid'
*/
static BOOL fetch_process_info(struct dump_context* dc)
{
ULONG buf_size = 0x1000;
NTSTATUS nts;
dc->pcs_buffer = NULL;
if (!(dc->pcs_buffer = HeapAlloc(GetProcessHeap(), 0, buf_size))) return FALSE;
for (;;)
{
nts = NtQuerySystemInformation(SystemProcessInformation,
dc->pcs_buffer, buf_size, NULL);
if (nts != STATUS_INFO_LENGTH_MISMATCH) break;
dc->pcs_buffer = HeapReAlloc(GetProcessHeap(), 0, dc->pcs_buffer,
buf_size *= 2);
if (!dc->pcs_buffer) return FALSE;
}
if (nts == STATUS_SUCCESS)
{
dc->spi = dc->pcs_buffer;
for (;;)
{
if (dc->spi->dwProcessID == dc->pid) return TRUE;
if (!dc->spi->dwOffset) break;
dc->spi = (SYSTEM_PROCESS_INFORMATION*)
((char*)dc->spi + dc->spi->dwOffset);
}
}
HeapFree(GetProcessHeap(), 0, dc->pcs_buffer);
dc->pcs_buffer = NULL;
dc->spi = NULL;
return FALSE;
}
BOOL
APIENTRY
EngQuerySystemAttribute(
_In_ ENG_SYSTEM_ATTRIBUTE CapNum,
_Out_ PDWORD pCapability)
{
SYSTEM_BASIC_INFORMATION sbi;
SYSTEM_PROCESSOR_INFORMATION spi;
NTSTATUS status;
switch (CapNum)
{
case EngNumberOfProcessors:
status = NtQuerySystemInformation(SystemBasicInformation,
&sbi,
sizeof(SYSTEM_BASIC_INFORMATION),
NULL);
if (!NT_SUCCESS(status))
{
DPRINT1("Failed to query basic information: 0x%lx\n", status);
return FALSE;
}
*pCapability = sbi.NumberOfProcessors;
return TRUE;
case EngProcessorFeature:
status = NtQuerySystemInformation(SystemProcessorInformation,
&spi,
sizeof(SYSTEM_PROCESSOR_INFORMATION),
NULL);
if (!NT_SUCCESS(status))
{
DPRINT1("Failed to query processor information: 0x%lx\n", status);
return FALSE;
}
*pCapability = spi.ProcessorFeatureBits;
return TRUE;
default:
break;
}
return FALSE;
}
static PVOID
get_module_base (void)
{
PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD i, num_modules, status, rlen;
PVOID result;
status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0,
&rlen);
if (status != STATUS_INFO_LENGTH_MISMATCH)
{
fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n",
status);
exit (EXIT_FAILURE);
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap
(), HEAP_ZERO_MEMORY, rlen);
status = NtQuerySystemInformation (SystemModuleInformation,
pModuleInfo, rlen, &rlen);
if (status != STATUS_SUCCESS)
{
fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n",
status);
exit (EXIT_FAILURE);
}
num_modules = pModuleInfo->Count;
pModuleBase = &pModuleInfo->Module[0];
result = NULL;
for (i = 0; i < num_modules; i++, pModuleBase++)
if (strstr (pModuleBase->ImageName, "IPSECDRV.sys"))
{
result = pModuleBase->Base;
break;
}
HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo);
return (result);
}
VOID
FinishBenchMark (
IN PPERFINFO PerfInfo
)
{
ULONG ContextSwitches;
LARGE_INTEGER Duration;
ULONG FirstLevelFills;
ULONG InterruptCount;
ULONG Length;
ULONG Performance;
ULONG SecondLevelFills;
NTSTATUS Status;
ULONG SystemCalls;
SYSTEM_PERFORMANCE_INFORMATION SystemInfo;
//
// Print results and announce end of test.
//
NtQuerySystemTime((PLARGE_INTEGER)&PerfInfo->StopTime);
Status = NtQuerySystemInformation(SystemPerformanceInformation,
(PVOID)&SystemInfo,
sizeof(SYSTEM_PERFORMANCE_INFORMATION),
NULL);
if (NT_SUCCESS(Status) == FALSE) {
printf("Failed to query performance information, status = %lx\n", Status);
return;
}
Duration = RtlLargeIntegerSubtract(PerfInfo->StopTime, PerfInfo->StartTime);
Length = Duration.LowPart / 10000;
printf(" Test time in milliseconds %d\n", Length);
printf(" Number of iterations %d\n", PerfInfo->Iterations);
Performance = PerfInfo->Iterations * 1000 / Length;
printf(" Iterations per second %d\n", Performance);
ContextSwitches = SystemInfo.ContextSwitches - PerfInfo->ContextSwitches;
FirstLevelFills = SystemInfo.FirstLevelTbFills - PerfInfo->FirstLevelFills;
InterruptCount = SystemInfo.InterruptCount - PerfInfo->InterruptCount;
SecondLevelFills = SystemInfo.SecondLevelTbFills - PerfInfo->SecondLevelFills;
SystemCalls = SystemInfo.SystemCalls - PerfInfo->SystemCalls;
printf(" First Level TB Fills %d\n", FirstLevelFills);
printf(" Second Level TB Fills %d\n", SecondLevelFills);
printf(" Number of Interrupts %d\n", InterruptCount);
printf(" Total Context Switches %d\n", ContextSwitches);
printf(" Number of System Calls %d\n", SystemCalls);
printf("*** End of Test ***\n\n");
return;
}
VOID GetHardwareInfo()
{
int i = 0;
int monitorCount;
HANDLE gdi32;
int cores = 0;
//use 64 bits to force allmul() on 32 bit builds
UINT64 physicalPages;
UINT64 pageSize;
InitGpuHardware();
GPU_Initialize(PushSharedMemory->HarwareInformation.DisplayDevice.pciAddress);
PushSharedMemory->HarwareInformation.DisplayDevice.FrameBuffer.Total = GPU_GetTotalMemory();
PushSharedMemory->HarwareInformation.DisplayDevice.EngineClockMax = GPU_GetMaximumEngineClock();
PushSharedMemory->HarwareInformation.DisplayDevice.MemoryClockMax = GPU_GetMaximumMemoryClock();
PushSharedMemory->HarwareInformation.DisplayDevice.VoltageMax = GPU_GetMaximumVoltage();
if (Ini_ReadBoolean(L"Settings", L"GpuUsageD3DKMT", FALSE, L".\\" PUSH_SETTINGS_FILE))
PushGpuLoadD3DKMT = TRUE;
// Get the number of processors in the system
NtQuerySystemInformation(SystemBasicInformation, &HwInfoSystemBasicInformation, sizeof(SYSTEM_BASIC_INFORMATION), 0);
PushSharedMemory->HarwareInformation.Processor.NumberOfThreads = HwInfoSystemBasicInformation.NumberOfProcessors;
physicalPages = HwInfoSystemBasicInformation.NumberOfPhysicalPages;
pageSize = HwInfoSystemBasicInformation.PageSize;
//byte => megabytes
PushSharedMemory->HarwareInformation.Memory.Total = (physicalPages * pageSize) / 1048576;
cores = CPU_Intialize();
PushSharedMemory->HarwareInformation.Processor.NumberOfCores = cores;
PushSharedMemory->HarwareInformation.Processor.TjMax = CPU_GetTemperatureMaximal();
PushSharedMemory->HarwareInformation.Processor.MhzBase = CPU_GetBaseSpeed();
// Monitors
gdi32 = Module_Load(L"gdi32.dll");
GetNumberOfPhysicalMonitors = Module_GetProcedureAddress(gdi32, "GetNumberOfPhysicalMonitors");
GetPhysicalMonitors = Module_GetProcedureAddress(gdi32, "GetPhysicalMonitors");
DDCCIGetTimingReport = Module_GetProcedureAddress(gdi32, "DDCCIGetTimingReport");
DDCCIGetVCPFeature = Module_GetProcedureAddress(gdi32, "DDCCIGetVCPFeature");
DDCCISetVCPFeature = Module_GetProcedureAddress(gdi32, "DDCCISetVCPFeature");
monitorCount = GetSystemMetrics(SM_CMONITORS);
MonitorWidth = GetSystemMetrics(SM_CXSCREEN);
MonitorHeight = GetSystemMetrics(SM_CYSCREEN);
MonitorHandles = Memory_Allocate(sizeof(HANDLE) * monitorCount);
EnumDisplayMonitors(NULL, NULL, MonitorEnumProc, NULL);
}
NTSTATUS NTAPI
PsaCaptureProcessesAndThreads(OUT PSYSTEM_PROCESS_INFORMATION *ProcessesAndThreads)
{
PSYSTEM_PROCESS_INFORMATION pInfoBuffer = NULL;
SIZE_T nSize = 0x8000;
NTSTATUS Status;
if(ProcessesAndThreads == NULL)
{
return STATUS_INVALID_PARAMETER_1;
}
/* FIXME: if the system has loaded several processes and threads, the buffer
could get really big. But if there's several processes and threads, the
system is already under stress, and a huge buffer could only make things
worse. The function should be profiled to see what's the average minimum
buffer size, to succeed on the first shot */
do
{
PVOID pTmp;
/* free the buffer, and reallocate it to the new size. RATIONALE: since we
ignore the buffer's contents at this point, there's no point in a realloc()
that could end up copying a large chunk of data we'd discard anyway */
PsaiFree(pInfoBuffer);
pTmp = PsaiMalloc(nSize);
if(pTmp == NULL)
{
DPRINT(FAILED_WITH_STATUS, "PsaiMalloc", STATUS_NO_MEMORY);
Status = STATUS_NO_MEMORY;
break;
}
pInfoBuffer = pTmp;
/* query the information */
Status = NtQuerySystemInformation(SystemProcessInformation,
pInfoBuffer,
nSize,
NULL);
/* double the buffer size */
nSize *= 2;
} while(Status == STATUS_INFO_LENGTH_MISMATCH);
if(!NT_SUCCESS(Status))
{
DPRINT(FAILED_WITH_STATUS, "NtQuerySystemInformation", Status);
return Status;
}
*ProcessesAndThreads = pInfoBuffer;
return STATUS_SUCCESS;
}
/* create the platform-specific environment registry keys */
static void create_environment_registry_keys( void )
{
static const WCHAR EnvironW[] = {'S','y','s','t','e','m','\\',
'C','u','r','r','e','n','t','C','o','n','t','r','o','l','S','e','t','\\',
'C','o','n','t','r','o','l','\\',
'S','e','s','s','i','o','n',' ','M','a','n','a','g','e','r','\\',
'E','n','v','i','r','o','n','m','e','n','t',0};
static const WCHAR NumProcW[] = {'N','U','M','B','E','R','_','O','F','_','P','R','O','C','E','S','S','O','R','S',0};
static const WCHAR ProcArchW[] = {'P','R','O','C','E','S','S','O','R','_','A','R','C','H','I','T','E','C','T','U','R','E',0};
static const WCHAR x86W[] = {'x','8','6',0};
static const WCHAR IA64W[] = {'I','A','6','4',0};
static const WCHAR AMD64W[] = {'A','M','D','6','4',0};
static const WCHAR ProcIdW[] = {'P','R','O','C','E','S','S','O','R','_','I','D','E','N','T','I','F','I','E','R',0};
static const WCHAR ProcLvlW[] = {'P','R','O','C','E','S','S','O','R','_','L','E','V','E','L',0};
static const WCHAR ProcRevW[] = {'P','R','O','C','E','S','S','O','R','_','R','E','V','I','S','I','O','N',0};
static const WCHAR PercentDW[] = {'%','d',0};
static const WCHAR Percent04XW[] = {'%','0','4','x',0};
static const WCHAR IntelCpuDescrW[] = {'%','s',' ','F','a','m','i','l','y',' ','%','d',' ','M','o','d','e','l',' ','%','d',
' ','S','t','e','p','p','i','n','g',' ','%','d',',',' ','G','e','n','u','i','n','e','I','n','t','e','l',0};
HKEY env_key;
SYSTEM_CPU_INFORMATION sci;
WCHAR buffer[60];
const WCHAR *arch;
NtQuerySystemInformation( SystemCpuInformation, &sci, sizeof(sci), NULL );
if (RegCreateKeyW( HKEY_LOCAL_MACHINE, EnvironW, &env_key )) return;
sprintfW( buffer, PercentDW, NtCurrentTeb()->Peb->NumberOfProcessors );
set_reg_value( env_key, NumProcW, buffer );
switch(sci.Architecture)
{
case PROCESSOR_ARCHITECTURE_AMD64: arch = AMD64W; break;
case PROCESSOR_ARCHITECTURE_IA64: arch = IA64W; break;
default:
case PROCESSOR_ARCHITECTURE_INTEL: arch = x86W; break;
}
set_reg_value( env_key, ProcArchW, arch );
/* TODO: currently hardcoded Intel, add different processors */
sprintfW( buffer, IntelCpuDescrW, arch, sci.Level, HIBYTE(sci.Revision), LOBYTE(sci.Revision) );
set_reg_value( env_key, ProcIdW, buffer );
sprintfW( buffer, PercentDW, sci.Level );
set_reg_value( env_key, ProcLvlW, buffer );
/* Properly report model/stepping */
sprintfW( buffer, Percent04XW, sci.Revision );
set_reg_value( env_key, ProcRevW, buffer );
RegCloseKey( env_key );
}
static VOID PhInitializeSystemInformation(
VOID
)
{
NtQuerySystemInformation(
SystemBasicInformation,
&PhSystemBasicInformation,
sizeof(SYSTEM_BASIC_INFORMATION),
NULL
);
}
VOID PhSipTickCpuDialog(
VOID
)
{
ULONG64 dpcCount;
ULONG i;
dpcCount = 0;
if (NT_SUCCESS(NtQuerySystemInformation(
SystemInterruptInformation,
InterruptInformation,
sizeof(SYSTEM_INTERRUPT_INFORMATION) * NumberOfProcessors,
NULL
)))
{
for (i = 0; i < NumberOfProcessors; i++)
dpcCount += InterruptInformation[i].DpcCount;
}
PhUpdateDelta(&ContextSwitchesDelta, PhPerfInformation.ContextSwitches);
PhUpdateDelta(&InterruptsDelta, PhCpuTotals.InterruptCount);
PhUpdateDelta(&DpcsDelta, dpcCount);
PhUpdateDelta(&SystemCallsDelta, PhPerfInformation.SystemCalls);
if (!NT_SUCCESS(NtPowerInformation(
ProcessorInformation,
NULL,
0,
PowerInformation,
sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors
)))
{
memset(PowerInformation, 0, sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors);
}
if (WindowsVersion >= WINDOWS_7)
{
if (PreviousPerformanceDistribution)
PhFree(PreviousPerformanceDistribution);
PreviousPerformanceDistribution = CurrentPerformanceDistribution;
CurrentPerformanceDistribution = NULL;
PhSipQueryProcessorPerformanceDistribution(&CurrentPerformanceDistribution);
}
CpuTicked++;
if (CpuTicked > 2)
CpuTicked = 2;
PhSipUpdateCpuGraphs();
PhSipUpdateCpuPanel();
}
NTSTATUS kull_m_process_NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS informationClass, PVOID buffer, ULONG informationLength)
{
NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
DWORD sizeOfBuffer, returnedLen;
if(*(PVOID *) buffer)
{
status = NtQuerySystemInformation(informationClass, *(PVOID *) buffer, informationLength, &returnedLen);
}
else
{
for(sizeOfBuffer = 0x1000; (status == STATUS_INFO_LENGTH_MISMATCH) && (*(PVOID *) buffer = LocalAlloc(LPTR, sizeOfBuffer)) ; sizeOfBuffer <<= 1)
{
status = NtQuerySystemInformation(informationClass, *(PVOID *) buffer, sizeOfBuffer, &returnedLen);
if(!NT_SUCCESS(status))
LocalFree(*(PVOID *) buffer);
}
}
return status;
}
ULONG getNtBase()
{
DWORD dwsize;
DWORD dwSizeReturn;
PUCHAR pBuffer = NULL;
PSYSTEM_MODULE_INFORMATION pSmi=NULL;
PSYSTEM_MODULE psm=NULL;
NTSTATUS ntStatus=STATUS_UNSUCCESSFUL;
ntStatus = NtQuerySystemInformation(SystemModuleInformation, pSmi, 0, &dwSizeReturn);
if (ntStatus!=STATUS_INFO_LENGTH_MISMATCH)
{
MessageBoxA(NULL,"fuck1",NULL,NULL);
return 0;
}
dwsize = dwSizeReturn*2;
pSmi = (PSYSTEM_MODULE_INFORMATION)new char[dwsize];
if (pSmi==NULL)
{
MessageBoxA(NULL,"fuck2",NULL,NULL);
return 0;
}
ntStatus = NtQuerySystemInformation(SystemModuleInformation, pSmi,dwsize, &dwSizeReturn);
if (ntStatus!=STATUS_SUCCESS)
{
MessageBoxA(NULL,"fuck3",NULL,NULL);
return 0;
}
DWORD dwcount = pSmi->uCount;
psm = pSmi->aSM;
DWORD ntbase = psm->Base;
strcpy(osname, psm->ImageName);
delete pSmi;
return ntbase;
}
NTSTATUS kull_m_process_getMemoryInformations(PKULL_M_MEMORY_HANDLE memory, PKULL_M_MEMORY_RANGE_ENUM_CALLBACK callBack, PVOID pvArg)
{
NTSTATUS status = STATUS_NOT_FOUND;
MEMORY_BASIC_INFORMATION memoryInfos;
PBYTE currentPage, maxPage;
PMINIDUMP_MEMORY_INFO_LIST maListeInfo = NULL;
PMINIDUMP_MEMORY_INFO mesInfos = NULL;
ULONG i;
BOOL continueCallback = TRUE;
if(!NT_SUCCESS(NtQuerySystemInformation(KIWI_SystemMmSystemRangeStart, &maxPage, sizeof(PBYTE), NULL)))
maxPage = MmSystemRangeStart;
switch(memory->type)
{
case KULL_M_MEMORY_TYPE_OWN:
for(currentPage = 0; (currentPage < maxPage) && continueCallback; currentPage += memoryInfos.RegionSize)
if(VirtualQuery(currentPage, &memoryInfos, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION))
continueCallback = callBack(&memoryInfos, pvArg);
else break;
status = STATUS_SUCCESS;
break;
case KULL_M_MEMORY_TYPE_PROCESS:
for(currentPage = 0; (currentPage < maxPage) && continueCallback; currentPage += memoryInfos.RegionSize)
if(VirtualQueryEx(memory->pHandleProcess->hProcess, currentPage, &memoryInfos, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION))
continueCallback = callBack(&memoryInfos, pvArg);
else break;
status = STATUS_SUCCESS;
break;
case KULL_M_MEMORY_TYPE_PROCESS_DMP:
if(maListeInfo = (PMINIDUMP_MEMORY_INFO_LIST) kull_m_minidump_stream(memory->pHandleProcessDmp->hMinidump, MemoryInfoListStream))
{
for(i = 0; (i < maListeInfo->NumberOfEntries) && continueCallback; i++)
{
mesInfos = (PMINIDUMP_MEMORY_INFO) ((PBYTE) maListeInfo + maListeInfo->SizeOfHeader + (i * maListeInfo->SizeOfEntry));
memoryInfos.AllocationBase = (PVOID) mesInfos->AllocationBase;
memoryInfos.AllocationProtect = mesInfos->AllocationProtect;
memoryInfos.BaseAddress = (PVOID) mesInfos->BaseAddress;
memoryInfos.Protect = mesInfos->Protect;
memoryInfos.RegionSize = (SIZE_T) mesInfos->RegionSize;
memoryInfos.State = mesInfos->State;
memoryInfos.Type = mesInfos->Type;
continueCallback = callBack(&memoryInfos, pvArg);
}
status = STATUS_SUCCESS;
}
break;
default:
break;
}
return status;
}
/*
* @implemented
*/
VOID
WINAPI
GetSystemInfo(IN LPSYSTEM_INFO lpSystemInfo)
{
SYSTEM_BASIC_INFORMATION BasicInfo;
SYSTEM_PROCESSOR_INFORMATION ProcInfo;
NTSTATUS Status;
Status = NtQuerySystemInformation(SystemBasicInformation,
&BasicInfo,
sizeof(BasicInfo),
0);
if (!NT_SUCCESS(Status)) return;
Status = NtQuerySystemInformation(SystemProcessorInformation,
&ProcInfo,
sizeof(ProcInfo),
0);
if (!NT_SUCCESS(Status)) return;
GetSystemInfoInternal(&BasicInfo, &ProcInfo, lpSystemInfo);
}
// on x86, we dont have the luxury of saving the original ci_Options
// We attempt to guess semi-correct value of the first byte.
// Since x86 has no PatchGuard running (yet?), this needs to be only
// semi-accurate to feign the "secure" kernel status.
static ULONG_PTR guess_ci()
{
DWORD dw, infoci[2] = { sizeof(infoci) };
unsigned char infosb[0x18];
unsigned char infobe[0x20];
ULONG_PTR ret = 0;
NTSTATUS status;
status = NtQuerySystemInformation(SystemCodeIntegrityInformation, &infoci, sizeof(infoci), &dw);
DBG("QueryCI status %08x", (unsigned)status);
if (!NT_SUCCESS(status))
return 0;
dw = sizeof(infosb);
status = NtQuerySystemInformation(SystemSecureBootPolicyInformation, &infosb, sizeof(infosb), &dw);
DBG("QuerySecureBoot status %08x", (int)status);
if (NT_SUCCESS(status)) {
dw = sizeof(infobe);
// if ( *(_BYTE *)(v5 + 0x14) & 0x80 )
// {
// LOWORD(v8) = g_CiOptions | 0x20;
// g_CiOptions |= 0x20u;
// }
status = NtQuerySystemInformation(SystemBootEnvironmentInformation, &infobe, sizeof(infobe), &dw);
DBG("QueryBootEnv status %08x", (int)status);
if (NT_SUCCESS(status)) {
if (infosb[0x14] & 0x80)
ret |= 0x20;
}
}
DBG("infoci is %d", (int)infoci[1]);
if (infoci[1] & 1) // enabled
ret |= 6;
if (infoci[1] & 2) // testsign
ret |= 8;
return ret;
}
int InterruptsMuninNodePlugin::GetValues(char *buffer, int len)
{
int index = 0;
int ret;
unsigned long interrupt_count = 0UL, context_switches = 0UL;
SYSTEM_PERFORMANCE_INFORMATION_ spi = {0};
NTSTATUS ntret;
SYSTEM_PROCESSOR_TIMES spt[32];
SYSTEM_INFO SystemInfo;
GetSystemInfo(&SystemInfo);
/* We have array for 32 processor only :( */
if (SystemInfo.dwNumberOfProcessors <= 32) {
ntret = NtQuerySystemInformation (SystemProcessorPerformanceInformation, (PVOID) spt,
sizeof spt[0] * SystemInfo.dwNumberOfProcessors, NULL);
if (ntret == NO_ERROR)
{
for (unsigned int i = 0; i < SystemInfo.dwNumberOfProcessors; i++)
{
interrupt_count += spt[i].InterruptCount;
}
ret = _snprintf(buffer, len, "intr.value %u\n", interrupt_count);
len -= ret;
buffer += ret;
}
ntret = NtQuerySystemInformation (SystemPerformanceInformation, (PVOID) &spi, sizeof spi, NULL);
if (ntret == NO_ERROR)
{
ret = _snprintf(buffer, len, "ctx.value %u\n", spi.ContextSwitches);
len -= ret;
buffer += ret;
}
}
strncat(buffer, ".\n", len);
return 0;
}
/*
* @implemented
*/
DWORD
WINAPI
GetTimeZoneInformation(LPTIME_ZONE_INFORMATION lpTimeZoneInformation)
{
RTL_TIME_ZONE_INFORMATION TimeZoneInformation;
NTSTATUS Status;
DPRINT("GetTimeZoneInformation()\n");
Status = NtQuerySystemInformation(SystemCurrentTimeZoneInformation,
&TimeZoneInformation,
sizeof(RTL_TIME_ZONE_INFORMATION),
NULL);
if (!NT_SUCCESS(Status))
{
BaseSetLastNTError(Status);
return TIME_ZONE_ID_INVALID;
}
lpTimeZoneInformation->Bias = TimeZoneInformation.Bias;
wcsncpy(lpTimeZoneInformation->StandardName,
TimeZoneInformation.StandardName,
ARRAYSIZE(lpTimeZoneInformation->StandardName));
lpTimeZoneInformation->StandardDate.wYear = TimeZoneInformation.StandardDate.Year;
lpTimeZoneInformation->StandardDate.wMonth = TimeZoneInformation.StandardDate.Month;
lpTimeZoneInformation->StandardDate.wDay = TimeZoneInformation.StandardDate.Day;
lpTimeZoneInformation->StandardDate.wHour = TimeZoneInformation.StandardDate.Hour;
lpTimeZoneInformation->StandardDate.wMinute = TimeZoneInformation.StandardDate.Minute;
lpTimeZoneInformation->StandardDate.wSecond = TimeZoneInformation.StandardDate.Second;
lpTimeZoneInformation->StandardDate.wMilliseconds = TimeZoneInformation.StandardDate.Milliseconds;
lpTimeZoneInformation->StandardDate.wDayOfWeek = TimeZoneInformation.StandardDate.Weekday;
lpTimeZoneInformation->StandardBias = TimeZoneInformation.StandardBias;
wcsncpy(lpTimeZoneInformation->DaylightName,
TimeZoneInformation.DaylightName,
ARRAYSIZE(lpTimeZoneInformation->DaylightName));
lpTimeZoneInformation->DaylightDate.wYear = TimeZoneInformation.DaylightDate.Year;
lpTimeZoneInformation->DaylightDate.wMonth = TimeZoneInformation.DaylightDate.Month;
lpTimeZoneInformation->DaylightDate.wDay = TimeZoneInformation.DaylightDate.Day;
lpTimeZoneInformation->DaylightDate.wHour = TimeZoneInformation.DaylightDate.Hour;
lpTimeZoneInformation->DaylightDate.wMinute = TimeZoneInformation.DaylightDate.Minute;
lpTimeZoneInformation->DaylightDate.wSecond = TimeZoneInformation.DaylightDate.Second;
lpTimeZoneInformation->DaylightDate.wMilliseconds = TimeZoneInformation.DaylightDate.Milliseconds;
lpTimeZoneInformation->DaylightDate.wDayOfWeek = TimeZoneInformation.DaylightDate.Weekday;
lpTimeZoneInformation->DaylightBias = TimeZoneInformation.DaylightBias;
return TIME_ZoneID(lpTimeZoneInformation);
}
