
Undocumented NtQuerySystemInformation Structures...



I came across this nice article from Matthew Graeber covering NtQuerySystemInformation and the undocumented structures the function returns. Thought others here may find it of interest...

 

// SystemInformationClass values accepted by NtQuerySystemInformation /
// NtSetSystemInformation. The table ends at MaxSystemInfoClass (0x95);
// NOTE(review): the set is build-specific, so treat any class above the
// ones documented for the target Windows build as unverified.
enum _SYSTEM_INFORMATION_CLASS {
    // 0x00 - 0x0F: basic system, processor, process and pool queries
    SystemBasicInformation                        = 0x0000,
    SystemProcessorInformation                    = 0x0001,
    SystemPerformanceInformation                  = 0x0002,
    SystemTimeOfDayInformation                    = 0x0003,
    SystemPathInformation                         = 0x0004,
    SystemProcessInformation                      = 0x0005,
    SystemCallCountInformation                    = 0x0006,
    SystemDeviceInformation                       = 0x0007,
    SystemProcessorPerformanceInformation         = 0x0008,
    SystemFlagsInformation                        = 0x0009,
    SystemCallTimeInformation                     = 0x000A,
    SystemModuleInformation                       = 0x000B,
    SystemLocksInformation                        = 0x000C,
    SystemStackTraceInformation                   = 0x000D,
    SystemPagedPoolInformation                    = 0x000E,
    SystemNonPagedPoolInformation                 = 0x000F,
    // 0x10 - 0x1F: handles, objects, page files, VDM, cache, pool tags
    SystemHandleInformation                       = 0x0010,
    SystemObjectInformation                       = 0x0011,
    SystemPageFileInformation                     = 0x0012,
    SystemVdmInstemulInformation                  = 0x0013,
    SystemVdmBopInformation                       = 0x0014,
    SystemFileCacheInformation                    = 0x0015,
    SystemPoolTagInformation                      = 0x0016,
    SystemInterruptInformation                    = 0x0017,
    SystemDpcBehaviorInformation                  = 0x0018,
    SystemFullMemoryInformation                   = 0x0019,
    SystemLoadGdiDriverInformation                = 0x001A,
    SystemUnloadGdiDriverInformation              = 0x001B,
    SystemTimeAdjustmentInformation               = 0x001C,
    SystemSummaryMemoryInformation                = 0x001D,
    SystemMirrorMemoryInformation                 = 0x001E,
    SystemPerformanceTraceInformation             = 0x001F,
    // 0x20 - 0x2F: crash dump, debugger, quotas, verifier, sessions
    SystemCrashDumpInformation                    = 0x0020,
    SystemExceptionInformation                    = 0x0021,
    SystemCrashDumpStateInformation               = 0x0022,
    SystemKernelDebuggerInformation               = 0x0023,
    SystemContextSwitchInformation                = 0x0024,
    SystemRegistryQuotaInformation                = 0x0025,
    SystemExtendServiceTableInformation           = 0x0026,
    SystemPrioritySeperation                      = 0x0027,  // sic: spelling as shipped
    SystemVerifierAddDriverInformation            = 0x0028,
    SystemVerifierRemoveDriverInformation         = 0x0029,
    SystemProcessorIdleInformation                = 0x002A,
    SystemLegacyDriverInformation                 = 0x002B,
    SystemCurrentTimeZoneInformation              = 0x002C,
    SystemLookasideInformation                    = 0x002D,
    SystemTimeSlipNotification                    = 0x002E,
    SystemSessionCreate                           = 0x002F,
    // 0x30 - 0x3F
    SystemSessionDetach                           = 0x0030,
    SystemSessionInformation                      = 0x0031,
    SystemRangeStartInformation                   = 0x0032,
    SystemVerifierInformation                     = 0x0033,
    SystemVerifierThunkExtend                     = 0x0034,
    SystemSessionProcessInformation               = 0x0035,
    SystemLoadGdiDriverInSystemSpace              = 0x0036,
    SystemNumaProcessorMap                        = 0x0037,
    SystemPrefetcherInformation                   = 0x0038,
    SystemExtendedProcessInformation              = 0x0039,
    SystemRecommendedSharedDataAlignment          = 0x003A,
    SystemComPlusPackage                          = 0x003B,
    SystemNumaAvailableMemory                     = 0x003C,
    SystemProcessorPowerInformation               = 0x003D,
    SystemEmulationBasicInformation               = 0x003E,
    SystemEmulationProcessorInformation           = 0x003F,
    // 0x40 - 0x4F: extended handle info, big pool, hotpatch, firmware tables
    SystemExtendedHandleInformation               = 0x0040,
    SystemLostDelayedWriteInformation             = 0x0041,
    SystemBigPoolInformation                      = 0x0042,
    SystemSessionPoolTagInformation               = 0x0043,
    SystemSessionMappedViewInformation            = 0x0044,
    SystemHotpatchInformation                     = 0x0045,
    SystemObjectSecurityMode                      = 0x0046,
    SystemWatchdogTimerHandler                    = 0x0047,
    SystemWatchdogTimerInformation                = 0x0048,
    SystemLogicalProcessorInformation             = 0x0049,
    SystemWow64SharedInformationObsolete          = 0x004A,
    SystemRegisterFirmwareTableInformationHandler = 0x004B,
    SystemFirmwareTableInformation                = 0x004C,
    SystemModuleInformationEx                     = 0x004D,
    SystemVerifierTriageInformation               = 0x004E,
    SystemSuperfetchInformation                   = 0x004F,
    // 0x50 - 0x5F
    SystemMemoryListInformation                   = 0x0050,
    SystemFileCacheInformationEx                  = 0x0051,
    SystemThreadPriorityClientIdInformation       = 0x0052,
    SystemProcessorIdleCycleTimeInformation       = 0x0053,
    SystemVerifierCancellationInformation         = 0x0054,
    SystemProcessorPowerInformationEx             = 0x0055,
    SystemRefTraceInformation                     = 0x0056,
    SystemSpecialPoolInformation                  = 0x0057,
    SystemProcessIdInformation                    = 0x0058,
    SystemErrorPortInformation                    = 0x0059,
    SystemBootEnvironmentInformation              = 0x005A,
    SystemHypervisorInformation                   = 0x005B,
    SystemVerifierInformationEx                   = 0x005C,
    SystemTimeZoneInformation                     = 0x005D,
    SystemImageFileExecutionOptionsInformation    = 0x005E,
    SystemCoverageInformation                     = 0x005F,
    // 0x60 - 0x6F
    SystemPrefetchPatchInformation                = 0x0060,
    SystemVerifierFaultsInformation               = 0x0061,
    SystemSystemPartitionInformation              = 0x0062,
    SystemSystemDiskInformation                   = 0x0063,
    SystemProcessorPerformanceDistribution        = 0x0064,
    SystemNumaProximityNodeInformation            = 0x0065,
    SystemDynamicTimeZoneInformation              = 0x0066,
    SystemCodeIntegrityInformation                = 0x0067,
    SystemProcessorMicrocodeUpdateInformation     = 0x0068,
    SystemProcessorBrandString                    = 0x0069,
    SystemVirtualAddressInformation               = 0x006A,
    SystemLogicalProcessorAndGroupInformation     = 0x006B,
    SystemProcessorCycleTimeInformation           = 0x006C,
    SystemStoreInformation                        = 0x006D,
    SystemRegistryAppendString                    = 0x006E,
    SystemAitSamplingValue                        = 0x006F,
    // 0x70 - 0x7F
    SystemVhdBootInformation                      = 0x0070,
    SystemCpuQuotaInformation                     = 0x0071,
    SystemNativeBasicInformation                  = 0x0072,
    SystemErrorPortTimeouts                       = 0x0073,
    SystemLowPriorityIoInformation                = 0x0074,
    SystemBootEntropyInformation                  = 0x0075,
    SystemVerifierCountersInformation             = 0x0076,
    SystemPagedPoolInformationEx                  = 0x0077,
    SystemSystemPtesInformationEx                 = 0x0078,
    SystemNodeDistanceInformation                 = 0x0079,
    SystemAcpiAuditInformation                    = 0x007A,
    SystemBasicPerformanceInformation             = 0x007B,
    SystemQueryPerformanceCounterInformation      = 0x007C,
    SystemSessionBigPoolInformation               = 0x007D,
    SystemBootGraphicsInformation                 = 0x007E,
    SystemScrubPhysicalMemoryInformation          = 0x007F,
    // 0x80 - 0x95: platform, boot, secure boot
    SystemBadPageInformation                      = 0x0080,
    SystemProcessorProfileControlArea             = 0x0081,
    SystemCombinePhysicalMemoryInformation        = 0x0082,
    SystemEntropyInterruptTimingInformation       = 0x0083,
    SystemConsoleInformation                      = 0x0084,
    SystemPlatformBinaryInformation               = 0x0085,
    SystemThrottleNotificationInformation         = 0x0086,
    SystemHypervisorProcessorCountInformation     = 0x0087,
    SystemDeviceDataInformation                   = 0x0088,
    SystemDeviceDataEnumerationInformation        = 0x0089,
    SystemMemoryTopologyInformation               = 0x008A,
    SystemMemoryChannelInformation                = 0x008B,
    SystemBootLogoInformation                     = 0x008C,
    SystemProcessorPerformanceInformationEx       = 0x008D,
    SystemSpare0                                  = 0x008E,
    SystemSecureBootPolicyInformation             = 0x008F,
    SystemPageFileInformationEx                   = 0x0090,
    SystemSecureBootInformation                   = 0x0091,
    SystemEntropyInterruptTimingRawInformation    = 0x0092,
    SystemPortableWorkspaceEfiLauncherInformation = 0x0093,
    SystemFullProcessInformation                  = 0x0094,
    MaxSystemInfoClass                            = 0x0095
};

// Base types used by the structures below. USHORT_PTR is a pointer to a
// 16-bit unit and is what this listing uses for UNICODE_STRING.Buffer; it is
// 4 bytes on x86, which is the layout every Size/Offset annotation assumes.
typedef unsigned short USHORT;
typedef USHORT *USHORT_PTR;
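// ===========================================================================
// Layout caveat (review): every Size/Offset annotation in this listing is for
// the 32-bit (x86) kernel -- PVOID, HANDLE and USHORT_PTR are 4 bytes and
// pointer-sized quantities are declared as ULONG. The same definitions do NOT
// describe the x64 layout: parsing an x64 NtQuerySystemInformation buffer
// with them mis-reads every pointer field and mis-strides the "Foo[1]"
// trailing arrays. Those "Foo[1]" members are variable-length tails whose
// real element count is the preceding Count/NumberOf* field, so the caller
// must size the buffer for that count and bounds-check every index against
// the length the call actually returned, never against sizeof(struct).
// Each struct is labelled with the information class it pairs with by name.
// The Size/Offset comments are the original author's annotations; the few
// that contradicted the declared fields are corrected and marked "(fixed)".
// ===========================================================================
typedef PVOID HANDLE;

// Counted UTF-16 string header. NOTE(review): in the public definition
// Length/MaximumLength are byte counts and Buffer (PWSTR) is not required to
// be NUL-terminated -- bound reads by Length, never by wcslen(); Buffer may
// be NULL when Length is 0, so check before dereferencing.
typedef struct _UNICODE_STRING // Size=8
{
    USHORT Length;          // Size=2 Offset=0
    USHORT MaximumLength;   // Size=2 Offset=2
    USHORT_PTR Buffer;      // Size=4 Offset=4
} UNICODE_STRING, *PUNICODE_STRING;

// 64-bit value as two 32-bit halves, low word first.
typedef struct _LARGE_INTEGER // Size=8
{
    ULONG LowPart;   // Size=4 Offset=0
    LONG HighPart;   // Size=4 Offset=4
} LARGE_INTEGER;

// Generic-to-specific access-right mapping of an object type.
typedef struct _GENERIC_MAPPING // Size=16
{
    ULONG GenericRead;      // Size=4 Offset=0
    ULONG GenericWrite;     // Size=4 Offset=4
    ULONG GenericExecute;   // Size=4 Offset=8
    ULONG GenericAll;       // Size=4 Offset=12
} GENERIC_MAPPING;

// SystemBasicInformation. The user-mode address range and affinity mask are
// 32-bit here, i.e. this is the x86 (or WOW64-visible) form only.
struct _SYSTEM_BASIC_INFORMATION // Size=44
{
    ULONG Reserved;                      // Size=4 Offset=0
    ULONG TimerResolution;               // Size=4 Offset=4
    ULONG PageSize;                      // Size=4 Offset=8
    ULONG NumberOfPhysicalPages;         // Size=4 Offset=12
    ULONG LowestPhysicalPageNumber;      // Size=4 Offset=16
    ULONG HighestPhysicalPageNumber;     // Size=4 Offset=20
    ULONG AllocationGranularity;         // Size=4 Offset=24
    ULONG MinimumUserModeAddress;        // Size=4 Offset=28
    ULONG MaximumUserModeAddress;        // Size=4 Offset=32
    ULONG ActiveProcessorsAffinityMask;  // Size=4 Offset=36
    UCHAR NumberOfProcessors;            // Size=1 Offset=40 (3 bytes of tail padding to 44)
};

// SystemProcessorInformation.
struct _SYSTEM_PROCESSOR_INFORMATION // Size=12
{
    USHORT ProcessorArchitecture;   // Size=2 Offset=0
    USHORT ProcessorLevel;          // Size=2 Offset=2
    USHORT ProcessorRevision;       // Size=2 Offset=4
    USHORT MaximumProcessors;       // Size=2 Offset=6
    ULONG ProcessorFeatureBits;     // Size=4 Offset=8
};

// SystemPerformanceInformation: system-wide I/O, memory, pool and cache
// manager (Cc*) counters.
struct _SYSTEM_PERFORMANCE_INFORMATION // Size=344
{
    LARGE_INTEGER IdleProcessTime;          // Size=8 Offset=0
    LARGE_INTEGER IoReadTransferCount;      // Size=8 Offset=8
    LARGE_INTEGER IoWriteTransferCount;     // Size=8 Offset=16
    LARGE_INTEGER IoOtherTransferCount;     // Size=8 Offset=24
    ULONG IoReadOperationCount;             // Size=4 Offset=32
    ULONG IoWriteOperationCount;            // Size=4 Offset=36
    ULONG IoOtherOperationCount;            // Size=4 Offset=40
    ULONG AvailablePages;                   // Size=4 Offset=44
    ULONG CommittedPages;                   // Size=4 Offset=48
    ULONG CommitLimit;                      // Size=4 Offset=52
    ULONG PeakCommitment;                   // Size=4 Offset=56
    ULONG PageFaultCount;                   // Size=4 Offset=60
    ULONG CopyOnWriteCount;                 // Size=4 Offset=64
    ULONG TransitionCount;                  // Size=4 Offset=68
    ULONG CacheTransitionCount;             // Size=4 Offset=72
    ULONG DemandZeroCount;                  // Size=4 Offset=76
    ULONG PageReadCount;                    // Size=4 Offset=80
    ULONG PageReadIoCount;                  // Size=4 Offset=84
    ULONG CacheReadCount;                   // Size=4 Offset=88
    ULONG CacheIoCount;                     // Size=4 Offset=92
    ULONG DirtyPagesWriteCount;             // Size=4 Offset=96
    ULONG DirtyWriteIoCount;                // Size=4 Offset=100
    ULONG MappedPagesWriteCount;            // Size=4 Offset=104
    ULONG MappedWriteIoCount;               // Size=4 Offset=108
    ULONG PagedPoolPages;                   // Size=4 Offset=112
    ULONG NonPagedPoolPages;                // Size=4 Offset=116
    ULONG PagedPoolAllocs;                  // Size=4 Offset=120
    ULONG PagedPoolFrees;                   // Size=4 Offset=124
    ULONG NonPagedPoolAllocs;               // Size=4 Offset=128
    ULONG NonPagedPoolFrees;                // Size=4 Offset=132
    ULONG FreeSystemPtes;                   // Size=4 Offset=136
    ULONG ResidentSystemCodePage;           // Size=4 Offset=140
    ULONG TotalSystemDriverPages;           // Size=4 Offset=144
    ULONG TotalSystemCodePages;             // Size=4 Offset=148
    ULONG NonPagedPoolLookasideHits;        // Size=4 Offset=152
    ULONG PagedPoolLookasideHits;           // Size=4 Offset=156
    ULONG AvailablePagedPoolPages;          // Size=4 Offset=160
    ULONG ResidentSystemCachePage;          // Size=4 Offset=164
    ULONG ResidentPagedPoolPage;            // Size=4 Offset=168
    ULONG ResidentSystemDriverPage;         // Size=4 Offset=172
    ULONG CcFastReadNoWait;                 // Size=4 Offset=176
    ULONG CcFastReadWait;                   // Size=4 Offset=180
    ULONG CcFastReadResourceMiss;           // Size=4 Offset=184
    ULONG CcFastReadNotPossible;            // Size=4 Offset=188
    ULONG CcFastMdlReadNoWait;              // Size=4 Offset=192
    ULONG CcFastMdlReadWait;                // Size=4 Offset=196
    ULONG CcFastMdlReadResourceMiss;        // Size=4 Offset=200
    ULONG CcFastMdlReadNotPossible;         // Size=4 Offset=204
    ULONG CcMapDataNoWait;                  // Size=4 Offset=208
    ULONG CcMapDataWait;                    // Size=4 Offset=212
    ULONG CcMapDataNoWaitMiss;              // Size=4 Offset=216
    ULONG CcMapDataWaitMiss;                // Size=4 Offset=220
    ULONG CcPinMappedDataCount;             // Size=4 Offset=224
    ULONG CcPinReadNoWait;                  // Size=4 Offset=228
    ULONG CcPinReadWait;                    // Size=4 Offset=232
    ULONG CcPinReadNoWaitMiss;              // Size=4 Offset=236
    ULONG CcPinReadWaitMiss;                // Size=4 Offset=240
    ULONG CcCopyReadNoWait;                 // Size=4 Offset=244
    ULONG CcCopyReadWait;                   // Size=4 Offset=248
    ULONG CcCopyReadNoWaitMiss;             // Size=4 Offset=252
    ULONG CcCopyReadWaitMiss;               // Size=4 Offset=256
    ULONG CcMdlReadNoWait;                  // Size=4 Offset=260
    ULONG CcMdlReadWait;                    // Size=4 Offset=264
    ULONG CcMdlReadNoWaitMiss;              // Size=4 Offset=268
    ULONG CcMdlReadWaitMiss;                // Size=4 Offset=272
    ULONG CcReadAheadIos;                   // Size=4 Offset=276
    ULONG CcLazyWriteIos;                   // Size=4 Offset=280
    ULONG CcLazyWritePages;                 // Size=4 Offset=284
    ULONG CcDataFlushes;                    // Size=4 Offset=288
    ULONG CcDataPages;                      // Size=4 Offset=292
    ULONG ContextSwitches;                  // Size=4 Offset=296
    ULONG FirstLevelTbFills;                // Size=4 Offset=300
    ULONG SecondLevelTbFills;               // Size=4 Offset=304
    ULONG SystemCalls;                      // Size=4 Offset=308
    ULONGLONG CcTotalDirtyPages;            // Size=8 Offset=312
    ULONGLONG CcDirtyPageThreshold;         // Size=8 Offset=320
    LONGLONG ResidentAvailablePages;        // Size=8 Offset=328
    ULONGLONG SharedCommittedPages;         // Size=8 Offset=336
};

// SystemTimeOfDayInformation.
struct _SYSTEM_TIMEOFDAY_INFORMATION // Size=48
{
    LARGE_INTEGER BootTime;       // Size=8 Offset=0
    LARGE_INTEGER CurrentTime;    // Size=8 Offset=8
    LARGE_INTEGER TimeZoneBias;   // Size=8 Offset=16
    ULONG TimeZoneId;             // Size=4 Offset=24
    ULONG Reserved;               // Size=4 Offset=28
    ULONGLONG BootTimeBias;       // Size=8 Offset=32
    ULONGLONG SleepTimeBias;      // Size=8 Offset=40
};

// SystemProcessInformation: one record per process, chained by
// NextEntryOffset (byte distance from this record to the next; 0 on the last
// record). Walk the list by NextEntryOffset, not by sizeof(): NOTE(review)
// NumberOfThreads SYSTEM_THREAD_INFORMATION records are expected to follow
// each 184-byte header and are not declared here. Validate every
// NextEntryOffset against the remaining buffer length before following it.
// ImageName.Buffer points into the same buffer and may be NULL (Length 0).
typedef struct _SYSTEM_PROCESS_INFORMATION // Size=184
{
    ULONG NextEntryOffset;                  // Size=4 Offset=0
    ULONG NumberOfThreads;                  // Size=4 Offset=4
    LARGE_INTEGER WorkingSetPrivateSize;    // Size=8 Offset=8
    ULONG HardFaultCount;                   // Size=4 Offset=16
    ULONG NumberOfThreadsHighWatermark;     // Size=4 Offset=20
    ULONGLONG CycleTime;                    // Size=8 Offset=24
    LARGE_INTEGER CreateTime;               // Size=8 Offset=32
    LARGE_INTEGER UserTime;                 // Size=8 Offset=40
    LARGE_INTEGER KernelTime;               // Size=8 Offset=48
    UNICODE_STRING ImageName;               // Size=8 Offset=56
    LONG BasePriority;                      // Size=4 Offset=64
    PVOID UniqueProcessId;                  // Size=4 Offset=68
    PVOID InheritedFromUniqueProcessId;     // Size=4 Offset=72
    ULONG HandleCount;                      // Size=4 Offset=76
    ULONG SessionId;                        // Size=4 Offset=80
    ULONG UniqueProcessKey;                 // Size=4 Offset=84
    ULONG PeakVirtualSize;                  // Size=4 Offset=88
    ULONG VirtualSize;                      // Size=4 Offset=92
    ULONG PageFaultCount;                   // Size=4 Offset=96
    ULONG PeakWorkingSetSize;               // Size=4 Offset=100
    ULONG WorkingSetSize;                   // Size=4 Offset=104
    ULONG QuotaPeakPagedPoolUsage;          // Size=4 Offset=108
    ULONG QuotaPagedPoolUsage;              // Size=4 Offset=112
    ULONG QuotaPeakNonPagedPoolUsage;       // Size=4 Offset=116
    ULONG QuotaNonPagedPoolUsage;           // Size=4 Offset=120
    ULONG PagefileUsage;                    // Size=4 Offset=124
    ULONG PeakPagefileUsage;                // Size=4 Offset=128
    ULONG PrivatePageCount;                 // Size=4 Offset=132
    LARGE_INTEGER ReadOperationCount;       // Size=8 Offset=136
    LARGE_INTEGER WriteOperationCount;      // Size=8 Offset=144
    LARGE_INTEGER OtherOperationCount;      // Size=8 Offset=152
    LARGE_INTEGER ReadTransferCount;        // Size=8 Offset=160
    LARGE_INTEGER WriteTransferCount;       // Size=8 Offset=168
    LARGE_INTEGER OtherTransferCount;       // Size=8 Offset=176
} SYSTEM_PROCESS_INFORMATION;

// SystemCallCountInformation header; the per-table counts follow it.
struct _SYSTEM_CALL_COUNT_INFORMATION // Size=8
{
    ULONG Length;           // Size=4 Offset=0
    ULONG NumberOfTables;   // Size=4 Offset=4
};

// SystemDeviceInformation.
struct _SYSTEM_DEVICE_INFORMATION // Size=24
{
    ULONG NumberOfDisks;          // Size=4 Offset=0
    ULONG NumberOfFloppies;       // Size=4 Offset=4
    ULONG NumberOfCdRoms;         // Size=4 Offset=8
    ULONG NumberOfTapes;          // Size=4 Offset=12
    ULONG NumberOfSerialPorts;    // Size=4 Offset=16
    ULONG NumberOfParallelPorts;  // Size=4 Offset=20
};

// SystemProcessorPerformanceInformation: one per processor; size the buffer
// by processor count, the InterruptCount is followed by 4 bytes of padding.
struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION // Size=48
{
    LARGE_INTEGER IdleTime;        // Size=8 Offset=0
    LARGE_INTEGER KernelTime;      // Size=8 Offset=8
    LARGE_INTEGER UserTime;        // Size=8 Offset=16
    LARGE_INTEGER DpcTime;         // Size=8 Offset=24
    LARGE_INTEGER InterruptTime;   // Size=8 Offset=32
    ULONG InterruptCount;          // Size=4 Offset=40
};

// NtGlobalFlag bits (SystemFlagsInformation). NOTE(review): these are
// bit flags, so test them with &, not ==. FLG_DISABLE_PROTDLLS (0x80000000)
// does not fit in a signed int, which strict C compilers reject inside an
// enum; if that bites, move the FLG_* values to #define/const ULONG.
typedef enum _SYSTEM_GLOBAL_FLAGS
{
    FLG_DISABLE_DBGPRINT            = 0x08000000,
    FLG_KERNEL_STACK_TRACE_DB       = 0x00002000,
    FLG_USER_STACK_TRACE_DB         = 0x00001000,
    FLG_DEBUG_INITIAL_COMMAND       = 0x00000004,
    FLG_DEBUG_INITIAL_COMMAND_EX    = 0x04000000,
    FLG_HEAP_DISABLE_COALESCING     = 0x00200000,
    FLG_DISABLE_PAGE_KERNEL_STACKS  = 0x00080000,
    FLG_DISABLE_PROTDLLS            = 0x80000000,
    FLG_DISABLE_STACK_EXTENSION     = 0x00010000,
    FLG_CRITSEC_EVENT_CREATION      = 0x10000000,
    FLG_APPLICATION_VERIFIER        = 0x00000100,
    FLG_ENABLE_HANDLE_EXCEPTIONS    = 0x40000000,
    FLG_ENABLE_CLOSE_EXCEPTIONS     = 0x00400000,
    FLG_ENABLE_CSRDEBUG             = 0x00020000,
    FLG_ENABLE_EXCEPTION_LOGGING    = 0x00800000,
    FLG_HEAP_ENABLE_FREE_CHECK      = 0x00000020,
    FLG_HEAP_VALIDATE_PARAMETERS    = 0x00000040,
    FLG_HEAP_ENABLE_TAGGING         = 0x00000800,
    FLG_HEAP_ENABLE_TAG_BY_DLL      = 0x00008000,
    FLG_HEAP_ENABLE_TAIL_CHECK      = 0x00000010,
    FLG_HEAP_VALIDATE_ALL           = 0x00000080,
    FLG_ENABLE_KDEBUG_SYMBOL_LOAD   = 0x00040000,
    FLG_ENABLE_HANDLE_TYPE_TAGGING  = 0x01000000,
    FLG_HEAP_PAGE_ALLOCS            = 0x02000000,
    FLG_POOL_ENABLE_TAGGING         = 0x00000400,
    FLG_ENABLE_SYSTEM_CRIT_BREAKS   = 0x00100000,
    FLG_MAINTAIN_OBJECT_TYPELIST    = 0x00004000,
    FLG_MONITOR_SILENT_PROCESS_EXIT = 0x00000200,
    FLG_SHOW_LDR_SNAPS              = 0x00000002,
    FLG_STOP_ON_EXCEPTION           = 0x00000001,
    FLG_STOP_ON_HUNG_GUI            = 0x00000008
} SYSTEM_GLOBAL_FLAGS;

// SystemFlagsInformation.
struct _SYSTEM_FLAGS_INFORMATION // Size=4
{
    SYSTEM_GLOBAL_FLAGS Flags;  // Size=4 Offset=0
};

// SystemCallTimeInformation; TimeOfCalls[1] is the first of TotalCalls
// entries.
struct _SYSTEM_CALL_TIME_INFORMATION // Size=16
{
    ULONG Length;                    // Size=4 Offset=0
    ULONG TotalCalls;                // Size=4 Offset=4
    LARGE_INTEGER TimeOfCalls[1];    // Size=8 Offset=8
};

// One loaded kernel module (SystemModuleInformation). NOTE(review): this is
// 4 bytes shorter than the public RTL_PROCESS_MODULE_INFORMATION, which
// begins with two pointer fields (Section, MappedBase) before the image
// base; confirm the 280-byte stride against the target build before
// indexing Modules[i] or using NameOffset, or every module after the first
// is misread.
typedef struct _SYSTEM_MODULE // Size=280
{
    USHORT Reserved1;          // Size=2 Offset=0
    USHORT Reserved2;          // Size=2 Offset=2
    ULONG ImageBaseAddress;    // Size=4 Offset=4
    ULONG ImageSize;           // Size=4 Offset=8
    ULONG Flags;               // Size=4 Offset=12
    USHORT Index;              // Size=2 Offset=16
    USHORT Rank;               // Size=2 Offset=18
    USHORT LoadCount;          // Size=2 Offset=20
    USHORT NameOffset;         // Size=2 Offset=22 (offset of the file name within Name)
    UCHAR Name[256];           // Size=256 Offset=24 -- bound NameOffset to < 256 before use
} SYSTEM_MODULE;

// SystemModuleInformation: Modules[1] is the first of Count entries.
struct _SYSTEM_MODULE_INFORMATION // Size=284
{
    ULONG Count;                 // Size=4 Offset=0
    SYSTEM_MODULE Modules[1];    // Size=280 Offset=4
};

// One lock record (SystemLocksInformation).
typedef struct _SYSTEM_LOCK // Size=36
{
    PVOID Address;                     // Size=4 Offset=0
    USHORT Type;                       // Size=2 Offset=4
    USHORT Reserved1;                  // Size=2 Offset=6
    ULONG ExclusiveOwnerThreadId;      // Size=4 Offset=8
    ULONG ActiveCount;                 // Size=4 Offset=12
    ULONG ContentionCount;             // Size=4 Offset=16
    ULONG Reserved2[2];                // Size=8 Offset=20
    ULONG NumberOfSharedWaiters;       // Size=4 Offset=28
    ULONG NumberOfExclusiveWaiters;    // Size=4 Offset=32
} SYSTEM_LOCK;

// SystemLocksInformation: Locks[1] is the first of Count entries.
struct _SYSTEM_LOCK_INFORMATION // Size=40
{
    ULONG Count;              // Size=4 Offset=0
    SYSTEM_LOCK Locks[1];     // Size=36 Offset=4
};

// Bit values of SYSTEM_HANDLE_TABLE_ENTRY_INFO.HandleAttributes.
typedef enum _SYSTEM_HANDLE_FLAGS
{
    PROTECT_FROM_CLOSE = 1,
    INHERIT            = 2
} SYSTEM_HANDLE_FLAGS;

// One handle record (SystemHandleInformation). Both the PID and the handle
// value are only 16 bits wide here and silently truncate larger values; use
// SystemExtendedHandleInformation (ULONG fields) on anything modern.
// HandleAttributes is declared UCHAR (fixed): the original declared it with
// the enum type, which is 4 bytes on every mainstream ABI and would push
// HandleValue to offset 8 and the struct to 20 bytes, misaligning every
// entry after the first in Handles[].
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO // Size=16
{
    USHORT UniqueProcessId;          // Size=2 Offset=0
    USHORT CreatorBackTraceIndex;    // Size=2 Offset=2
    UCHAR ObjectTypeIndex;           // Size=1 Offset=4
    UCHAR HandleAttributes;          // Size=1 Offset=5 -- bitmask of SYSTEM_HANDLE_FLAGS
    USHORT HandleValue;              // Size=2 Offset=6
    PVOID Object;                    // Size=4 Offset=8  -- kernel address of the object
    ULONG GrantedAccess;             // Size=4 Offset=12
} SYSTEM_HANDLE_TABLE_ENTRY_INFO;

// SystemHandleInformation: Handles[1] is the first of NumberOfHandles
// entries; the required buffer is 4 + NumberOfHandles * 16 bytes and the
// count changes between calls, so re-query on a length mismatch.
struct _SYSTEM_HANDLE_INFORMATION // Size=20
{
    ULONG NumberOfHandles;                       // Size=4 Offset=0
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];   // Size=16 Offset=4
};

// Per-object-type record (SystemObjectInformation), chained by
// NextEntryOffset (0 on the last record).
struct _SYSTEM_OBJECTTYPE_INFORMATION // Size=56
{
    ULONG NextEntryOffset;            // Size=4 Offset=0
    ULONG NumberOfObjects;            // Size=4 Offset=4
    ULONG NumberOfHandles;            // Size=4 Offset=8
    ULONG TypeIndex;                  // Size=4 Offset=12
    ULONG InvalidAttributes;          // Size=4 Offset=16
    GENERIC_MAPPING GenericMapping;   // Size=16 Offset=20
    ULONG ValidAccessMask;            // Size=4 Offset=36
    ULONG PoolType;                   // Size=4 Offset=40
    UCHAR SecurityRequired;           // Size=1 Offset=44
    UCHAR WaitableObject;             // Size=1 Offset=45 (2 bytes of padding follow)
    UNICODE_STRING TypeName;          // Size=8 Offset=48
};

// Object name as returned by the object manager.
typedef struct _OBJECT_NAME_INFORMATION // Size=8
{
    UNICODE_STRING Name;   // Size=8 Offset=0
} OBJECT_NAME_INFORMATION;

// Per-object record (SystemObjectInformation), chained by NextEntryOffset.
struct _SYSTEM_OBJECT_INFORMATION // Size=48
{
    ULONG NextEntryOffset;               // Size=4 Offset=0
    PVOID Object;                        // Size=4 Offset=4
    PVOID CreatorUniqueProcess;          // Size=4 Offset=8
    USHORT CreatorBackTraceIndex;        // Size=2 Offset=12
    USHORT Flags;                        // Size=2 Offset=14
    LONG PointerCount;                   // Size=4 Offset=16
    LONG HandleCount;                    // Size=4 Offset=20
    ULONG PagedPoolCharge;               // Size=4 Offset=24
    ULONG NonPagedPoolCharge;            // Size=4 Offset=28
    PVOID ExclusiveProcessId;            // Size=4 Offset=32
    PVOID SecurityDescriptor;            // Size=4 Offset=36
    OBJECT_NAME_INFORMATION NameInfo;    // Size=8 Offset=40
};

// SystemPageFileInformation, chained by NextEntryOffset.
struct _SYSTEM_PAGEFILE_INFORMATION // Size=24
{
    ULONG NextEntryOffset;          // Size=4 Offset=0
    ULONG TotalSize;                // Size=4 Offset=4
    ULONG TotalInUse;               // Size=4 Offset=8
    ULONG PeakUsage;                // Size=4 Offset=12
    UNICODE_STRING PageFileName;    // Size=8 Offset=16
};

// SystemVdmInstemulInformation: x86 VDM instruction-emulation counters.
struct _SYSTEM_VDM_INSTEMUL_INFO // Size=136
{
    ULONG SegmentNotPresent;     // Size=4 Offset=0
    ULONG VdmOpcode0F;           // Size=4 Offset=4
    ULONG OpcodeESPrefix;        // Size=4 Offset=8
    ULONG OpcodeCSPrefix;        // Size=4 Offset=12
    ULONG OpcodeSSPrefix;        // Size=4 Offset=16
    ULONG OpcodeDSPrefix;        // Size=4 Offset=20
    ULONG OpcodeFSPrefix;        // Size=4 Offset=24
    ULONG OpcodeGSPrefix;        // Size=4 Offset=28
    ULONG OpcodeOPER32Prefix;    // Size=4 Offset=32
    ULONG OpcodeADDR32Prefix;    // Size=4 Offset=36
    ULONG OpcodeINSB;            // Size=4 Offset=40
    ULONG OpcodeINSW;            // Size=4 Offset=44
    ULONG OpcodeOUTSB;           // Size=4 Offset=48
    ULONG OpcodeOUTSW;           // Size=4 Offset=52
    ULONG OpcodePUSHF;           // Size=4 Offset=56
    ULONG OpcodePOPF;            // Size=4 Offset=60
    ULONG OpcodeINTnn;           // Size=4 Offset=64
    ULONG OpcodeINTO;            // Size=4 Offset=68
    ULONG OpcodeIRET;            // Size=4 Offset=72
    ULONG OpcodeINBimm;          // Size=4 Offset=76
    ULONG OpcodeINWimm;          // Size=4 Offset=80
    ULONG OpcodeOUTBimm;         // Size=4 Offset=84
    ULONG OpcodeOUTWimm;         // Size=4 Offset=88
    ULONG OpcodeINB;             // Size=4 Offset=92
    ULONG OpcodeINW;             // Size=4 Offset=96
    ULONG OpcodeOUTB;            // Size=4 Offset=100
    ULONG OpcodeOUTW;            // Size=4 Offset=104
    ULONG OpcodeLOCKPrefix;      // Size=4 Offset=108
    ULONG OpcodeREPNEPrefix;     // Size=4 Offset=112
    ULONG OpcodeREPPrefix;       // Size=4 Offset=116
    ULONG OpcodeHLT;             // Size=4 Offset=120
    ULONG OpcodeCLI;             // Size=4 Offset=124
    ULONG OpcodeSTI;             // Size=4 Offset=128
    ULONG BopCount;              // Size=4 Offset=132
};

// SystemFileCacheInformation.
struct _SYSTEM_FILECACHE_INFORMATION // Size=36
{
    ULONG CurrentSize;                               // Size=4 Offset=0
    ULONG PeakSize;                                  // Size=4 Offset=4
    ULONG PageFaultCount;                            // Size=4 Offset=8
    ULONG MinimumWorkingSet;                         // Size=4 Offset=12
    ULONG MaximumWorkingSet;                         // Size=4 Offset=16
    ULONG CurrentSizeIncludingTransitionInPages;     // Size=4 Offset=20
    ULONG PeakSizeIncludingTransitionInPages;        // Size=4 Offset=24
    ULONG TransitionRePurposeCount;                  // Size=4 Offset=28
    ULONG Flags;                                     // Size=4 Offset=32
};

// One pool-tag record (SystemPoolTagInformation). Tag is 4 raw bytes, not a
// NUL-terminated string.
typedef struct _SYSTEM_POOLTAG // Size=28
{
    UCHAR Tag[4];            // Size=4 Offset=0
    ULONG PagedAllocs;       // Size=4 Offset=4
    ULONG PagedFrees;        // Size=4 Offset=8
    ULONG PagedUsed;         // Size=4 Offset=12
    ULONG NonPagedAllocs;    // Size=4 Offset=16
    ULONG NonPagedFrees;     // Size=4 Offset=20
    ULONG NonPagedUsed;      // Size=4 Offset=24
} SYSTEM_POOLTAG;

// SystemPoolTagInformation: TagInfo[1] is the first of Count entries.
struct _SYSTEM_POOLTAG_INFORMATION // Size=32
{
    ULONG Count;                   // Size=4 Offset=0
    SYSTEM_POOLTAG TagInfo[1];     // Size=28 Offset=4
};

// SystemInterruptInformation (one per processor).
struct _SYSTEM_INTERRUPT_INFORMATION // Size=24
{
    ULONG ContextSwitches;   // Size=4 Offset=0
    ULONG DpcCount;          // Size=4 Offset=4
    ULONG DpcRate;           // Size=4 Offset=8
    ULONG TimeIncrement;     // Size=4 Offset=12
    ULONG DpcBypassCount;    // Size=4 Offset=16
    ULONG ApcBypassCount;    // Size=4 Offset=20
};

// SystemDpcBehaviorInformation.
struct _SYSTEM_DPC_BEHAVIOR_INFORMATION // Size=20
{
    ULONG Spare;                // Size=4 Offset=0
    ULONG DpcQueueDepth;        // Size=4 Offset=4
    ULONG MinimumDpcRate;       // Size=4 Offset=8
    ULONG AdjustDpcThreshold;   // Size=4 Offset=12
    ULONG IdealDpcRate;         // Size=4 Offset=16
};

// PE export directory (the Address* members are RVAs, not pointers).
typedef struct _IMAGE_EXPORT_DIRECTORY // Size=40
{
    ULONG Characteristics;         // Size=4 Offset=0
    ULONG TimeDateStamp;           // Size=4 Offset=4
    USHORT MajorVersion;           // Size=2 Offset=8
    USHORT MinorVersion;           // Size=2 Offset=10
    ULONG Name;                    // Size=4 Offset=12
    ULONG Base;                    // Size=4 Offset=16
    ULONG NumberOfFunctions;       // Size=4 Offset=20
    ULONG NumberOfNames;           // Size=4 Offset=24
    ULONG AddressOfFunctions;      // Size=4 Offset=28
    ULONG AddressOfNames;          // Size=4 Offset=32
    ULONG AddressOfNameOrdinals;   // Size=4 Offset=36
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

// SystemLoadGdiDriverInformation result: where the driver was mapped.
struct _SYSTEM_LOADED_GDI_DRIVER_INFORMATION // Size=28
{
    UNICODE_STRING DriverName;                        // Size=8 Offset=0
    PVOID ImageAddress;                               // Size=4 Offset=8
    PVOID SectionPointer;                             // Size=4 Offset=12
    PVOID EntryPoint;                                 // Size=4 Offset=16
    PIMAGE_EXPORT_DIRECTORY ExportSectionPointer;     // Size=4 Offset=20
    ULONG ImageLength;                                // Size=4 Offset=24
};

// SystemUnloadGdiDriverInformation input. Size corrected from the original
// annotation of 28: the only member is a 4-byte pointer.
struct _SYSTEM_UNLOADED_GDI_DRIVER_INFORMATION // Size=4 (fixed)
{
    PVOID ImageAddress;   // Size=4 Offset=0
};

// SystemCrashDumpInformation.
struct _SYSTEM_CRASH_DUMP_INFORMATION
{
    HANDLE CrashDumpSectionHandle;   // Size=4 Offset=0
};

// SystemExceptionInformation counters.
struct _SYSTEM_EXCEPTION_INFORMATION // Size=16
{
    ULONG AlignmentFixupCount;       // Size=4 Offset=0
    ULONG ExceptionDispatchCount;    // Size=4 Offset=4
    ULONG FloatingEmulationCount;    // Size=4 Offset=8
    ULONG ByteWordEmulationCount;    // Size=4 Offset=12
};

// Values for SYSTEM_CRASH_DUMP_STATE_INFORMATION.
typedef enum _SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS
{
    SystemCrashDumpDisable                = 0,
    SystemCrashDumpReconfigure            = 1,
    SystemCrashDumpInitializationComplete = 2
} SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS;

// SystemCrashDumpStateInformation.
struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION // Size=4
{
    SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS CrashDumpConfigurationClass;   // Size=4 Offset=0
};

// SystemKernelDebuggerInformation. Note the second flag is negative
// ("NotPresent"): a debugger is attached when KernelDebuggerEnabled != 0 and
// KernelDebuggerNotPresent == 0. Anti-debug checks commonly read this.
struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION // Size=2
{
    UCHAR KernelDebuggerEnabled;      // Size=1 Offset=0
    UCHAR KernelDebuggerNotPresent;   // Size=1 Offset=1
};

// SystemPrioritySeperation (sic).
struct _SYSTEM_PRIORITY_SEPARATION
{
    ULONG PrioritySeparation;   // Size=4 Offset=0
};

// Win32 SYSTEMTIME as used by the time-zone structure below.
typedef struct _SYSTEMTIME {
    WORD wYear;          // Size=2 Offset=0
    WORD wMonth;         // Size=2 Offset=2
    WORD wDayOfWeek;     // Size=2 Offset=4
    WORD wDay;           // Size=2 Offset=6
    WORD wHour;          // Size=2 Offset=8
    WORD wMinute;        // Size=2 Offset=10
    WORD wSecond;        // Size=2 Offset=12
    WORD wMilliseconds;  // Size=2 Offset=14
} SYSTEMTIME;

// SystemTimeZoneInformation / SystemCurrentTimeZoneInformation. The two
// name fields are fixed 32-WCHAR arrays; do not assume NUL termination.
struct _SYSTEM_TIME_ZONE_INFORMATION
{
    LONG Bias;
    WCHAR StandardName[32];
    SYSTEMTIME StandardDate;
    LONG StandardBias;
    WCHAR DaylightName[32];
    SYSTEMTIME DaylightDate;
    LONG DaylightBias;
};

// SystemContextSwitchInformation: scheduler counters.
struct _SYSTEM_CONTEXT_SWITCH_INFORMATION // Size=48
{
    ULONG ContextSwitches;   // Size=4 Offset=0
    ULONG FindAny;           // Size=4 Offset=4
    ULONG FindLast;          // Size=4 Offset=8
    ULONG FindIdeal;         // Size=4 Offset=12
    ULONG IdleAny;           // Size=4 Offset=16
    ULONG IdleCurrent;       // Size=4 Offset=20
    ULONG IdleLast;          // Size=4 Offset=24
    ULONG IdleIdeal;         // Size=4 Offset=28
    ULONG PreemptAny;        // Size=4 Offset=32
    ULONG PreemptCurrent;    // Size=4 Offset=36
    ULONG PreemptLast;       // Size=4 Offset=40
    ULONG SwitchToIdle;      // Size=4 Offset=44
};

// SystemRegistryQuotaInformation.
struct _SYSTEM_REGISTRY_QUOTA_INFORMATION // Size=12
{
    ULONG RegistryQuotaAllowed;   // Size=4 Offset=0
    ULONG RegistryQuotaUsed;      // Size=4 Offset=4
    ULONG PagedPoolSize;          // Size=4 Offset=8
};

// SystemProcessorIdleInformation (one per processor).
struct _SYSTEM_PROCESSOR_IDLE_INFORMATION // Size=48
{
    ULONGLONG IdleTime;     // Size=8 Offset=0
    ULONGLONG C1Time;       // Size=8 Offset=8
    ULONGLONG C2Time;       // Size=8 Offset=16
    ULONGLONG C3Time;       // Size=8 Offset=24
    ULONG C1Transitions;    // Size=4 Offset=32
    ULONG C2Transitions;    // Size=4 Offset=36
    ULONG C3Transitions;    // Size=4 Offset=40
    ULONG Padding;          // Size=4 Offset=44
};

// SystemLegacyDriverInformation.
struct _SYSTEM_LEGACY_DRIVER_INFORMATION // Size=12
{
    ULONG VetoType;            // Size=4 Offset=0
    UNICODE_STRING VetoList;   // Size=8 Offset=4
};

// Kernel pool types (value of SYSTEM_LOOKASIDE_INFORMATION.Type). The
// session and NX variants are offsets (32, 512) from the base values.
typedef enum _POOL_TYPE {
    NonPagedPool,
    NonPagedPoolExecute = NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed = NonPagedPool + 2,
    DontUseThisType,
    NonPagedPoolCacheAligned = NonPagedPool + 4,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
    MaxPoolType,
    NonPagedPoolBase = 0,
    NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
    NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
    NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,
    NonPagedPoolSession = 32,
    PagedPoolSession = NonPagedPoolSession + 1,
    NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
    DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
    NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
    PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
    NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
    NonPagedPoolNx = 512,
    NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
    NonPagedPoolSessionNx = NonPagedPoolNx + 32
} POOL_TYPE;

// SystemLookasideInformation: one record per lookaside list.
struct _SYSTEM_LOOKASIDE_INFORMATION // Size=32
{
    USHORT CurrentDepth;    // Size=2 Offset=0
    USHORT MaximumDepth;    // Size=2 Offset=2
    ULONG TotalAllocates;   // Size=4 Offset=4
    ULONG AllocateMisses;   // Size=4 Offset=8
    ULONG TotalFrees;       // Size=4 Offset=12
    ULONG FreeMisses;       // Size=4 Offset=16
    POOL_TYPE Type;         // Size=4 Offset=20
    ULONG Tag;              // Size=4 Offset=24
    ULONG Size;             // Size=4 Offset=28
};

// SystemTimeSlipNotification input (NtSetSystemInformation).
struct _SYSTEM_SET_TIME_SLIP_EVENT
{
    HANDLE TimeSlipEvent;
};

// SystemSessionCreate / SystemSessionDetach.
struct _SYSTEM_SESSION
{
    ULONG SessionId;
};

// SystemRangeStartInformation: lowest kernel-mode address.
struct _SYSTEM_RANGE_START_INFORMATION
{
    PVOID SystemRangeStart;
};

// SystemVerifierInformation: per-driver verifier counters, chained by
// NextEntryOffset (0 on the last record).
typedef struct _SYSTEM_VERIFIER_INFORMATION // Size=104
{
    ULONG NextEntryOffset;                     // Size=4 Offset=0
    ULONG Level;                               // Size=4 Offset=4
    UNICODE_STRING DriverName;                 // Size=8 Offset=8
    ULONG RaiseIrqls;                          // Size=4 Offset=16
    ULONG AcquireSpinLocks;                    // Size=4 Offset=20
    ULONG SynchronizeExecutions;               // Size=4 Offset=24
    ULONG AllocationsAttempted;                // Size=4 Offset=28
    ULONG AllocationsSucceeded;                // Size=4 Offset=32
    ULONG AllocationsSucceededSpecialPool;     // Size=4 Offset=36
    ULONG AllocationsWithNoTag;                // Size=4 Offset=40
    ULONG TrimRequests;                        // Size=4 Offset=44
    ULONG Trims;                               // Size=4 Offset=48
    ULONG AllocationsFailed;                   // Size=4 Offset=52
    ULONG AllocationsFailedDeliberately;       // Size=4 Offset=56
    ULONG Loads;                               // Size=4 Offset=60
    ULONG Unloads;                             // Size=4 Offset=64
    ULONG UnTrackedPool;                       // Size=4 Offset=68
    ULONG CurrentPagedPoolAllocations;         // Size=4 Offset=72
    ULONG CurrentNonPagedPoolAllocations;      // Size=4 Offset=76
    ULONG PeakPagedPoolAllocations;            // Size=4 Offset=80
    ULONG PeakNonPagedPoolAllocations;         // Size=4 Offset=84
    ULONG PagedPoolUsageInBytes;               // Size=4 Offset=88
    ULONG NonPagedPoolUsageInBytes;            // Size=4 Offset=92
    ULONG PeakPagedPoolUsageInBytes;           // Size=4 Offset=96
    ULONG PeakNonPagedPoolUsageInBytes;        // Size=4 Offset=100
} SYSTEM_VERIFIER_INFORMATION;

// SystemSessionProcessInformation input: the caller supplies Buffer/SizeOfBuf
// and the kernel writes the session's process list into it.
struct _SYSTEM_SESSION_PROCESS_INFORMATION // Size=12
{
    ULONG SessionId;   // Size=4 Offset=0
    ULONG SizeOfBuf;   // Size=4 Offset=4
    PVOID Buffer;      // Size=4 Offset=8
};

// One pool block (SystemPagedPoolInformation / SystemNonPagedPoolInformation).
// No offsets were recorded for this or the next three structures.
typedef struct _SYSTEM_POOL_BLOCK
{
    BOOLEAN Allocated;
    USHORT Unknown;
    ULONG Size;
    CHAR Tag[4];   // 4 raw bytes, not NUL-terminated
} SYSTEM_POOL_BLOCK;

// PoolBlocks[1] is the first of NumberOfBlocks entries.
struct _SYSTEM_POOL_BLOCKS_INFORMATION
{
    ULONG PoolSize;
    PVOID PoolBase;
    USHORT PoolAlignment;
    ULONG NumberOfBlocks;
    SYSTEM_POOL_BLOCK PoolBlocks[1];
};

// One memory-usage record (SystemFullMemoryInformation).
typedef struct _SYSTEM_MEMORY_USAGE
{
    PVOID Name;
    USHORT Valid;
    USHORT Standby;
    USHORT Modified;
    USHORT PageTables;
} SYSTEM_MEMORY_USAGE;

// MemoryUsage[] runs until EndOfData; there is no explicit count.
struct _SYSTEM_MEMORY_USAGE_INFORMATION
{
    ULONG Reserved;
    PVOID EndOfData;
    SYSTEM_MEMORY_USAGE MemoryUsage[1];
};

// Process/thread id pair.
typedef struct _CLIENT_ID // Size=8
{
    PVOID UniqueProcess;   // Size=4 Offset=0
    PVOID UniqueThread;    // Size=4 Offset=4
} CLIENT_ID;

// Per-thread record that follows each SYSTEM_PROCESS_INFORMATION header
// (NumberOfThreads of them). The 8-byte LARGE_INTEGER alignment pads the
// record from 60 to 64 bytes; use sizeof, not the last offset, as the stride.
typedef struct _SYSTEM_THREAD_INFORMATION // Size=64
{
    LARGE_INTEGER KernelTime;   // Size=8 Offset=0
    LARGE_INTEGER UserTime;     // Size=8 Offset=8
    LARGE_INTEGER CreateTime;   // Size=8 Offset=16
    ULONG WaitTime;             // Size=4 Offset=24
    PVOID StartAddress;         // Size=4 Offset=28
    CLIENT_ID ClientId;         // Size=8 Offset=32
    LONG Priority;              // Size=4 Offset=40
    LONG BasePriority;          // Size=4 Offset=44
    ULONG ContextSwitches;      // Size=4 Offset=48
    ULONG ThreadState;          // Size=4 Offset=52
    ULONG WaitReason;           // Size=4 Offset=56
} SYSTEM_THREAD_INFORMATION;

// Extended per-thread record (SystemExtendedProcessInformation); the basic
// record is embedded at offset 0 and the stride is again padded, to 96.
typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION // Size=96
{
    SYSTEM_THREAD_INFORMATION ThreadInfo;   // Size=64 Offset=0
    PVOID StackBase;                        // Size=4 Offset=64
    PVOID StackLimit;                       // Size=4 Offset=68
    PVOID Win32StartAddress;                // Size=4 Offset=72
    PVOID TebBase;                          // Size=4 Offset=76
    ULONG Reserved2;                        // Size=4 Offset=80
    ULONG Reserved3;                        // Size=4 Offset=84
    ULONG Reserved4;                        // Size=4 Offset=88
} SYSTEM_EXTENDED_THREAD_INFORMATION;
// I have not validated this structure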
struct _SYSTEM_EXTENDED_PROCESS_INFORMATION
{
SYSTEM_PROCESS_INFORMATION ProcessInfo; // SYSTEM_PROCESS_INFORMATION is declared earlier in the listing
SYSTEM_EXTENDED_THREAD_INFORMATION ThreadInfo; // only one thread entry is declared; the author marks this layout as unvalidated
};struct _SYSTEM_PROCESSOR_POWER_INFORMATION // Size=72
{
UCHAR CurrentFrequency; // Size=1 Offset=0
UCHAR ThermalLimitFrequency; // Size=1 Offset=1
UCHAR ConstantThrottleFrequency; // Size=1 Offset=2
UCHAR DegradedThrottleFrequency; // Size=1 Offset=3
UCHAR LastBusyFrequency; // Size=1 Offset=4
UCHAR LastC3Frequency; // Size=1 Offset=5
UCHAR LastAdjustedBusyFrequency; // Size=1 Offset=6
UCHAR ProcessorMinThrottle; // Size=1 Offset=7
UCHAR ProcessorMaxThrottle; // Size=1 Offset=8 -- 3 bytes of padding follow before NumberOfFrequencies
ULONG NumberOfFrequencies; // Size=4 Offset=12
ULONG PromotionCount; // Size=4 Offset=16
ULONG DemotionCount; // Size=4 Offset=20
ULONG ErrorCount; // Size=4 Offset=24
ULONG RetryCount; // Size=4 Offset=28
ULONGLONG CurrentFrequencyTime; // Size=8 Offset=32
ULONGLONG CurrentProcessorTime; // Size=8 Offset=40
ULONGLONG CurrentProcessorIdleTime; // Size=8 Offset=48
ULONGLONG LastProcessorTime; // Size=8 Offset=56
ULONGLONG LastProcessorIdleTime; // Size=8 Offset=64
};struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX // Size=28
{
// NOTE(review): this tag has no leading underscore and is used below as a bare type name,
// which only works in C++; in C it needs a typedef or the `struct` keyword at the use site.
PVOID Object; // Size=4 Offset=0 -- pointer annotated as 4 bytes: the listing describes a 32-bit layout
ULONG UniqueProcessId; // Size=4 Offset=4
ULONG HandleValue; // Size=4 Offset=8
ULONG GrantedAccess; // Size=4 Offset=12
USHORT CreatorBackTraceIndex; // Size=2 Offset=16
USHORT ObjectTypeIndex; // Size=2 Offset=18
ULONG HandleAttributes; // Size=4 Offset=20
ULONG Reserved; // Size=4 Offset=24
};struct _SYSTEM_HANDLE_INFORMATION_EX // Size=36
{
ULONG NumberOfHandles; // Size=4 Offset=0
ULONG Reserved; // Size=4 Offset=4
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; // Size=36 Offset=8 -- NOTE: 36 is the whole structure; one entry is 28 bytes (above). NumberOfHandles entries follow.
};typedef struct _SYSTEM_BIGPOOL_ENTRY // Size=12
{
PVOID VirtualAddress; // Size=4 Offset=0
ULONG SizeInBytes; // Size=4 Offset=4
UCHAR Tag[4]; // Size=4 Offset=8 -- four-character pool tag, not NUL-terminated
} SYSTEM_BIGPOOL_ENTRY;struct _SYSTEM_BIGPOOL_INFORMATION // Size=16
{
ULONG Count; // Size=4 Offset=0
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; // Size=12 Offset=4 -- declared [1]; Count entries follow
};struct _SYSTEM_SESSION_POOLTAG_INFORMATION // Size=40
{
ULONG NextEntryOffset; // Size=4 Offset=0 -- records are chained by this offset
ULONG SessionId; // Size=4 Offset=4
ULONG Count; // Size=4 Offset=8
SYSTEM_POOLTAG TagInfo[1]; // Size=28 Offset=12 -- SYSTEM_POOLTAG is declared elsewhere in the listing; Count entries follow
};struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION // Size=20
{
ULONG NextEntryOffset; // Size=4 Offset=0 -- records are chained by this offset
ULONG SessionId; // Size=4 Offset=4
ULONG ViewFailures; // Size=4 Offset=8
ULONG NumberOfBytesAvailable; // Size=4 Offset=12
ULONG NumberOfBytesAvailableContiguous; // Size=4 Offset=16
};typedef struct _HOTPATCH_HOOK_DESCRIPTOR // Size=40
{
ULONGLONG TargetAddress; // Size=8 Offset=0
ULONGLONG MappedAddress; // Size=8 Offset=8
ULONG CodeOffset; // Size=4 Offset=16
ULONG CodeSize; // Size=4 Offset=20
ULONG OrigCodeOffset; // Size=4 Offset=24
ULONG ValidationOffset; // Size=4 Offset=28
ULONG ValidationSize; // Size=4 Offset=32 -- ends at 36; 4 bytes of tail padding bring the size to 40 (8-byte alignment)
} HOTPATCH_HOOK_DESCRIPTOR;struct _SYSTEM_HOTPATCH_CODE_INFORMATION_KERNEL_INFO // Size=4
{
USHORT NameOffset; // Size=2 Offset=0
USHORT NameLength; // Size=2 Offset=2
};struct _SYSTEM_HOTPATCH_CODE_INFORMATION_USERMODE_INFO // Size=14
{
USHORT NameOffset; // Size=2 Offset=0
USHORT NameLength; // Size=2 Offset=2
USHORT TargetNameOffset; // Size=2 Offset=4
USHORT TargetNameLength; // Size=2 Offset=6
USHORT ColdpatchImagePathOffset; // Size=2 Offset=8
USHORT ColdpatchImagePathLength; // Size=2 Offset=10
UCHAR PatchingFinished; // Size=1 Offset=12 -- 1 byte of tail padding brings the size to 14
};struct _SYSTEM_HOTPATCH_CODE_INFORMATION_INJECTION_INFO // Size=24
{
USHORT NameOffset; // Size=2 Offset=0
USHORT NameLength; // Size=2 Offset=2
USHORT TargetNameOffset; // Size=2 Offset=4
USHORT TargetNameLength; // Size=2 Offset=6
USHORT ColdpatchImagePathOffset; // Size=2 Offset=8
USHORT ColdpatchImagePathLength; // Size=2 Offset=10 -- 4 bytes of padding follow so TargetProcess is 8-byte aligned
ULONGLONG TargetProcess; // Size=8 Offset=16
};struct _SYSTEM_HOTPATCH_CODE_INFORMATION_ATOMIC_SWAP // Size=24
{
ULONGLONG ParentDirectory; // Size=8 Offset=0
ULONGLONG ObjectHandle1; // Size=8 Offset=8
ULONGLONG ObjectHandle2; // Size=8 Offset=16
};struct _SYSTEM_HOTPATCH_CODE_INFORMATION_CODE_INFO // Size=48
{
ULONG DescriptorsCount; // Size=4 Offset=0 -- 4 bytes of padding follow (descriptors are 8-byte aligned)
HOTPATCH_HOOK_DESCRIPTOR CodeDescriptors[1]; // Size=40 Offset=8 -- declared [1]; DescriptorsCount entries follow
};typedef enum _WATCHDOG_INFORMATION_CLASS
{
WdInfoTimeoutValue=0,
WdInfoResetTimer=1,
WdInfoStopTimer=2,
WdInfoStartTimer=3,
WdInfoTriggerAction=4,
WdInfoState=5
} WATCHDOG_INFORMATION_CLASS;struct _SYSTEM_WATCHDOG_TIMER_INFORMATION // Size=8
{
WATCHDOG_INFORMATION_CLASS WdInfoClass; // Size=4 Offset=0
ULONG DataValue; // Size=4 Offset=4
};struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION_PROCESSOR_CORE // Size=1
{
UCHAR Flags; // Size=1 Offset=0
};struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION_NUMA_CODE // Size=4
{
// Tag is spelled NUMA_CODE in this listing (possibly a typo for NUMA_NODE); left as given.
ULONG NodeNumber; // Size=4 Offset=0
};typedef enum _PROCESSOR_CACHE_TYPE
{
CacheUnified=0,
CacheInstruction=1,
CacheData=2,
CacheTrace=3
} PROCESSOR_CACHE_TYPE;typedef enum _LOGICAL_PROCESSOR_RELATIONSHIP
{
RelationProcessorCore=0,
RelationNumaNode=1,
RelationCache=2,
RelationProcessorPackage=3,
RelationGroup=4,
RelationAll=65535
} LOGICAL_PROCESSOR_RELATIONSHIP;struct _CACHE_DESCRIPTOR // Size=12
{
UCHAR Level; // Size=1 Offset=0
UCHAR Associativity; // Size=1 Offset=1
USHORT LineSize; // Size=2 Offset=2
ULONG Size; // Size=4 Offset=4
PROCESSOR_CACHE_TYPE Type; // Size=4 Offset=8
};struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION // Size=24
{
ULONG ProcessorMask; // Size=4 Offset=0
LOGICAL_PROCESSOR_RELATIONSHIP Relationship; // Size=4 Offset=4 -- selects which union member below is meaningful
union
{
// NOTE(review): as written this union is not valid C -- the first member has no name and the
// three struct tags lack the `struct` keyword (C++-style output). In C each needs
// `struct <tag> <name>;`, e.g. `struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION_PROCESSOR_CORE ProcessorCore;`
// (the name used by the public SDK definition).
_SYSTEM_LOGICAL_PROCESSOR_INFORMATION_PROCESSOR_CORE; // Size=1 Offset=8
_SYSTEM_LOGICAL_PROCESSOR_INFORMATION_NUMA_CODE NumaNode; // Size=4 Offset=8
_CACHE_DESCRIPTOR Cache; // Size=12 Offset=8
ULONGLONG Reserved[2]; // Size=16 Offset=8 -- fixes the union at 16 bytes
};
};typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
SystemFirmwareTable_Enumerate=0,
SystemFirmwareTable_Get=1
} SYSTEM_FIRMWARE_TABLE_ACTION;struct _SYSTEM_FIRMWARE_TABLE_INFORMATION // Size=20
{
// Fields mirror the parameters of the documented GetSystemFirmwareTable() Win32 API.
ULONG ProviderSignature; // Size=4 Offset=0
SYSTEM_FIRMWARE_TABLE_ACTION Action; // Size=4 Offset=4
ULONG TableID; // Size=4 Offset=8
ULONG TableBufferLength; // Size=4 Offset=12
UCHAR TableBuffer[1]; // Size=1 Offset=16 -- declared [1]; TableBufferLength bytes follow
};struct _SYSTEM_VERIFIER_TRIAGE_INFORMATION // Size=544
{
ULONG ActionTaken; // Size=4 Offset=0
ULONG CrashData[5]; // Size=20 Offset=4
ULONG VerifierMode; // Size=4 Offset=24
ULONG VerifierFlags; // Size=4 Offset=28
WCHAR VerifierTargets[256]; // Size=512 Offset=32 -- fixed-size inline string buffer (256 UTF-16 code units)
};struct _SYSTEM_MEMORY_LIST_INFORMATION // Size=88
{
ULONG ZeroPageCount; // Size=4 Offset=0
ULONG FreePageCount; // Size=4 Offset=4
ULONG ModifiedPageCount; // Size=4 Offset=8
ULONG ModifiedNoWritePageCount; // Size=4 Offset=12
ULONG BadPageCount; // Size=4 Offset=16
ULONG PageCountByPriority[8]; // Size=32 Offset=20
ULONG RepurposedPagesByPriority[8]; // Size=32 Offset=52
ULONG ModifiedPageCountPageFile; // Size=4 Offset=84
};struct _SYSTEM_THREAD_CID_PRIORITY_INFORMATION // Size=12
{
CLIENT_ID ClientId; // Size=8 Offset=0
LONG Priority; // Size=4 Offset=8
};struct _SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION // Size=8
{
ULONGLONG CycleTime; // Size=8 Offset=0
};typedef struct _SYSTEM_VERIFIER_ISSUE // Size=16
{
ULONG IssueType; // Size=4 Offset=0
PVOID Address; // Size=4 Offset=4
ULONG Parameters[2]; // Size=8 Offset=8
} SYSTEM_VERIFIER_ISSUE;struct _SYSTEM_VERIFIER_CANCELLATION_INFORMATION // Size=2068
{
ULONG CancelProbability; // Size=4 Offset=0
ULONG CancelThreshold; // Size=4 Offset=4
ULONG CompletionThreshold; // Size=4 Offset=8
ULONG CancellationVerifierDisabled; // Size=4 Offset=12
ULONG AvailableIssues; // Size=4 Offset=16
SYSTEM_VERIFIER_ISSUE Issues[128]; // Size=2048 Offset=20 -- fixed capacity; presumably AvailableIssues of them are populated -- confirm
};struct _SYSTEM_REF_TRACE_INFORMATION // Size=20
{
UCHAR TraceEnable; // Size=1 Offset=0
UCHAR TracePermanent; // Size=1 Offset=1 -- 2 bytes of padding follow
UNICODE_STRING TraceProcessName; // Size=8 Offset=4
UNICODE_STRING TracePoolTags; // Size=8 Offset=12
};struct _SYSTEM_SPECIAL_POOL_INFORMATION // Size=8
{
ULONG PoolTag; // Size=4 Offset=0
ULONG Flags; // Size=4 Offset=4
};struct _SYSTEM_PROCESS_ID_INFORMATION // Size=12
{
PVOID ProcessId; // Size=4 Offset=0
UNICODE_STRING ImageName; // Size=8 Offset=4 -- presumably the caller supplies ImageName.Buffer/MaximumLength and the kernel fills it; confirm
};typedef struct _GUID // Size=16
{
// Same layout as the SDK GUID (guiddef.h); guard against a duplicate definition if both are included.
ULONG Data1; // Size=4 Offset=0
USHORT Data2; // Size=2 Offset=4
USHORT Data3; // Size=2 Offset=6
UCHAR Data4[8]; // Size=8 Offset=8
} GUID;typedef enum _FIRMWARE_TYPE
{
FirmwareTypeUnknown=0,
FirmwareTypeBios=1,
FirmwareTypeUefi=2,
FirmwareTypeMax=3
} FIRMWARE_TYPE;struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION // Size=32
{
GUID BootIdentifier; // Size=16 Offset=0
FIRMWARE_TYPE FirmwareType; // Size=4 Offset=16 -- 4 bytes of padding follow so BootFlags is 8-byte aligned
ULONGLONG BootFlags; // Size=8 Offset=24
};struct _SYSTEM_VERIFIER_INFORMATION_EX // Size=36
{
ULONG VerifyMode; // Size=4 Offset=0
ULONG OptionChanges; // Size=4 Offset=4
UNICODE_STRING PreviousBucketName; // Size=8 Offset=8
ULONG IrpCancelTimeoutMsec; // Size=4 Offset=16
ULONG VerifierExtensionEnabled; // Size=4 Offset=20
ULONG Reserved[3]; // Size=12 Offset=24
};struct _SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION // Size=8
{
ULONG FlagsToEnable; // Size=4 Offset=0
ULONG FlagsToDisable; // Size=4 Offset=4
};struct _SYSTEM_PREFETCH_PATCH_INFORMATION // Size=4
{
ULONG PrefetchPatchCount; // Size=4 Offset=0
};struct _SYSTEM_VERIFIER_FAULTS_INFORMATION // Size=24
{
ULONG Probability; // Size=4 Offset=0
ULONG MaxProbability; // Size=4 Offset=4
UNICODE_STRING PoolTags; // Size=8 Offset=8
UNICODE_STRING Applications; // Size=8 Offset=16
};struct _SYSTEM_SYSTEM_PARTITION_INFORMATION // Size=8
{
UNICODE_STRING SystemPartition; // Size=8 Offset=0
};struct _SYSTEM_SYSTEM_DISK_INFORMATION // Size=8
{
UNICODE_STRING SystemDisk; // Size=8 Offset=0
};struct _SYSTEM_CODEINTEGRITY_INFORMATION // Size=8
{
ULONG Length; // Size=4 Offset=0 -- looks like a caller-set structure size (sizeof this struct); confirm before relying on it
ULONG CodeIntegrityOptions; // Size=4 Offset=4 -- bit flags reporting the code-integrity state; meanings are not given in this listing
};struct _SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION // Size=4
{
ULONG Operation; // Size=4 Offset=0
};struct _SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION // Size=8
{
ULONGLONG CycleTime; // Size=8 Offset=0
};struct _SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // Size=36
{
// NOTE(review): the member names (KeyHandle, Buffer, AppendBuffer, Create/Truncate flags) read like an input
// block for a set-information call rather than query output -- confirm against the caller.
PVOID KeyHandle; // Size=4 Offset=0
PUNICODE_STRING ValueNamePointer; // Size=4 Offset=4
ULONG_PTR RequiredLengthPointer; // Size=4 Offset=8 -- named as a pointer but typed ULONG_PTR
PUCHAR Buffer; // Size=4 Offset=12
ULONG BufferLength; // Size=4 Offset=16
ULONG Type; // Size=4 Offset=20
PUCHAR AppendBuffer; // Size=4 Offset=24
ULONG AppendBufferLength; // Size=4 Offset=28
UCHAR CreateIfDoesntExist; // Size=1 Offset=32
UCHAR TruncateExistingValue; // Size=1 Offset=33 -- 2 bytes of tail padding bring the size to 36
};struct _SYSTEM_VHD_BOOT_INFORMATION // Size=12
{
UCHAR OsDiskIsVhd; // Size=1 Offset=0 -- 3 bytes of padding follow
ULONG OsVhdFilePathOffset; // Size=4 Offset=4
WCHAR OsVhdParentVolume[1]; // Size=2 Offset=8 -- declared [1]; variable-length string data follows
};struct _SYSTEM_ERROR_PORT_TIMEOUTS // Size=8
{
ULONG StartTimeout; // Size=4 Offset=0
ULONG CommTimeout; // Size=4 Offset=4
};struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION // Size=40
{
ULONG LowPriReadOperations; // Size=4 Offset=0
ULONG LowPriWriteOperations; // Size=4 Offset=4
ULONG KernelBumpedToNormalOperations; // Size=4 Offset=8
ULONG LowPriPagingReadOperations; // Size=4 Offset=12
ULONG KernelPagingReadsBumpedToNormal; // Size=4 Offset=16
ULONG LowPriPagingWriteOperations; // Size=4 Offset=20
ULONG KernelPagingWritesBumpedToNormal; // Size=4 Offset=24
ULONG BoostedIrpCount; // Size=4 Offset=28
ULONG BoostedPagingIrpCount; // Size=4 Offset=32
ULONG BlanketBoostCount; // Size=4 Offset=36
};struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION // Size=168
{
SYSTEM_VERIFIER_INFORMATION Legacy; // Size=104 Offset=0 -- the 104-byte SYSTEM_VERIFIER_INFORMATION declared above
ULONG RaiseIrqls; // Size=4 Offset=104
ULONG AcquireSpinLocks; // Size=4 Offset=108
ULONG SynchronizeExecutions; // Size=4 Offset=112
ULONG AllocationsWithNoTag; // Size=4 Offset=116
ULONG AllocationsFailed; // Size=4 Offset=120
ULONG AllocationsFailedDeliberately; // Size=4 Offset=124
ULONG LockedBytes; // Size=4 Offset=128
ULONG PeakLockedBytes; // Size=4 Offset=132
ULONG MappedLockedBytes; // Size=4 Offset=136
ULONG PeakMappedLockedBytes; // Size=4 Offset=140
ULONG MappedIoSpaceBytes; // Size=4 Offset=144
ULONG PeakMappedIoSpaceBytes; // Size=4 Offset=148
ULONG PagesForMdlBytes; // Size=4 Offset=152
ULONG PeakPagesForMdlBytes; // Size=4 Offset=156
ULONG ContiguousMemoryBytes; // Size=4 Offset=160
ULONG PeakContiguousMemoryBytes; // Size=4 Offset=164
};struct _SYSTEM_ACPI_AUDIT_INFORMATION // Size=8
{
ULONG RsdpCount; // Size=4 Offset=0
struct // anonymous struct member: requires C11 or the MSVC extension
{
ULONG SameRsdt: 1; // Size=4 Offset=4 BitOffset=0 BitCount=1
ULONG SlicPresent: 1; // Size=4 Offset=4 BitOffset=1 BitCount=1
ULONG SlicDifferent: 1; // Size=4 Offset=4 BitOffset=2 BitCount=1
};
};struct _SYSTEM_BASIC_PERFORMANCE_INFORMATION // Size=16
{
ULONG AvailablePages; // Size=4 Offset=0
ULONG CommittedPages; // Size=4 Offset=4
ULONG CommitLimit; // Size=4 Offset=8
ULONG PeakCommitment; // Size=4 Offset=12
};typedef struct _QUERY_PERFORMANCE_COUNTER_FLAGS // Size=4
{
// NOTE(review): the bit-field struct and `ul` are both annotated Offset=0 and the whole is Size=4,
// which is a union's layout; declared as `struct` they would occupy 8 bytes. This was most likely
// meant to be `typedef union`.
struct
{
ULONG KernelTransition: 1; // Size=4 Offset=0 BitOffset=0 BitCount=1
ULONG Reserved: 31; // Size=4 Offset=0 BitOffset=1 BitCount=31
};
ULONG ul; // Size=4 Offset=0
} QUERY_PERFORMANCE_COUNTER_FLAGS;struct _SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // Size=12
{
ULONG Version; // Size=4 Offset=0
QUERY_PERFORMANCE_COUNTER_FLAGS Flags; // Size=4 Offset=4
QUERY_PERFORMANCE_COUNTER_FLAGS ValidFlags; // Size=4 Offset=8
};struct _SYSTEM_SESSION_BIGPOOL_INFORMATION // Size=24
{
ULONG NextEntryOffset; // Size=4 Offset=0 -- records are chained by this offset
ULONG SessionId; // Size=4 Offset=4
ULONG Count; // Size=4 Offset=8
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; // Size=12 Offset=12 -- declared [1]; Count entries follow
};typedef enum _SYSTEM_PIXEL_FORMAT
{
SystemPixelFormatUnknown=0,
SystemPixelFormatR8G8B8=1,
SystemPixelFormatR8G8B8X8=2,
SystemPixelFormatB8G8R8=3,
SystemPixelFormatB8G8R8X8=4
} SYSTEM_PIXEL_FORMAT;struct _SYSTEM_BOOT_GRAPHICS_INFORMATION // Size=32
{
LARGE_INTEGER FrameBuffer; // Size=8 Offset=0
ULONG Width; // Size=4 Offset=8
ULONG Height; // Size=4 Offset=12
ULONG PixelStride; // Size=4 Offset=16
ULONG Flags; // Size=4 Offset=20
SYSTEM_PIXEL_FORMAT Format; // Size=4 Offset=24 -- ends at 28; 4 bytes of tail padding bring the size to 32
};typedef struct _PEBS_DS_SAVE_AREA // Size=96
{
ULONGLONG BtsBufferBase; // Size=8 Offset=0
ULONGLONG BtsIndex; // Size=8 Offset=8
ULONGLONG BtsAbsoluteMaximum; // Size=8 Offset=16
ULONGLONG BtsInterruptThreshold; // Size=8 Offset=24
ULONGLONG PebsBufferBase; // Size=8 Offset=32
ULONGLONG PebsIndex; // Size=8 Offset=40
ULONGLONG PebsAbsoluteMaximum; // Size=8 Offset=48
ULONGLONG PebsInterruptThreshold; // Size=8 Offset=56
ULONGLONG PebsCounterReset0; // Size=8 Offset=64
ULONGLONG PebsCounterReset1; // Size=8 Offset=72
ULONGLONG PebsCounterReset2; // Size=8 Offset=80
ULONGLONG PebsCounterReset3; // Size=8 Offset=88
} PEBS_DS_SAVE_AREA;typedef struct _PROCESSOR_PROFILE_CONTROL_AREA // Size=96
{
PEBS_DS_SAVE_AREA PebsDsSaveArea; // Size=96 Offset=0
} *PPROCESSOR_PROFILE_CONTROL_AREA;struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA // Size=8 -- note: only the pointer alias PPROCESSOR_PROFILE_CONTROL_AREA is declared above, no value typedef
{
PPROCESSOR_PROFILE_CONTROL_AREA ProcessorProfileControlArea; // Size=4 Offset=0
UCHAR Allocate; // Size=1 Offset=4 -- 3 bytes of tail padding bring the size to 8
};struct _SYSTEM_ENTROPY_TIMING_INFORMATION // Size=12
{
// Both routines are stored as untyped PVOID; the trailing comments give the intended callback signatures.
PVOID EntropyRoutine; // Size=4 Offset=0 VOID (* EntropyRoutine)(PVOID,ULONG)
PVOID InitializationRoutine; // Size=4 Offset=4 VOID ( * InitializationRoutine)(PVOID,ULONG,PVOID)
PVOID InitializationContext; // Size=4 Offset=8
};struct _SYSTEM_CONSOLE_INFORMATION // Size=4
{
ULONG DriverLoaded: 1; // Size=4 Offset=0 BitOffset=0 BitCount=1
ULONG Spare: 31; // Size=4 Offset=0 BitOffset=1 BitCount=31
};struct _SYSTEM_PLATFORM_BINARY_INFORMATION // Size=24
{
ULONGLONG PhysicalAddress; // Size=8 Offset=0
PVOID HandoffBuffer; // Size=4 Offset=8
PVOID CommandLineBuffer; // Size=4 Offset=12
ULONG HandoffBufferSize; // Size=4 Offset=16
ULONG CommandLineBufferSize; // Size=4 Offset=20
};struct _SYSTEM_DEVICE_DATA_INFORMATION // Size=28
{
UNICODE_STRING DeviceId; // Size=8 Offset=0
UNICODE_STRING DataName; // Size=8 Offset=8
ULONG DataType; // Size=4 Offset=16
ULONG DataBufferLength; // Size=4 Offset=20
PVOID DataBuffer; // Size=4 Offset=24
};typedef struct _PHYSICAL_CHANNEL_RUN // Size=32
{
ULONG NodeNumber; // Size=4 Offset=0
ULONG ChannelNumber; // Size=4 Offset=4
ULONGLONG BasePage; // Size=8 Offset=8
ULONGLONG PageCount; // Size=8 Offset=16
ULONG Flags; // Size=4 Offset=24 -- ends at 28; 4 bytes of tail padding bring the size to 32
} PHYSICAL_CHANNEL_RUN;struct _SYSTEM_MEMORY_TOPOLOGY_INFORMATION // Size=48
{
ULONGLONG NumberOfRuns; // Size=8 Offset=0
ULONG NumberOfNodes; // Size=4 Offset=8
ULONG NumberOfChannels; // Size=4 Offset=12
PHYSICAL_CHANNEL_RUN Run[1]; // Size=32 Offset=16 -- declared [1]; NumberOfRuns entries follow
};struct _SYSTEM_MEMORY_CHANNEL_INFORMATION // Size=40
{
ULONG ChannelNumber; // Size=4 Offset=0
ULONG ChannelHeatIndex; // Size=4 Offset=4
ULONGLONG TotalPageCount; // Size=8 Offset=8
ULONGLONG ZeroPageCount; // Size=8 Offset=16
ULONGLONG FreePageCount; // Size=8 Offset=24
ULONGLONG StandbyPageCount; // Size=8 Offset=32
};struct _SYSTEM_BOOT_LOGO_INFORMATION // Size=8
{
ULONG Flags; // Size=4 Offset=0
ULONG BitmapOffset; // Size=4 Offset=4
};struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // Size=72
{
LARGE_INTEGER IdleTime; // Size=8 Offset=0
LARGE_INTEGER KernelTime; // Size=8 Offset=8
LARGE_INTEGER UserTime; // Size=8 Offset=16
LARGE_INTEGER DpcTime; // Size=8 Offset=24
LARGE_INTEGER InterruptTime; // Size=8 Offset=32
ULONG InterruptCount; // Size=4 Offset=40
ULONG Spare0; // Size=4 Offset=44
LARGE_INTEGER AvailableTime; // Size=8 Offset=48
LARGE_INTEGER Spare1; // Size=8 Offset=56
LARGE_INTEGER Spare2; // Size=8 Offset=64
};struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION // Size=24
{
GUID PolicyPublisher; // Size=16 Offset=0
ULONG PolicyVersion; // Size=4 Offset=16
ULONG PolicyOptions; // Size=4 Offset=20
};struct _SYSTEM_SECUREBOOT_INFORMATION // Size=2
{
UCHAR SecureBootEnabled; // Size=1 Offset=0
UCHAR SecureBootCapable; // Size=1 Offset=1
};struct _SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION // Size=1
{
UCHAR EfiLauncherEnabled; // Size=1 Offset=0
};

 

http://www.exploit-monday.com/2013/06/undocumented-ntquerysysteminformation.html

 

Ted.

Undocumented NtQuerySystemInformation Structures.zip

Posted

Definitely interesting stuff! Thanks

Posted

Undocumented functions and structures are definitely fun to play around with. :P The SystemModuleInformation value, along with the _SYSTEM_MODULE_INFORMATION and _SYSTEM_MODULE structs, can be used to list the drivers loaded on the system, which is what Nirsoft's DriverView does. The new Windows 8 values seem interesting too, given the addition of Secure Boot and other UEFI features.


 


Thanks Ted!

