Hi f0dder,

Knowing how much you love undocumented stuff, I have been playing with the TIB and PDB for the last few days and have a few interesting tidbits, still no progress on GetPIDFromhProcess9x though...

Replacement for GetProcessHeap (All Windows versions)
fs mov edi,[30h]
mov eax,[edi+18h]

Windows version information (NT systems only)
fs mov ecx,[30h]
mov eax,[ecx+0A4h] ;4=NT, 5= 2K/XP/2K3
mov edx,[ecx+0A8h] ;0=2K, 1=XP, 2=2K3

Determine 9x or NT (all Windows versions)
fs mov eax,[18h]
cmp eax,7FFDE000h
jne >.OS_IS_9X

Replacement for GetModuleHandle,0 (NT only)
fs mov edi,[30h]
mov eax,[edi+08h]

Replacement for GetCurrentProcessId (NT systems only)
fs mov eax,[20h]

Get remote process ID (NT Systems only)
invoke ReadProcessMemory,[hProcess],7FFDE020h,offset ProcessID,4,offset cbWritten
Posted on 2004-07-06 16:24:47 by donkey
Thought I'd add this one.
Original Snippet by Ratter/29A, =BaseAddress of kernel32.dll
Seems to be universal.

assume fs:nothing
mov ebx, fs:[30h]   ; EBX=PEB base
mov ebx, [ebx+0Ch]  ; EBX=PEB_LDR_DATA
mov ebx, [ebx+1Ch]  ; InitOrderModuleList 1st entry
mov ebx, [ebx]      ; next entry
mov ebx, [ebx+08h]  ; K32 imagebase


Anyone else got any of these?
Posted on 2004-07-06 17:40:09 by Homer
Hi EvilHomer2K

I put these together from stuff I found and articles at MSJ, TIBxx is pointed to by fs:[18h] and PDB by fs:[30h]...

Posted on 2004-07-06 18:17:25 by donkey
great stuff!
Posted on 2004-07-06 19:04:32 by comrade
Ok ok, you beat it out of me :grin:

I have actually known about this for about five or so years now.
I was looking for undocumented window styles. The odd thing about
it is that I actually found one...

Not very useful in most cases I can think of. Can be combined with
any other style. It (in effect) reverses completely the x-axis so that
0,0 of the window is in the upper right corner and increasing X moves
farther left. When used the buttons (of course) are in the left corner
and the title bar is aligned to the right with the system menu.

I have tested it in most Windows versions with no issues
[98/NT/2k/XP]. The only thing I have yet been able to use it for
was to create a tool window on the left side so the close button was
also toward the right side...

WS_EX_REVERSE = WS_DLGFRAME
And since Microsoft obviously cares not :) © 2004 Graebel hehe


Enjoy the madness
Graebel
Posted on 2004-07-06 22:01:06 by Graebel
Hi donkey !
I found this GetLastError in WinNT/2000/XP:
GetLastError:
mov eax, dword ptr fs:[18h]
mov eax, dword ptr ds:[eax+34h]
ret
Thanks for your information.
TQN
Posted on 2004-07-06 22:19:54 by TQN
not much related to peb/tib, but this is a cheap trick to determine if the system is 9x/nt, optimized:


mov ecx,cs
xor cl,cl
jecxz win_nt
Posted on 2004-07-07 00:42:43 by Drocon
That's funny... yesterday evening I was wondering if GetCurrentThreadId is as fast as it should be. Today I decided to have a look in the debugger, and what I see is:



77E7A7DF > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E7A7E5 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
77E7A7E8 C3 RETN


Then I decide to read the messageboard and I find this thread :)
Posted on 2004-07-07 03:10:48 by Qweerdy
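Donkey's fs:[...] reads above and Qweerdy's disassembly both use the same two encodings of mov r32,fs:[disp32], which is the byte pattern a defender's scanner keys on to spot TEB/PEB-walking code in an unknown blob. The Python below is an added example, not code from the thread; the TEB slot table and the sample bytes are constructed from the offsets posted here.

```python
import struct
from typing import NamedTuple, Optional, Tuple

# 32-bit TEB slots the thread reads through FS. The table is constructed for
# this scanner; 0x60 is the Win9x LastError slot donkey tested on 95/98se.
TEB_FIELDS = {0x18: "TEB.Self (TIB base)", 0x20: "ClientId.UniqueProcess (PID)",
              0x24: "ClientId.UniqueThread (TID)", 0x30: "ProcessEnvironmentBlock",
              0x34: "LastErrorValue (NT)", 0x60: "LastErrorValue (9x)"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

class FsRead(NamedTuple):
    offset: int   # position of the 0x64 (FS override) prefix in the blob
    reg: str      # destination register
    disp: int     # displacement read through FS
    field: str    # TEB slot name from TEB_FIELDS, or "unknown"

def decode_fs_read(buf: bytes, i: int) -> Optional[Tuple[FsRead, int]]:
    """Decode 'mov r32, fs:[disp32]' at buf[i]; return (FsRead, length) or None.
    Handles 64 A1 disp32 (EAX short form) and 64 8B modrm disp32 where the
    modrm has mod=00, rm=101, i.e. a bare 32-bit displacement."""
    if i + 6 > len(buf) or buf[i] != 0x64:
        return None
    if buf[i + 1] == 0xA1:
        reg, disp_at, length = "eax", i + 2, 6
    elif buf[i + 1] == 0x8B and i + 7 <= len(buf) and (buf[i + 2] & 0xC7) == 0x05:
        reg, disp_at, length = REGS[(buf[i + 2] >> 3) & 7], i + 3, 7
    else:
        return None
    disp = struct.unpack_from("<I", buf, disp_at)[0]
    return FsRead(i, reg, disp, TEB_FIELDS.get(disp, "unknown")), length

def scan(buf: bytes) -> list:
    """Linear scan for FS-relative TEB reads, the byte pattern a YARA-style
    rule for TEB/PEB-walking code keys on. A match is skipped whole."""
    found, i = [], 0
    while i < len(buf):
        hit = decode_fs_read(buf, i)
        if hit:
            found.append(hit[0])
        i += hit[1] if hit else 1
    return found

# Constructed sample: Qweerdy's GetCurrentThreadId bytes, then donkey's
# 'fs mov edi,[30h]' and 'fs mov ecx,[30h]' snippets as an assembler emits them.
SAMPLE = bytes.fromhex(
    "64A118000000" "8B4024" "C3"        # mov eax,fs:[18h]; mov eax,[eax+24h]; ret
    "648B3D30000000" "8B4718"           # mov edi,fs:[30h]; mov eax,[edi+18h]
    "648B0D30000000" "8B81A4000000")    # mov ecx,fs:[30h]; mov eax,[ecx+0A4h]
```

Running scan(SAMPLE) yields three hits, one per FS read, each tagged with the TEB slot it touches; a hit on an offset outside the table is reported as "unknown" rather than dropped.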
Very good stuff.

Thanks for sharing :alright:
Posted on 2004-07-07 07:53:45 by pelaillo
Hi all,

In keeping with the NT theme and semi-documentation, have you ever looked at the MSDN entry for NtQueryInformationProcess? It says:

ProcessInformationClass
One of the values enumerated in PROCESSINFOCLASS, that specifies what kind of process information is to be returned. These include:


Then it only gives 2 examples. Here are the rest...

// ProcessInformationClasses for NtQueryInformationProcess

#Define ProcessBasicInformation 000000000h
#Define ProcessQuotaLimits 000000001h
#Define ProcessIoCounters 000000002h
#Define ProcessVmCounters 000000003h
#Define ProcessTimes 000000004h
#Define ProcessBasePriority 000000005h
#Define ProcessRaisePriority 000000006h
#Define ProcessDebugPort 000000007h
#Define ProcessExceptionPort 000000008h
#Define ProcessAccessToken 000000009h
#Define ProcessLdtInformation 00000000Ah
#Define ProcessLdtSize 00000000Bh
#Define ProcessDefaultHardErrorMode 00000000Ch
#Define ProcessIoPortHandlers 00000000Dh ; Kernel mode only
#Define ProcessPooledUsageAndLimits 00000000Eh
#Define ProcessWorkingSetWatch 00000000Fh
#Define ProcessUserModeIOPL 000000010h
#Define ProcessEnableAlignmentFaultFixup 000000011h
#Define ProcessPriorityClass 000000012h
#Define ProcessWx86Information 000000013h
#Define ProcessHandleCount 000000014h
#Define ProcessAffinityMask 000000015h
#Define ProcessPriorityBoost 000000016h
#Define ProcessDeviceMap 000000017h
#Define ProcessSessionInformation 000000018h
#Define ProcessForegroundInformation 000000019h
#Define ProcessWow64Information 00000001Ah
#Define MaxProcessInfoClass 00000001Bh

/*
Structures for NtQueryInformationProcess
All structures must be aligned at 16 byte
boundaries or the call will fail
*/

PROCESS_BASIC_INFORMATION STRUCT
// NtQueryInformationProcess using ProcessBasicInfo
ExitStatus DD
PebBaseAddress DD
AffinityMask DD
BasePriority DD
UniqueProcessId DD
InheritedFromUniqueProcessId DD
ENDS

PROCESS_SESSION_INFORMATION STRUCT
// NtQueryInformationProcess using ProcessSessionInformation
SessionId DD
ENDS

QUOTA_LIMITS STRUCT
// NtQueryInformationProcess using ProcessQuotaLimits
// NtQueryInformationProcess using ProcessPooledQuotaLimits
// NtSetInformationProcess using ProcessQuotaLimits
PagedPoolLimit DD ; SIZE_T ?
NonPagedPoolLimit DD ; SIZE_T ?
MinimumWorkingSetSize DD ; SIZE_T ?
MaximumWorkingSetSize DD ; SIZE_T ?
PagefileLimit DD ; SIZE_T ?
TimeLimit DQ ; SIZE_T ?
ENDS

IO_COUNTERS STRUCT
// NtQueryInformationProcess using ProcessIoCounters
ReadOperationCount DD 2 DUP (?) ; ULONGLONG ?
WriteOperationCount DD 2 DUP (?) ; ULONGLONG ?
OtherOperationCount DD 2 DUP (?) ; ULONGLONG ?
ReadTransferCount DD 2 DUP (?) ; ULONGLONG ?
WriteTransferCount DD 2 DUP (?) ; ULONGLONG ?
OtherTransferCount DD 2 DUP (?) ; ULONGLONG ?
ENDS

VM_COUNTERS STRUCT
// NtQueryInformationProcess using ProcessVmCounters
PeakVirtualSize DD ; SIZE_T ?
VirtualSize DD ; SIZE_T ?
PageFaultCount DD
PeakWorkingSetSize DD ; SIZE_T ?
WorkingSetSize DD ; SIZE_T ?
QuotaPeakPagedPoolUsage DD ; SIZE_T ?
QuotaPagedPoolUsage DD ; SIZE_T ?
QuotaPeakNonPagedPoolUsage DD ; SIZE_T ?
QuotaNonPagedPoolUsage DD ; SIZE_T ?
PagefileUsage DD ; SIZE_T ?
PeakPagefileUsage DD ; SIZE_T ?
ENDS

POOLED_USAGE_AND_LIMITS STRUCT
// NtSetInformationProcess using ProcessAccessToken
// PROCESS_SET_ACCESS_TOKEN access to the process is needed
PeakPagedPoolUsage DD ; SIZE_T ?
PagedPoolUsage DD ; SIZE_T ?
PagedPoolLimit DD ; SIZE_T ?
PeakNonPagedPoolUsage DD ; SIZE_T ?
NonPagedPoolUsage DD ; SIZE_T ?
NonPagedPoolLimit DD ; SIZE_T ?
PeakPagefileUsage DD ; SIZE_T ?
PagefileUsage DD ; SIZE_T ?
PagefileLimit DD ; SIZE_T ?
ENDS

PROCESS_ACCESS_TOKEN STRUCT
// NtSetInformationProcess using ProcessAccessToken
// PROCESS_SET_ACCESS_TOKEN access to the process is needed
Token DD
Thread DD
ENDS

KERNEL_USER_TIMES STRUCT
// NtQueryInformationProcess using ProcessTimes
// NtQueryInformationThread using ThreadTimes
// Note all times are zulu
CreateTime DQ
ExitTime DQ
KernelTime DQ
UserTime DQ
ENDS

TIME_FIELDS STRUCT
// Use with RtlTimeToTimeFields
// RtlTimeToTimeFields,offset DQTIME,offset TIME_FIELDS
// Needed to convert KERNEL_USER_TIMES fields
Year DW ; range [1601...]
Month DW ; range [1..12]
Day DW ; range [1..31]
Hour DW ; range [0..23]
Minute DW ; range [0..59]
Second DW ; range [0..59]
Milliseconds DW ; range [0..999]
Weekday DW ; range [0..6] == [Sunday..Saturday]
ENDS


Example of how it works if you want to shave a few 100 clocks off of the GetProcessTimes API (GoAsm syntax)

DATA SECTION

retlen DD ?

ALIGN 16
kut KERNEL_USER_TIMES <?>

ALIGN 16
tflds TIME_FIELDS <?>

CODE SECTION
invoke NTDLL:NtQueryInformationProcess, [hProcess], ProcessTimes, offset kut,
sizeof KERNEL_USER_TIMES, offset retlen
invoke NTDLL:RtlTimeToTimeFields, offset kut.CreateTime, offset tflds
Posted on 2004-07-07 09:56:18 by donkey
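As an added example (not donkey's code), here is the KERNEL_USER_TIMES to TIME_FIELDS conversion that the GoAsm snippet delegates to RtlTimeToTimeFields, done in Python so it runs offline; the 32-byte sample buffer is constructed to look like what NtQueryInformationProcess with ProcessTimes fills in.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Layouts from the post, for 32-bit NT: KERNEL_USER_TIMES is four 64-bit counts
# of 100 ns ticks since 1601-01-01 UTC ("all times are zulu"); TIME_FIELDS is
# eight 16-bit fields in the order Year..Weekday.
KERNEL_USER_TIMES_FMT = "<4Q"   # CreateTime, ExitTime, KernelTime, UserTime
TICKS_PER_SECOND = 10_000_000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

class TimeFields(NamedTuple):
    Year: int
    Month: int
    Day: int
    Hour: int
    Minute: int
    Second: int
    Milliseconds: int
    Weekday: int   # 0..6 == Sunday..Saturday, as in the post

def rtl_time_to_time_fields(ticks: int) -> TimeFields:
    """Python equivalent of RtlTimeToTimeFields (added here, not ntdll's code):
    split an absolute 100 ns timestamp into the TIME_FIELDS layout."""
    dt = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    return TimeFields(dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second,
                      dt.microsecond // 1000, (dt.weekday() + 1) % 7)

def datetime_to_ticks(dt: datetime) -> int:
    """Inverse helper, used only to build the sample below without float loss."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def parse_kernel_user_times(blob: bytes) -> dict:
    """Unpack a KERNEL_USER_TIMES buffer as NtQueryInformationProcess
    (ProcessTimes) fills it. KernelTime/UserTime are durations, not timestamps,
    so they are reported in seconds instead of calendar fields."""
    if len(blob) != struct.calcsize(KERNEL_USER_TIMES_FMT):
        raise ValueError("KERNEL_USER_TIMES must be exactly 32 bytes")
    create, exit_, kernel, user = struct.unpack(KERNEL_USER_TIMES_FMT, blob)
    return {"CreateTime": rtl_time_to_time_fields(create),
            "ExitTime": rtl_time_to_time_fields(exit_) if exit_ else None,  # 0: running
            "KernelSeconds": kernel / TICKS_PER_SECOND,
            "UserSeconds": user / TICKS_PER_SECOND}

# Constructed sample: a process created 2004-07-07 09:56:18.500 UTC, still
# running (ExitTime 0), with 1.5 s of kernel time and 4.25 s of user time.
CREATE_TICKS = datetime_to_ticks(datetime(2004, 7, 7, 9, 56, 18, 500000, tzinfo=timezone.utc))
SAMPLE = struct.pack(KERNEL_USER_TIMES_FMT, CREATE_TICKS, 0, 15_000_000, 42_500_000)
```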

Hi donkey !
I found this GetLastError in WinNT/2000/XP:
GetLastError:
mov eax, dword ptr fs:[18h]
mov eax, dword ptr ds:[eax+34h]
ret
Thanks for your information.
TQN


Tested this on 95 and 98se :

fs mov eax, [18h]

mov eax, [eax+60h]
Posted on 2004-07-07 10:34:08 by donkey
Well as long as the topic is undocumented stuff...

Anyone have a clue as to the nature / purpose of the Windows Message
with the value of 0118h ? I have seen this message several times, but so
far I am clueless on what it actually is or does...

:rolleyes:
Posted on 2004-07-08 21:01:25 by Graebel
I was going through my list of offline books in search of an OpenGL book (if anyone has a PDF on learning OpenGL, I'm keen! I'm busy with the NeHe tutorials!) and stumbled upon a list of "undocumented OpCodes" I must have downloaded a LONG time ago! If f0dder loves this sort of thing, he probably has the list, but here it is for those that don't! It lists a few opcodes from the "unofficial" site. I can't seem to find the site again though (listed in the files) ... Not exactly sure if they (the opcodes) are documented or not now, the list is old (last updated in '95?)

AAM
AAD
CMOV
FCMOV
FCOMI
ICEBP
INT01
LOADALL
RDPMC
SALC
UMOV

Regards
Posted on 2004-07-09 05:00:11 by SubEvil
In XP and 2000,
GetCurrentProcess returns -1, and in 98 it returns 7FFFFFFFh. If it's true in other windowses, then these calls could be replaced by simple constants: :grin:


CURRENT_PROCESS_9X EQU <7FFFFFFFh>
CURRENT_PROCESS_NT EQU <-1>
Posted on 2004-07-09 09:07:36 by Petroizki
Hi Petroizki,

Good one, but very well documented at MSDN ...

GetCurrentProcess
A pseudo handle is a special constant, currently (HANDLE)-1, that is interpreted as the current process handle. For compatibility with future operating systems, it is best to call GetCurrentProcess instead of hard-coding this constant value.
Posted on 2004-07-09 10:28:36 by donkey

Anyone have a clue as to the nature / purpose of the Windows Message
with the value of 0118h ? I have seen this message several times, but so
far I am clueless on what it actually is or does...

:rolleyes:


That's WM_SYSTIMER.
All that M$ tells about it is at
h..p://support.microsoft.com/default.aspx?scid=kb;EN-US;108938

You can find a little more with some googling.
Regards, bilbo
Posted on 2004-07-09 10:33:32 by prom
donkey,
Sorry, my MSDN is rather old, so all I can do is give bad advice.. :tongue:
anyway, here's another one:

a way to get current directory in NT (UNICODE format):


mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 10h]
mov eax, dword ptr [eax + 28h]
Posted on 2004-07-09 12:30:11 by Petroizki
That is a very useful one and I will add it to my little repertoire :alright:

I think it is the application path however, I tried SetCurrentDirectory and it did not change.
Posted on 2004-07-09 12:31:21 by donkey
Sweet !
Keep them coming :)
Posted on 2004-07-09 23:45:05 by Homer
Name of the current module in NT (UNICODE):


mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 10h]
mov eax, dword ptr [eax + 74h]


Command line in NT (UNICODE):


mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 10h]
mov eax, dword ptr [eax + 44h]
Posted on 2004-07-10 00:05:25 by Petroizki