Hi f0dder,
Knowing how much you love undocumented stuff, I have been playing with the TIB and PDB for the last few days and have a few interesting tidbits, still no progress on GetPIDFromhProcess9x though...
Replacement for GetProcessHeap (All Windows versions)
fs mov edi,[30h]
mov eax,[edi+18h]
Windows version information (NT systems only)
fs mov ecx,[30h]
mov eax,[ecx+0A4h] ;4=NT, 5= 2K/XP/2K3
mov edx,[ecx+0A8h] ;0=2K, 1=XP, 2=2K3
Determine 9x or NT (all Windows versions)
fs mov eax,[18h]
cmp eax,7FFDE000h
jne >.OS_IS_9X
Replacement for GetModuleHandle,0 (NT only)
fs mov edi,[30h]
mov eax,[edi+08h]
Replacement for GetCurrentProcessId (NT systems only)
fs mov eax,[20h]
Get remote process ID (NT Systems only)
invoke ReadProcessMemory,[hProcess],7FFDE020h,offset ProcessID,4,offset cbWritten
Thought I'd add this one.
Original Snippet by Ratter/29A, EBX=BaseAddress of kernel32.dll
Seems to be universal.
assume fs:nothing
mov ebx, fs:[30h] ; EBX=PEB base
mov ebx, [ebx+0Ch] ; EBX=PEB_LDR_DATA (PEB.Ldr)
mov ebx, [ebx+1Ch] ; InInitializationOrderModuleList 1st entry (Flink)
mov ebx, [ebx] ; next entry (its Flink)
mov ebx, [ebx+08h] ; DllBase of that entry = K32 imagebase
Anyone else got any of these?
Hi EvilHomer2K
I put these together from stuff I found and articles at MSJ, TIBxx is pointed to by fs:[18h] and PDB by fs:[30h]...
Posted on 2004-07-06 18:17:25 by donkey
great stuff!
Ok ok, you beat it out of me :grin:
I have actually known about this for about five or so years now.
I was looking for undocumented window styles. The odd thing about
it is that I actually found one...
Not very useful in most cases I can think of. Can be combined with
any other style. It (in effect) reverses completely the x-axis so that
0,0 of the window is in the upper right corner and increasing X moves
farther left. When used the buttons (of course) are in the left corner
and the title bar is aligned to the right with the system menu.
I have tested it in most Windows versions with no issues
[98/NT/2k/XP]. The only thing I have yet been able to use it for
was to create a tool window on the left side so the close button was
also toward the right side...
WS_EX_REVERSE = WS_DLGFRAME
And since Microsoft obviously cares not :) © 2004 Graebel hehe
Enjoy the madness
Graebel
Hi donkey !
I found this GetLastError in WinNT/2000/XP:
GetLastError:
mov eax, dword ptr fs:[18h] ; TEB self pointer (NT_TIB.Self)
mov eax, dword ptr ds:[eax+34h] ; TEB.LastErrorValue
ret
Thanks for your information.
TQN
not much related to peb/tib, but this is a cheap trick to determine if the system is 9x/nt, optimized:
mov ecx,cs
xor cl,cl
jecxz win_nt
That's funny... yesterday evening I was wondering if GetCurrentThreadId is as fast as it should be. Today I decided to have a look in the debugger, and what I see is:
77E7A7DF > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E7A7E5 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
77E7A7E8 C3 RETN
Then I decide to read the messageboard and I find this thread :)
Very good stuff.
Thanks for sharing :alright:
Hi all,
In keeping with the NT theme and semi-documentation. Have you ever looked at the MSDN entry for NtQueryInformationProcess ? It says :
ProcessInformationClass
One of the values enumerated in PROCESSINFOCLASS, that specifies what kind of process information is to be returned. These include:
Then it only gives 2 examples. Here are the rest...
// ProcessInformationClasses for NtQueryInformationProcess
#Define ProcessBasicInformation 000000000h
#Define ProcessQuotaLimits 000000001h
#Define ProcessIoCounters 000000002h
#Define ProcessVmCounters 000000003h
#Define ProcessTimes 000000004h
#Define ProcessBasePriority 000000005h
#Define ProcessRaisePriority 000000006h
#Define ProcessDebugPort 000000007h
#Define ProcessExceptionPort 000000008h
#Define ProcessAccessToken 000000009h
#Define ProcessLdtInformation 00000000Ah
#Define ProcessLdtSize 00000000Bh
#Define ProcessDefaultHardErrorMode 00000000Ch
#Define ProcessIoPortHandlers 00000000Dh ; Kernel mode only
#Define ProcessPooledUsageAndLimits 00000000Eh
#Define ProcessWorkingSetWatch 00000000Fh
#Define ProcessUserModeIOPL 000000010h
#Define ProcessEnableAlignmentFaultFixup 000000011h
#Define ProcessPriorityClass 000000012h
#Define ProcessWx86Information 000000013h
#Define ProcessHandleCount 000000014h
#Define ProcessAffinityMask 000000015h
#Define ProcessPriorityBoost 000000016h
#Define ProcessDeviceMap 000000017h
#Define ProcessSessionInformation 000000018h
#Define ProcessForegroundInformation 000000019h
#Define ProcessWow64Information 00000001Ah
#Define MaxProcessInfoClass 00000001Bh
/*
Structures for NtQueryInformationProcess
All structures must be aligned at 16 byte
boundaries or the call will fail
*/
PROCESS_BASIC_INFORMATION STRUCT
// NtQueryInformationProcess using ProcessBasicInfo
ExitStatus DD
PebBaseAddress DD
AffinityMask DD
BasePriority DD
UniqueProcessId DD
InheritedFromUniqueProcessId DD
ENDS
PROCESS_SESSION_INFORMATION STRUCT
// NtQueryInformationProcess using ProcessSessionInformation
SessionId DD
ENDS
QUOTA_LIMITS STRUCT
// NtQueryInformationProcess using ProcessQuotaLimits
// NtQueryInformationProcess using ProcessPooledQuotaLimits
// NtSetInformationProcess using ProcessQuotaLimits
PagedPoolLimit DD ; SIZE_T ?
NonPagedPoolLimit DD ; SIZE_T ?
MinimumWorkingSetSize DD ; SIZE_T ?
MaximumWorkingSetSize DD ; SIZE_T ?
PagefileLimit DD ; SIZE_T ?
TimeLimit DQ ; SIZE_T ?
ENDS
IO_COUNTERS STRUCT
// NtQueryInformationProcess using ProcessIoCounters
ReadOperationCount DD 2 DUP (?) ; ULONGLONG ?
WriteOperationCount DD 2 DUP (?) ; ULONGLONG ?
OtherOperationCount DD 2 DUP (?) ; ULONGLONG ?
ReadTransferCount DD 2 DUP (?) ; ULONGLONG ?
WriteTransferCount DD 2 DUP (?) ; ULONGLONG ?
OtherTransferCount DD 2 DUP (?) ; ULONGLONG ?
ENDS
VM_COUNTERS STRUCT
// NtQueryInformationProcess using ProcessVmCounters
PeakVirtualSize DD ; SIZE_T ?
VirtualSize DD ; SIZE_T ?
PageFaultCount DD
PeakWorkingSetSize DD ; SIZE_T ?
WorkingSetSize DD ; SIZE_T ?
QuotaPeakPagedPoolUsage DD ; SIZE_T ?
QuotaPagedPoolUsage DD ; SIZE_T ?
QuotaPeakNonPagedPoolUsage DD ; SIZE_T ?
QuotaNonPagedPoolUsage DD ; SIZE_T ?
PagefileUsage DD ; SIZE_T ?
PeakPagefileUsage DD ; SIZE_T ?
ENDS
POOLED_USAGE_AND_LIMITS STRUCT
// NtQueryInformationProcess using ProcessPooledUsageAndLimits
PeakPagedPoolUsage DD ; SIZE_T ?
PagedPoolUsage DD ; SIZE_T ?
PagedPoolLimit DD ; SIZE_T ?
PeakNonPagedPoolUsage DD ; SIZE_T ?
NonPagedPoolUsage DD ; SIZE_T ?
NonPagedPoolLimit DD ; SIZE_T ?
PeakPagefileUsage DD ; SIZE_T ?
PagefileUsage DD ; SIZE_T ?
PagefileLimit DD ; SIZE_T ?
ENDS
PROCESS_ACCESS_TOKEN STRUCT
// NtSetInformationProcess using ProcessAccessToken
// PROCESS_SET_ACCESS_TOKEN access to the process is needed
Token DD
Thread DD
ENDS
KERNEL_USER_TIMES STRUCT
// NtQueryInformationProcess using ProcessTimes
// NtQueryInformationThread using ThreadTimes
// Note all times are zulu
CreateTime DQ
ExitTime DQ
KernelTime DQ
UserTime DQ
ENDS
TIME_FIELDS STRUCT
// Use with RtlTimeToTimeFields
// RtlTimeToTimeFields,offset DQTIME,offset TIME_FIELDS
// Needed to convert KERNEL_USER_TIMES fields
Year DW ; range [1601...]
Month DW ; range [1..12]
Day DW ; range [1..31]
Hour DW ; range [0..23]
Minute DW ; range [0..59]
Second DW ; range [0..59]
Milliseconds DW ; range [0..999]
Weekday DW ; range [0..6] == [Sunday..Saturday]
ENDS
Example of how it works if you want to shave a few 100 clocks off of the GetProcessTimes API (GoAsm syntax)
DATA SECTION
retlen DD ?
ALIGN 16
kut KERNEL_USER_TIMES <?>
ALIGN 16
tflds TIME_FIELDS <?>
CODE SECTION
invoke NTDLL:NtQueryInformationProcess, [hProcess], ProcessTimes, offset kut,
sizeof KERNEL_USER_TIMES, offset retlen
invoke NTDLL:RtlTimeToTimeFields, offset kut.CreateTime, offset tflds
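An added example (not code from the thread): a host-independent C equivalent of the RtlTimeToTimeFields step in the GoAsm snippet above, so the KERNEL_USER_TIMES values returned for ProcessTimes can be decoded without calling ntdll. It assumes the 100 ns-since-1601-UTC encoding the post describes; days_to_civil, TimeToTimeFields and CpuTimeMs are my own names.

```c
/* Added example (not from the thread): host-independent equivalent of the
 * RtlTimeToTimeFields call, for the 64-bit 100 ns timestamps that
 * NtQueryInformationProcess(ProcessTimes) returns (ticks since
 * 1601-01-01 00:00 UTC, as the post notes). Assumed names: days_to_civil,
 * TimeToTimeFields, CpuTimeMs. Fixed-width fields match the 32-bit structs. */
#include <stdint.h>

typedef struct { uint64_t CreateTime, ExitTime, KernelTime, UserTime; } KERNEL_USER_TIMES;
typedef struct {
    int16_t Year, Month, Day, Hour, Minute, Second, Milliseconds, Weekday;
} TIME_FIELDS;

#define TICKS_PER_DAY 864000000000ULL   /* 24 * 60 * 60 * 10^7 */

/* Days since 1601-01-01 -> proleptic Gregorian date (epoch shifted so the
 * year starts on 1 March and the leap day falls at the end of the year). */
static void days_to_civil(int64_t days, int16_t *y, int16_t *m, int16_t *d)
{
    int64_t z   = days + 584694;               /* days from 0000-03-01 */
    int64_t era = z / 146097;                  /* 400-year cycles */
    int64_t doe = z - era * 146097;            /* day of era [0, 146096] */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp  = (5 * doy + 2) / 153;         /* 0 = March ... 11 = February */
    *d = (int16_t)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int16_t)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int16_t)(yoe + era * 400 + (*m <= 2));
}

/* Same result as RtlTimeToTimeFields for one timestamp. */
TIME_FIELDS TimeToTimeFields(uint64_t t)
{
    TIME_FIELDS tf;
    int64_t days = (int64_t)(t / TICKS_PER_DAY);
    int64_t rem  = (int64_t)(t % TICKS_PER_DAY);   /* ticks into the day */
    int64_t secs = rem / 10000000;
    days_to_civil(days, &tf.Year, &tf.Month, &tf.Day);
    tf.Weekday      = (int16_t)((days + 1) % 7);   /* 1601-01-01 was a Monday */
    tf.Hour         = (int16_t)(secs / 3600);
    tf.Minute       = (int16_t)(secs / 60 % 60);
    tf.Second       = (int16_t)(secs % 60);
    tf.Milliseconds = (int16_t)(rem / 10000 % 1000);
    return tf;
}

/* Total CPU time (KernelTime + UserTime) in whole milliseconds. */
uint64_t CpuTimeMs(const KERNEL_USER_TIMES *kut)
{
    return (kut->KernelTime + kut->UserTime) / 10000;
}
```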
Tested this on 95 and 98se :
fs mov eax, [18h]
mov eax, [eax+60h]
Well as long as the topic is undocumented stuff...
Anyone have a clue as to the nature / purpose of of the Windows Message
with the value of 0118h ? I have seen this message several times, but so
far I am clueless on what it actually is or does...
:rolleyes:
I was going through my list of offline books in search of an OpenGL book (if anyone has a PDF on learning OpenGL, I'm keen! I'm busy with the NeHe tutorials!) and stumbled upon a list of "undocumented OpCodes" I must have downloaded a LONG time ago! If f0dder loves this sort of thing, he probably has the list, but here it is for those that don't! It lists a few opcodes from the "unofficial" site. I can't seem to find the site again though (listed in the files) ... Not exactly sure if they (the opcodes) are documented or not now, the list is old (last updated in '95?)
AAM
AAD
CMOV
FCMOV
FCOMI
ICEBP
INT01
LOADALL
RDPMC
SALC
UMOV
Regards
In XP and 2000,
GetCurrentProcess returns -1, and in 98 it returns 7FFFFFFFh. If it's true in other windowses, then these calls could be replaced by simple constants: :grin:
CURRENT_PROCESS_9X EQU <7FFFFFFFh>
CURRENT_PROCESS_NT EQU <-1>
Hi Petroizki,
Good one, but very well documented at MSDN ...
GetCurrentProcess
A pseudo handle is a special constant, currently (HANDLE)-1, that is interpreted as the current process handle. For compatibility with future operating systems, it is best to call GetCurrentProcess instead of hard-coding this constant value.
Anyone have a clue as to the nature / purpose of of the Windows Message
with the value of 0118h ? I have seen this message several times, but so
far I am clueless on what it actually is or does...
:rolleyes:
That's WM_SYSTIMER.
All that M$ tells about it is at
h..p://support.microsoft.com/default.aspx?scid=kb;EN-US;108938
You can find a little more with some googling.
Regards, bilbo
donkey,
Sorry, my MSDN is rather old, so all I can do is give bad advice.. :tongue:
anyway, here's another one:
a way to get current directory in NT (UNICODE format):
mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 10h]
mov eax, dword ptr [eax + 28h]
That is a very useful one and I will add it to my little repertoire :alright:
I think it is the application path however, I tried SetCurrentDirectory and it did not change.
Sweet !
Keep them coming :)
Name of the current module in NT (UNICODE):
mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 10h]
mov eax, dword ptr [eax + 74h]
Command line in NT (UNICODE):
mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 10h]
mov eax, dword ptr [eax + 44h]