Saturday, June 22, 2013

Undocumented NtQuerySystemInformation Structures (Updated for Windows 8)

Those familiar with Windows internals are likely to have used the NtQuerySystemInformation function in ntdll. This function is extremely valuable for getting system information that would otherwise not be made available via the Win32 API. The MSDN documentation only documents a minimal subset of the structures returned by this powerful function, however. To date, one of the best references for the undocumented features of this function has been the “Windows NT/2000 Native API Reference.” Despite being published in 2000, many of the structures documented in this book are still relevant today. In recent history though, Microsoft has quietly expanded the number of functions returned by NtQuerySystemInformation. Thankfully, the vast majority of them have been made public via symbols present in uxtheme.dll (64-bit structures) and combase.dll (32-bit) structures in Windows 8. At last check, it appears as though Microsoft pulled these symbols from the latest versions of the respective dlls.
 
I did my best to document these structures and fill in as many holes as possible in the SystemInformationClass enum. What resulted is the following image – a mapping of SystemInformationClass constants to their respective 32-bit structure and a header file – NtQuerySystemInformation.h. I validated that the header file is properly parsed by IDA (Ctrl+F9). To view the result of what was parsed in IDA, press Shift+F1 (Local Types Subview). The most notable structures are the ones that return pointers. In many cases, these are pointers to kernel memory. >D


Labels: ,

6 comments:

  1. waliedJune 22, 2013 at 10:46 PM

    Good effort, Sir.
    Could you please elaborate on the " uxtheme.dll (64-bit structures) and combase.dll (32-bit)" part?

    ReplyDelete
    Replies
    1. Matt GraeberJune 23, 2013 at 7:37 AM

      Sure. The 32-bit symbols were found in combase.dll (i.e. dt combase!_SYSTEM_*_INFORMATION) and the 64-bit symbols were present in uxtheme.dll.

      Delete
  2. MP-CLApril 5, 2015 at 12:30 PM

    Thank you so much
    But the problem i have is how to manipulate pointers to get the data returned by the function ... ,, if you can make a short example to get process information with "ntquerysysteminformation" ... Thank you again :)

    ReplyDelete
    Replies
    1. Matt GraeberApril 6, 2015 at 7:10 AM

      I just Googled an example: http://www.rohitab.com/discuss/topic/40504-using-ntquerysysteminformation-to-get-process-list/

      That should help.

      Delete
  3. WongJuly 12, 2015 at 7:39 AM

    Matt, this was one of the most useful list of every struct that I've ever used. Great reference and thank you for making the work for us developers much easier!

    ReplyDelete
  4. gnomicbits (Sreejith. D. Menon)March 31, 2016 at 5:30 PM

    Thank you Matt. This helped in my research.. and I have put something in the form of code too...
    http://gnomicbits.blogspot.in/2016/03/introduction-to-native-aka-undocumented.html

    ReplyDelete

Subscribe to: Post Comments (Atom)