NTOSKRNL

[hutch--]

You don't have the correct argument for the function. Look here,

http://www.osronline.com/ddkx/kmarch/k112_00fm.htm

POOL_TYPE

[bomz]

[qWord]

what a useful answer bomz...

[bomz]

I don't know how do this POOL_TYPE

[qWord]

I don't know how do this POOL_TYPE

he was referring to your problem with ExAllocatePool!

Also, are you trying to get process information using ZwQuerySystemInformation? There are enough examples - just search for them!

[bomz]

I see with pool_type in the very beginning. I don't know how use it in masm. all examples I find belong to windows 2000.

there is no problems with query process. only - first you get data size , allocate memory, and call function second time. but between this times a new apllication may be run and size changed. I can't find any serious method to decide this

one problem was - to count offset, because any struct was not in masm includes

.686

.model flat, stdcall
option casemap :none

include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\masm32.inc
include \MASM32\INCLUDE\gdi32.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
includelib \MASM32\LIB\masm32.lib
includelib \MASM32\LIB\gdi32.lib
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib

UNICODE_STRING STRUCT
    Len            WORD ?
    MaximumLength      WORD ?
    Buffer         PWSTR ?
UNICODE_STRING ends

CLIENT_ID STRUCT
    UniqueProcess               dd    ?
    UniqueThread                dd    ?
CLIENT_ID ENDS

SYSTEM_THREADS struct
    KernelTime                  LARGE_INTEGER   <>
    UserTime                    LARGE_INTEGER   <>
    CreateTime                  LARGE_INTEGER   <>
    WaitTime                    dd  ?           
    StartAddress                dd  ?
    ClientId                    CLIENT_ID       <>
    Priority                    SDWORD   ?
    BasePriority                SDWORD   ?
    ContextSwitchCount          dd  ?
    State                       dd  ?
    WaitReason                  dd  ?
SYSTEM_THREADS  ends

VM_COUNTERS STRUCT
    PeakVirtualSize             DWORD    ?
    VirtualSize                 DWORD    ?
    PageFaultCount              DWORD    ?
    PeakWorkingSetSize          DWORD    ?
    WorkingSetSize              DWORD    ?
    QuotaPeakPagedPoolUsage     DWORD    ?
    QuotaPagedPoolUsage         DWORD    ?
    QuotaPeakNonPagedPoolUsage  DWORD    ?
    QuotaNonPagedPoolUsage      DWORD    ?
    PagefileUsage               DWORD    ?
    PeakPagefileUsage           DWORD    ?
VM_COUNTERS ENDS

SYSTEM_PROCESSES struct
    NextEntryDelta              dd  ?
    ThreadCount                 dd  ?
    Reserved1                   dd  6 dup (?)
    CreateTime                  LARGE_INTEGER  <>
    UserTime                    LARGE_INTEGER  <>
    KernelTime                  LARGE_INTEGER  <>
    ProcessName                 UNICODE_STRING  <>
    BasePriority                SDWORD   ? 
    ProcessId                   dd  ?
    InheritedFromProcessId      dd  ?
    HandleCount                 dd  ?
    Reserved2                   dd  2 dup (?)
    VmCounters                  VM_COUNTERS <>
;IO_COUNTERS IoCounters; // Windows 2000 only
    Threads                     SYSTEM_THREADS  <>
SYSTEM_PROCESSES ends

.data
mestitle db "Bomz",0
form db "EAX: %u", 0


.data?
buffer db 512 dup(?)
new   SYSTEM_PROCESSES <>
.code
start:
lea eax, new.NextEntryDelta
lea ebx, new.VmCounters.WorkingSetSize
lea ebx, new.UserTime
sub ebx, eax
invoke wsprintf,ADDR buffer,ADDR form,ebx
invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK

invoke ExitProcess,0
end start

[Magnum]

bomz,

A lot of russian speakers over here.

http://www.winasm.net/forum/index.php

[bomz]

I know about this forum. If nobody don't know here how declare POOL_TYPE , there the more.
masm code no need translation

[qWord]

double the buffer size each time, the function fails (-> HeaoAlloc or GloabAlloc, there is no need to use ExAllocatePool) :

Code Select Expand

mov esi,10000
@1:
.if esi < MAX
    mov edi,alloc(esi)
    .if edi
        .if rv(ZwQuerySystemInformation ,...) != STATUS_SUCCESS
            lea esi,[esi*2]
            free edi
            jmp @1
        .endif
    .endif
.endif

The question is, why are you stepping in such advanced topics without any knowleg on C?

[bomz]

I don't need any C. In school I learn Basic - so asm is mine, C for pascal user.

I wan't use ExAllocatePool. ZwQuerySystemInformation - second thing

[qWord]

I don't need any C.

If nobody don't know here how declare POOL_TYPE 

most people herknow how declare the POOL_TYPE-enumeration because they can at least read C-code!

[dedndave]

Code Select Expand

typedef enum _POOL_TYPE {
  NonPagedPool                    = 0,
  PagedPool                       = 1,
  NonPagedPoolMustSucceed         = 2,
  DontUseThisType                 = 3,
  NonPagedPoolCacheAligned        = 4,
  PagedPoolCacheAligned           = 5,
  NonPagedPoolCacheAlignedMustS   = 6
} POOL_TYPE;

enumerations look like structures to us non-C ASM coders   :P
but - they are really more similar to EQUates
if you want a NonPagedPool, use 0
if you want a PagedPool, use 1
and so on

[bomz]

invoke ExAllocatePool, 1, 1024 - I do - error c0000005

[bomz]

I trying all variants. proto ExAllocatePool :DWORD, :DWORD

I use 1,2,3,4,5,6. addr buffer (1024 long), addr 'PagedPool', addr INT64=1. always error c0000005
I hope for 4 page somebody show working code

[qWord]

I trying all variants. proto ExAllocatePool :DWORD, :DWORD

I use 1,2,3,4,5,6. addr buffer (1024 long), addr 'PagedPool', addr INT64=1. always error c0000005
I hope for 4 page somebody show working code

It won't work, because this function can only be called by kernel mode drivers.