Can masm do this? If so, does anyone know how to translate this fasm code to masm code? Size is not an issue.
I also included a compiled exe. If you try it, make sure you don't have anything important to save. It will shut down the system totally in about 2-4 sec, no questions asked. It works for XP with or without Service Pack 2. I don't know about Win2000.
The link to this code is at http://board.flatassembler.net/topic.php?t=5068
Also, is there something around anywhere that can translate fasm to masm?
Change .bin to .exe, then execute it.
This seems to be the order the calls are made in:
TOKEN_ADJUST_PRIVILEGES
NtOpenProcessToken
ShutdownPowerOff eax SeShutdownPrivilege 1
NtAdjustPrivilegesToken
mov al, NtShutdownSystem
Thanks in advance
[attachment deleted by admin]
Yes, http://spiff.tripnet.se/~iczelion/files/Time%20ShutDown%20v1.0.zip has code that does what you want.
That's it E^cube
Now I can study how those APIs work. It's hard to understand in fasm.
Thank you
Thank you
Thank you
But why are you forcing a machine to just shut down? It is extremely bad UI to do that. And don't be surprised if your code doesn't work if the user is not administrator.
Quote
But why are you forcing a machine to just shut down?
Because I like speed and want to study the NT API. Never saw any NT code in masm or anything that ever caught my attention until now ...
Quote
It is extremely bad UI to do that.
XP is not complaining, I did it over 100x already ... I reboot instead of shutdown for testing so that the hard drive keeps spinning, to reduce stress.
Quote
And don't be surprised if your code doesn't work if the user is not administrator.
Glad you brought that to my attention.
Do you mind sharing... what is the script and where do I write it to be used in my XP as an administrator, to protect my machine on a network from programs like the Timer shutdown being used maliciously over a network? Don't go and disappear on me again, bud.
Ok, I've been working hard trying to translate from Fasm to Masm. I could not make sense of it because the fasm code really doesn't have a normal PE. So I set the program up in masm using the NT API, based on the Timer ShutDown code. I think I have set things up properly but I'm having trouble with the NtAdjustPrivilegesToken call.
Here is the entire test sample: a *stripped-down* working PROC from the Timer ShutDown zip, a re-arranged, commented-out Ancient One Fasm code for study purposes, and my non-working NT PROC.
You can fire it up and it will do nothing more than display three message boxes to show if the three NT APIs work or not... Far as I can tell only one does not.
If there are no serious NT coders here to go into detail on how these APIs work, would an enlightened coder still try to help me get this code running? I've been at it for some time now and I am totally stumped. You can see that in the code layout. Should be easy to work with ...
Thanks in advance
.686
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\ADVAPI32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\ADVAPI32.lib
;=================
; Structures for
;=================
OSVINFO STRUCT
dwOSVersionInfoSize DWORD ?
dwMajorVersion DWORD ?
dwMinorVersion DWORD ?
dwBuildNumber DWORD ?
dwPlatformId DWORD ?
szCSDVersion BYTE 128 dup (?)
OSVINFO ENDS
LUIDCUST STRUCT
usedpart DWORD ?
ignorehigh32bitpart DWORD ?
LUIDCUST ENDS
TOKEN_PRIVS STRUCT
privilegecount DWORD ?
theluid LUIDCUST <>
attributes DWORD ?
TOKEN_PRIVS ENDS
AdjustToken PROTO
;=================
;=================
.const
ShutdownPowerOff equ 2
TOKEN_ADJUST_PRIVILEGES equ 20h
SE_SHUTDOWN_NAME equ ("SeShutdownPrivilege")
SE_PRIVILEGE_ENABLED equ 2h
;=================
;=================
.data
sz_ntdll DB "ntdll",0
sz_NtOpenProcessToken DB "NtOpenProcessToken",0 ; = 123
sz_NtAdjustPrivilegesToken DB "NtAdjustPrivilegesToken",0 ; = 011
sz_NtShutdownSystem DB "NtShutdownSystem",0 ; = 249
sz_SeShutdownPrivilege DB "SeShutdownPrivilege",0
sz_Code_Check_1 DB " NtOpenProcessToken: Code Check 1 ",0
sz_Code_Check_2 DB " NtAdjustPrivilegesToken:Code Check 2",0
sz_Code_Check_3 DB " NtShutdownSystem: Code Check 3 ",0
;=================
;=================
.data?
temp DWORD ?
__ntdll DWORD ?
__NtOpenProcessToken DWORD ? ; = 123 from Ancient One 104
__NtAdjustPrivilegesToken DWORD ? ; = 011 Don't know if masm
__NtShutdownSystem DWORD ? ; = 249 uses numbers or not
; ..........................................
; ..........................................
cProcessHandle DWORD ?
c_Token_Handle DWORD ?
lBufferNeeded DWORD ?
tBuff BYTE 32 dup(?)
v_ID_POINTER DWORD ?
; ..........................................
; ..........................................
values_ID_STRUCT LUIDCUST <?>
tkp TOKEN_PRIVS <?>
tkp_New_But_Ignored TOKEN_PRIVS <?>
;=================
;=================
;=================
;=================
.code
Start:
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
;;; jmp __Avoid_this_NT_code
CALL nt_GET_NT_API
;================= With a little modification
;================= of labels you can jump over this
;================= to test the working version of
;================= the slow Timer ShutDown from Icz's website
;=================
;================= The 17 lines of code below are what
;================= I am working on. I think I got
;================= NtOpenProcessToken right but am having trouble
;================= with NtAdjustPrivilegesToken
; ........................................................... NtOpenProcessToken
PUSH offset c_Token_Handle ; OUT PHANDLE TokenHandle
PUSH TOKEN_ADJUST_PRIVILEGES ; IN ACCESS_MASK DesiredAccess, or 40 (= TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY)
PUSH cProcessHandle ; IN HANDLE ProcessHandle (only assigned by GetCurrentProcess in the kernel32 path below, so still 0 on this path)
CALL __NtOpenProcessToken
mov temp, eax ; NTSTATUS returned in eax
invoke MessageBoxA, 0, offset temp, offset sz_Code_Check_1, 0 ; shows the raw NTSTATUS bytes as text, not a formatted number (same for the two boxes below)
; ....................................................... NtAdjustPrivilegesToken
PUSH offset lBufferNeeded ; OUT PULONG RequiredLength OPTIONAL
PUSH offset tkp_New_But_Ignored ; OUT PTOKEN_PRIVILEGES PreviousPrivileges OPTIONAL
PUSH SizeOf tkp_New_But_Ignored ; IN ULONG PreviousPrivilegesLength
PUSH offset tkp ; IN PTOKEN_PRIVILEGES TokenPrivileges (only filled in by the kernel32 path below, so still all zeros on this path)
PUSH 0 ; IN BOOLEAN DisableAllPrivileges
PUSH c_Token_Handle ; IN HANDLE TokenHandle
CALL __NtAdjustPrivilegesToken
mov temp, eax
invoke MessageBoxA, 0, offset temp, offset sz_Code_Check_2, 0
; ................................................... NtShutdownSystem
PUSH ShutdownPowerOff ; Action
CALL __NtShutdownSystem
mov temp, eax
invoke MessageBoxA, 0, offset temp, offset sz_Code_Check_3, 0
;=================
;=================
;=================
;=================
jmp ___exit
;; __Avoid_this_NT_code:
jmp __Avoid_this_Kernel_code
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ This is a working stripped
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ down version of
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ShutDownTimer from
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Iczelion's web site.
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ I use this to figure out
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ how to fill the NT API
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ used. Goal is to match
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ the speed or strength
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ of Ancient One's 104-byte
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ shutdown and to learn
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ something about the NT API
CALL GetCurrentProcess
mov cProcessHandle,eax
lea eax, tBuff ; address of temp buffer into eax
mov v_ID_POINTER, eax ; set pointer to temp buffer
mov BYTE PTR [eax], 0 ; initialize the buffer
; .................................... LOOK_UP_PRIVILEGES_VALUES
; .................................... LOOK_UP_PRIVILEGES_VALUES
; .................................... LOOK_UP_PRIVILEGES_VALUES
PUSH offset c_Token_Handle
PUSH 40
PUSH cProcessHandle
CALL OpenProcessToken
PUSH offset values_ID_STRUCT
PUSH offset sz_SeShutdownPrivilege
PUSH v_ID_POINTER
CALL LookupPrivilegeValue
lea eax, values_ID_STRUCT
; .................................... FILL STRUCTURES
; .................................... FILL STRUCTURES
; .................................... FILL STRUCTURES
mov ecx, (LUIDCUST PTR [eax]).usedpart ; Contents of STRUCT into ecx:edx
mov edx, (LUIDCUST PTR [eax]).ignorehigh32bitpart
lea eax, tkp ; address of tkp into eax
mov (TOKEN_PRIVS PTR [eax]).privilegecount, 1
mov (TOKEN_PRIVS PTR [eax]).theluid.usedpart, ecx
mov (TOKEN_PRIVS PTR [eax]).theluid.ignorehigh32bitpart, edx
mov (TOKEN_PRIVS PTR [eax]).attributes, 2
; ................................................. ADJUST_TOKEN_PRIVILEGES
; ................................................. ADJUST_TOKEN_PRIVILEGES
; ................................................. ADJUST_TOKEN_PRIVILEGES
PUSH offset lBufferNeeded
PUSH offset tkp_New_But_Ignored
PUSH SizeOf tkp_New_But_Ignored
PUSH offset tkp
PUSH 0
PUSH c_Token_Handle
CALL AdjustTokenPrivileges
; ................................................. SHUT THIS MONKEY DOWN
; ................................................. SHUT THIS MONKEY DOWN
; ................................................. SHUT THIS MONKEY DOWN
PUSH 0
PUSH 2 + 8 + 4
CALL ExitWindowsEx
; EWX_SHUTDOWN=1 EWX_REBOOT=2 EWX_FORCE=4 EWX_POWEROFF=8 EWX_FORCEIFHUNG=10h
; so 2 + 8 + 4 = EWX_REBOOT or EWX_POWEROFF or EWX_FORCE
__Avoid_this_Kernel_code:
___exit:
PUSH 0
CALL ExitProcess
; #################################################################
; #################################################################
; ################################################################# Get NT Api
; ################################################################# Get NT Api
; ################################################################# Get NT Api
; ################################################################# Get NT Api
; #################################################################
; #################################################################
nt_GET_NT_API proc
invoke LoadLibrary, offset sz_ntdll
cmp eax, 0h
je Unload
mov __ntdll, eax
invoke GetProcAddress, __ntdll, offset sz_NtOpenProcessToken
cmp eax, 0h
je Unload
mov __NtOpenProcessToken, eax
invoke GetProcAddress, __ntdll, offset sz_NtAdjustPrivilegesToken
cmp eax, 0h
je Unload
mov __NtAdjustPrivilegesToken, eax
invoke GetProcAddress, __ntdll, offset sz_NtShutdownSystem
cmp eax, 0h
je Unload
mov __NtShutdownSystem, eax
Unload:
ret
nt_GET_NT_API endp
; #################################################################
end Start
; .........................................................
; ......................................................... This is Ancient One's
; ......................................................... FASM 104-byte fast
; ......................................................... system shutdown.
; ......................................................... I just lined those jumps
; ......................................................... up for study
; mov ebx, esp
; push ebx
; push TOKEN_ADJUST_PRIVILEGES
; push (-1) ebx NtOpenProcessToken
; pop eax
;dd imageBase
;dd 4
;dd 4
; call edi
; push ShutdownPowerOff eax SeShutdownPrivilege 1
; mov ebp, esp
; push eax
;dd entryPoint
; push eax eax ebp eax
;dd sizeof.image
;dd sizeof.peHeaders
; push dword [ebx]
;dw 2
;sizeof.optionalHeader = $-optionalHeader
;sizeof.peHeaders = sizeof.optionalHeader
; push ebp
; mov al, NtAdjustPrivilegesToken
; call edi
; leave
; mov al, NtShutdownSystem
;_sysEnter:
; mov edx, esp
; sysenter
;sizeof.image=$
ic2,
I think I have something that will help you. It is my version of a 'force shutdown' utility. It is not as small as the FASM version, but it works. I see you are making excellent progress with your conversion. The only reason I am attaching my version is so you can examine how I handled the Privileges issue.
I hope this helps you finish your project.
Paul
[attachment deleted by admin]
As a newbie I mean to help. I hope I can manage it.
In Delphi I can use the following WinAPIs to force (even) XP to shut down.
SendMessage(HWND_BROADCAST, WM_SHUTDOWN, 0, 0);
ExitWindowsEx(EWX_SHUTDOWN, 0);
This is the Pascal syntax. And these two lines ensure that the computer is shut down. HTH.
Are you not first required to acquire the SeShutdownPrivilege?
Ehtyar.
Quote from: Ehtyar on December 23, 2006, 09:14:31 PM
Are you not first required to acquire the SeShutdownPrivilege?
Ehtyar.
:dazzled: This time I've tested these two lines but they did not shut the OS down. :dazzled:
When I tested this code I was using XP (with no SPs) as an admin (at least 1.5 years ago). Now I'm using it as a user/admin, it fails. :eek
Sorry for the misleading info. Regards.
Thanks Pbrennick for the effort, but it's still kernel code, not direct NT-API code, which will produce the desired results. There are only three possible ways to hit a total SYSTEM HALT on XP like Ancient One did ...
1: Using the NT API. 2: Ring 0, or 3: Totally crashing the system... which is not a bad idea. Data will be lost but it will not harm my NT machine. A TOTAL system HALT is what The Ancient One's code actually accomplished. The programmer's dream!!!
You get first crack at your own sh*t before some nut or vir** does. You already know that when *guys* like that get through f**king you out of what they came for, *they only shut you down* and move on to the next weak puter-chick . . . ..
This is what got me interested in the NT API, but let me add this to my question.
Does anyone have some old bad code that once crashed your XP? I mean from the Blue Screen of Death to a total shutdown.
Thanks for the present replies and all new suggestions that may come.
Btw: a BROADCAST for a shutdown. Not exactly what I'm after but I will be trying that in a minute. You said it works depending... that's going to be a big surprise for a lot of people. It must be Christmas :)
The trouble with BSOD code is that it's the one thing Microsoft is actually efficient at patching. You will find in most cases that any BSOD code publicly available will no longer work, and on the off chance it still does, your use of it, or posting it on public forums, will undoubtedly lead to the vulnerability being patched even sooner. However, as you said, it is relatively easy to crash a machine from ring0, though accessing ring0 from ring3 is intentionally made almost impossible by Microsoft for this very reason. You can always install a driver at runtime, and use code from it to crash the machine, but again, that is made intentionally difficult by Microsoft. I can't help you in any of these respects on principle, but these are your options. I hope some of it helps, provided your intentions are legitimate.
Ehtyar.
P.S. If you decide to pursue driver development, have a look here (http://website.masm32.com/kmdtute/index.html) for the Kernel Mode Driver Kit, which contains some very helpful beginner examples and skeleton code.
I hate questions like that when I'm trying to solve a little problem and the known code is spread around the world somewhere.
Now I have to explain myself AGAIN :( ;( ;(
There are some things I do for my machines "only", when it comes to coding certain types of programs. I wrote my own type of system monitoring that is useful enough for what I need it for.
I use my same development machine while surfing the net. This is stupid but I've got my own way to deal with any attacks. I wait for them just to make sure my sh*t works. I don't rely totally on any known public program. I don't even trust the OS itself. I use nothing but a half-way decent firewall. I've seen people turn off my firewall before my very eyes, MANY, MANY TIMES, until they gave up after a few months.
I've got big tricks for when things like that happen, and if someone manages to bypass my tricks, I'm no fool. It SHUTS DOWN. I just found a better way to shut down and want to code it in masm to throw it into my bag of tricks. As I said, I don't even trust the OS, I only rely on what I can do for it to be as secure as I need it to be, and I've got my way of challenging that. This is where I have my fun.
So yes, my intentions are legitimate.
Now that I read your reply, you are absolutely right. I already know that... Even NT code gets changed with patches. MS will try to fix anything and is right in doing so, but I need this for my own machines. I think I indicated that from the start.
So if someone knows how to halt a system, PM me with those few lines of code. As for my original question, a real shutdown, we all know by now it's got to be done with the NT structure coding, so that question remains.
Ehtyar, I got the KMD kit about a week ago and have been looking into it seriously. It's enough for me to be fooling around with NT coding, my encryption program, updating my system monitor, building a web browser because I hate Google's useless packets running through my machine all day when I never use them. FireFox sold out... etc... It all got me trying to reconstruct Qeditor and Ewayne's AsmEdit to my convenience, to rapidly fly through all of this before I forget something important, all at the same time. Damn, I could go on and on and still end up with my original question never being answered here... I hardly ever go elsewhere with the same question.
Thanks for your insight Ehtyar and all your help. I know you are sincere, but if someone ever worries about my intentions again I'm going to go some place and hide from the world and drown myself in booze and women for the rest of my life. I actually joined this past summer and out of the few questions I asked I've been re-questioned in nearly every thread I made from day 1.
I had more fun being a reading guest. Then I spent all of my time explaining what I need to do it for like some kind of kid; then the re-questioner leaves and never comes back with any type of response, and no one else would even bother after seeing it all.
My questions usually are a little deeper, but that's because I've been following the assembler boards in the background for a long time.
I thought that was all over by now. Shutting a system down ... This is not an uncommon thing to do. I just want to do it faster.
I've used kernel code for years. There's nothing wrong with NT; MS$ uses it to better their own programs and changes it up when we get hip to it, that's all..
May be useful... Can't remember if I got it from this board, seem to remember something about "smallest Win32 EXE" or similar.
[attachment deleted by admin]
Thanks sinsi, that is one of the fasm codes from back when they had the fastest, smallest shutdown challenge. Like bitRAKE and The Svin used to do with masm. The Ancient One was the smallest, coming in at 104 bytes. I consider him the Svin of fasm.
I would do fasm but I might get caught up in mastering fasm development with NO HELP instead of writing ready-to-do-something programs. Overall there are only three places that I know of where help is in abundance, and this is one of them.
Anyway, these are the three must-use APIs for masm to match the functionality of those fasm programs. Forget about being the smallest... masm can't beat fasm in that area, so size is not the issue. Just in case someone comes up with something, all of the below MUST be included in that code; anything else is kernel-level code. NT can get like ring 0 but it doesn't last long if MS finds out you got too fancy with it or do better with it than they do. hee hee. They call it a bug in a minute...
Thanks again for trying sinsi
Equates
SE_PRIVILEGE_ENABLED equ 2
SeShutdownPrivilege equ ("SeShutdownPrivilege")
TOKEN_ADJUST_PRIVILEGES equ 20h
Api Calls
NtAdjustPrivilegesToken
NtOpenProcessToken
NtShutdownSystem
iC2,
I am curious as to why the method I used is unsuitable to you. It is using the API. If it is a matter that you want 'certain' APIs to be used over others, let me know and I will see if I can help you.
Paul
Hello PBrennick,
Straight to the point ... what you missed is listed below. An easy miss. See what I had to go through.
I should have mentioned that the best way to test any shut-down program is to open up your favorite editor or MsWord. Type a few lines. Then execute Shutdown.exe.
If you see the dialog "Do you want to save this file", that will tell you that it is not NT-level code and that your API is calling the Kernel32 version of the API.
You are using the proper equates like TOKEN_ADJUST_PRIVILEGES, but not the proper DLL.
NT has a private set of APIs and Kernel32 has its own set, but it must call its new BOSS if it doesn't have it listed under its own name ...
NT gets first dibs on everything, I believe. To me, Kernel32 these days is only there for backward compatibility, but the Kernel must now call on the General.
From what I've been reading this seems just about right, but my thoughts are not the gospel.
IMPORTANT:
Try what I suggested above first... If you don't get a black screen and "ALL" power off in under 4 seconds, it's not the real deal.
Do the same thing with the Ancient One zip I posted above. Change the .bin extension to .exe and fire it up with any darn thing open. This will prove that NT is one bad a*s DLL.
If nothing change please let me know, but that should be impossible.
from the nt.dll
NtAdjustPrivilegesToken
from the kernel.dll
AdjustPrivilegesToken
here, if you are fascinated with size, a ten-line masm program :boohoo:, that works on all NT systems, not only on XP SP2 like that fasm program
.686
.model flat,stdcall
include ntdll.inc ; PROTOs for RtlAdjustPrivilege / NtShutdownSystem
include kernel32.inc
includelib ntdll.lib ; import libraries matching the two includes (ntdll.inc/.lib are not in the stock masm32 package; build or obtain them)
includelib kernel32.lib
.code
start: push esp ; one stack slot for the BOOLEAN "previous state" out-parameter
; RtlAdjustPrivilege(Privilege = 19 = SE_SHUTDOWN_PRIVILEGE, Enable = TRUE, CurrentThread = FALSE, PBOOLEAN Enabled)
invoke RtlAdjustPrivilege,19,2,0,esp
invoke NtShutdownSystem,2 ; SHUTDOWN_ACTION 2 = ShutdownPowerOff
jmp ExitProcess ; the dword pushed above is left on the stack as the exit code
end start
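The privilege buffer is where ic2's listing goes astray (the TOKEN_PRIVS struct must be filled before NtAdjustPrivilegesToken sees it) and the privilege number 19 in drizz's RtlAdjustPrivilege call is the same thing expressed as a LUID. As an added example, not code from the thread or from any poster, here is a small Python script that packs and decodes the TOKEN_PRIVILEGES layout, so you can compare the bytes your assembler actually emits (a hex dump of tkp) against a reference. It handles the general structure with any number of entries, not only the one-entry case the MASM structs cover. It makes no Windows API calls, so it runs anywhere; the constants are the ones from the thread, while the privilege-name table and the sample buffer are constructed for the example.

```python
import struct

# Constants as they appear in the thread; they match the public Win32 / NT headers.
SE_PRIVILEGE_ENABLED = 0x02
SE_SHUTDOWN_PRIVILEGE = 19        # LUID LowPart of SeShutdownPrivilege, the "19" in the RtlAdjustPrivilege call

# In-memory layout of TOKEN_PRIVILEGES, little-endian, no padding:
#   DWORD PrivilegeCount
#   LUID_AND_ATTRIBUTES Privileges[PrivilegeCount], each { DWORD LowPart; LONG HighPart; DWORD Attributes }
# The MASM TOKEN_PRIVS/LUIDCUST structs in the thread describe exactly the one-entry case (16 bytes).
HEADER = struct.Struct("<I")
ENTRY = struct.Struct("<IiI")     # 12 bytes per entry

# Constructed name table covering only the LUID this thread is about (an assumption, not a full list).
KNOWN_PRIVILEGES = {SE_SHUTDOWN_PRIVILEGE: "SeShutdownPrivilege"}


def build_token_privileges(entries):
    """Pack (luid_low, luid_high, attributes) tuples into a TOKEN_PRIVILEGES buffer."""
    buf = bytearray(HEADER.pack(len(entries)))
    for low, high, attrs in entries:
        buf += ENTRY.pack(low, high, attrs)
    return bytes(buf)


def is_well_formed(buf):
    """True if PrivilegeCount is present and the buffer holds that many 12-byte entries."""
    if len(buf) < HEADER.size:
        return False
    (count,) = HEADER.unpack_from(buf, 0)
    return len(buf) >= HEADER.size + count * ENTRY.size


def parse_token_privileges(buf):
    """Decode a TOKEN_PRIVILEGES buffer into a list of dicts; refuses truncated input."""
    if not is_well_formed(buf):
        raise ValueError("truncated TOKEN_PRIVILEGES buffer")
    (count,) = HEADER.unpack_from(buf, 0)
    out = []
    for i in range(count):
        low, high, attrs = ENTRY.unpack_from(buf, HEADER.size + i * ENTRY.size)
        name = KNOWN_PRIVILEGES.get(low) if high == 0 else None
        out.append({
            "luid": ((high & 0xFFFFFFFF) << 32) | low,
            "name": name if name is not None else f"luid:{high:#x}:{low:#x}",
            "enabled": bool(attrs & SE_PRIVILEGE_ENABLED),
        })
    return out


def shutdown_privilege_requested(buf):
    """True if the buffer asks to enable SeShutdownPrivilege, which the shutdown code must do."""
    return any(p["name"] == "SeShutdownPrivilege" and p["enabled"]
               for p in parse_token_privileges(buf))


if __name__ == "__main__":
    # Constructed sample: the exact buffer the thread's code hands to (Nt)AdjustTokenPrivileges.
    tkp = build_token_privileges([(SE_SHUTDOWN_PRIVILEGE, 0, SE_PRIVILEGE_ENABLED)])
    print(tkp.hex())                      # 01000000130000000000000002000000
    print(parse_token_privileges(tkp))    # one entry, SeShutdownPrivilege, enabled
    print(shutdown_privilege_requested(tkp))
```

If the 16 bytes at `tkp` in your build do not read `01 00 00 00 13 00 00 00 00 00 00 00 02 00 00 00` when the adjust call is made, the privilege structure is the problem, not the DLL; an all-zero buffer (PrivilegeCount = 0) decodes to an empty list and requests nothing.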
This is becoming more than interesting to me. Why does NT use different APIs to address the same type of API?
RtlAdjustPrivilege*
NtAdjustPrivilegesToken
ZwAdjustPrivilegesToken
I will be searching for some answers to this question myself tonight and post my thoughts about it by tomorrow. (I'm new to this and that's all I can do until I find facts about the opinions on the facts that I'll be searching for.)
Thanks drizz, for your reply. I know you are a very busy man like most other coders here, but your code has answered a lot of questions and has led me to this one. My thought as of now is that Rtl is a way where masm32 can implement some NT examples that will not break in newer versions of Windows for quite a while. Is it Rtl or is it Zw? I realize behind all the replies here that it's not a direct Nt_____api.
Also, am I right to think that a *direct NT call* is a nice way that MS$ allows programmers to make a call to *a form* of ring 0 even without a system driver? It seems to have first dibs regardless...
Btw: Ehtyar, and all others of concern.
Just for the record. My interest in encryption has nothing to do with shutdown. It may be illegal in some countries to do that while being hacked\cracked or whatever. Crackers have rights too... and may be protected under the law only for the sake of the stupid law writers, for their own interest, under instruction of paying advisors who are hackers themselves. The only meaning of the word PUSH to a politician is PAPER.
I know of code that will make any cracker program crash itself on demand and there are many irreversible *legal* ways to do this. So this is not the issue.
I simply want some NT API in my assembler adventure and refuse to be left behind any farther, including the fact that I need some new challenges before I get bored with my own da*m project.
PBrennick, I have not tried drizz's code yet because I've got to dump ntdll.dll and make a working include and lib ... something new to learn how to do. I always go all-out when something seems correct. Yeah, I think drizz got it. Did it work for you? ...
Got to say ... Thanks masm32forum for helping to bump me in the right direction.
It works like a charm. Now I see the first mistake in the code I posted and have been working with. It didn't even have the ntdll inc and lib listed. So easy to miss those little things. This may have misled everyone. Sorry about that...
Thanks again drizz and everybody.
Going to study what make it tick.
ic2, I have a hard time understanding what you are saying ::)
Nevertheless I'll give you some (dword) pointers to the Native API.
unfortunately since the microsoft assimilation, the sysinternals site no longer hosts this article
http://wwwspies.informatik.tu-muenchen.de/lehre/praktika/SS02/bsprakt/inside_the_native_api.html
alex ionescu
http://www.alex-ionescu.com/ read publications
unfortunately ReactOS page is down at the moment...
be sure to download NDK later
four-f's kmdkit also has stuff applicable to usermode
http://www.freewebs.com/four-f/index.htm
books:
"Windows NT Native API" by Gary Nebbet
http://undocumented.ntinternals.net/
have fun
This is the info I've been looking to dig up. This is enough to keep me quiet for a good while. And thanks for that great example. It proved to me it may be as easy as standard API calling. I was afraid of what I knew nothing about. I'm going to put those links, and more as I find them, with examples in a thread simply named NT Api for quick reference.
Thanks drizz