Vlad Ioan Topan

My playground

Undocumented structures in Delphi

leave a comment »

Undocumented or poorly-documented Windows structures translated to Delphi

If you’ve ever tried to do any Delphi system-level programming, you’ll understand what this page is all about. If you’re looking for the documented structures and APIs, Project JEDI’s API lib is the place to start.

NtQuerySystemInformation

Like all ntdll.dll APIs, this one doesn’t show up in standard MS headers either. It also tends to show up even less in Delphi source code…

function NtQuerySystemInformation(SystemInformationClass:DWORD; SystemInformation:pointer; SystemInformationLength:DWORD; ReturnLength:PDWORD):cardinal; stdcall; external 'ntdll';

UNICODE_STRING

Ubiquitous Windows device driver structure, but not defined in Delphi.

PUNICODE_STRING = ^UNICODE_STRING;
UNICODE_STRING = packed record
   Length: Word;
   MaximumLength: Word;
   Buffer: PWideChar;
   end;

SYSTEM_PROCESS_INFORMATION, VM_COUNTERS, IO_COUNTERS and SYSTEM_THREAD

SYSTEM_PROCESS_INFORMATION is used by NtQuerySystemInformation with SystemInformation set to SystemProcessInformation (5); the latter three are members of SYSTEM_PROCESS_INFORMATION.

VM_COUNTERS = packed record
   PeakVirtualSize: DWORD;
   VirtualSize: DWORD;
   PageFaultCount: DWORD;
   PeakWorkingSetSize: DWORD;
   WorkingSetSize: DWORD;
   QuotaPeakPagedPoolUsage: DWORD;
   QuotaPagedPoolUsage: DWORD;
   QuotaPeakNonPagedPoolUsage: DWORD;
   QuotaNonPagedPoolUsage: DWORD;
   PageFileUsage: DWORD;
   PeakPageFileUsage: DWORD;
   end;

IO_COUNTERS = packed record
   ReadOperationCount: LARGE_INTEGER;
   WriteOperationCount: LARGE_INTEGER;
   OtherOperationCount: LARGE_INTEGER;
   ReadTransferCount: LARGE_INTEGER; // I/O Read Bytes in Process Explorer
   WriteTransferCount: LARGE_INTEGER; // I/O Write Bytes in Process Explorer
   OtherTransferCount: LARGE_INTEGER; // I/O Other Bytes in Process Explorer
   end;

SYSTEM_THREAD  = packed record
   KernelTime: LARGE_INTEGER;
   UserTime: LARGE_INTEGER;
   CreateTime: LARGE_INTEGER;
   WaitTime: DWORD;
   StartAddress: DWORD; // starting address of the thread
   UniqueProcess: DWORD; // process ID (PID)
   UniqueThread: DWORD; // thread ID (TID)
   Priority: integer; // current priority
   BasePriority: DWORD; // initial priority
   ContextSwitchCount: DWORD;
   State: integer; // thead state: active (<5), waiting (5)
   WaitReason: integer; // waiting reason (5 = suspended)
   Reserved1:DWORD; 
   end;

PSYSTEM_PROCESS_INFORMATION = ^SYSTEM_PROCESS_INFORMATION;
SYSTEM_PROCESS_INFORMATION = packed record
   NextEntryOffset: DWORD;
   NumberOfThreads: DWORD;
   Reserved1: array &#91;0..5&#93; of DWORD;
   CreateTime: FILETIME;
   UserTime: FILETIME;
   KernelTime: FILETIME;
   ModuleName: UNICODE_STRING; // full image path name
   BasePriority: integer;
   ProcessID: DWORD;
   InheritedFromProcessId: DWORD; // parent PID
   HandleCount: DWORD;
   Reserved2: array&#91;0..1&#93; of DWORD;
   VirtualMemoryCounters: VM_COUNTERS;
   PrivatePageCount: DWORD;
   IoCounters: IO_COUNTERS;
   ThreadInfo: array&#91;0..0&#93; of SYSTEM_THREAD;
   end;&#91;/sourcecode&#93;

The latter two are wrongfully documented on undocumented.ntinternals.net <a href="http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/Structures/SYSTEM_PROCESS_INFORMATION.html">here</a> and <a href="http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/Structures/SYSTEM_THREAD.html">here</a>, respectively: <strong>SYSTEM_PROCESS_INFORMATION</strong> has the members <em>VirtualMemoryCounters</em> and <em>PrivatePageCount</em> in the wrong order, while <strong>SYSTEM_THREAD</strong> is missing the last DWORD.

<a name="OBJECT_ATTRIBUTES"></a>
<h3>OBJECT_ATTRIBUTES</h3>
This structure is used by the native API instead of plain string names for all objects (files, registry keys etc.).

POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
OBJECT_ATTRIBUTES = packed record
   Length: Cardinal;
   RootDirectory: THandle;
   ObjectName: PUNICODE_STRING;
   Attributes: Cardinal;
   SecurityDescriptor: Pointer;
   SecurityQualityOfService: Pointer;
   end;

Written by vtopan

April 14, 2009 at 11:54 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: