A forum for reverse engineering, OS internals and malware analysis 

NtQuerySystemInformation fails with access denied

Ask your beginner questions here.

NtQuerySystemInformation fails with access denied

 #3288  by driverobject
 Tue Nov 02, 2010 8:14 pm
Hi all,

I have the below code fragment in the beginning of an IOCTL function. After allocating memory for the SystemInformation structure below, I get an access denied. Any ideas why I may be hitting this?

Thanks,
Code: Select all
	PEPROCESS ntProcess;
	NTSTRSAFE_PWSTR buffer;
	PVOID ssdtAddress;
	PVOID SystemInformation = NULL;
	NTSTATUS ntStatus = STATUS_SUCCESS;
	PULONG ReturnLength = 0;
	RTL_PROCESS_MODULES moduleList;
	RTL_PROCESS_MODULE_INFORMATION module;
	ULONG Size = 0;
	int counter = 0;
	
	
	Size = sizeof(RTL_PROCESS_MODULE_INFORMATION);
	SystemInformation = ExAllocatePoolWithTag(PagedPool, Size, 'tagx');
	DbgPrint("Size: %d\n", Size);
	if(SystemInformation == NULL) 
	{
		DbgPrint("Could not allocate memory for the module list from paged pool. \n");
		return;
	}
	ntStatus = NtQuerySystemInformation(
		SystemModuleInformation, 
		SystemInformation,
		Size,
		0
		);

Re: NtQuerySystemInformation fails with access denied

 #3289  by EP_X0FF
 Wed Nov 03, 2010 3:16 am
Hello,
Code: Select all
PVOID AllocateInfoBuffer(
		  IN SYSTEM_INFORMATION_CLASS ATableType
		  )
{
	ULONG    mSize = 0x8000;
	PVOID    mPtr;
	NTSTATUS status;
	do
	{
		mPtr = ExAllocatePool(PagedPool, mSize);
		if (!mPtr) return NULL;

		memset(mPtr, 0, mSize);
		status = ZwQuerySystemInformation(ATableType, mPtr, mSize, NULL); 
		
		if (status == STATUS_INFO_LENGTH_MISMATCH)
		{
			ExFreePool(mPtr);
			mSize = mSize * 2;
		}

	} while (status == STATUS_INFO_LENGTH_MISMATCH);

	if (NT_SUCCESS(status)) return mPtr;

	ExFreePool(mPtr);
	return NULL;
}
 Return to “Newbie Questions”