A forum for reverse engineering, OS internals and malware analysis 

 #11796  by yenom
 Fri Feb 24, 2012 3:16 pm
Hello,
I have a question: can the second call of NtQuerySystemInformation return STATUS_INFO_LENGTH_MISMATCH?
If yes, I need to use "do { } while", no?
Thx!
Code:
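	ULONG							BytesRet = 0;
	PSYSTEM_PROCESS_INFORMATION		pSPI = NULL;

	// First call with a zero-length buffer only asks for the required size
	if (NtQuerySystemInformation(SystemProcessesAndThreadsInformation, pSPI, 0, &BytesRet) == STATUS_INFO_LENGTH_MISMATCH)
	{
		pSPI = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
		if (pSPI != NULL)
		{
			// Second call fills the buffer, sized from the first call's answer
			if (NtQuerySystemInformation(SystemProcessesAndThreadsInformation, pSPI, BytesRet, &BytesRet) == STATUS_SUCCESS)
			{
				// SUCCESS HERE
			}
			HeapFree(GetProcessHeap(), 0, pSPI);
		}
	}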
 #11797  by Alex
 Fri Feb 24, 2012 4:41 pm
Yes, the second call can return STATUS_INFO_LENGTH_MISMATCH. I think it is a good idea to use do-while and to increase the returned buffer length (BytesRet) by the size of a few SYSTEM_PROCESS_INFORMATION structures.
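
The retry pattern discussed in this thread, as an added example that is not part of either post: a bounded do-while loop that pads the reported length before each attempt. To run anywhere it takes the query as a function pointer and uses a constructed mock whose required size grows between calls; `RECORD_SIZE`, `SLACK_RECORDS`, `MAX_TRIES`, `query_fn`, `mock_query` and `query_with_retry` are assumed names, and on Windows the callback would wrap NtQuerySystemInformation with HeapAlloc/HeapFree in place of malloc/free.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* NTSTATUS values as defined in ntstatus.h */
#define STATUS_SUCCESS              ((int32_t)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((int32_t)0xC0000004)
#define STATUS_NO_MEMORY            ((int32_t)0xC0000017)
#define RECORD_SIZE   256u  /* assumed stand-in for one process record */
#define SLACK_RECORDS 8u    /* "a few" records of headroom */
#define MAX_TRIES     8     /* bound the loop so it cannot spin forever */

/* Same shape as NtQuerySystemInformation without the class argument. */
typedef int32_t (*query_fn)(void *buf, uint32_t len, uint32_t *ret_len);
/* Constructed mock: the list grows by g_growth records after every call. */
static uint32_t g_records = 4, g_growth = 1, g_calls = 0;
int32_t mock_query(void *buf, uint32_t len, uint32_t *ret_len)
{
    uint32_t need = g_records * RECORD_SIZE;
    g_records += g_growth; g_calls++;   /* a process starts after each query */
    *ret_len = need;                    /* always report the size required */
    if (buf == NULL || len < need) return STATUS_INFO_LENGTH_MISMATCH;
    memset(buf, 0, need);
    return STATUS_SUCCESS;
}

/* On success *out holds *out_len bytes and the caller frees it. */
int32_t query_with_retry(query_fn q, void **out, uint32_t *out_len)
{
    uint32_t need = 0, cap;
    void *buf = NULL; int32_t st; int tries = 0;
    q(NULL, 0, &need);                  /* sizing call: the result is only a hint */
    do {
        free(buf);
        cap = need + SLACK_RECORDS * RECORD_SIZE;   /* pad the reported size */
        buf = (cap < need) ? NULL : malloc(cap);    /* reject 32-bit wrap */
        if (buf == NULL) { st = STATUS_NO_MEMORY; break; }
        st = q(buf, cap, &need);        /* need is refreshed on mismatch */
    } while (st == STATUS_INFO_LENGTH_MISMATCH && ++tries < MAX_TRIES);
    if (st != STATUS_SUCCESS) { free(buf); buf = NULL; need = 0; }
    *out = buf; *out_len = need;
    return st;
}

int main(void)
{
    void *p; uint32_t n;
    int32_t st = query_with_retry(mock_query, &p, &n);
    free(p);
    return st != STATUS_SUCCESS;
}
```

With the mock growing one record per call, an exact-size second call fails while the padded loop succeeds on its first data call; if growth outpaces the slack on every attempt, the loop gives up after `MAX_TRIES` and returns the mismatch status with no buffer.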