Assembly Language for Beginners

(Jeff_L) #1

8.1 Task manager practical joke (Windows Vista).


Instead of epigraph:


Seibel:How do you tackle reading source code? Even reading something in a program-
ming language you already know is a tricky problem.
Knuth:But it’s really worth it for what it builds in your brain. So how do I do it? There
wasamachinecalledtheBunkerRamo300andsomebodytoldmethattheFortrancompiler
for this machine was really amazingly fast, but nobody had any idea why it worked. I got
a copy of the source-code listing for it. I didn’t have a manual for the machine, so I wasn’t
even sure what the machine language was.
But I took it as an interesting challenge. I could figure out BEGIN and then I would start to
decode. The operation codes had some two-letter mnemonics and so I could start to figure
out “This probably was a load instruction, this probably was a branch.” And I knew it was a
Fortran compiler, so at some point it looked at column seven of a card, and that was where
it would tell if it was a comment or not.
After three hours I had figured out a little bit about the machine. Then I found these big,
branching tables. So it was a puzzle and I kept just making little charts like I’m working at
a security agency trying to decode a secret code. But I knew it worked and I knew it was a
Fortran compiler—it wasn’t encrypted in the sense that it was intentionally obscure; it was
only in code because I hadn’t gotten the manual for the machine.
Eventually I was able to figure out why this compiler was so fast. Unfortunately it wasn’t
because the algorithms were brilliant; it was just because they had used unstructured pro-
gramming and hand optimized the code to the hilt.
It was just basically the way you solve some kind of an unknown puzzle— make tables
and charts and get a little more information here and make a hypothesis. In general when
I’m reading a technical paper, it’s the same challenge. I’m trying to get into the author’s
mind, trying to figure out what the concept is. The more you learn to read other people’s
stuff, the more able you are to invent your own in the future, it seems to me.

( Peter Seibel — Coders at Work: Reflections on the Craft of Programming )


8.1 Task manager practical joke (Windows Vista)


Let’s see if it’s possible to hack Task Manager slightly so it would detect moreCPUcores.


Let us first think, how does the Task Manager know the number of cores?


There is theGetSystemInfo()win32 function present in win32 userspace which can tell us this. But it’s
not imported intaskmgr.exe.


There is, however, another one inNTAPI,NtQuerySystemInformation(), which is used intaskmgr.exe
in several places.


To get the number of cores, one has to call this function with theSystemBasicInformationconstant as a
first argument (which is zero^1 ).


The second argument has to point to the buffer which is getting all the information.


So we have to find all calls to the
NtQuerySystemInformation(0, ?, ?, ?)function. Let’s opentaskmgr.exein IDA.


What is always good about Microsoft executables is that IDA can download the correspondingPDBfile for
this executable and show all function names.


It is visible that Task Manager is written in C++ and some of the function names and classes are really
speaking for themselves. There are classes CAdapter, CNetPage, CPerfPage, CProcInfo, CProcPage, CSvc-
Page, CTaskPage, CUserPage.


Apparently, each class corresponds to each tab in Task Manager.


Let’s visit each call and add comment with the value which is passed as the first function argument. We
will write “not zero” at some places, because the value there was clearly not zero, but something really
different (more about this in the second part of this chapter).


And we are looking for zero passed as argument, after all.


(^1) MSDN

Free download pdf