Assembly Language for Beginners

(Jeff_L) #1

8.1. TASK MANAGER PRACTICAL JOKE (WINDOWS VISTA)


Figure 8.4:Fooled Windows Task Manager

The biggest number Task Manager does not crash with is 64.


Apparently, Task Manager in Windows Vista was not tested on computers with a large number of cores.


So there are probably some static data structure(s) inside it limited to 64 cores.


8.1.1 Using LEA to load values.


Sometimes,LEAis used intaskmgr.exeinstead ofMOVto set the first argument of
NtQuerySystemInformation():


Listing 8.2: taskmgr.exe (Windows Vista)
xor r9d, r9d
div dword ptr [rsp+4C8h+WndClass.lpfnWndProc]
lea rdx, [rsp+4C8h+VersionInformation]
lea ecx, [r9+2] ; put 2 to ECX
mov r8d, 138h
mov ebx, eax
; ECX=SystemPerformanceInformation
call cs:__imp_NtQuerySystemInformation ; 2


...

mov r8d, 30h
lea r9, [rsp+298h+var_268]
lea rdx, [rsp+298h+var_258]
lea ecx, [r8-2Dh] ; put 3 to ECX
; ECX=SystemTimeOfDayInformation
call cs:__imp_NtQuerySystemInformation ; not zero

Free download pdf