For the 3790.0 DDK version of kernrate, matching the md5 checksum:

    \dbe3c05202a2aa2a2ca52485b0a67516 *kernrate.exe

This patch describes a kludge to fix that version of kernrate to work on
modern (production) x64 kernels, such as Srv03 x64 3790.1830 and Vista x64
6000.0.

// Layout kernrate 3790.0 was built against.  On x64 the four ULONG_PTR
// page/granularity fields take 8 bytes each, so the struct is 50h bytes
// (NumberOfProcessors lands at +48h; cf. the "mov edi, 50h" malloc size in
// the listing below).
typedef struct _SYSTEM_BASIC_INFORMATION_3790 {
    ULONG       Reserved;                       // 00
    ULONG       TimerResolution;                // 04
    ULONG       PageSize;                       // 08
    ULONG_PTR   NumberOfPhysicalPages;          // 0c [...]  8-byte aligned, so really at 10 (see dt below)
    ULONG_PTR   LowestPhysicalPageNumber;       // 18
    ULONG_PTR   HighestPhysicalPageNumber;      // 20
    ULONG_PTR   AllocationGranularity;          // 28  Not really ULONG_PTR, but padding.
    ULONG_PTR   MinimumUserModeAddress;         // 30
    ULONG_PTR   MaximumUserModeAddress;         // 38
    KAFFINITY   ActiveProcessorsAffinityMask;   // 40
    CCHAR       NumberOfProcessors;             // 48
} SYSTEM_BASIC_INFORMATION_3790, *PSYSTEM_BASIC_INFORMATION_3790;

/*
   Both layouts as windbg prints them.  The first is what the 3790.0 binary
   expects; the second is presumably what the target kernels actually fill
   (it ends at +0x38, i.e. 40h bytes - the length the patched code requests).
   The "to NN" notes on the second dump give the offset each field is moved
   to by the kludge; "*" marks a 4-byte source zero-extended into an 8-byte
   destination.  Reserved/TimerResolution/PageSize (+0x000..+0x00b) are the
   same in both and are left in place.

0:000> dt testapp!_SYSTEM_BASIC_INFORMATION_3790
   +0x000 Reserved                     : Uint4B
   +0x004 TimerResolution              : Uint4B
   +0x008 PageSize                     : Uint4B
   +0x010 NumberOfPhysicalPages        : Uint8B
   +0x018 LowestPhysicalPageNumber     : Uint8B
   +0x020 HighestPhysicalPageNumber    : Uint8B
   +0x028 AllocationGranularity        : Uint8B
   +0x030 MinimumUserModeAddress       : Uint8B
   +0x038 MaximumUserModeAddress       : Uint8B
   +0x040 ActiveProcessorsAffinityMask : Uint8B
   +0x048 NumberOfProcessors           : Char     // (* -> zero extend)

0:000> dt testapp!_SYSTEM_BASIC_INFORMATION
   +0x000 Reserved                     : Uint4B
   +0x004 TimerResolution              : Uint4B
   +0x008 PageSize                     : Uint4B
   +0x00c NumberOfPhysicalPages        : Uint4B   // to 10*
   +0x010 LowestPhysicalPageNumber     : Uint4B   // to 18*
   +0x014 HighestPhysicalPageNumber    : Uint4B   // to 20*
   +0x018 AllocationGranularity        : Uint4B   // to 28*
   +0x020 MinimumUserModeAddress       : Uint8B   // to 30
   +0x028 MaximumUserModeAddress       : Uint8B   // to 38
   +0x030 ActiveProcessorsAffinityMask : Uint8B   // to 40
   +0x038 NumberOfProcessors           : Char     // to 48
*/

-- old --

;-----------------------------------------------------------------------------
; GetSystemBasicInformation  (original 3790.0 code)
; ABI:    Microsoft x64 (args rcx, rdx, r8, r9; 20h-byte shadow space).
;         No argument register is read before the first call, so it
;         presumably takes no parameters.
; Out:    rax = 50h-byte malloc'd buffer filled by NtQuerySystemInformation,
;         or NULL if the query failed (buffer freed).  A malloc failure is
;         fatal: message to a FILE* and exit(1).
; Regs:   rbx = buffer, rdi = 50h; both callee-saved, hence the push/pop.
; Frame:  sub rsp,28h = 20h shadow space for the callees + 8 so rsp is
;         16-aligned at each call after the two pushes.
;-----------------------------------------------------------------------------
.text:00000000010118E0 ; =============== S U B R O U T I N E =======================================
.text:00000000010118E0
.text:00000000010118E0
.text:00000000010118E0 GetSystemBasicInformation proc near     ; CODE XREF: sub_10194A0:loc_101964Fp
.text:00000000010118E0                 push    rbx                     ; callee-saved
.text:00000000010118E1                 push    rdi                     ; callee-saved
.text:00000000010118E2                 sub     rsp, 28h                ; shadow space + alignment
.text:00000000010118E6                 mov     edi, 50h                ; sizeof(SYSTEM_BASIC_INFORMATION_3790)
.text:00000000010118EB                 mov     rcx, rdi                ; size_t
.text:00000000010118EE                 call    cs:malloc
.text:00000000010118F4                 mov     rbx, rax                ; rbx = buffer
.text:00000000010118F7                 test    rbx, rbx
.text:00000000010118FA                 jnz     short loc_101191F       ; allocated -> go query
.text:00000000010118FC                 mov     rax, cs:_iob
.text:0000000001011903                 lea     rcx, [rax+60h]          ; FILE * (presumably stderr = &_iob[2]; verify FILE size)
.text:0000000001011907                 lea     rdx, aBufferAlloca_0    ; "Buffer allocation failed for SystemInfo"...
.text:000000000101190E                 call    cs:fprintf
.text:0000000001011914                 mov     ecx, 1                  ; int
.text:0000000001011919                 call    cs:exit                 ; allocation failure is fatal
.text:000000000101191F ; ---------------------------------------------------------------------------
.text:000000000101191F
.text:000000000101191F loc_101191F:                            ; CODE XREF: GetSystemBasicInformation+1Aj
.text:000000000101191F                 xor     r9d, r9d                ; ReturnLength = NULL
.text:0000000001011922                 mov     r8d, edi                ; SystemInformationLength = 50h
.text:0000000001011925                 mov     rdx, rbx                ; SystemInformation = buffer
.text:0000000001011928                 xor     ecx, ecx                ; SystemInformationClass = 0 (SystemBasicInformation)
.text:000000000101192A                 call    cs:NtQuerySystemInformation
.text:0000000001011930                 test    eax, eax
.text:0000000001011932                 jge     short loc_101195A       ; NT_SUCCESS (non-negative NTSTATUS) -> return buffer
.text:0000000001011934                 mov     rcx, cs:_iob
.text:000000000101193B                 add     rcx, 60h                ; FILE * (same stream as above)
.text:000000000101193F                 mov     r8d, eax                ; failing status for the format string
.text:0000000001011942                 lea     rdx, aNtquerysystemi    ; "NtQuerySystemInformation failed status "...
.text:0000000001011949                 call    cs:fprintf
.text:000000000101194F                 mov     rcx, rbx                ; void *
.text:0000000001011952                 call    cs:free                 ; release the buffer on failure
.text:0000000001011958                 xor     ebx, ebx                ; ... and return NULL
.text:000000000101195A
.text:000000000101195A loc_101195A:                            ; CODE XREF: GetSystemBasicInformation+52j
.text:000000000101195A                 mov     rax, rbx                ; rax = buffer or NULL
.text:000000000101195D                 add     rsp, 28h
.text:0000000001011961                 pop     rdi
.text:0000000001011962                 pop     rbx
.text:0000000001011963                 retn
.text:0000000001011963 GetSystemBasicInformation endp

-- new --

;-----------------------------------------------------------------------------
; GetSystemBasicInformation  (patched)
; Same prologue/epilogue and the same 50h-byte malloc; the bytes from
; 10118F4 to 101195A are replaced.  The query now asks for 40h bytes (the
; production layout) and then widens the result in place into the 50h-byte
; 3790.0 layout the rest of kernrate reads.
;
; NOTE(review): the patched function never returns NULL.  Compared with the
; original, both checks are gone: if malloc fails rbx is NULL and the first
; field copy ("mov al, [rbx+38h]") faults; if NtQuerySystemInformation fails
; its status in eax is ignored and the uninitialized heap buffer is converted
; and returned as if it were valid.  A caller that relied on the original
; NULL return gets no signal.  Acceptable for a debugging kludge; anything
; longer-lived should keep "test eax, eax / jge" around the conversion.
;-----------------------------------------------------------------------------
.text:00000000010118E0 ; =============== S U B R O U T I N E =======================================
.text:00000000010118E0
.text:00000000010118E0
.text:00000000010118E0 GetSystemBasicInformation proc near     ; CODE XREF: sub_10194A0:loc_101964Fp
.text:00000000010118E0                 push    rbx
.text:00000000010118E1                 push    rdi
.text:00000000010118E2                 sub     rsp, 28h                ; shadow space + alignment
.text:00000000010118E6                 mov     edi, 50h                ; still allocates the full 3790.0-sized struct
.text:00000000010118EB                 mov     rcx, rdi                ; size_t
.text:00000000010118EE                 call    cs:malloc
.text:00000000010118F4                 xor     r9d, r9d                ; ReturnLength = NULL (r9 is volatile, but only jmps
                                                                        ; separate this from the NtQuerySystemInformation call)
;
; Yeah, I noticed I needed three more bytes here after I had assembled all the
; struct conversion kludge below, so I just used a jmps. Oh well.
;
; NOTE(review): by the byte counts in the diff, the straight-line sequence
; (xor r9d,r9d / mov rbx,rax / mov rdx,rax / xor ecx,ecx / mov r8d,40h / ...)
; appears to fit without the two short jmps, leaving 12h instead of 0Ch NOP
; bytes; functionally the trampoline is equivalent, so it is left as is.
;
.text:00000000010118F7                 jmp     short loc_1011947       ; -> set rdx/ecx, then back to loc_10118F9
.text:00000000010118F9 ; ---------------------------------------------------------------------------
.text:00000000010118F9
.text:00000000010118F9 loc_10118F9:                            ; CODE XREF: GetSystemBasicInformation+6Cj
.text:00000000010118F9                 mov     rbx, rax                ; rbx = buffer (no NULL check any more)
.text:00000000010118FC                 mov     r8d, 40h                ; SystemInformationLength = 40h: the production
                                                                        ; layout ends at +38h (see second dt above)
.text:0000000001011902                 call    cs:NtQuerySystemInformation ; rcx=0, rdx=buffer set at loc_1011947;
                                                                        ; status in eax is not checked
;
; In-place widening from the 40h-byte kernel layout to the 50h-byte 3790.0
; layout.  Destinations are written from the highest offset (+48h) downwards,
; so each source slot is read before any later store can overwrite it.  The
; highest store is the byte at +48h, inside the 50h-byte allocation.
;
.text:0000000001011908                 mov     al, [rbx+38h]           ; NumberOfProcessors (CCHAR) 38h -> 48h
.text:000000000101190B                 mov     [rbx+48h], al
.text:000000000101190E                 mov     rax, [rbx+30h]          ; ActiveProcessorsAffinityMask 30h -> 40h
.text:0000000001011912                 mov     [rbx+40h], rax
.text:0000000001011916                 mov     rax, [rbx+28h]          ; MaximumUserModeAddress 28h -> 38h
.text:000000000101191A                 mov     [rbx+38h], rax
.text:000000000101191E                 mov     rax, [rbx+20h]          ; MinimumUserModeAddress 20h -> 30h
.text:0000000001011922                 mov     [rbx+30h], rax
.text:0000000001011926                 xor     rax, rax                ; NOTE(review): redundant - the 32-bit "mov eax"
                                                                        ; below already zeroes the upper half of rax;
                                                                        ; "xor eax, eax" (2 bytes) or no xor at all would
                                                                        ; have freed some of the bytes mentioned above
.text:0000000001011929                 mov     eax, [rbx+18h]          ; AllocationGranularity (ULONG) 18h -> 28h, zero-extended
;
; N.B. Could be a 32-bit mov, it's just padding from 2c -> 30
;
.text:000000000101192C                 mov     [rbx+28h], rax
.text:0000000001011930                 mov     eax, [rbx+14h]          ; HighestPhysicalPageNumber 14h -> 20h, zero-extended
.text:0000000001011933                 mov     [rbx+20h], rax
.text:0000000001011937                 mov     eax, [rbx+10h]          ; LowestPhysicalPageNumber 10h -> 18h, zero-extended
.text:000000000101193A                 mov     [rbx+18h], rax
.text:000000000101193E                 mov     eax, [rbx+0Ch]          ; NumberOfPhysicalPages 0Ch -> 10h, zero-extended
.text:0000000001011941                 mov     [rbx+10h], rax
.text:0000000001011945                 jmp     short loc_101195A       ; original epilogue, returns rbx
.text:0000000001011947 ; ---------------------------------------------------------------------------
.text:0000000001011947
.text:0000000001011947 loc_1011947:                            ; CODE XREF: GetSystemBasicInformation+17j
.text:0000000001011947                 mov     rdx, rax                ; SystemInformation = buffer (rax is still malloc's result)
.text:000000000101194A                 xor     ecx, ecx                ; SystemInformationClass = 0 (SystemBasicInformation)
.text:000000000101194C                 jmp     short loc_10118F9
.text:000000000101194C ; ---------------------------------------------------------------------------
.text:000000000101194E                 db 0Ch dup(90h)                 ; 12 NOP bytes of padding up to the untouched epilogue
.text:000000000101195A ; ---------------------------------------------------------------------------
.text:000000000101195A
.text:000000000101195A loc_101195A:                            ; CODE XREF: GetSystemBasicInformation+65j
.text:000000000101195A                 mov     rax, rbx                ; rax = buffer (never NULL in the patched code)
.text:000000000101195D                 add     rsp, 28h
.text:0000000001011961                 pop     rdi
.text:0000000001011962                 pop     rbx
.text:0000000001011963                 retn
.text:0000000001011963 GetSystemBasicInformation endp

-- diff --

; Byte-compare output (fc /b style): "file offset: old new".  The first
; changed offset, 00010CF4, holds the old 48 8B D8 = "mov rbx, rax" at
; .text:10118F4, so file offset = listing VA - 1000C00h for this range.
; The unchanged byte at 00010D02 is the FF of "call cs:..." that both
; versions share.

Comparing files kernrate.exe and KERNRATE.FIXED.EXE
00010CF4: 48 45
00010CF5: 8B 31
00010CF6: D8 C9
00010CF7: 48 EB
00010CF8: 85 4E
00010CF9: DB 48
00010CFA: 75 89
00010CFB: 23 C3
00010CFC: 48 41
00010CFD: 8B B8
00010CFE: 05 40
00010CFF: 2D 00
00010D00: F9 00
00010D01: FE 00
00010D03: 48 15
00010D04: 8D E0
00010D05: 48 F9
00010D06: 60 FE
00010D07: 48 FF
00010D08: 8D 8A
00010D09: 15 43
00010D0A: B2 38
00010D0B: 59 88
00010D0C: FF 43
00010D0D: FF 48
00010D0E: FF 48
00010D0F: 15 8B
00010D10: 34 43
00010D11: F9 30
00010D12: FE 48
00010D13: FF 89
00010D14: B9 43
00010D15: 01 40
00010D16: 00 48
00010D17: 00 8B
00010D18: 00 43
00010D19: FF 28
00010D1A: 15 48
00010D1B: 21 89
00010D1C: F9 43
00010D1D: FE 38
00010D1E: FF 48
00010D1F: 45 8B
00010D20: 33 43
00010D21: C9 20
00010D22: 44 48
00010D23: 8B 89
00010D24: C7 43
00010D25: 48 30
00010D26: 8B 48
00010D27: D3 31
00010D28: 33 C0
00010D29: C9 8B
00010D2A: FF 43
00010D2B: 15 18
00010D2C: B8 48
00010D2D: F9 89
00010D2E: FE 43
00010D2F: FF 28
00010D30: 85 8B
00010D31: C0 43
00010D32: 7D 14
00010D33: 26 48
00010D34: 48 89
00010D35: 8B 43
00010D36: 0D 20
00010D37: F5 8B
00010D38: F8 43
00010D39: FE 10
00010D3A: FF 48
00010D3B: 48 89
00010D3C: 83 43
00010D3D: C1 18
00010D3E: 60 8B
00010D3F: 44 43
00010D40: 8B 0C
00010D41: C0 48
00010D42: 48 89
00010D43: 8D 43
00010D44: 15 10
00010D45: 3F EB
00010D46: 59 13
00010D47: FF 48
00010D48: FF 89
00010D49: FF C2
00010D4A: 15 31
00010D4B: F9 C9
00010D4C: F8 EB
00010D4D: FE AB
00010D4E: FF 90
00010D4F: 48 90
00010D50: 8B 90
00010D51: CB 90
00010D52: FF 90
00010D53: 15 90
00010D54: 30 90
00010D55: F9 90
00010D56: FE 90
00010D57: FF 90
00010D58: 33 90
00010D59: DB 90