Monday, May 26, 2014

timeBeginPeriod

Was reading how the use of timeBeginPeriod to increase the system tick frequency could lead to shorter battery life (read here)... decided to investigate how the timeBeginPeriod function interacts with Windows 8, since Windows 8 uses a tickless kernel and in theory has no relation to system timer ticks. From MSDN, timeBeginPeriod resides in winmm.dll. There are 2 versions of winmm.dll on my Win 8 machine, one under c:\Windows\SysWow64 and one under c:\Windows\system32.

timeBeginPeriod in c:\Windows\SysWow64\winmm.dll:

timeBeginPeriod calls an imported function, timeBeginPeriod@4

timeBeginPeriod@4 belongs to api-ms-win-mm-time-l1-1-0.dll

timeBeginPeriod@4 in api-ms-win-mm-time-l1-1-0.dll is an empty function

timeBeginPeriod in c:\Windows\system32\winmm.dll uses the same flow, importing the function timeBeginPeriod@4 from api-ms-win-mm-time-l1-1-0.dll:

x64 api-ms-win-mm-time-l1-1-0.dll uses the same function for multiple exports

And that one function is empty

Hence, I've verified that timeBeginPeriod does not work in Win 8... so why is Win 8 battery life still so weak?!

Monday, May 19, 2014

How Procmon works

Out of curiosity I looked under the hood of the tool that lets you look under the hood of other programs.

To be able to monitor so many system functions at once, Procmon probably uses a driver to do that. So I went looking for Procmon's driver using GMER, and found PROCMON23.SYS.

I didn't see PROCMON23.SYS inside the Sysinternals directory, so I guessed it would be inside the PE structure. Sure enough, when I used PE Explorer to open up Procmon, I found it inside the BINRES directory in the RESOURCE section.



Extracted the driver and analysed it using NikPEViewer. It's a 32-bit driver.


Then proceeded to analyse it in IDA. It registers itself as a filter driver...



Creates a filter communication port at \ProcessMonitor23Port and starts the filter.



Procmon 64-bit

When running Procmon on 64-bit systems, another process called Procmon64.exe is created. This isn't found anywhere in the Sysinternals folder.

Procmon in 64-bit Windows
This implies that its 64-bit image is being stored in its 32-bit executable. Hence, I looked up the second entry under the BINRES section, and sure enough, it's a PE file:

Location of Procmon 64-bit image

Procmon's 64-bit image

Initially I thought it was the 64-bit Procmon driver... it turned out to be the 64-bit Procmon executable. And of course, the 64-bit driver is hidden inside the 64-bit executable's resource section.

Procmon 64-bit driver
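As an added example (not the author's tooling or Sysinternals code): a small Python scanner that locates PE images embedded inside a container file, the way the driver and the 64-bit executable sit inside Procmon's resource section, and reports whether each one is 32- or 64-bit from the COFF Machine field. The container bytes and the minimal PE-like blobs inside it are constructed for the demonstration.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def find_embedded_pe(data: bytes):
    """Return (offset, machine_name) for every PE image found inside data.

    A PE image begins with an 'MZ' DOS header; e_lfanew (offset 0x3C in that
    header) points at the 'PE\\0\\0' signature, and the COFF Machine field is
    the 16-bit word right after the signature. Stray 'MZ' byte pairs are
    rejected because their e_lfanew does not lead to a valid signature.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # assumption: a sane e_lfanew lies past the DOS header and well under 4 KiB
            if 0x40 <= e_lfanew < 0x1000 and pe + 6 <= len(data) \
                    and data[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                found.append((pos, MACHINE_NAMES.get(machine, hex(machine))))
        pos = data.find(b"MZ", pos + 1)
    return found


def make_fake_pe(machine: int) -> bytes:
    """Constructed, non-loadable PE-shaped blob: DOS header, PE signature, Machine."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


# Constructed "resource section": padding, an x86 image, a decoy 'MZ', an x64 image
CONTAINER = (b"\xAA" * 100 + make_fake_pe(IMAGE_FILE_MACHINE_I386)
             + b"MZ not a header" + b"\xBB" * 50
             + make_fake_pe(IMAGE_FILE_MACHINE_AMD64))

if __name__ == "__main__":
    for off, arch in find_embedded_pe(CONTAINER):
        print(f"embedded PE at offset 0x{off:x}: {arch}")
```

Against a real binary, read the whole file into `data` and the same scan reports each nested image and its bitness, which is what NikPEViewer told the author about PROCMON23.SYS.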

Friday, May 16, 2014

How to turn off monitor screen

Found a small program called Turn Off Monitor, decided to investigate how it works.

Used IDA to open it; it turned out to be a .NET exe. Opened it using Dotnet IL Editor instead.

Main code:


Seems like the only API call needed is SendMessage. ldc.i4.m1 means push -1 onto the stack, so the API call is SendMessage(-1, a, b, 2).

SendMessage belongs to user32.dll:


The second argument, a, is 0x04000003:


The third argument, b, is 0x04000004:


So the only API call needed turned out to be user32!SendMessage(-1, 0x04000003, 0x04000004, 2).