Function 9 - information about the execution thread
Parameters:
* eax = 9 - function number
* ebx = pointer to a 1 KB buffer
* ecx = thread slot number
* ecx = -1 - get information about the current thread
Return value:
* eax = maximum slot number
* the buffer pointed to by ebx contains the following information:
  * +0: dword: CPU usage (how many clock cycles per second it takes to execute exactly this thread)
  * +4: word: position of the thread's window in the window stack
  * +6: word: (not related to the requested thread) the slot number of the thread whose window is at position ecx in the window stack
  * +8: word: reserved
  * +10 = +0xA: 11 bytes: the name of the process (the name of the executable file that was run, without extension)
  * +21 = +0x15: byte: reserved, this byte does not change
  * +22 = +0x16: dword: the address of the process in memory
  * +26 = +0x1A: dword: the size of the memory used - 1
  * +30 = +0x1E: dword: PID / TID
  * +34 = +0x22: dword: x coordinate of the thread's window
  * +38 = +0x26: dword: y coordinate of the thread's window
  * +42 = +0x2A: dword: x size of the thread's window
  * +46 = +0x2E: dword: y size of the thread's window
  * +50 = +0x32: word: thread slot status:
    * 0 = thread is running
    * 1 = thread is suspended
    * 2 = thread is suspended while waiting for an event
    * 3 = thread is terminating as a result of calling function -1, or forcibly as a result of calling subfunction 2 of function 18 or of a system shutdown
    * 4 = thread is terminating as a result of an exception
    * 5 = thread is waiting for an event
    * 9 = requested slot is free, all other slot information is meaningless
  * +52 = +0x34: word: reserved, this word does not change
  * +54 = +0x36: dword: x coordinate of the start of the client area
  * +58 = +0x3A: dword: y coordinate of the start of the client area
  * +62 = +0x3E: dword: client area width
  * +66 = +0x42: dword: client area height
  * +70 = +0x46: byte: window state - bit field
    * bit 0 (mask 1): the window is maximized
    * bit 1 (mask 2): the window is minimized to the taskbar
    * bit 2 (mask 4): the window is minimized
  * +71 = +0x47: dword: event mask
  * +75 = +0x4B: byte: keyboard input mode (ASCII = 0; SCAN = 1)
Remarks:
* Slots are numbered from 1.
* The return value is not the total number of threads, as there are free slots.
* When a process is created, a thread is created automatically.
* The function provides information about a thread. Each process has at least one thread. One process can create several threads; in this case each thread gets its own slot, and the fields +10, +22, +26 in these slots are the same. For applications, there is no general way to determine whether two threads belong to the same process.
* The active window is the window at the top of the window stack; it receives keyboard input messages. For it, the position in the window stack is the same as the return value.
* Slot 1 corresponds to a special operating system thread, for which:
  * the window is at the bottom of the window stack, the +4 and +6 fields contain the value 1
  * the process name is "OS / IDLE" (padded with spaces)
  * the process address in memory is 0, the size of used memory is 16 Mb (0x1000000)
  * PID = 1
  * the coordinates and dimensions of the window, as well as of the client area, are conventionally set to 0
  * the slot status is always 0 (running)
  * the execution time is the sum of the time spent on the work itself and the idle time spent waiting for an interrupt (which can be obtained by calling subfunction 4 of function 18).
* Ordinary applications are placed starting from slot 2.
* Ordinary applications are located in memory at address 0 (kernel constant std_application_base_address). They do not overlap, because each process has its own page table.
* When a thread is created, it is assigned a slot in the system table and an identifier (Process / Thread IDentifier = PID / TID), which does not change over time for that thread. After a thread has completed, its slot can be reused for another thread. A thread identifier cannot be assigned to another thread even after the first one has completed. The identifiers assigned to new threads increase monotonically.
* If the thread has not yet defined its window by calling function 0, the position and size of this window are assumed to be zero.
* The coordinates of the client area of the window are relative to the window.
* Currently only the first 76 = 0x4C bytes of the buffer are used. However, a 1 KB buffer is recommended for future compatibility, as some fields may be added in the future.
Constants for registers:
eax - SF_THREAD_INFO (9)
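
An added example, not taken from the system's documentation or sources: a C decoder for the buffer that function 9 fills in, using the offsets listed above and checking the length and the free-slot status before trusting any field. The struct, function names and sample values are this example's own, and trimming trailing spaces from the name assumes that the space padding stated for slot 1 applies to other threads as well.

```c
#include <stdint.h>
#include <string.h>

#define THREAD_INFO_USED 76  /* bytes currently filled in, per the page */
#define SLOT_FREE        9   /* status at +50: the rest is meaningless */

struct thread_info {         /* field names are this example's own */
    uint32_t mem_base, tid, event_mask;
    uint64_t mem_size;       /* 64-bit so that "field + 1" cannot wrap */
    uint16_t status; uint8_t win_state;
    char     name[12];       /* 11 bytes from the buffer + NUL */
};

/* The dwords at +22..+46 and +71 are not 4-byte aligned: read bytewise, little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 0 on success, 1 if the slot is free, -1 if the buffer is too short. */
int decode_thread_info(const uint8_t *buf, size_t len, struct thread_info *out)
{
    if (!buf || !out || len < THREAD_INFO_USED) return -1;
    memset(out, 0, sizeof *out);
    out->status = rd16(buf + 50);
    if (out->status == SLOT_FREE) return 1;  /* leave other fields zeroed */
    memcpy(out->name, buf + 10, 11);         /* not NUL-terminated in the buffer */
    for (int i = 10; i >= 0 && out->name[i] == ' '; i--) out->name[i] = '\0';
    out->mem_base   = rd32(buf + 22);
    out->mem_size   = (uint64_t)rd32(buf + 26) + 1;  /* field holds size - 1 */
    out->tid        = rd32(buf + 30);
    out->win_state  = buf[70];
    out->event_mask = rd32(buf + 71);
    return 0;
}

/* Constructed sample: a made-up thread named "DEMO", status 0 (running). */
void fill_sample(uint8_t *buf)
{
    memset(buf, 0, THREAD_INFO_USED);
    memcpy(buf + 10, "DEMO       ", 11);     /* 4 letters + 7 spaces */
    buf[26] = 0xFF; buf[27] = 0x0F;          /* size - 1 = 0x0FFF */
    buf[30] = 42;                            /* TID */
    buf[70] = 0x02; buf[71] = 0x07;          /* window state bit 1, event mask 7 */
}

int main(void)
{
    uint8_t buf[1024]; struct thread_info ti;
    fill_sample(buf);
    return decode_thread_info(buf, sizeof buf, &ti);  /* 0 = decoded */
}
```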