
Tick Count
The tick count is, for all intents and purposes, simply another measure of time. When the GetTickCount API routine is called, the number of ticks is multiplied by the tick count multiplier. This multiplication effectively translates the number of ticks to the number of milliseconds that the system has been up. If one can safely assume that the system time used to generate the cookie was the same as the thread creation time, then the tick count at the time that the cookie was generated can simply be calculated using the thread creation time. The creation time isn't enough, though. Since the GetTickCount value measures the number of milliseconds that have elapsed since boot, the actual uptime of the system has to be determined.
To determine the system uptime, a nonprivileged user can again make use of the NtQuerySystemInformation native API, this time with the SystemTimeOfDayInformation system information class. This query returns the time that the system was booted as a 64-bit integer measured in 100-nanosecond intervals, just like the thread creation time. To calculate the system uptime in milliseconds, it's as simple as subtracting the boot time from the creation time and then dividing by 10000 to convert from 100-nanosecond intervals to 1-millisecond intervals:
Some experimentation shows that this calculation is pretty accurate, but some quantity is lost in translation. From what the author has observed, a constant scaling factor of 0x4e, or 78 milliseconds, needs to be added to the result of this calculation. The source of this constant is as yet unknown, but it appears to be a required constant. This results in the actual equation being:
The end result is that the tick count can be calculated with a great degree of accuracy. If the system time calculation is off, then that will directly affect the calculation of the tick count.
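The calculation described above, carried through in C as an added example (not code from the original paper). It goes slightly beyond the text by truncating to the 32-bit width that GetTickCount returns and by bounding how many bits of the tick count stay unknown when the creation-time estimate is off; the function names and sample times are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HNS_PER_MS      10000ULL  /* 100 ns intervals per millisecond */
#define OBSERVED_OFFSET 0x4eULL   /* 78 ms constant reported in the text */

/* Estimate the GetTickCount value at thread creation.
 * Both inputs are 64-bit times in 100 ns units, as described in the text.
 * Sets *ok to 0 and returns 0 when creation precedes boot (bad input). */
uint32_t estimate_tick_count(uint64_t creation, uint64_t boot, int *ok)
{
    if (creation < boot) { *ok = 0; return 0; }
    *ok = 1;
    uint64_t uptime_ms = (creation - boot) / HNS_PER_MS + OBSERVED_OFFSET;
    /* GetTickCount is 32 bits wide, so the value wraps after ~49.7 days. */
    return (uint32_t)uptime_ms;
}

/* Upper bound on the bits of tick count left unknown when the creation-time
 * estimate may be off by +/- err_hns (100 ns units). The error is rounded up
 * to whole milliseconds, then log2 of the candidate count is rounded up. */
unsigned residual_bits(uint64_t err_hns)
{
    uint64_t err_ms = (err_hns + HNS_PER_MS - 1) / HNS_PER_MS;
    uint64_t candidates = 2 * err_ms + 1;
    unsigned bits = 0;
    while ((1ULL << bits) < candidates) bits++;
    return bits;
}

int main(void)
{
    /* Constructed sample values, not taken from a real system. */
    uint64_t boot = 128000000000000000ULL;
    uint64_t creation = boot + 36000000000ULL;   /* one hour of uptime */
    int ok;
    uint32_t tick = estimate_tick_count(creation, boot, &ok);
    printf("ok=%d tick=%u (0x%08x)\n", ok, (unsigned)tick, (unsigned)tick);
    printf("bits unknown at +/-1 s error: %u\n", residual_bits(10000000ULL));
    return 0;
}
```

A one-second uncertainty in the creation time leaves at most 11 bits of the tick count to guess, which is the sense in which an error in the system time carries directly into the tick count.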
