首先需要获取该函数的地址,获取Native API地址的方法或直接调用的技术可参照 我的文章-《用户态应用程序调用 Native API 的方法》。
下面即为示例代码(注意:SystemProcessesAndThreadsInformation 返回的 SYSTEM_PROCESS_INFORMATION 是未公开结构,其布局在不同 Windows 版本间可能变化;ProcessName 是 UNICODE_STRING,Length 以字节计且缓冲区不保证以 NUL 结尾,Idle/System 条目的 Buffer 可能为 NULL,因此打印时应按长度输出并检查空指针):
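// Query the native process list (SystemProcessesAndThreadsInformation) into a
// heap buffer, retrying with a larger buffer while the kernel reports
// STATUS_INFO_LENGTH_MISMATCH, then print every process entry.
//
// The process list can change between two calls, so the required size reported
// by one call may already be too small for the next; that is why this is a loop
// and not a single "query size, then query data" pair.
ULONG cbBuffer = 32*1024;
PUCHAR pBuffer = NULL;          // buffer receiving the SYSTEM_PROCESS_INFORMATION array
NTSTATUS Status;
ULONG ulReturnLength = 0;       // bytes actually written (or required) by the last call
do
{
    pBuffer = new UCHAR [cbBuffer];
    ulReturnLength = 0;
    //
    // try to obtain system information into the buffer
    //
    Status = MyZwQuerySystemInformation (SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, &ulReturnLength);
    if (Status == STATUS_INFO_LENGTH_MISMATCH)
    {
        //
        // the buffer is too small: free it and retry with a bigger one. Use the
        // size the kernel asked for (plus slack for processes created meanwhile)
        // when it is larger than plain doubling.
        //
        delete [] pBuffer;
        pBuffer = NULL;
        if (ulReturnLength > cbBuffer)
            cbBuffer = ulReturnLength + 4096;
        else
            cbBuffer *= 2;
    }
    else if (!NT_SUCCESS(Status))
    {
        //
        // any other failure: release the buffer and bail out
        //
        delete [] pBuffer;
        return -1;
    }
}
while (Status == STATUS_INFO_LENGTH_MISMATCH);
//
// Walk the entries. Every entry is reached through NextEntryDelta, which is an
// untrusted-by-construction offset into our own buffer: keep the walk inside the
// region the kernel actually filled (ulReturnLength, falling back to cbBuffer if
// the length was not reported) so a malformed or truncated list cannot make us
// read past the allocation.
//
const ULONG cbFilled = (ulReturnLength != 0 && ulReturnLength <= cbBuffer) ? ulReturnLength : cbBuffer;
const PUCHAR pEnd = pBuffer + cbFilled;
PUCHAR pCur = pBuffer;
for (;;)
{
    // the fixed part of the entry must fit inside the filled region
    if ((SIZE_T)(pEnd - pCur) < sizeof(SYSTEM_PROCESS_INFORMATION))
        break;
    PSYSTEM_PROCESS_INFORMATION pInfo = (PSYSTEM_PROCESS_INFORMATION)pCur;
    //
    // ProcessName is a UNICODE_STRING: Length is in bytes, the buffer is not
    // NUL-terminated, and Buffer is NULL for the Idle/System entries. Print it
    // by explicit character count with %ls instead of relying on a terminator
    // (%s with a wide buffer would also be wrong in an ANSI build).
    //
    const WCHAR *pszName = (pInfo->ProcessName.Buffer != NULL) ? pInfo->ProcessName.Buffer : L"";
    int cchName = (pInfo->ProcessName.Buffer != NULL) ? (int)(pInfo->ProcessName.Length / sizeof(WCHAR)) : 0;
    _tprintf (_T ("Process ID:\t%lu\tProcess Name:\t%.*ls\n"),
              (unsigned long)(ULONG_PTR)pInfo->ProcessId,
              cchName, pszName);
    //
    // NextEntryDelta == 0 marks the last entry; a delta that would leave the
    // filled region is treated as the end of the list rather than followed.
    //
    if (pInfo->NextEntryDelta == 0)
        break;
    if (pInfo->NextEntryDelta > (ULONG)(pEnd - pCur))
        break;
    pCur += pInfo->NextEntryDelta;
}
delete [] pBuffer;
pBuffer = NULL;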