/*
 * ntdll!ZwQuerySystemInformation -- user-mode alias of NtQuerySystemInformation.
 * Returns an NTSTATUS: treat any negative value as failure and check it before
 * reading SystemInformation.  The sample further down notes that the required
 * buffer size is system-dependent, so "buffer too small" is a normal outcome
 * that callers must handle, not an edge case.
 */
NTSTATUS NTAPI ZwQuerySystemInformation(
ULONG SystemInformationClass,   /* SYSTEM_INFORMATION_CLASS value selecting what to query */
PVOID SystemInformation,        /* caller-owned output buffer */
ULONG SystemInformationLength,  /* size of SystemInformation in bytes */
PULONG ReturnLength             /* optional (the sample passes NULL); NOTE(review): presumably bytes written, or the size needed when the buffer was too small -- confirm */
);
第一个参数是一个枚举类型,传入的是你需要查询的信息的类型。如果要查询进程的相关信息,则需要传入 SystemProcessesAndThreadsInformation。以下是这个 enum 类型的定义(注意:该枚举并不是公开文档化的稳定接口,各项的含义与可用性随 Windows 版本变化;每行注释里的两列标记来自早期资料,仅供参考)。
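/*
 * Information classes accepted by ZwQuerySystemInformation.
 *
 * Values are explicit so the table can be edited without silently renumbering
 * later entries; SystemProcessesAndThreadsInformation (5) is the one the
 * process-listing sample below relies on.
 *
 * The two flags after each value are copied from the original listing.  They
 * appear to be the query/set support columns of the classic NT4/2000-era
 * table (Q = usable with NtQuerySystemInformation, S = usable with
 * NtSetSystemInformation).  Treat them as historical: the enum is not a
 * documented, stable interface and its members have changed across versions.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation               = 0,  /* Q:Y S:N */
    SystemProcessorInformation           = 1,  /* Q:Y S:N */
    SystemPerformanceInformation         = 2,  /* Q:Y S:N */
    SystemTimeOfDayInformation           = 3,  /* Q:Y S:N */
    SystemNotImplemented1                = 4,  /* Q:Y S:N */
    SystemProcessesAndThreadsInformation = 5,  /* Q:Y S:N -- returns SYSTEM_PROCESSES list */
    SystemCallCounts                     = 6,  /* Q:Y S:N */
    SystemConfigurationInformation       = 7,  /* Q:Y S:N */
    SystemProcessorTimes                 = 8,  /* Q:Y S:N */
    SystemGlobalFlag                     = 9,  /* Q:Y S:Y */
    SystemNotImplemented2                = 10, /* Q:Y S:N */
    SystemModuleInformation              = 11, /* Q:Y S:N */
    SystemLockInformation                = 12, /* Q:Y S:N */
    SystemNotImplemented3                = 13, /* Q:Y S:N */
    SystemNotImplemented4                = 14, /* Q:Y S:N */
    SystemNotImplemented5                = 15, /* Q:Y S:N */
    SystemHandleInformation              = 16, /* Q:Y S:N */
    SystemObjectInformation              = 17, /* Q:Y S:N */
    SystemPagefileInformation            = 18, /* Q:Y S:N */
    SystemInstructionEmulationCounts     = 19, /* Q:Y S:N */
    SystemInvalidInfoClass1              = 20,
    SystemCacheInformation               = 21, /* Q:Y S:Y */
    SystemPoolTagInformation             = 22, /* Q:Y S:N */
    SystemProcessorStatistics            = 23, /* Q:Y S:N */
    SystemDpcInformation                 = 24, /* Q:Y S:Y */
    SystemNotImplemented6                = 25, /* Q:Y S:N */
    SystemLoadImage                      = 26, /* Q:N S:Y */
    SystemUnloadImage                    = 27, /* Q:N S:Y */
    SystemTimeAdjustment                 = 28, /* Q:Y S:Y */
    SystemNotImplemented7                = 29, /* Q:Y S:N */
    SystemNotImplemented8                = 30, /* Q:Y S:N */
    SystemNotImplemented9                = 31, /* Q:Y S:N */
    SystemCrashDumpInformation           = 32, /* Q:Y S:N */
    SystemExceptionInformation           = 33, /* Q:Y S:N */
    SystemCrashDumpStateInformation      = 34, /* Q:Y S:Y/N */
    SystemKernelDebuggerInformation      = 35, /* Q:Y S:N */
    SystemContextSwitchInformation       = 36, /* Q:Y S:N */
    SystemRegistryQuotaInformation       = 37, /* Q:Y S:Y */
    SystemLoadAndCallImage               = 38, /* Q:N S:Y */
    SystemPrioritySeparation             = 39, /* Q:N S:Y */
    SystemNotImplemented10               = 40, /* Q:Y S:N */
    SystemNotImplemented11               = 41, /* Q:Y S:N */
    SystemInvalidInfoClass2              = 42,
    SystemInvalidInfoClass3              = 43,
    SystemTimeZoneInformation            = 44, /* Q:Y S:N */
    SystemLookasideInformation           = 45, /* Q:Y S:N */
    SystemSetTimeSlipEvent               = 46, /* Q:N S:Y */
    SystemCreateSession                  = 47, /* Q:N S:Y */
    SystemDeleteSession                  = 48, /* Q:N S:Y */
    SystemInvalidInfoClass4              = 49,
    SystemRangeStartInformation          = 50, /* Q:Y S:N */
    SystemVerifierInformation            = 51, /* Q:Y S:Y */
    SystemAddVerifier                    = 52, /* Q:N S:Y */
    SystemSessionProcessesInformation    = 53  /* Q:Y S:N */
} SYSTEM_INFORMATION_CLASS;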
当第一个参数传入 SystemProcessesAndThreadsInformation 时,SystemInformation 所指向的缓冲区中会被填入一串 SYSTEM_PROCESSES 结构(每个进程一个),各结构通过 NextEntryDelta 首尾相接。缓冲区不够大时调用会失败,此时不应去解析缓冲区里的内容。
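/*
 * One entry of the list returned for SystemProcessesAndThreadsInformation.
 *
 * Entries sit back-to-back in the output buffer.  NextEntryDelta is the byte
 * offset from the start of this entry to the next one (0 on the last entry);
 * it is an offset, not a pointer.  Entries cannot be indexed as a plain array
 * because each one ends with a variable-length Threads[] array holding
 * ThreadCount SYSTEM_THREADS records.
 *
 * NOTE(review): ProcessId and InheritedFromProcessId are ULONG in this
 * definition.  The public winternl.h declares the PID field as HANDLE
 * (pointer-sized), so on 64-bit builds the fields from ProcessId onward are
 * unlikely to line up with this layout -- verify against winternl.h for the
 * target architecture before using it.
 */
typedef struct _SYSTEM_PROCESSES {
    ULONG          NextEntryDelta;          /* byte offset to the next entry; 0 = end of list */
    ULONG          ThreadCount;             /* number of SYSTEM_THREADS records in Threads[] */
    ULONG          Reserved1[6];
    LARGE_INTEGER  CreateTime;              /* process creation time */
    LARGE_INTEGER  UserTime;                /* CPU time spent in user mode (ring 3) */
    LARGE_INTEGER  KernelTime;              /* CPU time spent in kernel mode (ring 0) */
    UNICODE_STRING ProcessName;             /* image name; a counted string, so use Length rather than assuming NUL termination */
    KPRIORITY      BasePriority;            /* base scheduling priority */
    ULONG          ProcessId;               /* process identifier (PID) */
    ULONG          InheritedFromProcessId;  /* parent PID */
    ULONG          HandleCount;             /* number of open handles */
    ULONG          Reserved2[2];
    VM_COUNTERS    VmCounters;              /* virtual-memory counters (defined elsewhere) */
    IO_COUNTERS    IoCounters;              /* I/O counters (defined elsewhere) */
    SYSTEM_THREADS Threads[1];              /* first of ThreadCount per-thread records */
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;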
如果要遍历系统中的进程,只需沿着 NextEntryDelta 前进即可。注意它不是指针,而是相对当前结构起始地址的字节偏移量:当前结构地址加上该值就是下一个进程的结构,值为 0 表示已到末尾。遍历时应检查每一步都不会越出函数实际写入的缓冲区范围。
获取进程示例代码:
#include <windows.h>
#include <ntsecapi.h>
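#include <windows.h>
#include <ntsecapi.h>   /* UNICODE_STRING */
#include <stdio.h>
#include <stdlib.h>     /* malloc/free -- the original listing used them with no prototype */

/*
 * ntdll!ZwQuerySystemInformation, resolved at run time.  It returns an
 * NTSTATUS (negative on failure), so the pointer is typed LONG rather than
 * the original DWORD: an unsigned return value can never compare < 0, which
 * is why the original could not detect a failed call.
 */
typedef LONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

/* Returned when SystemInformationLength is too small for the requested data. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
#endif
#ifndef STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES ((LONG)0xC000009AL)
#endif

/* Upper bound for the query buffer so the retry loop cannot grow without limit. */
#define MAX_QUERY_BUFFER (64UL * 1024UL * 1024UL)

/*
 * Leading part of the per-process record returned for
 * SystemProcessesAndThreadsInformation.  Only the fields this sample reads
 * (NextEntryDelta, ProcessName, ProcessId) have to line up; the real record
 * continues with VM/IO counters and a per-thread array, which are omitted
 * here.  Use winternl.h's SYSTEM_PROCESS_INFORMATION if you need them -- and
 * do not include winternl.h together with this definition, the names collide.
 *
 * ProcessId/InheritedFromProcessId are pointer-sized (HANDLE in the public
 * winternl.h definition).  The original listing declared them DWORD, which
 * is right for 32-bit builds only: on x64 there are 4 bytes of padding after
 * BasePriority, so a DWORD ProcessId would read the padding instead of the PID.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG          NextEntryDelta;          /* bytes from this record to the next; 0 = last */
    ULONG          ThreadCount;
    ULONG          Reserved1[6];
    FILETIME       ftCreateTime;
    FILETIME       ftUserTime;
    FILETIME       ftKernelTime;
    UNICODE_STRING ProcessName;             /* counted string; Buffer is NULL for the Idle process */
    LONG           BasePriority;            /* KPRIORITY */
    ULONG_PTR      ProcessId;               /* HANDLE-sized */
    ULONG_PTR      InheritedFromProcessId;  /* parent PID, HANDLE-sized */
    ULONG          HandleCount;
    /* remaining fields omitted -- see comment above */
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

#define SystemProcessesAndThreadsInformation 5

/*
 * Fetch the process list, growing the buffer until the kernel accepts it.
 *
 * pfnQuery:  resolved ZwQuerySystemInformation.
 * ppBuffer:  on success receives a malloc'd buffer the caller must free.
 * pcbValid:  on success receives the number of bytes that may be parsed.
 * Returns the NTSTATUS of the last call; nothing is allocated on failure.
 */
static LONG query_process_list(ZWQUERYSYSTEMINFORMATION pfnQuery, LPVOID *ppBuffer, ULONG *pcbValid)
{
    ULONG  cbBuffer = 0x20000;      /* starting guess; the real size is system-dependent */
    ULONG  cbReturned;
    LPVOID pBuffer;
    LONG   status;

    for (;;) {
        pBuffer = malloc(cbBuffer);
        if (pBuffer == NULL) {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        cbReturned = 0;
        status = pfnQuery(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, &cbReturned);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }

        /* Too small.  ReturnLength is only a hint (processes may be created
         * before the retry, and it can come back as 0), so grow geometrically
         * past it instead of trusting it exactly. */
        free(pBuffer);
        pBuffer = NULL;
        if (cbBuffer >= MAX_QUERY_BUFFER) {
            return STATUS_INFO_LENGTH_MISMATCH;
        }
        if (cbReturned > cbBuffer) {
            cbBuffer = cbReturned;
        }
        cbBuffer = (cbBuffer > MAX_QUERY_BUFFER / 2) ? MAX_QUERY_BUFFER : cbBuffer * 2;
    }

    if (status < 0) {                  /* NTSTATUS: negative means failure */
        free(pBuffer);
        return status;
    }

    /* Bound the walk by what was actually written; fall back to the
     * allocation size if ReturnLength looks bogus. */
    *pcbValid = (cbReturned != 0 && cbReturned <= cbBuffer) ? cbReturned : cbBuffer;
    *ppBuffer = pBuffer;
    return status;
}

/*
 * Print "ProcessID: <pid> (<image name>)" for every process on the system by
 * walking the SystemProcessesAndThreadsInformation list.  Every step of the
 * walk is checked against the bytes the kernel actually wrote: the original
 * ignored the call's status and followed NextEntryDelta through a buffer that
 * might never have been filled.
 */
int main(void)
{
    HMODULE                  hNtDll;
    ZWQUERYSYSTEMINFORMATION pfnQuery;
    LPVOID                   pBuffer = NULL;
    ULONG                    cbValid = 0;
    LONG                     status;
    const unsigned char     *base, *end, *cur;

    /* ntdll.dll is mapped into every process, so GetModuleHandle suffices and
     * there is nothing to FreeLibrary.  The A variant is named explicitly: the
     * original GetModuleHandle("...") stops compiling once UNICODE is defined. */
    hNtDll = GetModuleHandleA("ntdll.dll");
    if (hNtDll == NULL) {
        return 1;
    }
    pfnQuery = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "ZwQuerySystemInformation");
    if (pfnQuery == NULL) {            /* the original called through this unchecked */
        return 1;
    }

    status = query_process_list(pfnQuery, &pBuffer, &cbValid);
    if (status < 0) {
        fprintf(stderr, "ZwQuerySystemInformation failed: 0x%08lX\n", (unsigned long)status);
        return 1;
    }

    base = (const unsigned char *)pBuffer;
    end  = base + cbValid;
    cur  = base;
    for (;;) {
        PSYSTEM_PROCESS_INFORMATION pInfo;
        ULONG_PTR                   nameLo, nameHi, nameAddr;
        USHORT                      cbName;

        /* Never read a record header that extends past the data we were given. */
        if ((size_t)(end - cur) < sizeof(SYSTEM_PROCESS_INFORMATION)) {
            fprintf(stderr, "truncated process record\n");
            break;
        }
        pInfo = (PSYSTEM_PROCESS_INFORMATION)cur;

        /* ProcessName is a counted UNICODE_STRING: Buffer is NULL for the Idle
         * process (passing NULL to %ls is undefined behaviour) and the text is
         * not guaranteed to be NUL-terminated, so print exactly Length/2
         * characters.  In practice the text lives inside the same buffer; a
         * Buffer that points outside it is treated as corrupt and not printed. */
        nameLo   = (ULONG_PTR)base;
        nameHi   = (ULONG_PTR)end;
        nameAddr = (ULONG_PTR)pInfo->ProcessName.Buffer;
        cbName   = pInfo->ProcessName.Length;
        if (pInfo->ProcessName.Buffer != NULL &&
            nameAddr >= nameLo && nameAddr <= nameHi &&
            nameHi - nameAddr >= cbName) {
            printf("ProcessID: %lu (%.*ls)\n",
                   (unsigned long)pInfo->ProcessId,
                   (int)(cbName / sizeof(WCHAR)), pInfo->ProcessName.Buffer);
        } else {
            printf("ProcessID: %lu (<no name>)\n", (unsigned long)pInfo->ProcessId);
        }

        if (pInfo->NextEntryDelta == 0) {
            break;                     /* last record */
        }
        /* Step to the next record only if the offset stays inside the buffer. */
        if (pInfo->NextEntryDelta > (ULONG)(end - cur)) {
            fprintf(stderr, "NextEntryDelta points outside the buffer\n");
            break;
        }
        cur += pInfo->NextEntryDelta;
    }

    free(pBuffer);
    getchar();                         /* pause before the console closes */
    return 0;
}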