函数速查: http://msdn2.microsoft.com/en-us/library/aa491184.aspx
1.判断当前系统是否为指定的 NTDDI 版本或更高版本
BOOLEAN
RtlIsNtDdiVersionAvailable(
IN ULONG Version
);
2.判断指定的 Service Pack 版本是否已安装
BOOLEAN
RtlIsServicePackVersionInstalled(
IN ULONG Version
);
3.判断当前系统是否为服务器版本(NT Advanced Server),而非工作站版本
BOOLEAN
MmIsThisAnNtAsSystem(
VOID
);
4.获取系统版本信息(调用 RtlGetVersion 前须先设置 dwOSVersionInfoSize;RtlVerifyVersionInfo 用于按条件比较版本;PsGetVersion 已过时,新代码应使用前两者)
NTSTATUS
RtlGetVersion(
IN OUT PRTL_OSVERSIONINFOW lpVersionInformation
);
NTSTATUS
RtlVerifyVersionInfo(
IN PRTL_OSVERSIONINFOEXW VersionInfo,
IN ULONG TypeMask,
IN ULONGLONG ConditionMask
);
BOOLEAN
PsGetVersion(
PULONG MajorVersion OPTIONAL,
PULONG MinorVersion OPTIONAL,
PULONG BuildNumber OPTIONAL,
PUNICODE_STRING CSDVersion OPTIONAL
);
5.估算系统内存规模(返回 MmSmallSystem/MmMediumSystem/MmLargeSystem 等级,而不是具体字节数)
MM_SYSTEMSIZE
MmQuerySystemSize(
VOID
);
6.判断指定地址在当前时刻是否可访问。结果仅在调用瞬间有效,不能用它来校验用户态缓冲区;校验用户态地址应使用 ProbeForRead/ProbeForWrite 并配合 __try/__except。
BOOLEAN
MmIsAddressValid(
IN PVOID VirtualAddress
);
7.系统是否支持64位物理地址(全局变量,类型为 PBOOLEAN,读取时需解引用)
PBOOLEAN Mm64BitPhysicalAddress;
8.获取指定虚拟地址的物理地址
PHYSICAL_ADDRESS
MmGetPhysicalAddress(
IN PVOID BaseAddress
);
9.探测并锁定 MDL 所描述的页面,使其驻留内存。失败时以异常方式报告,调用必须放在 __try/__except 中;若页面来自用户态缓冲区,AccessMode 应传 UserMode 以进行访问检查。
VOID
MmProbeAndLockPages(
IN OUT PMDL MemoryDescriptorList,
IN KPROCESSOR_MODE AccessMode,
IN LOCK_OPERATION Operation
);
10.解锁由 MmProbeAndLockPages 锁定的页面
VOID
MmUnlockPages(
IN PMDL MemoryDescriptorList
);
11.指向一个保证无效的内存地址的全局指针
PVOID MmBadPointer;
12.按名称获取导出的系统例程的入口地址(未找到时返回 NULL,调用前须检查)
NTKERNELAPI
PVOID
MmGetSystemRoutineAddress(
IN PUNICODE_STRING SystemRoutineName
);
13.计算指定内存块跨越的页数(这是一个宏,不是函数)
ULONG
ADDRESS_AND_SIZE_TO_SPAN_PAGES(
IN PVOID Va,
IN ULONG Size
);
14.获取指定对象的名称(完整路径);若 Length 不足,所需大小会通过 ReturnLength 返回
NTSTATUS
ObQueryNameString(
IN PVOID Object,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
IN ULONG Length,
OUT PULONG ReturnLength
);
15.获取对象引用。ObReferenceObjectByHandle 会按 AccessMode 校验句柄和 DesiredAccess,来自用户态的句柄必须传 UserMode,传 KernelMode 会跳过访问检查;每次成功的引用都要用 ObDereferenceObject 配对释放。
VOID
ObReferenceObject(
IN PVOID Object
);
NTSTATUS
ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
NTSTATUS
ObReferenceObjectByPointer(
IN PVOID Object,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode
);