ZwQuerySystemInformation 查看系统进程信息

ZwQuerySystemInformation 查看系统进程信息


#include <ntddk.h>

//
// Information-class selector passed (as a ULONG) to ZwQuerySystemInformation.
// The enumerators carry no explicit values, so their ORDER is the contract:
// only SystemProcessInformation (== 5) is used by this file.
// NOTE(review): newer WDK versions of <ntddk.h> may already declare a
// SYSTEM_INFORMATION_CLASS; if so this private copy will collide at compile
// time -- confirm against the WDK in use.
//
typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBasicInformation,
	SystemProcessorInformation,
	SystemPerformanceInformation,
	SystemTimeOfDayInformation,
	SystemPathInformation,
	SystemProcessInformation, //5 -- the only class Ring0EnumProcess queries
	SystemCallCountInformation,
	SystemDeviceInformation,
	SystemProcessorPerformanceInformation,
	SystemFlagsInformation,
	SystemCallTimeInformation,
	SystemModuleInformation,
	SystemLocksInformation,
	SystemStackTraceInformation,
	SystemPagedPoolInformation,
	SystemNonPagedPoolInformation,
	SystemHandleInformation,
	SystemObjectInformation,
	SystemPageFileInformation,
	SystemVdmInstemulInformation,
	SystemVdmBopInformation,
	SystemFileCacheInformation,
	SystemPoolTagInformation,
	SystemInterruptInformation,
	SystemDpcBehaviorInformation,
	SystemFullMemoryInformation,
	SystemLoadGdiDriverInformation,
	SystemUnloadGdiDriverInformation,
	SystemTimeAdjustmentInformation,
	SystemSummaryMemoryInformation,
	SystemNextEventIdInformation,
	SystemEventIdsInformation,
	SystemCrashDumpInformation,
	SystemExceptionInformation,
	SystemCrashDumpStateInformation,
	SystemKernelDebuggerInformation,
	SystemContextSwitchInformation,
	SystemRegistryQuotaInformation,
	SystemExtendServiceTableInformation,
	SystemPrioritySeperation,
	SystemPlugPlayBusInformation,
	SystemDockInformation,
	SystemPowerInformation2,
	SystemProcessorSpeedInformation,
	SystemCurrentTimeZoneInformation,
	SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

//
// Per-thread record that trails each SYSTEM_PROCESS_INFORMATION entry
// (see the Threads[] member there). Nothing in this file reads these
// fields; the struct only has to have the right SIZE so that the
// process entries are laid out as the kernel wrote them.
// NOTE(review): this layout is not part of the documented WDK API and is
// version-dependent -- verify it against the target kernel before relying
// on any field.
//
typedef struct _SYSTEM_THREAD_INFORMATION {
	LARGE_INTEGER           KernelTime;
	LARGE_INTEGER           UserTime;
	LARGE_INTEGER           CreateTime;
	ULONG                   WaitTime;
	PVOID                   StartAddress;
	CLIENT_ID               ClientId;
	KPRIORITY               Priority;
	LONG                    BasePriority;
	ULONG                   ContextSwitchCount;
	ULONG                   State;
	KWAIT_REASON            WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

//
// One entry of the SystemProcessInformation snapshot. Entries are chained
// by NextEntryOffset (bytes from the start of this entry to the next;
// 0 marks the last one). Ring0EnumProcess reads only NextEntryOffset,
// ImageName and ProcessId.
// NOTE(review): the field layout is undocumented and kernel-version
// dependent. A mismatch does not fail loudly: it silently shifts
// NextEntryOffset/ImageName and the walk in Ring0EnumProcess can read
// outside the allocated buffer -- confirm against the target kernel.
//
typedef struct _SYSTEM_PROCESS_INFORMATION {
	ULONG                   NextEntryOffset;   // byte offset to next entry, 0 == last
	ULONG                   NumberOfThreads;   // number of SYSTEM_THREAD_INFORMATION records in Threads[]
	LARGE_INTEGER           Reserved[3];
	LARGE_INTEGER           CreateTime;
	LARGE_INTEGER           UserTime;
	LARGE_INTEGER           KernelTime;
	UNICODE_STRING          ImageName;         // counted string; Buffer may be NULL and is not guaranteed NUL-terminated
	KPRIORITY               BasePriority;
	HANDLE                  ProcessId;         // pointer-sized on x64; narrow explicitly before printing with %d/%u
	HANDLE                  InheritedFromProcessId;
	ULONG                   HandleCount;
	ULONG                   Reserved2[2];
	ULONG                   PrivatePageCount;
	VM_COUNTERS             VirtualMemoryCounters;
	IO_COUNTERS             IoCounters;
	// Zero-length trailing array (MS extension). The C99 flexible-array form
	// Threads[] is not valid C++, and this file needs C++ for the extern "C"
	// declaration below, so the extension is kept.
	SYSTEM_THREAD_INFORMATION           Threads[0];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

// Without extern "C" the build fails at link time (presumably because the
// C++ compiler mangles the name and it no longer matches the export in the
// kernel import library).
// The class parameter is typed ULONG here rather than SYSTEM_INFORMATION_CLASS,
// so passing the enum relies on the implicit conversion.
// NOTE(review): newer WDK <ntddk.h> already declares ZwQuerySystemInformation;
// a second declaration with a different prototype is a compile error -- confirm.
 extern "C"  NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( 
	IN ULONG SystemInformationClass, 
	IN PVOID SystemInformation, 
	IN ULONG SystemInformationLength, 
	OUT PULONG ReturnLength);

//
// DriverUnload callback. The driver owns no device objects, pool or
// registrations, so there is nothing to tear down -- only a debug trace.
//
VOID Unload(
	__in  struct _DRIVER_OBJECT *DriverObject
	)
{
	UNREFERENCED_PARAMETER(DriverObject);

	KdPrint(("unload ....."));
}

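//
// Enumerate every process in the kernel's SystemProcessInformation
// snapshot and print "PID, image name" for each through KdPrint.
//
// Returns STATUS_SUCCESS once the list has been walked, otherwise a
// failing NTSTATUS: STATUS_INSUFFICIENT_RESOURCES when the pool allocation
// fails (or the buffer size would overflow), or the status returned by
// ZwQuerySystemInformation. (The previous version returned the literal 1
// on failure, which NT_SUCCESS() treats as success, and it never freed the
// snapshot buffer.)
//
// ZwQuerySystemInformation requires PASSIVE_LEVEL; DriverEntry satisfies that.
//
NTSTATUS Ring0EnumProcess(VOID)
{
	static const ULONG enumPoolTag = 'PmnE';	// pool tag so the allocation is attributable in !poolused / Driver Verifier
	ULONG	cbBuffer = 0x8000;	// initial 32 KiB; doubled until the snapshot fits
	PVOID	pSystemInfo = NULL;
	NTSTATUS status;
	PSYSTEM_PROCESS_INFORMATION pInfo;
	PUCHAR	bufferEnd;

	// Grow the buffer until the whole snapshot fits. The kernel signals a
	// too-small buffer with STATUS_INFO_LENGTH_MISMATCH.
	for (;;)
	{
		pSystemInfo = ExAllocatePoolWithTag(NonPagedPool, cbBuffer, enumPoolTag);
		if (pSystemInfo == NULL)
		{
			return STATUS_INSUFFICIENT_RESOURCES;
		}
		status = ZwQuerySystemInformation(SystemProcessInformation, pSystemInfo, cbBuffer, NULL);
		if (status != STATUS_INFO_LENGTH_MISMATCH)
		{
			break;
		}
		ExFreePoolWithTag(pSystemInfo, enumPoolTag);
		pSystemInfo = NULL;
		if (cbBuffer > MAXULONG / 2)
		{
			return STATUS_INSUFFICIENT_RESOURCES;	// doubling would wrap the ULONG
		}
		cbBuffer *= 2;
	}

	if (!NT_SUCCESS(status))
	{
		ExFreePoolWithTag(pSystemInfo, enumPoolTag);
		return status;
	}

	pInfo = (PSYSTEM_PROCESS_INFORMATION)pSystemInfo;
	bufferEnd = (PUCHAR)pSystemInfo + cbBuffer;

	for (;;)
	{
		// HANDLE is pointer-sized (64 bits on x64); narrow explicitly rather
		// than pass it to %d.
		ULONG pid = (ULONG)(ULONG_PTR)pInfo->ProcessId;
		SIZE_T remaining;

		if (pInfo->ImageName.Buffer == NULL)
		{
			KdPrint(("PID:%u, process name:NULL\n", pid));
		}
		else
		{
			// %wZ honours UNICODE_STRING.Length; the buffer is not
			// guaranteed to be NUL-terminated, so %S would over-read.
			KdPrint(("PID:%u, process name:%wZ\n", pid, &pInfo->ImageName));
		}

		if (pInfo->NextEntryOffset == 0)	// 0 marks the last entry
		{
			break;
		}

		// Defensive bound: the offset is kernel-supplied but the struct
		// layout above is version-dependent; never step outside the buffer.
		remaining = (SIZE_T)(bufferEnd - (PUCHAR)pInfo);
		if (pInfo->NextEntryOffset > remaining ||
			remaining - pInfo->NextEntryOffset < sizeof(SYSTEM_PROCESS_INFORMATION))
		{
			KdPrint(("process entry runs past the snapshot buffer, stopping\n"));
			break;
		}
		pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryOffset);
	}

	ExFreePoolWithTag(pSystemInfo, enumPoolTag);
	return STATUS_SUCCESS;
}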

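//
// Driver entry point: install the unload routine, then dump the process
// list once. An enumeration failure is logged but does not fail the load,
// so the driver still starts exactly as before; the log line relies on
// Ring0EnumProcess returning a failing NTSTATUS on error.
//
NTSTATUS DriverEntry(
	__in  PDRIVER_OBJECT DriverObject,
	__in  PUNICODE_STRING RegistryPath
	)
{
	NTSTATUS status;

	UNREFERENCED_PARAMETER(RegistryPath);

	DriverObject->DriverUnload = Unload;

	status = Ring0EnumProcess();
	if (!NT_SUCCESS(status))
	{
		KdPrint(("Ring0EnumProcess failed: 0x%08X\n", status));
	}
	return STATUS_SUCCESS;
}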

