// Counted UTF-16 string as used by the native (ntdll) API; this re-declares
// the system type so the file does not depend on the DDK headers.
// NOTE(review): in the native definition this mirrors, Length and
// MaximumLength are byte counts (not characters) and Buffer is not
// guaranteed to be NUL-terminated — treat ImageName below accordingly.
struct _UNICODE_STRING
{
    USHORT Length;        // bytes in use at Buffer
    USHORT MaximumLength; // bytes available at Buffer
    PWSTR  Buffer;        // UTF-16 data, possibly unterminated
};
typedef struct _UNICODE_STRING UNICODE_STRING;
typedef UNICODE_STRING * PUNICODE_STRING;
// SystemProcessInformation
// Mirror of the native SYSTEM_PROCESS_INFORMATION record returned by
// NtQuerySystemInformation(SystemProcessInformation). Records are chained
// through dwNextEntryOffset (GetProcessUser walks them that way, 0 ends the
// chain); stepping by sizeof() would be wrong — presumably per-thread data
// follows each record (dwNumberOfThreads hints at that), confirm before
// relying on it.
// NOTE(review): the field widths here (DWORD process ids, DWORD working-set
// sizes) look like the 32-bit layout; the native x64 structure uses
// pointer-sized process ids, so reading a snapshot through this declaration
// on a 64-bit build would misplace dwProcessId and every field after it.
// Confirm the target architecture before reusing this struct.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
DWORD dwNextEntryOffset;          // bytes from this record to the next; 0 = last
DWORD dwNumberOfThreads;
LARGE_INTEGER qSpareLi1;
LARGE_INTEGER qSpareLi2;
LARGE_INTEGER qSpareLi3;
LARGE_INTEGER qCreateTime;        // copied bytewise into a FILETIME by GetProcessUser
LARGE_INTEGER qUserTime;
LARGE_INTEGER qKernelTime;
UNICODE_STRING ImageName;         // counted string; Buffer may lack a terminator
int nBasePriority;
DWORD dwProcessId;                // matched against the requested pid
DWORD dwInheritedFromUniqueProcessId; // parent process id
DWORD dwHandleCount;
DWORD dwSessionId;
ULONG dwSpareUl3;
SIZE_T tPeakVirtualSize;
SIZE_T tVirtualSize;
DWORD dwPageFaultCount;
DWORD dwPeakWorkingSetSize;
DWORD dwWorkingSetSize;
SIZE_T tQuotaPeakPagedPoolUsage;
SIZE_T tQuotaPagedPoolUsage;
SIZE_T tQuotaPeakNonPagedPoolUsage;
SIZE_T tQuotaNonPagedPoolUsage;
SIZE_T tPagefileUsage;
SIZE_T tPeakPagefileUsage;
SIZE_T tPrivatePageCount;
LARGE_INTEGER qReadOperationCount;
LARGE_INTEGER qWriteOperationCount;
LARGE_INTEGER qOtherOperationCount;
LARGE_INTEGER qReadTransferCount;
LARGE_INTEGER qWriteTransferCount;
LARGE_INTEGER qOtherTransferCount;
}SYSTEM_PROCESS_INFORMATION;
// SYSTEM_INFORMATION_CLASS values passed to NtQuerySystemInformation.
// Only SystemProcessInformation is used in this file; the other two are
// declared but unused here.
#define SystemProcessInformation 5
#define SystemTimeOfDayInformation 3
#define SystemHandleInformation 16
// NTSTATUS returned when the supplied buffer is too small; GetSysProcInfo
// retries with a larger buffer on this code and treats 0 as success.
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
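// True when the name carries no directory or drive component, i.e. it would
// be resolved through the loader's search order rather than loaded verbatim.
static BOOL IsBareModuleName(const CHAR * pName)
{
    for (const CHAR * p = pName; *p != '\0'; ++p)
    {
        if (*p == '\\' || *p == '/' || *p == ':')
            return FALSE;
    }
    return TRUE;
}

// Resolves an export by name from a DLL, loading the DLL if necessary.
// pDllName : DLL file name (e.g. "NTDLL.DLL") or an explicit path.
// pProcName: exported symbol name.
// Returns the export's address, or NULL if either argument is NULL, the DLL
// cannot be loaded, or the export is missing.
//
// Security: a bare file name handed to LoadLibraryA is resolved through the
// DLL search order (application directory, current directory, ...), so an
// attacker able to drop a same-named DLL there could hijack this process.
// Bare names are therefore anchored to the system directory. Every caller
// in this file loads a system DLL; a caller that needs an application-local
// DLL must pass its full path, which is loaded verbatim.
//
// The HMODULE is intentionally never freed: the returned pointer is only
// valid while the module stays mapped, and callers keep using it.
VOID * GetDllProc(CHAR * pDllName, CHAR * pProcName)
{
    if (pDllName == NULL || pProcName == NULL)
        return NULL;

    HMODULE hMod = NULL;
    BOOL bTriedFixedPath = FALSE;

    if (IsBareModuleName(pDllName))
    {
        CHAR szPath[MAX_PATH];
        UINT cchDir = GetSystemDirectoryA(szPath, MAX_PATH);
        int cchName = lstrlenA(pDllName);
        // Only build the path when it provably fits (dir + '\\' + name + NUL).
        if (cchDir != 0 && cchDir < MAX_PATH
            && (DWORD)cchDir + 1 + (DWORD)cchName < MAX_PATH)
        {
            szPath[cchDir] = '\\';
            memcpy(szPath + cchDir + 1, pDllName, (size_t)cchName + 1);   // copies the NUL
            hMod = LoadLibraryA(szPath);
            // Do not fall back to the searching form for a bare name: a miss
            // in the system directory must not become a search-order load.
            bTriedFixedPath = TRUE;
        }
    }

    // Explicit path, or the system directory could not be determined:
    // keep the original behaviour.
    if (!bTriedFixedPath)
        hMod = LoadLibraryA(pDllName);
    if (hMod == NULL)
        return NULL;

    return GetProcAddress(hMod, pProcName);
}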
// Prototype of ntdll!NtQuerySystemInformation, resolved at runtime by
// GetSysProcInfo. Returns an NTSTATUS; the caller treats 0 as success and
// STATUS_INFO_LENGTH_MISMATCH as "buffer too small, retry".
typedef LONG (WINAPI * Fun_NtQuerySystemInformation) (
int SystemInformationClass,          // one of the System* values above
OUT PVOID SystemInformation,         // caller-supplied buffer
IN ULONG SystemInformationLength,    // size of that buffer in bytes
OUT ULONG * pReturnLength OPTIONAL); // may be NULL
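// Takes a snapshot of every process on the system via
// ntdll!NtQuerySystemInformation(SystemProcessInformation).
// ppSysProcInfo: receives a malloc()'d buffer holding the chained records
//                (walk with dwNextEntryOffset, 0 terminates). The caller
//                owns the buffer and must release it with free().
// Returns TRUE on success. On failure returns FALSE and leaves
// *ppSysProcInfo set to NULL (the original left it unassigned).
BOOL NSystem::GetSysProcInfo(SYSTEM_PROCESS_INFORMATION ** ppSysProcInfo)
{
    if (ppSysProcInfo == NULL)
        return FALSE;
    *ppSysProcInfo = NULL;

    Fun_NtQuerySystemInformation pfnQuery = (Fun_NtQuerySystemInformation)
        ::GetDllProc("NTDLL.DLL", "NtQuerySystemInformation");
    if (pfnQuery == NULL)
        return FALSE;

    // Growth is capped: without a cap the loop cannot terminate if the call
    // keeps answering STATUS_INFO_LENGTH_MISMATCH, and dwSize *= 2 would
    // eventually wrap to 0.
    const DWORD kMaxSize = 256u * 1024u * 1024u;
    DWORD dwSize = 1024 * 1024;
    VOID * pBuf = NULL;
    LONG lStatus;

    for (;;)
    {
        pBuf = malloc(dwSize);
        if (pBuf == NULL)
            return FALSE;   // the original handed a NULL buffer to the kernel call

        ULONG cbNeeded = 0;
        lStatus = pfnQuery(SystemProcessInformation, pBuf, dwSize, &cbNeeded);
        if (lStatus != STATUS_INFO_LENGTH_MISMATCH)
            break;

        free(pBuf);
        pBuf = NULL;
        if (dwSize >= kMaxSize)
            return FALSE;

        // Double as before; if the reported requirement (when ntdll fills it
        // in) is larger still, use that plus slack, since the process list can
        // grow between the two calls.
        DWORD dwNext = dwSize * 2;
        if (cbNeeded > dwNext)
            dwNext = cbNeeded + 64 * 1024;
        if (dwNext > kMaxSize || dwNext < dwSize)   // second test catches wrap
            dwNext = kMaxSize;
        dwSize = dwNext;
    }

    if (lStatus != 0)   // any NTSTATUS other than STATUS_SUCCESS
    {
        free(pBuf);
        return FALSE;
    }

    *ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION *)pBuf;
    return TRUE;
}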
// Undocumented helpers resolved at runtime from Winsta.dll and utildll.dll
// (see GetProcessUser). These signatures are assumed, not taken from a
// public header — NOTE(review): confirm against the target OS before reuse.
// WinStationGetProcessSid, as used below: returns 0 on the size-query call
// (NULL buffer, *dwSidSize filled in) and non-zero once the SID was copied.
typedef BYTE (WINAPI * Fun_WinStationGetProcessSid)(HANDLE hServer,DWORD ProcessId , FILETIME ProcessStartTime,PBYTE pProcessUserSid ,PDWORD dwSidSize);
// CachedGetUserFromSid, as used below: writes the user name to pUserName and
// updates *cbUserName; a resulting 0 is treated as "no name".
typedef VOID (WINAPI * Fun_CachedGetUserFromSid)( PSID pSid , PWCHAR pUserName,PULONG cbUserName);
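// Looks up the account name of the user that owns process dwPid.
// dwPid     : process id to resolve.
// pbStrUser : receives the user name produced by utildll's
//             CachedGetUserFromSid on success; untouched on failure.
// Returns TRUE on success, FALSE if the helper exports cannot be resolved,
// the process is not in the snapshot, its SID cannot be read, or no name
// is produced.
//
// The process start time is taken from the SystemProcessInformation
// snapshot because WinStationGetProcessSid is called with it alongside the
// pid (presumably to disambiguate reused pids — confirm).
BOOL NSystem::GetProcessUser(DWORD dwPid, _bstr_t * pbStrUser)
{
    if (pbStrUser == NULL)
        return FALSE;

    Fun_WinStationGetProcessSid pfnGetProcessSid = (Fun_WinStationGetProcessSid)
        GetDllProc("Winsta.dll", "WinStationGetProcessSid");
    Fun_CachedGetUserFromSid pfnGetUserFromSid = (Fun_CachedGetUserFromSid)
        GetDllProc("utildll.dll", "CachedGetUserFromSid");
    if (pfnGetProcessSid == NULL || pfnGetUserFromSid == NULL)
        return FALSE;

    // --- locate the process and copy out its creation time ---------------
    SYSTEM_PROCESS_INFORMATION * pSnapshot = NULL;
    if (!GetSysProcInfo(&pSnapshot) || pSnapshot == NULL)
        return FALSE;

    FILETIME ftStartTime;
    BOOL bFound = FALSE;
    // NOTE(review): dwNextEntryOffset is kernel-supplied and walked unchecked,
    // as in the original; GetSysProcInfo does not report the buffer size, so
    // a defensive bound cannot be applied here.
    for (SYSTEM_PROCESS_INFORMATION * pEntry = pSnapshot; ; )
    {
        if (pEntry->dwProcessId == dwPid)
        {
            // qCreateTime and FILETIME are both 64-bit; copy bytewise.
            memcpy(&ftStartTime, &pEntry->qCreateTime, sizeof(ftStartTime));
            bFound = TRUE;
            break;
        }
        if (pEntry->dwNextEntryOffset == 0)
            break;
        pEntry = (SYSTEM_PROCESS_INFORMATION *)((BYTE *)pEntry + pEntry->dwNextEntryOffset);
    }
    // The snapshot is no longer needed on any path. (The original freed it
    // only when the pid was NOT found and leaked it on every other return.)
    free(pSnapshot);
    if (!bFound)
        return FALSE;

    // --- fetch the owning SID: size query, then the real call -------------
    DWORD dwSidSize = 0;
    // The first call, with no buffer, is expected to fail (return 0) and
    // report the required size.
    if (pfnGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSidSize) != 0)
        return FALSE;
    if (dwSidSize == 0)
        return FALSE;   // nothing to allocate; avoids a zero-length buffer

    BYTE * pSid = new BYTE[dwSidSize];
    BYTE bCopied = pfnGetProcessSid(NULL, dwPid, ftStartTime, pSid, &dwSidSize);
    if (bCopied == 0)
    {
        delete [] pSid;
        return FALSE;
    }

    // --- translate the SID to a user name ---------------------------------
    WCHAR szUserName[1024];
    szUserName[0] = L'\0';
    // Passed as the buffer size. Assumes the API counts WCHARs; if it counts
    // bytes this merely under-uses the 2048-byte buffer, it cannot overrun it.
    DWORD cchName = 1024;
    pfnGetUserFromSid(pSid, szUserName, &cchName);
    delete [] pSid;
    if (cchName == 0)
        return FALSE;

    *pbStrUser = szUserName;
    return TRUE;
}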
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
// SystemProcessInformation
// Mirror of the native SYSTEM_PROCESS_INFORMATION record returned by
// NtQuerySystemInformation(SystemProcessInformation). Records are chained
// through dwNextEntryOffset (GetProcessUser walks them that way, 0 ends the
// chain); stepping by sizeof() would be wrong — presumably per-thread data
// follows each record (dwNumberOfThreads hints at that), confirm before
// relying on it.
// NOTE(review): the field widths here (DWORD process ids, DWORD working-set
// sizes) look like the 32-bit layout; the native x64 structure uses
// pointer-sized process ids, so reading a snapshot through this declaration
// on a 64-bit build would misplace dwProcessId and every field after it.
// Confirm the target architecture before reusing this struct.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
DWORD dwNextEntryOffset;          // bytes from this record to the next; 0 = last
DWORD dwNumberOfThreads;
LARGE_INTEGER qSpareLi1;
LARGE_INTEGER qSpareLi2;
LARGE_INTEGER qSpareLi3;
LARGE_INTEGER qCreateTime;        // copied bytewise into a FILETIME by GetProcessUser
LARGE_INTEGER qUserTime;
LARGE_INTEGER qKernelTime;
UNICODE_STRING ImageName;         // counted string; Buffer may lack a terminator
int nBasePriority;
DWORD dwProcessId;                // matched against the requested pid
DWORD dwInheritedFromUniqueProcessId; // parent process id
DWORD dwHandleCount;
DWORD dwSessionId;
ULONG dwSpareUl3;
SIZE_T tPeakVirtualSize;
SIZE_T tVirtualSize;
DWORD dwPageFaultCount;
DWORD dwPeakWorkingSetSize;
DWORD dwWorkingSetSize;
SIZE_T tQuotaPeakPagedPoolUsage;
SIZE_T tQuotaPagedPoolUsage;
SIZE_T tQuotaPeakNonPagedPoolUsage;
SIZE_T tQuotaNonPagedPoolUsage;
SIZE_T tPagefileUsage;
SIZE_T tPeakPagefileUsage;
SIZE_T tPrivatePageCount;
LARGE_INTEGER qReadOperationCount;
LARGE_INTEGER qWriteOperationCount;
LARGE_INTEGER qOtherOperationCount;
LARGE_INTEGER qReadTransferCount;
LARGE_INTEGER qWriteTransferCount;
LARGE_INTEGER qOtherTransferCount;
}SYSTEM_PROCESS_INFORMATION;
// SYSTEM_INFORMATION_CLASS values passed to NtQuerySystemInformation.
// Only SystemProcessInformation is used in this file; the other two are
// declared but unused here.
#define SystemProcessInformation 5
#define SystemTimeOfDayInformation 3
#define SystemHandleInformation 16
// NTSTATUS returned when the supplied buffer is too small; GetSysProcInfo
// retries with a larger buffer on this code and treats 0 as success.
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
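// True when the name carries no directory or drive component, i.e. it would
// be resolved through the loader's search order rather than loaded verbatim.
static BOOL IsBareModuleName(const CHAR * pName)
{
    for (const CHAR * p = pName; *p != '\0'; ++p)
    {
        if (*p == '\\' || *p == '/' || *p == ':')
            return FALSE;
    }
    return TRUE;
}

// Resolves an export by name from a DLL, loading the DLL if necessary.
// pDllName : DLL file name (e.g. "NTDLL.DLL") or an explicit path.
// pProcName: exported symbol name.
// Returns the export's address, or NULL if either argument is NULL, the DLL
// cannot be loaded, or the export is missing.
//
// Security: a bare file name handed to LoadLibraryA is resolved through the
// DLL search order (application directory, current directory, ...), so an
// attacker able to drop a same-named DLL there could hijack this process.
// Bare names are therefore anchored to the system directory. Every caller
// in this file loads a system DLL; a caller that needs an application-local
// DLL must pass its full path, which is loaded verbatim.
//
// The HMODULE is intentionally never freed: the returned pointer is only
// valid while the module stays mapped, and callers keep using it.
VOID * GetDllProc(CHAR * pDllName, CHAR * pProcName)
{
    if (pDllName == NULL || pProcName == NULL)
        return NULL;

    HMODULE hMod = NULL;
    BOOL bTriedFixedPath = FALSE;

    if (IsBareModuleName(pDllName))
    {
        CHAR szPath[MAX_PATH];
        UINT cchDir = GetSystemDirectoryA(szPath, MAX_PATH);
        int cchName = lstrlenA(pDllName);
        // Only build the path when it provably fits (dir + '\\' + name + NUL).
        if (cchDir != 0 && cchDir < MAX_PATH
            && (DWORD)cchDir + 1 + (DWORD)cchName < MAX_PATH)
        {
            szPath[cchDir] = '\\';
            memcpy(szPath + cchDir + 1, pDllName, (size_t)cchName + 1);   // copies the NUL
            hMod = LoadLibraryA(szPath);
            // Do not fall back to the searching form for a bare name: a miss
            // in the system directory must not become a search-order load.
            bTriedFixedPath = TRUE;
        }
    }

    // Explicit path, or the system directory could not be determined:
    // keep the original behaviour.
    if (!bTriedFixedPath)
        hMod = LoadLibraryA(pDllName);
    if (hMod == NULL)
        return NULL;

    return GetProcAddress(hMod, pProcName);
}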
// Prototype of ntdll!NtQuerySystemInformation, resolved at runtime by
// GetSysProcInfo. Returns an NTSTATUS; the caller treats 0 as success and
// STATUS_INFO_LENGTH_MISMATCH as "buffer too small, retry".
typedef LONG (WINAPI * Fun_NtQuerySystemInformation) (
int SystemInformationClass,          // one of the System* values above
OUT PVOID SystemInformation,         // caller-supplied buffer
IN ULONG SystemInformationLength,    // size of that buffer in bytes
OUT ULONG * pReturnLength OPTIONAL); // may be NULL
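// Takes a snapshot of every process on the system via
// ntdll!NtQuerySystemInformation(SystemProcessInformation).
// ppSysProcInfo: receives a malloc()'d buffer holding the chained records
//                (walk with dwNextEntryOffset, 0 terminates). The caller
//                owns the buffer and must release it with free().
// Returns TRUE on success. On failure returns FALSE and leaves
// *ppSysProcInfo set to NULL (the original left it unassigned).
BOOL NSystem::GetSysProcInfo(SYSTEM_PROCESS_INFORMATION ** ppSysProcInfo)
{
    if (ppSysProcInfo == NULL)
        return FALSE;
    *ppSysProcInfo = NULL;

    Fun_NtQuerySystemInformation pfnQuery = (Fun_NtQuerySystemInformation)
        ::GetDllProc("NTDLL.DLL", "NtQuerySystemInformation");
    if (pfnQuery == NULL)
        return FALSE;

    // Growth is capped: without a cap the loop cannot terminate if the call
    // keeps answering STATUS_INFO_LENGTH_MISMATCH, and dwSize *= 2 would
    // eventually wrap to 0.
    const DWORD kMaxSize = 256u * 1024u * 1024u;
    DWORD dwSize = 1024 * 1024;
    VOID * pBuf = NULL;
    LONG lStatus;

    for (;;)
    {
        pBuf = malloc(dwSize);
        if (pBuf == NULL)
            return FALSE;   // the original handed a NULL buffer to the kernel call

        ULONG cbNeeded = 0;
        lStatus = pfnQuery(SystemProcessInformation, pBuf, dwSize, &cbNeeded);
        if (lStatus != STATUS_INFO_LENGTH_MISMATCH)
            break;

        free(pBuf);
        pBuf = NULL;
        if (dwSize >= kMaxSize)
            return FALSE;

        // Double as before; if the reported requirement (when ntdll fills it
        // in) is larger still, use that plus slack, since the process list can
        // grow between the two calls.
        DWORD dwNext = dwSize * 2;
        if (cbNeeded > dwNext)
            dwNext = cbNeeded + 64 * 1024;
        if (dwNext > kMaxSize || dwNext < dwSize)   // second test catches wrap
            dwNext = kMaxSize;
        dwSize = dwNext;
    }

    if (lStatus != 0)   // any NTSTATUS other than STATUS_SUCCESS
    {
        free(pBuf);
        return FALSE;
    }

    *ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION *)pBuf;
    return TRUE;
}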
// Undocumented helpers resolved at runtime from Winsta.dll and utildll.dll
// (see GetProcessUser). These signatures are assumed, not taken from a
// public header — NOTE(review): confirm against the target OS before reuse.
// WinStationGetProcessSid, as used below: returns 0 on the size-query call
// (NULL buffer, *dwSidSize filled in) and non-zero once the SID was copied.
typedef BYTE (WINAPI * Fun_WinStationGetProcessSid)(HANDLE hServer,DWORD ProcessId , FILETIME ProcessStartTime,PBYTE pProcessUserSid ,PDWORD dwSidSize);
// CachedGetUserFromSid, as used below: writes the user name to pUserName and
// updates *cbUserName; a resulting 0 is treated as "no name".
typedef VOID (WINAPI * Fun_CachedGetUserFromSid)( PSID pSid , PWCHAR pUserName,PULONG cbUserName);
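// Looks up the account name of the user that owns process dwPid.
// dwPid     : process id to resolve.
// pbStrUser : receives the user name produced by utildll's
//             CachedGetUserFromSid on success; untouched on failure.
// Returns TRUE on success, FALSE if the helper exports cannot be resolved,
// the process is not in the snapshot, its SID cannot be read, or no name
// is produced.
//
// The process start time is taken from the SystemProcessInformation
// snapshot because WinStationGetProcessSid is called with it alongside the
// pid (presumably to disambiguate reused pids — confirm).
BOOL NSystem::GetProcessUser(DWORD dwPid, _bstr_t * pbStrUser)
{
    if (pbStrUser == NULL)
        return FALSE;

    Fun_WinStationGetProcessSid pfnGetProcessSid = (Fun_WinStationGetProcessSid)
        GetDllProc("Winsta.dll", "WinStationGetProcessSid");
    Fun_CachedGetUserFromSid pfnGetUserFromSid = (Fun_CachedGetUserFromSid)
        GetDllProc("utildll.dll", "CachedGetUserFromSid");
    if (pfnGetProcessSid == NULL || pfnGetUserFromSid == NULL)
        return FALSE;

    // --- locate the process and copy out its creation time ---------------
    SYSTEM_PROCESS_INFORMATION * pSnapshot = NULL;
    if (!GetSysProcInfo(&pSnapshot) || pSnapshot == NULL)
        return FALSE;

    FILETIME ftStartTime;
    BOOL bFound = FALSE;
    // NOTE(review): dwNextEntryOffset is kernel-supplied and walked unchecked,
    // as in the original; GetSysProcInfo does not report the buffer size, so
    // a defensive bound cannot be applied here.
    for (SYSTEM_PROCESS_INFORMATION * pEntry = pSnapshot; ; )
    {
        if (pEntry->dwProcessId == dwPid)
        {
            // qCreateTime and FILETIME are both 64-bit; copy bytewise.
            memcpy(&ftStartTime, &pEntry->qCreateTime, sizeof(ftStartTime));
            bFound = TRUE;
            break;
        }
        if (pEntry->dwNextEntryOffset == 0)
            break;
        pEntry = (SYSTEM_PROCESS_INFORMATION *)((BYTE *)pEntry + pEntry->dwNextEntryOffset);
    }
    // The snapshot is no longer needed on any path. (The original freed it
    // only when the pid was NOT found and leaked it on every other return.)
    free(pSnapshot);
    if (!bFound)
        return FALSE;

    // --- fetch the owning SID: size query, then the real call -------------
    DWORD dwSidSize = 0;
    // The first call, with no buffer, is expected to fail (return 0) and
    // report the required size.
    if (pfnGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSidSize) != 0)
        return FALSE;
    if (dwSidSize == 0)
        return FALSE;   // nothing to allocate; avoids a zero-length buffer

    BYTE * pSid = new BYTE[dwSidSize];
    BYTE bCopied = pfnGetProcessSid(NULL, dwPid, ftStartTime, pSid, &dwSidSize);
    if (bCopied == 0)
    {
        delete [] pSid;
        return FALSE;
    }

    // --- translate the SID to a user name ---------------------------------
    WCHAR szUserName[1024];
    szUserName[0] = L'\0';
    // Passed as the buffer size. Assumes the API counts WCHARs; if it counts
    // bytes this merely under-uses the 2048-byte buffer, it cannot overrun it.
    DWORD cchName = 1024;
    pfnGetUserFromSid(pSid, szUserName, &cchName);
    delete [] pSid;
    if (cchName == 0)
        return FALSE;

    *pbStrUser = szUserName;
    return TRUE;
}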