ZwQuerySystemInformation函数使用

2019-07-02 17:08:28

ZwQuerySystemInformation函数很简单,就是4个参数。

/*
 * ntdll export used by the sample below (native API; the information classes
 * and the structures they fill are only partly covered by MSDN).
 *
 *   SystemInformationClass  - which table to query (SYSTEM_INFORMATION_CLASS)
 *   SystemInformation       - caller-supplied buffer that receives the data;
 *                             cast it to the structure matching the class
 *   SystemInformationLength - size of that buffer in bytes
 *   ReturnLength            - optional; the sample relies on it being set to
 *                             the required size when the call fails with
 *                             STATUS_INFO_LENGTH_MISMATCH (see the NULL, 0
 *                             probe calls in main)
 */
NTSTATUS WINAPI ZwQuerySystemInformation(
  _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
  _Inout_   PVOID                    SystemInformation,
  _In_      ULONG                    SystemInformationLength,
  _Out_opt_ PULONG                   ReturnLength
);

函数很简单,就4个参数。参数1: 传入一个信息类型,代表你要查询什么类型。这个函数很强大,基本什么都可以查询。参数2: 一个缓冲区,查询到的数据会放到这个缓冲区,其内容由你查询的类型决定,使用时强转为对应的结构体类型即可。参数3: 缓冲区大小。参数4: 返回大小。

类别很多,但是MSDN上的说明不太全,看看下面吧:既有类型定义,也有使用例子。

#include <stddef.h>
#include <stdio.h>
#include <windows.h>
  
// NTSTATUS and the status codes the sample compares against, defined locally
// because neither <ntstatus.h> nor <winternl.h> is included.
// NOTE(review): if <winternl.h> is ever added, its own NTSTATUS typedef and its
// SYSTEM_INFORMATION_CLASS / UNICODE_STRING definitions would collide with the
// ones in this file.
typedef LONG NTSTATUS;

#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)   // generic failure
#define STATUS_NOT_IMPLEMENTED          ((NTSTATUS)0xC0000002L)   // class exists but is not implemented
#define STATUS_INVALID_INFO_CLASS       ((NTSTATUS)0xC0000003L)   // unknown SystemInformationClass
#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)   // buffer too small; ReturnLength gives the size needed
  
// Information classes by ordinal.  The enum has no explicit values, so the
// order of the members must not change: the kernel sees the number, not the
// name.  The trailing "Y N" columns are the original author's table; they
// appear to mean "query supported / set supported" — treat them as unverified.
// NOTE(review): these names come from third-party documentation and differ
// from the SDK's (e.g. value 5 is SystemProcessInformation in <winternl.h>).
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,                    //  0 Y N
    SystemProcessorInformation,             //  1 Y N
    SystemPerformanceInformation,           //  2 Y N
    SystemTimeOfDayInformation,             //  3 Y N
    SystemNotImplemented1,                  //  4 Y N
    SystemProcessesAndThreadsInformation,   //  5 Y N
    SystemCallCounts,                       //  6 Y N
    SystemConfigurationInformation,         //  7 Y N
    SystemProcessorTimes,                   //  8 Y N
    SystemGlobalFlag,                       //  9 Y Y
    SystemNotImplemented2,                  // 10 Y N
    SystemModuleInformation,                // 11 Y N
    SystemLockInformation,                  // 12 Y N
    SystemNotImplemented3,                  // 13 Y N
    SystemNotImplemented4,                  // 14 Y N
    SystemNotImplemented5,                  // 15 Y N
    SystemHandleInformation,                // 16 Y N
    SystemObjectInformation,                // 17 Y N
    SystemPagefileInformation,              // 18 Y N
    SystemInstructionEmulationCounts,       // 19 Y N
    SystemInvalidInfoClass1,                // 20
    SystemCacheInformation,                 // 21 Y Y
    SystemPoolTagInformation,               // 22 Y N
    SystemProcessorStatistics,              // 23 Y N
    SystemDpcInformation,                   // 24 Y Y
    SystemNotImplemented6,                  // 25 Y N
    SystemLoadImage,                        // 26 N Y
    SystemUnloadImage,                      // 27 N Y
    SystemTimeAdjustment,                   // 28 Y Y
    SystemNotImplemented7,                  // 29 Y N
    SystemNotImplemented8,                  // 30 Y N
    SystemNotImplemented9,                  // 31 Y N
    SystemCrashDumpInformation,             // 32 Y N
    SystemExceptionInformation,             // 33 Y N
    SystemCrashDumpStateInformation,        // 34 Y Y/N
    SystemKernelDebuggerInformation,        // 35 Y N
    SystemContextSwitchInformation,         // 36 Y N
    SystemRegistryQuotaInformation,         // 37 Y Y
    SystemLoadAndCallImage,                 // 38 N Y
    SystemPrioritySeparation,               // 39 N Y
    SystemNotImplemented10,                 // 40 Y N
    SystemNotImplemented11,                 // 41 Y N
    SystemInvalidInfoClass2,                // 42
    SystemInvalidInfoClass3,                // 43
    SystemTimeZoneInformation,              // 44 Y N
    SystemLookasideInformation,             // 45 Y N
    SystemSetTimeSlipEvent,                 // 46 N Y
    SystemCreateSession,                    // 47 N Y
    SystemDeleteSession,                    // 48 N Y
    SystemInvalidInfoClass4,                // 49
    SystemRangeStartInformation,            // 50 Y N
    SystemVerifierInformation,              // 51 Y Y
    SystemAddVerifier,                      // 52 N Y
    SystemSessionProcessesInformation       // 53 Y N

} SYSTEM_INFORMATION_CLASS;
  
// Counted UTF-16 string as used by the native API (also aliased as
// UNICODE_STRING because that name is used by SYSTEM_PROCESSES below).
// NOTE(review): Length and MaximumLength are byte counts, not character
// counts, and Buffer is neither guaranteed NUL-terminated nor non-NULL —
// print it with a precision derived from Length rather than as a plain %s.
typedef struct _LSA_UNICODE_STRING
{
    USHORT Length;          // bytes in use in Buffer
    USHORT MaximumLength;   // bytes allocated for Buffer
    PWSTR Buffer;           // may be NULL when Length is 0

} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
  
// Process/thread identifier pair carried in SYSTEM_THREADS::ClientId.
// NOTE(review): both members are ids stored in HANDLE-sized fields, not
// handles this program owns — nothing here is to be closed.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;   // process id
    HANDLE UniqueThread;    // thread id

} CLIENT_ID;
  
// Scheduler state of a thread, reported in SYSTEM_THREADS::State.
// The ordinals are what the kernel writes; do not reorder.
typedef enum _THREAD_STATE
{
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,          // see SYSTEM_THREADS::WaitReason for why
    StateTransition,
    StateUnknown

} THREAD_STATE;
  
// Reason a thread is waiting, reported in SYSTEM_THREADS::WaitReason.
// The Wr* members presumably mirror the first group for waits issued from
// user mode; the ordinals are what the kernel writes, so do not reorder.
typedef enum _KWAIT_REASON
{
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrLpcReply,
    WrVirtualMemory,
    WrPageOut,
    WrRendezvous,
    Spare2,
    Spare3,
    Spare4,
    Spare5,
    Spare6,
    WrKernel

} KWAIT_REASON;
  
/*typedef struct _IO_COUNTERS   
{   
    LARGE_INTEGER ReadOperationCount;   //I/O读操作数目   
    LARGE_INTEGER WriteOperationCount;  //I/O写操作数目   
    LARGE_INTEGER OtherOperationCount;  //I/O其他操作数目   
    LARGE_INTEGER ReadTransferCount;    //I/O读数据数目   
    LARGE_INTEGER WriteTransferCount;   //I/O写数据数目   
    LARGE_INTEGER OtherTransferCount;   //I/O其他操作数据数目   
  
} IO_COUNTERS, *PIO_COUNTERS;   
  */
// Per-process memory counters embedded in SYSTEM_PROCESSES.
// NOTE(review): every field is ULONG here, which matches a 32-bit build; on
// 64-bit builds these counters are pointer-sized, so these offsets (and the
// members of SYSTEM_PROCESSES that follow VmCounters) would not line up —
// confirm the target bitness before reusing this layout.
typedef struct _VM_COUNTERS
{
    ULONG PeakVirtualSize;              // peak virtual size
    ULONG VirtualSize;                  // current virtual size
    ULONG PageFaultCount;               // number of page faults
    ULONG PeakWorkingSetSize;           // peak working-set size
    ULONG WorkingSetSize;               // current working-set size (printed by main)
    ULONG QuotaPeakPagedPoolUsage;      // peak paged-pool quota usage
    ULONG QuotaPagedPoolUsage;          // paged-pool quota usage
    ULONG QuotaPeakNonPagedPoolUsage;   // peak non-paged-pool quota usage
    ULONG QuotaNonPagedPoolUsage;       // non-paged-pool quota usage
    ULONG PagefileUsage;                // pagefile usage
    ULONG PeakPagefileUsage;            // peak pagefile usage

} VM_COUNTERS, *PVM_COUNTERS;
  
typedef LONG KPRIORITY;   // scheduling priority (signed)
  
// One thread entry of the SystemProcessesAndThreadsInformation result; the
// entries follow the fixed part of SYSTEM_PROCESSES (see Threads[] there).
// The sample never dereferences these fields; the comments describe the
// field names only and are not verified against the kernel.
typedef struct _SYSTEM_THREADS
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;         // thread start address; an address in another process, not usable here
    CLIENT_ID ClientId;         // owning process id + thread id
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;    // meaningful when State == StateWait

} SYSTEM_THREADS, *PSYSTEM_THREADS;
  
// One process entry of the SystemProcessesAndThreadsInformation result.
// The buffer holds a chain of these: NextEntryDelta is the byte offset from
// this entry to the next one and is 0 on the last entry (that is how main
// walks the list), so the walk must be done with byte-pointer arithmetic and
// bounded by the length the kernel returned.
// IO_COUNTERS is the <windows.h> definition; the local one above is
// commented out because it would duplicate it.
// NOTE(review): like VM_COUNTERS this is the 32-bit layout (ULONG ids,
// ULONG-sized counters) — confirm against the target build.
typedef struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;               // byte offset to the next entry, 0 for the last
    ULONG ThreadCount;                  // presumably the number of Threads[] entries that follow
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;         // counted string; Buffer may be NULL (Length 0)
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;       // parent process id
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS  VmCounters;
    IO_COUNTERS IoCounters;             // from <windows.h>
    SYSTEM_THREADS Threads[1];          // trailing variable-length array

} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
  
// Result of SystemBasicInformation.  Only NumberOfProcessors is used by the
// sample; the Reserved members exist to place it at the right offset.
// NOTE(review): PVOID Reserved2[4] makes the size and the offset of
// NumberOfProcessors bitness-dependent; sizeof(sbi) passed to the query must
// be what the running OS expects or the call fails with a length mismatch.
typedef struct _SYSTEM_BASIC_INFORMATION
{
    BYTE Reserved1[24];
    PVOID Reserved2[4];
    CCHAR NumberOfProcessors;

} SYSTEM_BASIC_INFORMATION;

// One entry of the SystemModuleInformation result.  As main reads it, the
// buffer starts with a ULONG entry count followed immediately by that many
// of these structures; the count is kernel-supplied but the walk should still
// be bounded by the returned length.
// NOTE(review): ULONG Reserved[2] and the ULONG-sized count prefix match the
// 32-bit layout; on 64-bit builds the reserved fields are pointer-sized and
// the array is pointer-aligned after the count — confirm before reusing.
typedef struct tagSYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;               // kernel-mode load address of the module
    ULONG Size;               // image size in bytes
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;  // presumably the offset of the file-name part within ImageName
    CHAR ImageName[256];      // fixed-size field; do not assume NUL termination
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  
// Signature of the ntdll export that main resolves at run time with
// GetProcAddress; parameters as in the ZwQuerySystemInformation prototype.
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
  
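// Print a readable name for the NTSTATUS values this sample distinguishes.
static void PrintStatus(NTSTATUS status)
{
    if (status == STATUS_UNSUCCESSFUL) {
        printf("\n STATUS_UNSUCCESSFUL");
    } else if (status == STATUS_NOT_IMPLEMENTED) {
        printf("\n STATUS_NOT_IMPLEMENTED");
    } else if (status == STATUS_INVALID_INFO_CLASS) {
        printf("\n STATUS_INVALID_INFO_CLASS");
    } else if (status == STATUS_INFO_LENGTH_MISMATCH) {
        printf("\n STATUS_INFO_LENGTH_MISMATCH");
    } else {
        printf("\n NTSTATUS 0x%08lX", (unsigned long)status);
    }
}

// Query one information class into a freshly allocated buffer.
//
// The byte count reported by the probe call (NULL buffer, length 0) is only a
// hint: the process or module list can grow between that call and the real
// one, so the query is retried with a larger buffer for as long as the kernel
// answers STATUS_INFO_LENGTH_MISMATCH, instead of trusting the hint once.
//
// Returns the buffer (the caller releases it with delete[]) and stores the
// number of valid bytes in *pcbData; returns NULL and stores the failing
// status in *pStatus otherwise.
static BYTE *QuerySystemInfo(NTQUERYSYSTEMINFORMATION pfnQuery,
                             SYSTEM_INFORMATION_CLASS infoClass,
                             DWORD *pcbData, NTSTATUS *pStatus)
{
    BYTE *pBuffer = NULL;
    DWORD cbBuffer = 0;
    NTSTATUS status = pfnQuery(infoClass, NULL, 0, &cbBuffer);
    while (status == STATUS_INFO_LENGTH_MISMATCH) {
        delete[] pBuffer;
        // some classes leave ReturnLength at 0 on a mismatch; always grow so
        // the loop makes progress and a list that grew meanwhile still fits
        cbBuffer += 4096;
        pBuffer = new BYTE[cbBuffer];
        status = pfnQuery(infoClass, (PVOID)pBuffer, cbBuffer, &cbBuffer);
    }
    *pStatus = status;
    if (status != STATUS_SUCCESS) {
        delete[] pBuffer;
        return NULL;
    }
    // on success cbBuffer is either the bytes written (ReturnLength) or, if
    // the class does not report it, the buffer size — either way an upper
    // bound for walking the data
    *pcbData = cbBuffer;
    return pBuffer;
}

// Sample driver: processor count, process list and kernel module list via
// ZwQuerySystemInformation.  Returns 0 on success, -1 when ntdll or the export
// cannot be resolved.
int main(void)
{
    // GetModuleHandle does not add a reference to the module, so the handle
    // is deliberately not paired with FreeLibrary (doing so would unbalance
    // the reference count of a module this program never loaded itself).
    HINSTANCE ntdll_dll = GetModuleHandle("ntdll.dll");

    if (ntdll_dll == NULL) {
        printf("load ntdll.dll failed.\n");
        return -1;
    }

    NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
        (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf("Get ZwQuerySystemInformation address error!");
        return -1;
    }

    // --- processor count ---------------------------------------------------
    SYSTEM_BASIC_INFORMATION sbi = {0};
    NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, (PVOID)&sbi, sizeof(sbi), NULL);
    if (status == STATUS_SUCCESS) {
        printf("处理器个数:%d\r\n", sbi.NumberOfProcessors);
    } else {
        printf("\r\n SystemBasicInformation error");
    }

    DWORD cbData = 0;
    BYTE *pBuffer = NULL;

    // --- process list ------------------------------------------------------
    printf("---------------------所有进程信息----------------------------------------\n");
    pBuffer = QuerySystemInfo(ZwQuerySystemInformation, SystemProcessesAndThreadsInformation, &cbData, &status);
    if (pBuffer != NULL) {
        const BYTE *pEnd = pBuffer + cbData;
        PSYSTEM_PROCESSES psp = (PSYSTEM_PROCESSES)pBuffer;
        printf("PID  线程数 工作集大小 进程名\n");
        for (;;) {
            // every entry has at least the fixed part before the thread array;
            // stop if NextEntryDelta pointed past the data the kernel wrote
            if ((const BYTE *)psp + offsetof(SYSTEM_PROCESSES, Threads) > pEnd) {
                break;
            }
            printf("%-4lu", psp->ProcessId);
            printf(" %-6lu", psp->ThreadCount);
            printf(" %luKB", psp->VmCounters.WorkingSetSize / 1024);
            // ProcessName is a counted string (Length in bytes) and Buffer can
            // be NULL (e.g. the Idle process), so neither a terminator nor a
            // non-NULL pointer is assumed
            printf(" %.*ls\n",
                   (int)(psp->ProcessName.Length / sizeof(WCHAR)),
                   psp->ProcessName.Buffer ? psp->ProcessName.Buffer : L"");
            // the last entry has NextEntryDelta == 0; test before advancing so
            // it is printed too (a do/while that advances first drops it)
            if (psp->NextEntryDelta == 0) {
                break;
            }
            // advance through a byte pointer: casting the pointer to ULONG
            // truncates the address on 64-bit builds
            psp = (PSYSTEM_PROCESSES)((BYTE *)psp + psp->NextEntryDelta);
        }
        delete[] pBuffer;
        pBuffer = NULL;
    } else {
        PrintStatus(status);
    }

    // --- loaded kernel modules ---------------------------------------------
    printf("---------------------系统模块信息----------------------------------------\n");
    pBuffer = QuerySystemInfo(ZwQuerySystemInformation, SystemModuleInformation, &cbData, &status);
    if (pBuffer != NULL) {
        // the buffer is a ULONG count followed by `count` entries; the count
        // is clamped to what the returned length can hold so a short buffer
        // never drives pmi past the end
        ULONG count = 0;
        if (cbData >= sizeof(ULONG)) {
            count = *(ULONG *)pBuffer;
            ULONG maxCount = (ULONG)((cbData - sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION));
            if (count > maxCount) {
                count = maxCount;
            }
        }
        printf("模块数:%lu\n", count);
        printf("基地址 模块大小 引用计数 模块路径\n");
        PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
        for (ULONG i = 0; i < count; i++, pmi++) {
            printf("0x%p ", pmi->Base);
            printf("%luKB ", pmi->Size / 1024);
            printf("%u ", pmi->LoadCount);
            // ImageName is a fixed 256-byte field; bound the read in case it
            // is not NUL-terminated
            printf("%.256s\n", pmi->ImageName);
        }
        delete[] pBuffer;
        pBuffer = NULL;
    } else {
        PrintStatus(status);
    }

    return 0;
}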

此博客非原创.是自己用到的时候查询了一下.觉得有用.所以拷贝到自己博客上.原博客链接 https://www.cnblogs.com/wuliqv/archive/2012/06/20/2557009.html
