c语言 ZwQuerySystemInformation查看进程信息

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
/* NTSTATUS codes used by main(); NTSTATUS itself is typedef'd further down, which is
   fine because a macro body is only expanded where the macro is used. */
#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)
/* Returned when the caller's buffer is too small; the caller re-queries with the reported length. */
#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)
/* Counted wide string, same shape as the SDK's UNICODE_STRING.
   NOTE(review): per the SDK, Length/MaximumLength are byte counts and Buffer is not
   guaranteed to be NUL-terminated — printing Buffer with a plain %ws is not safe. */
typedef struct _LSA_UNICODE_STRING
{
    USHORT Length;          /* bytes in use, not characters */
    USHORT MaximumLength;   /* bytes available in Buffer */
    PWSTR Buffer;           /* may be NULL when Length is 0 */

} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

/* One record of the SystemProcessInformation (class 5) result; records are chained by
   NextEntryOffset and the per-thread data follows each record.
   NOTE(review): this hand-declared layout matches the 32-bit (win32) build this post
   targets; in the real structure several fields below are pointer-sized, so the offsets
   do not hold on x64 — verify before reusing. */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;          /* byte offset from this record to the next; 0 on the last record */
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;     /* image name; what main() prints */
    long BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;   /* parent PID at creation time */
    ULONG HandleCount;
    ULONG Reserved2[2];
    SIZE_T  VmCounters;
    IO_COUNTERS IoCounters;
    LARGE_INTEGER Threads[1];       /* placeholder for the trailing per-thread records; unused here */
} SYSTEM_PROCESS_INFORMATION,*PSYSTEM_PROCESS_INFORMATION;

/* Native API status type (LONG; negative values are failures). */
typedef LONG NTSTATUS;

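/**
 * getAPIAddress - look up an exported function by module name and export name.
 *
 * moduleName: name of a module that is already loaded in this process.
 * wFuncName:  export name as a wide string; converted to ANSI because
 *             GetProcAddress only accepts ANSI names. Assumes a Unicode
 *             (wide-character) build, as the post states, so TCHAR is WCHAR.
 *
 * Returns the export's address, or:
 *   (FARPROC)-1  the module is not loaded (GetModuleHandle failed);
 *   NULL         the name could not be converted or the export does not exist.
 * Callers must therefore test the result against both NULL and (FARPROC)-1
 * before calling through it. (The original comment described the sentinels
 * as 1/0, which did not match the code.)
 */
FARPROC getAPIAddress(const TCHAR * moduleName, const TCHAR * wFuncName){
    char funcName[MAX_PATH] = {0,};

    /* A failed or empty conversion would otherwise silently look up "" and
       return NULL from GetProcAddress; make that failure explicit. */
    if (WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)wFuncName, -1, funcName, MAX_PATH, NULL, NULL) == 0)
        return NULL;

    /* GetModuleHandle does not add a reference, so there is nothing to release. */
    HMODULE hKer = GetModuleHandle(moduleName);
    if (!hKer)
        return (FARPROC)-1;   /* original sentinel kept for compatibility with existing callers */
    return GetProcAddress(hKer, funcName);
}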
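/* Information class for NtQuerySystemInformation (SystemProcessInformation); the original passed a bare 5. */
enum { SYSTEM_PROCESS_INFORMATION_CLASS = 5 };

/* Signature of ntdll!NtQuerySystemInformation as used here (win32 build, per the post). */
typedef long (WINAPI *QuerySystemInformationFn)(UINT, PVOID, ULONG, PULONG);

/*
 * Fetch the SystemProcessInformation block into a malloc'd buffer.
 *
 * The length reported by a probe call is only a snapshot: processes can start
 * between the probe and the real call, so the buffer keeps growing while ntdll
 * answers STATUS_INFO_LENGTH_MISMATCH, each round asking for strictly more than
 * before. (The original allocated once with the probe length and gave up on a
 * second mismatch; it also used C++ `new` in a C listing.)
 *
 * query:  resolved NtQuerySystemInformation pointer (must not be NULL).
 * outLen: receives the size of the returned buffer in bytes.
 * Returns the buffer (caller frees it) or NULL if the call failed or memory ran out.
 */
static BYTE *queryProcessList(QuerySystemInformationFn query, ULONG *outLen)
{
    BYTE *buf = NULL;
    ULONG len = 0;
    ULONG needed = 0;
    NTSTATUS result = query(SYSTEM_PROCESS_INFORMATION_CLASS, NULL, 0, &needed);

    while (result == STATUS_INFO_LENGTH_MISMATCH) {
        /* Grow monotonically: at least the reported size, plus slack for processes
           created between calls, and always more than the previous attempt. */
        ULONG base = needed > len ? needed : len;
        len = base + 4096;
        BYTE *tmp = (BYTE *)realloc(buf, len);   /* buf stays valid if realloc fails */
        if (!tmp) {
            free(buf);
            return NULL;
        }
        buf = tmp;
        result = query(SYSTEM_PROCESS_INFORMATION_CLASS, buf, len, &needed);
    }
    if (result != STATUS_SUCCESS) {
        free(buf);
        return NULL;
    }
    *outLen = len;
    return buf;
}

/*
 * Print the image name of every process via ntdll!NtQuerySystemInformation.
 * Returns 0 on success, 1 if the export could not be resolved or the query failed.
 */
int main(void)
{
    /* getAPIAddress reports a missing module as (FARPROC)-1 and a missing export
       as NULL; the original called through the result unchecked. */
    FARPROC raw = getAPIAddress(L"ntdll.dll", L"NtQuerySystemInformation");
    if (raw == NULL || raw == (FARPROC)-1) {
        fprintf(stderr, "NtQuerySystemInformation not found\n");
        return 1;
    }
    QuerySystemInformationFn ZwQuerySystemInformation = (QuerySystemInformationFn)raw;

    ULONG len = 0;
    BYTE *pBuf = queryProcessList(ZwQuerySystemInformation, &len);
    if (!pBuf) {
        fprintf(stderr, "NtQuerySystemInformation failed\n");
        return 1;
    }

    /* Records are chained by NextEntryOffset, a byte offset from the current record
       (0 marks the last one). Step with BYTE* arithmetic — the original cast the
       pointer to ULONG, which truncates on x64 — and never follow an offset that
       would point outside the buffer or leave less than one record in it. */
    ULONG off = 0;
    while (len >= sizeof(SYSTEM_PROCESS_INFORMATION) &&
           off <= len - sizeof(SYSTEM_PROCESS_INFORMATION)) {
        PSYSTEM_PROCESS_INFORMATION spi = (PSYSTEM_PROCESS_INFORMATION)(pBuf + off);

        /* ProcessName is a counted string: Length is in bytes, Buffer is not
           guaranteed to be NUL-terminated and is NULL for the idle process,
           so bound the print by Length instead of trusting a terminator. */
        const WCHAR *name = spi->ProcessName.Buffer ? spi->ProcessName.Buffer : L"";
        printf(" %.*ws\n", (int)(spi->ProcessName.Length / sizeof(WCHAR)), name);

        ULONG next = spi->NextEntryOffset;
        if (next == 0 || next > len - off)
            break;
        off += next;
    }

    free(pBuf);
    return 0;
}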

运行环境：win32；编译环境：vs2010（宽字符）
