(转)SystemProcessesAndThreadsInformation
http://hi.baidu.com/hanjdud8606/item/7a970408a95acc843d42e27f
/* Native query entry point exported by ntdll.dll (the same export is also
 * reachable as NtQuerySystemInformation).  Returns an NTSTATUS: negative
 * values are failures, so the result must be checked before the buffer is
 * read.  NOTE(review): per the NtQuerySystemInformation documentation the
 * call fails with STATUS_INFO_LENGTH_MISMATCH when the buffer is too small
 * and ReturnLength (when non-NULL) receives the size required; a caller
 * should loop on that status rather than guess a fixed buffer size. */
NTSTATUS NTAPI ZwQuerySystemInformation(
    ULONG SystemInformationClass,   /* which SYSTEM_INFORMATION_CLASS to query */
    PVOID SystemInformation,        /* caller-supplied output buffer */
    ULONG SystemInformationLength,  /* size of that buffer, in bytes */
    PULONG ReturnLength             /* optional: bytes written, or bytes required on
                                       STATUS_INFO_LENGTH_MISMATCH */
);
第一个参数是一个枚举值，指明要查询的信息类型；要查询进程相关信息，应传入 SystemProcessesAndThreadsInformation（值为 5，对应 SDK 头文件 winternl.h 中的 SystemProcessInformation）。以下是这个 enum 类型的定义；其中的名称沿用早期非官方资料，并非 SDK 头文件中的正式名称。
/* Information classes accepted by ZwQuerySystemInformation.  The numeric
 * value of each enumerator is what the kernel actually dispatches on, so the
 * values are written out explicitly here instead of being implied by order;
 * adding or removing a name can then never silently renumber the rest.  The
 * names are the ones used by the original article; the SDK's winternl.h uses
 * different names for several of them (class 5 is SystemProcessInformation
 * there).  NOTE(review): the "Y N" pair after each value is carried over from
 * the source list and appears to mark queryable / settable, but the text
 * does not say so — confirm before relying on it. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation               =  0, /* Y N   */
    SystemProcessorInformation           =  1, /* Y N   */
    SystemPerformanceInformation         =  2, /* Y N   */
    SystemTimeOfDayInformation           =  3, /* Y N   */
    SystemNotImplemented1                =  4, /* Y N   */
    SystemProcessesAndThreadsInformation =  5, /* Y N   */
    SystemCallCounts                     =  6, /* Y N   */
    SystemConfigurationInformation       =  7, /* Y N   */
    SystemProcessorTimes                 =  8, /* Y N   */
    SystemGlobalFlag                     =  9, /* Y Y   */
    SystemNotImplemented2                = 10, /* Y N   */
    SystemModuleInformation              = 11, /* Y N   */
    SystemLockInformation                = 12, /* Y N   */
    SystemNotImplemented3                = 13, /* Y N   */
    SystemNotImplemented4                = 14, /* Y N   */
    SystemNotImplemented5                = 15, /* Y N   */
    SystemHandleInformation              = 16, /* Y N   */
    SystemObjectInformation              = 17, /* Y N   */
    SystemPagefileInformation            = 18, /* Y N   */
    SystemInstructionEmulationCounts     = 19, /* Y N   */
    SystemInvalidInfoClass1              = 20, /*       */
    SystemCacheInformation               = 21, /* Y Y   */
    SystemPoolTagInformation             = 22, /* Y N   */
    SystemProcessorStatistics            = 23, /* Y N   */
    SystemDpcInformation                 = 24, /* Y Y   */
    SystemNotImplemented6                = 25, /* Y N   */
    SystemLoadImage                      = 26, /* N Y   */
    SystemUnloadImage                    = 27, /* N Y   */
    SystemTimeAdjustment                 = 28, /* Y Y   */
    SystemNotImplemented7                = 29, /* Y N   */
    SystemNotImplemented8                = 30, /* Y N   */
    SystemNotImplemented9                = 31, /* Y N   */
    SystemCrashDumpInformation           = 32, /* Y N   */
    SystemExceptionInformation           = 33, /* Y N   */
    SystemCrashDumpStateInformation      = 34, /* Y Y/N */
    SystemKernelDebuggerInformation      = 35, /* Y N   */
    SystemContextSwitchInformation       = 36, /* Y N   */
    SystemRegistryQuotaInformation       = 37, /* Y Y   */
    SystemLoadAndCallImage               = 38, /* N Y   */
    SystemPrioritySeparation             = 39, /* N Y   */
    SystemNotImplemented10               = 40, /* Y N   */
    SystemNotImplemented11               = 41, /* Y N   */
    SystemInvalidInfoClass2              = 42, /*       */
    SystemInvalidInfoClass3              = 43, /*       */
    SystemTimeZoneInformation            = 44, /* Y N   */
    SystemLookasideInformation           = 45, /* Y N   */
    SystemSetTimeSlipEvent               = 46, /* N Y   */
    SystemCreateSession                  = 47, /* N Y   */
    SystemDeleteSession                  = 48, /* N Y   */
    SystemInvalidInfoClass4              = 49, /*       */
    SystemRangeStartInformation          = 50, /* Y N   */
    SystemVerifierInformation            = 51, /* Y Y   */
    SystemAddVerifier                    = 52, /* N Y   */
    SystemSessionProcessesInformation    = 53  /* Y N   */
} SYSTEM_INFORMATION_CLASS;
当第一个参数传入 SystemProcessesAndThreadsInformation 时，系统会把一串 SYSTEM_PROCESSES 结构（每个进程一个，首尾相接）写入 SystemInformation 指向的缓冲区。缓冲区不够大时调用会失败并返回 STATUS_INFO_LENGTH_MISMATCH，所需长度通过 ReturnLength 给出；此时缓冲区中的内容不可用，不能直接按下面的结构去解析。
/* One per-process record as returned for SystemProcessesAndThreadsInformation.
 * Records are laid end to end in the caller's buffer; NextEntryDelta is the
 * byte distance to the next record (0 marks the last one), and the variable-
 * length Threads[] array follows the fixed part.  NOTE(review): this is the
 * 32-bit layout from the article's reference material; on 64-bit Windows the
 * process ids are pointer-sized and several fields are aligned differently, so
 * compare with SYSTEM_PROCESS_INFORMATION in winternl.h before reusing it. */
typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;            /* byte offset to the next record; 0 = last */
    ULONG ThreadCount;               /* number of entries in Threads[] */
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;        /* process creation time */
    LARGE_INTEGER UserTime;          /* CPU time spent in user mode (ring 3) */
    LARGE_INTEGER KernelTime;        /* CPU time spent in kernel mode (ring 0) */
    UNICODE_STRING ProcessName;      /* image name; counted string, not NUL-terminated */
    KPRIORITY BasePriority;          /* base scheduling priority */
    ULONG ProcessId;                 /* process identifier */
    ULONG InheritedFromProcessId;    /* parent process identifier */
    ULONG HandleCount;               /* open handle count */
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;          /* virtual memory counters */
    IO_COUNTERS IoCounters;          /* I/O counters */
    SYSTEM_THREADS Threads[1];       /* ThreadCount per-thread records follow here */
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
要遍历系统中的进程，只需沿着 NextEntryDelta 逐项前进即可。注意 NextEntryDelta 不是指针，而是从当前结构起始处到下一个结构的字节偏移量，为 0 表示这是最后一项；遍历前应先确认调用成功，且每一步都不应越过缓冲区中已填充的范围。
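/*
 * Example: enumerate processes via ZwQuerySystemInformation with
 * SystemProcessesAndThreadsInformation (class 5) and print each
 * process id with its image name.
 *
 * The walk over the returned buffer is only safe if the call succeeded:
 * a too-small buffer yields STATUS_INFO_LENGTH_MISMATCH and leaves the
 * (malloc'd, uninitialised) buffer unfilled, so the buffer is sized from
 * ReturnLength in a retry loop, the status is checked, and every record
 * is bounds-checked against the filled region before it is read.
 */
#include <windows.h>
#include <ntsecapi.h>   /* UNICODE_STRING without pulling in winternl.h */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
#endif

/* ZwQuerySystemInformation is resolved from ntdll.dll at run time.  It
 * returns an NTSTATUS (a LONG): negative values are failures. */
typedef LONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);

/* Fixed part of one process record, 32-bit layout.  Only the fields up to
 * InheritedFromProcessId are read below.  The tail (VmCounters,
 * dCommitCharge, ThreadInfos) is kept from the original sample so that
 * sizeof() stays a conservative lower bound on a record's fixed part; it is
 * NOT the real layout of the rest of the record and must not be dereferenced.
 * NOTE(review): on 64-bit Windows the process ids are pointer-sized and the
 * fields after ProcessName are aligned differently, so this struct is not
 * usable there as-is — compare with SYSTEM_PROCESS_INFORMATION in winternl.h. */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    DWORD NextEntryDelta;           /* byte offset to the next record; 0 = last */
    DWORD ThreadCount;
    DWORD Reserved1[6];
    FILETIME ftCreateTime;
    FILETIME ftUserTime;
    FILETIME ftKernelTime;
    UNICODE_STRING ProcessName;     /* counted string; Buffer is NULL for the idle process */
    DWORD BasePriority;
    DWORD ProcessId;
    DWORD InheritedFromProcessId;   /* parent process id */
    DWORD HandleCount;
    DWORD Reserved2[2];
    DWORD VmCounters;
    DWORD dCommitCharge;
    PVOID ThreadInfos[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

#define SystemProcessesAndThreadsInformation 5

enum {
    INITIAL_BUFFER_SIZE = 0x20000,  /* first attempt; grown on length mismatch */
    BUFFER_SLACK        = 0x10000   /* headroom: the process list can grow between calls */
};

/* Entry point.  Returns 0 on success, 1 if ntdll could not be resolved,
 * allocation failed, or the query returned a failure status. */
int main(void)
{
    HMODULE hNtDLL = GetModuleHandleA("ntdll.dll");
    if (!hNtDLL) {
        return 1;
    }

    ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDLL, "ZwQuerySystemInformation");
    if (!ZwQuerySystemInformation) {
        return 1;
    }

    /* Grow the buffer until the call stops reporting a length mismatch.
     * ReturnLength describes the snapshot that just failed, so add slack and
     * loop instead of trusting it once. */
    DWORD cbBuffer = INITIAL_BUFFER_SIZE;
    DWORD cbReturned = 0;
    LPVOID pBuffer = NULL;
    LONG status;
    for (;;) {
        pBuffer = malloc(cbBuffer);
        if (pBuffer == NULL) {
            return 1;
        }
        cbReturned = 0;
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer, cbBuffer, &cbReturned);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        free(pBuffer);
        pBuffer = NULL;
        cbBuffer = (cbReturned > cbBuffer ? cbReturned : cbBuffer) + BUFFER_SLACK;
    }
    if (status < 0) {
        fprintf(stderr, "ZwQuerySystemInformation failed: 0x%08lX\n", (unsigned long)status);
        free(pBuffer);
        return 1;
    }
    if (cbReturned == 0 || cbReturned > cbBuffer) {
        /* Defensive: never walk past memory we own, whatever ReturnLength said. */
        cbReturned = cbBuffer;
    }

    /* Walk the chain of records.  Each record is checked to lie inside the
     * filled region before it is read, and a NextEntryDelta that would leave
     * that region ends the walk instead of reading out of bounds. */
    const unsigned char *base = (const unsigned char *)pBuffer;
    const uintptr_t lo = (uintptr_t)base;
    const uintptr_t hi = lo + cbReturned;
    DWORD offset = 0;
    for (;;) {
        if (offset > cbReturned ||
            cbReturned - offset < sizeof(SYSTEM_PROCESS_INFORMATION)) {
            break;
        }
        PSYSTEM_PROCESS_INFORMATION pInfo = (PSYSTEM_PROCESS_INFORMATION)(base + offset);

        /* ProcessName.Buffer normally points back into this same buffer and the
         * string is not NUL-terminated, so print exactly Length bytes and only
         * when the pointer and length stay inside the filled region. */
        const uintptr_t name = (uintptr_t)pInfo->ProcessName.Buffer;
        const int nameOk = name != 0 && name >= lo && name <= hi &&
                           hi - name >= pInfo->ProcessName.Length;
        if (nameOk) {
            printf("ProcessID: %lu (%.*ls)\n", (unsigned long)pInfo->ProcessId,
                   (int)(pInfo->ProcessName.Length / sizeof(WCHAR)),
                   pInfo->ProcessName.Buffer);
        } else {
            printf("ProcessID: %lu (<no name>)\n", (unsigned long)pInfo->ProcessId);
        }

        if (pInfo->NextEntryDelta == 0) {
            break;
        }
        if (pInfo->NextEntryDelta > cbReturned - offset) {
            break;  /* delta would step outside the filled region */
        }
        offset += pInfo->NextEntryDelta;
    }

    free(pBuffer);
    pBuffer = NULL;
    getchar();  /* pause so the console window stays open */
    return 0;
}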