ZwQuerySystemInfoMation函数使用

ZwQueryInfoMation函数很简单.就是4个参数.

NTSTATUS WINAPI ZwQuerySystemInformation(
  _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
  _Inout_   PVOID                    SystemInformation,
  _In_      ULONG                    SystemInformationLength,
  _Out_opt_ PULONG                   ReturnLength
);

函数很简单.就4个参数. 参数已就是传个类型.代表你要查询什么类型.这个函数很强大.基本什么都是可以查询
参数2: 就是一个缓冲区.这个缓冲区是根据你查询的类型.当查询到数据.就会放到这个缓冲区.所以缓冲区可以接受你指定查询类型的数据.所以你想使用强转为一样的类型即可.
参数3: 缓冲区大小.
参数4: 返回大小

所以类别很多.但是MSDN不太全.看看下面吧. 可以定义类型.也有使用例子.

#include <stdio.h>   
#include <windows.h>   
  
typedef LONG NTSTATUS;   
  
#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)   
#define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)   
#define STATUS_NOT_IMPLEMENTED          ((NTSTATUS)0xC0000002L)   
#define STATUS_INVALID_INFO_CLASS       ((NTSTATUS)0xC0000003L)   
#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)   
  
typedef enum _SYSTEM_INFORMATION_CLASS   
{   
    SystemBasicInformation,                    //  0 Y N   
    SystemProcessorInformation,             //  1 Y N   
    SystemPerformanceInformation,           //  2 Y N   
    SystemTimeOfDayInformation,             //  3 Y N   
    SystemNotImplemented1,                  //  4 Y N   
    SystemProcessesAndThreadsInformation,   //  5 Y N   
    SystemCallCounts,                       //  6 Y N   
    SystemConfigurationInformation,         //  7 Y N   
    SystemProcessorTimes,                   //  8 Y N   
    SystemGlobalFlag,                       //  9 Y Y   
    SystemNotImplemented2,                  // 10 Y N   
    SystemModuleInformation,                // 11 Y N   
    SystemLockInformation,                  // 12 Y N   
    SystemNotImplemented3,                  // 13 Y N   
    SystemNotImplemented4,                  // 14 Y N   
    SystemNotImplemented5,                  // 15 Y N   
    SystemHandleInformation,                // 16 Y N   
    SystemObjectInformation,                // 17 Y N   
    SystemPagefileInformation,              // 18 Y N   
    SystemInstructionEmulationCounts,       // 19 Y N   
    SystemInvalidInfoClass1,                // 20   
    SystemCacheInformation,                 // 21 Y Y   
    SystemPoolTagInformation,               // 22 Y N   
    SystemProcessorStatistics,              // 23 Y N   
    SystemDpcInformation,                   // 24 Y Y   
    SystemNotImplemented6,                  // 25 Y N   
    SystemLoadImage,                        // 26 N Y   
    SystemUnloadImage,                      // 27 N Y   
    SystemTimeAdjustment,                   // 28 Y Y   
    SystemNotImplemented7,                  // 29 Y N   
    SystemNotImplemented8,                  // 30 Y N   
    SystemNotImplemented9,                  // 31 Y N   
    SystemCrashDumpInformation,             // 32 Y N   
    SystemExceptionInformation,             // 33 Y N   
    SystemCrashDumpStateInformation,        // 34 Y Y/N   
    SystemKernelDebuggerInformation,        // 35 Y N   
    SystemContextSwitchInformation,         // 36 Y N   
    SystemRegistryQuotaInformation,         // 37 Y Y   
    SystemLoadAndCallImage,                 // 38 N Y   
    SystemPrioritySeparation,               // 39 N Y   
    SystemNotImplemented10,                 // 40 Y N   
    SystemNotImplemented11,                 // 41 Y N   
    SystemInvalidInfoClass2,                // 42   
    SystemInvalidInfoClass3,                // 43   
    SystemTimeZoneInformation,              // 44 Y N   
    SystemLookasideInformation,             // 45 Y N   
    SystemSetTimeSlipEvent,                 // 46 N Y   
    SystemCreateSession,                    // 47 N Y   
    SystemDeleteSession,                    // 48 N Y   
    SystemInvalidInfoClass4,                // 49   
    SystemRangeStartInformation,            // 50 Y N   
    SystemVerifierInformation,              // 51 Y Y   
    SystemAddVerifier,                      // 52 N Y   
    SystemSessionProcessesInformation       // 53 Y N   
  
} SYSTEM_INFORMATION_CLASS;   
  
typedef struct _LSA_UNICODE_STRING   
{   
    USHORT Length;   
    USHORT MaximumLength;   
    PWSTR Buffer;   
       
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;   
  
typedef struct _CLIENT_ID   
{   
    HANDLE UniqueProcess;   
    HANDLE UniqueThread;   
  
} CLIENT_ID;   
  
typedef enum _THREAD_STATE   
{   
    StateInitialized,   
    StateReady,   
    StateRunning,   
    StateStandby,   
    StateTerminated,   
    StateWait,   
    StateTransition,   
    StateUnknown   
  
} THREAD_STATE;   
  
typedef enum _KWAIT_REASON   
{   
    Executive,   
    FreePage,   
    PageIn,   
    PoolAllocation,   
    DelayExecution,   
    Suspended,   
    UserRequest,   
    WrExecutive,   
    WrFreePage,   
    WrPageIn,   
    WrPoolAllocation,   
    WrDelayExecution,   
    WrSuspended,   
    WrUserRequest,   
    WrEventPair,   
    WrQueue,   
    WrLpcReceive,   
    WrLpcReply,   
    WrVirtualMemory,   
    WrPageOut,   
    WrRendezvous,   
    Spare2,   
    Spare3,   
    Spare4,   
    Spare5,   
    Spare6,   
    WrKernel   
  
} KWAIT_REASON;   
  
/*typedef struct _IO_COUNTERS   
{   
    LARGE_INTEGER ReadOperationCount;   //I/O读操作数目   
    LARGE_INTEGER WriteOperationCount;  //I/O写操作数目   
    LARGE_INTEGER OtherOperationCount;  //I/O其他操作数目   
    LARGE_INTEGER ReadTransferCount;    //I/O读数据数目   
    LARGE_INTEGER WriteTransferCount;   //I/O写数据数目   
    LARGE_INTEGER OtherTransferCount;   //I/O其他操作数据数目   
  
} IO_COUNTERS, *PIO_COUNTERS;   
  */
typedef struct _VM_COUNTERS   
{   
    ULONG PeakVirtualSize;              //虚拟存储峰值大小   
    ULONG VirtualSize;                  //虚拟存储大小   
    ULONG PageFaultCount;               //页故障数目   
    ULONG PeakWorkingSetSize;           //工作集峰值大小   
    ULONG WorkingSetSize;               //工作集大小   
    ULONG QuotaPeakPagedPoolUsage;      //分页池使用配额峰值   
    ULONG QuotaPagedPoolUsage;          //分页池使用配额   
    ULONG QuotaPeakNonPagedPoolUsage;   //非分页池使用配额峰值   
    ULONG QuotaNonPagedPoolUsage;       //非分页池使用配额   
    ULONG PagefileUsage;                //页文件使用情况   
    ULONG PeakPagefileUsage;            //页文件使用峰值   
  
} VM_COUNTERS, *PVM_COUNTERS;   
  
typedef LONG KPRIORITY;   
  
typedef struct _SYSTEM_THREADS   
{   
    LARGE_INTEGER KernelTime;   
    LARGE_INTEGER UserTime;   
    LARGE_INTEGER CreateTime;   
    ULONG WaitTime;   
    PVOID StartAddress;   
    CLIENT_ID ClientId;   
    KPRIORITY Priority;   
    KPRIORITY BasePriority;   
    ULONG ContextSwitchCount;   
    THREAD_STATE State;   
    KWAIT_REASON WaitReason;   
  
} SYSTEM_THREADS, *PSYSTEM_THREADS;   
  
typedef struct _SYSTEM_PROCESSES   
{   
    ULONG NextEntryDelta;   
    ULONG ThreadCount;   
    ULONG Reserved1[6];   
    LARGE_INTEGER CreateTime;   
    LARGE_INTEGER UserTime;   
    LARGE_INTEGER KernelTime;   
    UNICODE_STRING ProcessName;   
    KPRIORITY BasePriority;   
    ULONG ProcessId;   
    ULONG InheritedFromProcessId;   
    ULONG HandleCount;   
    ULONG Reserved2[2];   
    VM_COUNTERS  VmCounters;   
    IO_COUNTERS IoCounters;   
    SYSTEM_THREADS Threads[1];   
  
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;   
  
typedef struct _SYSTEM_BASIC_INFORMATION   
{   
    BYTE Reserved1[24];   
    PVOID Reserved2[4];   
    CCHAR NumberOfProcessors;   
  
} SYSTEM_BASIC_INFORMATION;   

typedef struct tagSYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);   
  
int main(void)   
{   

    HINSTANCE ntdll_dll = GetModuleHandle("ntdll.dll");

    if (ntdll_dll == NULL) {
        printf("load ntdll.dll failed.\n");
        return -1;
    }  

    NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
    
    ZwQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");   
    if ( ZwQuerySystemInformation!=NULL )   
    {   
        SYSTEM_BASIC_INFORMATION sbi = {0};   
        NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, (PVOID)&sbi, sizeof(sbi), NULL);   
        if ( status == STATUS_SUCCESS ) {   
            printf("处理器个数:%d\r\n", sbi.NumberOfProcessors);   
        } else {   
            printf("\r\n SystemBasicInformation error");   
        }   
        
        DWORD dwNeedSize = 0;
        BYTE *pBuffer = NULL;

        printf("---------------------所有进程信息----------------------------------------\n");   
        PSYSTEM_PROCESSES psp=NULL;
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);   
        if ( status == STATUS_INFO_LENGTH_MISMATCH ) {   
            pBuffer = new BYTE[dwNeedSize];   
            status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, NULL);   
            if ( status == STATUS_SUCCESS )   
            {   
                psp = (PSYSTEM_PROCESSES)pBuffer;
                printf("PID  线程数 工作集大小 进程名\n");
                do {   
                    printf("%-4d", psp->ProcessId);
                    printf(" %3d", psp->ThreadCount);   
                    printf(" %8dKB", psp->VmCounters.WorkingSetSize/1024);
                    wprintf(L" %s\n", psp->ProcessName.Buffer);
                    psp = (PSYSTEM_PROCESSES)((ULONG)psp + psp->NextEntryDelta );   
                } while ( psp->NextEntryDelta != 0 ); 
                
                delete []pBuffer;   
                pBuffer = NULL;   
            }else if ( status == STATUS_UNSUCCESSFUL ) {   
                printf("\n STATUS_UNSUCCESSFUL");   
            } else if ( status == STATUS_NOT_IMPLEMENTED ) {
                printf("\n STATUS_NOT_IMPLEMENTED");
            } else if ( status == STATUS_INVALID_INFO_CLASS ) {   
                printf("\n STATUS_INVALID_INFO_CLASS");
            } else if ( status == STATUS_INFO_LENGTH_MISMATCH ) {   
                printf("\n STATUS_INFO_LENGTH_MISMATCH");
            }    
        }   

        printf("---------------------系统模块信息----------------------------------------\n");   
        status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &dwNeedSize);
        if (status == STATUS_INFO_LENGTH_MISMATCH) {        
            pBuffer = new BYTE[dwNeedSize];
            status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, dwNeedSize, &dwNeedSize);
            if (status == STATUS_SUCCESS) {
                UINT count = *((UINT*)pBuffer);
                printf("模块数:%d\n", count);
                printf("基地址 模块大小 引用计数 模块路径\n");
                PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
                for (UINT i = 0; i < count; i++) {
                    printf("0x%08X ", pmi->Base);
                    printf("%8dKB ", pmi->Size / 1024);
                    printf("%2d ", pmi->LoadCount);
                    printf("%s\n", pmi->ImageName);
                    pmi++;
                }
            }
            delete []pBuffer;
        }


    } else {   
        printf("Get ZwQuerySystemInformation address error!");
    }   
           
    FreeLibrary(ntdll_dll);   
       
    return 0;

此博客非原创.是自己用到的时候查询了一下.觉得有用.所以拷贝到自己博客上.原博客链接
https://www.cnblogs.com/wuliqv/archive/2012/06/20/2557009.html

posted @ 2019-06-23 16:25  iBinary  阅读(1387)  评论(0编辑  收藏  举报