NtQuerySystemInformation 枚举进程

函数原型:
 NTSTATUS WINAPI NtQuerySystemInformation(
    _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_   PVOID                    SystemInformation,
    _In_      ULONG                    SystemInformationLength,
    _Out_opt_ PULONG                   ReturnLength
    );

该函数未文档化,再ntdll.dll 中导出,
SYSTEM_INFORMATION_CLASS为要查询信息的类型,是一个枚举型的,其他参数不说了。
简单举一例说明。
这里我们要枚举的是SystemProcessInformation信息,
先看一下该结构体:
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;      //下一个结构的偏移量,最后一个偏移量为0
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;     //进程名
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;               //进程ID
    HANDLE InheritedFromUniqueProcessId;   //父进程ID
    ULONG HandleCount;
    ULONG SessionId;       //会话ID                    
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

#include "stdafx.h"
#include <Windows.h>
#include <winternl.h>
using namespace std;

typedef NTSTATUS (WINAPI *PFUN_NtQuerySystemInformation)(
	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_Inout_   PVOID                    SystemInformation,
	_In_      ULONG                    SystemInformationLength,
	_Out_opt_ PULONG                   ReturnLength
	);
int _tmain(int argc, _TCHAR* argv[])
{	
	PFUN_NtQuerySystemInformation pFun = NULL;
	pFun = (PFUN_NtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");

	char szInfo[0x20000] = { 0 };
	ULONG uReturnedLEngth = 0;
	NTSTATUS status = pFun(SystemProcessInformation, szInfo, sizeof(szInfo), &uReturnedLEngth);
	if (status != 0)
		return 0;
	PSYSTEM_PROCESS_INFORMATION pSystemInformation = (PSYSTEM_PROCESS_INFORMATION)szInfo;
	DWORD dwID = (DWORD)pSystemInformation->UniqueProcessId;
	HANDLE hHandle = NULL;
	PWCHAR pImageName = (PWCHAR)*(DWORD*)((PCHAR)pSystemInformation + 0x3c);
	printf("ProcessID: %d\tprocessName: %ws \n", dwID, pImageName);
	while (true)
	{
		if (pSystemInformation->NextEntryOffset == 0)
			break;

		pSystemInformation = (PSYSTEM_PROCESS_INFORMATION)((PCHAR)pSystemInformation + pSystemInformation->NextEntryOffset);
		dwID = (DWORD)pSystemInformation->UniqueProcessId;
		hHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwID);
		pImageName = (PWCHAR)*(DWORD*)((PCHAR)pSystemInformation + 0x3c);
		printf("ProcessID: %d\tprocessName: %ws \n", dwID, pImageName);
	}
        getchar();
}

结果如下:
NtQuerySystemInformation 枚举进程 - Prairie - work labor and play

posted on 2018-10-08 18:45  priarieNew  阅读(2400)  评论(0编辑  收藏  举报

导航