ZwQuerySystemInformation 查看系统进程信息
- #include <ntddk.h>
// Hand-copied (partial) list of the NT information classes accepted by
// ZwQuerySystemInformation. The value the kernel sees is the enumerator's
// ordinal position, so never reorder or insert entries: SystemProcessInformation
// must stay at 5. Only that class is used by this driver (Ring0EnumProcess);
// the rest are kept for completeness of the header. NOTE(review): newer WDKs
// declare this enum themselves - a redefinition here may clash with them.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation, // 5 - the only class this listing queries
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation2,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
// Per-thread record that follows each SYSTEM_PROCESS_INFORMATION header in the
// snapshot (NumberOfThreads of them, see the trailing Threads[] member).
// Not read anywhere in this listing; it is declared so that the process entry
// has a concrete element type for its variable-length tail.
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
ULONG State;
KWAIT_REASON WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
// One process entry of the SystemProcessInformation snapshot. Entries are
// variable-length and chained through NextEntryOffset (0 marks the last one).
// Only NextEntryOffset, ImageName and ProcessId are consumed by this driver
// (Ring0EnumProcess).
// NOTE(review): this is a hand-declared layout. Reserved[3] / Reserved2[2]
// stand in for fields newer WDKs name explicitly, and the sizes after
// HandleCount are presumably the 32-bit layout of the era - confirm against
// the target WDK before relying on VirtualMemoryCounters / IoCounters,
// especially on x64 builds.
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;       // byte offset from this entry to the next; 0 = end of list
ULONG NumberOfThreads;       // count of SYSTEM_THREAD_INFORMATION records in Threads[]
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;    // Buffer may be NULL (the enumerator guards for it) and is not guaranteed NUL-terminated: print with %wZ, not %S
KPRIORITY BasePriority;
HANDLE ProcessId;            // pointer-sized HANDLE, not an int - narrow explicitly before printing
HANDLE InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[0];  // zero-length trailing array (MS extension): NumberOfThreads records follow
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
// Without extern "C" the link step kept failing: this translation unit is
// compiled as C++ (extern "C" is C++-only syntax) while the kernel exports
// ZwQuerySystemInformation with C linkage.
// The first parameter is declared as ULONG rather than SYSTEM_INFORMATION_CLASS;
// the unscoped enum above converts to it implicitly.
// Must be called at IRQL == PASSIVE_LEVEL. ReturnLength is optional (may be
// NULL); when the buffer is too small the call fails with
// STATUS_INFO_LENGTH_MISMATCH and the caller has to retry with a larger buffer.
// NOTE(review): the SystemProcessInformation output format is only partially
// documented by Microsoft - hence the hand-declared structs above.
extern "C" NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
// DriverUnload callback. DriverEntry creates no device objects or symbolic
// links, so there is nothing to tear down here beyond a trace message.
VOID Unload( __in struct _DRIVER_OBJECT *DriverObject )
{
    UNREFERENCED_PARAMETER(DriverObject);   // no-op; silences the unused-parameter warning under /W4
    KdPrint(("unload ....."));
}
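// Pool tag for the process-snapshot buffer (shows reversed, as "Enmp", in !poolused).
#define PROC_ENUM_POOL_TAG 'pmnE'

/*
 * Ring0EnumProcess - log every process currently in the system.
 *
 * Queries ZwQuerySystemInformation(SystemProcessInformation), growing the
 * buffer until the snapshot fits, then walks the NextEntryOffset chain and
 * KdPrints "PID, image name" for each entry.
 *
 * Returns: STATUS_SUCCESS after a complete walk;
 *          STATUS_INSUFFICIENT_RESOURCES if the pool allocation fails;
 *          the NTSTATUS from ZwQuerySystemInformation on any other query failure;
 *          STATUS_UNSUCCESSFUL if an entry's NextEntryOffset points outside the buffer.
 * IRQL:    PASSIVE_LEVEL (required by ZwQuerySystemInformation; this also lets
 *          the buffer live in paged pool instead of the scarcer non-paged pool).
 *
 * Fixes relative to the original listing:
 *  - the snapshot buffer is now freed on the success path (it leaked on every call);
 *  - failures no longer return 1, a value NT_SUCCESS() accepts as success;
 *  - ImageName is printed with %wZ (bounded by UNICODE_STRING.Length) instead of
 *    %S on a buffer that is not guaranteed to be NUL-terminated;
 *  - ProcessId (a pointer-sized HANDLE) is no longer passed to %d;
 *  - NextEntryOffset is bounds-checked before it is followed;
 *  - the allocation is tagged so leaks are attributable in !poolused.
 */
NTSTATUS Ring0EnumProcess()
{
    ULONG    cbBuffer = 0x8000;   // 32 KiB first attempt; grown below
    ULONG    cbNeeded = 0;
    PVOID    pSystemInfo = NULL;
    NTSTATUS status = STATUS_SUCCESS;

    // Size the buffer. The process list can change between a size probe and
    // the real query, so loop on STATUS_INFO_LENGTH_MISMATCH rather than
    // trusting a single ReturnLength.
    for (;;)
    {
        pSystemInfo = ExAllocatePoolWithTag(PagedPool, cbBuffer, PROC_ENUM_POOL_TAG);
        if (pSystemInfo == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        cbNeeded = 0;
        status = ZwQuerySystemInformation(SystemProcessInformation, pSystemInfo, cbBuffer, &cbNeeded);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;  // success, or a failure that a bigger buffer will not cure
        }

        ExFreePoolWithTag(pSystemInfo, PROC_ENUM_POOL_TAG);
        pSystemInfo = NULL;
        // Prefer the kernel's own size hint plus slack for processes created
        // meanwhile; fall back to doubling if no usable hint was returned.
        cbBuffer = (cbNeeded > cbBuffer) ? cbNeeded + 0x1000 : cbBuffer * 2;
    }

    if (!NT_SUCCESS(status))
    {
        ExFreePoolWithTag(pSystemInfo, PROC_ENUM_POOL_TAG);
        return status;
    }

    // Walk the chained, variable-length entries (NumberOfThreads
    // SYSTEM_THREAD_INFORMATION records follow each header).
    {
        const PUCHAR pEnd = (PUCHAR)pSystemInfo + cbBuffer;
        PSYSTEM_PROCESS_INFORMATION pInfo = (PSYSTEM_PROCESS_INFORMATION)pSystemInfo;

        for (;;)
        {
            // HANDLE is pointer-sized; narrow explicitly to match the format string.
            ULONG pid = (ULONG)(ULONG_PTR)pInfo->ProcessId;

            if (pInfo->ImageName.Buffer == NULL)
            {
                // Entries without an image name are reported literally as NULL,
                // as the original listing did.
                KdPrint(("PID:%lu, process name:NULL\n", pid));
            }
            else
            {
                // %wZ honours ImageName.Length, so no NUL terminator is assumed.
                KdPrint(("PID:%lu, process name:%wZ\n", pid, &pInfo->ImageName));
            }

            if (pInfo->NextEntryOffset == 0)
            {
                break;  // last entry
            }

            // Defensive: the offset comes from the kernel, but never follow one
            // that would leave the pool block we own.
            {
                SIZE_T cbRemaining = (SIZE_T)(pEnd - (PUCHAR)pInfo);
                if (pInfo->NextEntryOffset > cbRemaining ||
                    cbRemaining - pInfo->NextEntryOffset < sizeof(SYSTEM_PROCESS_INFORMATION))
                {
                    KdPrint(("Ring0EnumProcess: NextEntryOffset 0x%lx leaves the buffer, aborting walk\n",
                             pInfo->NextEntryOffset));
                    status = STATUS_UNSUCCESSFUL;
                    break;
                }
            }
            pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryOffset);
        }
    }

    ExFreePoolWithTag(pSystemInfo, PROC_ENUM_POOL_TAG);
    return status;
}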
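// Driver entry point: registers the unload routine and runs the one-shot
// process enumeration. A failed enumeration is logged but does not fail the
// load, so the driver stays resident and Unload can still be exercised.
// RegistryPath is not used.
NTSTATUS DriverEntry( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = Unload;

    status = Ring0EnumProcess();
    if (!NT_SUCCESS(status))
    {
        // Previously the result was discarded; surface it so a failing
        // ZwQuerySystemInformation or allocation is visible in the debugger.
        KdPrint(("Ring0EnumProcess failed: 0x%08X\n", status));
    }

    return STATUS_SUCCESS;
}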