ZwQueryInfoMation函数很简单.就是4个参数.
NTSTATUS WINAPI ZwQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
函数很简单.就4个参数. 参数已就是传个类型.代表你要查询什么类型.这个函数很强大.基本什么都是可以查询
参数2: 就是一个缓冲区.这个缓冲区是根据你查询的类型.当查询到数据.就会放到这个缓冲区.所以缓冲区可以接受你指定查询类型的数据.所以你想使用强转为一样的类型即可.
参数3: 缓冲区大小.
参数4: 返回大小
所以类别很多.但是MSDN不太全.看看下面吧. 可以定义类型.也有使用例子.
#include <stdio.h> #include <windows.h>typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N} SYSTEM_INFORMATION_CLASS;
typedef struct _LSA_UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;} CLIENT_ID;
typedef enum _THREAD_STATE
{
StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown} THREAD_STATE;
typedef enum _KWAIT_REASON
{
Executive,
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
Spare5,
Spare6,
WrKernel} KWAIT_REASON;
/*typedef struct _IO_COUNTERS
{
LARGE_INTEGER ReadOperationCount; //I/O读操作数目
LARGE_INTEGER WriteOperationCount; //I/O写操作数目
LARGE_INTEGER OtherOperationCount; //I/O其他操作数目
LARGE_INTEGER ReadTransferCount; //I/O读数据数目
LARGE_INTEGER WriteTransferCount; //I/O写数据数目
LARGE_INTEGER OtherTransferCount; //I/O其他操作数据数目} IO_COUNTERS, *PIO_COUNTERS;
*/
typedef struct _VM_COUNTERS
{
ULONG PeakVirtualSize; //虚拟存储峰值大小
ULONG VirtualSize; //虚拟存储大小
ULONG PageFaultCount; //页故障数目
ULONG PeakWorkingSetSize; //工作集峰值大小
ULONG WorkingSetSize; //工作集大小
ULONG QuotaPeakPagedPoolUsage; //分页池使用配额峰值
ULONG QuotaPagedPoolUsage; //分页池使用配额
ULONG QuotaPeakNonPagedPoolUsage; //非分页池使用配额峰值
ULONG QuotaNonPagedPoolUsage; //非分页池使用配额
ULONG PagefileUsage; //页文件使用情况
ULONG PeakPagefileUsage; //页文件使用峰值} VM_COUNTERS, *PVM_COUNTERS;
typedef LONG KPRIORITY;
typedef struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
THREAD_STATE State;
KWAIT_REASON WaitReason;} SYSTEM_THREADS, *PSYSTEM_THREADS;
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREADS Threads[1];} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef struct _SYSTEM_BASIC_INFORMATION
{
BYTE Reserved1[24];
PVOID Reserved2[4];
CCHAR NumberOfProcessors;} SYSTEM_BASIC_INFORMATION;
typedef struct tagSYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
int main(void)
{HINSTANCE ntdll_dll = GetModuleHandle(<span class="hljs-string">"ntdll.dll"</span>); <span class="hljs-keyword">if</span> (ntdll_dll == <span class="hljs-literal">NULL</span>) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"load ntdll.dll failed.\n"</span>); <span class="hljs-keyword">return</span> <span class="hljs-number">-1</span>; } NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation = <span class="hljs-literal">NULL</span>; ZwQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, <span class="hljs-string">"ZwQuerySystemInformation"</span>); <span class="hljs-keyword">if</span> ( ZwQuerySystemInformation!=<span class="hljs-literal">NULL</span> ) { SYSTEM_BASIC_INFORMATION sbi = {<span class="hljs-number">0</span>}; NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, (PVOID)&sbi, <span class="hljs-keyword">sizeof</span>(sbi), <span class="hljs-literal">NULL</span>); <span class="hljs-keyword">if</span> ( status == STATUS_SUCCESS ) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"处理器个数:%d\r\n"</span>, sbi.NumberOfProcessors); } <span class="hljs-keyword">else</span> { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"\r\n SystemBasicInformation error"</span>); } DWORD dwNeedSize = <span class="hljs-number">0</span>; BYTE *pBuffer = <span class="hljs-literal">NULL</span>; <span class="hljs-built_in">printf</span>(<span class="hljs-string">"---------------------所有进程信息----------------------------------------\n"</span>); PSYSTEM_PROCESSES psp=<span class="hljs-literal">NULL</span>; status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, <span class="hljs-literal">NULL</span>, <span class="hljs-number">0</span>, &dwNeedSize); <span class="hljs-keyword">if</span> ( status == STATUS_INFO_LENGTH_MISMATCH ) { pBuffer = <span class="hljs-keyword">new</span> BYTE[dwNeedSize]; status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, <span class="hljs-literal">NULL</span>); <span class="hljs-keyword">if</span> ( status == STATUS_SUCCESS ) { psp = (PSYSTEM_PROCESSES)pBuffer; <span class="hljs-built_in">printf</span>(<span class="hljs-string">"PID 线程数 工作集大小 进程名\n"</span>); <span class="hljs-keyword">do</span> { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%-4d"</span>, psp->ProcessId); <span class="hljs-built_in">printf</span>(<span class="hljs-string">" %3d"</span>, psp->ThreadCount); <span class="hljs-built_in">printf</span>(<span class="hljs-string">" %8dKB"</span>, psp->VmCounters.WorkingSetSize/<span class="hljs-number">1024</span>); wprintf(<span class="hljs-string">L" %s\n"</span>, psp->ProcessName.Buffer); psp = (PSYSTEM_PROCESSES)((ULONG)psp + psp->NextEntryDelta ); } <span class="hljs-keyword">while</span> ( psp->NextEntryDelta != <span class="hljs-number">0</span> ); <span class="hljs-keyword">delete</span> []pBuffer; pBuffer = <span class="hljs-literal">NULL</span>; }<span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> ( status == STATUS_UNSUCCESSFUL ) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"\n STATUS_UNSUCCESSFUL"</span>); } <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> ( status == STATUS_NOT_IMPLEMENTED ) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"\n STATUS_NOT_IMPLEMENTED"</span>); } <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> ( status == STATUS_INVALID_INFO_CLASS ) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"\n STATUS_INVALID_INFO_CLASS"</span>); } <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> ( status == STATUS_INFO_LENGTH_MISMATCH ) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"\n STATUS_INFO_LENGTH_MISMATCH"</span>); } } <span class="hljs-built_in">printf</span>(<span class="hljs-string">"---------------------系统模块信息----------------------------------------\n"</span>); status = ZwQuerySystemInformation(SystemModuleInformation, <span class="hljs-literal">NULL</span>, <span class="hljs-number">0</span>, &dwNeedSize); <span class="hljs-keyword">if</span> (status == STATUS_INFO_LENGTH_MISMATCH) { pBuffer = <span class="hljs-keyword">new</span> BYTE[dwNeedSize]; status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, dwNeedSize, &dwNeedSize); <span class="hljs-keyword">if</span> (status == STATUS_SUCCESS) { UINT count = *((UINT*)pBuffer); <span class="hljs-built_in">printf</span>(<span class="hljs-string">"模块数:%d\n"</span>, count); <span class="hljs-built_in">printf</span>(<span class="hljs-string">"基地址 模块大小 引用计数 模块路径\n"</span>); PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + <span class="hljs-keyword">sizeof</span>(ULONG)); <span class="hljs-keyword">for</span> (UINT i = <span class="hljs-number">0</span>; i < count; i++) { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"0x%08X "</span>, pmi->Base); <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%8dKB "</span>, pmi->Size / <span class="hljs-number">1024</span>); <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%2d "</span>, pmi->LoadCount); <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%s\n"</span>, pmi->ImageName); pmi++; } } <span class="hljs-keyword">delete</span> []pBuffer; } } <span class="hljs-keyword">else</span> { <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Get ZwQuerySystemInformation address error!"</span>); } FreeLibrary(ntdll_dll); <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;
此博客非原创.是自己用到的时候查询了一下.觉得有用.所以拷贝到自己博客上.原博客链接
https://www.cnblogs.com/wuliqv/archive/2012/06/20/2557009.html
坚持两字,简单,轻便,但是真正的执行起来确实需要很长很长时间.当你把坚持两字当做你要走的路,那么你总会成功.
想学习,有问题请加群.群号:725864912(收费)群名称: 逆向学习小分队 群里有大量学习资源. 以及定期直播答疑.有一个良好的学习氛围. 涉及到外挂反外挂病毒 司法取证加解密 驱动过保护 VT 等技术,期待你的进入。
详情请点击链接查看置顶博客
https://www.cnblogs.com/iBinary/p/7572603.html
分类: windows下常用代码<div id="blog_post_info">
关注 - 7
粉丝 - 466 +加关注 0 0
<div class="clear"></div>
<div id="post_next_prev">
<a href="https://www.cnblogs.com/iBinary/p/11026661.html" class="p_n_p_prefix">« </a> 上一篇: <a href="https://www.cnblogs.com/iBinary/p/11026661.html" title="发布于 2019-06-15 10:16">64位内核开发第十三讲,内核中常用的链表等数据结构</a>
<br>
<a href="https://www.cnblogs.com/iBinary/p/11223324.html" class="p_n_p_prefix">» </a> 下一篇: <a href="https://www.cnblogs.com/iBinary/p/11223324.html" title="发布于 2019-07-21 23:18">X86 下的SSDT HOOK</a>