  • ZwQuerySystemInformation函数使用

    ZwQuerySystemInformation函数很简单.就是4个参数.

    NTSTATUS WINAPI ZwQuerySystemInformation(
      _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
      _Inout_   PVOID                    SystemInformation,
      _In_      ULONG                    SystemInformationLength,
      _Out_opt_ PULONG                   ReturnLength
    );
    

    函数很简单.就4个参数. 参数1就是传一个类型.代表你要查询什么类型.这个函数很强大.基本什么都可以查询.
    参数2: 就是一个缓冲区.查询到的数据会按你指定的类型放到这个缓冲区中.所以使用时把缓冲区强转为对应的类型即可.
    参数3: 缓冲区大小.
    参数4: 返回大小

    类别很多.但是MSDN上不太全.看看下面吧.里面定义了类型.也有使用例子.

    #include <stdio.h>   
    #include <windows.h>   
      
    // NTSTATUS and the status codes this sample compares against. They are defined
    // locally because the listing only includes <stdio.h> and <windows.h>.
    typedef LONG NTSTATUS;

    #define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)
    #define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)
    #define STATUS_NOT_IMPLEMENTED          ((NTSTATUS)0xC0000002L)
    #define STATUS_INVALID_INFO_CLASS       ((NTSTATUS)0xC0000003L)
    // Returned when SystemInformationLength is too small; main relies on it to size buffers.
    #define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)
      
    // Information classes accepted as the first argument of ZwQuerySystemInformation.
    // The enumerator position is the numeric value the kernel sees, so entries must
    // never be reordered or removed (the "NotImplemented"/"InvalidInfoClass" names are
    // placeholders that keep the numbering intact). The two letters after each index
    // in the trailing comments presumably mark query / set support — confirm against
    // the reference this table was copied from.
    typedef enum _SYSTEM_INFORMATION_CLASS
    {
        SystemBasicInformation,                    //  0 Y N
        SystemProcessorInformation,             //  1 Y N
        SystemPerformanceInformation,           //  2 Y N
        SystemTimeOfDayInformation,             //  3 Y N
        SystemNotImplemented1,                  //  4 Y N
        SystemProcessesAndThreadsInformation,   //  5 Y N
        SystemCallCounts,                       //  6 Y N
        SystemConfigurationInformation,         //  7 Y N
        SystemProcessorTimes,                   //  8 Y N
        SystemGlobalFlag,                       //  9 Y Y
        SystemNotImplemented2,                  // 10 Y N
        SystemModuleInformation,                // 11 Y N
        SystemLockInformation,                  // 12 Y N
        SystemNotImplemented3,                  // 13 Y N
        SystemNotImplemented4,                  // 14 Y N
        SystemNotImplemented5,                  // 15 Y N
        SystemHandleInformation,                // 16 Y N
        SystemObjectInformation,                // 17 Y N
        SystemPagefileInformation,              // 18 Y N
        SystemInstructionEmulationCounts,       // 19 Y N
        SystemInvalidInfoClass1,                // 20
        SystemCacheInformation,                 // 21 Y Y
        SystemPoolTagInformation,               // 22 Y N
        SystemProcessorStatistics,              // 23 Y N
        SystemDpcInformation,                   // 24 Y Y
        SystemNotImplemented6,                  // 25 Y N
        SystemLoadImage,                        // 26 N Y
        SystemUnloadImage,                      // 27 N Y
        SystemTimeAdjustment,                   // 28 Y Y
        SystemNotImplemented7,                  // 29 Y N
        SystemNotImplemented8,                  // 30 Y N
        SystemNotImplemented9,                  // 31 Y N
        SystemCrashDumpInformation,             // 32 Y N
        SystemExceptionInformation,             // 33 Y N
        SystemCrashDumpStateInformation,        // 34 Y Y/N
        SystemKernelDebuggerInformation,        // 35 Y N
        SystemContextSwitchInformation,         // 36 Y N
        SystemRegistryQuotaInformation,         // 37 Y Y
        SystemLoadAndCallImage,                 // 38 N Y
        SystemPrioritySeparation,               // 39 N Y
        SystemNotImplemented10,                 // 40 Y N
        SystemNotImplemented11,                 // 41 Y N
        SystemInvalidInfoClass2,                // 42
        SystemInvalidInfoClass3,                // 43
        SystemTimeZoneInformation,              // 44 Y N
        SystemLookasideInformation,             // 45 Y N
        SystemSetTimeSlipEvent,                 // 46 N Y
        SystemCreateSession,                    // 47 N Y
        SystemDeleteSession,                    // 48 N Y
        SystemInvalidInfoClass4,                // 49
        SystemRangeStartInformation,            // 50 Y N
        SystemVerifierInformation,              // 51 Y Y
        SystemAddVerifier,                      // 52 N Y
        SystemSessionProcessesInformation       // 53 Y N

    } SYSTEM_INFORMATION_CLASS;
      
    // Counted wide string as used by the native API (same shape as the documented
    // UNICODE_STRING). Length and MaximumLength are byte counts and Buffer is not
    // required to be NUL-terminated, so consumers should read Length / sizeof(WCHAR)
    // characters instead of scanning for a terminator. Buffer may be NULL.
    typedef struct _LSA_UNICODE_STRING
    {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;

    } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
      
    // Identifies a thread by its owning process id and thread id; both are carried
    // as HANDLE-typed values. Used as SYSTEM_THREADS.ClientId below.
    typedef struct _CLIENT_ID
    {
        HANDLE UniqueProcess;
        HANDLE UniqueThread;

    } CLIENT_ID;
      
    // Scheduler state values reported in SYSTEM_THREADS.State. Order fixes the
    // numeric values, so do not reorder.
    typedef enum _THREAD_STATE
    {
        StateInitialized,
        StateReady,
        StateRunning,
        StateStandby,
        StateTerminated,
        StateWait,
        StateTransition,
        StateUnknown

    } THREAD_STATE;
      
    // Wait reason values reported in SYSTEM_THREADS.WaitReason. The Wr* entries
    // mirror the plain entries above them; order fixes the numeric values, so do not
    // reorder.
    typedef enum _KWAIT_REASON
    {
        Executive,
        FreePage,
        PageIn,
        PoolAllocation,
        DelayExecution,
        Suspended,
        UserRequest,
        WrExecutive,
        WrFreePage,
        WrPageIn,
        WrPoolAllocation,
        WrDelayExecution,
        WrSuspended,
        WrUserRequest,
        WrEventPair,
        WrQueue,
        WrLpcReceive,
        WrLpcReply,
        WrVirtualMemory,
        WrPageOut,
        WrRendezvous,
        Spare2,
        Spare3,
        Spare4,
        Spare5,
        Spare6,
        WrKernel

    } KWAIT_REASON;
      
    /*typedef struct _IO_COUNTERS   
    {   
        LARGE_INTEGER ReadOperationCount;   //I/O读操作数目   
        LARGE_INTEGER WriteOperationCount;  //I/O写操作数目   
        LARGE_INTEGER OtherOperationCount;  //I/O其他操作数目   
        LARGE_INTEGER ReadTransferCount;    //I/O读数据数目   
        LARGE_INTEGER WriteTransferCount;   //I/O写数据数目   
        LARGE_INTEGER OtherTransferCount;   //I/O其他操作数据数目   
      
    } IO_COUNTERS, *PIO_COUNTERS;   
      */
    // Per-process memory counters embedded in SYSTEM_PROCESSES.VmCounters. All sizes
    // are in bytes (main divides WorkingSetSize by 1024 to print KB).
    // NOTE(review): every field is ULONG, i.e. the 32-bit layout — confirm the field
    // widths before using this struct in a 64-bit build.
    typedef struct _VM_COUNTERS
    {
        ULONG PeakVirtualSize;              // peak virtual size
        ULONG VirtualSize;                  // current virtual size
        ULONG PageFaultCount;               // number of page faults
        ULONG PeakWorkingSetSize;           // peak working set size
        ULONG WorkingSetSize;               // current working set size
        ULONG QuotaPeakPagedPoolUsage;      // peak paged pool quota usage
        ULONG QuotaPagedPoolUsage;          // paged pool quota usage
        ULONG QuotaPeakNonPagedPoolUsage;   // peak non-paged pool quota usage
        ULONG QuotaNonPagedPoolUsage;       // non-paged pool quota usage
        ULONG PagefileUsage;                // pagefile usage
        ULONG PeakPagefileUsage;            // peak pagefile usage

    } VM_COUNTERS, *PVM_COUNTERS;
      
    // Scheduling priority value, used for the Priority/BasePriority fields below.
    typedef LONG KPRIORITY;
      
    // One thread record; SYSTEM_PROCESSES ends with an array of these. The time
    // fields are LARGE_INTEGER values; StartAddress is the thread's start routine
    // and ClientId carries the owning process id and the thread id.
    typedef struct _SYSTEM_THREADS
    {
        LARGE_INTEGER KernelTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER CreateTime;
        ULONG WaitTime;
        PVOID StartAddress;
        CLIENT_ID ClientId;
        KPRIORITY Priority;
        KPRIORITY BasePriority;
        ULONG ContextSwitchCount;
        THREAD_STATE State;
        KWAIT_REASON WaitReason;

    } SYSTEM_THREADS, *PSYSTEM_THREADS;
      
    // One entry of the variable-length list returned for
    // SystemProcessesAndThreadsInformation. Entries are chained by NextEntryDelta,
    // the byte offset from this entry to the next; 0 marks the last entry (main walks
    // the list that way). Threads[1] is a trailing variable-length array — presumably
    // ThreadCount records — which is why entries are not sizeof(SYSTEM_PROCESSES)
    // apart. IO_COUNTERS comes from <windows.h>; the local definition above is
    // commented out for that reason.
    // NOTE(review): counters and ids are ULONG here, i.e. the 32-bit layout — confirm
    // before using this struct in a 64-bit build.
    typedef struct _SYSTEM_PROCESSES
    {
        ULONG NextEntryDelta;
        ULONG ThreadCount;
        ULONG Reserved1[6];
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER KernelTime;
        UNICODE_STRING ProcessName;         // counted, not NUL-terminated; Buffer may be NULL
        KPRIORITY BasePriority;
        ULONG ProcessId;
        ULONG InheritedFromProcessId;       // parent process id
        ULONG HandleCount;
        ULONG Reserved2[2];
        VM_COUNTERS  VmCounters;
        IO_COUNTERS IoCounters;
        SYSTEM_THREADS Threads[1];

    } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
      
    // Fixed-size buffer for SystemBasicInformation. Only NumberOfProcessors is read
    // by main; the Reserved fields presumably pad the struct to the size the kernel
    // expects, so they must not be trimmed.
    typedef struct _SYSTEM_BASIC_INFORMATION
    {
        BYTE Reserved1[24];
        PVOID Reserved2[4];
        CCHAR NumberOfProcessors;

    } SYSTEM_BASIC_INFORMATION;
    
    // One loaded-module record for SystemModuleInformation. main reads the buffer as
    // a ULONG count followed by an array of these records. ImageName is a fixed
    // 256-byte field; treat it as possibly not NUL-terminated. ModuleNameOffset is
    // presumably the offset of the file name within ImageName — verify before use.
    // NOTE(review): Reserved[2] is two ULONGs, which only matches the 32-bit record
    // layout; confirm the field widths and the array start offset for x64 builds.
    typedef struct tagSYSTEM_MODULE_INFORMATION {
        ULONG Reserved[2];
        PVOID Base;                 // image base address
        ULONG Size;                 // image size in bytes
        ULONG Flags;
        USHORT Index;
        USHORT Unknown;
        USHORT LoadCount;           // reference count printed by main
        USHORT ModuleNameOffset;
        CHAR ImageName[256];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
      
    // Function-pointer type for ZwQuerySystemInformation, resolved from ntdll.dll
    // with GetProcAddress in main. Parameters: information class, caller buffer,
    // buffer length in bytes, optional returned/required length.
    typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
      
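    // Prints the status names the sample distinguishes; any other status is shown
    // numerically so that a failed query is never silent.
    static void print_query_error(NTSTATUS status)
    {
        if (status == STATUS_UNSUCCESSFUL) {
            printf("\n STATUS_UNSUCCESSFUL");
        } else if (status == STATUS_NOT_IMPLEMENTED) {
            printf("\n STATUS_NOT_IMPLEMENTED");
        } else if (status == STATUS_INVALID_INFO_CLASS) {
            printf("\n STATUS_INVALID_INFO_CLASS");
        } else if (status == STATUS_INFO_LENGTH_MISMATCH) {
            printf("\n STATUS_INFO_LENGTH_MISMATCH");
        } else {
            printf("\n NTSTATUS 0x%08lX", (unsigned long)status);
        }
    }

    // Queries a variable-size information class, growing the buffer until the call
    // succeeds. On success *ppBuffer (allocated with new[], caller releases with
    // delete[]) holds the data and *pcbBuffer its allocated size in bytes; on
    // failure *ppBuffer is NULL and *pcbBuffer is 0. The retry loop exists because
    // the process/module list can grow between the size query and the data query,
    // so the second call may report STATUS_INFO_LENGTH_MISMATCH again; it is bounded
    // so a kernel that never reports a usable size cannot spin forever.
    static NTSTATUS query_variable_size(NTQUERYSYSTEMINFORMATION pfnQuery,
                                        SYSTEM_INFORMATION_CLASS cls,
                                        BYTE **ppBuffer, DWORD *pcbBuffer)
    {
        BYTE *pBuffer = NULL;
        DWORD cbBuffer = 0;
        DWORD cbNeeded = 0;
        NTSTATUS status = pfnQuery(cls, NULL, 0, &cbNeeded);
        for (int attempt = 0; status == STATUS_INFO_LENGTH_MISMATCH && attempt < 8; attempt++) {
            if (cbNeeded <= cbBuffer) {
                break;   // no larger size reported; report the mismatch to the caller
            }
            delete[] pBuffer;
            cbBuffer = cbNeeded;
            pBuffer = new BYTE[cbBuffer];
            status = pfnQuery(cls, (PVOID)pBuffer, cbBuffer, &cbNeeded);
        }
        if (status != STATUS_SUCCESS) {
            delete[] pBuffer;
            pBuffer = NULL;
            cbBuffer = 0;
        }
        *ppBuffer = pBuffer;
        *pcbBuffer = cbBuffer;
        return status;
    }

    // Walks the SYSTEM_PROCESSES list returned for SystemProcessesAndThreadsInformation
    // and prints one line per process. cbBuffer bounds the walk so that a
    // NextEntryDelta pointing outside the buffer is never followed. The last entry
    // (NextEntryDelta == 0) is printed too; the original do/while skipped it.
    // NOTE(review): SYSTEM_PROCESSES above has the 32-bit field layout — confirm it
    // before trusting the output of a 64-bit build.
    static void print_processes(const BYTE *pBuffer, DWORD cbBuffer)
    {
        const BYTE *pEnd = pBuffer + cbBuffer;
        const BYTE *pCur = pBuffer;
        printf("PID  线程数 工作集大小 进程名\n");
        while ((size_t)(pEnd - pCur) >= FIELD_OFFSET(SYSTEM_PROCESSES, Threads)) {
            const SYSTEM_PROCESSES *psp = (const SYSTEM_PROCESSES *)pCur;
            printf("%-4lu", psp->ProcessId);
            printf(" %3lu", psp->ThreadCount);
            printf(" %8luKB", psp->VmCounters.WorkingSetSize / 1024);
            if (psp->ProcessName.Buffer != NULL) {
                // UNICODE_STRING is not NUL-terminated: print exactly Length bytes of WCHARs.
                wprintf(L" %.*s\n", (int)(psp->ProcessName.Length / sizeof(WCHAR)), psp->ProcessName.Buffer);
            } else {
                // The Idle process carries no name; printing a NULL pointer was undefined.
                wprintf(L" %s\n", L"(null)");
            }
            if (psp->NextEntryDelta == 0) {
                break;   // last entry
            }
            if (psp->NextEntryDelta > (size_t)(pEnd - pCur)) {
                break;   // malformed delta; never step past the buffer
            }
            // Advance through a byte pointer; the original cast the pointer to ULONG,
            // which truncates it on 64-bit builds.
            pCur += psp->NextEntryDelta;
        }
    }

    // Prints the module table returned for SystemModuleInformation: a ULONG count
    // followed by an array of SYSTEM_MODULE_INFORMATION records. The count is clamped
    // to what actually fits in cbBuffer so a bogus count cannot read past the buffer.
    // NOTE(review): the array is assumed to start right after the ULONG and to use the
    // 32-bit record layout defined above — confirm both for x64 builds.
    static void print_modules(const BYTE *pBuffer, DWORD cbBuffer)
    {
        if (cbBuffer < sizeof(ULONG)) {
            return;
        }
        ULONG count = *(const ULONG *)pBuffer;
        printf("模块数:%lu\n", count);
        printf("基地址 模块大小 引用计数 模块路径\n");
        size_t maxEntries = (cbBuffer - sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION);
        if (count > maxEntries) {
            count = (ULONG)maxEntries;
        }
        const SYSTEM_MODULE_INFORMATION *pmi =
            (const SYSTEM_MODULE_INFORMATION *)(pBuffer + sizeof(ULONG));
        for (ULONG i = 0; i < count; i++, pmi++) {
            // Print the full pointer width; "%08X" with a PVOID argument was undefined
            // and truncated addresses on 64-bit builds.
            printf("0x%0*llX ", (int)(2 * sizeof(void *)), (unsigned long long)(ULONG_PTR)pmi->Base);
            printf("%8luKB ", pmi->Size / 1024);
            printf("%2hu ", pmi->LoadCount);
            // ImageName is a fixed 256-byte field and may lack a terminator; bound the read.
            printf("%.*s\n", (int)sizeof(pmi->ImageName), pmi->ImageName);
        }
    }

    // Demonstrates ZwQuerySystemInformation: prints the processor count, the process
    // list and the loaded kernel module list. Returns -1 if ntdll.dll is not mapped,
    // 0 otherwise (including when the export cannot be resolved, as before).
    int main(void)
    {
        // GetModuleHandle returns the already-mapped module without taking a
        // reference, so the handle must not be released with FreeLibrary (the
        // original's FreeLibrary call was unbalanced). The explicit A variant keeps
        // the narrow literal valid whether or not UNICODE is defined.
        HMODULE ntdll_dll = GetModuleHandleA("ntdll.dll");
        if (ntdll_dll == NULL) {
            printf("load ntdll.dll failed.\n");
            return -1;
        }

        NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
            (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
        if (ZwQuerySystemInformation == NULL) {
            printf("Get ZwQuerySystemInformation address error!");
            return 0;
        }

        // Fixed-size class: the struct itself is the whole buffer.
        SYSTEM_BASIC_INFORMATION sbi = {0};
        NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, (PVOID)&sbi, sizeof(sbi), NULL);
        if (status == STATUS_SUCCESS) {
            printf("处理器个数:%d\n", sbi.NumberOfProcessors);
        } else {
            printf("\n SystemBasicInformation error");
        }

        BYTE *pBuffer = NULL;
        DWORD cbBuffer = 0;

        printf("---------------------所有进程信息----------------------------------------\n");
        status = query_variable_size(ZwQuerySystemInformation, SystemProcessesAndThreadsInformation,
                                     &pBuffer, &cbBuffer);
        if (status == STATUS_SUCCESS) {
            print_processes(pBuffer, cbBuffer);
        } else {
            print_query_error(status);
        }
        // delete[] NULL is a no-op; the original only freed on the success path.
        delete[] pBuffer;
        pBuffer = NULL;

        printf("---------------------系统模块信息----------------------------------------\n");
        status = query_variable_size(ZwQuerySystemInformation, SystemModuleInformation,
                                     &pBuffer, &cbBuffer);
        if (status == STATUS_SUCCESS) {
            print_modules(pBuffer, cbBuffer);
        } else {
            print_query_error(status);
        }
        delete[] pBuffer;
        pBuffer = NULL;

        return 0;
    }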

    此博客非原创.是自己用到的时候查询了一下.觉得有用.所以拷贝到自己博客上.原博客链接
    https://www.cnblogs.com/wuliqv/archive/2012/06/20/2557009.html
