• NtQuerySystemInformation 枚举进程


    函数原型:
     NTSTATUS WINAPI NtQuerySystemInformation(
        _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
        _Inout_   PVOID                    SystemInformation,
        _In_      ULONG                    SystemInformationLength,
        _Out_opt_ PULONG                   ReturnLength
        );

    该函数未文档化,再ntdll.dll 中导出,
    SYSTEM_INFORMATION_CLASS为要查询信息的类型,是一个枚举型的,其他参数不说了。
    简单举一例说明。
    这里我们要枚举的是SystemProcessInformation信息,
    先看一下该结构体:
    typedef struct _SYSTEM_PROCESS_INFORMATION {
        ULONG NextEntryOffset;      //下一个结构的偏移量,最后一个偏移量为0
        ULONG NumberOfThreads;
        LARGE_INTEGER SpareLi1;
        LARGE_INTEGER SpareLi2;
        LARGE_INTEGER SpareLi3;
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER KernelTime;
        UNICODE_STRING ImageName;     //进程名
        KPRIORITY BasePriority;
        HANDLE UniqueProcessId;               //进程ID
        HANDLE InheritedFromUniqueProcessId;   //父进程ID
        ULONG HandleCount;
        ULONG SessionId;       //会话ID                    
        ULONG_PTR PageDirectoryBase;
        SIZE_T PeakVirtualSize;
        SIZE_T VirtualSize;
        ULONG PageFaultCount;
        SIZE_T PeakWorkingSetSize;
        SIZE_T WorkingSetSize;
        SIZE_T QuotaPeakPagedPoolUsage;
        SIZE_T QuotaPagedPoolUsage;
        SIZE_T QuotaPeakNonPagedPoolUsage;
        SIZE_T QuotaNonPagedPoolUsage;
        SIZE_T PagefileUsage;
        SIZE_T PeakPagefileUsage;
        SIZE_T PrivatePageCount;
        LARGE_INTEGER ReadOperationCount;
        LARGE_INTEGER WriteOperationCount;
        LARGE_INTEGER OtherOperationCount;
        LARGE_INTEGER ReadTransferCount;
        LARGE_INTEGER WriteTransferCount;
        LARGE_INTEGER OtherTransferCount;
    } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

    #include "stdafx.h"
    #include <Windows.h>
    #include <winternl.h>
    using namespace std;
    
    typedef NTSTATUS (WINAPI *PFUN_NtQuerySystemInformation)(
    	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
    	_Inout_   PVOID                    SystemInformation,
    	_In_      ULONG                    SystemInformationLength,
    	_Out_opt_ PULONG                   ReturnLength
    	);
    int _tmain(int argc, _TCHAR* argv[])
    {	
    	PFUN_NtQuerySystemInformation pFun = NULL;
    	pFun = (PFUN_NtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
    
    	char szInfo[0x20000] = { 0 };
    	ULONG uReturnedLEngth = 0;
    	NTSTATUS status = pFun(SystemProcessInformation, szInfo, sizeof(szInfo), &uReturnedLEngth);
    	if (status != 0)
    		return 0;
    	PSYSTEM_PROCESS_INFORMATION pSystemInformation = (PSYSTEM_PROCESS_INFORMATION)szInfo;
    	DWORD dwID = (DWORD)pSystemInformation->UniqueProcessId;
    	HANDLE hHandle = NULL;
    	PWCHAR pImageName = (PWCHAR)*(DWORD*)((PCHAR)pSystemInformation + 0x3c);
    	printf("ProcessID: %d	processName: %ws 
    ", dwID, pImageName);
    	while (true)
    	{
    		if (pSystemInformation->NextEntryOffset == 0)
    			break;
    
    		pSystemInformation = (PSYSTEM_PROCESS_INFORMATION)((PCHAR)pSystemInformation + pSystemInformation->NextEntryOffset);
    		dwID = (DWORD)pSystemInformation->UniqueProcessId;
    		hHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwID);
    		pImageName = (PWCHAR)*(DWORD*)((PCHAR)pSystemInformation + 0x3c);
    		printf("ProcessID: %d	processName: %ws 
    ", dwID, pImageName);
    	}
            getchar();
    }
    
    结果如下:
    
    NtQuerySystemInformation 枚举进程 - Prairie - work labor and play
  • 相关阅读:
    Python+selenium怎么自定义函数进行翻页操作定位第二页元素
    序列
    元组
    读书笔记-活出意义来
    多线程源代码学习笔记
    MacOS环境下Redis安装
    django修改静态文件(css,js)之后,浏览器效果没改变
    JavaScript变量、值类型介绍和启发-day01
    99乘法法则(使用bootstrap做表格效果)
    do-while循环的与for循环,while循环的区别是什么——(摘抄)
  • 原文地址:https://www.cnblogs.com/priarieNew/p/9756157.html
Copyright © 2020-2023  润新知