
使用ZwQuerySystemInformation函数枚举进程


使用ZwQuerySystemInformation函数枚举Windows系统进程

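// One entry of the SystemProcessesAndThreadsInformation list returned by
// ZwQuerySystemInformation. Entries are chained by NextEntryDelta (a byte
// offset from the start of this entry); a delta of 0 marks the last entry.
// NOTE(review): a second, longer _SYSTEM_PROCESSES layout (with SessionId,
// PageDirectoryBase and PrivatePageCount) appears later in this page; only one
// of the two can be compiled into a translation unit and they are not
// interchangeable, so pick the one that matches the target OS.
typedef struct _SYSTEM_PROCESSES
{
    ULONG          NextEntryDelta;          // byte offset to the next entry; 0 = last entry
    ULONG          ThreadCount;             // number of SYSTEM_THREADS entries in Threads[]
    ULONG          Reserved1[6];
    LARGE_INTEGER  CreateTime;              // process creation time
    LARGE_INTEGER  UserTime;                // CPU time spent in user mode (ring 3)
    LARGE_INTEGER  KernelTime;              // CPU time spent in kernel mode (ring 0)
    UNICODE_STRING ProcessName;             // image name; Length is in bytes and Buffer need not be NUL-terminated
    KPRIORITY      BasePriority;            // base scheduling priority
    HANDLE         ProcessId;               // process id (HANDLE-sized, not a real handle)
    HANDLE         InheritedFromProcessId;  // parent process id
    ULONG          HandleCount;             // number of open handles
    ULONG          Reserved2[2];
    VM_COUNTERS    VmCounters;              // virtual-memory counters (see VM_COUNTERS below)
    IO_COUNTERS    IoCounters;              // I/O counters
    SYSTEM_THREADS Threads[1];              // ThreadCount thread entries follow; [1] is the classic "trailing array" idiom
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;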


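 PSYSTEM_PROCESSES psp = NULL;

// First call with a NULL buffer: it fails with STATUS_INFO_LENGTH_MISMATCH and
// reports the size currently needed in dwNeedSize.
status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);

if (status == STATUS_INFO_LENGTH_MISMATCH) {
    // The process list can grow between the size query and the real query, so
    // one retry is not enough: keep re-allocating while the buffer is too small.
    do {
        pBuffer = new BYTE[dwNeedSize];
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, &dwNeedSize);
        if (status != STATUS_SUCCESS) {
            delete[] pBuffer;
            pBuffer = NULL;
        }
    } while (status == STATUS_INFO_LENGTH_MISMATCH);

    if (status == STATUS_SUCCESS) {
        psp = (PSYSTEM_PROCESSES)pBuffer;
        printf("PID  线程数工作集大小进程名\n");
        for (;;) {
            // ProcessId is HANDLE-sized; widen through ULONG_PTR for a printable integer
            // instead of passing a pointer-sized value to %d.
            printf("%-4lu", (unsigned long)(ULONG_PTR)psp->ProcessId);
            printf(" %3lu", (unsigned long)psp->ThreadCount);
            // WorkingSetSize is SIZE_T (8 bytes on x64); cast explicitly for the format.
            printf(" %8luKB", (unsigned long)(psp->VmCounters.WorkingSetSize / 1024));
            // UNICODE_STRING::Length is in bytes and Buffer need not be NUL-terminated,
            // so bound the printed width by Length. Buffer may be NULL (e.g. an entry
            // with no image name), so substitute an empty string in that case.
            wprintf(L" %.*s\n",
                    (int)(psp->ProcessName.Length / sizeof(WCHAR)),
                    psp->ProcessName.Buffer ? psp->ProcessName.Buffer : L"");
            // NextEntryDelta == 0 marks the last entry; test before advancing so the
            // final process is printed too (the original do/while dropped it).
            if (psp->NextEntryDelta == 0) {
                break;
            }
            // Advance in bytes through a byte pointer; going through ULONG truncates
            // the pointer on 64-bit builds.
            psp = (PSYSTEM_PROCESSES)((PUCHAR)psp + psp->NextEntryDelta);
        }
    }
    delete[] pBuffer;
    pBuffer = NULL;
}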


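//////////////////////////////////////////////////////////////////////////
//
//    Enumerate processes with ZwQuerySystemInformation (kernel mode)
//
//    Allocates a paged-pool buffer, queries SystemProcessesAndThreadsInformation
//    and prints one KdPrint line per process plus the total count. The routine
//    has no return value; failures are reported via KdPrint only.
//
//////////////////////////////////////////////////////////////////////////
VOID
EnumProcessList1()
{
    ULONG    cbBuffer = 0x10000;   // initial guess; grown on STATUS_INFO_LENGTH_MISMATCH
    ULONG    dwCount  = 0;
    PVOID    pBuffer  = NULL;
    NTSTATUS status;
    PSYSTEM_PROCESS_INFORMATION pInfo;
    PUCHAR   pEnd;

    // NOTE(review): ZwQuerySystemInformation and PagedPool allocation require
    // IRQL <= APC_LEVEL; this routine must not be called at DISPATCH_LEVEL.
    // ExAllocatePool is kept to match the rest of the page; newer WDKs prefer
    // the tagged variants (ExAllocatePoolWithTag / ExAllocatePool2).
    KdPrint(("We Use ZwQuerySystemInformation!"));

    // The required size depends on how many processes/threads exist right now
    // and can grow between calls, so retry until the buffer is large enough.
    // With a fixed 0x10000 buffer a busy system made the query fail and the
    // loop below then parsed uninitialised pool memory.
    for (;;)
    {
        pBuffer = ExAllocatePool(PagedPool, cbBuffer);
        if (pBuffer == NULL)
        {
            KdPrint(("ExAllocatePool(%u) failed", cbBuffer));
            return;
        }
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer,
                                          cbBuffer,
                                          &cbBuffer);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        ExFreePool(pBuffer);
        pBuffer = NULL;
        // cbBuffer now holds the size the call asked for; add slack because the
        // list may keep growing before the next attempt.
        cbBuffer += 0x1000;
    }

    if (!NT_SUCCESS(status))
    {
        KdPrint(("ZwQuerySystemInformation failed: 0x%08X", status));
        ExFreePool(pBuffer);
        return;
    }

    // On success cbBuffer holds the number of bytes actually written (or the
    // allocation size if the call did not update it); either is a valid bound.
    pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
    pEnd  = (PUCHAR)pBuffer + cbBuffer;
    for( ; ; )
    {
        dwCount++;
        // ProcessId is HANDLE-sized; narrow through ULONG_PTR so %u gets an
        // integer of the right width rather than a pointer.
        if (pInfo->ProcessId == 0)
        {
            KdPrint(("[%6u] System Idle Process", (ULONG)(ULONG_PTR)pInfo->ProcessId));
        }
        else
        {
            // %wZ expects a PUNICODE_STRING, not the UNICODE_STRING by value.
            KdPrint(("[%6u] %wZ", (ULONG)(ULONG_PTR)pInfo->ProcessId, &pInfo->ProcessName));
        }

        // NextEntryDelta == 0 marks the last entry. Also stop if the delta would
        // place the next entry (or its header) outside the buffer, so a corrupt
        // or truncated list cannot walk past the allocation.
        if (pInfo->NextEntryDelta == 0 ||
            (SIZE_T)(pEnd - (PUCHAR)pInfo) < (SIZE_T)pInfo->NextEntryDelta + sizeof(*pInfo))
        {
            break;
        }

        pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta);
    }
    KdPrint(("ProcessCount = %u", dwCount));
    ExFreePool(pBuffer);
}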



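// Per-thread entry that follows each _SYSTEM_PROCESSES record (Threads[]).
// Fixes the truncated "ypedef" keyword, which made this declaration a syntax error.
typedef struct _SYSTEM_THREADS
{
    LARGE_INTEGER  KernelTime;          // CPU time spent in kernel mode
    LARGE_INTEGER  UserTime;            // CPU time spent in user mode
    LARGE_INTEGER  CreateTime;          // thread creation time
    ULONG          WaitTime;            // time spent waiting
    PVOID          StartAddress;        // thread start address
    CLIENT_ID      ClientID;            // process id + thread id pair
    KPRIORITY      Priority;            // current priority
    KPRIORITY      BasePriority;        // base priority
    ULONG          ContextSwitchCount;  // number of context switches
    ULONG          ThreadState;         // scheduler state
    KWAIT_REASON   WaitReason;          // reason for the current wait

#ifdef _WIN64
    // Extra ULONG present only in the 64-bit layout (the page marks it "Add");
    // without it every following _SYSTEM_PROCESSES entry is mis-aligned on x64.
    ULONG          Reserved;
#endif

} SYSTEM_THREADS, *PSYSTEM_THREADS;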

// Alternative (longer) layout of the per-process record returned for
// SystemProcessesAndThreadsInformation. Compared with the earlier definition in
// this page it adds SessionId, PageDirectoryBase and PrivatePageCount and drops
// Reserved2[2]; the two definitions share the tag name and cannot both be
// compiled into one translation unit. Entries are chained by NextEntryDelta
// (byte offset from the start of this entry; 0 marks the last one).
typedef struct _SYSTEM_PROCESSES
{
 ULONG    NextEntryDelta;            // byte offset to the next entry; 0 = last entry
 ULONG    ThreadCount;               // number of entries in Threads[]
 ULONG    Reserved[6];
 LARGE_INTEGER  CreateTime;          // process creation time
 LARGE_INTEGER  UserTime;            // CPU time in user mode
 LARGE_INTEGER  KernelTime;          // CPU time in kernel mode
 UNICODE_STRING  ProcessName;        // image name; Length in bytes, Buffer need not be NUL-terminated
 KPRIORITY   BasePriority;           // base scheduling priority
 HANDLE   ProcessId;                 // process id; HANDLE-sized (page notes this was changed from a 32-bit field)
 HANDLE   InheritedFromProcessId;    // parent process id; HANDLE-sized (likewise changed)
 ULONG    HandleCount;               // number of open handles
 ULONG    SessionId;                 // terminal-services session id
 ULONG_PTR  PageDirectoryBase;       // pointer-sized so the following fields line up on x64
 VM_COUNTERS VmCounters;             // virtual-memory counters (SIZE_T-based, see VM_COUNTERS below)
 SIZE_T    PrivatePageCount;         // added field (page marks it "Add")
 IO_COUNTERS  IoCounters;            // page notes: present on Windows 2000 only
 struct _SYSTEM_THREADS Threads[1];  // ThreadCount thread entries follow
}SYSTEM_PROCESSES,*PSYSTEM_PROCESSES;



// One more key structure. Some references get this wrong: the 32-bit sources
// circulating online use ULONG for these fields, which is incorrect. They must be
// SIZE_T (4 bytes on 32-bit, 8 bytes on 64-bit); with ULONG every field after the
// first one is read at the wrong offset on x64.

// Virtual-memory counters embedded in each _SYSTEM_PROCESSES entry.
// All sizes are in bytes; PageFaultCount is the only 32-bit field.
typedef struct _VM_COUNTERS
{
    SIZE_T PeakVirtualSize;            // peak virtual address space used
    SIZE_T VirtualSize;                // current virtual address space used
    ULONG PageFaultCount;              // number of page faults (32-bit on every architecture)
    SIZE_T PeakWorkingSetSize;         // peak working set
    SIZE_T WorkingSetSize;             // current working set (printed as KB by the user-mode snippet above)
    SIZE_T QuotaPeakPagedPoolUsage;    // peak paged-pool charge
    SIZE_T QuotaPagedPoolUsage;        // current paged-pool charge
    SIZE_T QuotaPeakNonPagedPoolUsage; // peak non-paged-pool charge
    SIZE_T QuotaNonPagedPoolUsage;     // current non-paged-pool charge
    SIZE_T PagefileUsage;              // current pagefile usage
    SIZE_T PeakPagefileUsage;          // peak pagefile usage
} VM_COUNTERS, *PVM_COUNTERS;
