使用NtQuerySystemInformation遍历进程信息[详细篇]
1.前提资料
// Information classes accepted by ntdll!NtQuerySystemInformation.
// The enumerators are implicitly numbered from 0, so SystemProcessInformation
// (the 6th entry) has the value 5 -- the same value the sample code below
// hard-codes with `#define SystemProcessInformation 5`.
// NOTE(review): only a few of these classes are documented by Microsoft; the
// rest are internal and the returned structures may change between Windows
// versions, so callers should always validate offsets against the length the
// call returns rather than trusting the layout blindly.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation, // system process information, class number 5
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
2.代码测试
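// UNICODE / _UNICODE must be defined *before* <windows.h> and <tchar.h>; otherwise
// LoadLibrary / _tprintf resolve to their ANSI forms and the L"..." literals used
// below no longer match. The original defined them after the includes, which
// presumably only worked because the project's character-set setting already
// defined them on the compiler command line. The #ifndef guards avoid a
// redefinition warning in that configuration.
#ifndef UNICODE
#define UNICODE
#endif
#ifndef _UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <tchar.h>
#include <iostream>
#include <locale.h> // setlocale() in main
#include <stdlib.h> // malloc() / free() for the query buffer
typedef LONG KPRIORITY;          // scheduling priority, used by the structs below
#define SystemProcessInformation 5 // information class number (6th enumerator of SYSTEM_INFORMATION_CLASS)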
#ifdef _M_IX86
typedef struct _CLIENT_ID
{
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
#endif // x86模式下
#ifdef _M_X64
typedef struct _CLIENT_ID
{
ULONG64 UniqueProcess;
ULONG64 UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
#endif // x64模式下
// Counted wide string as used by the native API.
// NOTE(review): in the Windows definition Length and MaximumLength are byte
// counts, not character counts, and Buffer is not guaranteed to be
// NUL-terminated -- bound any printing by Length rather than relying on a
// terminator.
typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use in Buffer
    USHORT MaximumLength; // bytes allocated for Buffer
    PWSTR Buffer;         // may be NULL (the sample code checks for this before printing)
} UNICODE_STRING, * PUNICODE_STRING;
// Process entry, copied from the official (public) definition.
// Entries are packed back to back in the buffer returned for
// SystemProcessInformation; each entry is immediately followed by
// NumberOfThreads SYSTEM_THREAD_INFORMATION records, and NextEntryOffset
// links to the next entry (0 on the last one).
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;        // byte offset from this entry to the next; 0 marks the last entry
    ULONG NumberOfThreads;        // count of SYSTEM_THREAD_INFORMATION records that follow this struct
    BYTE Reserved1[48];           // opaque in the published layout
    UNICODE_STRING ImageName;     // executable name; Buffer may be NULL
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;       // process id stored as a HANDLE-sized value
    PVOID Reserved2;
    ULONG HandleCount;            // open handles in the process
    ULONG SessionId;
    PVOID Reserved3;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG Reserved4;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    PVOID Reserved5;
    SIZE_T QuotaPagedPoolUsage;
    PVOID Reserved6;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved7[6];   // opaque in the published layout
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
// Thread entry, copied from the official (public) definition.
// An array of these follows each SYSTEM_PROCESS_INFORMATION entry.
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER Reserved1[3]; // opaque in the published layout
    ULONG Reserved2;
    PVOID StartAddress;         // thread start address (printed by the sample)
    CLIENT_ID ClientId;         // UniqueThread is the thread id (printed by the sample)
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG Reserved3;
    ULONG ThreadState;          // scheduler state code (printed by the sample)
    ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
//从NTDLL里定义原型
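// Prototype of ntdll!NtQuerySystemInformation, resolved at run time via GetProcAddress.
// The function returns an NTSTATUS, which is a signed LONG: negative values are
// failures and STATUS_INFO_LENGTH_MISMATCH (0xC0000004) means "buffer too small,
// *ReturnLength holds the required size". The original declared the return as
// DWORD, which hid the sign and made `status < 0` checks impossible.
typedef LONG(WINAPI* PNtQuerySystemInformation) (UINT SystemInformationClass, PVOID SystemInformation,
                                                  ULONG SystemInformationLength, PULONG ReturnLength);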
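#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L) // "buffer too small, ReturnLength has the needed size"
#endif

// Fetch the SystemProcessInformation snapshot into a malloc'd buffer.
// Returns the buffer (caller owns it and must free() it) and stores the buffer's
// byte size in *outLength. Returns NULL when the call fails with anything other
// than STATUS_INFO_LENGTH_MISMATCH, when allocation fails, or when the buffer
// still does not fit after a bounded number of retries. The original looped
// forever on any non-zero status and never checked malloc.
static PSYSTEM_PROCESS_INFORMATION QueryProcessSnapshot(PNtQuerySystemInformation query, ULONG *outLength)
{
    ULONG cbSize = sizeof(SYSTEM_PROCESS_INFORMATION);
    for (int attempt = 0; attempt < 8; attempt++) {
        PSYSTEM_PROCESS_INFORMATION buf = (PSYSTEM_PROCESS_INFORMATION)malloc(cbSize);
        if (buf == NULL) {
            return NULL;
        }
        ULONG needed = 0;
        LONG status = (LONG)query(SystemProcessInformation, buf, cbSize, &needed);
        if (status == 0) {
            *outLength = cbSize; // bound later walks by the allocation, never by a value we cannot verify
            return buf;
        }
        free(buf);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            return NULL; // a genuine failure, not a sizing problem
        }
        // The process list can grow between this probe and the next call, so add
        // slack instead of trusting the reported size exactly.
        cbSize = (needed > cbSize ? needed : cbSize) + 64 * 1024;
    }
    return NULL;
}

// Print one process entry and the SYSTEM_THREAD_INFORMATION array that follows it.
// Entries without an image name are skipped, as in the original.
static void PrintProcessEntry(const SYSTEM_PROCESS_INFORMATION *proc)
{
    if (proc->ImageName.Buffer == NULL) {
        return;
    }
    // ImageName is a counted string (Length in bytes) that is not guaranteed to be
    // NUL-terminated, so bound %s with an explicit precision. UniqueProcessId is a
    // HANDLE and must be narrowed explicitly before a %u conversion.
    _tprintf(L"进程名:\t%.*s \t进程ID:%u \t句柄总数:%u \t线程总数:%u \n",
             (int)(proc->ImageName.Length / sizeof(WCHAR)), proc->ImageName.Buffer,
             (unsigned)(ULONG_PTR)proc->UniqueProcessId, proc->HandleCount, proc->NumberOfThreads);
    // Thread records start right after the process struct. Byte arithmetic (not a
    // ULONG64 cast) keeps this correct on 32-bit builds too.
    const SYSTEM_THREAD_INFORMATION *thread =
        (const SYSTEM_THREAD_INFORMATION *)((const BYTE *)proc + sizeof(SYSTEM_PROCESS_INFORMATION));
    // A counted loop prints nothing for NumberOfThreads == 0; the original do/while
    // printed one bogus record in that case. %p is the correct conversion for a pointer.
    for (ULONG i = 0; i < proc->NumberOfThreads; i++, thread++) {
        _tprintf(L"\t线程ID:%u\t起始地址:%p \t线程的状态码:%u\n",
                 (unsigned)(ULONG_PTR)thread->ClientId.UniqueThread, thread->StartAddress, thread->ThreadState);
    }
    _tprintf(L"\n");
}

// Enumerate every process (and its threads) via NtQuerySystemInformation and
// print them to the console. Returns TRUE when the snapshot was obtained and
// walked, FALSE when ntdll or the export cannot be resolved or the query fails.
BOOL NtQueryAllProcess() {
    // ntdll is mapped into every process, so GetModuleHandle suffices and does not
    // add a LoadLibrary reference that is never released.
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) {
        return FALSE;
    }
    PNtQuerySystemInformation query =
        (PNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (query == NULL) {
        return FALSE;
    }
    ULONG length = 0;
    PSYSTEM_PROCESS_INFORMATION snapshot = QueryProcessSnapshot(query, &length);
    if (snapshot == NULL || length < sizeof(SYSTEM_PROCESS_INFORMATION)) {
        free(snapshot);
        return FALSE;
    }
    const BYTE *base = (const BYTE *)snapshot;
    ULONG offset = 0;
    for (;;) {
        const SYSTEM_PROCESS_INFORMATION *proc = (const SYSTEM_PROCESS_INFORMATION *)(base + offset);
        PrintProcessEntry(proc);
        // The last entry carries NextEntryOffset == 0. Test it *after* printing:
        // the original tested the freshly advanced entry and so never printed the last process.
        if (proc->NextEntryOffset == 0) {
            break;
        }
        offset += proc->NextEntryOffset;
        // Stop on a chain that would run past the buffer rather than reading out of bounds.
        if ((SIZE_T)offset + sizeof(SYSTEM_PROCESS_INFORMATION) > length) {
            break;
        }
    }
    free(snapshot);
    return TRUE;
}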
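// Entry point: switch the console locale to UTF-8 so the wide-character process
// names print correctly, then dump the process/thread list. The exit status
// reflects whether the query succeeded (the original ignored the return value).
int main() {
    setlocale(LC_ALL, ".utf8"); // fixes garbled wide-character output on the console
    return NtQueryAllProcess() ? 0 : 1;
}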
3.运行结果
版权声明:本文为weixin_42270114原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。