Using the ZwQuerySystemInformation function

The ZwQuerySystemInformation function is very simple: it takes four parameters.

NTSTATUS WINAPI ZwQuerySystemInformation(
  _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
  _Inout_   PVOID                    SystemInformation,
  _In_      ULONG                    SystemInformationLength,
  _Out_opt_ PULONG                   ReturnLength
);

Parameter 1: the information class, a value that says what you want to query. This function is very powerful; basically anything can be queried.
Parameter 2: the output buffer. The data written into it depends on the information class you asked for, so cast the buffer to the matching structure type to read the result.
Parameter 3: the size of the buffer.
Parameter 4: optional; receives the size of the returned data.

There are many information classes, and MSDN does not document all of them. Look below for the type definitions; there is also an example of their use.

#include <stdio.h>   
#include <windows.h>   
  
// The native status type and the few status codes this sample checks are
// defined locally instead of pulling in <winternl.h>/<ntstatus.h>.
// 0 is success; the 0xC... values are failure codes.
typedef LONG NTSTATUS;

#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED          ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_INFO_CLASS       ((NTSTATUS)0xC0000003L)
// Returned when SystemInformationLength is too small; main() relies on the
// ReturnLength written by that failed call to size its buffer.
#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)
  
/*
 * Information classes accepted as the first argument of
 * ZwQuerySystemInformation. The enumerator's ordinal (0..53) is the value the
 * kernel dispatches on, so the order below must not be changed.
 * The trailing "N Y N" columns appear to be the ordinal followed by
 * query / set support flags (not confirmed here).
 * The public <winternl.h> uses different names for some of the same ordinals
 * (e.g. SystemProcessInformation for 5).
 * main() below uses only ordinals 0, 5 and 11.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,                    //  0 Y N  -> SYSTEM_BASIC_INFORMATION (used by main)
    SystemProcessorInformation,             //  1 Y N
    SystemPerformanceInformation,           //  2 Y N
    SystemTimeOfDayInformation,             //  3 Y N
    SystemNotImplemented1,                  //  4 Y N
    SystemProcessesAndThreadsInformation,   //  5 Y N  -> SYSTEM_PROCESSES list (used by main)
    SystemCallCounts,                       //  6 Y N
    SystemConfigurationInformation,         //  7 Y N
    SystemProcessorTimes,                   //  8 Y N
    SystemGlobalFlag,                       //  9 Y Y
    SystemNotImplemented2,                  // 10 Y N
    SystemModuleInformation,                // 11 Y N  -> count + SYSTEM_MODULE_INFORMATION[] (used by main)
    SystemLockInformation,                  // 12 Y N
    SystemNotImplemented3,                  // 13 Y N
    SystemNotImplemented4,                  // 14 Y N
    SystemNotImplemented5,                  // 15 Y N
    SystemHandleInformation,                // 16 Y N
    SystemObjectInformation,                // 17 Y N
    SystemPagefileInformation,              // 18 Y N
    SystemInstructionEmulationCounts,       // 19 Y N
    SystemInvalidInfoClass1,                // 20
    SystemCacheInformation,                 // 21 Y Y
    SystemPoolTagInformation,               // 22 Y N
    SystemProcessorStatistics,              // 23 Y N
    SystemDpcInformation,                   // 24 Y Y
    SystemNotImplemented6,                  // 25 Y N
    SystemLoadImage,                        // 26 N Y
    SystemUnloadImage,                      // 27 N Y
    SystemTimeAdjustment,                   // 28 Y Y
    SystemNotImplemented7,                  // 29 Y N
    SystemNotImplemented8,                  // 30 Y N
    SystemNotImplemented9,                  // 31 Y N
    SystemCrashDumpInformation,             // 32 Y N
    SystemExceptionInformation,             // 33 Y N
    SystemCrashDumpStateInformation,        // 34 Y Y/N
    SystemKernelDebuggerInformation,        // 35 Y N
    SystemContextSwitchInformation,         // 36 Y N
    SystemRegistryQuotaInformation,         // 37 Y Y
    SystemLoadAndCallImage,                 // 38 N Y
    SystemPrioritySeparation,               // 39 N Y
    SystemNotImplemented10,                 // 40 Y N
    SystemNotImplemented11,                 // 41 Y N
    SystemInvalidInfoClass2,                // 42
    SystemInvalidInfoClass3,                // 43
    SystemTimeZoneInformation,              // 44 Y N
    SystemLookasideInformation,             // 45 Y N
    SystemSetTimeSlipEvent,                 // 46 N Y
    SystemCreateSession,                    // 47 N Y
    SystemDeleteSession,                    // 48 N Y
    SystemInvalidInfoClass4,                // 49
    SystemRangeStartInformation,            // 50 Y N
    SystemVerifierInformation,              // 51 Y Y
    SystemAddVerifier,                      // 52 N Y
    SystemSessionProcessesInformation       // 53 Y N

} SYSTEM_INFORMATION_CLASS;
  
/*
 * Counted UTF-16 string as used by the native API (SYSTEM_PROCESSES.ProcessName).
 * By native-API convention Length and MaximumLength are byte counts, not
 * character counts, and Buffer is not guaranteed to be NUL-terminated, so a
 * reader should bound itself by Length rather than scan for a terminator.
 * Buffer may be NULL for an entry that has no name.
 */
typedef struct _LSA_UNICODE_STRING
{
    USHORT Length;          // bytes in use, excluding any terminator
    USHORT MaximumLength;   // bytes available in Buffer
    PWSTR Buffer;

} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
  
/* Process id / thread id pair carried as HANDLE-sized values (SYSTEM_THREADS.ClientId). */
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;

} CLIENT_ID;
  
/* Scheduler state of a thread, as reported in SYSTEM_THREADS.State. */
typedef enum _THREAD_STATE
{
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,          // blocked; see KWAIT_REASON for why
    StateTransition,
    StateUnknown

} THREAD_STATE;
  
/*
 * Why a waiting thread is blocked, as reported in SYSTEM_THREADS.WaitReason.
 * The values are only meaningful when State is StateWait. The Wr* names
 * presumably mirror the plain names for waits issued from a different context —
 * not confirmed here.
 */
typedef enum _KWAIT_REASON
{
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrLpcReply,
    WrVirtualMemory,
    WrPageOut,
    WrRendezvous,
    Spare2,
    Spare3,
    Spare4,
    Spare5,
    Spare6,
    WrKernel

} KWAIT_REASON;
  
/*typedef struct _IO_COUNTERS   
{   
    LARGE_INTEGER ReadOperationCount;   //I/O读操作数目   
    LARGE_INTEGER WriteOperationCount;  //I/O写操作数目   
    LARGE_INTEGER OtherOperationCount;  //I/O其他操作数目   
    LARGE_INTEGER ReadTransferCount;    //I/O读数据数目   
    LARGE_INTEGER WriteTransferCount;   //I/O写数据数目   
    LARGE_INTEGER OtherTransferCount;   //I/O其他操作数据数目   
  
} IO_COUNTERS, *PIO_COUNTERS;   
  */
/*
 * Per-process memory counters embedded in SYSTEM_PROCESSES.VmCounters.
 * All sizes are in bytes (main() divides WorkingSetSize by 1024 to print KB).
 * NOTE(review): every field is ULONG, which matches the 32-bit layout; on a
 * 64-bit build these counters are pointer-sized in the kernel's structure and
 * this definition would not line up — confirm before using it there.
 */
typedef struct _VM_COUNTERS
{
    ULONG PeakVirtualSize;              // peak virtual size
    ULONG VirtualSize;                  // current virtual size
    ULONG PageFaultCount;               // number of page faults
    ULONG PeakWorkingSetSize;           // peak working set size
    ULONG WorkingSetSize;               // current working set size
    ULONG QuotaPeakPagedPoolUsage;      // peak paged pool quota usage
    ULONG QuotaPagedPoolUsage;          // current paged pool quota usage
    ULONG QuotaPeakNonPagedPoolUsage;   // peak non-paged pool quota usage
    ULONG QuotaNonPagedPoolUsage;       // current non-paged pool quota usage
    ULONG PagefileUsage;                // current pagefile usage
    ULONG PeakPagefileUsage;            // peak pagefile usage

} VM_COUNTERS, *PVM_COUNTERS;
  
typedef LONG KPRIORITY;   // scheduling priority as a signed 32-bit value (SYSTEM_THREADS / SYSTEM_PROCESSES)
  
/*
 * Per-thread record. Each SYSTEM_PROCESSES entry is followed by ThreadCount
 * of these (its Threads[] member is the first one).
 */
typedef struct _SYSTEM_THREADS
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;         // owning process id and this thread's id
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;    // meaningful when State == StateWait

} SYSTEM_THREADS, *PSYSTEM_THREADS;
  
/*
 * One entry of the SystemProcessesAndThreadsInformation (class 5) result.
 * Entries are packed back to back in the returned buffer: NextEntryDelta is
 * the byte offset from this entry to the next one and is 0 on the last entry
 * (main() walks the list that way). Threads[1] is the start of a
 * ThreadCount-long trailing array, which is why the delta — not sizeof — must
 * be used to advance.
 * NOTE(review): ProcessId, the counters and VM_COUNTERS are all ULONG, which
 * matches the 32-bit layout; on a 64-bit build several of these fields are
 * pointer-sized in the kernel's structure and this layout would not line up —
 * confirm before relying on it there.
 */
typedef struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;           // byte offset to the next entry, 0 on the last one
    ULONG ThreadCount;              // number of SYSTEM_THREADS following this header
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;     // counted string; Buffer may be NULL, need not be NUL-terminated
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;   // parent process id
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS  VmCounters;
    IO_COUNTERS IoCounters;         // IO_COUNTERS comes from <windows.h> (the local copy above is commented out)
    SYSTEM_THREADS Threads[1];      // first of ThreadCount entries

} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
  
/*
 * Result of SystemBasicInformation (class 0). This sample only reads
 * NumberOfProcessors; the reserved fields exist so the structure has the size
 * the kernel expects for the fixed-size query in main().
 */
typedef struct _SYSTEM_BASIC_INFORMATION
{
    BYTE Reserved1[24];
    PVOID Reserved2[4];
    CCHAR NumberOfProcessors;   // signed char; printed with %d after integer promotion

} SYSTEM_BASIC_INFORMATION;

/*
 * One element of the SystemModuleInformation (class 11) result. The buffer
 * starts with a ULONG element count, immediately followed by the array
 * (main() reads the count and steps past sizeof(ULONG)).
 * NOTE(review): Reserved[2] + Base is the 32-bit layout. On a 64-bit build the
 * leading reserved fields are pointer-sized and the array is aligned after the
 * count, so both this structure and the sizeof(ULONG) offset in main() would be
 * wrong — confirm before using it there.
 */
typedef struct tagSYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;                 // load address of the module (kernel-mode address)
    ULONG Size;                 // image size in bytes
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;           // reference count printed by main()
    USHORT ModuleNameOffset;    // presumably offset of the file name inside ImageName — not confirmed here
    CHAR ImageName[256];        // ANSI path; bound reads to the array size
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  
// Signature of ntdll!ZwQuerySystemInformation, resolved at run time with
// GetProcAddress because it is not exported through an import library here.
// Parameters: information class, caller-supplied buffer, its length in bytes,
// optional out-pointer receiving the returned/required length.
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
  
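/*
 * Print a status that a query returned, naming the codes this file defines.
 * Any other code (for example an access-denied status when the caller is not
 * permitted to see a class on newer Windows versions) was silently dropped by
 * the original listing; it is printed raw here so the failure is visible.
 */
static void print_status(NTSTATUS status)
{
    if (status == STATUS_UNSUCCESSFUL) {
        printf("\n STATUS_UNSUCCESSFUL");
    } else if (status == STATUS_NOT_IMPLEMENTED) {
        printf("\n STATUS_NOT_IMPLEMENTED");
    } else if (status == STATUS_INVALID_INFO_CLASS) {
        printf("\n STATUS_INVALID_INFO_CLASS");
    } else if (status == STATUS_INFO_LENGTH_MISMATCH) {
        printf("\n STATUS_INFO_LENGTH_MISMATCH");
    } else {
        printf("\n NTSTATUS 0x%08lX", (unsigned long)status);
    }
}

/*
 * Query one variable-size information class into a freshly allocated buffer.
 *
 * The size reported by a probe call can be stale by the time the real call is
 * made (a process can start in between), so the call is retried while the
 * kernel keeps answering STATUS_INFO_LENGTH_MISMATCH, bounded by a small retry
 * count. On success the returned buffer is owned by the caller (release with
 * HeapFree on the process heap), *out_size holds its size and *out_status is
 * STATUS_SUCCESS. On failure NULL is returned, *out_size is 0 and *out_status
 * holds the last status seen.
 */
static BYTE *query_system_info(NTQUERYSYSTEMINFORMATION query,
                               SYSTEM_INFORMATION_CLASS cls,
                               ULONG *out_size, NTSTATUS *out_status)
{
    ULONG size = 0;
    NTSTATUS status = query(cls, NULL, 0, &size);

    for (int attempt = 0; attempt < 8 && status == STATUS_INFO_LENGTH_MISMATCH; attempt++) {
        ULONG needed = size;
        if (needed == 0) {
            break;  // no required size was reported; do not spin
        }
        BYTE *buffer = (BYTE *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, needed);
        if (buffer == NULL) {
            *out_status = STATUS_UNSUCCESSFUL;
            *out_size = 0;
            return NULL;
        }
        status = query(cls, buffer, needed, &size);
        if (status == STATUS_SUCCESS) {
            *out_status = status;
            *out_size = needed;
            return buffer;
        }
        HeapFree(GetProcessHeap(), 0, buffer);
        if (status == STATUS_INFO_LENGTH_MISMATCH && size <= needed) {
            size = needed + needed / 2;  // kernel did not report a larger size; grow anyway
        }
    }

    *out_status = status;
    *out_size = 0;
    return NULL;
}

/*
 * Print one line per process from a SystemProcessesAndThreadsInformation
 * buffer of `size` bytes. Entries are chained by NextEntryDelta (byte offset,
 * 0 on the last entry).
 */
static void print_process_list(const BYTE *buffer, ULONG size)
{
    const size_t header_size = (size_t)FIELD_OFFSET(SYSTEM_PROCESSES, Threads);
    const BYTE *end = buffer + size;
    const SYSTEM_PROCESSES *psp = (const SYSTEM_PROCESSES *)buffer;

    if (size < header_size) {
        return;  // buffer cannot even hold one entry header
    }

    printf("PID  线程数 工作集大小 进程名\n");
    for (;;) {
        /* Print before following the link, so the last entry (delta 0) is not
         * skipped — the original do/while advanced first and lost it. */
        printf("%-4lu", psp->ProcessId);
        printf(" %3lu", psp->ThreadCount);
        printf(" %8luKB", psp->VmCounters.WorkingSetSize / 1024);
        if (psp->ProcessName.Buffer != NULL) {
            /* Length is a byte count and Buffer need not be NUL-terminated,
             * so bound the print by it. Mixing printf/wprintf on stdout is
             * kept from the original; the MSVC CRT tolerates it. */
            wprintf(L" %.*ls\n",
                    (int)(psp->ProcessName.Length / sizeof(WCHAR)),
                    psp->ProcessName.Buffer);
        } else {
            wprintf(L"\n");  // e.g. the Idle process carries no name
        }

        if (psp->NextEntryDelta == 0) {
            break;
        }
        /* Offsets are in bytes: step through a byte pointer, never through a
         * ULONG cast (that truncates the pointer on 64-bit builds). Stop if a
         * malformed delta would leave the buffer. */
        size_t remaining = (size_t)(end - (const BYTE *)psp);
        if (psp->NextEntryDelta > remaining ||
            remaining - psp->NextEntryDelta < header_size) {
            break;
        }
        psp = (const SYSTEM_PROCESSES *)((const BYTE *)psp + psp->NextEntryDelta);
    }
}

/*
 * Print the module table from a SystemModuleInformation buffer of `size`
 * bytes: a ULONG count followed by SYSTEM_MODULE_INFORMATION elements.
 */
static void print_module_list(const BYTE *buffer, ULONG size)
{
    if (size < sizeof(ULONG)) {
        return;
    }
    UINT count = *(const UINT *)buffer;
    const SYSTEM_MODULE_INFORMATION *pmi =
        (const SYSTEM_MODULE_INFORMATION *)(buffer + sizeof(ULONG));

    /* The count is kernel-supplied, but the element layout is this file's
     * (32-bit) guess. Clamp the walk to what the buffer actually holds so a
     * layout mismatch cannot read past the allocation. */
    UINT fits = (UINT)((size - sizeof(ULONG)) / sizeof(*pmi));
    UINT limit = count < fits ? count : fits;

    printf("模块数:%u\n", count);
    printf("基地址 模块大小 引用计数 模块路径\n");
    for (UINT i = 0; i < limit; i++, pmi++) {
        printf("0x%p ", pmi->Base);              // %p: %X would truncate a 64-bit pointer
        printf("%8luKB ", pmi->Size / 1024);
        printf("%2u ", (unsigned)pmi->LoadCount);
        printf("%.*s\n", (int)sizeof(pmi->ImageName), pmi->ImageName);  // bounded in case of no terminator
    }
}

/*
 * Resolve ZwQuerySystemInformation from ntdll.dll and print: the processor
 * count (SystemBasicInformation), every process with thread count, working
 * set and name (SystemProcessesAndThreadsInformation), and the loaded kernel
 * modules (SystemModuleInformation).
 *
 * Returns -1 if ntdll.dll cannot be found, otherwise 0; per-query failures are
 * reported on stdout and do not change the exit code (as in the original).
 * Buffers come from the process heap instead of C++ new/delete so the file
 * builds as either C or C++.
 */
int main(void)
{
    /* ntdll.dll is already mapped into every process, so GetModuleHandle is
     * enough. It does not add a reference to the module, so the handle must
     * NOT be passed to FreeLibrary (the original did). */
    HMODULE ntdll_dll = GetModuleHandleA("ntdll.dll");
    if (ntdll_dll == NULL) {
        printf("load ntdll.dll failed.\n");
        return -1;
    }

    NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
        (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf("Get ZwQuerySystemInformation address error!");
        return 0;
    }

    /* Fixed-size class: the structure is known, so no size probe is needed. */
    SYSTEM_BASIC_INFORMATION sbi = {0};
    NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, &sbi, sizeof(sbi), NULL);
    if (status == STATUS_SUCCESS) {
        printf("处理器个数:%d\r\n", sbi.NumberOfProcessors);
    } else {
        printf("\r\n SystemBasicInformation error");
    }

    ULONG size = 0;
    BYTE *buffer;

    printf("---------------------所有进程信息----------------------------------------\n");
    buffer = query_system_info(ZwQuerySystemInformation,
                               SystemProcessesAndThreadsInformation, &size, &status);
    if (buffer != NULL) {
        print_process_list(buffer, size);
        HeapFree(GetProcessHeap(), 0, buffer);  // freed on every path; the original leaked on failure
    } else {
        print_status(status);
    }

    printf("---------------------系统模块信息----------------------------------------\n");
    buffer = query_system_info(ZwQuerySystemInformation,
                               SystemModuleInformation, &size, &status);
    if (buffer != NULL) {
        print_module_list(buffer, size);
        HeapFree(GetProcessHeap(), 0, buffer);
    } else {
        print_status(status);
    }

    return 0;
}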

This post is not original: I needed this query for a moment, found the article useful, and copied it to my own blog. Original blog link:
https://www.cnblogs.com/wuliqv/archive/2012/06/20/2557009.html


Origin www.cnblogs.com/iBinary/p/11073222.html