(转)SystemProcessesAndThreadsInformation

http://hi.baidu.com/hanjdud8606/item/7a970408a95acc843d42e27f

NTSTATUS NTAPI ZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength
);

　　第一个参数是一个枚举类型，传入的是你需要查询的信息的类型，如果你要查询进程的相关信息，则你需要传入SystemProcessesAndThreadsInformation，以下是这个enmu类型的定义。

typedef enum _SYSTEM_INFORMATION_CLASS {SystemBasicInformation, // 0 Y NSystemProcessorInformation, // 1 Y NSystemPerformanceInformation, // 2 Y NSystemTimeOfDayInformation, // 3 Y NSystemNotImplemented1, // 4 Y NSystemProcessesAndThreadsInformation, // 5 Y NSystemCallCounts, // 6 Y NSystemConfigurationInformation, // 7 Y NSystemProcessorTimes, // 8 Y NSystemGlobalFlag, // 9 Y YSystemNotImplemented2, // 10 Y NSystemModuleInformation, // 11 Y NSystemLockInformation, // 12 Y NSystemNotImplemented3, // 13 Y NSystemNotImplemented4, // 14 Y NSystemNotImplemented5, // 15 Y NSystemHandleInformation, // 16 Y NSystemObjectInformation, // 17 Y NSystemPagefileInformation, // 18 Y NSystemInstructionEmulationCounts, // 19 Y NSystemInvalidInfoClass1, // 20SystemCacheInformation, // 21 Y YSystemPoolTagInformation, // 22 Y NSystemProcessorStatistics, // 23 Y NSystemDpcInformation, // 24 Y YSystemNotImplemented6, // 25 Y NSystemLoadImage, // 26 N YSystemUnloadImage, // 27 N YSystemTimeAdjustment, // 28 Y YSystemNotImplemented7, // 29 Y NSystemNotImplemented8, // 30 Y NSystemNotImplemented9, // 31 Y NSystemCrashDumpInformation, // 32 Y NSystemExceptionInformation, // 33 Y NSystemCrashDumpStateInformation, // 34 Y Y/NSystemKernelDebuggerInformation, // 35 Y NSystemContextSwitchInformation, // 36 Y NSystemRegistryQuotaInformation, // 37 Y YSystemLoadAndCallImage, // 38 N YSystemPrioritySeparation, // 39 N YSystemNotImplemented10, // 40 Y NSystemNotImplemented11, // 41 Y NSystemInvalidInfoClass2, // 42SystemInvalidInfoClass3, // 43SystemTimeZoneInformation, // 44 Y NSystemLookasideInformation, // 45 Y NSystemSetTimeSlipEvent, // 46 N YSystemCreateSession, // 47 N YSystemDeleteSession, // 48 N YSystemInvalidInfoClass4, // 49SystemRangeStartInformation, // 50 Y NSystemVerifierInformation, // 51 Y YSystemAddVerifier, // 52 N YSystemSessionProcessesInformation // 53 Y N
}SYSTEM_INFORMATION_CLASS;

　　当我们第一个参数传入的是SystemProcessesAndThreadsInformation则返回的一片内存空间一个PSYSTEM_PROCESSES的结构。

typedef struct _SYSTEM_PROCESSES
{ULONG NextEntryDelta; //构成结构序列的偏移量;ULONG ThreadCount; //线程数目;ULONG Reserved1[6];LARGE_INTEGER CreateTime; //创建时间;LARGE_INTEGER UserTime;//用户模式(Ring 3)的CPU时间;LARGE_INTEGER KernelTime; //内核模式(Ring 0)的CPU时间;UNICODE_STRING ProcessName; //进程名称;KPRIORITY BasePriority;//进程优先权;ULONG ProcessId; //进程标识符;ULONG InheritedFromProcessId; //父进程的标识符;ULONG HandleCount; //句柄数目;ULONG Reserved2[2];VM_COUNTERS  VmCounters; //虚拟存储器的结构，见下;IO_COUNTERS IoCounters; //IO计数结构，见下;SYSTEM_THREADS Threads[1]; //进程相关线程的结构数组
}SYSTEM_PROCESSES,*PSYSTEM_PROCESSES;

　　如果要遍历系统中的进程，我们只需要使用NextEntryDelta这个指针即可。

　　获取进程示例代码#include <windows.#include <ntsecapi.h>

#include "stdio.h"typedef DWORD (WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);typedef struct _SYSTEM_PROCESS_INFORMATION {DWORD   NextEntryDelta;DWORD   ThreadCount;DWORD   Reserved1[6];FILETIME  ftCreateTime;   FILETIME  ftUserTime;   FILETIME  ftKernelTime;   UNICODE_STRING ProcessName;      // 进程名.
    DWORD   BasePriority;  DWORD   ProcessId;DWORD   InheritedFromProcessId;DWORD   HandleCount;DWORD   Reserved2[2];DWORD   VmCounters;  DWORD   dCommitCharge;  PVOID   ThreadInfos[1]; 
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;#define SystemProcessesAndThreadsInformation 5void main()
{HMODULE hNtDLL = GetModuleHandle( "ntdll.dll" );if (!hNtDLL )return;ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDLL,"ZwQuerySystemInformation");ULONG cbBuffer = 0x20000;   // 设置缓冲大小,与系统有关.LPVOID pBuffer = NULL;pBuffer = malloc(cbBuffer);

 　　if (pBuffer == NULL)
　　　　　　return;ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);PSYSTEM_PROCESS_INFORMATION pInfo =  (PSYSTEM_PROCESS_INFORMATION)pBuffer;for (;;){printf("ProcessID: %d (%ls)\n", pInfo->ProcessId, pInfo->ProcessName.Buffer);if (pInfo->NextEntryDelta == 0)break;// 查找下一个进程的结构地址.pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta);}

    free(pBuffer);getchar();  //暂停.
}