ZwQuerySystemInformation 查看系统进程信息

最新推荐文章于 2024-02-07 11:42:06 发布

转载最新推荐文章于 2024-02-07 11:42:06 发布 · 661 阅读

本文介绍了一个简单的Windows驱动程序，该驱动程序利用内核API ZwQuerySystemInformation 来枚举当前系统中的所有进程，并打印出每个进程的ID及名称。通过分析源代码，读者可以了解如何使用内核API获取系统信息。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

#include <ntddk.h>  
  
typedef enum _SYSTEM_INFORMATION_CLASS {  
    SystemBasicInformation,  
    SystemProcessorInformation,  
    SystemPerformanceInformation,  
    SystemTimeOfDayInformation,  
    SystemPathInformation,  
    SystemProcessInformation, //5  
    SystemCallCountInformation,  
    SystemDeviceInformation,  
    SystemProcessorPerformanceInformation,  
    SystemFlagsInformation,  
    SystemCallTimeInformation,  
    SystemModuleInformation,  
    SystemLocksInformation,  
    SystemStackTraceInformation,  
    SystemPagedPoolInformation,  
    SystemNonPagedPoolInformation,  
    SystemHandleInformation,  
    SystemObjectInformation,  
    SystemPageFileInformation,  
    SystemVdmInstemulInformation,  
    SystemVdmBopInformation,  
    SystemFileCacheInformation,  
    SystemPoolTagInformation,  
    SystemInterruptInformation,  
    SystemDpcBehaviorInformation,  
    SystemFullMemoryInformation,  
    SystemLoadGdiDriverInformation,  
    SystemUnloadGdiDriverInformation,  
    SystemTimeAdjustmentInformation,  
    SystemSummaryMemoryInformation,  
    SystemNextEventIdInformation,  
    SystemEventIdsInformation,  
    SystemCrashDumpInformation,  
    SystemExceptionInformation,  
    SystemCrashDumpStateInformation,  
    SystemKernelDebuggerInformation,  
    SystemContextSwitchInformation,  
    SystemRegistryQuotaInformation,  
    SystemExtendServiceTableInformation,  
    SystemPrioritySeperation,  
    SystemPlugPlayBusInformation,  
    SystemDockInformation,  
    SystemPowerInformation2,  
    SystemProcessorSpeedInformation,  
    SystemCurrentTimeZoneInformation,  
    SystemLookasideInformation  
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;  
  
typedef struct _SYSTEM_THREAD_INFORMATION {  
    LARGE_INTEGER           KernelTime;  
    LARGE_INTEGER           UserTime;  
    LARGE_INTEGER           CreateTime;  
    ULONG                   WaitTime;  
    PVOID                   StartAddress;  
    CLIENT_ID               ClientId;  
    KPRIORITY               Priority;  
    LONG                    BasePriority;  
    ULONG                   ContextSwitchCount;  
    ULONG                   State;  
    KWAIT_REASON            WaitReason;  
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;  
  
typedef struct _SYSTEM_PROCESS_INFORMATION {  
    ULONG                   NextEntryOffset;  
    ULONG                   NumberOfThreads;  
    LARGE_INTEGER           Reserved[3];  
    LARGE_INTEGER           CreateTime;  
    LARGE_INTEGER           UserTime;  
    LARGE_INTEGER           KernelTime;  
    UNICODE_STRING          ImageName;  
    KPRIORITY               BasePriority;  
    HANDLE                  ProcessId;  
    HANDLE                  InheritedFromProcessId;  
    ULONG                   HandleCount;  
    ULONG                   Reserved2[2];  
    ULONG                   PrivatePageCount;  
    VM_COUNTERS             VirtualMemoryCounters;  
    IO_COUNTERS             IoCounters;  
    SYSTEM_THREAD_INFORMATION           Threads[0];  
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;  
  
//不加extern "C" 一直报link错误  
 extern "C"  NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(   
    IN ULONG SystemInformationClass,   
    IN PVOID SystemInformation,   
    IN ULONG SystemInformationLength,   
    OUT PULONG ReturnLength);  
  
VOID Unload(  
    __in  struct _DRIVER_OBJECT *DriverObject  
    )  
{  
    KdPrint(("unload ....."));  
}  
  
NTSTATUS Ring0EnumProcess()  
{  
    ULONG   cbBuffer = 0x8000; //32k  
    PVOID   pSystemInfo;  
    NTSTATUS status;  
    PSYSTEM_PROCESS_INFORMATION pInfo;  
  
    //为查找进程分配足够的空间  
    do   
    {  
        pSystemInfo = ExAllocatePool(NonPagedPool, cbBuffer);  
        if (pSystemInfo == NULL)    //申请空间失败，返回  
        {  
            return 1;  
        }  
        status = ZwQuerySystemInformation(SystemProcessInformation, pSystemInfo, cbBuffer, NULL );  
        if (status == STATUS_INFO_LENGTH_MISMATCH) //空间不足  
        {  
            ExFreePool(pSystemInfo);  
            cbBuffer *= 2;  
        }  
        else if(!NT_SUCCESS(status))  
        {  
            ExFreePool(pSystemInfo);  
            return 1;  
        }  
  
    } while(status == STATUS_INFO_LENGTH_MISMATCH); //如果是空间不足，就一直循环  
  
    pInfo = (PSYSTEM_PROCESS_INFORMATION)pSystemInfo; //把得到的信息放到pInfo中  
  
    for (;;)  
    {  
        LPWSTR pszProcessName = pInfo->ImageName.Buffer;  
        if (pszProcessName == NULL)  
        {  
            pszProcessName = L"NULL";  
        }  
        KdPrint(("PID:%d, process name:%S\n", pInfo->ProcessId, pszProcessName));  
        if (pInfo->NextEntryOffset == 0) //==0，说明到达进程链的尾部了  
        {  
            break;  
        }  
        pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryOffset); //遍历  
  
    }  
    return STATUS_SUCCESS;  
}  
  
NTSTATUS DriverEntry(  
    __in  PDRIVER_OBJECT DriverObject,  
    __in  PUNICODE_STRING RegistryPath  
    )  
{  
    DriverObject->DriverUnload = Unload;  
    Ring0EnumProcess();  
    return STATUS_SUCCESS;  
}