RtlCompareUnicodeString

LONG RtlCompareUnicodeString( IN PUNICODE_STRING String1, IN PUNICODE_STRING String2, IN BOOLEAN CaseInSensitive );

RtlCompareUnicodeString compares two Unicode strings.

Parameters
String1 — Points to the first string.
String2 — Points to the second string.
CaseInSensitive — If TRUE, case should be ignored when doing the comparison.

Return Value
RtlCompareUnicodeString returns a signed value that gives the results of the comparison:
Zero: String1 equals String2.
< Zero: String1 is less than String2.
> Zero: String1 is greater than String2.

Comments
Callers of RtlCompareUnicodeString must be running at IRQL PASSIVE_LEVEL.

NtQuerySystemInformation好像是未公开的api,帮你up
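/* 调用NTDLL.DLL中未公开API NtQuerySystemInformation枚举本地系统进程 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Enumerate the processes of the local machine through the undocumented
 * ntdll!NtQuerySystemInformation, information class 5, and print each
 * image name together with its process id.
 *
 * struct process_info is the record layout the original sample assumed for
 * 32-bit NT. The kernel structure has changed across Windows versions and
 * the process id is a pointer-sized HANDLE on 64-bit Windows, so every field
 * other than NextEntryDelta and ProcessName should be re-checked against the
 * SDK's SYSTEM_PROCESS_INFORMATION (winternl.h) for the target platform.
 */

/* NTSTATUS is a signed 32-bit value (typedef LONG NTSTATUS in the SDK).
 * The original `unsigned long` typedef made the `rc < 0` failure test below
 * unconditionally false. USHORT/ULONG/DWORD/LONG/LONGLONG already come from
 * <windows.h> and are not redeclared here. */
typedef long NTSTATUS;

/* Counted UTF-16 string as filled in by the kernel. Length and MaxLen are in
 * bytes and Buffer is not guaranteed to be NUL-terminated. */
typedef struct {
    USHORT Length;
    USHORT MaxLen;
    WCHAR *Buffer;
} UNICODE_STRING;

struct process_info {
    ULONG NextEntryDelta;       /* byte offset from this record to the next; 0 ends the list */
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName; /* Buffer points inside the same query buffer */
    ULONG BasePriority;
    ULONG ProcessId;
};

typedef NTSTATUS (WINAPI *NtQuerySystemInformation1)(
    ULONG SysInfoClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG RetLen);

enum {
    PROCESS_INFO_CLASS = 5,      /* SystemProcessInformation */
    BUFFER_GROW_STEP   = 0x1000  /* bytes added per retry when the kernel gives no size hint */
};

/* STATUS_INFO_LENGTH_MISMATCH: buffer too small, RetLen says how much is needed. */
static const NTSTATUS kStatusInfoLengthMismatch = (NTSTATUS)0xC0000004L;

/*
 * Return non-zero when the `bytes` bytes starting at `ptr` lie entirely inside
 * the first `produced` bytes of `buf`. Used so that a ProcessName.Buffer value
 * coming back from the kernel can never make the print read outside the
 * buffer this program owns.
 */
static int inside(const void *buf, size_t produced, const void *ptr, size_t bytes)
{
    ULONG_PTR base = (ULONG_PTR)buf;
    ULONG_PTR at = (ULONG_PTR)ptr;

    if (at < base) {
        return 0;
    }
    return at - base <= produced && bytes <= produced - (at - base);
}

/*
 * Entry point. Returns 0 after printing the process list, 1 when ntdll or its
 * export cannot be resolved, memory runs out, or the query fails.
 */
int main(void)
{
    int exit_code = 1;
    HINSTANCE hNtDll;
    NtQuerySystemInformation1 NtQuerySystemInformation;
    NTSTATUS rc;
    ULONG ulNeed = 0;
    void *buf = NULL;
    size_t len = 0;
    size_t produced;
    size_t off;

    hNtDll = LoadLibraryA("NTDLL");
    if (!hNtDll) {
        return exit_code;
    }
    NtQuerySystemInformation = (NtQuerySystemInformation1)GetProcAddress(hNtDll, "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        goto out;
    }

    /* Grow the buffer until the kernel accepts it. When RetLen reports the
     * required size, jump straight to it; otherwise step up by a page. */
    do {
        size_t want = ulNeed > len ? (size_t)ulNeed : len + BUFFER_GROW_STEP;
        void *tmp = realloc(buf, want);   /* keep buf valid if realloc fails */
        if (!tmp) {
            goto out;
        }
        buf = tmp;
        len = want;
        rc = NtQuerySystemInformation(PROCESS_INFO_CLASS, buf, (ULONG)len, &ulNeed);
    } while (rc == kStatusInfoLengthMismatch);

    if (rc < 0) {   /* NT_SUCCESS(rc) is rc >= 0 */
        goto out;
    }

    /* RetLen receives the number of bytes written; trust it only when it is
     * consistent with the buffer that was passed. */
    produced = (ulNeed != 0 && ulNeed <= len) ? (size_t)ulNeed : len;

    printf("\nProcessName ProcessID");
    off = 0;
    for (;;) {
        const struct process_info *p;

        /* A record must fit inside what the kernel produced; a short or
         * corrupt NextEntryDelta stops the walk instead of reading past buf. */
        if (off > produced || produced - off < sizeof *p) {
            break;
        }
        p = (const struct process_info *)((char *)buf + off);

        if (p->ProcessName.Buffer != NULL &&
            inside(buf, produced, p->ProcessName.Buffer, p->ProcessName.Length)) {
            /* Bound the print by Length (bytes -> characters); the string
             * need not be NUL-terminated. */
            printf("\n%-20.*S%lu",
                   (int)(p->ProcessName.Length / sizeof(WCHAR)),
                   p->ProcessName.Buffer,
                   (unsigned long)p->ProcessId);
        }
        if (p->NextEntryDelta == 0) {
            break;
        }
        off += p->NextEntryDelta;
    }
    exit_code = 0;

out:
    free(buf);            /* free(NULL) is a no-op */
    FreeLibrary(hNtDll);
    return exit_code;
}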
那NtQuerySystemInformation的参数都是什么意义呢?
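// sample:
#include <windows.h>
#include <stdio.h>

/* Information class passed to NtQuerySystemInformation below. */
#define SystemTimeInformation 3

/* Buffer filled for SystemTimeInformation. Only liKeBootTime is used by this
 * sample, where it is treated as a FILETIME. The layout is undocumented --
 * TODO confirm against the SDK headers of the target platform. */
typedef struct _SYSTEM_TIME_INFORMATION
{
    LARGE_INTEGER liKeBootTime;
    LARGE_INTEGER liKeSystemTime;
    LARGE_INTEGER liExpTimeZoneBias;
    ULONG uCurrentTimeZoneId;
    DWORD dwReserved;
} SYSTEM_TIME_INFORMATION;

// ntdll!NtQuerySystemInformation (NT specific!)
//
// The function copies the system information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQuerySystemInformation(
//   IN UINT SystemInformationClass,    // information type
//   OUT PVOID SystemInformation,       // pointer to buffer
//   IN ULONG SystemInformationLength,  // buffer size in bytes
//   OUT PULONG ReturnLength OPTIONAL   // pointer to a 32-bit
//                                      // variable that receives
//                                      // the number of bytes
//                                      // written to the buffer
// );
typedef LONG (WINAPI *PROCNTQSI)(UINT, PVOID, ULONG, PULONG);

/*
 * Print the local date and time at which the system booted, read through
 * ntdll!NtQuerySystemInformation with the SystemTimeInformation class.
 *
 * Returns 0 on success and 1 when ntdll or its export cannot be resolved,
 * when the query fails, or when a FILETIME conversion fails. `void main` is
 * not a valid hosted-program signature, hence `int main(void)`.
 */
int main(void)
{
    SYSTEM_TIME_INFORMATION Sti;
    LONG status;
    FILETIME ftSystemBoot;
    FILETIME ftLocalBoot;
    SYSTEMTIME stSystemBoot;
    HMODULE hNtDll;
    PROCNTQSI NtQuerySystemInformation;

    /* ntdll is mapped into every user-mode process, so GetModuleHandle
     * suffices; still check it before handing it to GetProcAddress. */
    hNtDll = GetModuleHandleA("ntdll");
    if (!hNtDll) {
        return 1;
    }
    NtQuerySystemInformation = (PROCNTQSI)GetProcAddress(hNtDll, "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        return 1;
    }

    /* ReturnLength is OPTIONAL; NULL omits it. */
    status = NtQuerySystemInformation(SystemTimeInformation, &Sti, sizeof(Sti), NULL);
    if (status != 0) {   /* 0 is STATUS_SUCCESS; NO_ERROR is a Win32 code, not an NTSTATUS */
        return 1;
    }

    /* LARGE_INTEGER and FILETIME carry the same 64-bit value but are distinct
     * types; copy the halves instead of punning through a pointer cast. */
    ftSystemBoot.dwLowDateTime  = Sti.liKeBootTime.LowPart;
    ftSystemBoot.dwHighDateTime = (DWORD)Sti.liKeBootTime.HighPart;

    /* Convert into a separate FILETIME instead of in place, and check both calls. */
    if (!FileTimeToLocalFileTime(&ftSystemBoot, &ftLocalBoot) ||
        !FileTimeToSystemTime(&ftLocalBoot, &stSystemBoot)) {
        return 1;
    }

    printf("Date: %02d-%02d-%04d\nTime: %02d:%02d:%02d\n",
           stSystemBoot.wMonth, stSystemBoot.wDay, stSystemBoot.wYear,
           stSystemBoot.wHour, stSystemBoot.wMinute, stSystemBoot.wSecond);
    return 0;
}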
LONG
RtlCompareUnicodeString(
IN PUNICODE_STRING String1,
IN PUNICODE_STRING String2,
IN BOOLEAN CaseInSensitive
);

RtlCompareUnicodeString compares two Unicode strings.

Parameters
String1 — Points to the first string.
String2 — Points to the second string.
CaseInSensitive — If TRUE, case should be ignored when doing the comparison.

Return Value
RtlCompareUnicodeString returns a signed value that gives the results of the comparison:
Zero: String1 equals String2.
< Zero String1 is less than String2.
> Zero String1 is greater than String2.
Comments
Callers of RtlCompareUnicodeString must be running at IRQL PASSIVE_LEVEL.

NtQuerySystemInformation好像是未公开的api,帮你up
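#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Enumerate the processes of the local machine through the undocumented
 * ntdll!NtQuerySystemInformation, information class 5, and print each
 * image name together with its process id.
 *
 * struct process_info is the record layout the original sample assumed for
 * 32-bit NT. The kernel structure has changed across Windows versions and
 * the process id is a pointer-sized HANDLE on 64-bit Windows, so every field
 * other than NextEntryDelta and ProcessName should be re-checked against the
 * SDK's SYSTEM_PROCESS_INFORMATION (winternl.h) for the target platform.
 */

/* NTSTATUS is a signed 32-bit value (typedef LONG NTSTATUS in the SDK).
 * The original `unsigned long` typedef made the `rc < 0` failure test below
 * unconditionally false. USHORT/ULONG/DWORD/LONG/LONGLONG already come from
 * <windows.h> and are not redeclared here. */
typedef long NTSTATUS;

/* Counted UTF-16 string as filled in by the kernel. Length and MaxLen are in
 * bytes and Buffer is not guaranteed to be NUL-terminated. */
typedef struct {
    USHORT Length;
    USHORT MaxLen;
    WCHAR *Buffer;
} UNICODE_STRING;

struct process_info {
    ULONG NextEntryDelta;       /* byte offset from this record to the next; 0 ends the list */
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName; /* Buffer points inside the same query buffer */
    ULONG BasePriority;
    ULONG ProcessId;
};

typedef NTSTATUS (WINAPI *NtQuerySystemInformation1)(
    ULONG SysInfoClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG RetLen);

enum {
    PROCESS_INFO_CLASS = 5,      /* SystemProcessInformation */
    BUFFER_GROW_STEP   = 0x1000  /* bytes added per retry when the kernel gives no size hint */
};

/* STATUS_INFO_LENGTH_MISMATCH: buffer too small, RetLen says how much is needed. */
static const NTSTATUS kStatusInfoLengthMismatch = (NTSTATUS)0xC0000004L;

/*
 * Return non-zero when the `bytes` bytes starting at `ptr` lie entirely inside
 * the first `produced` bytes of `buf`. Used so that a ProcessName.Buffer value
 * coming back from the kernel can never make the print read outside the
 * buffer this program owns.
 */
static int inside(const void *buf, size_t produced, const void *ptr, size_t bytes)
{
    ULONG_PTR base = (ULONG_PTR)buf;
    ULONG_PTR at = (ULONG_PTR)ptr;

    if (at < base) {
        return 0;
    }
    return at - base <= produced && bytes <= produced - (at - base);
}

/*
 * Entry point. Returns 0 after printing the process list, 1 when ntdll or its
 * export cannot be resolved, memory runs out, or the query fails.
 */
int main(void)
{
    int exit_code = 1;
    HINSTANCE hNtDll;
    NtQuerySystemInformation1 NtQuerySystemInformation;
    NTSTATUS rc;
    ULONG ulNeed = 0;
    void *buf = NULL;
    size_t len = 0;
    size_t produced;
    size_t off;

    hNtDll = LoadLibraryA("NTDLL");
    if (!hNtDll) {
        return exit_code;
    }
    NtQuerySystemInformation = (NtQuerySystemInformation1)GetProcAddress(hNtDll, "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        goto out;
    }

    /* Grow the buffer until the kernel accepts it. When RetLen reports the
     * required size, jump straight to it; otherwise step up by a page. */
    do {
        size_t want = ulNeed > len ? (size_t)ulNeed : len + BUFFER_GROW_STEP;
        void *tmp = realloc(buf, want);   /* keep buf valid if realloc fails */
        if (!tmp) {
            goto out;
        }
        buf = tmp;
        len = want;
        rc = NtQuerySystemInformation(PROCESS_INFO_CLASS, buf, (ULONG)len, &ulNeed);
    } while (rc == kStatusInfoLengthMismatch);

    if (rc < 0) {   /* NT_SUCCESS(rc) is rc >= 0 */
        goto out;
    }

    /* RetLen receives the number of bytes written; trust it only when it is
     * consistent with the buffer that was passed. */
    produced = (ulNeed != 0 && ulNeed <= len) ? (size_t)ulNeed : len;

    printf("\nProcessName ProcessID");
    off = 0;
    for (;;) {
        const struct process_info *p;

        /* A record must fit inside what the kernel produced; a short or
         * corrupt NextEntryDelta stops the walk instead of reading past buf. */
        if (off > produced || produced - off < sizeof *p) {
            break;
        }
        p = (const struct process_info *)((char *)buf + off);

        if (p->ProcessName.Buffer != NULL &&
            inside(buf, produced, p->ProcessName.Buffer, p->ProcessName.Length)) {
            /* Bound the print by Length (bytes -> characters); the string
             * need not be NUL-terminated. */
            printf("\n%-20.*S%lu",
                   (int)(p->ProcessName.Length / sizeof(WCHAR)),
                   p->ProcessName.Buffer,
                   (unsigned long)p->ProcessId);
        }
        if (p->NextEntryDelta == 0) {
            break;
        }
        off += p->NextEntryDelta;
    }
    exit_code = 0;

out:
    free(buf);            /* free(NULL) is a no-op */
    FreeLibrary(hNtDll);
    return exit_code;
}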
#include <windows.h>
#include <stdio.h>
/* Information class passed to NtQuerySystemInformation in main(). */
#define SystemTimeInformation 3
/* Buffer filled for SystemTimeInformation. Only liKeBootTime is used by this
 * sample, where main() treats it as a FILETIME. The layout is undocumented --
 * TODO confirm against the SDK headers of the target platform. */
typedef struct _SYSTEM_TIME_INFORMATION
{
    LARGE_INTEGER liKeBootTime;
    LARGE_INTEGER liKeSystemTime;
    LARGE_INTEGER liExpTimeZoneBias;
    ULONG uCurrentTimeZoneId;
    DWORD dwReserved;
} SYSTEM_TIME_INFORMATION;
// ntdll!NtQuerySystemInformation (NT specific!)
//
// The function copies the system information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQuerySystemInformation(
// IN UINT SystemInformationClass, // information type
// OUT PVOID SystemInformation, // pointer to buffer
// IN ULONG SystemInformationLength, // buffer size in bytes
// OUT PULONG ReturnLength OPTIONAL // pointer to a 32-bit
// // variable that receives
// // the number of bytes
// // written to the buffer
// );
/* Signature of ntdll!NtQuerySystemInformation as called by this sample:
 * (information class, buffer, buffer size in bytes, optional returned length). */
typedef LONG (WINAPI *PROCNTQSI)(UINT,PVOID,ULONG,PULONG);
/* Resolved at run time in main() through GetProcAddress; NULL until then. */
PROCNTQSI NtQuerySystemInformation;
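/*
 * Print the local date and time at which the system booted, read through
 * ntdll!NtQuerySystemInformation with the SystemTimeInformation class.
 *
 * Returns 0 on success and 1 when ntdll or its export cannot be resolved,
 * when the query fails, or when a FILETIME conversion fails. `void main` is
 * not a valid hosted-program signature, hence `int main(void)`.
 */
int main(void)
{
    SYSTEM_TIME_INFORMATION Sti;
    LONG status;
    FILETIME ftSystemBoot;
    FILETIME ftLocalBoot;
    SYSTEMTIME stSystemBoot;
    HMODULE hNtDll;

    /* ntdll is mapped into every user-mode process, so GetModuleHandle
     * suffices; still check it before handing it to GetProcAddress. */
    hNtDll = GetModuleHandleA("ntdll");
    if (!hNtDll) {
        return 1;
    }
    NtQuerySystemInformation = (PROCNTQSI)GetProcAddress(hNtDll, "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        return 1;
    }

    /* ReturnLength is OPTIONAL; NULL omits it. */
    status = NtQuerySystemInformation(SystemTimeInformation, &Sti, sizeof(Sti), NULL);
    if (status != 0) {   /* 0 is STATUS_SUCCESS; NO_ERROR is a Win32 code, not an NTSTATUS */
        return 1;
    }

    /* LARGE_INTEGER and FILETIME carry the same 64-bit value but are distinct
     * types; copy the halves instead of punning through a pointer cast. */
    ftSystemBoot.dwLowDateTime  = Sti.liKeBootTime.LowPart;
    ftSystemBoot.dwHighDateTime = (DWORD)Sti.liKeBootTime.HighPart;

    /* Convert into a separate FILETIME instead of in place, and check both calls. */
    if (!FileTimeToLocalFileTime(&ftSystemBoot, &ftLocalBoot) ||
        !FileTimeToSystemTime(&ftLocalBoot, &stSystemBoot)) {
        return 1;
    }

    printf("Date: %02d-%02d-%04d\nTime: %02d:%02d:%02d\n",
           stSystemBoot.wMonth, stSystemBoot.wDay, stSystemBoot.wYear,
           stSystemBoot.wHour, stSystemBoot.wMinute, stSystemBoot.wSecond);
    return 0;
}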