使用NATIVE API,下面乃是一老外的做法.需要SE_TCB_PRIVELE.你尝试一下吧.:)Or all one needs the header attached to this message!NtQuerySystemsInformation (in NTDLL.DLL) is at the heart of many of
Microsoft's utilities; including the PSAPI DLL. I wanted to use it; so,
I figured out how it works. You are getting the benefit of my hard work.To use NtQuerySystemInformation, one either has to a) create an import
library from NTDLL.DLL, or b) use LoadLibrary + GetProcAddress.
NtQuerySystemInformation is like a lot of NT calls, you need to call it
repeatedly until you have passed a large enough buffer to hold the
result. Example:char* snapshot;
ULONG snapshotSize;
ULONG bytesNeeded;
NT_PROCESS_INFO* processInfo;
Example:while
(NtQuerySystemInformation(ProcessInformation,snapshot,snapshotSize,&bytesNeeded))
{
delete [] snapshot;
snapshotSize *= 2;
snapshot = new char[snapshotSize];
}// After the call has completed successfully, all one needs to do is walk the shapshot. processInfo = (NT_PROCESS_INFO*)snapshot;do
{
// do something with the process-information processInfo = pProcessInfo->OffsetToNextProcess ?(NT_PROCESS_INFO*)((char*)processInfo +
processInfo->OffsetToNextProcess) : NULL;
}
while (processInfo);
Merry Christmas! :-)
Mark
P.S. I have also included a few other goodies in this hearder. have
fun!
--- cut this code and place in a file called ntdll.h ---/*
-----------------------------------------------------------------------------
-- Unit Name : ntdll.h
-- Purpose : This unit defines an interface to NTDLL.DLL.
-- Software Engineer : Mark T. Van Ditta
-----------------------------------------------------------------------------
-- R e v i s i o n H i s t o r y
-----------------------------------------------------------------------------
*/#ifndef _NTDLL_H_
#define _NTDLL_H_#ifdef __cplusplus
extern "C" {
#endif#pragma option push
#pragma pack(1)// I named this structure because I have not found its documented name.
// It and the NtReadVirtualMemory prototype were created via an all-night
// session.
// Mark T. Van Dittatypedef struct _NT_MODULE_CONTROL_BLOCK
{
void* Unknown0;
void* Unknown1;
void* NextBlockAddressPlusEightBytes;
void* Unknown2;
void* Unknown3;
void* Unknown4;
void* ModuleHandle;
void* Unknown5;
void* Unknown6;
void* Unknown7;
void* Unknown8;
short NameLength;
short NameLengthIncludingZero;
WCHAR* Name;
void* Unknown10;
void* Unknown11;
void* Unknown12;
void* Unknown13;
void* Unknown14;
} NT_MODULE_CONTROL_BLOCK;#pragma option popULONG __stdcall NtReadVirtualMemory(HANDLE ProcessHandle, void*
FromAddress,
void* ToAddress, ULONG NumberOfBytes, ULONG* NumberOfBytesRead);typedef ULONG __stdcall (*PNtReadVirtualMemory)(HANDLE ProcessHandle,
void* FromAddress, void* ToAddress, ULONG NumberOfBytes,
ULONG* NumberOfBytesRead);typedef enum { ProcessInformation = 5 } NT_SYSTEM_INFO_CLASS;typedef struct
{
DWORD OffsetToNextProcess;
DWORD ThreadCount;
DWORD Unknown0;
DWORD Unknown1;
DWORD Unknown2;
DWORD Unknown3;
DWORD Unknown4;
DWORD Unknown5;
__int64 CreateTime;
__int64 UserTime;
__int64 KernelTime;
DWORD Unknown6;
WCHAR* ProcessName;
DWORD BasePriority;
DWORD ProcessID;
DWORD ParentProcessID;
DWORD HandleCount;
DWORD Unknown7;
DWORD Unknown8;
DWORD PeakVirtualMemorySize;
DWORD VirtualMemorySize;
DWORD PageFaultCount;
DWORD PeakWorkingSetSize;
DWORD WorkingSetSize;
DWORD QuotaPeakPagedPoolUsage;
DWORD QuotaPagedPoolUsage;
DWORD QuotaPeakNonPagedPoolUsage;
DWORD QuotaNonPagedPoolUsage;
DWORD PagefileUsage;
DWORD PeakPagefileUsage;
DWORD PrivateBytes;
} NT_PROCESS_INFO;
typedef NT_PROCESS_INFO *PNT_PROCESS_INFO;ULONG __stdcall NtQuerySystemInformation(NT_SYSTEM_INFO_CLASS
SystemInformationClass,
void* SystemInformation, ULONG SystemInformationLength, ULONG*
returnLength);typedef ULONG __stdcall
(*PNtQuerySystemInformation)(NT_SYSTEM_INFO_CLASS,
void*, ULONG, ULONG*);
typedef enum _NT_PROCESS_INFO_CLASS
{
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers, // Note: this is kernel mode only
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
MaxProcessInfoClass
} NT_PROCESS_INFO_CLASS;typedef enum _NT_THREAD_INFO_CLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
MaxThreadInfoClass
} NT_THREAD_INFO_CLASS;typedef struct _NT_PROCESS_WS_WATCH_INFORMATION
{
PVOID FaultingPc;
PVOID FaultingVa;
} NT_PROCESS_WS_WATCH_INFORMATION, *PNT_PROCESS_WS_WATCH_INFORMATION;typedef struct _NT_PROCESS_BASIC_INFORMATION
{
ULONG ExitStatus;
void* PebBaseAddress;
ULONG AffinityMask;
LONG BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} NT_PROCESS_BASIC_INFORMATION;typedef NT_PROCESS_BASIC_INFORMATION *PNT_PROCESS_BASIC_INFORMATION;
typedef struct _NT_QUOTA_LIMITS
{
ULONG PagedPoolLimit;
ULONG NonPagedPoolLimit;
ULONG MinimumWorkingSetSize;
ULONG MaximumWorkingSetSize;
ULONG PagefileLimit;
__int64 TimeLimit;
} NT_QUOTA_LIMITS;
typedef NT_QUOTA_LIMITS *PNT_QUOTA_LIMITS;typedef struct _NT_IO_COUNTERS
{
ULONG ReadOperationCount;
ULONG WriteOperationCount;
ULONG OtherOperationCount;
__int64 ReadTransferCount;
__int64 WriteTransferCount;
__int64 OtherTransferCount;
} NT_IO_COUNTERS;typedef NT_IO_COUNTERS *PNT_IO_COUNTERS;typedef struct _NT_VM_COUNTERS
{
ULONG PeakVirtualSize;
ULONG VirtualSize;
ULONG PageFaultCount;
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG QuotaPeakPagedPoolUsage;
ULONG QuotaPagedPoolUsage;
ULONG QuotaPeakNonPagedPoolUsage;
ULONG QuotaNonPagedPoolUsage;
ULONG PagefileUsage;
ULONG PeakPagefileUsage;
} NT_VM_COUNTERS;typedef NT_VM_COUNTERS *PNT_VM_COUNTERS;typedef struct _NT_POOLED_USAGE_AND_LIMITS
{
ULONG PeakPagedPoolUsage;
ULONG PagedPoolUsage;
ULONG PagedPoolLimit;
ULONG PeakNonPagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG NonPagedPoolLimit;
ULONG PeakPagefileUsage;
ULONG PagefileUsage;
ULONG PagefileLimit;
} NT_POOLED_USAGE_AND_LIMITS;typedef NT_POOLED_USAGE_AND_LIMITS *PNT_POOLED_USAGE_AND_LIMITS;typedef struct _NT_PROCESS_ACCESS_TOKEN
{
HANDLE Token;
HANDLE Thread;
} NT_PROCESS_ACCESS_TOKEN, *PNT_PROCESS_ACCESS_TOKEN;typedef struct _NT_KERNEL_USER_TIMES
{
__int64 CreateTime;
__int64 ExitTime;
__int64 KernelTime;
__int64 UserTime;
} NT_KERNEL_USER_TIMES;typedef NT_KERNEL_USER_TIMES *PNT_KERNEL_USER_TIMES;ULONG __stdcall NtQueryInformationProcess(HANDLE ProcessHandle,
NT_PROCESS_INFO_CLASS ProcessInformationClass, void*
ProcessInformation,
ULONG ProcessInformationLength, ULONG* ReturnLength);typedef ULONG __stdcall (*PNtQueryInformationProcess)(HANDLE,
NT_PROCESS_INFO_CLASS, void*,ULONG, ULONG*);
#ifdef __cplusplus
}
#endif
#endif // _NTDLL_H_
--- end of cut this code and place in a file called ntdll.h ---
As promised earlier, here is some code to read the process name out of
memory (it requires the header I posted a couple of days ago.) NT_PROCESS_BASIC_INFORMATION basicInfo;
NT_MODULE_CONTROL_BLOCK moduleControlBlock;
WCHAR fileName[256];
void* block1;
void* block2;
// this code assumes one already has a handle open the the process if (ERROR_SUCCESS == NtQueryInformationProcess(processHandle,
ProcessBasicInformation,(void*)&basicInfo,
sizeof(NT_PROCESS_BASIC_INFORMATION),NULL))
if (ERROR_SUCCESS == NtReadVirtualMemory(processHandle,
(char*)basicInfo.PebBaseAddress + 0x0000000c,
&block1,sizeof(void*),NULL))
if (ERROR_SUCCESS == NtReadVirtualMemory(processHandle,
(char*)block1 + 0x00000014,&block2, sizeof(void*),NULL))
if (block1 != block2)
if (ERROR_SUCCESS ==
NtReadVirtualMemory(processHandle,
(char*)block2 - 0x00000008,&moduleControlBlock,
sizeof(NT_MODULE_CONTROL_BLOCK),NULL))
NtReadVirtualMemory(processHandle,moduleControlBlock.Name,
fileName,moduleControlBlock.NameLengthIncludingZero,
NULL));
Mark
Microsoft's utilities; including the PSAPI DLL. I wanted to use it; so,
I figured out how it works. You are getting the benefit of my hard work.To use NtQuerySystemInformation, one either has to a) create an import
library from NTDLL.DLL, or b) use LoadLibrary + GetProcAddress.
NtQuerySystemInformation is like a lot of NT calls, you need to call it
repeatedly until you have passed a large enough buffer to hold the
result. Example:char* snapshot;
ULONG snapshotSize;
ULONG bytesNeeded;
NT_PROCESS_INFO* processInfo;
Example:while
(NtQuerySystemInformation(ProcessInformation,snapshot,snapshotSize,&bytesNeeded))
{
delete [] snapshot;
snapshotSize *= 2;
snapshot = new char[snapshotSize];
}// After the call has completed successfully, all one needs to do is walk the shapshot. processInfo = (NT_PROCESS_INFO*)snapshot;do
{
// do something with the process-information processInfo = pProcessInfo->OffsetToNextProcess ?(NT_PROCESS_INFO*)((char*)processInfo +
processInfo->OffsetToNextProcess) : NULL;
}
while (processInfo);
Merry Christmas! :-)
Mark
P.S. I have also included a few other goodies in this hearder. have
fun!
--- cut this code and place in a file called ntdll.h ---/*
-----------------------------------------------------------------------------
-- Unit Name : ntdll.h
-- Purpose : This unit defines an interface to NTDLL.DLL.
-- Software Engineer : Mark T. Van Ditta
-----------------------------------------------------------------------------
-- R e v i s i o n H i s t o r y
-----------------------------------------------------------------------------
*/#ifndef _NTDLL_H_
#define _NTDLL_H_#ifdef __cplusplus
extern "C" {
#endif#pragma option push
#pragma pack(1)// I named this structure because I have not found its documented name.
// It and the NtReadVirtualMemory prototype were created via an all-night
// session.
// Mark T. Van Dittatypedef struct _NT_MODULE_CONTROL_BLOCK
{
void* Unknown0;
void* Unknown1;
void* NextBlockAddressPlusEightBytes;
void* Unknown2;
void* Unknown3;
void* Unknown4;
void* ModuleHandle;
void* Unknown5;
void* Unknown6;
void* Unknown7;
void* Unknown8;
short NameLength;
short NameLengthIncludingZero;
WCHAR* Name;
void* Unknown10;
void* Unknown11;
void* Unknown12;
void* Unknown13;
void* Unknown14;
} NT_MODULE_CONTROL_BLOCK;#pragma option popULONG __stdcall NtReadVirtualMemory(HANDLE ProcessHandle, void*
FromAddress,
void* ToAddress, ULONG NumberOfBytes, ULONG* NumberOfBytesRead);typedef ULONG __stdcall (*PNtReadVirtualMemory)(HANDLE ProcessHandle,
void* FromAddress, void* ToAddress, ULONG NumberOfBytes,
ULONG* NumberOfBytesRead);typedef enum { ProcessInformation = 5 } NT_SYSTEM_INFO_CLASS;typedef struct
{
DWORD OffsetToNextProcess;
DWORD ThreadCount;
DWORD Unknown0;
DWORD Unknown1;
DWORD Unknown2;
DWORD Unknown3;
DWORD Unknown4;
DWORD Unknown5;
__int64 CreateTime;
__int64 UserTime;
__int64 KernelTime;
DWORD Unknown6;
WCHAR* ProcessName;
DWORD BasePriority;
DWORD ProcessID;
DWORD ParentProcessID;
DWORD HandleCount;
DWORD Unknown7;
DWORD Unknown8;
DWORD PeakVirtualMemorySize;
DWORD VirtualMemorySize;
DWORD PageFaultCount;
DWORD PeakWorkingSetSize;
DWORD WorkingSetSize;
DWORD QuotaPeakPagedPoolUsage;
DWORD QuotaPagedPoolUsage;
DWORD QuotaPeakNonPagedPoolUsage;
DWORD QuotaNonPagedPoolUsage;
DWORD PagefileUsage;
DWORD PeakPagefileUsage;
DWORD PrivateBytes;
} NT_PROCESS_INFO;
typedef NT_PROCESS_INFO *PNT_PROCESS_INFO;ULONG __stdcall NtQuerySystemInformation(NT_SYSTEM_INFO_CLASS
SystemInformationClass,
void* SystemInformation, ULONG SystemInformationLength, ULONG*
returnLength);typedef ULONG __stdcall
(*PNtQuerySystemInformation)(NT_SYSTEM_INFO_CLASS,
void*, ULONG, ULONG*);
typedef enum _NT_PROCESS_INFO_CLASS
{
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers, // Note: this is kernel mode only
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
MaxProcessInfoClass
} NT_PROCESS_INFO_CLASS;typedef enum _NT_THREAD_INFO_CLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
MaxThreadInfoClass
} NT_THREAD_INFO_CLASS;typedef struct _NT_PROCESS_WS_WATCH_INFORMATION
{
PVOID FaultingPc;
PVOID FaultingVa;
} NT_PROCESS_WS_WATCH_INFORMATION, *PNT_PROCESS_WS_WATCH_INFORMATION;typedef struct _NT_PROCESS_BASIC_INFORMATION
{
ULONG ExitStatus;
void* PebBaseAddress;
ULONG AffinityMask;
LONG BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} NT_PROCESS_BASIC_INFORMATION;typedef NT_PROCESS_BASIC_INFORMATION *PNT_PROCESS_BASIC_INFORMATION;
typedef struct _NT_QUOTA_LIMITS
{
ULONG PagedPoolLimit;
ULONG NonPagedPoolLimit;
ULONG MinimumWorkingSetSize;
ULONG MaximumWorkingSetSize;
ULONG PagefileLimit;
__int64 TimeLimit;
} NT_QUOTA_LIMITS;
typedef NT_QUOTA_LIMITS *PNT_QUOTA_LIMITS;typedef struct _NT_IO_COUNTERS
{
ULONG ReadOperationCount;
ULONG WriteOperationCount;
ULONG OtherOperationCount;
__int64 ReadTransferCount;
__int64 WriteTransferCount;
__int64 OtherTransferCount;
} NT_IO_COUNTERS;typedef NT_IO_COUNTERS *PNT_IO_COUNTERS;typedef struct _NT_VM_COUNTERS
{
ULONG PeakVirtualSize;
ULONG VirtualSize;
ULONG PageFaultCount;
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG QuotaPeakPagedPoolUsage;
ULONG QuotaPagedPoolUsage;
ULONG QuotaPeakNonPagedPoolUsage;
ULONG QuotaNonPagedPoolUsage;
ULONG PagefileUsage;
ULONG PeakPagefileUsage;
} NT_VM_COUNTERS;typedef NT_VM_COUNTERS *PNT_VM_COUNTERS;typedef struct _NT_POOLED_USAGE_AND_LIMITS
{
ULONG PeakPagedPoolUsage;
ULONG PagedPoolUsage;
ULONG PagedPoolLimit;
ULONG PeakNonPagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG NonPagedPoolLimit;
ULONG PeakPagefileUsage;
ULONG PagefileUsage;
ULONG PagefileLimit;
} NT_POOLED_USAGE_AND_LIMITS;typedef NT_POOLED_USAGE_AND_LIMITS *PNT_POOLED_USAGE_AND_LIMITS;typedef struct _NT_PROCESS_ACCESS_TOKEN
{
HANDLE Token;
HANDLE Thread;
} NT_PROCESS_ACCESS_TOKEN, *PNT_PROCESS_ACCESS_TOKEN;typedef struct _NT_KERNEL_USER_TIMES
{
__int64 CreateTime;
__int64 ExitTime;
__int64 KernelTime;
__int64 UserTime;
} NT_KERNEL_USER_TIMES;typedef NT_KERNEL_USER_TIMES *PNT_KERNEL_USER_TIMES;ULONG __stdcall NtQueryInformationProcess(HANDLE ProcessHandle,
NT_PROCESS_INFO_CLASS ProcessInformationClass, void*
ProcessInformation,
ULONG ProcessInformationLength, ULONG* ReturnLength);typedef ULONG __stdcall (*PNtQueryInformationProcess)(HANDLE,
NT_PROCESS_INFO_CLASS, void*,ULONG, ULONG*);
#ifdef __cplusplus
}
#endif
#endif // _NTDLL_H_
--- end of cut this code and place in a file called ntdll.h ---
As promised earlier, here is some code to read the process name out of
memory (it requires the header I posted a couple of days ago.) NT_PROCESS_BASIC_INFORMATION basicInfo;
NT_MODULE_CONTROL_BLOCK moduleControlBlock;
WCHAR fileName[256];
void* block1;
void* block2;
// this code assumes one already has a handle open the the process if (ERROR_SUCCESS == NtQueryInformationProcess(processHandle,
ProcessBasicInformation,(void*)&basicInfo,
sizeof(NT_PROCESS_BASIC_INFORMATION),NULL))
if (ERROR_SUCCESS == NtReadVirtualMemory(processHandle,
(char*)basicInfo.PebBaseAddress + 0x0000000c,
&block1,sizeof(void*),NULL))
if (ERROR_SUCCESS == NtReadVirtualMemory(processHandle,
(char*)block1 + 0x00000014,&block2, sizeof(void*),NULL))
if (block1 != block2)
if (ERROR_SUCCESS ==
NtReadVirtualMemory(processHandle,
(char*)block2 - 0x00000008,&moduleControlBlock,
sizeof(NT_MODULE_CONTROL_BLOCK),NULL))
NtReadVirtualMemory(processHandle,moduleControlBlock.Name,
fileName,moduleControlBlock.NameLengthIncludingZero,
NULL));
Mark
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货