ZwQuerySystemInformation用法示例

ZwQuerySystemInformation是一个非常有用的函数，用法可以得到很多系统信息。任务管理器就是通过这个函数得到系统进程信息。

关于这个函数的使用下面给出一个例子。代码在VS2010驱动编译通过，用DriverMonitor加载。

/*
信息类型
*/
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,  //0
SystemProcessorInformation,  //1
SystemPerformanceInformation,  //2
SystemTimeOfDayInformation,  //3
SystemPathInformation,  //4
SystemProcessInformation, //5  进程信息
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,  //10
SystemModuleInformation,  //模块信息
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,  //20
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,  //30
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,  //40
SystemDockInformation,
SystemPowerInformation2,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

//我们在任务管理器中所见到的所有信息只使用了下面5个调用：
0    SystemBasicInformation
2    SystemPerformanceInformation
5    SystemProcessInformation
8    SystemProcessorPerformanceInformation
21   SystemFileCacheInformation

源码如下（VS2010驱动编译通过）：

/*示例：
得到进程的信息
*/
#include <ntddk.h>
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER           KernelTime;
LARGE_INTEGER           UserTime;
LARGE_INTEGER           CreateTime;
ULONG                   WaitTime;
PVOID                   StartAddress;
CLIENT_ID               ClientId;
KPRIORITY               Priority;
LONG                    BasePriority;
ULONG                   ContextSwitchCount;
ULONG                   State;
KWAIT_REASON            WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG                   NextEntryOffset;
ULONG                   NumberOfThreads;
LARGE_INTEGER           Reserved[3];
LARGE_INTEGER           CreateTime;
LARGE_INTEGER           UserTime;
LARGE_INTEGER           KernelTime;
UNICODE_STRING          ImageName;
KPRIORITY               BasePriority;
HANDLE                  ProcessId;
HANDLE                  InheritedFromProcessId;
ULONG                   HandleCount;
ULONG                   Reserved2[2];
ULONG                   PrivatePageCount;
VM_COUNTERS             VirtualMemoryCounters;
IO_COUNTERS             IoCounters;
SYSTEM_THREAD_INFORMATION           Threads[0];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

//实现
DRIVER_UNLOAD Unload;
NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
PSYSTEM_PROCESS_INFORMATION pSystemInfo;
ULONG BufferSize;
PVOID pBuffer=NULL;//缓冲区
int i=0;//计数用的
int NumOfProcess;//结构数
NTSTATUS status;

DriverObject->DriverUnload=Unload;
status=ZwQuerySystemInformation(0x05,NULL,0,&BufferSize);//0x05表示5号类型，这里得到进程信息数据需要的空间大小
if(!NT_SUCCESS(status) && status != STATUS_INFO_LENGTH_MISMATCH)
{
return status;
}
DbgPrint("BufferSize:%d\n",BufferSize);
pBuffer=ExAllocatePoolWithTag(NonPagedPool,BufferSize,'test');//申请内存
if(NULL==pBuffer)
{
return STATUS_UNSUCCESSFUL;
}
status=ZwQuerySystemInformation(0x05,pBuffer,BufferSize,NULL);//得到进程信息
if(!NT_SUCCESS(status) && status != STATUS_INFO_LENGTH_MISMATCH)
{
ExFreePool(pBuffer);
return status;
}
pSystemInfo=(PSYSTEM_PROCESS_INFORMATION)pBuffer;//转换为进程信息结构体指针
while (TRUE)                    //打印一些信息出来
{
DbgPrint("%d NextEntryOffset:%d  ProcessName:%S  ProcessId:%d  HandleCount:%d  ClientId:%d\n",
i++,                      //%S的"S"一定要大写,因为输出的字符为宽字节
pSystemInfo->NextEntryOffset,//下一个偏移字节
pSystemInfo->ImageName.Buffer,//进程名
pSystemInfo->ProcessId,//PID
pSystemInfo->HandleCount,
pSystemInfo->Threads[0].ClientId
);
if (0==pSystemInfo->NextEntryOffset)//==0，说明到达进程链的尾部了
{
break;
}
pSystemInfo=(PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pSystemInfo)+pSystemInfo->NextEntryOffset);//下一个
}
return STATUS_SUCCESS;
}
VOID Unload(IN PDRIVER_OBJECT DriverObject){
UNREFERENCED_PARAMETER( DriverObject );
DbgPrint("Unload!\n");
}

//其它的类型这样用