
ZwQuerySystemInformation 查看系统进程信息

#include <ntddk.h>

/*
 * Local redeclaration of the NT SYSTEM_INFORMATION_CLASS enumeration, which
 * this listing does not obtain from ntddk.h.  Each enumerator's value is its
 * ordinal position, so the order below must not be changed.  The only class
 * this driver uses is SystemProcessInformation (value 5), which
 * Ring0EnumProcess passes to ZwQuerySystemInformation.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation, // 5 - returns a chain of SYSTEM_PROCESS_INFORMATION records
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation2,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/*
 * Per-thread record.  SYSTEM_PROCESS_INFORMATION ends with a trailing array of
 * these (see its Threads member); this listing declares the type but never
 * reads the thread entries.
 * NOTE(review): the field layout must match the kernel version the driver
 * runs on - confirm against the target OS before relying on any member.
 */
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER           KernelTime;
LARGE_INTEGER           UserTime;
LARGE_INTEGER           CreateTime;
ULONG                   WaitTime;
PVOID                   StartAddress;
CLIENT_ID               ClientId;
KPRIORITY               Priority;
LONG                    BasePriority;
ULONG                   ContextSwitchCount;
ULONG                   State;
KWAIT_REASON            WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

/*
 * One entry of the process list returned for SystemProcessInformation.
 * Entries are chained by NextEntryOffset (a byte offset from the start of
 * this entry; 0 marks the last one), which is how Ring0EnumProcess walks the
 * buffer.  Only NextEntryOffset, ImageName and ProcessId are read here.
 * NOTE(review): like the thread record, this layout is version-specific -
 * verify it against the target kernel.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG                   NextEntryOffset;   // 0 on the final entry
ULONG                   NumberOfThreads;   // count of trailing Threads[] records
LARGE_INTEGER           Reserved[3];
LARGE_INTEGER           CreateTime;
LARGE_INTEGER           UserTime;
LARGE_INTEGER           KernelTime;
UNICODE_STRING          ImageName;         // Buffer may be NULL (handled by the caller); length is in ImageName.Length, not a NUL terminator
KPRIORITY               BasePriority;
HANDLE                  ProcessId;         // pointer-sized, even though it holds a small integer PID
HANDLE                  InheritedFromProcessId;
ULONG                   HandleCount;
ULONG                   Reserved2[2];
ULONG                   PrivatePageCount;
VM_COUNTERS             VirtualMemoryCounters;
IO_COUNTERS             IoCounters;
SYSTEM_THREAD_INFORMATION           Threads[0];   // zero-length trailing array (compiler extension): NumberOfThreads records follow in the same buffer
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

// Prototype for the undocumented ZwQuerySystemInformation export.  The
// listing is built as C++ (the extern "C" linkage is what resolved the
// persistent link errors the author hit without it), so the declaration must
// use C linkage to match the kernel's export name.  SystemInformationClass is
// declared as ULONG; callers pass a SYSTEM_INFORMATION_CLASS enumerator.
// ReturnLength may be NULL, as Ring0EnumProcess passes it.
extern "C"  NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);

VOID Unload(
    __in  struct _DRIVER_OBJECT *DriverObject
)
{
    /* Driver unload callback.  Nothing was allocated at load time, so the
     * only work is a trace message for the debugger. */
    (void)DriverObject;
    KdPrint(("unload ....."));
}

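/*
 * Obtain the SystemProcessInformation snapshot in a non-paged buffer.
 *
 * Starts with a 32 KiB buffer and doubles it while the kernel reports
 * STATUS_INFO_LENGTH_MISMATCH.  On success *ppBuffer and *pcbBuffer describe
 * the filled buffer, which the caller must release with ExFreePool.  On any
 * failure nothing is left allocated and the failing NTSTATUS is returned
 * (STATUS_INSUFFICIENT_RESOURCES for allocation failure or runaway growth).
 */
static NTSTATUS QueryProcessSnapshot(PVOID *ppBuffer, PULONG pcbBuffer)
{
    ULONG    cbBuffer = 0x8000; /* 32 KiB first attempt */
    NTSTATUS status;

    for (;;)
    {
        /* NOTE(review): ExAllocatePool is the legacy, untagged allocator; the
         * tagged/NX-pool variants are preferred in current WDKs.  Kept so the
         * block uses only the APIs the original listing already calls. */
        PVOID pBuffer = ExAllocatePool(NonPagedPool, cbBuffer);
        if (pBuffer == NULL)
        {
            /* The original returned 1, which NT_SUCCESS() treats as success. */
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, cbBuffer, NULL);
        if (NT_SUCCESS(status))
        {
            *ppBuffer  = pBuffer;
            *pcbBuffer = cbBuffer;
            return STATUS_SUCCESS;
        }

        ExFreePool(pBuffer);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return status;
        }

        /* Doubling a ULONG past 2 GiB would wrap to a tiny size and loop forever. */
        if (cbBuffer >= 0x80000000UL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        cbBuffer *= 2;
    }
}

/*
 * Enumerate every process in the SystemProcessInformation snapshot and trace
 * "PID, image name" for each via KdPrint.
 *
 * Returns STATUS_SUCCESS after the whole chain has been walked, otherwise the
 * NTSTATUS from QueryProcessSnapshot.  The snapshot buffer is freed on every
 * path (the original leaked it after a successful walk).
 */
NTSTATUS Ring0EnumProcess(void)
{
    PVOID    pSystemInfo = NULL;
    ULONG    cbBuffer = 0;
    NTSTATUS status = QueryProcessSnapshot(&pSystemInfo, &cbBuffer);
    PSYSTEM_PROCESS_INFORMATION pInfo;

    if (!NT_SUCCESS(status))
    {
        return status;
    }

    pInfo = (PSYSTEM_PROCESS_INFORMATION)pSystemInfo;

    for (;;)
    {
        /* ProcessId is a HANDLE (pointer-sized); narrow it explicitly instead
         * of handing a pointer to %d, which is wrong on 64-bit builds. */
        ULONG pid = (ULONG)(ULONG_PTR)pInfo->ProcessId;

        if (pInfo->ImageName.Buffer == NULL)
        {
            KdPrint(("PID:%u, process name:NULL\n", pid));
        }
        else
        {
            /* %wZ prints a UNICODE_STRING by its Length.  ImageName.Buffer is
             * not guaranteed to be NUL-terminated, so %S could read past it. */
            KdPrint(("PID:%u, process name:%wZ\n", pid, &pInfo->ImageName));
        }

        if (pInfo->NextEntryOffset == 0) /* last entry of the chain */
        {
            break;
        }

        /* Defensive: never follow an offset that would leave the buffer or
         * land on a truncated entry, regardless of what the snapshot says. */
        {
            ULONG consumed = (ULONG)((PUCHAR)pInfo - (PUCHAR)pSystemInfo);
            ULONG remaining = cbBuffer - consumed;
            if (pInfo->NextEntryOffset > remaining ||
                remaining - pInfo->NextEntryOffset < sizeof(SYSTEM_PROCESS_INFORMATION))
            {
                break;
            }
        }

        pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryOffset);
    }

    ExFreePool(pSystemInfo);
    return STATUS_SUCCESS;
}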

NTSTATUS DriverEntry(
    __in  PDRIVER_OBJECT DriverObject,
    __in  PUNICODE_STRING RegistryPath
)
{
    /* Driver entry point: hook the unload routine, dump the process list once,
     * and report success to the loader whatever the enumeration returned. */
    (void)RegistryPath;
    DriverObject->DriverUnload = Unload;
    (void)Ring0EnumProcess();
    return STATUS_SUCCESS;
}