#include <stdio.h>
#include <windows.h>
typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
/*
 * Information classes passed as the first argument of ZwQuerySystemInformation.
 * Enumerators are numbered implicitly from 0, so their order must not change.
 * Each trailing comment gives the numeric value followed by two Y/N flags.
 * NOTE(review): the flags presumably mean "can be queried" / "can be set";
 * confirm against the reference this table was copied from.
 * This file only uses SystemBasicInformation (0),
 * SystemProcessesAndThreadsInformation (5) and SystemModuleInformation (11).
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
/*
 * Counted UTF-16 string used by the native API (here: the process image name).
 * Per the Windows documentation for UNICODE_STRING, Length and MaximumLength
 * are byte counts, and Buffer is not guaranteed to be NUL-terminated, so
 * consumers should bound reads by Length rather than rely on a terminator.
 */
typedef struct _LSA_UNICODE_STRING
{
USHORT Length; // bytes in use, not characters
USHORT MaximumLength; // bytes allocated for Buffer
PWSTR Buffer; // may be NULL; main() passes it to wprintf
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
/*
 * Process/thread identifier pair embedded in SYSTEM_THREADS.
 * NOTE(review): the members are typed HANDLE but presumably carry numeric IDs,
 * not handles that can be closed; confirm before using them with handle APIs.
 */
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID;
/*
 * Scheduler state reported in SYSTEM_THREADS.State.
 * Values are implicit (StateInitialized == 0 ... StateUnknown == 7), so the
 * enumerator order must not change.
 */
typedef enum _THREAD_STATE
{
StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
} THREAD_STATE;
/*
 * Wait reason reported in SYSTEM_THREADS.WaitReason.
 * Values are implicit (Executive == 0 ... WrKernel == 26); the order must not
 * change. Not read anywhere in this file.
 */
typedef enum _KWAIT_REASON
{
Executive,
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
Spare5,
Spare6,
WrKernel
} KWAIT_REASON;
/* typedef struct _IO_COUNTERS
{
LARGE_INTEGER ReadOperationCount; //I/O讀操作數目
LARGE_INTEGER WriteOperationCount; //I/O寫操作數目
LARGE_INTEGER OtherOperationCount; //I/O其他操作數目
LARGE_INTEGER ReadTransferCount; //I/O讀數據數目
LARGE_INTEGER WriteTransferCount; //I/O寫數據數目
LARGE_INTEGER OtherTransferCount; //I/O其他操作數據數目
} IO_COUNTERS, *PIO_COUNTERS;
*/
/*
 * Per-process memory counters embedded in SYSTEM_PROCESSES.
 * main() reads only WorkingSetSize and divides it by 1024 to print KB.
 * NOTE(review): every field is declared ULONG (32-bit). On 64-bit Windows the
 * size fields are pointer-sized, so this layout is presumably valid for
 * 32-bit builds only; confirm before compiling for x64.
 */
typedef struct _VM_COUNTERS
{
ULONG PeakVirtualSize; // peak virtual memory size
ULONG VirtualSize; // virtual memory size
ULONG PageFaultCount; // number of page faults
ULONG PeakWorkingSetSize; // peak working set size
ULONG WorkingSetSize; // working set size
ULONG QuotaPeakPagedPoolUsage; // peak paged-pool quota usage
ULONG QuotaPagedPoolUsage; // paged-pool quota usage
ULONG QuotaPeakNonPagedPoolUsage; // peak non-paged-pool quota usage
ULONG QuotaNonPagedPoolUsage; // non-paged-pool quota usage
ULONG PagefileUsage; // pagefile usage
ULONG PeakPagefileUsage; // peak pagefile usage
} VM_COUNTERS, *PVM_COUNTERS;
typedef LONG KPRIORITY;
/*
 * Per-thread record; SYSTEM_PROCESSES ends with an array of these.
 * No field of this structure is read by main() in this file.
 */
typedef struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
THREAD_STATE State;
KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;
/*
 * One record of the SystemProcessesAndThreadsInformation snapshot.
 * main() walks the records by adding NextEntryDelta (a byte offset) to the
 * current record's address, and prints ProcessId, ThreadCount,
 * VmCounters.WorkingSetSize and ProcessName from each one.
 * NOTE(review): the field widths are 32-bit (ULONG ProcessId, ULONG-based
 * VM_COUNTERS). The native layout on 64-bit Windows differs, in which case
 * ProcessName.Buffer would be read from the wrong offset; confirm before
 * building for x64.
 */
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta; // byte offset to the next record; main() treats 0 as "no next record"
ULONG ThreadCount;
ULONG Reserved1[ 6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName; // counted string; Buffer may be NULL
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[ 2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; // type comes from <windows.h>; the local copy above is commented out
SYSTEM_THREADS Threads[ 1]; // declared with one element; NOTE(review): presumably ThreadCount entries follow
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
/*
 * Output buffer for the SystemBasicInformation query.
 * main() zero-initialises it and reads only NumberOfProcessors; the reserved
 * members exist to keep that field at the offset the query writes to.
 */
typedef struct _SYSTEM_BASIC_INFORMATION
{
BYTE Reserved1[ 24];
PVOID Reserved2[ 4];
CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION;
/*
 * One entry of the SystemModuleInformation result. main() reads a UINT entry
 * count at the start of the buffer and then treats the bytes that follow as
 * an array of this structure.
 * Base is the load address of a kernel-mode image. Such addresses weaken
 * kernel ASLR when disclosed, so treat this program's output as sensitive.
 * NOTE(review): Reserved[] is declared as two ULONGs, which presumably matches
 * the 32-bit layout only; confirm before building for x64.
 */
typedef struct tagSYSTEM_MODULE_INFORMATION {
ULONG Reserved[ 2];
PVOID Base; // printed by main() as the module base address
ULONG Size; // printed by main() divided by 1024, as KB
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[ 256]; // printed by main() as the module path
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
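/*
 * Prints the processor count, the process list and the loaded kernel-module
 * list obtained through ntdll's ZwQuerySystemInformation.
 *
 * Returns -1 when ntdll.dll cannot be located and 0 otherwise; query failures
 * are only reported on stdout.
 *
 * NOTE(review): the structures declared in this file use 32-bit field widths
 * (ULONG sizes and process IDs), so the record parsing below is presumably
 * only meaningful in a 32-bit build; confirm before compiling for x64.
 */
int main(void)
{
    // The module name must be exact: a padded name makes the lookup fail.
    // GetModuleHandleA is used explicitly because the literal is a narrow string.
    HINSTANCE ntdll_dll = GetModuleHandleA("ntdll.dll");
    if (ntdll_dll == NULL) {
        printf(" load ntdll.dll failed.\n ");
        return -1;
    }

    NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
        (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf(" Get ZwQuerySystemInformation address error! ");
        return 0;
    }

    SYSTEM_BASIC_INFORMATION sbi = { 0 };
    NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, (PVOID)&sbi, sizeof(sbi), NULL);
    if (status == STATUS_SUCCESS) {
        printf(" 處理器個數:%d\r\n ", sbi.NumberOfProcessors);
    } else {
        printf(" \r\n SystemBasicInformation error ");
    }

    DWORD dwNeedSize = 0;
    BYTE *pBuffer = NULL;
    printf(" ---------------------所有進程信息----------------------------------------\n ");
    PSYSTEM_PROCESSES psp = NULL;
    status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        // Processes and threads can start between the size probe and the real
        // query, so the probed size may already be too small. Retry a bounded
        // number of times with headroom instead of giving up on the first miss.
        for (int attempt = 0; attempt < 4 && status == STATUS_INFO_LENGTH_MISMATCH; attempt++) {
            DWORD dwReported = 0;
            delete[] pBuffer;
            dwNeedSize += 0x4000;
            pBuffer = new BYTE[dwNeedSize];
            status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, &dwReported);
            if (status == STATUS_INFO_LENGTH_MISMATCH && dwReported > dwNeedSize) {
                dwNeedSize = dwReported;
            }
        }

        if (status == STATUS_SUCCESS) {
            printf(" PID 線程數 工作集大小 進程名\n ");
            DWORD offset = 0;
            // Stop as soon as a record header would no longer fit in the buffer.
            while (dwNeedSize - offset >= (DWORD)FIELD_OFFSET(SYSTEM_PROCESSES, Threads)) {
                // Byte-pointer arithmetic: casting the pointer to ULONG would
                // truncate it wherever pointers are wider than 32 bits.
                psp = (PSYSTEM_PROCESSES)(pBuffer + offset);
                printf(" %-4lu ", psp->ProcessId);
                printf(" %3lu ", psp->ThreadCount);
                printf(" %8luKB ", psp->VmCounters.WorkingSetSize / 1024);

                // UNICODE_STRING is counted, not necessarily NUL-terminated,
                // and Buffer can be NULL: bound the print by Length.
                const UNICODE_STRING *name = &psp->ProcessName;
                if (name->Buffer != NULL && name->Length >= sizeof(WCHAR)) {
                    wprintf(L" %.*s\n ", (int)(name->Length / sizeof(WCHAR)), name->Buffer);
                } else {
                    wprintf(L" %s\n ", L"(null)");
                }

                // Test the delta of the record just printed; testing it after
                // advancing would drop the final record from the listing.
                if (psp->NextEntryDelta == 0) {
                    break;
                }
                if (psp->NextEntryDelta > dwNeedSize - offset) {
                    break; // offset would leave the buffer
                }
                offset += psp->NextEntryDelta;
            }
        } else if (status == STATUS_UNSUCCESSFUL) {
            printf(" \n STATUS_UNSUCCESSFUL ");
        } else if (status == STATUS_NOT_IMPLEMENTED) {
            printf(" \n STATUS_NOT_IMPLEMENTED ");
        } else if (status == STATUS_INVALID_INFO_CLASS) {
            printf(" \n STATUS_INVALID_INFO_CLASS ");
        } else if (status == STATUS_INFO_LENGTH_MISMATCH) {
            printf(" \n STATUS_INFO_LENGTH_MISMATCH ");
        }
        // Release on every path, not only after a successful query.
        delete[] pBuffer;
        pBuffer = NULL;
    }

    printf(" ---------------------系統模塊信息----------------------------------------\n ");
    dwNeedSize = 0;
    status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &dwNeedSize);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        pBuffer = new BYTE[dwNeedSize];
        // The return length is not requested, so dwNeedSize stays the real
        // buffer size and can be used for the bounds checks below.
        status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, dwNeedSize, NULL);
        if (status == STATUS_SUCCESS && dwNeedSize >= sizeof(ULONG)) {
            UINT count = *((UINT *)pBuffer);
            printf(" 模塊數:%u\n ", count);
            printf(" 基地址 模塊大小 引用計數 模塊路徑\n ");

            // Never iterate past the allocation, whatever count claims.
            UINT capacity = (UINT)((dwNeedSize - sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION));
            if (count > capacity) {
                count = capacity;
            }

            // Kernel image base addresses weaken kernel ASLR when disclosed.
            // NOTE(review): newer Windows releases reportedly withhold them
            // from low-integrity or unprivileged callers, so zeroed addresses
            // or a failure status are expected there. Keep this output out of
            // shared logs.
            PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
            for (UINT i = 0; i < count; i++, pmi++) {
                printf(" 0x%p ", pmi->Base);
                printf(" %8luKB ", pmi->Size / 1024);
                printf(" %2d ", pmi->LoadCount);
                // Bounded print: do not assume the fixed array is terminated.
                printf(" %.*s\n ", (int)sizeof(pmi->ImageName), pmi->ImageName);
            }
        }
        delete[] pBuffer;
        pBuffer = NULL;
    }

    // No FreeLibrary: GetModuleHandle does not take a reference on the module,
    // so releasing one here would unbalance ntdll's reference count.
    return 0;
}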
#include <windows.h>
typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
/*
 * Information classes passed as the first argument of ZwQuerySystemInformation.
 * Enumerators are numbered implicitly from 0, so their order must not change.
 * Each trailing comment gives the numeric value followed by two Y/N flags.
 * NOTE(review): the flags presumably mean "can be queried" / "can be set";
 * confirm against the reference this table was copied from.
 * This file only uses SystemBasicInformation (0),
 * SystemProcessesAndThreadsInformation (5) and SystemModuleInformation (11).
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
/*
 * Counted UTF-16 string used by the native API (here: the process image name).
 * Per the Windows documentation for UNICODE_STRING, Length and MaximumLength
 * are byte counts, and Buffer is not guaranteed to be NUL-terminated, so
 * consumers should bound reads by Length rather than rely on a terminator.
 */
typedef struct _LSA_UNICODE_STRING
{
USHORT Length; // bytes in use, not characters
USHORT MaximumLength; // bytes allocated for Buffer
PWSTR Buffer; // may be NULL; main() passes it to wprintf
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
/*
 * Process/thread identifier pair embedded in SYSTEM_THREADS.
 * NOTE(review): the members are typed HANDLE but presumably carry numeric IDs,
 * not handles that can be closed; confirm before using them with handle APIs.
 */
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID;
/*
 * Scheduler state reported in SYSTEM_THREADS.State.
 * Values are implicit (StateInitialized == 0 ... StateUnknown == 7), so the
 * enumerator order must not change.
 */
typedef enum _THREAD_STATE
{
StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
} THREAD_STATE;
/*
 * Wait reason reported in SYSTEM_THREADS.WaitReason.
 * Values are implicit (Executive == 0 ... WrKernel == 26); the order must not
 * change. Not read anywhere in this file.
 */
typedef enum _KWAIT_REASON
{
Executive,
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
Spare5,
Spare6,
WrKernel
} KWAIT_REASON;
/* typedef struct _IO_COUNTERS
{
LARGE_INTEGER ReadOperationCount; //I/O讀操作數目
LARGE_INTEGER WriteOperationCount; //I/O寫操作數目
LARGE_INTEGER OtherOperationCount; //I/O其他操作數目
LARGE_INTEGER ReadTransferCount; //I/O讀數據數目
LARGE_INTEGER WriteTransferCount; //I/O寫數據數目
LARGE_INTEGER OtherTransferCount; //I/O其他操作數據數目
} IO_COUNTERS, *PIO_COUNTERS;
*/
/*
 * Per-process memory counters embedded in SYSTEM_PROCESSES.
 * main() reads only WorkingSetSize and divides it by 1024 to print KB.
 * NOTE(review): every field is declared ULONG (32-bit). On 64-bit Windows the
 * size fields are pointer-sized, so this layout is presumably valid for
 * 32-bit builds only; confirm before compiling for x64.
 */
typedef struct _VM_COUNTERS
{
ULONG PeakVirtualSize; // peak virtual memory size
ULONG VirtualSize; // virtual memory size
ULONG PageFaultCount; // number of page faults
ULONG PeakWorkingSetSize; // peak working set size
ULONG WorkingSetSize; // working set size
ULONG QuotaPeakPagedPoolUsage; // peak paged-pool quota usage
ULONG QuotaPagedPoolUsage; // paged-pool quota usage
ULONG QuotaPeakNonPagedPoolUsage; // peak non-paged-pool quota usage
ULONG QuotaNonPagedPoolUsage; // non-paged-pool quota usage
ULONG PagefileUsage; // pagefile usage
ULONG PeakPagefileUsage; // peak pagefile usage
} VM_COUNTERS, *PVM_COUNTERS;
typedef LONG KPRIORITY;
/*
 * Per-thread record; SYSTEM_PROCESSES ends with an array of these.
 * No field of this structure is read by main() in this file.
 */
typedef struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
THREAD_STATE State;
KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;
/*
 * One record of the SystemProcessesAndThreadsInformation snapshot.
 * main() walks the records by adding NextEntryDelta (a byte offset) to the
 * current record's address, and prints ProcessId, ThreadCount,
 * VmCounters.WorkingSetSize and ProcessName from each one.
 * NOTE(review): the field widths are 32-bit (ULONG ProcessId, ULONG-based
 * VM_COUNTERS). The native layout on 64-bit Windows differs, in which case
 * ProcessName.Buffer would be read from the wrong offset; confirm before
 * building for x64.
 */
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta; // byte offset to the next record; main() treats 0 as "no next record"
ULONG ThreadCount;
ULONG Reserved1[ 6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName; // counted string; Buffer may be NULL
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[ 2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; // type comes from <windows.h>; the local copy above is commented out
SYSTEM_THREADS Threads[ 1]; // declared with one element; NOTE(review): presumably ThreadCount entries follow
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
/*
 * Output buffer for the SystemBasicInformation query.
 * main() zero-initialises it and reads only NumberOfProcessors; the reserved
 * members exist to keep that field at the offset the query writes to.
 */
typedef struct _SYSTEM_BASIC_INFORMATION
{
BYTE Reserved1[ 24];
PVOID Reserved2[ 4];
CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION;
/*
 * One entry of the SystemModuleInformation result. main() reads a UINT entry
 * count at the start of the buffer and then treats the bytes that follow as
 * an array of this structure.
 * Base is the load address of a kernel-mode image. Such addresses weaken
 * kernel ASLR when disclosed, so treat this program's output as sensitive.
 * NOTE(review): Reserved[] is declared as two ULONGs, which presumably matches
 * the 32-bit layout only; confirm before building for x64.
 */
typedef struct tagSYSTEM_MODULE_INFORMATION {
ULONG Reserved[ 2];
PVOID Base; // printed by main() as the module base address
ULONG Size; // printed by main() divided by 1024, as KB
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[ 256]; // printed by main() as the module path
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
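/*
 * Prints the processor count, the process list and the loaded kernel-module
 * list obtained through ntdll's ZwQuerySystemInformation.
 *
 * Returns -1 when ntdll.dll cannot be located and 0 otherwise; query failures
 * are only reported on stdout.
 *
 * NOTE(review): the structures declared in this file use 32-bit field widths
 * (ULONG sizes and process IDs), so the record parsing below is presumably
 * only meaningful in a 32-bit build; confirm before compiling for x64.
 */
int main(void)
{
    // The module name must be exact: a padded name makes the lookup fail.
    // GetModuleHandleA is used explicitly because the literal is a narrow string.
    HINSTANCE ntdll_dll = GetModuleHandleA("ntdll.dll");
    if (ntdll_dll == NULL) {
        printf(" load ntdll.dll failed.\n ");
        return -1;
    }

    NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
        (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf(" Get ZwQuerySystemInformation address error! ");
        return 0;
    }

    SYSTEM_BASIC_INFORMATION sbi = { 0 };
    NTSTATUS status = ZwQuerySystemInformation(SystemBasicInformation, (PVOID)&sbi, sizeof(sbi), NULL);
    if (status == STATUS_SUCCESS) {
        printf(" 處理器個數:%d\r\n ", sbi.NumberOfProcessors);
    } else {
        printf(" \r\n SystemBasicInformation error ");
    }

    DWORD dwNeedSize = 0;
    BYTE *pBuffer = NULL;
    printf(" ---------------------所有進程信息----------------------------------------\n ");
    PSYSTEM_PROCESSES psp = NULL;
    status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        // Processes and threads can start between the size probe and the real
        // query, so the probed size may already be too small. Retry a bounded
        // number of times with headroom instead of giving up on the first miss.
        for (int attempt = 0; attempt < 4 && status == STATUS_INFO_LENGTH_MISMATCH; attempt++) {
            DWORD dwReported = 0;
            delete[] pBuffer;
            dwNeedSize += 0x4000;
            pBuffer = new BYTE[dwNeedSize];
            status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, &dwReported);
            if (status == STATUS_INFO_LENGTH_MISMATCH && dwReported > dwNeedSize) {
                dwNeedSize = dwReported;
            }
        }

        if (status == STATUS_SUCCESS) {
            printf(" PID 線程數 工作集大小 進程名\n ");
            DWORD offset = 0;
            // Stop as soon as a record header would no longer fit in the buffer.
            while (dwNeedSize - offset >= (DWORD)FIELD_OFFSET(SYSTEM_PROCESSES, Threads)) {
                // Byte-pointer arithmetic: casting the pointer to ULONG would
                // truncate it wherever pointers are wider than 32 bits.
                psp = (PSYSTEM_PROCESSES)(pBuffer + offset);
                printf(" %-4lu ", psp->ProcessId);
                printf(" %3lu ", psp->ThreadCount);
                printf(" %8luKB ", psp->VmCounters.WorkingSetSize / 1024);

                // UNICODE_STRING is counted, not necessarily NUL-terminated,
                // and Buffer can be NULL: bound the print by Length.
                const UNICODE_STRING *name = &psp->ProcessName;
                if (name->Buffer != NULL && name->Length >= sizeof(WCHAR)) {
                    wprintf(L" %.*s\n ", (int)(name->Length / sizeof(WCHAR)), name->Buffer);
                } else {
                    wprintf(L" %s\n ", L"(null)");
                }

                // Test the delta of the record just printed; testing it after
                // advancing would drop the final record from the listing.
                if (psp->NextEntryDelta == 0) {
                    break;
                }
                if (psp->NextEntryDelta > dwNeedSize - offset) {
                    break; // offset would leave the buffer
                }
                offset += psp->NextEntryDelta;
            }
        } else if (status == STATUS_UNSUCCESSFUL) {
            printf(" \n STATUS_UNSUCCESSFUL ");
        } else if (status == STATUS_NOT_IMPLEMENTED) {
            printf(" \n STATUS_NOT_IMPLEMENTED ");
        } else if (status == STATUS_INVALID_INFO_CLASS) {
            printf(" \n STATUS_INVALID_INFO_CLASS ");
        } else if (status == STATUS_INFO_LENGTH_MISMATCH) {
            printf(" \n STATUS_INFO_LENGTH_MISMATCH ");
        }
        // Release on every path, not only after a successful query.
        delete[] pBuffer;
        pBuffer = NULL;
    }

    printf(" ---------------------系統模塊信息----------------------------------------\n ");
    dwNeedSize = 0;
    status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &dwNeedSize);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        pBuffer = new BYTE[dwNeedSize];
        // The return length is not requested, so dwNeedSize stays the real
        // buffer size and can be used for the bounds checks below.
        status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, dwNeedSize, NULL);
        if (status == STATUS_SUCCESS && dwNeedSize >= sizeof(ULONG)) {
            UINT count = *((UINT *)pBuffer);
            printf(" 模塊數:%u\n ", count);
            printf(" 基地址 模塊大小 引用計數 模塊路徑\n ");

            // Never iterate past the allocation, whatever count claims.
            UINT capacity = (UINT)((dwNeedSize - sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION));
            if (count > capacity) {
                count = capacity;
            }

            // Kernel image base addresses weaken kernel ASLR when disclosed.
            // NOTE(review): newer Windows releases reportedly withhold them
            // from low-integrity or unprivileged callers, so zeroed addresses
            // or a failure status are expected there. Keep this output out of
            // shared logs.
            PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
            for (UINT i = 0; i < count; i++, pmi++) {
                printf(" 0x%p ", pmi->Base);
                printf(" %8luKB ", pmi->Size / 1024);
                printf(" %2d ", pmi->LoadCount);
                // Bounded print: do not assume the fixed array is terminated.
                printf(" %.*s\n ", (int)sizeof(pmi->ImageName), pmi->ImageName);
            }
        }
        delete[] pBuffer;
        pBuffer = NULL;
    }

    // No FreeLibrary: GetModuleHandle does not take a reference on the module,
    // so releasing one here would unbalance ntdll's reference count.
    return 0;
}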
