NtQuerySystemInformation
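#include "stdafx.h"
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
#include <vector>

// NtQuerySystemInformation is exported by ntdll.dll but has no import-library
// declaration in the public SDK headers, so it is resolved at run time.
typedef NTSTATUS (WINAPI *PFUN_NtQuerySystemInformation)(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_ PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength);

// These live in ntstatus.h / ntdef.h, which Windows.h does not pull in.
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// Enumerates every process via SystemProcessInformation and prints
// "ProcessID: <pid>\tprocessName: <image name>" per entry, then waits for a
// keypress. Returns 0 on success, 1 if ntdll lookup or the query fails.
//
// Fixes relative to the original listing:
//  * GetProcAddress result was called without a NULL check.
//  * A fixed 128 KiB stack buffer was used; a large process list makes the
//    query fail with STATUS_INFO_LENGTH_MISMATCH, which was silently treated
//    as "done" (exit code 0). The buffer now grows to ReturnLength.
//  * The image name was read through a hard-coded offset (+0x3c) with a
//    4-byte load; that only matches ImageName.Buffer on x86 and truncates the
//    pointer on x64. It now uses the declared ImageName UNICODE_STRING and
//    prints Length-bounded, since UNICODE_STRINGs need not be NUL-terminated.
//  * NextEntryOffset is bounds-checked against the bytes actually returned.
//  * A PROCESS_QUERY_INFORMATION|PROCESS_VM_READ handle was opened for every
//    process and never used or closed (one leaked handle per process); the
//    call is dropped.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
    if (hNtdll == NULL) {
        return 1;
    }
    PFUN_NtQuerySystemInformation pFun =
        (PFUN_NtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    if (pFun == NULL) {
        return 1;
    }

    // The list is variable-size; on STATUS_INFO_LENGTH_MISMATCH the kernel
    // reports the needed size in ReturnLength. Retry with slack because
    // processes can be created between the two calls.
    std::vector<BYTE> buffer(0x20000);
    ULONG uReturnedLength = 0;
    NTSTATUS status = 0;
    for (;;) {
        status = pFun(SystemProcessInformation, buffer.data(),
                      (ULONG)buffer.size(), &uReturnedLength);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        buffer.resize((size_t)uReturnedLength + 0x10000);
    }
    if (!NT_SUCCESS(status)) {
        return 1;
    }

    // Walk only the bytes the kernel reports as written, never the whole
    // allocation, and validate every offset before dereferencing it.
    const BYTE* const bufBegin = buffer.data();
    const size_t validBytes = (uReturnedLength < buffer.size()) ? (size_t)uReturnedLength : buffer.size();
    const BYTE* const bufEnd = bufBegin + validBytes;

    const BYTE* cursor = bufBegin;
    for (;;) {
        if ((size_t)(bufEnd - cursor) < sizeof(SYSTEM_PROCESS_INFORMATION)) {
            break;  // truncated or malformed entry; stop rather than over-read
        }
        const SYSTEM_PROCESS_INFORMATION* entry =
            (const SYSTEM_PROCESS_INFORMATION*)cursor;

        // UniqueProcessId is HANDLE-typed; HandleToULong is the documented narrowing.
        DWORD dwID = HandleToULong(entry->UniqueProcessId);

        // ImageName.Length is in bytes; the kernel places the string inside the
        // returned buffer, so also require it to lie within what we received.
        const UNICODE_STRING& name = entry->ImageName;
        const BYTE* nameBytes = (const BYTE*)name.Buffer;
        bool nameOk = name.Buffer != NULL && name.Length > 0 &&
                      nameBytes >= bufBegin && (size_t)(bufEnd - nameBytes) >= name.Length;
        if (nameOk) {
            printf("ProcessID: %lu\tprocessName: %.*ws \n", dwID,
                   (int)(name.Length / sizeof(WCHAR)), name.Buffer);
        } else {
            // e.g. the System Idle Process, whose ImageName is empty.
            printf("ProcessID: %lu\tprocessName: %ws \n", dwID, L"");
        }

        if (entry->NextEntryOffset == 0) {
            break;
        }
        // Guard against an offset that would jump past the end of the data.
        if (entry->NextEntryOffset > (size_t)(bufEnd - cursor)) {
            break;
        }
        cursor += entry->NextEntryOffset;
    }

    getchar();
    return 0;
}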