#include "stdafx.h"
#include <Windows.h>
#include <winternl.h>
using namespace std;
typedef NTSTATUS (WINAPI *PFUN_NtQuerySystemInformation)(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
int _tmain(int argc, _TCHAR* argv[])
{
PFUN_NtQuerySystemInformation pFun = NULL;
pFun = (PFUN_NtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
char szInfo[0x20000] = { 0 };
ULONG uReturnedLEngth = 0;
NTSTATUS status = pFun(SystemProcessInformation, szInfo, sizeof(szInfo), &uReturnedLEngth);
if (status != 0)
return 0;
PSYSTEM_PROCESS_INFORMATION pSystemInformation = (PSYSTEM_PROCESS_INFORMATION)szInfo;
DWORD dwID = (DWORD)pSystemInformation->UniqueProcessId;
HANDLE hHandle = NULL;
PWCHAR pImageName = (PWCHAR)*(DWORD*)((PCHAR)pSystemInformation + 0x3c);
printf("ProcessID: %d\tprocessName: %ws \n", dwID, pImageName);
while (true)
{
if (pSystemInformation->NextEntryOffset == 0)
break;
pSystemInformation = (PSYSTEM_PROCESS_INFORMATION)((PCHAR)pSystemInformation + pSystemInformation->NextEntryOffset);
dwID = (DWORD)pSystemInformation->UniqueProcessId;
hHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwID);
pImageName = (PWCHAR)*(DWORD*)((PCHAR)pSystemInformation + 0x3c);
printf("ProcessID: %d\tprocessName: %ws \n", dwID, pImageName);
}
getchar();
}
知识兔