使用未导出函数ZwQuerySystemInformation获
#include
#include
#include
/* Local mirror of the native UNICODE_STRING layout. Nothing in main() below
 * references it.
 * NOTE(review): <winternl.h> also defines UNICODE_STRING; the #include lines on
 * this page are truncated, so confirm this does not collide with a system
 * header on the real build. */
typedef struct _UNICODE_STRING {
USHORT Length;// size of Buffer in bytes, i.e. character count * 2
USHORT MaximumLength;// capacity of Buffer in bytes
PWSTR Buffer;// not NUL-terminated by contract; Length bounds it
} UNICODE_STRING, *PUNICODE_STRING;
/* Output buffer layout for the SystemBasicInformation query class (value 0 in
 * the enum below). sizeof(SYSTEM_BASIC_INFORMATION) is what main() allocates
 * and passes as SystemInformationLength.
 * NOTE(review): this structure is not documented by the SDK; the field order
 * here is taken from this listing — confirm it against the target OS build
 * before relying on any field other than NumberOfProcessors. */
typedef struct _SYSTEM_BASIC_INFORMATION{
ULONG Reserved;
ULONG TimerResolution;
ULONG PageSize;
ULONG NumberOfPhysicalPages;
ULONG LowestPhysicalPageNumber;
ULONG HighestPhysicalPageNumber;
ULONG AllocationGranularity;
ULONG_PTR MinimumUserModeAddress;// pointer-sized: the struct size differs between x86 and x64
ULONG_PTR MaximumUserModeAddress;
ULONG_PTR ActiveProcessorsAffinityMask;
CCHAR NumberOfProcessors;// the only field main() reads
}SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
/* Information classes accepted by ZwQuerySystemInformation. The number in each
 * entry's comment is the enumerator's value. The trailing Y/N letters are
 * carried over from the original listing (NOTE(review): presumably
 * query/set-support flags — confirm against the reference they were copied
 * from). Only SystemBasicInformation (0) is used by main(); note that
 * SystemProcessorInformation (1) returns a different, smaller structure, so the
 * class must match the buffer type passed in.
 * NOTE(review): <winternl.h> also defines SYSTEM_INFORMATION_CLASS with
 * different enumerator names; check for a redefinition once the truncated
 * #include lines are restored. */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,// 0 Y N  -> SYSTEM_BASIC_INFORMATION
SystemProcessorInformation,// 1 Y N
SystemPerformanceInformation,// 2 Y N
SystemTimeOfDayInformation,// 3 Y N
SystemNotImplemented1,// 4 Y N // SystemPathInformation
SystemProcessesAndThreadsInformation,// 5 Y N
SystemCallCounts,// 6 Y N
SystemConfigurationInformation,// 7 Y N
SystemProcessorTimes,// 8 Y N
SystemGlobalFlag,// 9 Y Y
SystemNotImplemented2,// 10 YN // SystemCallTimeInformation
SystemModuleInformation,// 11 YN
SystemLockInformation,// 12 YN
SystemNotImplemented3,// 13 YN // SystemStackTraceInformation
SystemNotImplemented4,// 14 YN // SystemPagedPoolInformation
SystemNotImplemented5,// 15 YN // SystemNonPagedPoolInformation
SystemHandleInformation,// 16 YN
SystemObjectInformation,// 17 YN
SystemPagefileInformation,// 18 YN
SystemInstructionEmulationCounts,// 19 YN
SystemInvalidInfoClass1,// 20
SystemCacheInformation,// 21 YY
SystemPoolTagInformation,// 22 YN
SystemProcessorStatistics,// 23 YN
SystemDpcInformation,// 24 YY
SystemNotImplemented6,// 25 YN // SystemFullMemoryInformation
SystemLoadImage,// 26 NY // SystemLoadGdiDriverInformation
SystemUnloadImage,// 27 NY
SystemTimeAdjustment,// 28 YY
SystemNotImplemented7,// 29 YN // SystemSummaryMemoryInformation
SystemNotImplemented8,// 30 YN // SystemNextEventIdInformation
SystemNotImplemented9,// 31 YN // SystemEventIdsInformation
SystemCrashDumpInformation,// 32 YN
SystemExceptionInformation,// 33 YN
SystemCrashDumpStateInformation,// 34 YY/N
SystemKernelDebuggerInformation,// 35 YN
SystemContextSwitchInformation,// 36 YN
SystemRegistryQuotaInformation,// 37 YY
SystemLoadAndCallImage,// 38 NY // SystemExtendServiceTableInformation
SystemPrioritySeparation,// 39 NY
SystemNotImplemented10,// 40 YN // SystemPlugPlayBusInformation
SystemNotImplemented11,// 41 YN // SystemDockInformation
SystemInvalidInfoClass2,// 42 // SystemPowerInformation
SystemInvalidInfoClass3,// 43 // SystemProcessorSpeedInformation
SystemTimeZoneInformation,// 44 YN
SystemLookasideInformation,// 45 YN
SystemSetTimeSlipEvent,// 46 NY
SystemCreateSession,// 47 NY
SystemDeleteSession,// 48 NY
SystemInvalidInfoClass4,// 49
SystemRangeStartInformation,// 50 YN
SystemVerifierInformation,// 51 YY
SystemAddVerifier,// 52 NY
SystemSessionProcessesInformation// 53 YN
} SYSTEM_INFORMATION_CLASS;
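int main(int argc, PCHAR argv[]){
    /*
     * Demo: resolve the undocumented export ZwQuerySystemInformation from
     * ntdll.dll at run time, query SystemBasicInformation into a
     * SYSTEM_BASIC_INFORMATION buffer and print the processor count.
     *
     * Returns 0 on success, 1 if the library load, export lookup, allocation
     * or the query itself fails. argc/argv are unused.
     *
     * Fixes relative to the original listing:
     *  - hModule is an HMODULE, not an NTSTATUS, and is checked for NULL;
     *  - the KiFastSystemCall address is kept as a pointer (storing it in a
     *    DWORD truncates it on 64-bit) and printed with %p;
     *  - the query class is SystemBasicInformation (0); class 1
     *    (SystemProcessorInformation) fills a different structure, so
     *    NumberOfProcessors read from it was garbage;
     *  - the buffer itself is passed, not &processinfo — the original handed
     *    the kernel the address of the pointer variable, so up to
     *    SystemInformationLength bytes were written over the stack around it;
     *  - the NTSTATUS return is checked before the buffer is read;
     *  - the region is released with MEM_RELEASE instead of only decommitted.
     */
    (void)argc;
    (void)argv;

    int rc = 1;

    HMODULE hModule = LoadLibrary("ntdll.dll");
    if (hModule == NULL) {
        printf("加载 ntdll.dll 失败: %lu\n", GetLastError());
        return rc;
    }

    /* Informational only. GetProcAddress returns NULL when the export is
     * absent (it may not exist on every ntdll build), and NULL is fine to print. */
    FARPROC dizhi = GetProcAddress(hModule, "KiFastSystemCall");
    printf("地址是: %p KiFastSystemCall地址是: %p\n", (void *)hModule, (void *)dizhi);

    /* Function-pointer type matching the undocumented prototype:
     * NTSTATUS WINAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG) */
    typedef NTSTATUS (WINAPI *SIFC)(IN SYSTEM_INFORMATION_CLASS, IN PVOID, IN ULONG, OUT PULONG);
    SIFC ZwQuerySystemInformation = (SIFC)GetProcAddress(hModule, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf("找不到 ZwQuerySystemInformation: %lu\n", GetLastError());
        goto out_lib;
    }

    /* The class must match the buffer type: SystemBasicInformation is the one
     * whose output is SYSTEM_BASIC_INFORMATION. */
    SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemBasicInformation;
    ULONG SystemInformationLength = sizeof(SYSTEM_BASIC_INFORMATION);
    ULONG ReturnLength = 0;  /* bytes the call needed/wrote; reported on failure */

    LPVOID processinfo = VirtualAlloc(NULL, SystemInformationLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (processinfo == NULL){
        printf("分配虚拟内存失败: %lu\n", GetLastError());
        goto out_lib;
    }
    printf("分配虚拟内存成功\n");

    /* Pass the buffer, not its address. */
    NTSTATUS status = ZwQuerySystemInformation(SystemInformationClass, processinfo, SystemInformationLength, &ReturnLength);
    if (status < 0) {
        /* NTSTATUS: negative values are errors (NT_SUCCESS is status >= 0). */
        printf("ZwQuerySystemInformation 失败: 0x%08lX (ReturnLength = %lu)\n",
               (unsigned long)status, (unsigned long)ReturnLength);
    } else {
        PSYSTEM_BASIC_INFORMATION proinfo = (PSYSTEM_BASIC_INFORMATION)processinfo;
        printf("处理器个数 = %d\n", proinfo->NumberOfProcessors);
        rc = 0;
    }

    /* MEM_RELEASE with size 0 returns the whole reservation; MEM_DECOMMIT with
     * a size would leave the address range reserved. */
    VirtualFree(processinfo, 0, MEM_RELEASE);

out_lib:
    FreeLibrary(hModule);
    getchar();
    return rc;
}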