The function lives in the dynamic link library ntdll.dll. ntdll.dll is the bridge between ring 3 and ring 0: when a subsystem issues a system call, ntdll.dll works together with the SSDT (System Service Descriptor Table) to reach the kernel.
ZwQuerySystemInformation can query 54 classes of system information, including process information, kernel information, hardware information (such as the number of CPUs), handle information and time information.
The prototype of this function is:

```c
NTSTATUS WINAPI ZwQuerySystemInformation(
    __in      SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout   PVOID                    SystemInformation,
    __in      ULONG                    SystemInformationLength,
    __out_opt PULONG                   ReturnLength);
```
The first parameter, SystemInformationClass, is an enumeration in which all 54 system information classes are listed. The enumeration is given at the end.
I. ZwQuerySystemInformation in user mode
In user mode, the function is not declared in the public headers, so you must use LoadLibrary and GetProcAddress to obtain its address.
The code is as follows:

```c
// Declare the function pointer type first.
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG);

// Load ntdll.dll and obtain the function address. The export name must be spelled
// exactly ("ZwQuerySystemInformation"); a misspelling makes GetProcAddress return NULL.
NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
HMODULE hNtdll = LoadLibrary(TEXT("ntdll.dll"));
if (hNtdll != NULL)
    ZwQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
```
Example: enumerate process information
Process information is returned through the second parameter, which points to a block of memory. That memory must be cast to the structure that corresponds to the information class passed in parameter 1.
Suppose we want to enumerate process information. We must use the following structure, which describes the process name, the number of threads, the offset to the next entry, the creation time and so on:

```c
typedef struct _SYSTEM_PROCESSES {
    ULONG          NextEntryDelta;          // byte offset to the next entry in the chain (0 on the last entry)
    ULONG          ThreadCount;             // number of threads
    ULONG          Reserved1[6];
    LARGE_INTEGER  CreateTime;              // creation time
    LARGE_INTEGER  UserTime;                // CPU time spent in ring 3
    LARGE_INTEGER  KernelTime;              // CPU time spent in kernel mode (ring 0)
    UNICODE_STRING ProcessName;             // process name
    KPRIORITY      BasePriority;            // process base priority
    HANDLE         ProcessId;               // process identifier
    HANDLE         InheritedFromProcessId;  // identifier of the parent process
    ULONG          HandleCount;             // number of handles
    ULONG          Reserved2[2];
    VM_COUNTERS    VmCounters;              // virtual memory counters
    IO_COUNTERS    IoCounters;              // I/O counters
    SYSTEM_THREADS Threads[1];              // array of the threads belonging to the process
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
```
The loop program is as follows:

```c
PSYSTEM_PROCESSES pSP = NULL;
PBYTE    pBuffer    = NULL;
ULONG    dwNeedSize = 0;
NTSTATUS status;

// Pass a NULL buffer first; dwNeedSize receives the size needed to hold all the structures.
status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);
// If the caller's buffer is too small, the call returns STATUS_INFO_LENGTH_MISMATCH
// and reports the actual buffer size required.
if (status == STATUS_INFO_LENGTH_MISMATCH) {
    pBuffer = new BYTE[dwNeedSize];
    status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, NULL);
    if (status == STATUS_SUCCESS) {
        pSP = (PSYSTEM_PROCESSES)pBuffer;   // cast the raw buffer to the first entry
        printf("PID thread count working set size process name\n");
        for (;;) {
            printf("%-4d", (int)(ULONG_PTR)pSP->ProcessId);
            printf("%3d", (int)pSP->ThreadCount);
            printf("%8dKB ", (int)(pSP->VmCounters.WorkingSetSize / 1024));
            // The Idle process has no name buffer; guard the NULL before printing.
            wprintf(L"%s\n", pSP->ProcessName.Buffer ? pSP->ProcessName.Buffer : L"(Idle)");
            // Test the delta before advancing, so the last entry (delta 0) is also printed.
            if (pSP->NextEntryDelta == 0)
                break;
            pSP = (PSYSTEM_PROCESSES)((PBYTE)pSP + pSP->NextEntryDelta);   // walk the chain
        }
    }
    delete[] pBuffer;
    pBuffer = NULL;
}
```
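As an added example (not code from the article), here is the probe-and-walk logic the listing above relies on, written so that it also builds with a non-Windows compiler. ZwQuerySystemInformation is replaced by a mock that follows the documented STATUS_INFO_LENGTH_MISMATCH contract over a constructed three-process buffer, and the structure is a reduced, hypothetical PROC_ENTRY that keeps only NextEntryDelta, ThreadCount, ProcessId and a name. It goes beyond the article's loop in two ways: the size probe is retried with some slack, because processes can start between the two calls and the first size is then stale, and the walk tests NextEntryDelta before advancing (so the last entry is not skipped) and bounds-checks every offset against the buffer length, so a corrupt delta cannot read outside the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Status codes with the same values as the real NTSTATUS constants. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define NT_SUCCESS(s) ((s) >= 0)

/* Reduced, hypothetical entry layout: only the fields the walk needs.
 * The real SYSTEM_PROCESSES has more fields; the chaining rule is the same. */
typedef struct _PROC_ENTRY {
    uint32_t NextEntryDelta;   /* byte offset to the next entry, 0 on the last one */
    uint32_t ThreadCount;
    uint32_t ProcessId;
    char     ProcessName[16];
} PROC_ENTRY;

/* Constructed sample "kernel" data: three processes, the last with NextEntryDelta == 0. */
static const PROC_ENTRY g_sample[3] = {
    { sizeof(PROC_ENTRY), 1,  0,    "Idle" },
    { sizeof(PROC_ENTRY), 87, 4,    "System" },
    { 0,                  12, 1234, "notepad.exe" },
};

/* Mock of ZwQuerySystemInformation with the documented contract: when the caller's
 * buffer is too small, return STATUS_INFO_LENGTH_MISMATCH and report the required size. */
static NTSTATUS MockQuerySystemInformation(void *buf, uint32_t len, uint32_t *retlen)
{
    uint32_t need = (uint32_t)sizeof(g_sample);
    if (retlen) *retlen = need;
    if (buf == NULL || len < need) return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(buf, g_sample, need);
    return STATUS_SUCCESS;
}

/* Probe-and-retry: processes may appear between the size query and the data query,
 * so keep growing the buffer until the call succeeds instead of trusting one probe.
 * On success *out_len is the number of bytes actually written. */
void *QueryWithRetry(uint32_t *out_len)
{
    uint32_t len = 0, need = 0;
    void *buf = NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        NTSTATUS st = MockQuerySystemInformation(buf, len, &need);
        if (NT_SUCCESS(st)) { *out_len = need; return buf; }
        if (st != STATUS_INFO_LENGTH_MISMATCH) break;
        free(buf);
        len = need + need / 2;          /* slack for processes created meanwhile */
        buf = malloc(len);
        if (!buf) return NULL;
    }
    free(buf);
    return NULL;
}

/* Walk the NextEntryDelta chain. Returns the number of entries visited, or -1 if the
 * buffer is truncated or a delta points outside it. */
int WalkProcesses(const void *buf, uint32_t len,
                  void (*visit)(const PROC_ENTRY *, void *), void *ctx)
{
    uint32_t off = 0;
    int count = 0;
    for (;;) {
        if (off > len || len - off < sizeof(PROC_ENTRY)) return -1;   /* truncated entry */
        const PROC_ENTRY *e = (const PROC_ENTRY *)((const uint8_t *)buf + off);
        visit(e, ctx);
        count++;
        if (e->NextEntryDelta == 0) return count;                    /* last entry */
        if (e->NextEntryDelta > len - off) return -1;                /* bogus delta */
        off += e->NextEntryDelta;
    }
}

void PrintEntry(const PROC_ENTRY *e, void *ctx)
{
    (void)ctx;
    printf("%-6u %3u %s\n", e->ProcessId, e->ThreadCount, e->ProcessName);
}

/* Query, walk and print; returns the process count or -1 on error. */
int CountProcesses(void)
{
    uint32_t len = 0;
    void *buf = QueryWithRetry(&len);
    if (!buf) return -1;
    int n = WalkProcesses(buf, len, PrintEntry, NULL);
    free(buf);
    return n;
}

int main(void)
{
    printf("PID    Thr Name\n");
    int n = CountProcesses();
    printf("%d processes\n", n);
    return n < 0;
}
```

On Windows, replace MockQuerySystemInformation with the real call obtained through GetProcAddress, PROC_ENTRY with SYSTEM_PROCESSES, and keep the retry loop and the bounds-checked walk unchanged.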
II. ZwQuerySystemInformation in kernel mode
In kernel mode, obtaining the address of ZwQuerySystemInformation is not as troublesome as at the application layer: declare the function directly. See http://www.2cto.com/kf/200901/31447.html

```c
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN     ULONG  SystemInformationClass,
    IN OUT PVOID  SystemInformation,
    IN     ULONG  SystemInformationLength,
    OUT    PULONG ReturnLength);
```

Then call it directly:

```c
ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);
```
This is a C program written at the ring 3 layer. Its main content is obtaining the number of CPUs, enumerating processes, and enumerating kernel modules. I downloaded this code from the Internet; because it uses this function, I did a little research on it.