我正在制作一个本机 Windows 程序,这意味着它没有 Windows 程序所具有的所有膨胀,因为它只链接到 ntdll 并且没有子系统。
因此我无法使用像 CreateToolhelp32Snapshot() 这样的函数,因为它们是我无法使用的 win32 api 的一部分。
有人知道我该怎么做吗?
如果你喜欢 C，试试下面这个示例。注意它还不是真正的"原生"程序：它通过 GetModuleHandle/GetProcAddress（kernel32 导出）在运行时解析 ntdll 的 NtQuerySystemInformation，并使用 CRT 的 malloc/printf。若要做到只链接 ntdll、没有子系统，应直接链接 ntdll.lib 调用 NtQuerySystemInformation，并用 ntdll 自带的 Rtl* 例程（如 RtlAllocateHeap）替代 CRT。另外 SYSTEM_PROCESS_INFORMATION 的布局属于未公开接口，需按目标 Windows 版本核对：
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>
/*
 * Leading fields of one per-process record returned by
 * NtQuerySystemInformation(SystemProcessInformation).  Records are chained
 * through NextEntryOffset (relative to the start of the current record) and
 * the last record carries NextEntryOffset == 0.  Only the prefix this file
 * reads is declared here, so sizeof() of this struct must never be used to
 * allocate or copy a full record.
 *
 * NOTE(review): this layout is taken from the undocumented ntdll definition
 * and is not contractually stable — confirm against the target Windows
 * version.  winternl.h also declares a struct with this same tag; where that
 * declaration is visible this redefinition will not compile, so a private
 * tag name may be needed.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;            /* bytes from this record to the next; 0 = last */
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize;
ULONG HardFaultCount;
ULONG NumberOfThreadsHighWatermark;
ULONGLONG CycleTime;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;         /* Length is in bytes; Buffer may be NULL when Length is 0 */
ULONG BasePriority;
HANDLE ProcessId;                 /* integer PID stored in a HANDLE-sized field */
HANDLE InheritedFromProcessId;    /* parent PID, same representation */
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
/*
 * Signature of ntdll!NtQuerySystemInformation, resolved at run time with
 * GetProcAddress so that no ntdll import library is required.
 *
 * SystemInformationClass  selects the query (SystemProcessInformation here).
 * SystemInformation       caller-supplied output buffer (may be NULL when probing).
 * SystemInformationLength size of that buffer in bytes.
 * ReturnLength            optional; receives the size required/written.
 * Returns an NTSTATUS; check with NT_SUCCESS().  A too-small buffer yields
 * STATUS_INFO_LENGTH_MISMATCH with ReturnLength set to the needed size.
 */
typedef NTSTATUS(NTAPI* PNT_QUERY_SYSTEM_INFORMATION)(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Out_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
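/* STATUS_INFO_LENGTH_MISMATCH lives in ntstatus.h, which clashes with
 * Windows.h unless WIN32_NO_STATUS is defined, so define it locally. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/*
 * Enumerate all processes through NtQuerySystemInformation(SystemProcessInformation)
 * and print "Process ID: <pid>, Image Name: <name>" for every record,
 * including the last one.
 *
 * Returns 0 on success; 1 if the ntdll export cannot be resolved, memory
 * cannot be allocated, the query fails, or a record would fall outside the
 * returned buffer.
 *
 * Fixes relative to the original: the final record (NextEntryOffset == 0)
 * is no longer skipped; the buffer size is re-negotiated instead of trusting
 * a one-shot probe; malloc is checked; the original allocation (not the walk
 * cursor) is freed; and the PID is widened to match the format specifier.
 */
int main(void) {
    /* Resolve the export at run time; GetModuleHandleW is used explicitly so
     * the call does not depend on UNICODE being defined. */
    PNT_QUERY_SYSTEM_INFORMATION NtQuerySystemInformation =
        (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandleW(L"ntdll"), "NtQuerySystemInformation");
    if (NtQuerySystemInformation == NULL) {
        fprintf(stderr, "Error: Could not locate NtQuerySystemInformation\n");
        return 1;
    }

    /* The size reported by a probe call is only a snapshot: processes can be
     * created between the probe and the real call, so keep retrying with a
     * larger buffer while the kernel reports STATUS_INFO_LENGTH_MISMATCH. */
    unsigned char *buffer = NULL;
    ULONG capacity = 0;
    ULONG needed = 0;
    NTSTATUS status;
    for (;;) {
        status = NtQuerySystemInformation(SystemProcessInformation, buffer, capacity, &needed);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        free(buffer);
        capacity = needed + 0x10000; /* headroom for processes started meanwhile */
        buffer = malloc(capacity);
        if (buffer == NULL) {
            fprintf(stderr, "Error: Could not allocate %lu bytes\n", (unsigned long)capacity);
            return 1;
        }
    }
    if (!NT_SUCCESS(status)) {
        fprintf(stderr, "Error: NtQuerySystemInformation failed with status 0x%08X\n", (unsigned)status);
        free(buffer);
        return 1;
    }

    /* Walk the chained records.  NextEntryOffset is relative to the current
     * record and is 0 on the last one, which must still be printed.  Each
     * offset is checked against the buffer so a malformed or truncated record
     * cannot drive the walk out of bounds. */
    int rc = 0;
    size_t offset = 0;
    for (;;) {
        if (offset > capacity || capacity - offset < sizeof(SYSTEM_PROCESS_INFORMATION)) {
            fprintf(stderr, "Error: process record at offset %lu exceeds the buffer\n", (unsigned long)offset);
            rc = 1;
            break;
        }
        PSYSTEM_PROCESS_INFORMATION entry = (PSYSTEM_PROCESS_INFORMATION)(buffer + offset);

        /* ImageName.Buffer can be NULL with Length 0 (in practice the idle
         * process); never hand a NULL pointer to wprintf. */
        const WCHAR *name = entry->ImageName.Buffer != NULL ? entry->ImageName.Buffer : L"";
        int nameChars = entry->ImageName.Buffer != NULL ? (int)(entry->ImageName.Length / sizeof(WCHAR)) : 0;

        /* ProcessId is a HANDLE-typed integer; widen through ULONG_PTR so the
         * varargs width matches the format on both x86 and x64. */
        wprintf(L"Process ID: %llu, Image Name: %.*ls\n",
                (unsigned long long)(ULONG_PTR)entry->ProcessId, nameChars, name);

        if (entry->NextEntryOffset == 0) {
            break;
        }
        offset += entry->NextEntryOffset;
    }

    /* Free the original allocation, not the advanced walk cursor. */
    free(buffer);
    return rc;
}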