📄 sysinfo.c
#define _X86_
#include <ntddk.h>
#include <stdio.h>
#include "undocnt.h"
/*
 * Enable or disable one privilege in the calling process's own token.
 *
 * PrivilegeId  Low 32 bits of the privilege LUID; widened with
 *              RtlConvertUlongToLuid().
 * bDisable     TRUE clears the privilege's attributes (disabled),
 *              FALSE sets SE_PRIVILEGE_ENABLED.
 *
 * Returns TRUE only when both native calls return exactly STATUS_SUCCESS.
 * The exact comparison matters for NtAdjustPrivilegesToken: it can report
 * STATUS_NOT_ALL_ASSIGNED, a success-severity status, when the token does
 * not hold the requested privilege, and that case comes back as FALSE here.
 *
 * An enabled privilege stays enabled for the whole process until it is
 * disabled again, so callers should pair each enable with a disable once
 * the privileged operation is finished.
 */
BOOLEAN EnableOrDisablePrivilege(ULONG PrivilegeId, BOOLEAN bDisable)
{
    HANDLE TokenHandle;
    TOKEN_PRIVILEGES NewState;
    NTSTATUS Status;

    Status = NtOpenProcessToken(NtCurrentProcess(),
                                TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                &TokenHandle);
    if (Status != STATUS_SUCCESS) {
        DbgPrint("NtOpenProcessToken failed, rc=%x\n", Status);
        return FALSE;
    }

    /* Build a one-entry privilege set describing the requested state. */
    memset(&NewState, 0, sizeof(NewState));
    NewState.PrivilegeCount = 1;
    NewState.Privileges[0].Luid = RtlConvertUlongToLuid(PrivilegeId);
    if (bDisable) {
        NewState.Privileges[0].Attributes = 0;
    } else {
        NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    }

    /* The previous state is not requested (zero length, NULL buffers). */
    Status = NtAdjustPrivilegesToken(TokenHandle,
                                     FALSE,
                                     &NewState,
                                     0,
                                     NULL,
                                     NULL);

    /* The token handle is closed on the success and the failure path. */
    NtClose(TokenHandle);

    if (Status == STATUS_SUCCESS) {
        return TRUE;
    }

    DbgPrint("NtAdjustPrivilegesToken failed, rc=%x\n", Status);
    return FALSE;
}
/*
 * Query the SystemBasicInfo class with NtQuerySystemInformation and print
 * every field of the returned BASICSYSTEMINFO structure, each one in
 * decimal and in hex.
 *
 * NOTE(review): BASICSYSTEMINFO is declared in undocnt.h, which is not
 * shown here; %d/%x assume 32-bit integer fields -- confirm for the
 * address-valued members.
 */
void InfoBasicSystemInfo()
{
    BASICSYSTEMINFO Info;
    NTSTATUS Status;

/* Prints "<field> = <decimal> <hex>" for one member of Info. */
#define DUMP_BASIC(field) \
    printf(#field " = %d %x\n", Info.field, Info.field)

    /* Zero first so a short write by the kernel cannot leave stale stack bytes. */
    memset(&Info, 0, sizeof(Info));

    Status = NtQuerySystemInformation(SystemBasicInfo,
                                      &Info,
                                      sizeof(Info),
                                      NULL);
    if (Status == STATUS_SUCCESS) {
        DUMP_BASIC(AlwaysZero);
        DUMP_BASIC(KeMaximumIncrement);
        DUMP_BASIC(MmPageSize);
        DUMP_BASIC(MmNumberOfPhysicalPages);
        DUMP_BASIC(MmLowestPhysicalPage);
        DUMP_BASIC(MmHighestPhysicalPage);
        DUMP_BASIC(MmLowestUserAddress);
        DUMP_BASIC(MmLowestUserAddress1);
        DUMP_BASIC(MmHighestUserAddress);
        DUMP_BASIC(KeActiveProcessors);
        DUMP_BASIC(KeNumberProcessors);
        printf("\n");
    } else {
        printf("NtQuerySystemInformation failed with Information class 'SystemBasicInfo', rc=%x\n", Status);
    }

#undef DUMP_BASIC
}
/*
 * Query the SystemProcessorInfo class with NtQuerySystemInformation and
 * print each field of the returned PROCESSORSYSTEMINFO structure in
 * decimal and in hex.
 *
 * NOTE(review): PROCESSORSYSTEMINFO comes from undocnt.h (not shown); the
 * %d/%x specifiers assume int-sized or narrower integer fields -- confirm.
 */
void InfoProcessorSystemInfo()
{
    PROCESSORSYSTEMINFO Info;
    NTSTATUS Status;

/* Prints "<field> = <decimal> <hex>" for one member of Info. */
#define DUMP_CPU(field) \
    printf(#field " = %d %x\n", Info.field, Info.field)

    memset(&Info, 0, sizeof(Info));

    Status = NtQuerySystemInformation(SystemProcessorInfo,
                                      &Info,
                                      sizeof(Info),
                                      NULL);
    if (Status == STATUS_SUCCESS) {
        DUMP_CPU(KeProcessorArchitecture);
        DUMP_CPU(KeProcessorLevel);
        DUMP_CPU(KeProcessorRevision);
        DUMP_CPU(AlwaysZero);
        DUMP_CPU(KeFeatureBits);
        printf("\n");
    } else {
        printf("NtQuerySystemInformation failed with Information class 'SystemProcessorInfo', rc=%x\n", Status);
    }

#undef DUMP_CPU
}
/*
 * Query the SystemPerformanceInfo class with NtQuerySystemInformation and
 * print every field of the returned PERFORMANCEINFO structure in hex, one
 * "PerformanceSystemInfo.<field>=<value>" line per field.
 *
 * The first four counters are printed with %I64x, the rest with %x.
 * NOTE(review): PERFORMANCEINFO is declared in undocnt.h (not shown); this
 * assumes the first four fields are 64-bit and the others 32-bit -- confirm.
 */
void InfoPerformanceSystemInfo()
{
    PERFORMANCEINFO Perf;
    NTSTATUS Status;

/* 64-bit field, printed with the MSVC-specific %I64x specifier. */
#define DUMP_PERF64(field) \
    printf("PerformanceSystemInfo." #field "=%I64x\n", Perf.field)
/* 32-bit field. */
#define DUMP_PERF(field) \
    printf("PerformanceSystemInfo." #field "=%x\n", Perf.field)

    memset(&Perf, 0, sizeof(Perf));

    Status = NtQuerySystemInformation(SystemPerformanceInfo,
                                      &Perf,
                                      sizeof(Perf),
                                      NULL);
    if (Status == STATUS_SUCCESS) {
        /* Processor time and I/O counters. */
        DUMP_PERF64(TotalProcessorTime);
        DUMP_PERF64(IoReadTransferCount);
        DUMP_PERF64(IoWriteTransferCount);
        DUMP_PERF64(IoOtherTransferCount);
        DUMP_PERF(IoReadOperationCount);
        DUMP_PERF(IoWriteOperationCount);
        DUMP_PERF(IoOtherOperationCount);

        /* Memory manager counters. */
        DUMP_PERF(MmAvailablePages);
        DUMP_PERF(MmTotalCommitedPages);
        DUMP_PERF(MmTotalCommitLimit);
        DUMP_PERF(MmPeakLimit);
        DUMP_PERF(PageFaults);
        DUMP_PERF(WriteCopies);
        DUMP_PERF(TransitionFaults);
        DUMP_PERF(Unknown1);
        DUMP_PERF(DemandZeroFaults);
        DUMP_PERF(PagesInput);
        DUMP_PERF(PagesRead);
        DUMP_PERF(Unknown2);
        DUMP_PERF(Unknown3);
        DUMP_PERF(PagesOutput);
        DUMP_PERF(PageWrites);
        DUMP_PERF(Unknown4);
        DUMP_PERF(Unknown5);
        DUMP_PERF(PoolPagedBytes);
        DUMP_PERF(PoolNonPagedBytes);
        DUMP_PERF(Unknown6);
        DUMP_PERF(Unknown7);
        DUMP_PERF(Unknown8);
        DUMP_PERF(Unknown9);
        DUMP_PERF(MmTotalSystemFreePtes);
        DUMP_PERF(MmSystemCodepage);
        DUMP_PERF(MmTotalSystemDriverPages);
        DUMP_PERF(MmTotalSystemCodePages);
        DUMP_PERF(Unknown10);
        DUMP_PERF(Unknown11);
        DUMP_PERF(Unknown12);
        DUMP_PERF(MmSystemCachePage);
        DUMP_PERF(MmPagedPoolPage);
        DUMP_PERF(MmSystemDriverPage);

        /* Cache manager counters. */
        DUMP_PERF(CcFastReadNoWait);
        DUMP_PERF(CcFastReadWait);
        DUMP_PERF(CcFastReadResourceMiss);
        DUMP_PERF(CcFastReadNotPossible);
        DUMP_PERF(CcFastMdlReadNoWait);
        DUMP_PERF(CcFastMdlReadWait);
        DUMP_PERF(CcFastMdlReadResourceMiss);
        DUMP_PERF(CcFastMdlReadNotPossible);
        DUMP_PERF(CcMapDataNoWait);
        DUMP_PERF(CcMapDataWait);
        DUMP_PERF(CcMapDataNoWaitMiss);
        DUMP_PERF(CcMapDataWaitMiss);
        DUMP_PERF(CcPinMappedDataCount);
        DUMP_PERF(CcPinReadNoWait);
        DUMP_PERF(CcPinReadWait);
        DUMP_PERF(CcPinReadNoWaitMiss);
        DUMP_PERF(CcPinReadWaitMiss);
        DUMP_PERF(CcCopyReadNoWait);
        DUMP_PERF(CcCopyReadWait);
        DUMP_PERF(CcCopyReadNoWaitMiss);
        DUMP_PERF(CcCopyReadWaitMiss);
        DUMP_PERF(CcMdlReadNoWait);
        DUMP_PERF(CcMdlReadWait);
        DUMP_PERF(CcMdlReadNoWaitMiss);
        DUMP_PERF(CcMdlReadWaitMiss);
        DUMP_PERF(CcReadaheadIos);
        DUMP_PERF(CcLazyWriteIos);
        DUMP_PERF(CcLazyWritePages);
        DUMP_PERF(CcDataFlushes);
        DUMP_PERF(CcDataPages);

        /* Scheduler and system-call counters. */
        DUMP_PERF(ContextSwitches);
        DUMP_PERF(Unknown13);
        DUMP_PERF(Unknown14);
        DUMP_PERF(SystemCalls);
    } else {
        printf("NtQuerySystemInformation failed with Information class 'SystemPerformanceInfo', rc=%x\n", Status);
    }

#undef DUMP_PERF
#undef DUMP_PERF64
}
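/*
 * Query the SystemTimeInfo class with NtQuerySystemInformation and print
 * the boot time and current system time (both converted to local time),
 * followed by the time-zone bias, time-zone id and the unused field.
 *
 * Dates are printed as day-month-year.
 */
void InfoTimeSystemInfo()
{
    TIMESYSTEMINFO TimeSystemInfo;
    NTSTATUS rc;
    LARGE_INTEGER LocalTime;
    TIME_FIELDS TimeFields;

    memset(&TimeSystemInfo, 0, sizeof(TimeSystemInfo));
    /* The return values of the Rtl conversion calls below are not checked,
       so start from zeroed outputs rather than uninitialized stack bytes. */
    memset(&LocalTime, 0, sizeof(LocalTime));
    memset(&TimeFields, 0, sizeof(TimeFields));

    rc = NtQuerySystemInformation(SystemTimeInfo,
                                  &TimeSystemInfo,
                                  sizeof(TimeSystemInfo),
                                  NULL);
    if (rc != STATUS_SUCCESS) {
        printf("NtQuerySystemInformation failed with Information class 'SystemTimeInfo', rc=%x\n", rc);
        return;
    }

    RtlSystemTimeToLocalTime(&TimeSystemInfo.KeBootTime, &LocalTime);
    RtlTimeToTimeFields(&LocalTime, &TimeFields);
    printf("KeBootTime = %02d-%02d-%02d, %02d:%02d:%02d\n",
           TimeFields.Day, TimeFields.Month, TimeFields.Year,
           TimeFields.Hour, TimeFields.Minute, TimeFields.Second);

    RtlSystemTimeToLocalTime(&TimeSystemInfo.KeSystemTime, &LocalTime);
    RtlTimeToTimeFields(&LocalTime, &TimeFields);
    printf("KeSystemTime = %02d-%02d-%02d, %02d:%02d:%02d\n",
           TimeFields.Day, TimeFields.Month, TimeFields.Year,
           TimeFields.Hour, TimeFields.Minute, TimeFields.Second);

    /* Both halves are zero-padded to 8 hex digits. Without the padding the
       concatenated halves are ambiguous: High=0x1/Low=0x2 would print "12". */
    printf("ExpTimeZoneBias = %08X%08X\n",
           TimeSystemInfo.ExpTimeZoneBias.HighPart,
           TimeSystemInfo.ExpTimeZoneBias.LowPart);
    printf("ExpTimeZoneId = %X\n", TimeSystemInfo.ExpTimeZoneId);
    printf("Unused = %X\n", TimeSystemInfo.Unused);
    printf("\n");
}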
/*
 * Issue an NtQuerySystemInformation call for the SystemPathInfo class and
 * report a failure status; nothing is printed on success.
 *
 * This information class appears to be obsolete and may only have been
 * used in very early versions of Windows NT. On Windows NT 3.51 SP5,
 * Windows NT 4.0 and Windows 2000 the call writes
 *   "Ex:SystemPathInformation now available via SharedUserData"
 * to the debugger window and returns STATUS_BREAKPOINT, because NTOSKRNL
 * calls DbgBreakPoint, which executes an int 3 instruction.
 */
void InfoSystemPathSystemInfo()
{
    char PathBuffer[1000];
    NTSTATUS Status;

    Status = NtQuerySystemInformation(SystemPathInfo,
                                      PathBuffer,
                                      sizeof(PathBuffer),
                                      NULL);

    /* The buffer contents are never read; only the status is reported. */
    if (Status != STATUS_SUCCESS) {
        printf("NtQuerySystemInformation failed with Information class 'SystemPathInfo', rc=%x\n", Status);
    }
}
void InfoProcessListSystemInfo()
{
PPROCESSTHREADSYSTEMINFO pProcessThreadSystemInfo;
char Buffer[0x4000];
ULONG BytesReturned;
NTSTATUS rc;
ULONG i;
memset(Buffer, 'A', sizeof(Buffer));
rc=NtQuerySystemInformation(SystemProcessThreadInfo,
Buffer,
sizeof(Buffer),
&BytesReturned);
if (rc!=STATUS_SUCCESS) {
printf("NtQuerySystemInformation failed with Information class 'SystemProcessListInfo', rc=%x\n", rc);
return;
}
pProcessThreadSystemInfo=(PPROCESSTHREADSYSTEMINFO)Buffer;
while (1) {
printf("%x -> %S\n", pProcessThreadSystemInfo->ProcessId, pProcessThreadSystemInfo->ProcessName.Buffer?pProcessThreadSystemInfo->ProcessName.Buffer:L"Unknown");
printf("\tNumber of threads = %d\n", pProcessThreadSystemInfo->nThreads);
printf("\tProcessCreateTime = %I64x\n", pProcessThreadSystemInfo->ProcessCreateTime);
printf("\tProcessUserTime = %I64x\n", pProcessThreadSystemInfo->ProcessUserTime);
printf("\tProcessKernelTime = %I64x\n", pProcessThreadSystemInfo->ProcessKernelTime);
printf("\tBasePriority = %x\n", pProcessThreadSystemInfo->BasePriority);
printf("\tParentProcessId = %x\n", pProcessThreadSystemInfo->ParentProcessId);
printf("\tHandleCount = %x\n", pProcessThreadSystemInfo->HandleCount);
printf("\tPeakVirtualSizeBytes = %x\n", pProcessThreadSystemInfo->PeakVirtualSizeBytes);
printf("\tTotalVirtualSizeBytes = %x\n", pProcessThreadSystemInfo->TotalVirtualSizeBytes);
printf("\tnPageFaults = %x\n", pProcessThreadSystemInfo->nPageFaults);
printf("\tPeakWorkingSetSizeBytes = %x\n", pProcessThreadSystemInfo->PeakWorkingSetSizeBytes);
printf("\tTotalWorkingSetSizeBytes = %x\n", pProcessThreadSystemInfo->TotalWorkingSetSizeBytes);
printf("\tPeakPagedPoolUsagePages = %x\n", pProcessThreadSystemInfo->PeakPagedPoolUsagePages);
printf("\tTotalPagedPoolUsagePages = %x\n", pProcessThreadSystemInfo->TotalPagedPoolUsagePages);
printf("\tPeakNonPagedPoolUsagePages = %x\n", pProcessThreadSystemInfo->PeakNonPagedPoolUsagePages);
printf("\tTotalNonPagedPoolUsagePages = %x\n", pProcessThreadSystemInfo->TotalNonPagedPoolUsagePages);
printf("\tTotalPageFileUsageBytes = %x\n", pProcessThreadSystemInfo->TotalPageFileUsageBytes);
printf("\tPeakPageFileUsageBytes = %x\n", pProcessThreadSystemInfo->PeakPageFileUsageBytes);
printf("\tTotalPrivateBytes = %x\n", pProcessThreadSystemInfo->TotalPrivateBytes);