}
}
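/*
 * Read ghProcess's default hard-error mode, switch it to the "no dialogs"
 * combination, then put the value read at the start back.
 *
 * Fixes: OldErrorMode was used for the revert even when the initial query
 * failed (an uninitialized read, and a garbage mode written into the target),
 * and both NtSetInformationProcess failure messages blamed
 * NtQueryInformationProcess.  If the current mode cannot be read, the target
 * is left untouched.
 */
void DumpDefaultHardErrorMode(void)
{
    HARDERRORMODEINFO HardErrorModeInfoBuffer;
    ULONG OldErrorMode;
    NTSTATUS rc;

    rc = NtQueryInformationProcess(ghProcess,
                                   ProcessDefaultHardErrorMode,
                                   &HardErrorModeInfoBuffer,
                                   sizeof(HardErrorModeInfoBuffer),
                                   NULL);
    if (rc != STATUS_SUCCESS) {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessDefaultHardErrorMode', rc=%x\n", rc);
        /* Without the original value there is nothing safe to revert to. */
        return;
    }
    printf("HardErrorModeInfoBuffer.HardErrorMode = %x\n", HardErrorModeInfoBuffer.HardErrorMode);
    OldErrorMode = HardErrorModeInfoBuffer.HardErrorMode;

    /* Suppress every class of hard-error dialog for the target process. */
    HardErrorModeInfoBuffer.HardErrorMode = SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX |
                                            SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX;
    rc = NtSetInformationProcess(ghProcess,
                                 ProcessDefaultHardErrorMode,
                                 &HardErrorModeInfoBuffer,
                                 sizeof(HardErrorModeInfoBuffer));
    if (rc == STATUS_SUCCESS) {
        printf("Hard error mode set to SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX\n");
    } else {
        printf("NtSetInformationProcess failed with infoclass 'ProcessDefaultHardErrorMode', rc=%x\n", rc);
    }

    /* Revert unconditionally: if the set above failed this simply rewrites
       the value that is already in place. */
    HardErrorModeInfoBuffer.HardErrorMode = OldErrorMode;
    rc = NtSetInformationProcess(ghProcess,
                                 ProcessDefaultHardErrorMode,
                                 &HardErrorModeInfoBuffer,
                                 sizeof(HardErrorModeInfoBuffer));
    if (rc == STATUS_SUCCESS) {
        printf("Hard error mode reverted back to original\n");
    } else {
        printf("NtSetInformationProcess failed with infoclass 'ProcessDefaultHardErrorMode', rc=%x\n", rc);
    }
}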
/* The I/O port handlers information class: deliberately a no-op in this tool. */
void DumpIoPortHandlers()
{
/* No get method for this information class. */
/* The set method only works from kernel mode, and the layout of the information
   buffer it expects is not known, so there is nothing a user-mode dumper can do here. */
}
/*
 * Print the pool and pagefile usage/limit counters of ghProcess.
 * This information class is query-only; there is no set method.
 */
void DumpPooledUsageAndLimits(void)
{
    POOLED_USAGE_AND_LIMITS Usage;
    NTSTATUS status = NtQueryInformationProcess(ghProcess,
                                                ProcessPooledUsageAndLimits,
                                                &Usage,
                                                sizeof(Usage),
                                                NULL);
    if (status != STATUS_SUCCESS) {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessPooledUsageAndLimits', rc=%x\n", status);
        return;
    }

    /* One line per counter; the stringized field name keeps the labels in
       step with the members actually printed. */
    /* NOTE(review): %x assumes these counters are 32-bit wide — confirm the
       member types before building for a 64-bit target. */
#define DUMP_POOL_FIELD(field) \
    printf("PooledUsageAndLimitsInfo." #field " = %x\n", Usage.field)
    DUMP_POOL_FIELD(PeakPagedPoolUsage);
    DUMP_POOL_FIELD(PagedPoolUsage);
    DUMP_POOL_FIELD(PagedPoolLimit);
    DUMP_POOL_FIELD(PeakNonPagedPoolUsage);
    DUMP_POOL_FIELD(NonPagedPoolUsage);
    DUMP_POOL_FIELD(NonPagedPoolLimit);
    DUMP_POOL_FIELD(PeakPagefileUsage);
    DUMP_POOL_FIELD(PagefileUsage);
    DUMP_POOL_FIELD(PagefileLimit);
#undef DUMP_POOL_FIELD
}
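/*
 * Turn on working-set watching for ghProcess, provoke some page faults in this
 * program by touching a static array, then print the (FaultingPc, FaultingVa)
 * pairs the kernel recorded.
 *
 * Fix: the walk over the returned array is bounded by the size of Buffer.
 * The original loop relied solely on a terminating all-zero entry; had the
 * kernel filled the buffer completely, the walk would have read past Buffer.
 */
void DumpWorkingsetWatchInformation(void)
{
    NTSTATUS rc;
    char Buffer[0x2000];
    PPROCESS_WS_WATCH_INFORMATION pWorkingsetWatchInfo;
    size_t maxEntries;
    size_t i;
    static char x[10000];

    /* Enable watching working set. */
    rc = NtSetInformationProcess(ghProcess,
                                 ProcessWorkingSetWatch,
                                 NULL,
                                 0);
    if (rc != STATUS_SUCCESS) {
        printf("NtSetInformationProcess failed with infoclass 'ProcessWorkingSetWatch', rc=%x\n", rc);
        return;
    }

    /* Touch the static array so that some faults occur.  The faults happen in
       this program; when ghProcess is another process the list below reflects
       whatever that process happened to fault on. */
    memset(x, 0, sizeof(x));

    pWorkingsetWatchInfo = (PPROCESS_WS_WATCH_INFORMATION)Buffer;
    maxEntries = sizeof(Buffer) / sizeof(*pWorkingsetWatchInfo);
    rc = NtQueryInformationProcess(ghProcess,
                                   ProcessWorkingSetWatch,
                                   Buffer,
                                   sizeof(Buffer),
                                   NULL);
    if (rc == STATUS_SUCCESS) {
        /* Stop at the terminating zero entry or at the end of Buffer, whichever
           comes first. */
        for (i = 0; i < maxEntries; i++) {
            if (pWorkingsetWatchInfo[i].FaultingPc == 0 || pWorkingsetWatchInfo[i].FaultingVa == 0) {
                break;
            }
            /* NOTE(review): %08x assumes 32-bit values; these fields are pointer-sized. */
            printf("%08x %08x\n", pWorkingsetWatchInfo[i].FaultingPc, pWorkingsetWatchInfo[i].FaultingVa);
        }
    } else if (rc == STATUS_NO_MORE_ENTRIES) {
        printf("No faults occured due to memset\n");
    } else {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessWorkingSetWatch', rc=%x\n", rc);
    }
}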
/* Read one CMOS register: select it through port 0x70, then fetch it from port 0x71. */
static int ReadCmosRegister(int reg)
{
    outp(0x70, reg);
    return inp(0x71);
}

/*
 * Print the base memory size (in KB) held in CMOS registers 0x15 (low byte)
 * and 0x16 (high byte) using direct port I/O.  Only meaningful once the
 * process's IOPL has been raised; DumpUserModeIOPL calls this right after a
 * successful ProcessUserModeIOPL set.
 */
void DumpBaseMemoryWithDirectPortIO(void)
{
    unsigned short BaseMemory;

    BaseMemory = (unsigned short)ReadCmosRegister(0x15);
    BaseMemory += (unsigned short)(ReadCmosRegister(0x16) << 8);
    printf("Base memory = %dK\n", BaseMemory);
}
/*
 * Raise the process's I/O privilege level via ProcessUserModeIOPL and, if that
 * succeeded, demonstrate it with a direct CMOS read.  There is no query form of
 * this information class.  The set needs SE_TCB_PRIVILEGE, which is enabled only
 * for the duration of the call.
 *
 * NOTE(review): nothing here lowers the IOPL again afterwards, so the process
 * keeps direct port access for the rest of its run.
 */
void DumpUserModeIOPL(void)
{
    IOPLINFO Request;
    NTSTATUS status;

    if (!EnableOrDisablePrivilege(SE_TCB_PRIVILEGE, FALSE)) {
        printf("Unable to enable SE_TCB_PRIVILEGE\n");
        return;
    }

    Request.Iopl = 3;
    status = NtSetInformationProcess(ghProcess,
                                     ProcessUserModeIOPL,
                                     &Request,
                                     sizeof(Request));
    /* Presumably TRUE means "disable": give the privilege back before
       looking at the result. */
    EnableOrDisablePrivilege(SE_TCB_PRIVILEGE, TRUE);

    if (status != STATUS_SUCCESS) {
        printf("NtSetInformationProcess failed with infoclass 'ProcessUserModeIOPL', rc=%x\n", status);
        return;
    }
    printf("IOPL set to %d\n", Request.Iopl);
    DumpBaseMemoryWithDirectPortIO();
}
/*
 * Turn on alignment-fault fixup for ghProcess.  Set-only information class;
 * according to the original author it has no observable effect on x86.
 */
void DumpAllignmentFaultFixup(void)
{
    ALLIGNMENTFAULTFIXUPINFO Request;
    NTSTATUS status;

    Request.bEnableAllignmentFaultFixup = TRUE;
    status = NtSetInformationProcess(ghProcess,
                                     ProcessEnableAlignmentFaultFixup,
                                     &Request,
                                     sizeof(Request));
    if (status != STATUS_SUCCESS) {
        printf("NtSetInformationProcess failed with infoclass 'ProcessEnableAlignmentFaultFixup', rc=%x\n", status);
        return;
    }
    printf("AlignmentFaultfixup enabled\n");
}
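/*
 * Set ghProcess's priority class to KRNL_HIGH_PRIORITY_CLASS.  Set-only
 * information class; SE_INC_BASE_PRIORITY_PRIVILEGE is enabled just around
 * the call.  The previous priority class is not restored afterwards.
 *
 * Fixes: the failure message named SE_SYSTEMTIME_PRIVILEGE although the
 * privilege requested is SE_INC_BASE_PRIORITY_PRIVILEGE.  The info structure
 * is an explicitly zeroed local instead of a static — the static presumably
 * served only to zero any members other than PriorityClass before the kernel
 * saw them, and `= {0}` does that without file-lifetime state.
 */
void DumpPriorityClass(void)
{
    NTSTATUS rc;
    PRIORITYCLASSINFO PriorityClassInfo = {0};

    if (!EnableOrDisablePrivilege(SE_INC_BASE_PRIORITY_PRIVILEGE, FALSE)) {
        printf("Unable to enable SE_INC_BASE_PRIORITY_PRIVILEGE\n");
        return;
    }
    PriorityClassInfo.PriorityClass = KRNL_HIGH_PRIORITY_CLASS;
    rc = NtSetInformationProcess(ghProcess,
                                 ProcessPriorityClass,
                                 &PriorityClassInfo,
                                 sizeof(PriorityClassInfo));
    /* Give the privilege back regardless of the outcome. */
    EnableOrDisablePrivilege(SE_INC_BASE_PRIORITY_PRIVILEGE, TRUE);
    if (rc == STATUS_SUCCESS) {
        printf("PriorityClass set to KRNL_HIGH_PRIORITY_CLASS\n");
    } else {
        printf("NtSetInformationProcess failed with infoclass 'ProcessPriorityClass', rc=%x\n", rc);
    }
}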
/*
 * Query and print the Wx86 information word of ghProcess.  Query-only class;
 * the original author notes the kernel always returns 0 here because the
 * code behind it is not implemented.
 */
void DumpX86Information(void)
{
    X86INFO Info;
    NTSTATUS status = NtQueryInformationProcess(ghProcess,
                                                ProcessWx86Information,
                                                &Info,
                                                sizeof(Info),
                                                NULL);
    if (status == STATUS_SUCCESS) {
        printf("X86InfoBuffer.x86Info=%x\n", Info.x86Info);
        return;
    }
    printf("NtQueryInformationProcess failed with infoclass 'ProcessWx86Information', rc=%x\n", status);
}
/* Query and print the number of open handles in ghProcess (query-only class). */
void DumpHandleCount(void)
{
    HANDLECOUNTINFO Info;
    NTSTATUS status = NtQueryInformationProcess(ghProcess,
                                                ProcessHandleCount,
                                                &Info,
                                                sizeof(Info),
                                                NULL);
    if (status != STATUS_SUCCESS) {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessHandleCount', rc=%x\n", status);
        return;
    }
    printf("HandleCountInfo.HandleCount=%x\n", Info.HandleCount);
}
/*
 * Pin ghProcess to processor 0 by setting its affinity mask to 1.  Set-only
 * class: the current mask can only be read back through ProcessBasicInformation
 * (which is what GetProcessAffinityMask does).  The previous mask is not
 * restored, so the target stays pinned after this tool exits.
 */
void DumpAffinityMask(void)
{
    AFFINITYMASKINFO Request;
    NTSTATUS status;

    Request.AffinityMask = 1;
    status = NtSetInformationProcess(ghProcess,
                                     ProcessAffinityMask,
                                     &Request,
                                     sizeof(Request));
    if (status != STATUS_SUCCESS) {
        printf("NtSetInformationProcess failed with infoclass 'ProcessAffinityMask', rc=%x\n", status);
        return;
    }
    printf("AffinityMask set for the process\n");
}
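/*
 * Show ghProcess's priority-boost setting, set bPriorityBoostEnabled to TRUE,
 * read it back, and then restore the value read at the start.
 *
 * Fix: the original left the target process with the changed setting.  A
 * diagnostic tool should not permanently alter its target, and
 * DumpDefaultHardErrorMode already follows the query/set/revert pattern, so
 * this routine now does the same.  If the set fails nothing was changed and
 * there is nothing to revert.
 */
void DumpPriorityBoost(void)
{
    NTSTATUS rc;
    PRIORITYBOOSTINFO PriorityBoostInfo;
    PRIORITYBOOSTINFO Original;

    rc = NtQueryInformationProcess(ghProcess,
                                   ProcessPriorityBoost,
                                   &PriorityBoostInfo,
                                   sizeof(PriorityBoostInfo),
                                   NULL);
    if (rc != STATUS_SUCCESS) {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessPriorityBoost', rc=%x\n", rc);
        return;
    }
    printf("PriorityBoostInfo.bPriorityBoostEnabled=%x\n", PriorityBoostInfo.bPriorityBoostEnabled);
    Original = PriorityBoostInfo;

    PriorityBoostInfo.bPriorityBoostEnabled = TRUE;
    rc = NtSetInformationProcess(ghProcess,
                                 ProcessPriorityBoost,
                                 &PriorityBoostInfo,
                                 sizeof(PriorityBoostInfo));
    if (rc != STATUS_SUCCESS) {
        printf("NtSetInformationProcess failed with infoclass 'ProcessPriorityBoost', rc=%x\n", rc);
        return;
    }

    rc = NtQueryInformationProcess(ghProcess,
                                   ProcessPriorityBoost,
                                   &PriorityBoostInfo,
                                   sizeof(PriorityBoostInfo),
                                   NULL);
    if (rc == STATUS_SUCCESS) {
        printf("PriorityBoostInfo.bPriorityBoostEnabled=%x\n", PriorityBoostInfo.bPriorityBoostEnabled);
    } else {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessPriorityBoost', rc=%x\n", rc);
    }

    /* Put the target back the way it was found, even if the read-back failed. */
    rc = NtSetInformationProcess(ghProcess,
                                 ProcessPriorityBoost,
                                 &Original,
                                 sizeof(Original));
    if (rc == STATUS_SUCCESS) {
        printf("Priority boost reverted back to original\n");
    } else {
        printf("NtSetInformationProcess failed with infoclass 'ProcessPriorityBoost', rc=%x\n", rc);
    }
}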
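/* Map a DRIVE_* code from the device map to its symbolic name, or NULL if unknown. */
static const char *DriveTypeName(unsigned int type)
{
    switch (type) {
    case DRIVE_NO_ROOT_DIR: return "DRIVE_NO_ROOT_DIR";
    case DRIVE_REMOVABLE:   return "DRIVE_REMOVABLE";
    case DRIVE_FIXED:       return "DRIVE_FIXED";
    case DRIVE_REMOTE:      return "DRIVE_REMOTE";
    case DRIVE_CDROM:       return "DRIVE_CDROM";
    case DRIVE_RAMDISK:     return "DRIVE_RAMDISK";
    default:                return NULL;
    }
}

/*
 * Print ghProcess's drive map bitmask and, for every drive letter with a
 * non-zero type, the letter and its DRIVE_* name.
 *
 * Fix: the original switch had no default, so an unrecognized type code
 * printed the drive letter without a newline and the next drive's output ran
 * onto the same line.  Unknown codes are now printed numerically on their own
 * line.
 */
void DumpDeviceMap(void)
{
    NTSTATUS rc;
    PROCESS_DEVICEMAP_INFORMATION ProcessDeviceMapInfo;

    rc = NtQueryInformationProcess(ghProcess,
                                   ProcessDeviceMap,
                                   &ProcessDeviceMapInfo,
                                   sizeof(ProcessDeviceMapInfo),
                                   NULL);
    if (rc != STATUS_SUCCESS) {
        printf("NtQueryInformationProcess failed with infoclass 'ProcessDeviceMap', rc=%x\n", rc);
        return;
    }

    printf("ProcessDeviceMapInfo.Query.DriveMap=%08x\n", ProcessDeviceMapInfo.Query.DriveMap);
    {
        ULONG i;
        for (i = 0; i < sizeof(ProcessDeviceMapInfo.Query.DriveType); i++) {
            unsigned int type = ProcessDeviceMapInfo.Query.DriveType[i];
            const char *name;

            if (!type) {
                continue;   /* no drive at this letter */
            }
            name = DriveTypeName(type);
            if (name) {
                printf("%c:\\ %s\n", (int)('A' + i), name);
            } else {
                printf("%c:\\ unknown drive type %u\n", (int)('A' + i), type);
            }
        }
    }
}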
/* Query and print the terminal-services session id of ghProcess. */
void DumpSessionId(void)
{
    PROCESS_SESSION_INFORMATION Session;
    NTSTATUS status = NtQueryInformationProcess(ghProcess,
                                                ProcessSessionInformation,
                                                &Session,
                                                sizeof(Session),
                                                NULL);
    if (status == STATUS_SUCCESS) {
        printf("ProcessSessionInfo.SessionId=%x\n", Session.SessionId);
        return;
    }
    printf("NtQueryInformationProcess failed with infoclass 'ProcessSessionInformation', rc=%x\n", status);
}
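/*
 * Probe which process information classes 0..39 the running kernel recognizes:
 * print the class numbers that do not come back as STATUS_INVALID_INFO_CLASS,
 * first for NtQueryInformationProcess and then for NtSetInformationProcess.
 * Runs against the current process.  Not called from main().
 *
 * Fix: Buffer is zeroed before use.  The set loop hands the buffer's contents
 * to the kernel for every class, so with an uninitialized buffer any class
 * that happened to accept the length would have applied stack garbage to this
 * process.
 */
void func(void)
{
    ULONG i;
    NTSTATUS rc;
    char Buffer[10000];

    memset(Buffer, 0, sizeof(Buffer));
    printf("%d\n", ProcessWow64Information);

    for (i = 0; i < 40; i++) {
        rc = NtQueryInformationProcess(NtCurrentProcess(),
                                       i,
                                       Buffer,
                                       sizeof(Buffer),
                                       NULL);
        if (rc != STATUS_INVALID_INFO_CLASS) {
            printf("%d ", i);
        }
    }
    printf("\n");

    /* NOTE(review): this loop does attempt to *set* each class on the current
       process; any class that accepts a 10000-byte zeroed buffer is applied. */
    for (i = 0; i < 40; i++) {
        rc = NtSetInformationProcess(NtCurrentProcess(),
                                     i,
                                     Buffer,
                                     sizeof(Buffer));
        if (rc != STATUS_INVALID_INFO_CLASS) {
            printf("%d ", i);
        }
    }
    printf("\n");
}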
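/*
 * Entry point.  With one argument, the decimal PID names the process to
 * inspect (opened with PROCESS_ALL_ACCESS); with none, the current process is
 * used.  Every Dump* routine is then run in turn.  Several of them change
 * settings on the target (hard error mode, IOPL, priority class, affinity
 * mask, ...), so point this at another process only when that is acceptable.
 *
 * Fixes: the PID is parsed with strtoul and rejected unless the whole argument
 * is numeric (atoi silently turned junk into PID 0); a failed NtOpenProcess
 * exits with status 1 instead of 0; the success path returns explicitly.
 *
 * Returns 0 on success, 1 on a malformed PID or a failed open.
 */
int main(int argc, char **argv)
{
    if (argc == 2) {
        NTSTATUS rc;
        CLIENT_ID ClientId;
        OBJECT_ATTRIBUTES ObjAttr;
        char *end = NULL;
        unsigned long pid = strtoul(argv[1], &end, 10);

        if (end == argv[1] || *end != '\0') {
            printf("Invalid process id '%s'\n", argv[1]);
            return 1;
        }
        InitializeObjectAttributes(&ObjAttr,
                                   NULL,
                                   0,
                                   NULL,
                                   NULL);
        ClientId.UniqueProcess = (HANDLE)pid;
        ClientId.UniqueThread = (HANDLE)0;
        /* NOTE(review): PROCESS_ALL_ACCESS is broader than a query/set tool
           needs; it is kept because the exact rights each Dump* routine
           requires were not enumerated here. */
        rc = NtOpenProcess(&ghProcess,
                           PROCESS_ALL_ACCESS,
                           &ObjAttr,
                           &ClientId);
        if (rc != STATUS_SUCCESS) {
            printf("NtOpenProcess failed, rc=%x\n", rc);
            return 1;
        }
    } else {
        ghProcess = NtCurrentProcess();
    }

    DumpBasicInformation();
    DumpQuotaLimitsInformation();
    DumpIoCounters();
    DumpVmCounters();
    DumpProcessTimes();
    DumpBasePriority();
    DumpRaisePriority();
    DumpDebugPort();
    DumpExceptionPort();
    DumpAccessToken();
    DumpLdtInformation();
    DumpLdtSizeInformation();
    DumpDefaultHardErrorMode();
    DumpIoPortHandlers();
    DumpPooledUsageAndLimits();
    DumpWorkingsetWatchInformation();
    DumpUserModeIOPL();
    DumpAllignmentFaultFixup();
    DumpPriorityClass();
    DumpX86Information();
    DumpHandleCount();
    DumpAffinityMask();
    DumpPriorityBoost();
    DumpDeviceMap();
    DumpSessionId();
    /* The handle opened above is released by process exit. */
    return 0;
}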