【求助】新人请教一下SYSTEM_INFORMATION_CLASS的取值问题 [文字模式]
- 看雪安全论坛
查看完整版本 :
日曜の雨第一次使用ZwQuerySystemInformation()这个函数:3:
它的第一个参数是SYSTEM_INFORMATION_CLASS SystemInformationClass
在网上到处找资料，大概得出以下个人结论：SystemInformationClass是一个类型信息，它大概提供了50余种信息，所以你需要哪一种信息，就需要设置一个枚举值。看了一下各位前辈的代码，有这样写的：
enum SYSTEM_INFORMATION_CLASS {SystemKernelDebuggerInformation=35};
这样得到的是SYSTEM_KERNEL_DEBUGGER_INFORMATION这个结构体代表的信息。
所以想问下：
（1）各个枚举值代表都什么意思？比如我随便写一个enum SYSTEM_INFORMATION_CLASS {MyInfo=1}可以麽？是否有意义？
（2）谁能给个SYSTEM_INFORMATION_CLASS的完整定义？链接、出处都可以。
先谢谢大家！
combojiangSystemBasicInformation
SystemProcessorInformation
SystemPerformanceInformation
SystemTimeOfDayInformation
SystemNotImplemented1
SystemProcessesAndThreadsInformation
SystemCallCounts
SystemConfigurationInformation
SystemProcessorTimes
SystemGlobalFlag
SystemNotImplemented2
SystemModuleInformation
SystemLockInformation
SystemNotImplemented3
SystemNotImplemented4
SystemNotImplemented5
SystemHandleInformation
SystemObjectInformation
SystemPagefileInformation
SystemInstructionEmulationCounts
SystemInvalidInfoClass1
SystemCacheInformation
SystemPoolTagInformation
SystemProcessorStatistics
SystemDpcInformation
SystemNotImplemented6
SystemLoadImage
SystemUnloadImage
SystemTimeAdjustment
SystemNotImplemented7
SystemNotImplemented8
SystemNotImplemented9
SystemCrashDumpInformation
SystemExceptionInformation
SystemCrashDumpStateInformation
SystemKernelDebuggerInformation
SystemContextSwitchInformation
SystemRegistryQuotaInformation
SystemLoadAndCallImage
SystemPrioritySeparation
SystemNotImplemented10
SystemNotImplemented11
SystemInvalidInfoClass2
SystemInvalidInfoClass3
SystemTimeZoneInformation
SystemLookasideInformation
SystemSetTimeSlipEvent
SystemCreateSession
SystemDeleteSession
SystemInvalidInfoClass4
SystemRangeStartInformation
SystemVerifierInformation
SystemAddVerifier
SystemSessionProcessesInformation
日曜の雨谢谢LS 应该是从0开始一直顺着往下排吧？
很奇怪目前我只有SystemKernelDebuggerInformation时调用ZwQuerySystemInformation()才成功（返回0） 其他基本失败
我是在一个MFC的基于对话框的程序里调用ZwQuerySystemInformation()，并不是写驱动，请问是这个原因吗？
日曜の雨下面是我的代码，该定义的结构体都已经定义，这里就不写出了。EXE文件可以运行（一个MFC的对话框程序），但是ZwQuerySystemInformation()总是调用失败。:eek: 请哪位大虾指教一下？
enum SYSTEM_INFORMATION_CLASS {SystemHandleInformation=16};
typedef NTSTATUS(NTAPI *ZW_QUERY_SYSTEM_INFORMATION)
(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength);
HMODULE hModule=GetModuleHandle(&ntdll.dll&);
if(hModule==NULL)
AfxMessageBox(&GetModuleHandle Failed!&,MB_OK);
ZW_QUERY_SYSTEM_INFORMATION
zqsi=(ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule,&ZwQuerySystemInformation&);
if(zqsi==NULL)
AfxMessageBox(&GetProcAddress Failed!&,MB_OK);
SYSTEM_HANDLE_INFORMATION
ULONG len=sizeof(SYSTEM_HANDLE_INFORMATION);
ULONG needed=0;
if(0==zqsi(SystemHandleInformation,&info,len,&needed))
AfxMessageBox(&Succeeded!&,MB_OK);
炉子SYSTEM_HANDLE_INFORMATION
ULONG len=sizeof(SYSTEM_HANDLE_INFORMATION);
ULONG needed=0;
if(0==zqsi(SystemHandleInformation,&info,len,&needed))
AfxMessageBox(&Succeeded!&,MB_OK);
要协商缓存的
炉子%wrk%\public\sdk\inc\ntexapi.h
// System Information Classes.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
// obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass
// MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
// System Information Structures.
日曜の雨SYSTEM_HANDLE_INFORMATION
ULONG len=sizeof(SYSTEM_HANDLE_INFORMATION);
ULONG needed=0;
if(0==zqsi(SystemHandleInformation,&info,len...
谢谢回答。
协商缓存难道是利用循环让len持续＋1来检测？
那岂不是很费时间啊？
日曜の雨似乎解决了 原来是要不断尝试增加info和len的大小
谢谢各位！
炉子一般是len*2吧。。。