Windows keeps system information in a number of internal structures, many of which Microsoft has not documented. The SYSTEM_BASIC_INFORMATION structure is one of them. Its contents can be read by calling the ZwQuerySystemInformation function exported by NTDLL.DLL. Because the structure is undocumented, its layout is not guaranteed to be the same on every Windows version or between 32-bit and 64-bit builds, so always check the status the call returns. Below is demo code:
#include "stdafx.h"
#include
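/* Status type returned by the native (ntdll) routine used below. */
typedef long NTSTATUS;

/*
 * Information classes accepted by ZwQuerySystemInformation. Only the class
 * this demo queries is declared; as the first enumerator its value is 0.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation
} SYSTEM_INFORMATION_CLASS;

/*
 * Buffer filled in for the SystemBasicInformation class.
 *
 * The structure is undocumented, so this layout is a best-effort
 * declaration. The last three integer fields are pointer-sized: they are
 * declared ULONG_PTR (same Windows headers as ULONG) so that sizeof() of
 * this structure is also right in a 64-bit build. With plain ULONG fields
 * the structure only has the expected size when compiled for 32-bit, and
 * the query is rejected when the length passed in does not match.
 */
typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG     Unknown;               /* always contains zero */
    ULONG     MaximumIncrement;      /* a clock unit of measurement */
    ULONG     PhysicalPageSize;      /* size of a memory page */
    ULONG     NumberOfPhysicalPages; /* how many pages the system manages */
    ULONG     LowestPhysicalPage;    /* low-end memory page */
    ULONG     HighestPhysicalPage;   /* upper memory page */
    ULONG     AllocationGranularity;
    ULONG_PTR LowestUserAddress;     /* lowest user-mode address */
    ULONG_PTR HighestUserAddress;    /* highest user-mode address */
    ULONG_PTR ActiveProcessors;      /* active processors */
    UCHAR     NumberProcessors;      /* number of processors */
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

/*
 * Signature of ZwQuerySystemInformation as exported by NTDLL.DLL.
 * ReturnLength is optional; the demo passes 0 for it.
 */
typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/*
 * Resolved at run time with GetProcAddress. It stays NULL until then, so
 * the lookup result must be checked before the pointer is called.
 */
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;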
INT _TMAIN (int Argc, _tchar * argv []) {system_basic_information sysbaseinfo; ntstatus status;
IF (! (zwQuerySystemInformation) getProcaddress ("NTDLL.DLL"), "ntdll.dll"), "zwQuerySysteminformation"))) {Printf ("getProcaddress Failed"); return -1;}
Status = ZwQuerySystemInformation (SystemBasicinFormat, & SysbasicInfo, SizeOf (SysbaseInfo), 0); if (status! = no_error) {Printf ("ZWQuerySystemInformation Failed); Return -1;}