1. Window information
Windows provides functions for opening a specific desktop and enumerating the windows on it.
hDesk = OpenDesktop (lpszDesktop, 0, FALSE, DESKTOP_ENUMERATE);
// Open the default desktop;
EnumDesktopWindows (hDesk, (WNDENUMPROC) EnumWindowsProc, 0);
// Enumerate all the windows on the desktop; the work is done in the callback function.
BOOL __stdcall EnumWindowsProc (HWND hwnd, LPARAM lParam);
// In the callback function we can obtain the window title and the owning process and thread;
GetWindowText (hwnd, szWindowText, dwMaxCount);
GetWindowThreadProcessId (hwnd, & dwPid);
2. Device driver information (services and device drivers are handled alike, so services are not repeated here)
Device driver information is managed by the Service Control Manager (SCM); we open the service control manager and enumerate all
device drivers.
OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS);
// Open the service control manager with all access rights (in practice request only the rights you actually need);
EnumServicesStatus (schManager, dwDeviceType, dwDeviceState,
EnumStatus, dwBufSize, & dwBytesNeeded,
& dwDevicesReturned, & dwResumeHandle);
// Enumerate the current status of all devices;
CloseServiceHandle (schManager);
// Remember to close the service handle when you are finished with it (it must still be open for the OpenService call below);
OpenService (schManager, szDeviceName, SERVICE_ALL_ACCESS);
// Open a specific device driver;
QueryServiceConfig (schDevice, lpDeviceConfig,
1024 * 8, & dwBytesNeeded);
// Query the service configuration information of the driver;
QueryServiceStatus (schDevice, & DeviceStatus);
// Query the current state of the device driver;
QueryServiceConfig2 (schDevice, SERVICE_CONFIG_DESCRIPTION,
(LPBYTE) lpDeviceDescription, 8 * 1024, & dwBytesNeeded);
// Query the description of the device;
StartService (schDevice, 0, NULL);
// Start the device;
ControlService (schDevice, SERVICE_CONTROL_STOP, & DeviceStatus);
// Stop the device;
DeleteService (schDevice);
// Delete the device;
3. Disk information
We want to obtain information about all the drives in the system, including floppy disks, hard disks, optical discs, etc.
GetLogicalDriveStrings (dwBufferLength, lpBuffer);
// Get the list of logical drives;
GetVolumeInformation (lpRootPathName, lpVolumeNameBuffer,
dwVolumeNameSize, & dwVolumeSerialNumber,
& dwMaximumComponentLength, & dwFileSystemFlags,
lpFileSystemNameBuffer, dwFileSystemNameSize); // Get disk volume information, including the volume name and file-system type;
GetDiskFreeSpaceEx (lpRootPathName, & FreeBytesAvailable,
& TotalNumberOfBytes, & TotalNumberOfFreeBytes);
// Detect the space usage of the disk;
4. Environment variables
We can read the environment block from the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, using the registry functions.
RegOpenKeyEx (HKEY_LOCAL_MACHINE, RegKey, 0, KEY_QUERY_VALUE, & hKey);
// Open the registry key (read-only access is sufficient here);
RegEnumValue (hKey, dwIndex, EnvironVariable,
& dwVariableLength, NULL, NULL, NULL, NULL);
// Enumerate the value names we need;
GetEnvironmentVariable (EnvironVariable, EnvironString, 1024);
// Get the string value of the environment variable;
5. Event log information
OpenEventLog (NULL, szLog);
// Open the event log;
GetOldestEventLogRecord (hEvent, & dwThisRecord);
// Get the number of the oldest record, the starting point for reading forward;
ReadEventLog (hEvent, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
0, pEventLogRecord, 1024 * 32, & dwRead, & dwNeeded);
// Read the log records;
LookupAccountSid (NULL, pSid, szName, & dwName, szDomain, & dwDomain, & snu);
// Resolve the account SID in the record to a user name;
GetNumberOfEventLogRecords (hEvent, & dwTotal);
// Get the total number of event log records;
CloseEventLog (hEvent);
// Don't forget to close the event log handle;
6. Network shares
We enumerate network shares at information level 2;
NetShareEnum (NULL, dwLevel, (PBYTE *) & pBuf, MAX_PREFERRED_LENGTH, & EntriesRead, & TotalEntries, & Resume);
// List all shared directories and related information;
NetApiBufferFree (pBuf);
// Release the buffer;
NetShareDel (NULL, (CHAR *) lpShareNameW, 0);
// Delete the network share;
7. Network adapter information
We want to query NIC information and network traffic;
GetAdaptersInfo (& AdapterInfo, & OutBufLen);
// Get adapter information;
8. System performance
Get the memory usage of the system;
GetPerformanceInfo (& PerfInfo, sizeof (PERFORMANCE_INFORMATION));
// Get system performance information;
9. Process / thread / module information
Here we use the Tool Help functions (Toolhelp32) together with system APIs.
OpenProcessToken (GetCurrentProcess (), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, & hToken);
// Open the token of the current process so its privileges can be adjusted;
AdjustTokenPrivileges (hToken, FALSE, & TokenPrivileges, sizeof (TOKEN_PRIVILEGES),
NULL, NULL);
// Enable the debug privilege on the token so other processes can be opened (check GetLastError afterwards: the call returns success even when not all privileges were assigned);
CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
// Create a snapshot of the processes;
Process32First (hProcessSnap, & ProcessEntry32);
Process32Next (hProcessSnap, & ProcessEntry32);
// Enumerate all processes;
OpenProcess (PROCESS_QUERY_INFORMATION, FALSE, ProcessEntry32.th32ProcessID);
// Open a specific process to query its information;
GetProcessTimes (hProcess, & CreateTime, & ExitTime, & KernelTime, & UserTime);
// Get the time information of the process;
GetProcessMemoryInfo (hProcess, & PmCounter, sizeof (PmCounter));
// Get the memory usage information of the process;
GetPriorityClass (hProcess);
// Get the priority class of the process;
GetProcessIoCounters (hProcess, & IoCounters);
// Get the I/O usage of the process;
CreateToolhelp32Snapshot (TH32CS_SNAPMODULE, dwProcessId);
// Create a module snapshot;
Module32First (hModuleSnap, & ModuleEntry32);
Module32Next (hModuleSnap, & ModuleEntry32);
// Enumerate the modules of the process;
CreateToolhelp32Snapshot (TH32CS_SNAPTHREAD, 0);
// Create a thread snapshot;
Thread32First (hThreadSnap, & ThreadEntry32);
Thread32Next (hThreadSnap, & ThreadEntry32);
// Enumerate thread information;
OpenThread (THREAD_ALL_ACCESS, FALSE, ThreadEntry32.th32ThreadID);
// Open the thread; the address of this function must be obtained dynamically;
TerminateProcess (hProcess, 0);
// Terminate the process;
SuspendThread (hThread);
// Suspend the thread;
ResumeThread (hThread);
// Resume the thread;
10. Shutdown
AdjustTokenPrivileges (hToken, FALSE, & TokenPrivileges, sizeof (TOKEN_PRIVILEGES),
NULL, NULL);
// Enable the shutdown privilege on the process token, required before the calls below;
ExitWindowsEx (EWX_LOGOFF, 0);
// Log off the current user;
LockWorkStation (); // Lock the workstation;
InitiateSystemShutdown (NULL, szMessage, dwTimeout, FALSE, bSig);
// Shut down / restart, displaying a message to the user with a timeout;
SetSystemPowerState (bSig, FALSE);
// Put the system to sleep / hibernate;
11. User information
NetUserEnum (NULL, dwLevel, FILTER_NORMAL_ACCOUNT, (LPBYTE *) & pBuf,
dwPrefMaxLen, & dwEntriesRead, & dwTotalEntries, & dwResumeHandle);
// Enumerate the user accounts on the system;
NetUserDel (NULL, lpUserNameW);
// Delete the specified user;
12. System version information
GetVersionEx (& OsViEx);
// Get the version information of the operating system;
We can also read related information from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion:
GetTickCount ();
// Get the time elapsed since boot;
GetComputerName (szInfo, & dwInfo);
// Get the computer name;
GetUserName (szInfo, & dwInfo);
// Get the name of the current user;
GetWindowsDirectory (szInfo, MAX_PATH + 1);
// Get the Windows directory;
GetSystemDirectory (szInfo, MAX_PATH + 1);
// Get the system directory;