Probe Windows2K / XP / 2003 local system information Author: TOo2y
Native API is a native system service that provides an interface for the upper WIN32 API in Windows user mode. It usually we always call MS to implement our system's functionality for our utility. (PS: Not long, I have written a Windows Task Manager to support desktops, process / threads, system performance, disks, environment variables, event logs, networks, equipment drivers, Win32 services, sharing, users, systems, and shutdown, etc. The detection and control of information is completely based on the Win32 API, you can go to our home page to download). Today we have to talk about how to detect local system information through this unit system service (Native API). Of course, Microsoft did not provide us with the documentation (undocument), which would not provide any guarantee for its use, so we do not advocate using the Native API to develop software. However, in special circumstances, the system service provides us with shortcuts to "secret". The information mentioned herein is only tested on Windows2000 / XP / 2003.
Today, we focus on a function ntquerysysteminformation (zwQuerySystemInformation). Of course, you don't want to look at such a function, but it provides us with rich system information, as well as control and settings for certain information. The following is the prototype of this function:
typedef NTSTATUS (__stdcall * NTQUERYSYSTEMINFORMATION) (IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL); NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; which you can see, SystemInformationClass is a type of information, it probably offers more than 50 kinds of information, That is, we can detect or set up approximately more than 50 system information through this function. SystemInformation is a LPVOID type pointer that provides us with information you need, or system information we need to set. SystemInformationLength is the length of SystemInformation, which is determined based on the type of detection. As for ReturnLength, the length of the need returned by the system is typically set to a null pointer (NULL).
First, let's take a look at everyone's familiar system process / thread-related information. This topic has been discussed online for many years, so I am not talking about the old life, huh, huh. Then put forward this definition of this structure:
typedef struct _SYSTEM_PROCESSES {ULONG NextEntryDelta; // offset configuration of the structural sequence; ULONG ThreadCount; // number of threads; ULONG Reserved1 [6]; LARGE_INTEGER CreateTime; // creation time; LARGE_INTEGER UserTime; // user mode (Ring 3) CPU time; LARGE_INTEGER KERNELTIME; // Kernel mode (RING 0) CPU time; unicode_string processname; // process name; kpriority basepriority; // process priority; ulong processID; // process identifier; ulong inheritedFromProcessID; // The identifier of the parent; Ulong Handlecount; // handle number; ulong reserved2 [2]; vm_counters vmcounters; // virtual memory structure, see below; IO_COUNTERS IOCOUNTERS; // IO count structure, see below; system_threads threads [1] ; // array of structures related to the process threads, see below;} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES; typedef struct _SYSTEM_THREADS {LARGE_INTEGER KernelTime; // CPU kernel mode time; LARGE_INTEGER UserTime; // CPU user mode time; LARGE_INTEGER CreateTime; // Thread creation time; ulong waittime; // Waiting time; pvoid startaddress; // thread starts in virtual address; client_id clientID; // thread identifier; kpriority priority; // thread priority; KPRIORITY BASEPRIRITY; / / Basic priority Ulong contextswitchcount; // Environmental switching number; thread_state state; // current state; kwait_reason waitreason; // Waiting for the reason;} system_threads, * p SYSTEM_THREADS; typedef struct _VM_COUNTERS {ULONG PeakVirtualSize; // virtual storage peak magnitude; ULONG VirtualSize; // virtual storage size; ULONG PageFaultCount; // number of page faults; ULONG PeakWorkingSetSize; // peak working set size; ULONG WorkingSetSize; // Working set size; ULONG QuotaPeakPagedPoolUsage; // paged pool usage quotas peak; ULONG QuotaPagedPoolUsage; // paged pool usage quotas; ULONG QuotaPeakNonPagedPoolUsage; // nonpaged pool usage quota peak; ULONG QuotaNonPagedPoolUsage; // nonpaged pool usage quota; ULONG PagefileUsage; // Page file usage; ulong peakpagefileusage; // page file uses peak;} vm_counters, * pvm_counters;
typedef struct _IO_COUNTERS {LARGE_INTEGER ReadOperationCount; // I / read operation number O; LARGE_INTEGER WriteOperationCount; // I / O number of write operations; LARGE_INTEGER OtherOperationCount; other number of operations // I / O; LARGE_INTEGER ReadTransferCount; // I / O read data Number; LARGE_INTEGER WRITRANSFERCOUNT; // I / O write data number; Large_integer OtHERTRANSFERCOUNT; // I / O number of other operations data;}} IO_COUNTERS, * PIO_COUNTERS; The above information should be comparable, in Win32 API, provide us The way PSAPI (process status) and Toolhelp32 are used in the way of detecting system processes / thread information, they support them in Windows2K / XP / 2003. Now let's take a look at the performance information of the system, the performance structure system_performance_information provides us with more than 70 system performance information, it is too rich, please feel slowly ~
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {LARGE_INTEGER IdleTime; // CPU idle time; LARGE_INTEGER ReadTransferCount; // I / read operation number O; LARGE_INTEGER WriteTransferCount; // I / O number of write operations; LARGE_INTEGER OtherTransferCount; other number of operations // I / O; ULONG ReadOperationCount; // I / O read data; Ulong WriteOperationCount; // I / O write data number; Ulong OtherOperationCount; // I / O Other operational data number; ulong availablepages; // Number of pages available; Ulong TotalcommittedPages ; / / A total of pages in a total; Ulong TotalcommitLimit; // The number of pages has been submitted; ulong peakcommitment; // Submit peak; ulong PageFaults; // Page Fault Number; Ulong Writecopy Faults; // Copy-ON-WRITE Fault Number Ulong TransitionFaults; // Soft Page Fault Number; Ulong Reserved1; Ulong Demandzerofaults; // Requirements 0 Fault Number; Ulong PageSread; // Read Number; Ulong PageReadios; // Read I / O Operation; Ulong Reserved2 2]; Ulong PageFilePagesWritten; // Has written file pages; Ulong PageFilePageWriteios; // Has written file operand; ulong mappedfilepagesWritten; // Have written map file page number; ulong mappedfilewriteios; // written map file operand Ulong pagedpoolusage; // Sub-pane pool use; Ulong NonPoolusage; // Non-paging pool use; Ulong PagedPoolAlocs; // Sub-paneling allocation; ulong pagedpoolfrees; // Sub-paneling pool release Ulong nonpagedpoolocs; // Non-paging pool allocation; ulong nonpagedpoolfress; // Non-paging pool release situation; Ulong TotalFreesystemptes; // System page table item release total number; ulong systemcode; // Operating system code page number; Ulong TotalsystemDriverpages; / / driver pageable pages; ULONG TotalSystemCodePages; // number of operating system code page; ULONG SmallNonPagedLookasideListAllocateHits; // allocate a small number of non-paged list side; ULONG SmallPagedLookasideListAllocateHits; // allocate a small number of list tab side; ULONG Reserved3; ULONG MMSystemCachePage; // System cache page; Ulong PagedPoolPage; // Sub-page pool page number; Ulong SystemDriver; // can be paid to the number of pages; ulong fastreadnowait;
// Asynchronous fast reading; ulong fastvewait; // Synchronize fast reading; ulong fastreadresourcemiss; // Quick read resource conflict; ulong fastNotpossible; // Quick read failure; ulong fastmdlreadnowait; // Asynchronous MDL Quick reading; ulong Fastmdlreadwait; // Synchronous MDL quick reading; Ulong fastmdlreadResourceMiss; // MDL read resource conflict number; Ulong fastmdlreadnotpossible; // MDL read failure; ulong mapdatanowait; // Asynchronous mapping data; // Synchronize mapping data number Ulong mapDataNowaitmiss; // Asynchronous mapping data conflict; Ulong MapdataWaitmiss; // Synchronous map data conflict; ulong pinMappedDataCount; // Touch the number of map data; Ulong PinreadNowait; // Touching asynchronous reading; Ulong PinReadwait; // Touch synchronization Reading; Ulong PinreadNowaitmiss; // Touch the number of asynchronous readings; Ulong PinReadwaitmiss; // Touching the number of simultaneous readings; ulong copyreadnowait; // Asynchronous copy Reading; ulong copyreadwait; // Ulong CopyReadnowaitmiss; Ulong CopyReadnowaitmiss; Asynchronous copy reading fault times; ulong copyreadwaitmiss; // Synchronous copy reading fault; ulong mdlreadnowait; // Asynchronous MDL reading; ulong mdlreadwait; // Synchronous MDL Reading; Ulong MDLReadwaitmiss; Ulong MDLReadwaitmiss ; // Synchronize MDL reading fault times; ulong readaheadios; // to read the number of operations; Ulong lazywriteios; // Lazy Write the number of writes; Ulong lazywritepages; // Lazy write file number; ulong dataflushes; // Cache Refresh Number; Ulong DataPages; // Cache refresh page number; Ulong ContextSwitches; // Environmental switching number; ulong firstleveltbfills; // First layer buffer fill; Ulong SecondlevelTbfills; // Second layer buffer fill; ulong systemcall; // System call times;} system_performance_information, * psystem_performance_information; now see the system processor supplied by SYSTEM_PROCESSOR_TIMES, including the use time and interrupts in various cases:
typedef struct __SYSTEM_PROCESSOR_TIMES {LARGE_INTEGER IdleTime; // idle time; LARGE_INTEGER KernelTime; // Kernel mode time; LARGE_INTEGER UserTime; // user mode time; LARGE_INTEGER DpcTime; // deferred procedure call time; LARGE_INTEGER InterruptTime; // interrupt time; ULONG InterruptCount ; // number of interruptions;} SYSTEM_PROCESSOR_TIMES, * PSYSTEM_PROCESSOR_TIMES; usage page document, SYSTEM_PAGEFILE_INFORMATION provide the required information: typedef struct _SYSTEM_PAGEFILE_INFORMATION {ULONG NetxEntryOffset; // offset to the next structure; ULONG CurrentSize; // current Page file size; ulong totalused; // Currently used page file number; ulong peakused; // Currently used page file peak number; unicode_string filename; // page file file name;} system_pagefile_information, * psystem_pagefile_information; system cache See the information provided by SYSTEM_CACHE_INFORMATION:
typedef struct _SYSTEM_CACHE_INFORMATION {ULONG SystemCacheWsSize; // cache size; ULONG SystemCacheWsPeakSize; // cache peak magnitude; ULONG SystemCacheWsFaults; cache page number of failures //; ULONG SystemCacheWsMinimum; // cache minimum page size; ULONG SystemCacheWsMaximum; // Cache maximum page size; Ulong TransitionsharedPages; // Shared page number; Ulong TransitionsharedPagespeak; // Shared page peak number; ulong reserved [2];} system_cache_information, * psystem_cache_information; appendix: (all full source code, you can go to us FZ5FZ homepage download).
1.T-PMList's header file source code:
#ifndef T_PMLIST_H #define T_PMLIST_H #include
typedef struct _SYSTEM_THREADS {LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientId; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; THREAD_STATE State; KWAIT_REASON WaitReason;} SYSTEM_THREADS, * PSYSTEM_THREADS; typedef struct _SYSTEM_PROCESSES {ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved1 [6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2 [2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; SYSTEM_THREADS Threads [1] ;} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES; typedef DWORD SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (__stdcall * NTQUERYSYSTEMINFORMATION) (IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL); NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; DWORD EnumProcess () {PSYSTEM_PROCESSES p SystemProc; HMODULE hNtDll = NULL; LPVOID lpSystemInfo = NULL; DWORD dwNumberBytes = MAX_INFO_BUF_LEN; DWORD dwTotalProcess = 0; DWORD dwReturnLength; NTSTATUS Status; LONGLONG llTempTime; __try {hNtDll = LoadLibrary ( "NtDll.dll"); if (hNtDll == NULL ) {printf ( "LoadLibrary Error:% d / n", GetLastError ()); __leave;} NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) {printf ( "GetProcAddress for NtQuerySystemInformation Error:% D / N ", getLastError ()); __leave;} lpsysteminfo = (lpvoid) Malloc (dwnumberbytes); status =
NtQuerySystemInformation (NT_PROCESSTHREAD_INFO, lpSystemInfo, dwNumberBytes, & dwReturnLength); if (Status == STATUS_INFO_LENGTH_MISMATCH) {printf ( "STATUS_INFO_LENGTH_MISMATCH / n"); __leave;} else if (Status = STATUS_SUCCESS!) {Printf ( "NtQuerySystemInformation Error:% d / n ", GetLastError ()); __leave;} Printf ("% - 20S% 6S% 7S% 8S / N "," ProcessName "," PID "," PPID "," WSSIZE ", "PRIO.", "Thread", "Handle", "CPU Time"); Printf ("-------------------------------------------------------------------------------------------------------------------------- ---------------------------------------- / n ") ; pSystemProc = (PSYSTEM_PROCESSES) lpSystemInfo; while (! pSystemProc-> NextEntryDelta = 0) {if (! pSystemProc-> ProcessId = 0) {wprintf (L "% - 20s", pSystemProc-> ProcessName.Buffer);} else { WPrintf (L "% - 20s", l "system idle process");} printf ("% 6d", psystemproc-> processid; printf ("% 7d", psystemproc-> inheritedFromProcessID); Printf ("% 7dk" , psystemproc-> vmcounters.workingsetsize / 1024); Printf ("% 6d", psystemproc-> basepriority); Printf ("% 7d", psystemproc-> threadcount); Printf ("% 7d", psystemproc-> handlecount);llTempTime = pSystemProc-> KernelTime.QuadPart pSystemProc-> UserTime.QuadPart; llTempTime / = 10000; printf ( "% 3d:", llTempTime / (60 * 60 * 1000)); llTempTime% = 60 * 60 * 1000; printf ("% .2d:", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D.", Lltemptime / 1000); lltemptime% = 1000; printf ("%. 3d" , lltemptime; printf ("/ n"); dwtotalprocess ; psystemproc = (psystem_processes) ((char *) psystemproc psystemproc-> nextentryDelta);
Printf ("------------------------------------------------------------------------------------------ -------------------------- / n "); Printf (" / NTOTAL% D Process (es)! / n / n " , DWTOTALPROCESS; Printf ("PID / T ==> Process Identification / N"); Printf ("PPID / T ==> Parent Process Identification / N"); Printf ("WSSIZE / T ==> Working Set Size) N "); Printf (" prio./t ==> base priority / n "); Printf (" Thread / T ==> Thread Count / N "); Printf (" Handle / T ==> Handle Count / N "); Printf (" CPU Time ==> Processor Time / N ");} __final all {i (lpsysteminfo! = null) {free (lpsysteminfo);} if (hntdll! = null) {freeelibrary (hntdll);}} return 0;} DWORD SpeciProcess (DWORD dwPID) {PSYSTEM_PROCESSES pSystemProc = NULL; PSYSTEM_THREADS pSystemThre = NULL; HMODULE hNtDll = NULL; LPVOID lpSystemInfo = NULL; DWORD dwNumberBytes = MAX_INFO_BUF_LEN; DWORD dwTotalProcess = 0; DWORD dwReturnLength; NTSTATUS Status; LONGLONG llTempTime; Ulong Ulindex; __Try {hntdll = loadingLibrary ("ntdll.dll"); if (hntdll == null) {printf ("LoadLibrary Error:% D / N", getLastError ()); __leave;} ntquerys ystemInformation = (NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) {printf ( "GetProcAddress for NtQuerySystemInformation Error:% d / n", GetLastError ()); __leave;} lpSystemInfo = (LPVOID) malloc (dwNumberBytes); Status = NtQuerySystemInformation (NT_PROCESSTHREAD_INFO, lpSystemInfo, dwNumberBytes, & dwReturnLength); if (Status == STATUS_INFO_LENGTH_MISMATCH) {printf ( "STATUS_INFO_LENGTH_MISMATCH / n"); __leave;
} Else if (Status = STATUS_SUCCESS!) {Printf ( "NtQuerySystemInformation Error:% d / n", GetLastError ()); __leave;} pSystemProc = (PSYSTEM_PROCESSES) lpSystemInfo; while (! PSystemProc-> NextEntryDelta = 0) {if ( psystemproc-> processid == dwpid) {printf ("processname: / t / t"); if (psystemproc-> processid! = 0) {WPRINTF (L "% - 20s / n", psystemproc-> processname.buffer) } else {WPRINTF (L "% - 20s / n", l "system idle process");} Printf ("Processid: / T% D / T / T / T / T", psystemproc-> processid; printf (" ParentProcessid: / T% D / N ", psystemproc-> inheritedFromProcessID); Printf (" kernelTime: / t / t "); lltemptime = psystemproc-> kerneltime.quadpart; lltemptime / = 10000; printf ("% d: ", LLTemptime / (60 * 60 * 1000); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D:", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D. ", Lltemptime / 1000; lltemptime% = 1000; Printf ("%. 3D / t ", lltemptime; printf (" useertime: / t / t "); lltemptime = psystemproc-> user.quadpart; lltemptime / = 10000; Printf ("% d:", lltemptime / (60 * 60 * 1000)); lltemptime% = 60 * 60 * 1000; Prin TF ("%. 2D:", LLTemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D.", lltemptime / 1000); lltemptime% = 1000; printf ("%. 3d) / N ", lltemptime); Printf (" Privilege: / T %% / T / T / T ", (psystemproc-> kerneltime.quadpart * 100) / (psystemproc-> kerneltime.quadpart psystemproc-> useertime. Quadpart); Printf ("User: / T / T %%% / N", (psystemproc-> usertime.quadpart * 100) / (psystemproc-> kerneltime.quadpart psystemproc-> useertime.quadpart)) PRINTF ("ThreadCount: / T% D / T / T", psystemproc->
Threadcount); Printf ("Handlecount: / T% D / N", psystemproc-> handlecount; Printf ("BasePriority: / T% -2D / T / T", psystemproc-> basepriority; printf "PageFaultCount: / T% D / N / N", psystemproc-> vmcounters.pagefaultcount; Printf ("PeakworkingsetSize (K): / T% -8D / T", psystemproc-> vmcounters.peakworkingsetsize / 1024); Printf ("WorkingSetsize (K): / T% -8D / N", psystemproc-> vmcounters.workingsetsize / 1024); Printf ("PeakPagedPool (K): / T% -8D / t", psystemproc-> vmcounters.quotapeakPagedPoolusage / 1024); Printf ("PageDPool (K): / T / T% -8D / N", psystemproc-> vmcounters.quotapagedpoolusage / 1024); Printf ("PeaknonPagedPook (K): / T% -8D / t", pSystemProc-> VmCounters.QuotaPeakNonPagedPoolUsage / 1024); printf ( "NonePagedPook (K): / t% -8d / n", pSystemProc-> VmCounters.QuotaNonPagedPoolUsage / 1024); printf ( "PeakPagefile (K): / t% -8d /T", psystemProc- anddvmcounters.peakpagefileusage/1024); Printf ("PageFile (K): / T% -8D / N", psystemproc-> vmcounters.pagefileusage / 1024); Printf ("PeakVirtualsize (K) : / T% -8d / t ", psystemproc-> vmcounters.peakvirtualsize / 1024); Printf (" V IRTUALSIZE (K): / T / T% -8D / N / N ", psystemproc-> vmcounters.virtualsize / 1024); Printf (" ReadTransfer: / T% -8D / T ", psystemproc-> Iocounters.ReadTransferCount ); Printf ("ReadOperationCount: / T% -8D / N", psystemproc-> ocounts.readoperationcount); Printf ("WRITETRANSFER: / T% -8D / T", psystemproc-> ocounters.writetransfercount); Printf "WriteOperationCount: / t% -8d / n", pSystemProc-> IoCounters.WriteOperationCount); printf ( "OtherTransfer: / t / t% -8d / t", pSystemProc-> IoCounters.OtherTransferCount); printf ( "OtherOperationCount: / T% -8d / n / n ", psystemproc->
Iocounters.otheroperationcount; Printf ("% - 5S% 3S% 4S% 5S% 5S% 11S% 12S% 12S% 7S% 6S% 9S / N", "TID", "PRI", "BPR", "Priv" , "User", "KernelTime", "UserTime", "Startaddr", "CSwitc", "State", "WTREASON"); Printf ("--------------- -------------------------------------------------- ---------- / N "); for (ulindex = 0; ulindex
printf ( "0x% .8X", pSystemProc-> Threads [ulIndex] .StartAddress); printf ( "% 7d", pSystemProc-> Threads [ulIndex] .ContextSwitchCount); switch (pSystemProc-> Threads [ulIndex] .State) {Case StateInitialized: Printf ("% 6s", "init."); Break; Case StateReady: Printf ("% 6s", "Ready"); Break; Case Staterunning: Printf ("% 6s", "run") Break; Case Statestandby: Printf ("% 6s", "stby."); Break; Case Stateterminated: Printf ("% 6s", "Term."); Break; Case StateWait: Printf ("% 6s", " Wait "); Break; Case StateTransition: Printf ("% 6s "," TRAN. "); Break; Case StateunkNown: Printf ("% 6s "," unkn. "); Break; default: printf ("% 6s " "Unkn."); Break;} switch (psystemproc-> threads [ulindex] .waitreason) {CASE EXECUTIVE: Printf ("% -8s", "executi."); Break; Case FreePage: Printf ("%) 8S "," FreePag. "); Break; Case Pagein: Printf ("% -8s "," pagein "); Break; Case Poolocation: Printf ("% -8s "," poolall. "); Break; Case DelayExecution : Printf ("% -8s", "delayex."); Break; Case suspended: Printf ("% -8s", "suspend."); Break; Case UserRequest: Printf ("% -8s" , "UserReq."); Break; Case Wrexecutive: Printf ("% -8s", "Wrexect."); Break; Case WRFreePage: Printf ("% -8s", "WRFREPG."); Break; Case WRPAGEIN: Printf ("% -8s", "wrpagein"); Break; Case WrpoolAlocation: Printf ("% -8s", "wrpoola."); Break; Case Wrsuspended: Printf ("% -8s", "wrsuspe.") Break; Case WruserRequest: Printf ("% -8s", "WrusReq."); Break;
Case WreventPair: Printf ("% -8s", "Wrevent."); Break; Case WRQUE: Printf ("% -8s", "wrqueue"); Break; Case WRLPCRECE: Printf ("% -8s", "WRLPCRV Break; Case WRLPCReply: Printf ("% -8s", "WRLPCRP."); Break; Case WrvertualMemory: Printf ("% -8s", "Wrvermm."); Break; Case WrPageout: Printf (" % -8s "," WRPGOUT. "); Break; Case Wrrendezvous: Printf ("% -8s "," WRRENDE. "); Break; Case Wrkernel: Printf ("% -8s "," WRkernel "); Break; Default: Printf ("% -8s", "unknown"); Break;} printf ("/ n");} printf ("-------------------------------------------------------------------------------------- -------------------------------------------------- ------- / n / n "); Printf (" Total% D Thread (S)! / n / n ", ulindex; dwtotalprocess ; break;} psystemproc = (psystem_processes) ((( Char *) psystemproc psystemproc-> nextenTryDelta);}} __finally {if (dwtotalprocess == 0) {Printf ("Could Not Found T% D Process! / N", DWPID);} else {printf ("TID: / T / t ====> / TTHREAD IDENTIFICATION / N "); Printf (" PRI: / T / T =====> / TPRIORITY / N "); Printf (" BPR: / T / T ========================================================================================================================================= > / TBASE priority / N "); Printf (" priv: / t / t ====> / tprivilege / n "); Printf (" STARTADDR: / T =====> / TTHREAD START Address / N "); Printf (" CSwitc: / t / t ====> / tcontext switch count / n "); Printf (" WTREASON: / T =====> / TWAIT REASON / N ");} if (lpsysteminfo! = Null) {free (lpsysteminfo);} if (hntdll! = Null) {freeelibrary (hntdll);}} return 0; } Void start () {Printf ("T-PMLIST, BY TOO2Y / N"); Printf ("e-mail: TOO2Y @
SafeChina.Net/N "); Printf (" HomePage: www.safechina.net/n "); Printf (" Date: 05-10-2003 / N / N "); Return;} void usage () {printf "USAGE: / TT-PMLIST [-E] | [-S PID] / N"); Printf ("-e / t enumerate all processes / n"); Printf ("-s Pid Show Special Process Information INFORMATION with PID / n / n "); return;} #endif 2.T-PMPerf header file source code: #ifndef T_PMPERF_H #define T_PMPERF_H #include" windows.h "#include" stdio.h "#define SYSTEM_PERF_INFO 0x02 #define SYSTEM_PROC_TIME 0x08 #define SYSTEM_PAGE_INFO 0x12 #define SYSTEM_CACHE_INFO 0x15 #define MAX_INFO_BUF_LEN 0x500000 #define STATUS_SUCCESS ((NTSTATUS) 0x00000000L) typedef LONG NTSTATUS; typedef DWORD SYSTEM_INFORMATION_CLASS; typedef struct _LSA_UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer;} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING; typedef LSA_UNICODE_STRING Unicode_string, * punicode_string; typedef struct _system_performance_information {large_integer idletime; large_integer readtransfercount; large_integer ostransfercount; large_integer ot erTransferCount; ULONG ReadOperationCount; ULONG WriteOperationCount; ULONG OtherOperationCount; ULONG AvailablePages; ULONG TotalCommittedPages; ULONG TotalCommitLimit; ULONG PeakCommitment; ULONG PageFaults; ULONG WriteCopyFaults; ULONG TransitionFaults; ULONG Reserved1; ULONG DemandZeroFaults; ULONG PagesRead; ULONG PageReadIos; ULONG Reserved2 [2]; ULONG PagefilePagesWritten; ULONG PagefilePageWriteIos; ULONG MappedFilePagesWritten; ULONG MappedFileWriteIos; ULONG PagedPoolUsage; ULONG NonPagedPoolUsage; ULONG PagedPoolAllocs; ULONG PagedPoolFrees; ULONG NonPagedPoolAllocs; ULONG NonPagedPoolFress; ULONG TotalFreeSystemPtes; ULONG SystemCodePage;
ULONG TotalSystemDriverPages; ULONG TotalSystemCodePages; ULONG SmallNonPagedLookasideListAllocateHits; ULONG SmallPagedLookasideListAllocateHits; ULONG Reserved3; ULONG MmSystemCachePage; ULONG PagedPoolPage; ULONG SystemDriverPage; ULONG FastReadNoWait; ULONG FastReadWait; ULONG FastReadResourceMiss; ULONG FastReadNotPossible; ULONG FastMdlReadNoWait; ULONG FastMdlReadWait; ULONG FastMdlReadResourceMiss; ULONG FastMdlReadNotPossible; ULONG MapDataNoWait ; ULONG MapDataWait; ULONG MapDataNoWaitMiss; ULONG MapDataWaitMiss; ULONG PinMappedDataCount; ULONG PinReadNoWait; ULONG PinReadWait; ULONG PinReadNoWaitMiss; ULONG PinReadWaitMiss; ULONG CopyReadNoWait; ULONG CopyReadWait; ULONG CopyReadNoWaitMiss; ULONG CopyReadWaitMiss; ULONG MdlReadNoWait; ULONG MdlReadWait; ULONG MdlReadNoWaitMiss; ULONG MdlReadWaitMiss; ULONG Readaheadios; Ulong lazywriteios; Ulong lazywritepages; Ulong DataFlushes; Ulong CONTEXTSWITCHES; ULONG FIRSTLEVELTBFILLS; Ulong SecondleVeltbfills; ulong SystemCall;} SYSTEM_PERFORMANCE_INFORMATION, * PSYSTEM_PERFORMANCE_INFORMATION; typedef struct __SYSTEM_PROCESSOR_TIMES {LARGE_INTEGER IdleTime; LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER DpcTime; LARGE_INTEGER InterruptTime; ULONG InterruptCount;} SYSTEM_PROCESSOR_TIMES, * PSYSTEM_PROCESSOR_TIMES; typedef struct _SYSTEM_PAGEFILE_INFORMATION {ULONG NetxEntryOffset; ULONG CurrentSize; ULONG TotalUsed; ULONG PeakUsed; UNICODE_STRING FileName;} SYSTEM_PAGEFILE_INFORMATION, * PSYSTEM_PAGEFILE_INFORMATION; typedef struct _SYSTEM_CACHE_INFORMATION {ULONG SystemCacheWsSize; ULONG SystemCacheWsPeakSize; ULONG SystemCacheWsFaults; ULONG SystemCacheWsMinimum; ULONG SystemCacheWsMaximum; ULONG TransitionSharedPages;
ULONG TransitionSharedPagesPeak; ULONG Reserved [2];} SYSTEM_CACHE_INFORMATION, * PSYSTEM_CACHE_INFORMATION; typedef NTSTATUS (__stdcall * NTQUERYSYSTEMINFORMATION) (IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, INT ULONG, OUT PULONG OPTION); NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; DWORD PerfInfo () {SYSTEM_PERFORMANCE_INFORMATION SystemPerfInfo; HMODULE hNtDll = NULL; DWORD dwNumberBytes; DWORD dwReturnLength; NTSTATUS Status; LONGLONG llTempTime; __try {hNtDll = LoadLibrary ( "ntDll.dll"); if (hNtDll == NULL) {printf ( "LoadLibrary Error:% d / n", GetLastError ()); __leave;} NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) {printf ( "GetProcAddress for NtQuerySystemInformation Error:% d / n", GetLastError ()); __leave; } dwNumberBytes = sizeof (SYSTEM_PERFORMANCE_INFORMATION); Status = NtQuerySystemInformation (SYSTEM_PERF_INFO, & SystemPerfInfo, dwNumberBytes, & dwReturnLength);! if (Status = STATUS_SUC CESS) {printf ( "NtQuerySystemInformation for Performance Error:% d / n", GetLastError ()); __leave;} printf ( "IdleTime: / t / t"); llTempTime = SystemPerfInfo.IdleTime.QuadPart; llTempTime / = 10000; Printf ("% D:", lltemptime / (60 * 60 * 1000)); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D:", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D.", Lltemptime / 1000); lltemptime% = 1000; printf ("%. 3D / n", lltemptime); Printf ("ReadOperationCount: / T% -10D / T", SystemPerfinfo .ReadOperationcount; Printf ("ReadTransferCount: / T% D / N", SystemPerfinfo.readTransferCount; Printf ("
WriteOperationCount: / t% -10d / t ", SystemPerfInfo.WriteOperationCount); printf (" WriteTransferCount: / t% d / n ", SystemPerfInfo.WriteTransferCount); printf (" OtherOperationCount: / t% -10d / t ", SystemPerfInfo. OtherOperationCount); printf ( "OtherTransferCount: / t% d / n", SystemPerfInfo.OtherTransferCount); printf ( "AvailablePages: / t / t% -10d / t", SystemPerfInfo.AvailablePages); printf ( "TotalCommittedPage: / t% D / N ", systemperfinfo.totalcommittedpages); Printf (" Commitlimit: / T% -10D / T ", SystemPerfinfo.totalcommitLimit; Printf (" peakcommit: / t / t% d / n ", systemperfinfo.pecommitment) PRINTF ("Pagefault: / T% -10d / T", SystemPerfinfo.pagefaults; Printf ("WritecopyFault: / T% D / N", SystemPerfinfo.writecopyFaults; Printf ("TransitionFault: / t% -10D / t ", SystemPerfinfo.TransitionFaults; Printf (" Demandzerofault: / T% D / N ", SystemPerfinfo.demandzerofaults; Printf (" PageSread: / T% -10D / T ", SystemPerfinfo.pageSread; Printf ("PageReadios: / T% D / N", SystemPerfinfo.pageReadios; Printf ("Pageswritten: / T% -10D / T", SystemPerfinfo.pageFilepageswri tten); printf ( "PageWriteIos: / t / t% d / n", SystemPerfInfo.PagefilePageWriteIos); printf ( "MappedFilePagesWritten: / t% -10d / t", SystemPerfInfo.MappedFilePagesWritten); printf ( "MappedFileWriteIos: / t% d / n ", SystemPerfInfo.MappedFileWriteIos); printf (" PagedPoolUsage: / t / t% -10d / t ", SystemPerfInfo.PagedPoolUsage); printf (" NonPagedPoolUsage: / t% d / n ", SystemPerfInfo.NonPagedPoolUsage); printf ( "PagedPoolAllocs: / t% -10d / t", SystemPerfInfo.PagedPoolAllocs); printf ( "NonPagedPoolAllocs: / t% d / n", SystemPerfInfo.NonPagedPoolAllocs); printf ( "PagedPoolFrees: / t / t% -10d / t "
, SystemPerfInfo.PagedPoolFrees); printf ( "NonPagedPoolFrees: / t% d / n", SystemPerfInfo.NonPagedPoolFress); printf ( "SystemCodePage: / t / t% -10d / t", SystemPerfInfo.SystemCodePage); printf ( "TotalSystemCodePage: /t%d/n",SystemPerfInfo.TotalSystemCodePages); printf ( "TotalFreeSysPTE: / t% -10d / t", SystemPerfInfo.TotalFreeSystemPtes); printf ( "TotalSystemDriverPages: / t% d / n", SystemPerfInfo.TotalSystemDriverPages); Printf ("PageDPoolPage: / T% -10D / T", SystemPerfinfo.PagedPoolpage); Printf ("SystemDriverPage: / T% D / N", SystemPerfinfo.systemDriverPage); Printf ("FastReadwait: / t / t% - 10d / t ", SystemPerfInfo.FastReadWait); printf (" FastReadNoWait: / t / t% d / n ", SystemPerfInfo.FastReadNoWait); printf (" FastReadNoPossible: / t% -10d / t ", SystemPerfInfo.FastReadNotPossible); printf ( "FastReadResourceMiss: / t% d / n", SystemPerfInfo.FastReadResourceMiss); printf ( "FastMdlReadWait: / t% -10d / t", SystemPerfInfo.FastMdlReadWait); printf ( "FastMdlReadNoWait: / t% d / n", SystemPerfInfo .Fastmdlreadnowait; Printf ("fastmdlreadnotpossible: / t% -10d / t", SystemPerfinfo .FastMdlReadNotPossible); printf ( "FastMdlReadResourceMiss:% d / n", SystemPerfInfo.FastMdlReadResourceMiss); printf ( "MapDataWait: / t / t% -10d / t", SystemPerfInfo.MapDataWait); printf ( "MapDataNoWait: / t / t % d / n ", SystemPerfInfo.MapDataNoWait); printf (" MapDataWaitMiss: / t% -10d / t ", SystemPerfInfo.MapDataWaitMiss); printf (" MapDataNoWaitMiss: / t% d / n ", SystemPerfInfo.MapDataNoWaitMiss); printf ( "Readaheadios: / T / T% -10D / T", SystemPerfinfo.readaheadios; Printf ("PinmappedDataCount: / T% D / N", SystemPerfinfo.pinmappedDataCount; Printf ("PinReadwait: / t / t% -10d / t ", systemperfinfo.pinreadwait);
Printf ("PinreadNowait: / T% D / N", SystemPerfinfo.pinreadNowait; Printf ("PinReadwaitmiss: / T% -10D / T", SystemPerfinfo.pinreadwaitmiss); Printf ("PinReadNowaitmiss: / T% D / N ", SystemPerfInfo.PinReadNoWaitMiss); printf (" CopyReadWait: / t / t% -10d / t ", SystemPerfInfo.CopyReadWait); printf (" CopyReadNoWait: / t / t% d / n ", SystemPerfInfo.CopyReadNoWait); printf ( "CopyReadWaitMiss: / t% -10d / t", SystemPerfInfo.CopyReadWaitMiss); printf ( "CopyReadNoWaitMiss: / t% -10d / n", SystemPerfInfo.CopyReadNoWaitMiss); printf ( "MdlReadWait: / t / t% -10d / t ", SystemPerfInfo.MdlReadWait); printf (" MdlReadNoWait: / t / t% d / n ", SystemPerfInfo.MdlReadNoWait); printf (" MdlReadWaitMiss: / t% -10d / t ", SystemPerfInfo.MdlReadWaitMiss); printf (" MdlReadNoWaitMiss : / T% D / N ", SystemPerfinfo.mdlreadnowaitmiss; Printf (" LazyWriteios: / T% -10D / T ", SystemPerfinfo.lazywriteios; Printf (" LazyWritePages: / T / T% D / N ", Systemperfinfo.lazywritepages); Printf ("DataPages: / T% -10D / T", SystemPerfinfo.dataPages); Printf ("DataFlushes: / T% D / N", SystemPerfinfo.dataFlushes; Printf ("Firstfelt) bFills: / t% -10d / t ", SystemPerfInfo.FirstLevelTbFills); printf (" SecondLevelTbFills: / t% d / n ", SystemPerfInfo.SecondLevelTbFills); printf (" ContextSwitches: / t% -10d / t ", SystemPerfInfo. ContextSwitches); printf ( "SytemCall: / t / t% d / n", SystemPerfInfo.SystemCall); printf ( "MemorySystemCachePage: / t / t / t% d / n", SystemPerfInfo.MmSystemCachePage); printf ( "SmallPagedLookasideListAllocateHits: /t%d/n",SystemPerfInfo.SmallPagedLookasideListAllocateHits); printf ( "SmallNonPagedLookasideListAllocateHits: / t% d / n", SystemPerfInfo.SmallNonPagedLookasideListAllocateHits);} __finally {if (hNtDll =!
NULL) {FreeLibrary (hNtDll);}} return 0;} DWORD ProcTime () {SYSTEM_PROCESSOR_TIMES SystemProcTime; HMODULE hNtDll = NULL; DWORD dwNumberBytes; DWORD dwReturnLength; NTSTATUS Status; LONGLONG llTempTime; __try {hNtDll = LoadLibrary ( "NtDll.dll" ); if (hNtDll == NULL) {printf ( "LoadLibrary Error:% d / n", GetLastError ()); __leave;} NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL ) {printf ( "GetProcAddress for NtQuerySystemInformation Error:% d / n", GetLastError ()); __leave;} dwNumberBytes = sizeof (SYSTEM_PROCESSOR_TIMES); NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) {printf ( "GetProcAddress Error:% d / n", GetLastError ()); __leave;}! Status = NtQuerySystemInformation (SYSTEM_PROC_TIME, & SystemProcTime, dwNumberBytes, & dwReturnLength); if (Status = STATUS_SUCCESS) {printf ( "NtQuerySystemInformation for Process Or Time Error:% D / N ", getLastError ()); __leave;} Printf (" iDletime: / t / t "); lltemptime = systemPROctime.idletime.quadpart; lltemptime / = 10000; printf ("% D: " , lltemptime / (60 * 60 * 1000)); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D:", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%% .2d. ", Lltemptime / 1000; lltemptime% = 1000; Printf ("%. 3D / N ", lltemptime); Printf (" kernelTime: / t / t "); lltemptime = systemPROctime.kerneltime.quadpart; lltemptime / = 10000; Printf ("% D:", LLTemptime / (60 * 60 * 1000)); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D:"
, lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D.", lltemptime / 1000); lltemptime% = 1000; Printf ("%. 3D / n", lltemptime; printf ("Useertime: / t / t"); lltemptime = systemPROctime.usertime.quadpart; lltemptime / = 10000; Printf ("% D:", lltemptime / (60 * 60 * 1000)); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D:", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D.", Lltemptime / 1000); lltemptime% = 1000; printf ("% .3D / N ", lltemptime); Printf (" DPCTIME: / T / T / T "); lltemptime = systemPROctime.dpctime.quadpart; lltemptime / = 10000; Printf ("% d: ", lltemptime / (60 * 60 * 1000 )); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D:", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf ("%. 2D.", lltemptime / 1000) Lltemptime% = 1000; Printf ("%. 3D / N", lltemptime); Printf ("InterruptTime: / T / T"); lltemptime = systemProctime.Interrupttime.quadpart; lltemptime / = 10000; Printf ("% D: ", lltemptime / (60 * 60 * 1000); lltemptime% = 60 * 60 * 1000; Printf ("%. 2D: ", lltemptime / (60 * 1000)); lltemptime% = 60 * 1000; Printf (" % .2d. ", Lltemptime / 1000); lltemptim E% = 1000; Printf ("%. 3D / N", lltemptime); Printf ("InterruptCount: / T% D / N", SystemProctime.InterruptCount;} __finally {if (HNTDLL! = null) {freeelibrary (hNtDll);}} return 0;} DWORD PagefileInfo () {PSYSTEM_PAGEFILE_INFORMATION pSystemPagefileInfo; PVOID pBuffer; HMODULE hNtDll = NULL; DWORD dwNumberBytes; DWORD dwReturnLength; NTSTATUS Status; __try {hNtDll = LoadLibrary ( "ntDll.dll"); if ( HNTDLL == NULL) {Printf ("LoadLibrary Error:% D / N", getLastError ()); __leave;} ntQuerySystemInformation =
(NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) {printf ( "GetProcAddress for NtQuerySystemInformation Error:% d / n", GetLastError ()); __leave;} dwNumberBytes = MAX_INFO_BUF_LEN; pBuffer = (LPVOID ) malloc (dwNumberBytes); Status = NtQuerySystemInformation (SYSTEM_PAGE_INFO, pBuffer, dwNumberBytes, & dwReturnLength); if (Status = STATUS_SUCCESS) {printf ( "NtQuerySystemInformation for Pagefile Error:% d / n", GetLastError (); __leave;!)} pSystemPagefileInfo = (PSYSTEM_PAGEFILE_INFORMATION) pBuffer; do {printf ( "CurrentPagefileSize: / t% d / n", pSystemPagefileInfo-> CurrentSize); printf ( "TotalPagefileUsed: / t% d / n", pSystemPagefileInfo-> TotalUsed); printf ( "PeakPagefileUsed : / t% d / n ", pSystemPagefileInfo-> PeakUsed); wprintf (L" PagefileFileName: / t% s / n ", pSystemPagefileInfo-> FileName.Buffer); pSystemPagefileInfo = (PSYSTEM_PAGEFILE_INFORMATION) ((char *) pBuffer pSystemPagefileInfo -> NetxENTRYOFFSET);} while (psystempagefileinfo-> NetxentryOffset! = 0); } __Finally {if (pBuffer = NULL!) {Free (pBuffer);} if (hNtDll = NULL!) {FreeLibrary (hNtDll);}} return 0;} DWORD CacheInfo () {SYSTEM_CACHE_INFORMATION SystemCacheInfo; HMODULE hNtDll = NULL; DWORD dwNumberBytes; DWORD dwReturnLength; NTSTATUS Status; __try {hNtDll = LoadLibrary ( "ntDll.dll"); if (hNtDll == NULL) {printf ( "LoadLibrary Error:% d / n", GetLastError ()); __leave;} NtQuerySystemInformation = (NTQuerySystemInformation) getProcaddress (HNTDLL, "NTQuerySystemInformation"); if (ntquerysysteminformation == null) {printf ("
GetProcAddress for NtQuerySystemInformation Error:% d / n ", GetLastError ()); __leave;} dwNumberBytes = sizeof (SYSTEM_CACHE_INFORMATION); Status = NtQuerySystemInformation (SYSTEM_CACHE_INFO, & SystemCacheInfo, dwNumberBytes, & dwReturnLength); if (Status = STATUS_SUCCESS) {printf (!" NtQuerySystemInformation for Cache Error:% d / n ", GetLastError ()); __leave;} printf (" CacheWorkingSetSize: / t / t% d (KB) / n ", SystemCacheInfo.SystemCacheWsSize / 1024); printf (" CacheWorkingSetPeakSize: / t% d (KB) / n ", SystemCacheInfo.SystemCacheWsPeakSize / 1024); printf (" CacheWorkingSetFaults: / t / t% d / n ", SystemCacheInfo.SystemCacheWsFaults); printf (" CacheWorkingSetMinimum: / t / t% d / n ", SystemCacheInfo.SystemCacheWsMinimum); printf (" CacheWorkingSetMaximum: / t / t% d / n ", SystemCacheInfo.SystemCacheWsMaximum); printf (" TransitionSharedPages: / t / t% d / n ", SystemCacheInfo.TransitionSharedPages); printf (" TransitionsharedPagespeak: / T% D / N ", SystemCacheInfo.transageSharedPagespeak;} __final = null (HNTDLL! = Null) {freeelibrary (hntdll);}} returnograph } Void start () {Printf ("T-PMPERF, BY TOO2Y / N"); Printf ("e-mail: Too2y@safechina.net/N"); Printf ("Homepage: www.safechina.net/n" ); Printf ("DATE: 05-09-2003 / N / N"); return; void usage () {printf ("USAGE: / TT-PMPERF
FZ5FZ, we are engaged in the learning and research of network / system security, in-depth programming technology analysis and discussion, adhere to original, pursue sharing. FZ5FZ Homepage: http://fz5fz.yeah.net
