NtQuerySystemInformation ...

One of the most powerful native functions (in ntdll.dll) is NtQuerySystemInformation, so I want to use it... but the problem I have is that I don't really know how to manipulate the parameters to get the results returned by the function!

I need a little example of its use, for example getting the process list using this function "NtQuerySystemInformation"!

Thank You !
NTSTATUS WINAPI NtQuerySystemInformation( __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                          __inout PVOID SystemInformation,
                                          __in ULONG SystemInformationLength,
                                          __out_opt PULONG ReturnLength);


The first argument is only partially documented, if at all. It is an array of structures holding SYSTEM_PROCESS_INFORMATION_ENTRY entries. If you set the second argument to NULL and the third to 0 and provide a valid argument for the optional parameter, the function call will store the length of the buffer that holds the SYSTEM_PROCESS_INFORMATION_ENTRY array. You use this length to allocate the right amount of memory, then call the function again using the correct parameters to fill the array pointed to by the second parameter.

EDIT: I am curious, why do you want to call this function?
To get a process list you're actually better off using "CreateToolhelp32Snapshot()", then "Process32First()" and "Process32Next()". If you try to use "NtQuerySystemInformation()", it won't even give you the name of the process that you're looking at, so it's kind of useless.

Anyway, to augment winStudent's post, the first argument is an enumeration telling the "NtQuerySystemInformation()" function what it is you want. The second argument should be an array of the type of structure you indicated in the first argument, after you've gotten the number of them to expect, as winStudent pointed out earlier. The information for that particular object is of pretty limited use IMO; if you want to see for yourself what it is, then just crack open 'winternl.h' with your favorite text editor and take a look.
This is kinda undocumented.
The first argument is actually an enum and from one of my old projects that I still have, it goes like this

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemNextEventIdInformation,
    SystemEventIdsInformation,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemPlugPlayBusInformation,
    SystemDockInformation,
    SystemPowerInformation,
    SystemProcessorSpeedInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;


If I remember correctly this worked on a x86 Windows 7. Might be different on other versions. But, to be fair, I never used all of these, so many may be wrong. I think their name is suggestive enough.
You can get the one for your system using WinDbg (if you have the requirements) or you can go by trial and error if you have the time. Right now I don't have a WinDbg on my system (old laptop used mainly for fooling around on the internet now, I'm surprised I have a VS on this one).

There is no guarantee - I'm speaking from my memory and from this (poorly written) old project of mine, but you can first call the function with SystemInformationLength set to 0 and check the ReturnLength to see how much memory you need to allocate for the real function call. You can be paranoid about this and allocate a bit more.

Now, this function can be useful in some situations, but there are also situations where there are better (and easier) ways of doing whatever you want. Give some context.
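Putting the two explanations above together (winStudent's "query the size, allocate, query again" pattern and the SystemProcessInformation member of the enum in the last reply), here is an added example in C; it is not code posted by anyone in this thread. It queries SystemProcessInformation and walks the returned chain of SYSTEM_PROCESS_INFORMATION entries, which are linked by NextEntryOffset and carry the image name in the ImageName member (a UNICODE_STRING whose Length is in bytes; the PID 0 idle entry has an empty one). On Windows it resolves NtQuerySystemInformation from ntdll.dll with GetProcAddress, so nothing extra needs linking; on other platforms it runs the same walker over a constructed buffer with the same layout so the parsing can be exercised offline. The names spi_entry, proc_summary, narrow_name, walk_process_list, query_process_info and build_sample_buffer, and the three sample processes, are this example's own inventions.

```c
/* Added example for this thread (not any poster's code): the two-call pattern for
 * NtQuerySystemInformation(SystemProcessInformation) plus a bounded walk of the
 * SYSTEM_PROCESS_INFORMATION chain it returns. On Windows it calls the real
 * function from ntdll via GetProcAddress; elsewhere it runs the same walker over a
 * constructed buffer with the same layout, so the parsing logic can be exercised.
 * spi_entry, proc_summary and the helper names are this example's own inventions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#  include <windows.h>
#  include <winternl.h>          /* UNICODE_STRING, SYSTEM_INFORMATION_CLASS */
#else                            /* minimal stand-ins so the walker builds elsewhere */
typedef uint32_t ULONG; typedef int32_t LONG; typedef uint16_t USHORT;
typedef uint16_t WCHAR;          /* UTF-16 unit; wchar_t is 32-bit on Linux */
typedef void *HANDLE;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#  define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
#endif

struct spi_entry {               /* documented prefix of SYSTEM_PROCESS_INFORMATION */
    ULONG NextEntryOffset;       /* bytes to the next entry; 0 on the last one */
    ULONG NumberOfThreads;
    unsigned char Reserved1[48]; /* timing counters, unused here */
    UNICODE_STRING ImageName;    /* Length is in BYTES, not characters */
    LONG BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount, SessionId;
    /* the real entry continues (and a thread array follows); NextEntryOffset covers it */
};
typedef struct { uintptr_t pid, ppid; unsigned long threads; char name[64]; } proc_summary;

/* Narrow ImageName to ASCII; empty for PID 0 or if the string lies outside the buffer. */
static void narrow_name(const UNICODE_STRING *u, const unsigned char *base, size_t len,
                        char *dst, size_t cap) {
    size_t units = u->Length / 2, i;
    uintptr_t b = (uintptr_t)u->Buffer, lo = (uintptr_t)base;
    dst[0] = '\0';
    if (!u->Buffer || units == 0) return;                    /* idle process has no name */
    if (b < lo || b + u->Length > lo + len) return;          /* do not chase stray pointers */
    for (i = 0; i < units && i + 1 < cap; i++)
        dst[i] = (u->Buffer[i] < 0x80) ? (char)u->Buffer[i] : '?';
    dst[i] = '\0';
}

/* Walk the chain, refusing to read past buflen; returns the number of entries seen. */
static size_t walk_process_list(const void *buf, size_t buflen, proc_summary *out, size_t max_out) {
    const unsigned char *base = buf;
    size_t off = 0, n = 0;
    for (;;) {
        if (off + sizeof(struct spi_entry) > buflen) break;  /* truncated or corrupt */
        const struct spi_entry *e = (const struct spi_entry *)(base + off);
        if (n < max_out) {
            out[n].pid = (uintptr_t)e->UniqueProcessId;
            out[n].ppid = (uintptr_t)e->InheritedFromUniqueProcessId;
            out[n].threads = e->NumberOfThreads;
            narrow_name(&e->ImageName, base, buflen, out[n].name, sizeof out[n].name);
        }
        n++;
        if (e->NextEntryOffset == 0) break;
        off += e->NextEntryOffset;
    }
    return n;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtQsi_t)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
/* Two-call pattern: ask for the size, allocate, query again. Loop, because the
 * process list can grow between the two calls, and add slack each time. */
static void *query_process_info(size_t *out_len) {
    NtQsi_t fn = (NtQsi_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    ULONG len = 0; void *buf = NULL;
    if (!fn) return NULL;
    NTSTATUS st = fn(SystemProcessInformation, NULL, 0, &len);
    while (st == STATUS_INFO_LENGTH_MISMATCH) {
        free(buf); len += 64 * 1024;
        if (!(buf = malloc(len))) return NULL;
        st = fn(SystemProcessInformation, buf, len, &len);
    }
    if (st != 0) { free(buf); return NULL; }
    *out_len = len; return buf;
}
#else
/* Constructed sample (not real system output): three entries laid out the way the kernel
 * does it, each name stored in the buffer right after its entry, chained by NextEntryOffset. */
static size_t build_sample_buffer(unsigned char *buf, size_t cap) {
    static const struct { uintptr_t pid, ppid; ULONG threads; const char *name; } procs[] = {
        {0, 0, 8, NULL}, {4, 0, 150, "System"}, {1234, 4, 12, "lsass.exe"} };
    size_t off = 0;
    for (size_t i = 0; i < 3; i++) {
        size_t units = procs[i].name ? strlen(procs[i].name) : 0;
        size_t elen = (sizeof(struct spi_entry) + units * 2 + 2 + 7) & ~(size_t)7;
        if (off + elen > cap) return 0;
        struct spi_entry *e = (struct spi_entry *)(buf + off);
        memset(e, 0, sizeof *e);
        e->NextEntryOffset = (i == 2) ? 0 : (ULONG)elen;
        e->NumberOfThreads = procs[i].threads;
        e->UniqueProcessId = (HANDLE)procs[i].pid;
        e->InheritedFromUniqueProcessId = (HANDLE)procs[i].ppid;
        if (procs[i].name) {
            WCHAR *w = (WCHAR *)(buf + off + sizeof *e);
            for (size_t k = 0; k < units; k++) w[k] = (WCHAR)procs[i].name[k];
            w[units] = 0;
            e->ImageName.Length = (USHORT)(units * 2);
            e->ImageName.MaximumLength = (USHORT)(units * 2 + 2);
            e->ImageName.Buffer = w;
        }
        off += elen;
    }
    return off;
}
#endif

int main(void) {
    static union { uint64_t align; unsigned char bytes[1 << 16]; } sample;
    proc_summary procs[1024];
    size_t len = 0, n;
#ifdef _WIN32
    void *buf = query_process_info(&len);
    if (!buf) { fputs("NtQuerySystemInformation failed\n", stderr); return 1; }
#else
    void *buf = sample.bytes;
    len = build_sample_buffer(sample.bytes, sizeof sample.bytes);
#endif
    n = walk_process_list(buf, len, procs, 1024);
    for (size_t i = 0; i < n && i < 1024; i++)
        printf("pid %6lu  ppid %6lu  threads %4lu  %s\n", (unsigned long)procs[i].pid,
               (unsigned long)procs[i].ppid, procs[i].threads,
               procs[i].name[0] ? procs[i].name : "(no image name)");
#ifdef _WIN32
    free(buf);
#endif
    return 0;
}
```

Two things to keep in mind when using this for real: the size reported by the first call is only a snapshot, so the retry loop on STATUS_INFO_LENGTH_MISMATCH is not paranoia but the normal path when a process starts between the two calls; and the walker checks that every entry and every ImageName string lies inside the buffer before touching it, which costs nothing on live output from the kernel but keeps the same code safe if you ever point it at a buffer taken from a dump or another machine.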