MatteoZan.it

NtQuerySystemaInformation http://msdn.microsoft.com/en-us/library/ms724509(VS.85).aspx is useful undocumented and discouraged API of ntdll.dll. This API shouldn’t be used but in some case is a short way to get a lot information.

With this API you can make a lot of thinks but in this example is used to get some information about process.

This function should be linked at runtime, see more information at this link: http://msdn.microsoft.com/en-us/library/ms686944(VS.85).aspx.

To invoke NtQuerySystemInformation you should pass the follow argument:

• Kind of information that you want get, in this example the SystemProcessInformation.
• Address of a chunk of memory to place all information.
• Size of previous chunk of memory.
• A integer passed by reference that will filled with the size of return value.

Unfortunately size of second arguments isn’t know, a solution is pass a chunk of memory and if it is too small retry. This solution is possible because the NtQuerySystemInformation in case of a chunk of memory is too small it return a specific error code.

In this example enumerations and structures used by this program are placed in stdafx.h header file.

This example is written with Visual Studio 2008.

Download example

Tags: C++, Win32

This entry was posted on Saturday, December 27th, 2008 at 5:03 pm and is filed under C++, Coding. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.