作者:陆麟
转载请征得作者同意.
2000.7.7

typedef struct ThreadSysInfo_t {
 LARGE_INTEGER ThreadKernelTime;
 LARGE_INTEGER ThreadUserTime;
 LARGE_INTEGER ThreadCreateTime;
 ULONG TickCount;
 ULONG StartEIP;
 CLIENT_ID ClientId;
 ULONG DynamicPriority;
 ULONG BasePriority;
 ULONG nSwitches;
 ULONG Unknown;
 KWAIT_REASON WaitReason;
}THREADSYSINFO, *PTHREADSYSINFO;

typedef struct ProcessThreadSystemInfo {
 ULONG RelativeOffset;
 ULONG nThreads;
 ULONG Unused1[6];
 LARGE_INTEGER ProcessCreateTime;
 LARGE_INTEGER ProcessUserTime;
 LARGE_INTEGER ProcessKernelTime;
 UNICODE_STRING ProcessName;
 ULONG BasePriority;
 ULONG ProcessId;
 ULONG ParentProcessId;
 ULONG HandleCount;
 ULONG Unused2[2];
 ULONG PeakVirtualSizeBytes;
 ULONG TotalVirtualSizeBytes;
 ULONG nPageFaults;
 ULONG PeakWorkingSetSizeBytes;
 ULONG TotalWorkingSetSizeBytes;
 ULONG PeakPagedPoolUsagePages;
 ULONG TotalPagedPoolUsagePages;
 ULONG PeakNonPagedPoolUsagePages;
 ULONG TotalNonPagedPoolUsagePages;
 ULONG TotalPageFileUsageBytes;
 ULONG PeakPageFileUsageBytes;
 ULONG TotalPrivateBytes;
 THREADSYSINFO ThreadSysInfo[1];
} PROCESSTHREADSYSTEMINFO, *PPROCESSTHREADSYSTEMINFO;

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
 IN SYSTEMINFOCLASS SystemInfoClass, //Set to 5 for enumerate all process
 OUT PVOID SystemInfoBuffer,
 IN ULONG SystemInfoBufferSize,
 OUT PULONG BytesReturned OPTIONAL
);

当然,KMD也可以在PASSIVE LEVEL运用此函数的内核引出:
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
 IN SYSTEMINFOCLASS SystemInfoClass, //Set to 5 for enumerate all process
 OUT PVOID SystemInfoBuffer,
 IN ULONG SystemInfoBufferSize,
 OUT PULONG BytesReturned OPTIONAL
);
妙极否?:)由于查询功能太过强大,此函数必须有SE_TCB_NAME特权才能运作.大家感受到了SE_TCB_NAME特权的吸引人之处了吧!:DDD特权特权我所爱也.;)))