
NtQuerySystemInformation判断线程是否被挂起/判断线程状态


NtQuerySystemInformation判断线程是否被挂起/判断线程状态

这里采用“功能号5”来枚举系统中所有的进程和线程及其相关信息.

#include "stdafx.h"

#include "Process.h"

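// Get the "suspended" state of a process identified by PID.
//
// Enumerates the SYSTEM_PROCESSES list returned by NtQuerySystemInformation
// information class 5 and inspects the FIRST thread of the matching process
// only (the original criterion): a first thread that is in StateWait with wait
// reason Suspended makes the process count as suspended.
//
// Returns:
//   0 - failure: ntdll/NtQuerySystemInformation unavailable, the query did not
//       return STATUS_SUCCESS, the list was malformed, or no process with
//       ulPID was found
//   1 - the process's first thread is StateWait / Suspended (进程处于挂起状态)
//   2 - the process was found and is not suspended by that criterion
//
// NOTE(review): SYSTEM_PROCESSES / SYSTEM_THREADS in Process.h are hand-written
// layouts; confirm they match the target OS version and bitness, otherwise the
// parsed fields are meaningless.
DWORD GetProcessState(ULONG ulPID)
{
    // Information class 5 ("功能号5"): per-process records with thread trailers.
    enum { SystemProcessInformationClass = 5 };
    // Cap for the buffer-doubling loop so a persistent length-mismatch status
    // cannot grow n (and the ULONG byte count) without bound.
    const ULONG kMaxEntries = 0x100000;

    HMODULE hModule = LoadLibrary(L"ntdll.dll");
    if (hModule == NULL)
    {
        return 0;
    }
    NtQuerySystemInformation pNtQuerySystemInformation =
        (NtQuerySystemInformation)GetProcAddress(hModule, "NtQuerySystemInformation");
    if (pNtQuerySystemInformation == NULL)
    {
        FreeLibrary(hModule);
        return 0;
    }

    DWORD result = 0;

    // Allocate an ARRAY of n entries so the byte count advertised to the
    // kernel matches what was actually allocated. The original allocated a
    // single SYSTEM_PROCESSES but passed n*sizeof(SYSTEM_PROCESSES), which let
    // the kernel write past the heap block, and then released it with
    // delete[] (mismatched new/delete[]).
    ULONG n = 0x100;
    PSYSTEM_PROCESSES sp = new SYSTEM_PROCESSES[n];
    ULONG cbBuffer = (ULONG)(n * sizeof(SYSTEM_PROCESSES));
    NTSTATUS status = (NTSTATUS)pNtQuerySystemInformation(
        SystemProcessInformationClass, sp, cbBuffer, NULL);
    while (status == STATUS_INFO_LENGTH_MISMATCH && n <= kMaxEntries / 2)
    {
        delete[] sp;
        n *= 2;
        sp = new SYSTEM_PROCESSES[n];
        cbBuffer = (ULONG)(n * sizeof(SYSTEM_PROCESSES));
        status = (NTSTATUS)pNtQuerySystemInformation(
            SystemProcessInformationClass, sp, cbBuffer, NULL);
    }

    // Any status other than success (including a mismatch that hit the cap)
    // leaves the buffer unfilled, so it must not be walked. The original
    // loop only retried on length mismatch and then parsed the buffer
    // regardless of what the final status was.
    if (status == STATUS_SUCCESS)
    {
        const PCHAR pEnd = PCHAR(sp) + cbBuffer;
        PSYSTEM_PROCESSES p = sp;
        for (;;)
        {
            if (p->ProcessId == ulPID)
            {
                // Threads[] is a variable-length trailer; read Threads[0] only
                // when the entry reports at least one thread and the slot
                // lies inside the buffer.
                const PCHAR pThreads = PCHAR(p) + FIELD_OFFSET(SYSTEM_PROCESSES, Threads);
                const bool haveThread = p->ThreadCount > 0 &&
                    (size_t)(pEnd - pThreads) >= sizeof(SYSTEM_THREADS);
                // StateWait and Suspended are both 5 in Process.h; the enums
                // replace the literal 5 == 5 comparison and match GetThreadState.
                if (haveThread &&
                    p->Threads[0].dwState == StateWait &&
                    p->Threads[0].dwWaitReason == Suspended)
                {
                    result = 1;
                }
                else
                {
                    result = 2;
                }
                break;
            }
            if (p->NextEntryDelta == 0)
            {
                break; // last entry in the list
            }
            // Stay inside the buffer: a delta that does not advance, or that
            // leaves less than a fixed-size header, means the data does not
            // match the declared layout.
            const PCHAR pNext = PCHAR(p) + p->NextEntryDelta;
            if (pNext <= PCHAR(p) || pNext >= pEnd ||
                (size_t)(pEnd - pNext) < FIELD_OFFSET(SYSTEM_PROCESSES, Threads))
            {
                break;
            }
            p = PSYSTEM_PROCESSES(pNext);
        }
    }

    delete[] sp;
    FreeLibrary(hModule);
    return result;
}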

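// Get the "suspended" state of one thread (ulTID) belonging to process ulPID.
//
// Enumerates the SYSTEM_PROCESSES list returned by NtQuerySystemInformation
// information class 5, finds the entry whose ProcessId == ulPID, and scans its
// thread trailer for ClientId.TID == ulTID.
//
// Returns:
//   0 - failure: ntdll/NtQuerySystemInformation unavailable, the query did not
//       return STATUS_SUCCESS, the list was malformed, or the process/thread
//       was not found
//   1 - the thread is in StateWait with wait reason Suspended (线程处于挂起状态)
//   2 - the thread was found and is not suspended
//
// NOTE(review): SYSTEM_PROCESSES / SYSTEM_THREADS in Process.h are hand-written
// layouts; confirm they match the target OS version and bitness, otherwise the
// parsed fields are meaningless.
DWORD GetThreadState(ULONG ulPID, ULONG ulTID)
{
    // Information class 5 ("功能号5"): per-process records with thread trailers.
    enum { SystemProcessInformationClass = 5 };
    // Cap for the buffer-doubling loop so a persistent length-mismatch status
    // cannot grow n (and the ULONG byte count) without bound.
    const ULONG kMaxEntries = 0x100000;

    HMODULE hModule = LoadLibrary(L"ntdll.dll");
    if (hModule == NULL)
    {
        return 0;
    }
    NtQuerySystemInformation pNtQuerySystemInformation =
        (NtQuerySystemInformation)GetProcAddress(hModule, "NtQuerySystemInformation");
    if (pNtQuerySystemInformation == NULL)
    {
        FreeLibrary(hModule);
        return 0;
    }

    DWORD result = 0;

    // Allocate an ARRAY of n entries so the byte count advertised to the
    // kernel matches what was actually allocated. The original allocated a
    // single SYSTEM_PROCESSES but passed n*sizeof(SYSTEM_PROCESSES), which let
    // the kernel write past the heap block, and then released it with
    // delete[] (mismatched new/delete[]).
    ULONG n = 0x100;
    PSYSTEM_PROCESSES sp = new SYSTEM_PROCESSES[n];
    ULONG cbBuffer = (ULONG)(n * sizeof(SYSTEM_PROCESSES));
    NTSTATUS status = (NTSTATUS)pNtQuerySystemInformation(
        SystemProcessInformationClass, sp, cbBuffer, NULL);
    while (status == STATUS_INFO_LENGTH_MISMATCH && n <= kMaxEntries / 2)
    {
        delete[] sp;
        n *= 2;
        sp = new SYSTEM_PROCESSES[n];
        cbBuffer = (ULONG)(n * sizeof(SYSTEM_PROCESSES));
        status = (NTSTATUS)pNtQuerySystemInformation(
            SystemProcessInformationClass, sp, cbBuffer, NULL);
    }

    // Any status other than success (including a mismatch that hit the cap)
    // leaves the buffer unfilled, so it must not be walked. The original
    // loop only retried on length mismatch and then parsed the buffer
    // regardless of what the final status was.
    if (status == STATUS_SUCCESS)
    {
        const PCHAR pEnd = PCHAR(sp) + cbBuffer;
        PSYSTEM_PROCESSES p = sp;
        for (;;)
        {
            if (p->ProcessId == ulPID)
            {
                // Threads[] is a variable-length trailer; only index the slots
                // that actually lie inside the buffer, and no more than the
                // entry reports. ULONG index avoids the signed/unsigned
                // comparison of the original int loop.
                const PCHAR pThreads = PCHAR(p) + FIELD_OFFSET(SYSTEM_PROCESSES, Threads);
                ULONG nThreads = (ULONG)((size_t)(pEnd - pThreads) / sizeof(SYSTEM_THREADS));
                if (nThreads > p->ThreadCount)
                {
                    nThreads = p->ThreadCount;
                }
                for (ULONG i = 0; i < nThreads; i++)
                {
                    const SYSTEM_THREADS &t = p->Threads[i];
                    if (t.ClientId.TID != ulTID)
                    {
                        continue;
                    }
                    // Thread found: suspended iff waiting with reason Suspended.
                    result = (t.dwState == StateWait && t.dwWaitReason == Suspended) ? 1 : 2;
                    break;
                }
                // Process found; a missing thread leaves result at 0, as before.
                break;
            }
            if (p->NextEntryDelta == 0)
            {
                break; // last entry in the list
            }
            // Stay inside the buffer: a delta that does not advance, or that
            // leaves less than a fixed-size header, means the data does not
            // match the declared layout.
            const PCHAR pNext = PCHAR(p) + p->NextEntryDelta;
            if (pNext <= PCHAR(p) || pNext >= pEnd ||
                (size_t)(pEnd - pNext) < FIELD_OFFSET(SYSTEM_PROCESSES, Threads))
            {
                break;
            }
            p = PSYSTEM_PROCESSES(pNext);
        }
    }

    delete[] sp;
    FreeLibrary(hModule);
    return result;
}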

//Process.h:包含一些进程操作等

//

//

#ifndef _PROCESS_
#define _PROCESS_
// NOTE(review): names beginning with '_' followed by an uppercase letter are
// reserved for the implementation; a guard such as PROCESS_H_ avoids that.

#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
#include <PSAPI.H>

#pragma comment(lib,"User32.lib")
#pragma comment(lib,"psapi.lib")
#pragma comment(lib,"advapi32.lib")

// NT status codes used by the query loops in Process.cpp: the call is retried
// with a larger buffer while it returns STATUS_INFO_LENGTH_MISMATCH.
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

// NTSTATUS is a signed 32-bit value, so the 0xC... failure code above
// compares as a negative number.
typedef LONG NTSTATUS;

// Counted wide string as used by the native API (ProcessName in
// SYSTEM_PROCESSES). NOTE(review): in the native API Length/MaximumLength
// are byte counts and Buffer need not be NUL-terminated — confirm before
// printing or copying ProcessName as a C string.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// System module information record (系统模块信息). Declared here but not
// consulted by GetProcessState / GetThreadState.
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256]; // fixed-size, narrow-character path buffer
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// Container for the system module list (存放系统模块列表): ulCount records
// followed by smi[1], which is declared with one element and presumably used
// as a variable-length trailer — not used by the code in this file.
typedef struct _SystemModuleList{
    ULONG ulCount;
    SYSTEM_MODULE_INFORMATION smi[1];
} SYSTEMMODULELIST, *PSYSTEMMODULELIST;

// Thread scheduling state as reported in SYSTEM_THREADS::dwState.
// Enumerators are sequential from 0, so StateWait == 5 — the literal value
// GetProcessState compares dwState against; GetThreadState uses the name.
typedef enum _THREAD_STATE{
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,       // == 5
    StateTransition,
    StateUnknown
} THREAD_STATE;

// Reason a waiting thread is waiting, as reported in
// SYSTEM_THREADS::dwWaitReason. Enumerators are sequential from 0, so
// Suspended == 5 — the literal value GetProcessState compares against;
// GetThreadState uses the name. Only StateWait + Suspended is treated as
// "suspended" by this file; WrSuspended is not checked.
typedef enum _KWAIT_REASON {
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,       // == 5
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrLpcReply,
    WrVirtualMemory,
    WrPageOut,
    WrRendezvous,
    Spare2,
    Spare3,
    Spare4,
    Spare5,
    Spare6,
    WrKernel
} KWAIT_REASON;

// Per-process virtual-memory counters embedded in SYSTEM_PROCESSES.
// All fields are 32-bit ULONGs here. NOTE(review): this fixes the record
// size for the 32-bit layout; on a 64-bit target the native sizes differ
// and the following SYSTEM_PROCESSES fields would be misaligned — confirm.
typedef struct _VM_COUNTERS {
    ULONG PeakVirtualSize;
    ULONG VirtualSize;
    ULONG PageFaultCount;
    ULONG PeakWorkingSetSize;
    ULONG WorkingSetSize;
    ULONG QuotaPeakPagedPoolUsage;
    ULONG QuotaPagedPoolUsage;
    ULONG QuotaPeakNonPagedPoolUsage;
    ULONG QuotaNonPagedPoolUsage;
    ULONG PagefileUsage;
    ULONG PeakPagefileUsage;
} VM_COUNTERS, *PVM_COUNTERS;

// Owning process and thread ids of a SYSTEM_THREADS entry. GetThreadState
// matches ClientId.TID against the requested thread id.
typedef struct _CLIENT_ID
{
    ULONG PID;
    ULONG TID;
}CLIENT_ID,*PCLIENT_ID;

// One thread record in the trailer of a SYSTEM_PROCESSES entry.
// GetProcessState / GetThreadState read only ClientId, dwState and
// dwWaitReason: a thread with dwState == StateWait and
// dwWaitReason == Suspended is reported as suspended.
typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    //KPRIORITY Priority;
    LONG Priority;       // declared LONG in place of KPRIORITY (same width)
    //KPRIORITY BasePriority;
    LONG BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE dwState;       // see THREAD_STATE; StateWait == 5
    //DWORD dwState;
    KWAIT_REASON dwWaitReason;  // see KWAIT_REASON; Suspended == 5
    //DWORD dwWaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

// One process record returned by NtQuerySystemInformation class 5.
// Records are chained by NextEntryDelta (byte offset from this record to
// the next; 0 marks the last record) and each is followed by ThreadCount
// SYSTEM_THREADS entries. Threads[1] is therefore a variable-length
// trailer, not a one-element array: the code indexes it up to ThreadCount.
// NOTE(review): hand-written layout; confirm it matches the target OS
// version and bitness before trusting any field past NextEntryDelta.
typedef struct _SYSTEM_PROCESSES { // Information Class 5
    ULONG NextEntryDelta;   // byte offset to the next record, 0 = last
    ULONG ThreadCount;      // number of SYSTEM_THREADS entries in Threads[]
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    //KPRIORITY BasePriority;
    LONG BasePriority;
    ULONG ProcessId;        // compared against the caller's ulPID
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters; // Windows 2000 only
    SYSTEM_THREADS Threads[1]; // variable-length trailer, ThreadCount entries
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

// Function-pointer type for ntdll!NtQuerySystemInformation (定义
// NtQuerySystemInformation函数原型). The typedef deliberately carries the
// exported function's name: the file never declares the function itself and
// resolves it at run time with GetProcAddress. Callers in this file pass
// class 5 and a null nRet, and retry with a larger buffer on
// STATUS_INFO_LENGTH_MISMATCH.
typedef ULONG (WINAPI *NtQuerySystemInformation)(
    IN ULONG SysInfoClass,               // information class, 5 here
    IN OUT PVOID SystemInformation,      // caller-owned output buffer
    IN ULONG SystemInformationLength,    // size of that buffer in bytes
    OUT PULONG nRet                      // optional; passed as 0 in this file
);

// Function-pointer type for ntdll!NtQueryInformationThread (定义
// NtQueryInformationThread函数原型). Declared for completeness; not used by
// GetProcessState / GetThreadState.
typedef ULONG (WINAPI *NtQueryInformationThread)(
    IN HANDLE ThreadHandle,
    IN ULONG ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

// Get the suspended state of a process (获取进程的状态).
// Returns 0 on failure (返回0,表示发生异常), 1 if the process is suspended
// (返回1,表示进程处于挂起状态), 2 if it is not (返回2,表示进程没有被挂起).
// Only the process's first thread is examined.
DWORD GetProcessState(ULONG ulPID);

// Get the suspended state of thread ulTID in process ulPID (获取线程的状态).
// Returns 0 on failure or if the process/thread is not found
// (返回0,表示发生异常), 1 if the thread is suspended
// (返回1,表示线程处于挂起状态), 2 if it is not (返回2,表示线程没有被挂起).
DWORD GetThreadState(ULONG ulPID,ULONG ulTID);

#endif //_PROCESS_