windowsNativeAPI资源-CSDN下载

需积分: 10 119 浏览量 2009-04-05 03:04:34 上传评论收藏 1.6MB PDF 举报

### Windows Native API：深入了解 ZwQuerySystemInformation #### 标题解析 **Windows Native API**，这一术语指的是在Windows操作系统中，直接与内核交互的一系列API接口。它们提供了对操作系统核心功能的直接访问，通常用于高级系统管理和底层硬件操作。 #### 描述解析 **Windows native API** 被描述为进入内核前的最后一个调用界面，这意味着这些API是在用户空间应用和操作系统内核之间的一个关键层。通过这些API，应用程序可以直接请求系统资源和服务，而无需经过更高层次的API或中间件。 #### 标签解析 **ntdll.dll** 是一个重要的Windows DLL文件，其中包含了多个Native API函数，包括本文档中提到的 **ZwQuerySystemInformation** 函数。这些函数通常被用于低级别的系统管理任务，如内存管理、进程控制等。 #### 内容分析文档中提到的 **ZwQuerySystemInformation** 函数是一个核心Native API函数，用于查询有关整个系统的各种信息，而非特定于某个对象。以下是对该函数及其参数的详细解释： ##### 函数定义 ```c NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); ``` ##### 参数说明 - **SystemInformationClass**：指定了要查询的信息类型。它是一个枚举值，代表了不同种类的系统信息类别。 - **SystemInformation**：指向一个由调用者分配的缓冲区，用于接收查询到的系统信息。 - **SystemInformationLength**：表示 `SystemInformation` 缓冲区的大小（以字节为单位）。根据不同的 `SystemInformationClass` 类型，调用者需要设置合适的大小。 - **ReturnLength**：可选参数，用于返回实际写入 `SystemInformation` 的字节数量。如果缓冲区太小无法容纳所有数据，则此参数通常被设为零。对于某些信息类（例如 6 和 11），则会返回所需缓冲区的最小大小。 ##### 返回值 - 如果调用成功，则返回 `STATUS_SUCCESS`。 - 若失败，则返回错误状态代码，如 `STATUS_INVALID_INFO_CLASS`（无效的信息类）、`STATUS_NOT_IMPLEMENTED`（未实现）或 `STATUS_INFO_LENGTH_MISMATCH`（信息长度不匹配）。 ##### 相关 Win32 函数 - **GetSystemInfo**：获取关于当前系统的通用信息。 - **GetTimeZoneInformation**：获取当前时区信息。 - **GetSystemTimeAdjustment**：获取或设置系统时间调整信息。 - **PSAPI functions**：一组用于性能监控和系统信息收集的函数。 - **性能计数器**：用于监测系统性能的指标。 ##### 备注 - **ZwQuerySystemInformation** 是许多系统工具获取性能监控信息的主要来源，包括但不限于缓存、内存、对象、分页文件、进程、处理器、系统和线程等类别的信息。 - **ReturnLength** 信息在某些情况下可能无效，具体取决于所请求的信息类别。即使函数返回 `STATUS_SUCCESS`，也可能出现这种情况。 #### 使用场景示例假设我们要查询当前系统的内存信息，可以按照以下步骤使用 **ZwQuerySystemInformation** 函数： 1. 定义一个合适的 `SystemInformationClass` 枚举值，比如 `SystemBasicInformation`。 2. 分配足够的缓冲区来存储返回的信息，并确定 `SystemInformationLength`。 3. 调用 `ZwQuerySystemInformation` 函数并检查返回值是否为 `STATUS_SUCCESS`。 4. 解析 `SystemInformation` 中的数据，并根据需要进行进一步处理。 **ZwQuerySystemInformation** 是Windows Native API中的一个重要组成部分，它为开发者提供了一种高效且直接的方式来获取有关系统的各种信息。通过对该函数的理解和应用，可以更好地掌握Windows系统的内部工作原理，从而开发出更加高效、稳定的系统管理工具。

资源推荐

资源详情

资源评论

System Information

and Control

The system services described in this chapter operate on the system as a whole rather

than on individual objects within the system.They mostly gather information about

the performance and operation of the system and set system parameters.

ZwQuerySystemInformation

ZwQuerySystemInformation queries information about the system.

NTSYSAPI

NTSTATUS

NTAPI

ZwQuerySystemInformation(

IN SYSTEM_INFORMATION_CLASS SystemInformationClass,

IN OUT PVOID SystemInformation,

IN ULONG SystemInformationLength,

OUT PULONG ReturnLength OPTIONAL

);

Parameters

SystemInformationClass

The type of system information to be queried.The permitted values are a subset of

the enumeration

SYSTEM_INFORMATION_CLASS, described in the following section.

SystemInformation

Points to a caller-allocated buffer or variable that receives the requested system

information.

SystemInformationLength

The size in bytes of SystemInformation, which the caller should set according to the

given

SystemInformationClass.

1996 CH01 11/19/99 12:24 PM Page 1

System Information and Control: ZwQuerySystem Information

ReturnLength

Optionally points to a variable that receives the number of bytes actually returned to

SystemInformation; if SystemInformationLength is too small to contain the available

information, the variable is normally set to zero except for two information classes

(6 and 11) when it is set to the number of bytes required for the available information.

If this information is not needed,

ReturnLength may be a null pointer.

Return Value

Returns STATUS_SUCCESS or an error status, such as STATUS_INVALID_INFO_CLASS,

STATUS_NOT_IMPLEMENTED or STATUS_INFO_LENGTH_MISMATCH.

Related Win32 Functions

GetSystemInfo, GetTimeZoneInformation, GetSystemTimeAdjustment, PSAPI functions,

and performance counters.

Remarks

ZwQuerySystemInformation is the source of much of the information displayed by

“Performance Monitor” for the classes Cache, Memory, Objects, Paging File, Process,

Processor, System, and Thread. It is also frequently used by resource kit utilities that

display information about the system.

The

ReturnLength information is not always valid (depending on the information

class), even when the routine returns

STATUS_SUCCESS.When the return value indicates

STATUS_INFO_LENGTH_MISMATCH, only some of the information classes return an estimate

of the required length.

Some information classes are implemented only in the “checked” version of the

kernel. Some, such as

SystemCallCounts, return useful information only in “checked”

versions of the kernel.

Some information classes require certain flags to have been set in

NtGlobalFlags at

boot time. For example,

SystemObjectInformation requires that

FLG_MAINTAIN_OBJECT_TYPELIST be set at boot time.

Information class

SystemNotImplemented1 (4) would return STATUS_NOT_IMPLEMENTED

if it were not for the fact that it uses DbgPrint to print the text “EX:

SystemPathInformation now available via SharedUserData.

” and then calls

DbgBreakPoint.The breakpoint exception is caught by a frame based exception handler

(in the absence of intervention by a debugger) and causes

ZwQuerySystemInformation

to return with STATUS_BREAKPOINT.

ZwSetSystemInformation

ZwSetSystemInformation sets information that affects the operation of the system.

NTSYSAPI

NTSTATUS

NTAPI

ZwSetSystemInformation(

IN SYSTEM_INFORMATION_CLASS SystemInformationClass,

IN OUT PVOID SystemInformation,

1996 CH01 11/19/99 12:24 PM Page 2

System Information and Control: SYSTEM_INFORMATION_CLASS

IN ULONG SystemInformationLength

);

Parameters

SystemInformationClass

The type of system information to be set.The permitted values are a subset of the

enumeration

SYSTEM_INFORMATION_CLASS, described in the following section.

SystemInformation

Points to a caller-allocated buffer or variable that contains the system information to

be set.

SystemInformationLength

The size in bytes of SystemInformation, which the caller should set according to the

given

SystemInformationClass.

Return Value

Returns STATUS_SUCCESS or an error status, such as STATUS_INVALID_INFO_CLASS,

STATUS_NOT_IMPLEMENTED or STATUS_INFO_LENGTH_MISMATCH.

Related Win32 Functions

SetSystemTimeAdjustment.

Remarks

At least one of the information classes uses the SystemInformation parameter for both

input and output.

SYSTEM_INFORMATION_CLASS

The system information classes available in the “free” (retail) build of the system are

listed below along with a remark as to whether the information class can be queried,

set, or both. Some of the information classes labeled “

SystemNotImplementedXxx”are

implemented in the “checked” build, and a few of these classes are briefly described

later.

Query Set

typedef enum _SYSTEM_INFORMATION_CLASS {

SystemBasicInformation, // 0 Y N

SystemProcessorInformation, // 1 Y N

SystemPerformanceInformation, // 2 Y N

SystemTimeOfDayInformation, // 3 Y N

SystemNotImplemented1, // 4 Y N

SystemProcessesAndThreadsInformation, // 5 Y N

SystemCallCounts, // 6 Y N

SystemConfigurationInformation, // 7 Y N

SystemProcessorTimes, // 8 Y N

SystemGlobalFlag, // 9 Y Y

SystemNotImplemented2, // 10 Y N

SystemModuleInformation, // 11 Y N

1996 CH01 11/19/99 12:24 PM Page 3

System Information and Control: SYSTEM_INFORMATION_CLASS

SystemLockInformation, // 12 Y N

SystemNotImplemented3, // 13 Y N

SystemNotImplemented4, // 14 Y N

SystemNotImplemented5, // 15 Y N

SystemHandleInformation, // 16 Y N

SystemObjectInformation, // 17 Y N

SystemPagefileInformation, // 18 Y N

SystemInstructionEmulationCounts, // 19 Y N

SystemInvalidInfoClass1, // 20

SystemCacheInformation, // 21 Y Y

SystemPoolTagInformation, // 22 Y N

SystemProcessorStatistics, // 23 Y N

SystemDpcInformation, // 24 Y Y

SystemNotImplemented6, // 25 Y N

SystemLoadImage, // 26 N Y

SystemUnloadImage, // 27 N Y

SystemTimeAdjustment, // 28 Y Y

SystemNotImplemented7, // 29 Y N

SystemNotImplemented8, // 30 Y N

SystemNotImplemented9, // 31 Y N

SystemCrashDumpInformation, // 32 Y N

SystemExceptionInformation, // 33 Y N

SystemCrashDumpStateInformation, // 34 Y Y/N

SystemKernelDebuggerInformation, // 35 Y N

SystemContextSwitchInformation, // 36 Y N

SystemRegistryQuotaInformation, // 37 Y Y

SystemLoadAndCallImage, // 38 N Y

SystemPrioritySeparation, // 39 N Y

SystemNotImplemented10, // 40 Y N

SystemNotImplemented11, // 41 Y N

SystemInvalidInfoClass2, // 42

SystemInvalidInfoClass3, // 43

SystemTimeZoneInformation, // 44 Y N

SystemLookasideInformation, // 45 Y N

SystemSetTimeSlipEvent, // 46 N Y

SystemCreateSession, // 47 N Y

SystemDeleteSession, // 48 N Y

SystemInvalidInfoClass4, // 49

SystemRangeStartInformation, // 50 Y N

SystemVerifierInformation, // 51 Y Y

SystemAddVerifier, // 52 N Y

SystemSessionProcessesInformation // 53 Y N

} SYSTEM_INFORMATION_CLASS;

SystemBasicInformation

typedef struct _SYSTEM_BASIC_INFORMATION { // Information Class 0

ULONG Unknown;

ULONG MaximumIncrement;

ULONG PhysicalPageSize;

ULONG NumberOfPhysicalPages;

ULONG LowestPhysicalPage;

ULONG HighestPhysicalPage;

ULONG AllocationGranularity;

ULONG LowestUserAddress;

ULONG HighestUserAddress;

ULONG ActiveProcessors;

UCHAR NumberProcessors;

} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

1996 CH01 11/19/99 12:24 PM Page 4

剩余544页未读，继续阅读

评论收藏

内容反馈

zylthinking

粉丝: 5

windows NativeAPI

最新资源

windows NativeAPI

windows Native API开发参考书 工具书.windows的程序有三种_应用程序ring3_驱动程序ring0_Native Applicat

Windows NativeAPI

windows nt native api

Windows NT_2000 Native API

windows nt native api pdf格式

Hook windows native API 的示例源代码

Windows 2000 Native API+demo源代码.zip

使用native API时需要的ntdll.h与ntdll.lib

Native_API.zip_Native API_Native API delphi_delphi Native_native

microsoft windows Native_API

Windows NT 2000 Native API Reference

Windows NT(2000) Native API Reference

Windows 2000 Native API (source code)

windows2000 native api

NativeApi参考.chm

Inside the native api

探测Windows系统信息(Native API)vc++.rar_API_Native API_Vc_windows 系统信息

Windows Nt 2003 NativeApi Reference中文版

Windows.NT.2000.Native.API.Reference

Call_Ntdll_API.rar如何才能调用Native API即ntdll.dll

Windows2000 NATIVE API大全

Windows NT 2000 Native API Reference.RAR

论文研究-利用WindowsNativeAPI调用序列和基于决策树算法的主机异常检测.pdf

Windows Vista/NT/XP Native API

delphi Native_API

Notepad++安装包

安卓期末大作业（AndroidStudio开发），垃圾分类助手app，分为前台后台，代码有注释，均能正常运行

微信小程序源码-合集1.rar

网络版AIS接收机SLR350N

Task-Colledge:只是分享。好好享受

最新资源

windows Native API开发参考书工具书.windows的程序有三种_应用程序ring3_驱动程序ring0_Native Applicat