NtQuerySystemInformation判断线程是否被挂起/判断线程状态
这里采用“功能号5”来枚举系统中所有的进程和线程及其相关信息.
C++语言: Process.cpp
#include "stdafx.h"
#include "Process.h"

#include <cstddef>
#include <new>
003
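// Report whether the process identified by ulPID is suspended.
//
// Takes a SystemProcessInformation (class 5) snapshot through
// NtQuerySystemInformation and inspects the threads of the matching entry.
// A process is reported as suspended only when every one of its threads is
// in StateWait with wait reason Suspended. (The previous version looked at
// Threads[0] alone, which misreports a process whose other threads are
// still running, and read past the entry when ThreadCount was 0.)
//
// Returns:
//   0 - error: ntdll or NtQuerySystemInformation unavailable, the snapshot
//       could not be allocated or the query failed, ulPID was not found, or
//       the process entry has no threads
//   1 - the process is suspended
//   2 - the process is not suspended
DWORD GetProcessState(ULONG ulPID)
{
    // SystemProcessInformation. The header does not define the information
    // class enum, so the value is named here instead of passed as a bare 5.
    const ULONG ulInfoClassProcesses = 5;
    // Hard ceiling for the snapshot buffer. It bounds the growth loop (which
    // would otherwise spin forever if the call kept asking for more) and keeps
    // the ULONG size arithmetic below from overflowing.
    const ULONG ulMaxSnapshotBytes = 64UL * 1024UL * 1024UL;

    HMODULE hModule = LoadLibrary(L"ntdll.dll");
    if (hModule == NULL)
    {
        return 0;
    }
    NtQuerySystemInformation pNtQuerySystemInformation =
        (NtQuerySystemInformation)GetProcAddress(hModule, "NtQuerySystemInformation");
    if (pNtQuerySystemInformation == NULL)
    {
        FreeLibrary(hModule);
        return 0;
    }

    // Grow the buffer until the whole process list fits. ulReturned receives
    // the size the call wanted (when it reports one), so each step grows to at
    // least double and at least that request.
    DWORD dwResult = 0;
    ULONG ulSize = (ULONG)(0x100 * sizeof(SYSTEM_PROCESSES));
    ULONG ulReturned = 0;
    PCHAR pBuffer = NULL;
    NTSTATUS status;
    for (;;)
    {
        // nothrow so an allocation failure cannot throw past FreeLibrary.
        pBuffer = new (std::nothrow) char[ulSize];
        if (pBuffer == NULL)
        {
            FreeLibrary(hModule);
            return 0;
        }
        ulReturned = 0;
        status = (NTSTATUS)pNtQuerySystemInformation(ulInfoClassProcesses, pBuffer, ulSize, &ulReturned);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        delete[] pBuffer;
        pBuffer = NULL;
        if (ulSize >= ulMaxSnapshotBytes)
        {
            FreeLibrary(hModule);
            return 0;
        }
        ulSize *= 2;                    // cannot overflow: ulSize < ulMaxSnapshotBytes here
        if (ulReturned > ulSize)
        {
            ulSize = ulReturned;
        }
        if (ulSize > ulMaxSnapshotBytes)
        {
            ulSize = ulMaxSnapshotBytes;
        }
    }

    // Any status other than success leaves the buffer contents undefined, so
    // the list must not be walked. The previous version walked it regardless.
    if (status != STATUS_SUCCESS)
    {
        delete[] pBuffer;
        FreeLibrary(hModule);
        return 0;
    }

    // Number of buffer bytes that hold snapshot data. Prefer the reported
    // count; fall back to the allocation size if none was reported, which is
    // still a hard limit on what the call can have written.
    const ULONG ulBound = (ulReturned != 0 && ulReturned <= ulSize) ? ulReturned : ulSize;
    const ULONG ulEntryHeader = (ULONG)offsetof(SYSTEM_PROCESSES, Threads);

    // Walk the variable-length entries. Every offset is checked against
    // ulBound before it is dereferenced, so a truncated or inconsistent
    // snapshot cannot move the cursor outside the buffer.
    ULONG ulOffset = 0;
    while (ulBound - ulOffset >= ulEntryHeader)
    {
        PSYSTEM_PROCESSES p = (PSYSTEM_PROCESSES)(pBuffer + ulOffset);
        if (p->ProcessId == ulPID)
        {
            // Threads[] is a trailing variable-length array; only trust
            // ThreadCount if the entry actually has room for that many.
            ULONG ulRoom = (ULONG)((ulBound - ulOffset - ulEntryHeader) / sizeof(SYSTEM_THREADS));
            if (p->ThreadCount == 0 || p->ThreadCount > ulRoom)
            {
                dwResult = 0;
                break;
            }
            dwResult = 1;
            for (ULONG i = 0; i < p->ThreadCount; i++)
            {
                const SYSTEM_THREADS &t = p->Threads[i];
                if (!(t.dwState == StateWait && t.dwWaitReason == Suspended))
                {
                    dwResult = 2;       // at least one thread is not suspended
                    break;
                }
            }
            break;                      // PIDs are unique in the snapshot
        }
        if (p->NextEntryDelta == 0 || p->NextEntryDelta > ulBound - ulOffset)
        {
            break;                      // end of list, or a delta that would leave the buffer
        }
        ulOffset += p->NextEntryDelta;
    }

    delete[] pBuffer;
    FreeLibrary(hModule);
    return dwResult;
}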
066
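// Report whether thread ulTID of process ulPID is suspended.
//
// Takes a SystemProcessInformation (class 5) snapshot through
// NtQuerySystemInformation, finds the entry for ulPID and then the thread
// whose ClientId.TID equals ulTID. The thread is reported as suspended when
// it is in StateWait with wait reason Suspended.
//
// Returns:
//   0 - error: ntdll or NtQuerySystemInformation unavailable, the snapshot
//       could not be allocated or the query failed, or the process/thread
//       was not found
//   1 - the thread is suspended
//   2 - the thread is not suspended
DWORD GetThreadState(ULONG ulPID, ULONG ulTID)
{
    // SystemProcessInformation. The header does not define the information
    // class enum, so the value is named here instead of passed as a bare 5.
    const ULONG ulInfoClassProcesses = 5;
    // Hard ceiling for the snapshot buffer. It bounds the growth loop (which
    // would otherwise spin forever if the call kept asking for more) and keeps
    // the ULONG size arithmetic below from overflowing.
    const ULONG ulMaxSnapshotBytes = 64UL * 1024UL * 1024UL;

    HMODULE hModule = LoadLibrary(L"ntdll.dll");
    if (hModule == NULL)
    {
        return 0;
    }
    NtQuerySystemInformation pNtQuerySystemInformation =
        (NtQuerySystemInformation)GetProcAddress(hModule, "NtQuerySystemInformation");
    if (pNtQuerySystemInformation == NULL)
    {
        FreeLibrary(hModule);
        return 0;
    }

    // Grow the buffer until the whole process list fits. ulReturned receives
    // the size the call wanted (when it reports one), so each step grows to at
    // least double and at least that request.
    DWORD dwResult = 0;
    ULONG ulSize = (ULONG)(0x100 * sizeof(SYSTEM_PROCESSES));
    ULONG ulReturned = 0;
    PCHAR pBuffer = NULL;
    NTSTATUS status;
    for (;;)
    {
        // nothrow so an allocation failure cannot throw past FreeLibrary.
        pBuffer = new (std::nothrow) char[ulSize];
        if (pBuffer == NULL)
        {
            FreeLibrary(hModule);
            return 0;
        }
        ulReturned = 0;
        status = (NTSTATUS)pNtQuerySystemInformation(ulInfoClassProcesses, pBuffer, ulSize, &ulReturned);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        delete[] pBuffer;
        pBuffer = NULL;
        if (ulSize >= ulMaxSnapshotBytes)
        {
            FreeLibrary(hModule);
            return 0;
        }
        ulSize *= 2;                    // cannot overflow: ulSize < ulMaxSnapshotBytes here
        if (ulReturned > ulSize)
        {
            ulSize = ulReturned;
        }
        if (ulSize > ulMaxSnapshotBytes)
        {
            ulSize = ulMaxSnapshotBytes;
        }
    }

    // Any status other than success leaves the buffer contents undefined, so
    // the list must not be walked. The previous version walked it regardless.
    if (status != STATUS_SUCCESS)
    {
        delete[] pBuffer;
        FreeLibrary(hModule);
        return 0;
    }

    // Number of buffer bytes that hold snapshot data. Prefer the reported
    // count; fall back to the allocation size if none was reported, which is
    // still a hard limit on what the call can have written.
    const ULONG ulBound = (ulReturned != 0 && ulReturned <= ulSize) ? ulReturned : ulSize;
    const ULONG ulEntryHeader = (ULONG)offsetof(SYSTEM_PROCESSES, Threads);

    // Walk the variable-length entries. Every offset is checked against
    // ulBound before it is dereferenced, so a truncated or inconsistent
    // snapshot cannot move the cursor outside the buffer.
    ULONG ulOffset = 0;
    while (ulBound - ulOffset >= ulEntryHeader)
    {
        PSYSTEM_PROCESSES p = (PSYSTEM_PROCESSES)(pBuffer + ulOffset);
        if (p->ProcessId == ulPID)
        {
            // Threads[] is a trailing variable-length array; only trust
            // ThreadCount if the entry actually has room for that many.
            ULONG ulRoom = (ULONG)((ulBound - ulOffset - ulEntryHeader) / sizeof(SYSTEM_THREADS));
            if (p->ThreadCount > ulRoom)
            {
                break;                  // entry claims more threads than the snapshot holds
            }
            for (ULONG i = 0; i < p->ThreadCount; i++)
            {
                const SYSTEM_THREADS &t = p->Threads[i];
                if (t.ClientId.TID == ulTID)
                {
                    // Only wait reason Suspended counts, as before.
                    // NOTE(review): KWAIT_REASON also has WrSuspended; confirm
                    // whether it should be treated the same way.
                    dwResult = (t.dwState == StateWait && t.dwWaitReason == Suspended) ? 1 : 2;
                    break;
                }
            }
            break;                      // PIDs are unique in the snapshot
        }
        if (p->NextEntryDelta == 0 || p->NextEntryDelta > ulBound - ulOffset)
        {
            break;                      // end of list, or a delta that would leave the buffer
        }
        ulOffset += p->NextEntryDelta;
    }

    delete[] pBuffer;
    FreeLibrary(hModule);
    return dwResult;
}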
C++语言: Process.h
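// Process.h: process/thread state helpers built on NtQuerySystemInformation.
//
// The structures below mirror the undocumented SystemProcessInformation
// (class 5) layout. Field order and widths are the binary contract with
// ntdll, so they must not be reordered or retyped casually.
//
// NOTE(review): every size-like field here is a 32-bit ULONG and CLIENT_ID
// carries its ids as ULONG. That matches a 32-bit layout; on x64 the kernel
// widens these fields to pointer size, so this header looks 32-bit-only.
// Confirm the layout before building for x64.
//
// NOTE(review): the private tag names (_UNICODE_STRING, _CLIENT_ID, ...) and
// the NtQuerySystemInformation typedef mirror names the SDK itself uses;
// including <winternl.h> alongside this header is likely to produce
// redefinition errors.
//
// The include guard is PROCESS_H_ rather than _PROCESS_: identifiers that
// start with an underscore and an uppercase letter are reserved for the
// implementation.
#ifndef PROCESS_H_
#define PROCESS_H_

#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
#include <PSAPI.H>
#pragma comment(lib,"User32.lib")
#pragma comment(lib,"psapi.lib")
#pragma comment(lib,"advapi32.lib")

// NTSTATUS values the snapshot loop in Process.cpp distinguishes.
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef LONG NTSTATUS;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// One loaded system module.
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// Holds the list of system modules. smi[] is a trailing variable-length
// array of ulCount entries; the [1] is the Windows convention for that.
typedef struct _SystemModuleList{
    ULONG ulCount;
    SYSTEM_MODULE_INFORMATION smi[1];
} SYSTEMMODULELIST, *PSYSTEMMODULELIST;

// Scheduler state of a thread (SYSTEM_THREADS::dwState).
typedef enum _THREAD_STATE{
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,
    StateTransition,
    StateUnknown
} THREAD_STATE;

// Why a thread in StateWait is waiting (SYSTEM_THREADS::dwWaitReason).
typedef enum _KWAIT_REASON {
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrLpcReply,
    WrVirtualMemory,
    WrPageOut,
    WrRendezvous,
    Spare2,
    Spare3,
    Spare4,
    Spare5,
    Spare6,
    WrKernel
} KWAIT_REASON;

typedef struct _VM_COUNTERS {
    ULONG PeakVirtualSize;
    ULONG VirtualSize;
    ULONG PageFaultCount;
    ULONG PeakWorkingSetSize;
    ULONG WorkingSetSize;
    ULONG QuotaPeakPagedPoolUsage;
    ULONG QuotaPagedPoolUsage;
    ULONG QuotaPeakNonPagedPoolUsage;
    ULONG QuotaNonPagedPoolUsage;
    ULONG PagefileUsage;
    ULONG PeakPagefileUsage;
} VM_COUNTERS, *PVM_COUNTERS;

typedef struct _CLIENT_ID
{
    ULONG PID;
    ULONG TID;
}CLIENT_ID,*PCLIENT_ID;

// One thread of a SYSTEM_PROCESSES entry.
typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    // Priority and BasePriority are KPRIORITY in the kernel definition; LONG
    // has the same width.
    LONG Priority;
    LONG BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE dwState;
    KWAIT_REASON dwWaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

// One process entry of the class 5 snapshot. Entries are chained by
// NextEntryDelta (0 on the last one); Threads[] is a trailing variable-length
// array of ThreadCount entries, so the [1] is a placeholder only.
typedef struct _SYSTEM_PROCESSES { // Information Class 5
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    // KPRIORITY in the kernel definition; LONG has the same width.
    LONG BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters; // Windows 2000 only
    SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

// Prototype of ntdll!NtQuerySystemInformation, resolved at run time with
// GetProcAddress. nRet receives the number of bytes the call needs/wrote.
typedef ULONG (WINAPI *NtQuerySystemInformation)(
    IN ULONG SysInfoClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG nRet
);

// Prototype of ntdll!NtQueryInformationThread (not used by Process.cpp).
typedef ULONG (WINAPI *NtQueryInformationThread)(
    IN HANDLE ThreadHandle,
    IN ULONG ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

// Get the state of a process.
// Returns 0 on error (ntdll unavailable, query failed, or PID not found),
// 1 if the process is suspended, 2 if it is not suspended.
DWORD GetProcessState(ULONG ulPID);

// Get the state of a thread.
// Returns 0 on error (ntdll unavailable, query failed, or PID/TID not found),
// 1 if the thread is suspended, 2 if it is not suspended.
DWORD GetThreadState(ULONG ulPID,ULONG ulTID);

#endif // PROCESS_H_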






