#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
/*
 * Per-thread record that trails each process entry returned by
 * NtQuerySystemInformation(SystemProcessInformation); see _PROCESSINFO.ti.
 *
 * NOTE(review): this layout is undocumented and evidently reverse engineered
 * (the dwUnknown* members are unnamed slots, not fields this program uses).
 * Every member is DWORD-sized, so it can only describe a 32-bit build —
 * compare it against SYSTEM_THREAD_INFORMATION in winternl.h before relying
 * on it on another target. Nothing in this file reads these members; the
 * walk in main() steps by _PROCESSINFO.dwOffset instead.
 */
typedef struct _tagThreadInfo
{
FILETIME ftCreationTime;
DWORD dwUnknown1;
DWORD dwStartAddress;
DWORD dwOwningPID;
DWORD dwThreadID;
DWORD dwCurrentPriority;
DWORD dwBasePriority;
DWORD dwContextSwitches;
DWORD dwThreadState;
DWORD dwWaitReason;
DWORD dwUnknown2[5];
} THREADINFO, *PTHREADINFO;
/* C4200: "zero-sized array in struct" — silenced for the ti[0] member below. */
#pragma warning(disable:4200)
/*
 * One process entry of the SystemProcessInformation (class 5) buffer.
 * Entries are chained: dwOffset is the byte distance from this entry to the
 * next one and is 0 on the last entry (main() relies on exactly that).
 *
 * NOTE(review): undocumented, reverse-engineered layout. The memory counters
 * are DWORDs here, so the struct can only match a 32-bit build; the
 * documented SYSTEM_PROCESS_INFORMATION in winternl.h should be compared
 * before using it elsewhere. The typedef name _PROCESSINFO (leading
 * underscore + capital) is in the implementation's reserved namespace;
 * it is kept because PPROCESSINFO and main() depend on it.
 */
typedef struct _tagProcessInfo
{
DWORD dwOffset;            /* bytes to the next entry; 0 == last entry */
DWORD dwThreadCount;       /* presumably the number of THREADINFO records in ti — unused here */
DWORD dwUnknown1[6];
FILETIME ftCreationTime;
DWORD dwUnknown2[5];
WCHAR* pszProcessName;     /* UTF-16 image name; converted with WideCharToMultiByte in main() */
DWORD dwBasePriority;
DWORD dwProcessID;         /* 0 is the idle process, which main() skips */
DWORD dwParentProcessID;
DWORD dwHandleCount;
DWORD dwUnknown3;
DWORD dwUnknown4;
DWORD dwVirtualBytesPeak;
DWORD dwVirtualBytes;
DWORD dwPageFaults;
DWORD dwWorkingSetPeak;
DWORD dwWorkingSet;
DWORD dwUnknown5;
DWORD dwPagedPool;
DWORD dwUnknown6;
DWORD dwNonPagedPool;
DWORD dwPageFileBytesPeak;
DWORD dwPrivateBytes;
DWORD dwPageFileBytes;
DWORD dwUnknown7[4];
THREADINFO ti[0];          /* trailing thread records; MSVC zero-length array (C99 spelling would be ti[]) */
} _PROCESSINFO, *PPROCESSINFO;
#pragma warning( default:4200 )
// Resolved at run time from NTDLL.DLL via GetProcAddress before first use;
// NULL until then, so callers must check it. The last parameter is declared
// ULONG and always passed 0, whereas the documented prototype takes
// PULONG ReturnLength — NOTE(review): that is only equivalent where ULONG and
// a pointer have the same width (32-bit builds); confirm before building for x64.
long(__stdcall *NtQuerySystemInformation)(ULONG,PVOID,ULONG,ULONG) = NULL;
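/* SYSTEM_INFORMATION_CLASS value for the process/thread list
 * (SystemProcessInformation in winternl.h). */
enum { SYSTEM_PROCESS_INFORMATION_CLASS = 5 };

/* Growth step for the query buffer: the call is retried with a larger
 * buffer while NtQuerySystemInformation reports STATUS_INFO_LENGTH_MISMATCH. */
enum { INFO_BUFFER_STEP = 0x2000 };

/*
 * Resolve NtQuerySystemInformation from NTDLL.DLL into the file-scope
 * pointer. Returns TRUE on success; on failure prints the Win32 error code
 * and returns FALSE, leaving the pointer NULL.
 *
 * GetLastError() yields a Win32 error code, not an errno value, so it is
 * printed numerically rather than passed through strerror().
 */
static BOOL resolve_nt_query_system_information(void)
{
    HMODULE hNtdll = GetModuleHandle("NTDLL.DLL");

    if (hNtdll != NULL) {
        NtQuerySystemInformation =
            (long(__stdcall *)(ULONG, PVOID, ULONG, ULONG))
            GetProcAddress(hNtdll, "NtQuerySystemInformation");
    }
    if (NtQuerySystemInformation == NULL) {
        printf("Error updating NtQueryInfo pointer (Win32 error %lu)\n",
               (unsigned long)GetLastError());
        return FALSE;
    }
    return TRUE;
}

/*
 * Query the process list into a heap buffer, growing it by INFO_BUFFER_STEP
 * while the call reports STATUS_INFO_LENGTH_MISMATCH.
 *
 * @param pcbSize  receives the final buffer size in bytes on success.
 * @return the buffer (ownership passes to the caller, release with free()),
 *         or NULL after printing a diagnostic. Any NTSTATUS that is neither
 *         a success code (>= 0, i.e. NT_SUCCESS) nor the length mismatch is
 *         treated as failure, so an unfilled buffer is never parsed.
 */
static PBYTE query_process_list(DWORD *pcbSize)
{
    DWORD cbSize = INFO_BUFFER_STEP;
    PBYTE pbyInfo = (PBYTE)malloc(cbSize);

    if (pbyInfo == NULL) {
        printf("Allocation memory error (%lu bytes)\n", (unsigned long)cbSize);
        return NULL;
    }
    for (;;) {
        long status = NtQuerySystemInformation(SYSTEM_PROCESS_INFORMATION_CLASS,
                                               pbyInfo, cbSize, 0);
        PBYTE pbyGrown;

        if (status >= 0) {                  /* NT_SUCCESS */
            break;
        }
        if ((ULONG)status != STATUS_INFO_LENGTH_MISMATCH) {
            printf("NtQuerySystemInformation failed (status 0x%08lx)\n",
                   (unsigned long)status);
            free(pbyInfo);
            return NULL;
        }
        cbSize += INFO_BUFFER_STEP;
        /* realloc into a temporary so the old block is still freed on failure. */
        pbyGrown = (PBYTE)realloc(pbyInfo, cbSize);
        if (pbyGrown == NULL) {
            printf("Allocation memory error (%lu bytes)\n", (unsigned long)cbSize);
            free(pbyInfo);
            return NULL;
        }
        pbyInfo = pbyGrown;
    }
    *pcbSize = cbSize;
    return pbyInfo;
}

/*
 * Print one " PID | PPID | name" row for a process entry.
 *
 * The entry with dwProcessID 0 (the idle process) is skipped, as before.
 * pszProcessName is converted from UTF-16 to the ANSI code page and then to
 * the OEM code page so the console renders it; if the conversion fails, the
 * Win32 error code is shown in place of the name.
 */
static void print_process_row(const _PROCESSINFO *pProc)
{
    char szProcessName[MAX_PATH] = {0};

    if (pProc->dwProcessID == 0) {
        return;
    }
    if (!WideCharToMultiByte(CP_ACP, 0, pProc->pszProcessName, -1,
                             szProcessName, MAX_PATH, NULL, NULL)) {
        snprintf(szProcessName, sizeof szProcessName,
                 "<name conversion failed: Win32 error %lu>",
                 (unsigned long)GetLastError());
    }
    /* CharToOem permits the same buffer as source and destination. */
    CharToOem(szProcessName, szProcessName);
    printf(" %03lu\t| %03lu\t| %s\n",
           (unsigned long)pProc->dwProcessID,
           (unsigned long)pProc->dwParentProcessID,
           szProcessName);
}

/*
 * Walk the entry chain inside [pbyInfo, pbyInfo + cbSize) and print each
 * process. dwOffset is the byte distance to the next entry and is 0 on the
 * last one; that last entry is itself a valid process and is printed before
 * the walk stops. Every step is checked against the buffer size so a
 * malformed or truncated chain cannot be read past the end of the buffer.
 */
static void print_process_list(const BYTE *pbyInfo, DWORD cbSize)
{
    DWORD pos = 0;

    printf(" PROCID | PARENT| PROCESS_NAME\n");
    for (;;) {
        const _PROCESSINFO *pProc;

        if (cbSize - pos < sizeof *pProc) {
            printf("Process list truncated at offset %lu\n", (unsigned long)pos);
            return;
        }
        pProc = (const _PROCESSINFO *)(pbyInfo + pos);
        print_process_row(pProc);
        if (pProc->dwOffset == 0) {
            return;                         /* last entry */
        }
        if (pProc->dwOffset > cbSize - pos) {
            printf("Malformed entry offset %lu at %lu\n",
                   (unsigned long)pProc->dwOffset, (unsigned long)pos);
            return;
        }
        pos += pProc->dwOffset;
    }
}

/*
 * Entry point: list PID, parent PID and image name of every process via the
 * undocumented NtQuerySystemInformation(SystemProcessInformation) call.
 * Always pauses the console before exit and returns 0, even after a failure,
 * matching the previous behaviour.
 */
int main(void)
{
    DWORD cbInfo = 0;
    PBYTE pbyInfo = NULL;

    if (resolve_nt_query_system_information()) {
        pbyInfo = query_process_list(&cbInfo);
        if (pbyInfo != NULL) {
            print_process_list(pbyInfo, cbInfo);
            free(pbyInfo);
        }
    }
    system("pause");                        /* keep the console window open, as before */
    return 0;
}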