[HELP] how to get the process that used "NtQuerySystemInformation" [VB.NET]

  • Question

  • hi guys..

    How can I get the names of the processes that use the function NtQuerySystemInformation in VB.NET?

    • Moved by Stanly Fan Friday, June 23, 2017 3:40 AM from windows form general
    Friday, June 23, 2017 12:54 AM

All replies

  • hi guys..

    How can I get the names of the processes that use the function NtQuerySystemInformation in VB.NET?

    Friday, June 23, 2017 1:00 AM
  • See if this is of assistance

    https://forum.sysinternals.com/discussion-howto-enumerate-handles_topic19403_page8.html



    Friday, June 23, 2017 2:04 AM
    Moderator
  • If you want the list of current processes with NtQuerySystemInformation()

    you call it with the parameter 5 (SystemProcessInformation)

    <DllImport("NtDll", SetLastError:=True, CallingConvention:=CallingConvention.StdCall, CharSet:=CharSet.Auto)>
        Public Shared Function NtQuerySystemInformation(SystemInformationClass As SYSTEM_INFORMATION_CLASS, SystemInformation As IntPtr, SystemInformationLength As Integer, ByRef ReturnLength As Integer) As Integer
        End Function


    Friday, June 23, 2017 3:14 AM
  • If you want all the opened handles, you call it with

    SYSTEM_INFORMATION_CLASS.SystemHandleInformation

    If you want all the processes, you call it with

    SYSTEM_INFORMATION_CLASS.SystemProcessInformation

    I made a test on Windows 10 for both and it works fine, like in C++

    Declarations:

    Public Enum SYSTEM_INFORMATION_CLASS
        SystemBasicInformation
        SystemProcessorInformation
        SystemPerformanceInformation
        SystemTimeOfDayInformation
        SystemPathInformation
        SystemProcessInformation
        SystemCallCountInformation
        SystemDeviceInformation
        SystemProcessorPerformanceInformation
        SystemFlagsInformation
        SystemCallTimeInformation
        SystemModuleInformation
        SystemLocksInformation
        SystemStackTraceInformation
        SystemPagedPoolInformation
        SystemNonPagedPoolInformation
        SystemHandleInformation
        SystemObjectInformation
        SystemPageFileInformation
        SystemVdmInstemulInformation
        SystemVdmBopInformation
        SystemFileCacheInformation
        SystemPoolTagInformation
        SystemInterruptInformation
        SystemDpcBehaviorInformation
        SystemFullMemoryInformation
        SystemLoadGdiDriverInformation
        SystemUnloadGdiDriverInformation
        SystemTimeAdjustmentInformation
        SystemSummaryMemoryInformation
        SystemMirrorMemoryInformation
        SystemPerformanceTraceInformation
        SystemObsolete0
        SystemExceptionInformation
        SystemCrashDumpStateInformation
        SystemKernelDebuggerInformation
        SystemContextSwitchInformation
        SystemRegistryQuotaInformation
        SystemExtendServiceTableInformation
        SystemPrioritySeperation
        SystemVerifierAddDriverInformation
        SystemVerifierRemoveDriverInformation
        SystemProcessorIdleInformation
        SystemLegacyDriverInformation
        SystemCurrentTimeZoneInformation
        SystemLookasideInformation
        SystemTimeSlipNotification
        SystemSessionCreate
        SystemSessionDetach
        SystemSessionInformation
        SystemRangeStartInformation
        SystemVerifierInformation
        SystemVerifierThunkExtend
        SystemSessionProcessInformation
        SystemLoadGdiDriverInSystemSpace
        SystemNumaProcessorMap
        SystemPrefetcherInformation
        SystemExtendedProcessInformation
        SystemRecommendedSharedDataAlignment
        SystemComPlusPackage
        SystemNumaAvailableMemory
        SystemProcessorPowerInformation
        SystemEmulationBasicInformation
        SystemEmulationProcessorInformation
        SystemExtendedHandleInformation
        SystemLostDelayedWriteInformation
        SystemBigPoolInformation
        SystemSessionPoolTagInformation
        SystemSessionMappedViewInformation
        SystemHotpatchInformation
        SystemObjectSecurityMode
        SystemWatchdogTimerHandler
        SystemWatchdogTimerInformation
        SystemLogicalProcessorInformation
        SystemWow64SharedInformationObsolete
        SystemRegisterFirmwareTableInformationHandler
        SystemFirmwareTableInformation
        SystemModuleInformationEx
        SystemVerifierTriageInformation
        SystemSuperfetchInformation
        SystemMemoryListInformation
        SystemFileCacheInformationEx
        SystemThreadPriorityClientIdInformation
        SystemProcessorIdleCycleTimeInformation
        SystemVerifierCancellationInformation
        SystemProcessorPowerInformationEx
        SystemRefTraceInformation
        SystemSpecialPoolInformation
        SystemProcessIdInformation
        SystemErrorPortInformation
        SystemBootEnvironmentInformation
        SystemHypervisorInformation
        SystemVerifierInformationEx
        SystemTimeZoneInformation
        SystemImageFileExecutionOptionsInformation
        SystemCoverageInformation
        SystemPrefetchPatchInformation
        SystemVerifierFaultsInformation
        SystemSystemPartitionInformation
        SystemSystemDiskInformation
        SystemProcessorPerformanceDistribution
        SystemNumaProximityNodeInformation
        SystemDynamicTimeZoneInformation
        SystemCodeIntegrityInformation
        SystemProcessorMicrocodeUpdateInformation
        MaxSystemInfoClass
    End Enum
    
    
    <StructLayout(LayoutKind.Explicit)>
    Public Structure LARGE_INTEGER
        <FieldOffset(0)>
        Public LowPart As Integer
    
        <FieldOffset(4)>
        Public HighPart As Integer
    
        <FieldOffset(0)>
        Public QuadPart As Long
    End Structure
    
    
    ' Length and MaximumLength are byte counts. Buffer points into the same
    ' query buffer, so read it with Marshal.PtrToStringUni(Buffer, Length \ 2)
    ' after checking for IntPtr.Zero (the idle process has no image name).
    <StructLayout(LayoutKind.Sequential)>
    Public Structure UNICODE_STRING
        Public Length As UShort
        Public MaximumLength As UShort
        Public Buffer As IntPtr
    End Structure
    
    ' HANDLE, ULONG_PTR and SIZE_T fields are pointer-sized, so they must be
    ' IntPtr/UIntPtr rather than Integer/UInteger. With 4-byte fields the
    ' layout is only right in a 32-bit process; in a 64-bit process
    ' UniqueProcessId and everything after it would be read from the wrong offsets.
    <StructLayout(LayoutKind.Sequential)>
    Public Structure SYSTEM_PROCESS_INFORMATION
        Public NextEntryOffset As UInteger          ' 0 marks the last entry
        Public NumberOfThreads As UInteger
        Public WorkingSetPrivateSize As LARGE_INTEGER
        Public SpareLi2 As LARGE_INTEGER
        Public SpareLi3 As LARGE_INTEGER
        Public CreateTime As LARGE_INTEGER
        Public UserTime As LARGE_INTEGER
        Public KernelTime As LARGE_INTEGER
        Public ImageName As UNICODE_STRING
        Public BasePriority As Integer
        Public UniqueProcessId As IntPtr            ' HANDLE
        Public InheritedFromUniqueProcessId As IntPtr
        Public HandleCount As UInteger
        Public SessionId As UInteger
        Public UniqueProcessKey As UIntPtr          ' ULONG_PTR
        Public PeakVirtualSize As UIntPtr           ' SIZE_T from here on
        Public VirtualSize As UIntPtr
        Public PageFaultCount As UInteger
        Public PeakWorkingSetSize As UIntPtr
        Public WorkingSetSize As UIntPtr
        Public QuotaPeakPagedPoolUsage As UIntPtr
        Public QuotaPagedPoolUsage As UIntPtr
        Public QuotaPeakNonPagedPoolUsage As UIntPtr
        Public QuotaNonPagedPoolUsage As UIntPtr
        Public PagefileUsage As UIntPtr
        Public PeakPagefileUsage As UIntPtr
        Public PrivatePageCount As UIntPtr
        Public ReadOperationCount As LARGE_INTEGER
        Public WriteOperationCount As LARGE_INTEGER
        Public OtherOperationCount As LARGE_INTEGER
        Public ReadTransferCount As LARGE_INTEGER
        Public WriteTransferCount As LARGE_INTEGER
        Public OtherTransferCount As LARGE_INTEGER
    End Structure
    
    ' One entry of the SystemHandleInformation result. The buffer starts with
    ' a ULONG NumberOfHandles, followed (at the next pointer-aligned offset)
    ' by that many entries. The process id is only 16 bits in this class;
    ' SystemExtendedHandleInformation returns full-width ids.
    <StructLayout(LayoutKind.Sequential)>
    Public Structure SYSTEM_HANDLE_TABLE_ENTRY_INFO
        Public UniqueProcessId As UShort
        Public CreatorBackTraceIndex As UShort
        Public ObjectTypeNumber As Byte
        Public Flags As Byte
        Public Handle As UShort
        Public pObject As IntPtr
        Public GrantedAccess As UInteger
    End Structure
    
    ' Returns an NTSTATUS. STATUS_INFO_LENGTH_MISMATCH (&HC0000004) means the
    ' buffer was too small: allocate a larger one and call again.
    <DllImport("ntdll.dll")>
    Public Shared Function NtQuerySystemInformation(SystemInformationClass As SYSTEM_INFORMATION_CLASS, SystemInformation As IntPtr, SystemInformationLength As Integer, ByRef ReturnLength As Integer) As Integer
    End Function
    


    • Edited by Castorix31 Friday, June 23, 2017 4:30 AM
    Friday, June 23, 2017 4:29 AM
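Putting the declarations from the two replies above to use, the following console program is an added example and not code from the thread or from Castorix31. It does the two things the reply describes: it queries SystemProcessInformation and walks the entries by NextEntryOffset, and it queries SystemHandleInformation and filters the table by a PID passed on the command line. The buffer is grown and the call repeated until ntdll stops answering STATUS_INFO_LENGTH_MISMATCH, and HANDLE fields are declared as IntPtr so the layout holds in 64-bit as well as 32-bit processes. The helper names (Query, ListProcesses, ListHandles), the trimmed SYSTEM_PROCESS_INFORMATION prefix and the 64 KB starting buffer size are this example's own choices; it assumes a Windows host and .NET Framework 4.5.1 or later (for the generic Marshal.PtrToStructure).

```vb
' Added example, not from the original thread: list processes via SystemProcessInformation
' and, given a PID on the command line, that process's handles via SystemHandleInformation.
Imports System
Imports System.Runtime.InteropServices

Module Program
    Private Const STATUS_INFO_LENGTH_MISMATCH As Integer = &HC0000004   ' buffer too small, retry larger
    Private Const SystemProcessInformation As Integer = 5
    Private Const SystemHandleInformation As Integer = 16
    <StructLayout(LayoutKind.Sequential)>
    Public Structure UNICODE_STRING
        Public Length As UShort        ' byte count, not character count
        Public MaximumLength As UShort
        Public Buffer As IntPtr        ' points inside the same query buffer
    End Structure
    ' Prefix of SYSTEM_PROCESS_INFORMATION; reading only the prefix is safe because every entry is at least this long.
    <StructLayout(LayoutKind.Sequential)>
    Public Structure SYSTEM_PROCESS_INFORMATION
        Public NextEntryOffset As UInteger
        Public NumberOfThreads As UInteger
        <MarshalAs(UnmanagedType.ByValArray, SizeConst:=48)> Public Reserved1 As Byte()   ' working-set, cycle and time counters
        Public ImageName As UNICODE_STRING
        Public BasePriority As Integer
        Public UniqueProcessId As IntPtr              ' HANDLE: pointer-sized, so IntPtr rather than Integer
        Public InheritedFromUniqueProcessId As IntPtr
        Public HandleCount As UInteger
        Public SessionId As UInteger
    End Structure
    ' One row of the SystemHandleInformation table: a ULONG row count comes first, rows follow pointer-aligned.
    <StructLayout(LayoutKind.Sequential)>
    Public Structure SYSTEM_HANDLE_TABLE_ENTRY_INFO
        Public UniqueProcessId As UShort    ' only 16 bits in this class; SystemExtendedHandleInformation (64) has full PIDs
        Public CreatorBackTraceIndex As UShort
        Public ObjectTypeIndex As Byte
        Public HandleAttributes As Byte
        Public HandleValue As UShort
        Public ObjectPointer As IntPtr      ' kernel address of the object
        Public GrantedAccess As UInteger
    End Structure
    <DllImport("ntdll.dll")>
    Private Function NtQuerySystemInformation(infoClass As Integer, buffer As IntPtr,
                                              length As Integer, ByRef returnLength As Integer) As Integer
    End Function

    ' Retries with a larger buffer until the call succeeds; the caller frees the result.
    ' The tables can grow between two calls, so the next size exceeds the reported requirement.
    Private Function Query(infoClass As Integer) As IntPtr
        Dim size As Integer = 64 * 1024
        Do
            Dim buffer As IntPtr = Marshal.AllocHGlobal(size)
            Dim needed As Integer = 0
            Dim status As Integer = NtQuerySystemInformation(infoClass, buffer, size, needed)
            If status = 0 Then Return buffer
            Marshal.FreeHGlobal(buffer)
            If status <> STATUS_INFO_LENGTH_MISMATCH Then Throw New InvalidOperationException(String.Format("NtQuerySystemInformation failed: 0x{0:X8}", status))
            size = Math.Max(needed, size) * 2
        Loop
    End Function

    ' Walks the singly linked list; NextEntryOffset = 0 marks the last entry.
    Public Sub ListProcesses()
        Dim buffer As IntPtr = Query(SystemProcessInformation)
        Try
            Dim entry As IntPtr = buffer
            Do
                Dim p As SYSTEM_PROCESS_INFORMATION = Marshal.PtrToStructure(Of SYSTEM_PROCESS_INFORMATION)(entry)
                Dim name As String = If(p.ImageName.Buffer = IntPtr.Zero, "[System Idle Process]", Marshal.PtrToStringUni(p.ImageName.Buffer, p.ImageName.Length \ 2))
                Console.WriteLine("{0,6} {1,6} {2,4} {3}", p.UniqueProcessId.ToInt64(),
                                  p.InheritedFromUniqueProcessId.ToInt64(), p.NumberOfThreads, name)
                If p.NextEntryOffset = 0 Then Exit Do
                entry = IntPtr.Add(entry, CInt(p.NextEntryOffset))
            Loop
        Finally
            Marshal.FreeHGlobal(buffer)
        End Try
    End Sub

    ' Prints the handles one process holds; the same object address in two processes means the handle was inherited or duplicated.
    Public Sub ListHandles(pid As Integer)
        Dim buffer As IntPtr = Query(SystemHandleInformation)
        Try
            Dim count As Integer = Marshal.ReadInt32(buffer)
            Dim rowSize As Integer = Marshal.SizeOf(GetType(SYSTEM_HANDLE_TABLE_ENTRY_INFO))
            Dim rows As IntPtr = IntPtr.Add(buffer, IntPtr.Size)   ' skip the pointer-aligned count
            For i As Integer = 0 To count - 1
                Dim h As SYSTEM_HANDLE_TABLE_ENTRY_INFO = Marshal.PtrToStructure(Of SYSTEM_HANDLE_TABLE_ENTRY_INFO)(IntPtr.Add(rows, i * rowSize))
                If h.UniqueProcessId = pid Then
                    Console.WriteLine("handle 0x{0:X4} type {1,3} access 0x{2:X8} object 0x{3:X}", h.HandleValue, h.ObjectTypeIndex, h.GrantedAccess, h.ObjectPointer.ToInt64())
                End If
            Next
        Finally
            Marshal.FreeHGlobal(buffer)
        End Try
    End Sub

    Sub Main(args As String())
        ListProcesses()
        If args.Length > 0 Then ListHandles(Integer.Parse(args(0)))
    End Sub
End Module
```

Build it as AnyCPU or x64 and run it without arguments for the process list, or with a PID to also dump that process's handle table rows. Neither information class needs SeDebugPrivilege or elevation, which is exactly why Task Manager and Process Explorer can show every process from a normal user session. Because SystemHandleInformation stores the owning PID in 16 bits, switch to SystemExtendedHandleInformation (value 64 in the enum from the reply above) if you need to match PIDs above 65535.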
    You don't understand what I want.

    Listen, I will explain: I need to make a simple console app and get just the running processes which use NtQuerySystemInformation. For example, I started 3 processes:

    1- notepad2

    2- VLC player

    3- TaskMgr

    TaskMgr uses NtQuerySystemInformation to detect the running processes.

    I need to get just TaskMgr. Why? Because it used this function, NtQuerySystemInformation.

    Friday, June 23, 2017 7:50 AM
  • You cannot find an app which used a particular API.

    You must use API Hooking to detect the API calls, but VB.NET is not the best language for that.

    I use C++ with the MS Detours library, but there are many ways to hook APIs, like for example

    easy way to set up global API hooks


    • Edited by Castorix31 Friday, June 23, 2017 8:48 AM
    Friday, June 23, 2017 8:46 AM