Hi,
The problem I am trying to solve looks pretty easy but as a matter of fact is rather complicated. I am trying to acquire a process ID by its full image name. The array of SYSTEM_PROCESS_INFORMATION structures is an out parameter for ZwQuerySystemInformation(), but this structure is undocumented (as well as the function itself), so I do not know whether it is a fixed-size structure or not. The first field, however, is ULONG NextEntryOffset; what does it mean? That the structure is not fixed-size and this is an offset of the next structure?
The problem is the fields in this structure seem rather junky to me and I don’t know what to do.
Please, help!!!
I don't know off the top of my head, but I'd guess this kind of information can
be found in the Nebbett book.
wrote in message news:xxxxx@ntfsd…
Of course it's not a fixed structure, because at any given time you do not
have the same number of open processes.
Next entry offset acts like a relative virtual address where the next
SYSTEM_PROCESS_INFORMATION structure is.
So you might want to go through the structure like this
PSYSTEM_PROCESS_INFORMATION SysProcInfo; // the buffer filled by ZwQuerySystemInformation (allocation/query not shown)
PSYSTEM_PROCESS_INFORMATION aux = SysProcInfo; // the cursor that walks the entries
while (1)
{
    //
    // do processing with this SYSTEM_PROCESS_INFORMATION cell
    // ex: if (aux->UniqueProcessId == myId) . . . .
    //
    if (aux->NextEntryOffset == 0)
        break;
    // NextEntryOffset is relative to the current entry, not to the start of the buffer
    aux = (PSYSTEM_PROCESS_INFORMATION)((char *)aux + aux->NextEntryOffset);
}
ExFreePoolWithTag(SysProcInfo, YOUR_DRIVER_TAG);
> I am trying to acquire a process ID by its full image name.
I don't understand what you mean by this.
If you know the PID you might want to use ZwQueryInformationProcess.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J Clarke
Sent: Monday, October 06, 2008 11:13 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwQuerySystemInformation() chaos
—
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
You are currently subscribed to ntfsd as: xxxxx@gmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
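Added example (written for this thread, not code from the list, the poster or the Windows SDK): a user-mode C walk over a constructed buffer of unequally spaced entries, showing NextEntryOffset applied to the current entry rather than to the buffer start, with the bounds checks a driver should apply before following a link it did not produce itself. The ENTRY layout, find_pid, build_sample and the sample PIDs and names are all assumptions of the example; the real structure carries a UNICODE_STRING ImageName and a trailing thread array.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the leading fields of SYSTEM_PROCESS_INFORMATION.
 * Assumed layout for this example only: the real structure has a
 * UNICODE_STRING ImageName and a variable-length thread array after it,
 * which is why consecutive entries are not sizeof(ENTRY) apart. */
typedef struct {
    uint32_t NextEntryOffset;  /* bytes from THIS entry to the next; 0 marks the last */
    uint32_t UniqueProcessId;
    char     ImageName[16];    /* constructed, NUL-terminated */
} ENTRY;

/* Walk the chain and return the PID of the first entry whose image name
 * matches, or 0 when nothing matches or the chain would leave the buffer. */
uint32_t find_pid(const unsigned char *buf, size_t buf_len, const char *name)
{
    size_t pos = 0;
    for (;;) {
        ENTRY e;
        if (pos > buf_len || buf_len - pos < sizeof e)   /* bounds check before reading */
            return 0;
        memcpy(&e, buf + pos, sizeof e);                  /* no unaligned/aliasing access */
        if (strncmp(e.ImageName, name, sizeof e.ImageName) == 0)
            return e.UniqueProcessId;
        if (e.NextEntryOffset == 0)                       /* end of list */
            return 0;
        if (e.NextEntryOffset < sizeof e)                 /* refuse overlapping / zero-progress links */
            return 0;
        pos += e.NextEntryOffset;   /* relative to the current entry, NOT to buf */
    }
}

/* Constructed sample buffer: three entries with unequal spacing (32 and 40 bytes). */
static unsigned char g_buf[128];

size_t build_sample(void)
{
    ENTRY a = { 32, 4,    "System" };
    ENTRY b = { 40, 1234, "lsass.exe" };
    ENTRY c = { 0,  5678, "notepad.exe" };
    memset(g_buf, 0, sizeof g_buf);
    memcpy(g_buf + 0,  &a, sizeof a);
    memcpy(g_buf + 32, &b, sizeof b);
    memcpy(g_buf + 72, &c, sizeof c);
    return 96;   /* bytes actually in use */
}
```

Passing a buffer length shorter than the chain (96 bytes here) makes the walk stop at the bounds check instead of reading past the end, which is the failure the original loop's unchecked pointer arithmetic would hit on a truncated or corrupted buffer.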
Thanks! It was a great help. Actually I am trying to obtain a pid having only an image name. I am running through the structures comparing the names which I acquire with ZwQueryInformationProcess, and if I find a name I am looking for I am returning its UniqueProcessId.
Thanks a lot,
Dmitry.
Actually, I didn't find SYSTEM_PROCESS_INFORMATION in my Nebbett, but then I
found http://msdn.microsoft.com/en-us/library/ms725506(VS.85).aspx which I
guess you'd seen.
wrote in message news:xxxxx@ntfsd…
Yes, and NtQuerySystemInformation() is documented in MSDN 2008 (build date: 4/24/2008). The SYSTEM_PROCESS_INFORMATION structure is also found in winternl.h in the Microsoft SDK. It was kind of confusing since I found at least 5 different definitions of this structure when googling.
Thanks for the reply!