NtQuerySystemInformation函数,其中SystemBasicInformation(0号功能)返回的结果是一个SYSTEM_BASIC_INFORMATION结构,其中的域bKeNumberProcessors将返回系统CPU的个数。
下面是该函数的具体说明:
/×-------------------------------------------------------------
NtQuerySystemInformation is used to check some system informations
avaiable only in KernelMode (above 0x80000000).
All avaiable (or all known) information classes are described
in SYSTEM_INFORMATION_CLASS.
Requirements
Client: Requires Windows XP or Windows 2000 Professional.
Server: Requires Windows 2000 Server.
Header: Declared in Winternl.h.
DLL: Requires Ntdll.dll.
[NtQuerySystemInformation is available for use in Windows 2000 and
Windows XP. It may be altered or unavailable in subsequent versions.
Applications should use the alternate functions listed in this topic.]
*/
注:NtQuerySystemInformation底层使用中写为ZwQuerySystemInformation,两个函数完全相同,只是入口不同。
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
//SystemInformationClass
//[in] One of the values enumerated in SYSTEM_INFORMATION_CLASS,
//indicating the kind of system information to be retrieved.
IN SYSTEMINFOCLASS SystemInformationClass,
// SystemInformation
// [in, out] Points to a buffer where the requested information is
// to be returned. The size and structure of this information varies
// depending on the value of the SystemInformationClass parameter:
OUT PVOID pSystemInformation,
// SystemInformationLength
// [in] Size of the buffer pointed to by the SystemInformation parameter,
// in bytes.
IN ULONG uSystemInformationLength,
// ReturnLength
// [out, optional] Optional pointer to a location where the function
// writes the actual size of the information requested.
// If that size is less than or equal to the SystemInformationLength
// parameter, the function copies the information into the
// SystemInformation buffer; otherwise, it returns an NTSTATUS error code
// and returns in ReturnLength the size of buffer required to receive
// the requested information.
OUT PULONG puReturnLength OPTIONAL
);
// Return Values
// Returns an NTSTATUS success or error code.
// The forms and significance of NTSTATUS error codes are listed
// in the Ntstatus.h header file available in the Windows Device
// Driver Kit (DDK), and are described in the DDK documentation
// under Kernel-Mode Driver Architecture / Design Guide / Driver
// Programming Techniques / Logging Errors.
typedef enum _SYSTEMINFOCLASS
{
SystemBasicInformation, //0
SystemProcessorInformation, // 1
SystemPerformanceInformation, //2
SystemTimeOfDayInformation, //3
SystemPathInformation, //4 SystemNotImplemented1
SystemProcessInformation, //5 per process SystemProcessesAndThreadsInformation
SystemCallCountInformation, //6 SystemCallInformation
SystemConfigurationInformation, //7 SystemDeviceInformation
SystemProcessorPerformanceInformation, //8 per cpu SystemProcessorCounters
SystemGlobalFlag, //SystemFlagsInformation
SystemCallTimeInformation, //10
SystemModuleInformation, //11
SystemLockInformation, //12
SystemStackTraceInformation, //13 SystemNotImplemented2
SystemPagedPoolInformation, //14 checked build only
SystemNonPagedPoolInformation, //15 checked build only
SystemHandleInformation, //16
SystemObjectInformation, //17 SystemObjectTypeInformation
SystemPageFileInformation, //18 per page file
SystemVdmInstemulInformation, //19 SystemVdmInstemulInformation
SystemVdmBopInformation, //20
SystemFileCacheInformation, //21
SystemPoolTagInformation, //22
SystemInterruptInformation, //23
SystemDpcBehaviorInformation, //24
SystemFullMemoryInformation, //25 checked build only
SystemLoadGdiDriverInformation, //26 set mode only
SystemUnloadGdiDriverInformation, //27 set mode only
SystemTimeAdjustmentInformation, //28 writeable
SystemSummaryMemoryInformation, //29 checked build only
SystemNextEventIdInformation, //30 checked build only
SystemEventIdsInformation, //31 checked build only
SystemCrashDumpInformation, //32
SystemExceptionInformation, //33
SystemCrashDumpStateInformation, //34
SystemKernelDebuggerInformation, //35
SystemContextSwitchInformation, //36
SystemRegistryQuotaInformation, //37
SystemExtendServiceTableInformation, //38 set mode only SystemAddDriver
SystemPrioritySeperation, //39 set mode only SystemPrioritySeparationInformation
SystemPlugPlayBusInformation, //40 not implemented
SystemDockInformation, //41 not implemented
SystemPowerInformation, //42 XP only
SystemProcessorSpeedInformation, //43 XP only
SystemCurrentTimeZoneInformation, //44
SystemLookasideInformation, //45
SystemSetTimeSlipEvent, //46
SystemCreateSession, // set mode only
SystemDeleteSession, // set mode only
SystemInvalidInfoClass1, // invalid info class
SystemRangeStartInformation, // 0x0004 (fails if size != 4)
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation, // checked build only
MaxSystemInfoClass
} SYSTEMINFOCLASS, *PSYSTEMINFOCLASS;
typedef struct _SYSTEM_BASIC_INFORMATION
{
DWORD dwUnknown1; // 0
ULONG uKeMaximumIncrement; // x86: 0x0002625A or 0x00018730
ULONG uPageSize; // bytes
ULONG uMmNumberOfPhysicalPages;
ULONG uMmLowestPhysicalPage;
ULONG uMmHighestPhysicalPage;
ULONG uAllocationGranularity; // bytes
PVOID pLowestUserAddress;
PVOID pMmHighestUserAddress;
KAFFINITY uKeActiveProcessors;
BYTE bKeNumberProcessors;
BYTE bUnknown2;
WORD wUnknown3;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
DWORD InterruptCount;
DWORD dwUnknown1;
} SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
typedef struct _SYSTEM_PERFORMANCE_INFORMATION
{
LARGE_INTEGER liIdleTime;
LARGE_INTEGER IoReadTransferCount;
LARGE_INTEGER IoWriteTransferCount;
LARGE_INTEGER IoOtherTransferCount;
ULONG IoReadOperationCount;
ULONG IoWriteOperationCount;
ULONG IoOtherOperationCount;
ULONG AvailablePages;
ULONG CommittedPages;
ULONG CommitLimit;
ULONG PeakCommitment;
ULONG PageFaultCount;
ULONG CopyOnWriteCount;
ULONG TransitionCount;
ULONG CacheTransitionCount;
ULONG DemandZeroCount;
ULONG PageReadCount;
ULONG PageReadIoCount;
ULONG CacheReadCount;
ULONG CacheIoCount;
ULONG DirtyPagesWriteCount;
ULONG DirtyWriteIoCount;
ULONG MappedPagesWriteCount;
ULONG MappedWriteIoCount;
ULONG PagedPoolPages;
ULONG NonPagedPoolPages;
ULONG PagedPoolAllocs;
ULONG PagedPoolFrees;
ULONG NonPagedPoolAllocs;
ULONG NonPagedPoolFrees;
ULONG FreeSystemPtes;
ULONG ResidentSystemCodePage;
ULONG TotalSystemDriverPages;
ULONG TotalSystemCodePages;
ULONG NonPagedPoolLookasideHits;
ULONG PagedPoolLookasideHits;
ULONG Spare3Count;
ULONG ResidentSystemCachePage;
ULONG ResidentPagedPoolPage;
ULONG ResidentSystemDriverPage;
ULONG CcFastReadNoWait;
ULONG CcFastReadWait;
ULONG CcFastReadResourceMiss;
ULONG CcFastReadNotPossible;
ULONG CcFastMdlReadNoWait;
ULONG CcFastMdlReadWait;
ULONG CcFastMdlReadResourceMiss;
ULONG CcFastMdlReadNotPossible;
ULONG CcMapDataNoWait;
ULONG CcMapDataWait;
ULONG CcMapDataNoWaitMiss;
ULONG CcMapDataWaitMiss;
ULONG CcPinMappedDataCount;
ULONG CcPinReadNoWait;
ULONG CcPinReadWait;
ULONG CcPinReadNoWaitMiss;
ULONG CcPinReadWaitMiss;
ULONG CcCopyReadNoWait;
ULONG CcCopyReadWait;
ULONG CcCopyReadNoWaitMiss;
ULONG CcCopyReadWaitMiss;
ULONG CcMdlReadNoWait;
ULONG CcMdlReadWait;
ULONG CcMdlReadNoWaitMiss;
ULONG CcMdlReadWaitMiss;
ULONG CcReadAheadIos;
ULONG CcLazyWriteIos;
ULONG CcLazyWritePages;
ULONG CcDataFlushes;
ULONG CcDataPages;
ULONG ContextSwitches;
ULONG FirstLevelTbFills;
ULONG SecondLevelTbFills;
ULONG SystemCalls;
}
我们在任务管理器中所见到的所有信息只使用了下面5个调用:
0 SystemBasicInformation
2 SystemPerformanceInformation
5 SystemProcessInformation
8 SystemProcessorPerformanceInformation
21 SystemFileCacheInformation
初始化部分使用了其中的3个调用(0、2、8),这里给出的是任务管理器的初始化部分:
010058D6 InitPerfInfo proc near
010058D6
010058D6 SYSPROCPERFINFO= SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION ptr -76Ch
010058D6 SYSPERFINFO= SYSTEM_PERFORMANCE_INFORMATION ptr -16Ch
010058D6 SYSBASICINFO= SYSTEM_BASIC_INFORMATION ptr -34h
010058D6 pBuf= dword ptr -8
010058D6 i = dword ptr -4
010058D6
010058D6 push ebp
010058D7 mov ebp, esp
010058D9 sub esp, 76Ch
010058DF push ebx
010058E0 push esi
010058E1 xor ebx, ebx
010058E3 push edi
010058E4 push ebx ; puReturnLength
010058E5 lea eax, [ebp+SYSBASICINFO]
010058E8 push 2Ch ; SizeOf(SYSTEM_BASIC_INFORMATION)
010058EA push eax ; pSystemInformation
010058EB push ebx ; ebx = 0 SystemBasicInformation
010058EC call ds:NtQuerySystemInformation
010058F2 cmp eax, ebx
010058F4 jl Err_CpuNumAbove32
010058FA mov eax, [ebp+SYSBASICINFO.uPageSize]
010058FD mov g_PageSize, eax ; 页面大小
01005902 mov al, [ebp+SYSBASICINFO.bKeNumberProcessors]
01005905 cmp al, 32 ; 32位Windows操作系统最多允许系统有32个CPU
01005907 mov g_cProcessors, al ; CPU的个数
0100590C ja Err_CpuNumAbove32
01005912 mov esi, ds:LocalAlloc
01005918 mov edi, 1F40h
0100591D test al, al
0100591F jbe short CpuNumEquOne
01005921
01005921 Loop_for_AllocMem:
01005921 push edi
01005922 push LMEM_ZEROINIT
01005924 call esi ; LocalAlloc
01005926 test eax, eax
01005928 mov g_pCPUHistory[ebx*4], eax
0100592F jz Err_CpuNumAbove32
01005935 push edi
01005936 push LMEM_ZEROINIT
01005938 call esi ; LocalAlloc
0100593A test eax, eax
0100593C mov g_pKernelHistory[ebx*4], eax
01005943 jz Err_CpuNumAbove32
01005949 movzx eax, g_cProcessors
01005950 inc ebx
01005951 cmp ebx, eax
01005953 jl short Loop_for_AllocMem
01005955
01005955 CpuNumEquOne:
01005955 push edi
01005956 push LMEM_ZEROINIT
01005958 call esi ; LocalAlloc
0100595A test eax, eax
0100595C mov g_pMEMHistory, eax
01005961 jz Err_CpuNumAbove32
01005967 push 0 ; puReturnLength
01005969 lea eax, [ebp+SYSPROCPERFINFO]
0100596F push 600h ; 为32个CPU准备空间
0100596F ; SizeOf(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION)*32
01005974 push eax ; pSystemInformation
01005975 push SystemProcessorPerformanceInformation ; SystemInformationClass
01005977 call ds:NtQuerySystemInformation
0100597D test eax, eax
0100597F jl Err_CpuNumAbove32
01005985 movzx eax, g_cProcessors
0100598C and [ebp+i], 0
01005990 test eax, eax
01005992 jle short CpuNumEquOne_1
01005994 lea eax, [ebp+SYSPROCPERFINFO.KernelTime]
0100599A mov [ebp+pBuf], offset PreviousCPUKernelTime
010059A1
010059A1 Loop_IniCpuAllTime:
010059A1 mov ecx, [ebp+i]
010059A4 mov edx, [eax-8] ; edx = IdleTime.LowPart
010059A7 mov edi, [eax+8] ; edi = UserTime.LowPart
010059AA mov esi, [eax+4] ; esi = KernelTime.HighPart
010059AD shl ecx, 3 ; ecx = i X 8
010059B0 mov ebx, [eax+0Ch] ; ebx = UserTime.HighPart
010059B3 mov dword ptr PreviousCPUIdleTime.LowPart[ecx], edx
010059B9 mov edx, [eax-4] ; edx = IdleTime.HighPart
010059BC mov PreviousCPUIdleTime.HighPart[ecx], edx
010059C2 mov edx, [eax] ; KernelTime.LowPart
010059C4 add edi, edx ; edi = UserTime.LowPart + KernelTime.LowPart
010059C6 adc ebx, esi ; 带进位加
010059C6 ; ebx = UserTime.HighPart + KernelTime.HighPart
010059C8 add edx, [eax-8] ; edx = KernelTime.LowPart + IdleTime.LowPart
010059CB mov dword ptr PreviousCPUTotalTime.LowPart[ecx], edi
010059D1 mov PreviousCPUTotalTime.HighPart[ecx], ebx
010059D7 mov ecx, [ebp+pBuf] ; PreviousCPUKernelTime的指针
010059DA adc esi, [eax-4] ; 带进位加
010059DA ; esi = KernelTime.HighPart + IdleTime.HighPart
010059DD add eax, 30h ; 取下一个CPU的相关数据
010059DD ; SizeOf(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION)
010059E0 inc [ebp+i]
010059E3 mov [ecx], edx ; PreviousCPUTotalTime.LowPart = KernelTime.LowPart + IdleTime.LowPart
010059E5 mov [ecx+4], esi ; PreviousCPUTotalTime.HighPart = KernelTime.HighPart + IdleTime.HighPart
010059E8 add ecx, 8 ; 移动PreviousCPUKernelTime的指针
010059EB mov [ebp+pBuf], ecx ; 保存PreviousCPUKernelTime的指针
010059EE movzx ecx, g_cProcessors
010059F5 cmp [ebp+i], ecx ; 和Cpu的个数比较
010059F8 jl short Loop_IniCpuAllTime
010059FA
010059FA CpuNumEquOne_1: ; puReturnLength
010059FA push 0
010059FC lea eax, [ebp+SYSPERFINFO]
01005A02 push 138h ; SizeOf(SYSTEM_PERFORMANCE_INFORMATION)
01005A07 push eax ; pSystemInformation
01005A08 push SystemPerformanceInformation ; SystemInformationClass
01005A0A call ds:NtQuerySystemInformation
01005A10 test eax, eax
01005A12 jge short Init_Exit
01005A14
01005A14 Err_CpuNumAbove32: ; 如果出错返回 0
01005A14 xor al, al
01005A16 jmp short Exit
01005A18
01005A18 Init_Exit:
01005A18 mov eax, g_PageSize
01005A1D shr eax, 10
01005A20 imul eax, [ebp+SYSPERFINFO.CommitLimit]
01005A27 mov g_MEMMax, eax
01005A2C mov al, g_cProcessors ; 返回Cpu的个数
01005A31
01005A31 Exit:
01005A31 pop edi
01005A32 pop esi
01005A33 pop ebx
01005A34 leave
01005A35 retn
01005A35 InitPerfInfo endp
01005A35
NtQuerySystemInformation非常复杂,其中的结构随着Windows的版本变化会发生变化,这里给出的结构是2K系统的。