[NativeAPI.h] ZwQuerySystemInformation()

NTSTATUS WINAPI ZwQuerySystemInformation(
  __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,  //얻어올 시스템 종류(핸들정보)
  __inout    PVOID SystemInformation,                          //버퍼
  __in       ULONG SystemInformationLength,                    //버퍼 크기
  __out_opt  PULONG ReturnLength                               //받아올 값의 크기
);

SystemInformationClass [in]


The type of system information to be retrieved. 

This parameter can be one of the following values from 

the SYSTEM_INFORMATION_CLASS enumeration type. 


SystemInformation [in, out]


A pointer to a buffer that receives the requested information. 
The size and structure of this information varies depending on 
the value of the SystemInformationClass parameter, as indicated in the following table.


SystemInformationLength [in]


The size of the buffer pointed to by the SystemInformation parameter, in bytes.


ReturnLength [out, optional]


An optional pointer to a location where the function writes the actual size of the information requested.
If that size is less than or equal to the SystemInformationLength parameter, the function copies
the information into the SystemInformation buffer; otherwise, it returns an NTSTATUS error code 
and returns in ReturnLength the size of buffer required to receive the requested information.






시스템에 로드된 모든 핸들의 정보를 조사하여 EPROCESS 구조체의 주소를 얻는다

  출처

  http://msdn.microsoft.com/en-us/library/ms725506(v=vs.85).aspx

  http://undocumented.ntinternals.net/

  http://blog.naver.com/PostView.nhn?blogId=ailoved&logNo=70072002067

  http://dakuo.tistory.com/169