how can i verify that CreateToolhelp32Snapshot() is using NtQuerySystemInformation?

https://stackoverflow.com/questions/23537078

c++
winapi

17-07-2023
|

题

i read that CreateToolhelp32Snapshot(), EnumProcesses() and Windows TaskManager are all using the undocumented NtQuerySystemInformation function.

is there any way i can verify this? i am looking for a tool that can show me all the under layer api calling that programs do.

解决方案

There is a project named ReactOS which is mostly a reverse engineering of Windows. CreateToolhelp32Snapshot and its freinds could be found in the file toolhelp.c:

[ReactOS Path]/dll/win32/kernel32/client/toolhelp.c

which actually makes a call to NtQuerySystemInformation in this chain:

CreateToolhelp32Snapshot
  |
TH32CreateSnapshot
  |
NtQuerySystemInformation

As for EnumProcesses (dll/win32/psapi/psapi.c and lib/epsapi/enum/processes.c):

EnumProcesses
  |
PsaEnumerateProcesses
  |
PsaEnumerateProcessesAndThreads
  | 
PsaCaptureProcessesAndThreads
  |
NtQuerySystemInformation

Or using a disassembler, IDA:

NtQuerySystemInformation references to

https://i.stack.imgur.com/1rS6q.png

许可以下： CC-BY-SA 和归因

不隶属于 StackOverflow