-2

I read that CreateToolhelp32Snapshot(), EnumProcesses() and Windows Task Manager are all using the undocumented NtQuerySystemInformation function.

Is there any way I can verify this? I am looking for a tool that can show me all the underlying API calls that programs make.

user1438233
  • possible duplicate of [Monitoring API calls](http://stackoverflow.com/questions/961779/monitoring-api-calls) and [Monitoring application calls to DLL](http://stackoverflow.com/q/311268) – Cody Gray - on strike May 08 '14 at 09:02

1 Answer

1

There is a project named ReactOS which is mostly a reverse engineering of Windows. CreateToolhelp32Snapshot and its friends can be found in the file toolhelp.c:

[ReactOS Path]/dll/win32/kernel32/client/toolhelp.c

which actually makes a call to NtQuerySystemInformation in this chain:

CreateToolhelp32Snapshot
  |
TH32CreateSnapshot
  |
NtQuerySystemInformation

As for EnumProcesses (dll/win32/psapi/psapi.c and lib/epsapi/enum/processes.c):

EnumProcesses
  |
PsaEnumerateProcesses
  |
PsaEnumerateProcessesAndThreads
  | 
PsaCaptureProcessesAndThreads
  |
NtQuerySystemInformation

Or using a disassembler, IDA:

References to NtQuerySystemInformation:

https://i.stack.imgur.com/1rS6q.png

  • ReactOS is, however, a clean room reverse engineering of Windows. So although it strives to implement identical functionality, you cannot assume that it does so exactly the same way as Windows itself. That makes this a partial answer to the question. Indeed, you *can* implement `CreateToolhelp32Snapshot` via `NtQuerySystemInformation`, but that doesn't mean Windows *does*. – Cody Gray - on strike May 08 '14 at 21:03
  • @CodyGray It's possible to use a disassembler; ReactOS would save the time. Anyway, both functions do call `NtQuerySystemInformation`, though the path is different. –  May 08 '14 at 22:10
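The answer and comments above argue from ReactOS source and from disassembly; a complementary, empirical check on a real Windows box is to call `NtQuerySystemInformation(SystemProcessInformation)` directly and compare its result with what `CreateToolhelp32Snapshot` returns. The PowerShell script below is an added example, not code from the question, the answer or ReactOS. It assumes a Windows x86 or x64 host with Windows PowerShell 5.1 or PowerShell 7, and it relies on the widely used `SYSTEM_PROCESS_INFORMATION` layout (`NextEntryOffset` at 0, `UniqueProcessId` at 0x50 on x64 and 0x44 on x86); the class name `ProcEnum` and the method names are my own.

```powershell
# Added example: enumerate processes via ntdll!NtQuerySystemInformation and via
# kernel32!CreateToolhelp32Snapshot, then compare the two PID lists.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class ProcEnum
{
    // ---- direct route: ntdll!NtQuerySystemInformation, SystemProcessInformation = 5 ----
    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returnLength);

    const int SystemProcessInformation = 5;
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    public static int[] ViaNtQuerySystemInformation()
    {
        int length = 64 * 1024, returnLength, status;
        IntPtr buffer = Marshal.AllocHGlobal(length);
        // The process list can grow between the size query and the real call, so retry on mismatch.
        while ((status = NtQuerySystemInformation(SystemProcessInformation, buffer, length, out returnLength))
               == STATUS_INFO_LENGTH_MISMATCH)
        {
            Marshal.FreeHGlobal(buffer);
            length = returnLength + 64 * 1024;
            buffer = Marshal.AllocHGlobal(length);
        }
        if (status != 0)
        {
            Marshal.FreeHGlobal(buffer);
            throw new Exception("NtQuerySystemInformation failed, NTSTATUS 0x" + status.ToString("X8"));
        }
        // SYSTEM_PROCESS_INFORMATION entries form a chain terminated by NextEntryOffset == 0.
        // UniqueProcessId (a HANDLE) sits at 0x50 on x64 and 0x44 on x86 (assumed layout).
        int pidOffset = IntPtr.Size == 8 ? 0x50 : 0x44;
        var pids = new List<int>();
        long entry = buffer.ToInt64();
        while (true)
        {
            IntPtr e = new IntPtr(entry);
            pids.Add(Marshal.ReadIntPtr(e, pidOffset).ToInt32());
            int next = Marshal.ReadInt32(e, 0);
            if (next == 0) break;
            entry += next;
        }
        Marshal.FreeHGlobal(buffer);
        pids.Sort();
        return pids.ToArray();
    }

    // ---- documented route: kernel32 Toolhelp snapshot ----
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateToolhelp32Snapshot(uint flags, uint processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool Process32First(IntPtr snapshot, ref PROCESSENTRY32 entry);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool Process32Next(IntPtr snapshot, ref PROCESSENTRY32 entry);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint TH32CS_SNAPPROCESS = 0x00000002;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
    struct PROCESSENTRY32
    {
        public uint dwSize;
        public uint cntUsage;
        public uint th32ProcessID;
        public IntPtr th32DefaultHeapID;
        public uint th32ModuleID;
        public uint cntThreads;
        public uint th32ParentProcessID;
        public int pcPriClassBase;
        public uint dwFlags;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
        public string szExeFile;
    }

    public static int[] ViaToolhelp()
    {
        IntPtr snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (snapshot == INVALID_HANDLE_VALUE)
            throw new Exception("CreateToolhelp32Snapshot failed, error " + Marshal.GetLastWin32Error());
        var pids = new List<int>();
        var entry = new PROCESSENTRY32();
        entry.dwSize = (uint)Marshal.SizeOf(typeof(PROCESSENTRY32));
        if (Process32First(snapshot, ref entry))
        {
            do { pids.Add((int)entry.th32ProcessID); } while (Process32Next(snapshot, ref entry));
        }
        CloseHandle(snapshot);
        pids.Sort();
        return pids.ToArray();
    }
}
'@
Add-Type -TypeDefinition $src

$nt = [ProcEnum]::ViaNtQuerySystemInformation()
$th = [ProcEnum]::ViaToolhelp()
"NtQuerySystemInformation: $($nt.Count) PIDs; CreateToolhelp32Snapshot: $($th.Count) PIDs"
# Anything listed here is only churn between the two calls (a process that started or exited).
Compare-Object -ReferenceObject $nt -DifferenceObject $th
```

Matching PID sets (both include PID 0, the idle process) show that the Toolhelp snapshot exposes the same data that `SystemProcessInformation` provides, which is consistent with the call chain the answer quotes from ReactOS but, as the comments point out, does not by itself prove that Windows takes that path. The definitive check on the real binary is a debugger: set a breakpoint on `ntdll!NtQuerySystemInformation` (`bp ntdll!NtQuerySystemInformation` in WinDbg), call `CreateToolhelp32Snapshot`, and print the stack (`k`) when it hits to see the frames in between.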