{"componentChunkName":"component---src-templates-post-template-js","path":"/rust-winapi-use-ntapi-en","result":{"data":{"markdownRemark":{"id":"496425f6-ea73-58ef-a7a5-d4e802eed5e5","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/rust-winapi-use-ntapi\">original page</a>.</p>\n</blockquote>\n<p>Continuing on from the <a href=\"/tag/rust-win-api\">previous articles</a>, this time I wrote a program that uses the <code class=\"language-text\">windows</code> crate in Rust to obtain a handle to an already-loaded DLL (ntdll.dll) with GetModuleHandleW, resolve one of its exports with GetProcAddress, and then call a native API, NtQuerySystemInformation, through a function pointer rather than through a binding from the official <code class=\"language-text\">windows</code> crate. (Recent releases of the crate do expose this function under <code class=\"language-text\">Wdk::System::SystemInformation</code>, but resolving the export by hand is the point of this exercise, and it is the same technique you need for any export the crate does not cover.)</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">NtQuerySystemInformation function (winternl.h) - Win32 apps | Microsoft Learn</a></p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#the-code-i-wrote\">The Code I Wrote</a></li>\n<li><a href=\"#modules-used\">Modules Used</a></li>\n<li><a href=\"#using-getmodulehandlew\">Using GetModuleHandleW</a></li>\n<li><a href=\"#getting-the-address-of-ntquerysysteminformation\">Getting the Address of 
NtQuerySystemInformation</a></li>\n<li>\n<p><a href=\"#using-the-ntquerysysteminformation-function\">Using the NtQuerySystemInformation Function</a></p>\n<ul>\n<li><a href=\"#checking-the-array-size-to-retrieve\">Checking the Array Size to Retrieve</a></li>\n<li><a href=\"#retrieving-an-array-of-structures-containing-process-information\">Retrieving an Array of Structures Containing Process Information</a></li>\n</ul>\n</li>\n<li><a href=\"#parsing-the-structures\">Parsing the Structures</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"the-code-i-wrote\" style=\"position:relative;\"><a href=\"#the-code-i-wrote\" aria-label=\"the code i wrote permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Code I Wrote</h2>\n<p>The code I wrote this time is shown below.</p>\n<p>When you run it, it calls NtQuerySystemInformation with the SystemProcessInformation class (value 5) and walks the returned SYSTEM_PROCESS_INFORMATION list, printing each process's image name, PID, parent PID, thread count and handle count. Two things are worth keeping in mind while reading it. First, the buffer is parsed through hand-declared <code class=\"language-text\">#[repr(C)]</code> structures, so the field offsets must match what ntdll.dll actually writes; the fields printed here sit at the same offsets as in the public winternl.h declaration. Second, the size-probing call and the real call are not atomic: if processes are created in between, the second call can also fail with STATUS_INFO_LENGTH_MISMATCH, which this program reports as an error rather than retrying with a larger buffer.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 844px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f955e5523d0bf6163bd29e31167ca15b/33e10/image-20250413192404220.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 57.50000000000001%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f955e5523d0bf6163bd29e31167ca15b/8ac56/image-20250413192404220.webp 240w,\n/static/f955e5523d0bf6163bd29e31167ca15b/d3be9/image-20250413192404220.webp 480w,\n/static/f955e5523d0bf6163bd29e31167ca15b/20d15/image-20250413192404220.webp 844w\"\n              sizes=\"(max-width: 844px) 100vw, 844px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f955e5523d0bf6163bd29e31167ca15b/8ff5a/image-20250413192404220.png 240w,\n/static/f955e5523d0bf6163bd29e31167ca15b/e85cb/image-20250413192404220.png 480w,\n/static/f955e5523d0bf6163bd29e31167ca15b/33e10/image-20250413192404220.png 844w\"\n            sizes=\"(max-width: 844px) 100vw, 844px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f955e5523d0bf6163bd29e31167ca15b/33e10/image-20250413192404220.png\"\n            alt=\"image-20250413192404220\"\n            title=\"image-20250413192404220\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// cargo run --bin CallNtApi</span>\n\n<span class=\"token keyword\">use</span> <span class=\"token namespace\">windows<span class=\"token punctuation\">::</span></span><span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">// core::{ HSTRING, PCSTR },</span>\n    <span class=\"token namespace\">core<span class=\"token punctuation\">::</span></span> <span class=\"token punctuation\">{</span> s<span class=\"token punctuation\">,</span> w 
<span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Wdk</span><span class=\"token punctuation\">::</span><span class=\"token class-name\">System</span><span class=\"token punctuation\">::</span><span class=\"token class-name\">SystemServices</span><span class=\"token punctuation\">::</span><span class=\"token constant\">VM_COUNTERS</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Win32</span><span class=\"token punctuation\">::</span><span class=\"token punctuation\">{</span><span class=\"token class-name\">Foundation</span><span class=\"token punctuation\">::</span><span class=\"token class-name\">CloseHandle</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">System</span><span class=\"token punctuation\">::</span><span class=\"token punctuation\">{</span>\n        <span class=\"token class-name\">LibraryLoader</span><span class=\"token punctuation\">::</span><span class=\"token punctuation\">{</span> <span class=\"token class-name\">GetModuleHandleW</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">GetProcAddress</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n        <span class=\"token class-name\">Threading</span><span class=\"token punctuation\">::</span><span class=\"token constant\">IO_COUNTERS</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">use</span> <span class=\"token namespace\">std<span class=\"token punctuation\">::</span></span><span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">// ffi::CString,</span>\n    <span class=\"token namespace\">io<span class=\"token punctuation\">::</span></span>stdin<span class=\"token punctuation\">,</span>\n    
<span class=\"token namespace\">mem<span class=\"token punctuation\">::</span></span>transmute<span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">os<span class=\"token punctuation\">::</span>raw<span class=\"token punctuation\">::</span></span><span class=\"token punctuation\">{</span> c_void<span class=\"token punctuation\">,</span> c_ulong<span class=\"token punctuation\">,</span> c_ushort <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">ptr<span class=\"token punctuation\">::</span></span>null_mut<span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">slice<span class=\"token punctuation\">::</span></span>from_raw_parts\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">HANDLE</span> <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> c_void<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">ULONG</span> <span class=\"token operator\">=</span> c_ulong<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">USHORT</span> <span class=\"token operator\">=</span> c_ushort<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">WCHAR</span> <span class=\"token operator\">=</span> <span class=\"token keyword\">u16</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token attribute attr-name\">#[repr(C)]</span>\n<span class=\"token keyword\">struct</span> <span class=\"token type-definition class-name\">UNICODE_STRING</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token 
class-name\">Length</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">USHORT</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">MaximumLength</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">USHORT</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">:</span> <span class=\"token operator\">*</span><span class=\"token keyword\">const</span> <span class=\"token constant\">WCHAR</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token attribute attr-name\">#[repr(C)]</span>\n<span class=\"token keyword\">struct</span> <span class=\"token type-definition class-name\">SYSTEM_PROCESS_INFORMATION</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">NextEntryOffset</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">NumberOfThreads</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Reserved</span><span class=\"token punctuation\">:</span> <span class=\"token punctuation\">[</span><span class=\"token keyword\">u8</span><span class=\"token punctuation\">;</span> <span class=\"token number\">48</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">UNICODE_STRING</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">BasePriority</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span 
class=\"token class-name\">UniqueProcessId</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">HANDLE</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">InheritedFromUniqueProcessId</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">HANDLE</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">HandleCount</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Reserved2</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">PrivatePageCount</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">VirtualMemoryCounters</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">VM_COUNTERS</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">IoCounters</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">IO_COUNTERS</span>\n    <span class=\"token comment\">// omitted: the variable-length Threads array (SYSTEM_THREAD_INFORMATION) that follows the fixed part</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">NtQuerySystemInformationFn</span> <span class=\"token operator\">=</span> <span class=\"token keyword\">unsafe</span> <span class=\"token keyword\">extern</span> <span class=\"token string\">\"system\"</span> <span class=\"token keyword\">fn</span><span class=\"token punctuation\">(</span>\n    <span class=\"token class-name\">SystemInformationClass</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span 
class=\"token class-name\">SystemInformation</span><span class=\"token punctuation\">:</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> c_void<span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">SystemInformationLength</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">ReturnLength</span><span class=\"token punctuation\">:</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">-></span> <span class=\"token keyword\">i32</span><span class=\"token punctuation\">;</span>\n\n\n<span class=\"token keyword\">fn</span> <span class=\"token function-definition function\">get_input</span><span class=\"token punctuation\">(</span>input_string<span class=\"token punctuation\">:</span> <span class=\"token operator\">&amp;</span><span class=\"token keyword\">str</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"{}\"</span><span class=\"token punctuation\">,</span> input_string<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> input <span class=\"token operator\">=</span> <span class=\"token class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">new</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">stdin</span><span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">read_line</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span><span class=\"token keyword\">mut</span> input<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">expect</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to read input.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n\n<span class=\"token keyword\">fn</span> <span class=\"token function-definition function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">unsafe</span> <span class=\"token punctuation\">{</span>\n\n        <span class=\"token comment\">// Load ntdll</span>\n        <span class=\"token comment\">// let ntdll = &amp;HSTRING::from(\"ntdll.dll\");</span>\n        <span class=\"token keyword\">let</span> ntdll <span class=\"token operator\">=</span> <span class=\"token macro property\">w!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ntdll.dll\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">let</span> h_ntdll_module <span class=\"token operator\">=</span> <span class=\"token class-name\">GetModuleHandleW</span><span class=\"token punctuation\">(</span>ntdll<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">unwrap</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n        <span class=\"token keyword\">if</span> h_ntdll_module<span class=\"token punctuation\">.</span><span class=\"token function\">is_invalid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to get handle to ntdll.dll\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Created h_ntdll: {:?}\"</span><span class=\"token punctuation\">,</span> h_ntdll_module<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n\n        <span class=\"token comment\">// Get proc address</span>\n        <span class=\"token comment\">// let s_func_name = CString::new(\"NtQuerySystemInformation\").unwrap();</span>\n        <span class=\"token keyword\">let</span> s_func_name <span class=\"token operator\">=</span> <span class=\"token macro property\">s!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">let</span> func_addr <span class=\"token operator\">=</span> <span class=\"token class-name\">GetProcAddress</span><span class=\"token punctuation\">(</span>h_ntdll_module<span class=\"token punctuation\">,</span> s_func_name<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">if</span> func_addr<span class=\"token punctuation\">.</span><span class=\"token function\">is_none</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to get proc address.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Get proc address: {:?}\"</span><span class=\"token punctuation\">,</span> func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">let</span> nt_query_system_information<span class=\"token punctuation\">:</span> <span class=\"token class-name\">NtQuerySystemInformationFn</span> <span class=\"token operator\">=</span> <span class=\"token function\">transmute</span><span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token comment\">// First call func</span>\n        <span class=\"token keyword\">let</span> system_process_information <span class=\"token operator\">=</span> <span class=\"token number\">5</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// SystemProcessInformation</span>\n        <span class=\"token keyword\">let</span> <span 
class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">let</span> status <span class=\"token operator\">=</span> <span class=\"token function\">nt_query_system_information</span><span class=\"token punctuation\">(</span>\n            system_process_information<span class=\"token punctuation\">,</span>\n            <span class=\"token function\">null_mut</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n            <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n            <span class=\"token operator\">&amp;</span><span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token comment\">// println!(\"First NtQuerySystemInformation call status: {:#x}\", status);</span>\n        <span class=\"token comment\">// With a NULL buffer the call must fail with STATUS_INFO_LENGTH_MISMATCH (0xC0000004);</span>\n        <span class=\"token comment\">// ReturnLength then holds the number of bytes the real call needs.</span>\n        <span class=\"token macro property\">assert!</span><span class=\"token punctuation\">(</span>status <span class=\"token keyword\">as</span> <span class=\"token keyword\">u32</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xc0000004</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation return length: {:?}\"</span><span class=\"token punctuation\">,</span> u_return_length<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token comment\">// Second call func</span>\n        <span class=\"token comment\">// The buffer is declared mut and passed via as_mut_ptr(): writing through a pointer</span>\n        <span class=\"token comment\">// derived from as_ptr() on an immutable Vec is undefined behaviour even when it appears to work.</span>\n        <span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> buffer <span class=\"token operator\">=</span> <span class=\"token macro property\">vec!</span><span class=\"token punctuation\">[</span><span class=\"token number\">0u8</span><span class=\"token punctuation\">;</span> u_return_length <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">let</span> status <span class=\"token operator\">=</span> <span class=\"token function\">nt_query_system_information</span><span class=\"token punctuation\">(</span>\n            system_process_information<span class=\"token punctuation\">,</span>\n            buffer<span class=\"token punctuation\">.</span><span class=\"token function\">as_mut_ptr</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> c_void<span class=\"token punctuation\">,</span>\n            u_return_length<span class=\"token punctuation\">,</span>\n            <span class=\"token operator\">&amp;</span><span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token comment\">// Processes may have been created between the two calls; the second call then also returns</span>\n        <span class=\"token comment\">// STATUS_INFO_LENGTH_MISMATCH, which this program reports as a failure instead of retrying.</span>\n        <span class=\"token keyword\">if</span> status <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation failed: {:?}\"</span><span class=\"token punctuation\">,</span> status<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n        <span 
class=\"token punctuation\">}</span>\n\n        <span class=\"token comment\">// Analyze buffer</span>\n        <span class=\"token comment\">// Each entry is read in place. Vec&lt;u8> only guarantees 1-byte alignment while</span>\n        <span class=\"token comment\">// SYSTEM_PROCESS_INFORMATION needs 8; in practice the allocation is 16-byte aligned and</span>\n        <span class=\"token comment\">// NextEntryOffset is a multiple of 8, but a Vec&lt;u64> buffer (or ptr::read_unaligned)</span>\n        <span class=\"token comment\">// would make this sound by construction.</span>\n        <span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> offset <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">while</span> offset <span class=\"token operator\">&lt;</span> u_return_length <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">let</span> spi <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>buffer<span class=\"token punctuation\">.</span><span class=\"token function\">as_ptr</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span>offset <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token operator\">*</span><span class=\"token keyword\">const</span> <span class=\"token constant\">SYSTEM_PROCESS_INFORMATION</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n            <span class=\"token keyword\">let</span> name <span class=\"token operator\">=</span> <span class=\"token keyword\">if</span> <span class=\"token operator\">!</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">.</span><span class=\"token function\">is_null</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> spi<span 
class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Length</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n                <span class=\"token keyword\">let</span> slice <span class=\"token operator\">=</span> <span class=\"token function\">from_raw_parts</span><span class=\"token punctuation\">(</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Length</span> <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                <span class=\"token class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">from_utf16_lossy</span><span class=\"token punctuation\">(</span>slice<span class=\"token punctuation\">)</span>\n            <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n                <span class=\"token class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">from</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"System Idle Process\"</span><span class=\"token punctuation\">)</span>\n            <span class=\"token punctuation\">}</span><span class=\"token 
punctuation\">;</span>\n\n            <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span>\n                <span class=\"token string\">\"Name: {},\\tPID: {:?},\\tPPID: {:?},\\tThreads: {:?},\\tHandles: {:?}\"</span><span class=\"token punctuation\">,</span>\n                name<span class=\"token punctuation\">,</span>\n                spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">UniqueProcessId</span><span class=\"token punctuation\">,</span>\n                spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">InheritedFromUniqueProcessId</span><span class=\"token punctuation\">,</span>\n                spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">NumberOfThreads</span><span class=\"token punctuation\">,</span>\n                spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">HandleCount</span>\n            <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n            <span class=\"token keyword\">if</span> spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">NextEntryOffset</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n                <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n            <span class=\"token punctuation\">}</span>\n\n            offset <span class=\"token operator\">+=</span> spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">NextEntryOffset</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token punctuation\">}</span>\n\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">get_input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Finish program.\"</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h2 id=\"modules-used\" style=\"position:relative;\"><a href=\"#modules-used\" aria-label=\"modules used permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Modules Used</h2>\n<p>This time I import the following modules.</p>\n<p>The commented-out items (<code class=\"language-text\">HSTRING</code>, <code class=\"language-text\">PCSTR</code> and <code class=\"language-text\">CString</code>) are what I had been using to build the <code class=\"language-text\">Param&lt;PCWSTR></code> and <code class=\"language-text\">Param&lt;PCSTR></code> arguments that the Windows API wrappers take, but I stopped using them because the <code class=\"language-text\">s!</code> and <code class=\"language-text\">w!</code> macros from <code class=\"language-text\">windows::core</code> are more convenient: they turn a string literal into a null-terminated <code class=\"language-text\">PCSTR</code> or <code class=\"language-text\">PCWSTR</code> backed by static data, so there is no runtime allocation and nothing to keep alive. <code class=\"language-text\">CloseHandle</code> is imported but never used, and that is correct for this program: GetModuleHandleW returns a module handle, not a kernel object handle, and the caller must neither close it nor free the module.</p>\n<p>Reference: <a href=\"https://docs.rs/windows-sys/latest/windows_sys/core/macro.w.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">w in windows_sys::core - Rust</a></p>\n<p>Reference: <a href=\"https://docs.rs/windows-sys/latest/windows_sys/core/macro.s.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">s in windows_sys::core - Rust</a></p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token keyword\">use</span> <span class=\"token namespace\">windows<span class=\"token punctuation\">::</span></span><span class=\"token 
punctuation\">{</span>\n    <span class=\"token comment\">// core::{ HSTRING, PCSTR },</span>\n    <span class=\"token namespace\">core<span class=\"token punctuation\">::</span></span> <span class=\"token punctuation\">{</span> s<span class=\"token punctuation\">,</span> w <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Wdk</span><span class=\"token punctuation\">::</span><span class=\"token class-name\">System</span><span class=\"token punctuation\">::</span><span class=\"token class-name\">SystemServices</span><span class=\"token punctuation\">::</span><span class=\"token constant\">VM_COUNTERS</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Win32</span><span class=\"token punctuation\">::</span><span class=\"token punctuation\">{</span><span class=\"token class-name\">Foundation</span><span class=\"token punctuation\">::</span><span class=\"token class-name\">CloseHandle</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">System</span><span class=\"token punctuation\">::</span><span class=\"token punctuation\">{</span>\n        <span class=\"token class-name\">LibraryLoader</span><span class=\"token punctuation\">::</span><span class=\"token punctuation\">{</span> <span class=\"token class-name\">GetModuleHandleW</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">GetProcAddress</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n        <span class=\"token class-name\">Threading</span><span class=\"token punctuation\">::</span><span class=\"token constant\">IO_COUNTERS</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">use</span> <span class=\"token namespace\">std<span class=\"token 
punctuation\">::</span></span><span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">// ffi::CString,</span>\n    <span class=\"token namespace\">io<span class=\"token punctuation\">::</span></span>stdin<span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">mem<span class=\"token punctuation\">::</span></span>transmute<span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">os<span class=\"token punctuation\">::</span>raw<span class=\"token punctuation\">::</span></span><span class=\"token punctuation\">{</span> c_void<span class=\"token punctuation\">,</span> c_ulong<span class=\"token punctuation\">,</span> c_ushort <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">ptr<span class=\"token punctuation\">::</span></span>null_mut<span class=\"token punctuation\">,</span>\n    <span class=\"token namespace\">slice<span class=\"token punctuation\">::</span></span>from_raw_parts\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h2 id=\"using-getmodulehandlew\" style=\"position:relative;\"><a href=\"#using-getmodulehandlew\" aria-label=\"using getmodulehandlew permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using GetModuleHandleW</h2>\n<p>First, I use the GetModuleHandleW API to obtain the module handle of ntdll.dll, which exports NtQuerySystemInformation.</p>\n<p>GetModuleHandleW is an API that can 
obtain the module handle of a module loaded in the caller process.</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlew\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GetModuleHandleW function (libloaderapi.h) - Win32 apps | Microsoft Learn</a></p>\n<p>Because GetModuleHandleW requires <code class=\"language-text\">Param&lt;PCWSTR></code> as an argument, I use <code class=\"language-text\">w!(\"ntdll.dll\")</code> to convert the string literal.</p>\n<p>Reference: <a href=\"https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/LibraryLoader/fn.GetModuleHandleW.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GetModuleHandleW in windows::Win32::System::LibraryLoader - Rust</a></p>\n<p>Reference: <a href=\"https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/Foundation/struct.HMODULE.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">HMODULE in windows::Win32::Foundation - Rust</a></p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// Load ntdll</span>\n<span class=\"token comment\">// let ntdll = &amp;HSTRING::from(\"ntdll.dll\");</span>\n<span class=\"token keyword\">let</span> ntdll <span class=\"token operator\">=</span> <span class=\"token macro property\">w!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ntdll.dll\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> h_ntdll_module <span class=\"token operator\">=</span> <span class=\"token class-name\">GetModuleHandleW</span><span class=\"token punctuation\">(</span>ntdll<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">unwrap</span><span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> h_ntdll_module<span class=\"token punctuation\">.</span><span class=\"token function\">is_invalid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to get handle to ntdll.dll\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Created h_ntdll: {:?}\"</span><span class=\"token punctuation\">,</span> h_ntdll_module<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Also, the <code class=\"language-text\">windows</code> crate’s GetModuleHandleW returns <code class=\"language-text\">Result&lt;HMODULE></code>, so I use <code class=\"language-text\">unwrap</code> to extract the HMODULE.</p>\n<h2 id=\"getting-the-address-of-ntquerysysteminformation\" style=\"position:relative;\"><a href=\"#getting-the-address-of-ntquerysysteminformation\" aria-label=\"getting the address of ntquerysysteminformation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 
12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting the Address of NtQuerySystemInformation</h2>\n<p>Next, using the module handle I obtained, I call GetProcAddress to retrieve the function address of NtQuerySystemInformation.</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GetProcAddress function (libloaderapi.h) - Win32 apps | Microsoft Learn</a></p>\n<p>This one requires <code class=\"language-text\">Param&lt;PCSTR></code> rather than <code class=\"language-text\">Param&lt;PCWSTR></code>, so I pass a string literal converted with <code class=\"language-text\">s!(\"NtQuerySystemInformation\")</code>.</p>\n<p>Reference: <a href=\"https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/LibraryLoader/fn.GetProcAddress.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GetProcAddress in windows::Win32::System::LibraryLoader - Rust</a></p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// Get proc address</span>\n<span class=\"token comment\">// let s_func_name = CString::new(\"NtQuerySystemInformation\").unwrap();</span>\n<span class=\"token keyword\">let</span> s_func_name <span class=\"token operator\">=</span> <span class=\"token macro property\">s!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> func_addr <span class=\"token operator\">=</span> <span class=\"token class-name\">GetProcAddress</span><span class=\"token punctuation\">(</span>h_ntdll_module<span class=\"token punctuation\">,</span> s_func_name<span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> func_addr<span class=\"token punctuation\">.</span><span class=\"token function\">is_none</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to get proc address.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Get proc address: {:?}\"</span><span class=\"token punctuation\">,</span> func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">let</span> nt_query_system_information<span class=\"token punctuation\">:</span> <span class=\"token class-name\">NtQuerySystemInformationFn</span> <span class=\"token operator\">=</span> <span class=\"token function\">transmute</span><span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h2 id=\"using-the-ntquerysysteminformation-function\" style=\"position:relative;\"><a href=\"#using-the-ntquerysysteminformation-function\" aria-label=\"using the ntquerysysteminformation function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 
3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using the NtQuerySystemInformation Function</h2>\n<p>Next, I use the function address I obtained to enumerate process information via NtQuerySystemInformation.</p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// First call func</span>\n<span class=\"token keyword\">let</span> system_process_information <span class=\"token operator\">=</span> <span class=\"token number\">5</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// SystemProcessInformation</span>\n<span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> status <span class=\"token operator\">=</span> <span class=\"token function\">nt_query_system_information</span><span class=\"token punctuation\">(</span>\n    system_process_information<span class=\"token punctuation\">,</span>\n    <span class=\"token function\">null_mut</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    <span class=\"token operator\">&amp;</span><span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token 
comment\">// println!(\"First NtQuerySystemInformation call status: {:#x}\", status);</span>\n<span class=\"token macro property\">assert!</span><span class=\"token punctuation\">(</span>status <span class=\"token keyword\">as</span> <span class=\"token keyword\">u32</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xc0000004</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation return length: {:?}\"</span><span class=\"token punctuation\">,</span> u_return_length<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token comment\">// Second call func</span>\n<span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> buffer <span class=\"token operator\">=</span> <span class=\"token macro property\">vec!</span><span class=\"token punctuation\">[</span><span class=\"token number\">0u8</span><span class=\"token punctuation\">;</span> u_return_length <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> status <span class=\"token operator\">=</span> <span class=\"token function\">nt_query_system_information</span><span class=\"token punctuation\">(</span>\n    system_process_information<span class=\"token punctuation\">,</span>\n    buffer<span class=\"token punctuation\">.</span><span class=\"token function\">as_mut_ptr</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> c_void<span class=\"token punctuation\">,</span>\n    u_return_length<span class=\"token punctuation\">,</span>\n    <span class=\"token 
operator\">&amp;</span><span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> status <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation failed: {:?}\"</span><span class=\"token punctuation\">,</span> status<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"checking-the-array-size-to-retrieve\" style=\"position:relative;\"><a href=\"#checking-the-array-size-to-retrieve\" aria-label=\"checking the array size to retrieve permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Checking the Array Size to Retrieve</h3>\n<p>Because the goal this time is to enumerate processes, I call the NtQuerySystemInformation function with SystemProcessInformation as its SystemInformationClass argument.</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation#systemprocessinformation\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SystemProcessInformation</a></p>\n<p>At 
that point, the size of the returned array of <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> structures is unknown, so I first call NtQuerySystemInformation once to obtain the size.</p>\n<p>This call fails with status <code class=\"language-text\">0xc0000004</code> (STATUS_INFO_LENGTH_MISMATCH) because a null pointer and a length of 0 are passed as the second and third arguments, but <code class=\"language-text\">u_return_length</code> is still populated with the size of the returned structure array.</p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// First call func</span>\n<span class=\"token keyword\">let</span> system_process_information <span class=\"token operator\">=</span> <span class=\"token number\">5</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// SystemProcessInformation</span>\n<span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> status <span class=\"token operator\">=</span> <span class=\"token function\">nt_query_system_information</span><span class=\"token punctuation\">(</span>\n    system_process_information<span class=\"token punctuation\">,</span>\n    <span class=\"token function\">null_mut</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    <span class=\"token operator\">&amp;</span><span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token 
comment\">// println!(\"First NtQuerySystemInformation call status: {:#x}\", status);</span>\n<span class=\"token macro property\">assert!</span><span class=\"token punctuation\">(</span>status <span class=\"token keyword\">as</span> <span class=\"token keyword\">u32</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xc0000004</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation return length: {:?}\"</span><span class=\"token punctuation\">,</span> u_return_length<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h3 id=\"retrieving-an-array-of-structures-containing-process-information\" style=\"position:relative;\"><a href=\"#retrieving-an-array-of-structures-containing-process-information\" aria-label=\"retrieving an array of structures containing process information permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Retrieving an Array of Structures Containing Process Information</h3>\n<p>Once I can obtain the size of the structure array returned by the first function call, I next call the NtQuerySystemInformation function again, using that size as the third argument, <code class=\"language-text\">SystemInformationLength</code>.</p>\n<p>The returned structure array is stored in a vector of size <code 
class=\"language-text\">u_return_length</code> allocated with the <code class=\"language-text\">vec!</code> macro.</p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// Second call func</span>\n<span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> buffer <span class=\"token operator\">=</span> <span class=\"token macro property\">vec!</span><span class=\"token punctuation\">[</span><span class=\"token number\">0u8</span><span class=\"token punctuation\">;</span> u_return_length <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> status <span class=\"token operator\">=</span> <span class=\"token function\">nt_query_system_information</span><span class=\"token punctuation\">(</span>\n    system_process_information<span class=\"token punctuation\">,</span>\n    buffer<span class=\"token punctuation\">.</span><span class=\"token function\">as_mut_ptr</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> c_void<span class=\"token punctuation\">,</span>\n    u_return_length<span class=\"token punctuation\">,</span>\n    <span class=\"token operator\">&amp;</span><span class=\"token keyword\">mut</span> u_return_length<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> status <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token macro property\">eprintln!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"NtQuerySystemInformation failed: 
{:?}\"</span><span class=\"token punctuation\">,</span> status<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>With this, I was able to obtain the <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> structure array containing process information.</p>\n<h2 id=\"parsing-the-structures\" style=\"position:relative;\"><a href=\"#parsing-the-structures\" aria-label=\"parsing the structures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Parsing the Structures</h2>\n<p>Finally, I parse the information for each process from the array of <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> structures I retrieved.</p>\n<p>Handling C-defined structures like <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> from Rust was a little tedious, but it worked once I defined the structure information myself based on how it is implemented in the C header files.</p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">HANDLE</span> <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token keyword\">mut</span> c_void<span class=\"token punctuation\">;</span>\n<span class=\"token 
keyword\">type</span> <span class=\"token type-definition class-name\">ULONG</span> <span class=\"token operator\">=</span> c_ulong<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">USHORT</span> <span class=\"token operator\">=</span> c_ushort<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">type</span> <span class=\"token type-definition class-name\">WCHAR</span> <span class=\"token operator\">=</span> <span class=\"token keyword\">u16</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token attribute attr-name\">#[repr(C)]</span>\n<span class=\"token keyword\">struct</span> <span class=\"token type-definition class-name\">UNICODE_STRING</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">Length</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">USHORT</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">MaximumLength</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">USHORT</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">:</span> <span class=\"token operator\">*</span><span class=\"token keyword\">const</span> <span class=\"token constant\">WCHAR</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token attribute attr-name\">#[repr(C)]</span>\n<span class=\"token keyword\">struct</span> <span class=\"token type-definition class-name\">SYSTEM_PROCESS_INFORMATION</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">NextEntryOffset</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">NumberOfThreads</span><span class=\"token 
punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Reserved</span><span class=\"token punctuation\">:</span> <span class=\"token punctuation\">[</span><span class=\"token keyword\">u8</span><span class=\"token punctuation\">;</span> <span class=\"token number\">48</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">UNICODE_STRING</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">BasePriority</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">UniqueProcessId</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">HANDLE</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">InheritedFromUniqueProcessId</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">HANDLE</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">HandleCount</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">Reserved2</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">PrivatePageCount</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">ULONG</span><span class=\"token punctuation\">,</span>\n    <span class=\"token class-name\">VirtualMemoryCounters</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">VM_COUNTERS</span><span class=\"token punctuation\">,</span>\n    <span 
class=\"token class-name\">IoCounters</span><span class=\"token punctuation\">:</span> <span class=\"token constant\">IO_COUNTERS</span>\n    <span class=\"token comment\">// omitted: Threads: SYSTEM_THREAD</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>I use Rust’s <code class=\"language-text\">#[repr(C)]</code> to define the structure information.</p>\n<p>This notation instructs Rust to use the C data layout, making it possible to define a structure with the same memory layout as a C structure rather than allowing Rust to optimize the layout freely.</p>\n<p>Reference: <a href=\"https://ryochack.hatenablog.com/entry/2018/03/23/184943\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Rust Struct Memory Layout - ryochack.blog</a></p>\n<p>Reference: <a href=\"https://doc.rust-lang.org/nomicon/other-reprs.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Other reprs - The Rustonomicon</a></p>\n<p>This time I defined two structures: <code class=\"language-text\">UNICODE_STRING</code> and <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code>.</p>\n<p>However, I omitted the <code class=\"language-text\">SYSTEM_THREAD</code> structure this time because I could not find its definition and did not particularly need it.</p>\n<p>Reference: <a href=\"http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FSystem%20Information%2FStructures%2FSYSTEM_PROCESS_INFORMATION.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">NTAPI Undocumented Functions</a></p>\n<p>Reference: <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/ntdef/ns-ntdef-_unicode_string\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">_UNICODE_STRING (ntdef.h) - Win32 apps | Microsoft Learn</a></p>\n<p>Once the structure definitions were ready, I finally parsed the array of <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> structures obtained with the NtQuerySystemInformation 
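function.</p>
<p>Two things in the sequence above deserve hardening before it runs unattended. The process snapshot can grow between the length probe and the real call, so the second call can itself come back with 0xc0000004 and needs a retry rather than a bare return. And the NextEntryOffset chain and the ImageName.Buffer pointer are data the parser should range-check against the buffer it received rather than dereference on trust, otherwise a short or malformed buffer turns into an out-of-bounds read. The Rust below is an added example written for this page, not the post's program: it keeps the post's struct layout, replaces the ntdll call with a constructed FakeKernel (a stand-in that renders a made-up process table into the caller's buffer and rejects the first sized call once) so it runs on any platform, and the names query_with_retry, walk_entries, FakeKernel and enumerate_with_fake are this example's own.</p>

```rust
// Added example for this page, not the post's program: the two-call NtQuerySystemInformation
// pattern with a retry loop, plus a bounds-checked walk over the NextEntryOffset chain. FakeKernel
// (constructed) stands in for ntdll so this runs anywhere; the struct layout mirrors the post's (x64).
use std::{ffi::c_void, mem::size_of, ptr};

pub const STATUS_SUCCESS: u32 = 0;
pub const STATUS_INFO_LENGTH_MISMATCH: u32 = 0xC000_0004;

#[repr(C)] #[derive(Clone, Copy)]
pub struct UnicodeString { pub length: u16, pub maximum_length: u16, pub buffer: *const u16 }

#[repr(C)] #[derive(Clone, Copy)]
pub struct SystemProcessInformation {
    pub next_entry_offset: u32, pub number_of_threads: u32, pub reserved: [u8; 48], pub image_name: UnicodeString,
    pub base_priority: u32, pub unique_process_id: *mut c_void, pub inherited_from_unique_process_id: *mut c_void, pub handle_count: u32,
}
const ENTRY: usize = size_of::<SystemProcessInformation>();

/// Probe with a null buffer, allocate the reported size plus slack, retry while the kernel keeps answering mismatch.
pub fn query_with_retry<F>(mut query: F, max_attempts: usize) -> Result<Vec<u8>, u32>
where F: FnMut(*mut u8, u32, &mut u32) -> u32 {
    let mut needed = 0u32;
    let st = query(ptr::null_mut(), 0, &mut needed);
    if st != STATUS_SUCCESS && st != STATUS_INFO_LENGTH_MISMATCH { return Err(st); }
    for _ in 0..max_attempts {
        let mut buf = vec![0u8; needed as usize + 4096]; // slack for processes started meanwhile
        match query(buf.as_mut_ptr(), buf.len() as u32, &mut needed) {
            STATUS_SUCCESS => { buf.truncate(needed as usize); return Ok(buf); }
            STATUS_INFO_LENGTH_MISMATCH => continue, // `needed` now holds the larger size
            other => return Err(other),
        }
    }
    Err(STATUS_INFO_LENGTH_MISMATCH)
}

#[derive(Debug, Clone, PartialEq)] pub struct ProcessEntry { pub pid: usize, pub ppid: usize, pub threads: u32, pub handles: u32, pub name: String }

/// Walk the chain treating the buffer as untrusted: every struct read and every ImageName dereference is range-checked.
pub fn walk_entries(buf: &[u8]) -> Result<Vec<ProcessEntry>, String> {
    let (base, mut out, mut offset) = (buf.as_ptr() as usize, Vec::new(), 0usize);
    loop {
        if offset.checked_add(ENTRY).map_or(true, |e| e > buf.len()) { return Err(format!("entry at {offset} overruns buffer")); }
        // read_unaligned: a Vec<u8> gives no alignment guarantee for the struct
        let spi = unsafe { ptr::read_unaligned(buf.as_ptr().add(offset) as *const SystemProcessInformation) };
        let name_len = spi.image_name.length as usize;
        let name = if spi.image_name.buffer.is_null() || name_len == 0 {
            String::from("System Idle Process") // PID 0 carries no image name
        } else {
            // the name must lie inside this buffer; read it through the slice, not the raw pointer
            let start = (spi.image_name.buffer as usize).wrapping_sub(base);
            let end = start.checked_add(name_len).filter(|&e| e <= buf.len() && name_len % 2 == 0)
                .ok_or_else(|| format!("image name at {offset} points outside buffer"))?;
            String::from_utf16_lossy(&buf[start..end].chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect::<Vec<u16>>())
        };
        out.push(ProcessEntry { pid: spi.unique_process_id as usize, ppid: spi.inherited_from_unique_process_id as usize,
                                threads: spi.number_of_threads, handles: spi.handle_count, name });
        let next = spi.next_entry_offset as usize;
        if next == 0 { return Ok(out); }
        if next < ENTRY { return Err(format!("NextEntryOffset {next} at {offset} does not advance")); }
        offset += next;
    }
}

/// Constructed stand-in for the syscall: renders a made-up process table into the caller's buffer,
/// with ImageName.Buffer pointing inside that buffer the way ntdll fills it.
pub struct FakeKernel { procs: Vec<(usize, usize, u32, u32, &'static str)>, pub calls: usize }

impl FakeKernel {
    pub fn sample() -> Self {
        FakeKernel { procs: vec![(0, 0, 4, 0, ""), (4, 0, 150, 2000, "System"), (1234, 4, 12, 300, "svchost.exe")], calls: 0 }
    }
    fn needed(&self) -> usize { self.procs.iter().map(|p| ENTRY + p.4.encode_utf16().count() * 2).sum() }

    pub fn query(&mut self, buf: *mut u8, len: u32, ret_len: &mut u32) -> u32 {
        self.calls += 1;
        let needed = self.needed();
        *ret_len = needed as u32;
        // the null probe fails with the size; the first sized call is rejected once, simulating
        // a snapshot that outgrew the buffer between the two calls
        if buf.is_null() || (len as usize) < needed || self.calls == 2 { return STATUS_INFO_LENGTH_MISMATCH; }
        let dst = unsafe { std::slice::from_raw_parts_mut(buf, len as usize) };
        let mut off = 0;
        for (i, &(pid, ppid, threads, handles, name)) in self.procs.iter().enumerate() {
            let name_bytes: Vec<u8> = name.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
            let buffer = if name_bytes.is_empty() { ptr::null() } else { (dst.as_ptr() as usize + off + ENTRY) as *const u16 };
            let spi = SystemProcessInformation {
                next_entry_offset: if i + 1 == self.procs.len() { 0 } else { (ENTRY + name_bytes.len()) as u32 },
                number_of_threads: threads, reserved: [0; 48], base_priority: 8, handle_count: handles,
                image_name: UnicodeString { length: name_bytes.len() as u16, maximum_length: name_bytes.len() as u16, buffer },
                unique_process_id: pid as *mut c_void, inherited_from_unique_process_id: ppid as *mut c_void,
            };
            unsafe { ptr::write_unaligned(dst.as_mut_ptr().add(off) as *mut SystemProcessInformation, spi) };
            dst[off + ENTRY..off + ENTRY + name_bytes.len()].copy_from_slice(&name_bytes);
            off += ENTRY + name_bytes.len();
        }
        STATUS_SUCCESS
    }
}

/// End-to-end run: the parsed table plus how often the "syscall" was entered (probe, rejection, success = 3).
pub fn enumerate_with_fake() -> Result<(Vec<ProcessEntry>, usize), String> {
    let mut kernel = FakeKernel::sample();
    let snapshot = query_with_retry(|b, l, r| kernel.query(b, l, r), 4).map_err(|s| format!("NTSTATUS {s:#010x}"))?;
    let entries = walk_entries(&snapshot)?;
    Ok((entries, kernel.calls))
}

fn main() { println!("{:#?}", enumerate_with_fake()); }
```

<p>On Windows the closure handed to query_with_retry would forward to the transmuted nt_query_system_information pointer with SystemProcessInformation as the class, and walk_entries would run over the returned Vec unchanged; the retry loop and the range checks are the only additions over the two fixed calls. The post's own walk over the same NextEntryOffset chain follows next, applied to the array returned by the NtQuerySystemInformation 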
function.</p>\n<p>Conveniently, the <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> structure has a member called <code class=\"language-text\">NextEntryOffset</code> that contains the offset to the next array element, so I access the next element by adding that value inside the loop.</p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token comment\">// Analyze buffer</span>\n<span class=\"token keyword\">let</span> <span class=\"token keyword\">mut</span> offset <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">while</span> offset <span class=\"token operator\">&lt;</span> u_return_length <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">let</span> spi <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>buffer<span class=\"token punctuation\">.</span><span class=\"token function\">as_ptr</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span>offset <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token operator\">*</span><span class=\"token keyword\">const</span> <span class=\"token constant\">SYSTEM_PROCESS_INFORMATION</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">let</span> name <span class=\"token operator\">=</span> <span class=\"token keyword\">if</span> <span class=\"token operator\">!</span>spi<span class=\"token punctuation\">.</span><span class=\"token 
class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">.</span><span class=\"token function\">is_null</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Length</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">let</span> slice <span class=\"token operator\">=</span> <span class=\"token function\">from_raw_parts</span><span class=\"token punctuation\">(</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Length</span> <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">from_utf16_lossy</span><span class=\"token punctuation\">(</span>slice<span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token 
class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">from</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"System Idle Process\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token macro property\">println!</span><span class=\"token punctuation\">(</span>\n        <span class=\"token string\">\"Name: {},\\tPID: {:?},\\tPPID: {:?},\\tThreads: {:?},\\tHandles: {:?}\"</span><span class=\"token punctuation\">,</span>\n        name<span class=\"token punctuation\">,</span>\n        spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">UniqueProcessId</span><span class=\"token punctuation\">,</span>\n        spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">InheritedFromUniqueProcessId</span><span class=\"token punctuation\">,</span>\n        spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">NumberOfThreads</span><span class=\"token punctuation\">,</span>\n        spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">HandleCount</span>\n    <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">if</span> spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">NextEntryOffset</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    offset <span class=\"token operator\">+=</span> spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">NextEntryOffset</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token 
punctuation\">}</span></code></pre></div>\n<p>Also, in <code class=\"language-text\">&amp;*(buffer.as_ptr().add(offset as usize) as *const SYSTEM_PROCESS_INFORMATION);</code>, I take the address obtained by adding the current offset to the buffer pointer and reinterpret it as a reference to a <code class=\"language-text\">SYSTEM_PROCESS_INFORMATION</code> structure.</p>\n<p>Two things are taken on trust there. Dereferencing with <code class=\"language-text\">&amp;*</code> requires the address to be correctly aligned for the structure, which a plain byte buffer does not guarantee, and the loop condition only checks that <code class=\"language-text\">offset</code> is below the returned length, not that the whole structure it is about to read (and the <code class=\"language-text\">NextEntryOffset</code> taken from it) still lies inside the buffer. For a buffer that the kernel has just filled this is a reasonable trade-off; the same pattern applied to data from a less trusted source, such as a saved dump, should read each entry with <code class=\"language-text\">ptr::read_unaligned</code> and check that the entry and its <code class=\"language-text\">ImageName</code> fit inside the returned length before touching them.</p>\n<p>Furthermore, to extract the process name from <code class=\"language-text\">ImageName</code> stored in the <code class=\"language-text\">UNICODE_STRING</code> structure, I create a slice of UTF-16 code units with <code class=\"language-text\">from_raw_parts</code> and decode it with <code class=\"language-text\">from_utf16_lossy</code>. <code class=\"language-text\">Length</code> is a byte count, which is why it is divided by 2 to get the number of code units, and <code class=\"language-text\">Buffer</code> points into the same buffer that the call filled, so the name is only valid while that buffer is alive. The null and zero-length check matters because the System Idle Process (PID 0) has no image name.</p>\n<div class=\"gatsby-highlight\" data-language=\"rust\"><pre class=\"language-rust\"><code class=\"language-rust\"><span class=\"token keyword\">let</span> name <span class=\"token operator\">=</span> <span class=\"token keyword\">if</span> <span class=\"token operator\">!</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">.</span><span class=\"token function\">is_null</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Length</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">let</span> slice <span class=\"token operator\">=</span> <span class=\"token function\">from_raw_parts</span><span class=\"token punctuation\">(</span>spi<span class=\"token punctuation\">.</span><span class=\"token 
class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Buffer</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>spi<span class=\"token punctuation\">.</span><span class=\"token class-name\">ImageName</span><span class=\"token punctuation\">.</span><span class=\"token class-name\">Length</span> <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token keyword\">usize</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">from_utf16_lossy</span><span class=\"token punctuation\">(</span>slice<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">String</span><span class=\"token punctuation\">::</span><span class=\"token function\">from</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"System Idle Process\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://doc.rust-lang.org/std/slice/fn.from_raw_parts.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">from_raw_parts in std::slice - Rust</a></p>\n<p>Reference: <a href=\"https://doc.rust-lang.org/std/string/struct.String.html#method.from_utf16_lossy\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">String in std::string - Rust</a></p>\n<p>With this, I was able to obtain various kinds of process information, including process names.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" 
aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>Now I can use NTAPI from Rust as well.</p>\n<p>However, I am still not entirely sure whether there is any benefit to going out of my way to use it from Rust.</p>","fields":{"slug":"/rust-winapi-use-ntapi-en","tagSlugs":["/tag/rust/","/tag/windows/","/tag/rust-win-api/","/tag/english/"]},"frontmatter":{"date":"2025-04-13","description":"How to use NTAPI in Rust","tags":["Rust","Windows","Rust-WinAPI","English"],"title":"Using NTAPI in Rust","socialImage":{"publicURL":"/static/f6fe03f6828d1dd556ac8be98361963e/rust-winapi-use-ntapi.png"}}}},"pageContext":{"slug":"/rust-winapi-use-ntapi-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
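The NextEntryOffset walk from the "Parsing the Structures" section, as an added example that is not code from the original post. It keeps the article's approach (a `#[repr(C)]` UNICODE_STRING, an offset-driven loop, `from_utf16_lossy` on `Length / 2` code units) and adds the checks the article leaves out: every entry and every ImageName must fit inside the returned length, `NextEntryOffset` must actually move forward, and the entry is read with `ptr::read_unaligned` instead of `&*` so a plain byte buffer needs no alignment guarantee. Two assumptions are mine: `ProcInfo` is a reduced stand-in holding only the members the walk reads (the real SYSTEM_PROCESS_INFORMATION has many more, but the walk depends only on these), and `build_sample_buffer` constructs an in-process buffer laid out the way the kernel lays entries out, so the code runs on any platform without calling NtQuerySystemInformation.

```rust
use std::mem::size_of;
use std::ptr;

/// Same layout as UNICODE_STRING; Length and MaximumLength are byte counts, not code units.
#[repr(C)]
#[derive(Clone, Copy)]
pub struct UnicodeString { pub length: u16, pub maximum_length: u16, pub buffer: *const u16 }

/// Reduced stand-in (an assumption of this example) with only the members the walk reads; the real
/// SYSTEM_PROCESS_INFORMATION has many more, but the walk itself depends only on these.
#[repr(C)]
#[derive(Clone, Copy)]
pub struct ProcInfo {
    pub next_entry_offset: u32, pub number_of_threads: u32,
    pub image_name: UnicodeString,
    pub unique_process_id: usize, pub inherited_from_unique_process_id: usize,
    pub handle_count: u32,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProcessEntry { pub name: String, pub pid: usize, pub ppid: usize, pub threads: u32, pub handles: u32 }

#[derive(Debug, PartialEq, Eq)]
pub enum WalkError { EntryOutOfBounds { offset: usize }, NameOutOfBounds { offset: usize }, NoForwardProgress { offset: usize } }

/// Walks the NextEntryOffset chain in `buf[..return_length]`, refusing any entry or ImageName
/// that would reach outside the bytes the call actually returned.
pub fn walk_process_list(buf: &[u8], return_length: usize) -> Result<Vec<ProcessEntry>, WalkError> {
    let len = return_length.min(buf.len()); // never trust ReturnLength beyond the allocation
    let base = buf.as_ptr() as usize;
    let (mut out, mut offset) = (Vec::new(), 0usize);
    loop {
        // The fixed part of the entry must lie entirely inside the returned bytes.
        if offset.checked_add(size_of::<ProcInfo>()).map_or(true, |end| end > len) {
            return Err(WalkError::EntryOutOfBounds { offset });
        }
        // SAFETY: range checked above; ProcInfo is plain data valid for any bit pattern, and
        // read_unaligned does not assume the byte buffer is aligned for the struct.
        let spi: ProcInfo = unsafe { ptr::read_unaligned(buf.as_ptr().add(offset) as *const ProcInfo) };
        let name = if spi.image_name.buffer.is_null() || spi.image_name.length == 0 {
            String::from("System Idle Process") // PID 0 carries no image name
        } else {
            // The kernel places the characters inside the same buffer; verify that before reading.
            let nbytes = spi.image_name.length as usize; // bytes, hence two per code unit below
            match (spi.image_name.buffer as usize).checked_sub(base) {
                Some(rel) if rel.checked_add(nbytes).map_or(false, |end| end <= len) => {
                    let units: Vec<u16> = buf[rel..rel + nbytes].chunks_exact(2)
                        .map(|c| u16::from_ne_bytes([c[0], c[1]])).collect();
                    String::from_utf16_lossy(&units)
                }
                _ => return Err(WalkError::NameOutOfBounds { offset }),
            }
        };
        out.push(ProcessEntry { name, pid: spi.unique_process_id, ppid: spi.inherited_from_unique_process_id,
                                threads: spi.number_of_threads, handles: spi.handle_count });
        let next = spi.next_entry_offset as usize;
        if next == 0 { break; } // last entry
        // A step shorter than the fixed part would re-read this entry or spin forever.
        if next < size_of::<ProcInfo>() { return Err(WalkError::NoForwardProgress { offset }); }
        offset = offset.checked_add(next).ok_or(WalkError::EntryOutOfBounds { offset })?;
    }
    Ok(out)
}

/// Constructed input for this example (not real NtQuerySystemInformation output): each entry is
/// followed by its image-name characters and NextEntryOffset points at the next 8-byte-aligned entry.
pub struct SampleProcess { pub name: &'static str, pub pid: usize, pub ppid: usize, pub threads: u32, pub handles: u32 }

pub fn build_sample_buffer(procs: &[SampleProcess]) -> Vec<u8> {
    let round8 = |n: usize| (n + 7) & !7;
    let header = size_of::<ProcInfo>();
    let (mut offsets, mut total) = (Vec::with_capacity(procs.len()), 0usize);
    for p in procs {
        offsets.push(total);
        total += round8(header + 2 * p.name.encode_utf16().count());
    }
    let mut buf = vec![0u8; total];
    for (i, p) in procs.iter().enumerate() {
        for (k, unit) in p.name.encode_utf16().enumerate() {
            let at = offsets[i] + header + 2 * k;
            buf[at..at + 2].copy_from_slice(&unit.to_ne_bytes());
        }
    }
    let base = buf.as_mut_ptr(); // the Vec is never resized after this point
    for (i, p) in procs.iter().enumerate() {
        let nbytes = (2 * p.name.encode_utf16().count()) as u16;
        let next = if i + 1 < procs.len() { (offsets[i + 1] - offsets[i]) as u32 } else { 0 };
        // SAFETY: offsets[i] + header + nbytes <= buf.len() by construction.
        let buffer = if nbytes == 0 { ptr::null() } else { unsafe { base.add(offsets[i] + header) as *const u16 } };
        let info = ProcInfo { next_entry_offset: next, number_of_threads: p.threads,
            image_name: UnicodeString { length: nbytes, maximum_length: nbytes, buffer },
            unique_process_id: p.pid, inherited_from_unique_process_id: p.ppid, handle_count: p.handles };
        unsafe { ptr::write_unaligned(base.add(offsets[i]) as *mut ProcInfo, info) };
    }
    buf
}

fn main() {
    let buf = build_sample_buffer(&[
        SampleProcess { name: "", pid: 0, ppid: 0, threads: 4, handles: 0 },
        SampleProcess { name: "System", pid: 4, ppid: 0, threads: 200, handles: 3000 },
        SampleProcess { name: "notepad.exe", pid: 1234, ppid: 800, threads: 3, handles: 150 },
    ]);
    for e in walk_process_list(&buf, buf.len()).expect("well-formed sample") {
        println!("Name: {},\tPID: {},\tPPID: {},\tThreads: {},\tHandles: {}", e.name, e.pid, e.ppid, e.threads, e.handles);
    }
}
```

On Windows the same walker applies to the real output: replace `ProcInfo` with the full `#[repr(C)]` SYSTEM_PROCESS_INFORMATION from the article and pass the `Vec<u8>` that NtQuerySystemInformation filled together with the ReturnLength it reported. The name is copied out of the buffer with `chunks_exact(2)` rather than through `from_raw_parts`, which keeps the only `unsafe` in the walk to the single `read_unaligned` of the entry header.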