21 Apr
2023
21 Apr
'23
6:16 p.m.
In this case, isn't CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) better? I mean, NtQuerySystemInformation works, but it is undocumented internal Windows function and if there is a documented way to do the same shouldn't that be preferred in a program?
Sure, I just forgot that there actually is a kernel32 interface to that.
Well, actually, it's worth mentioning that ntdll reports some extra information that we need and doesn't seem to be accessible from toolhelp—the VM counters, at least. That may be all, though.