Sunday, February 22, 2009

[VC++] Process Information with ZwQueryInformationProcess()

NTDLL.dll exports an undocumented native API, ZwQueryInformationProcess(), that returns process information such as the process id, base priority, parent process id and affinity mask. The information class used below (0, ProcessBasicInformation) fills a PROCESS_BASIC_INFORMATION structure whose layout must match the one the kernel uses, including pointer-sized fields on 64-bit Windows. The code snippet below shows how to use it:
#include <windows.h>
#include <stdio.h>

// Layout the kernel uses for information class 0 (ProcessBasicInformation).
// Don't include <winternl.h> in the same file: it declares a structure with this name.
typedef struct
{
    LONG      ulExitStatus;                    // NTSTATUS
    PVOID     pBaseAddress;                    // PEB address
    ULONG_PTR ulAffinityMask;                  // pointer-sized: a 4-byte ULONG here breaks the x64 layout
    LONG      uBasePriority;                   // KPRIORITY
    ULONG_PTR pulUniqueProcessId;
    ULONG_PTR pulInheritedFromUniqueProcessId; // parent process id
} PROCESS_BASIC_INFORMATION;

// NTSTATUS-returning native call; class 0 = ProcessBasicInformation
typedef LONG (WINAPI * ZwQueryInformationProcess)( HANDLE ProcessHandle,
                                                   ULONG ProcessInformationClass,
                                                   PVOID ProcessInformation,
                                                   ULONG ProcessInformationLength,
                                                   PULONG ReturnLength );

int main( void )
{
    // NTDLL is already mapped into every process, so LoadLibrary/FreeLibrary is unnecessary
    // (and GetModuleHandleA builds whether or not UNICODE is defined)
    HMODULE hModule = GetModuleHandleA( "ntdll.dll" );
    if( !hModule )
        return 1;

    // Get the ZwQueryInformationProcess() address
    ZwQueryInformationProcess ZwQueryInformationProcessPtr =
        (ZwQueryInformationProcess)GetProcAddress( hModule, "ZwQueryInformationProcess" );
    PROCESS_BASIC_INFORMATION stProcessBasicInformation = { 0 };
    if( ZwQueryInformationProcessPtr )
    {
        // Get the process handle; query access is all this information class needs
        HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId() );
        if( hProcess )
        {
            // Call the function; a non-negative NTSTATUS means success
            LONG status = ZwQueryInformationProcessPtr( hProcess, 0, &stProcessBasicInformation,
                                                        sizeof(stProcessBasicInformation), NULL );
            if( status >= 0 )
            {
                printf( "Process id: %lu, parent process id: %lu\n",
                        (unsigned long)stProcessBasicInformation.pulUniqueProcessId,
                        (unsigned long)stProcessBasicInformation.pulInheritedFromUniqueProcessId );
            }
            CloseHandle( hProcess );
        }
    }
    return 0;
}
In my previous post I showed how to get the parent process id by iterating through the processes; in the code above, stProcessBasicInformation.pulInheritedFromUniqueProcessId gives the parent process id directly.
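As an added example (not the original post's code), the same query wrapped in a reusable function that takes any process id rather than only the current one. It resolves the NtQueryInformationProcess export (the same ntdll function under its Nt name), opens the process with only the access this class needs, checks both the status and the returned length, and closes the handle. The PBI_LAYOUT type and the function names are mine; the fixed-width copy of the structure lets a size and offset check catch a 32-bit-only layout before the call is ever made.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the native PROCESS_BASIC_INFORMATION (information class 0) with
 * fixed-width types, so the layout can be checked on any compiler. The pointer-
 * sized fields are what a ULONG-only version gets wrong on x64. */
typedef struct {
    int32_t   ExitStatus;                   /* NTSTATUS  */
    uintptr_t PebBaseAddress;               /* PPEB      */
    uintptr_t AffinityMask;                 /* ULONG_PTR */
    int32_t   BasePriority;                 /* KPRIORITY */
    uintptr_t UniqueProcessId;
    uintptr_t InheritedFromUniqueProcessId; /* parent process id */
} PBI_LAYOUT;

/* Size the kernel expects for class 0: 24 bytes on 32-bit, 48 on 64-bit.
 * Any other ProcessInformationLength yields STATUS_INFO_LENGTH_MISMATCH. */
size_t pbi_expected_size(size_t pointer_size) { return pointer_size == 8 ? 48 : 24; }
/* 1 if PBI_LAYOUT matches the native layout for this build's pointer width. */
int pbi_layout_ok(void)
{
    size_t p = sizeof(uintptr_t);
    return sizeof(PBI_LAYOUT) == pbi_expected_size(p)
        && offsetof(PBI_LAYOUT, InheritedFromUniqueProcessId) == 5 * p;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
/* Parent pid of any process the caller can open for query; 0 on failure. */
DWORD GetParentProcessId(DWORD pid)
{
    DWORD parent = 0;
    PBI_LAYOUT pbi = { 0 };
    ULONG got = 0;
    HMODULE ntdll = GetModuleHandleA("ntdll.dll"); /* always mapped: no LoadLibrary needed */
    NtQueryInformationProcess_t query = ntdll
        ? (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    HANDLE h = (query && pbi_layout_ok())
        ? OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid) : NULL; /* least access needed */
    if (h) {
        /* NTSTATUS >= 0 is success; also insist the kernel filled exactly our struct */
        if (query(h, 0, &pbi, sizeof pbi, &got) >= 0 && got == sizeof pbi)
            parent = (DWORD)pbi.InheritedFromUniqueProcessId;
        CloseHandle(h);
    }
    return parent;
}
#endif
```

The layout check is portable and runs anywhere; GetParentProcessId is compiled only on Windows.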
