如何得到其它进程的启动命令行参数

原创 2005年04月26日 22:42:00
ILSY:
这个程序可以得到其他进程的命令行参数。
// procmdline.cpp (Windows NT/2000)
//
// This example shows how to get the command line for almost any process
// on the system for Windows NT/2000
//
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com

#include <windows.h>
#include <stdio.h>

// Information class passed to NtQueryInformationProcess. Value 0 selects
// the PROCESS_BASIC_INFORMATION record declared below.
#define ProcessBasicInformation 0

// Counted UTF-16 string as used by the native (ntdll) API.
// Length and MaximumLength are BYTE counts, not character counts (the
// sample below compares Length directly against sizeof() of a WCHAR
// array). By the documented UNICODE_STRING contract Length does not
// include a terminating NUL, and Buffer points into the address space of
// the process that owns the string, so it is only meaningful through
// ReadProcessMemory.
typedef struct
{
    USHORT Length;         // bytes currently in use at Buffer
    USHORT MaximumLength;  // bytes allocated at Buffer
    PWSTR  Buffer;         // remote pointer (target process address space)
} UNICODE_STRING, *PUNICODE_STRING;

// Hand-rolled, partial layout of the process-parameters block that the
// PEB's ProcessParameters member points to. Only the offset of CommandLine
// matters to this sample; the Unknown* members exist purely as padding so
// that CommandLine lands at the right offset.
// NOTE(review): this layout is undocumented and was written against
// NT4/2000 (see the file header). Pointer-sized members are declared with
// 32-bit types, so it matches a 32-bit target read by a 32-bit reader;
// confirm against the target OS before reusing.
typedef struct
{
    ULONG          AllocationSize;
    ULONG          ActualSize;
    ULONG          Flags;
    ULONG          Unknown1;
    UNICODE_STRING Unknown2;
    HANDLE         InputHandle;
    HANDLE         OutputHandle;
    HANDLE         ErrorHandle;
    UNICODE_STRING CurrentDirectory;
    HANDLE         CurrentDirectoryHandle;
    UNICODE_STRING SearchPaths;
    UNICODE_STRING ApplicationName;
    UNICODE_STRING CommandLine;        // the only member GetProcessCmdLine reads
    PVOID          EnvironmentBlock;
    ULONG          Unknown[9];
    UNICODE_STRING Unknown3;
    UNICODE_STRING Unknown4;
    UNICODE_STRING Unknown5;
    UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

// Hand-rolled, partial layout of the Process Environment Block. The sample
// reads the whole struct from the target with ReadProcessMemory but only
// dereferences ProcessParameters; the remaining members are padding that
// fixes its offset.
// NOTE(review): undocumented layout, 32-bit field widths — same caveat as
// PROCESS_PARAMETERS above.
typedef struct
{
    ULONG               AllocationSize;
    ULONG               Unknown1;
    HINSTANCE           ProcessHinstance;
    PVOID               ListDlls;
    PPROCESS_PARAMETERS ProcessParameters;   // remote pointer; read via ReadProcessMemory
    ULONG               Unknown2;
    HANDLE              Heap;
} PEB, *PPEB;

// Output record for NtQueryInformationProcess(ProcessBasicInformation).
// The sample uses only PebBaseAddress, which is a pointer valid in the
// target process's address space.
// NOTE(review): AffinityMask and the process-id members are declared as
// 32-bit here; on 64-bit Windows these are pointer-sized, so this struct
// (and therefore sizeof(PROCESS_BASIC_INFORMATION) passed to the query)
// only matches a 32-bit build — confirm before building for x64.
typedef struct
{
    DWORD ExitStatus;
    PPEB  PebBaseAddress;                 // remote pointer to the target's PEB
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
}   PROCESS_BASIC_INFORMATION;


// ntdll!NtQueryInformationProcess (NT specific!)
//
// The function copies the process information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQueryInformationProcess(
//    IN HANDLE ProcessHandle,              // handle to process
//    IN PROCESSINFOCLASS InformationClass, // information type
//    OUT PVOID ProcessInformation,         // pointer to buffer
//    IN ULONG ProcessInformationLength,    // buffer size in bytes
//    OUT PULONG ReturnLength OPTIONAL      // pointer to a 32-bit
//                                          // variable that receives
//                                          // the number of bytes
//                                          // written to the buffer
// );
// Function-pointer type for ntdll!NtQueryInformationProcess (see the
// prototype in the comment above). The return value is an NTSTATUS; this
// sample treats any non-zero value as failure.
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);


// Resolved at run time in main() via GetModuleHandle("ntdll") +
// GetProcAddress, because the export is not declared in the SDK headers
// this sample targets. NULL until main() has run; GetProcessCmdLine
// depends on it being set.
PROCNTQSIP NtQueryInformationProcess;

// Copies the command line of process dwId into wBuf. dwBufLen is the size
// of wBuf in BYTES (the caller passes sizeof() of a WCHAR array). Returns
// TRUE on success, FALSE otherwise.
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen);

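// Entry point. Usage: cmdline.exe <ProcId>
//
// Resolves NtQueryInformationProcess from ntdll, parses the process id from
// argv[1] and prints that process's command line. Returns 0 on success and
// 1 on any failure (bad usage, export not found, unparsable id, or the
// command line could not be read).
int main(int argc, char* argv[])
{
    if (argc<2)
    {
       printf("Usage:\n\ncmdline.exe ProcId\n");
       return 1;
    }

    // The export is not in the SDK headers this sample targets, so it is
    // looked up at run time. ntdll is always mapped, but check the handle
    // anyway rather than passing NULL to GetProcAddress.
    HMODULE hNtdll = GetModuleHandle("ntdll");
    if (!hNtdll)
    {
       printf("Could not locate ntdll\n");
       return 1;
    }

    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
                                            hNtdll,
                                            "NtQueryInformationProcess"
                                            );

    if (!NtQueryInformationProcess)
    {
       printf("Could not resolve NtQueryInformationProcess\n");
       return 1;
    }

    // Check the sscanf result: on a non-numeric argument dwId would
    // otherwise be used uninitialized.
    DWORD dwId = 0;
    if (sscanf(argv[1],"%lu",&dwId) != 1)
    {
       printf("Invalid process id: %s\n", argv[1]);
       return 1;
    }

    // Zero-initialised, and one WCHAR is held back from the length passed
    // to GetProcessCmdLine, so the buffer always ends in a NUL even if the
    // callee fills every byte it was allowed to.
    WCHAR wstr[255] = {0};

    // dwBufLen is a BYTE count, matching UNICODE_STRING::Length.
    if (GetProcessCmdLine(dwId,wstr,sizeof(wstr) - sizeof(WCHAR)))
    {
       wprintf(L"Command line for process %lu is:\n%s\n",dwId,wstr);
       return 0;
    }

    wprintf(L"Could not get command line!\n");
    return 1;
}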

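// Copies the command line of process dwId into wBuf as a NUL-terminated
// UTF-16 string.
//
// dwId     - id of the target process
// wBuf     - caller-supplied buffer; must not be NULL
// dwBufLen - size of wBuf in BYTES (the same unit as UNICODE_STRING::Length);
//            sizeof(buffer) is the natural argument
//
// Returns TRUE on success. Returns FALSE if NtQueryInformationProcess has not
// been resolved, if wBuf is NULL, if the process cannot be opened with
// PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, if any remote read fails, or if
// wBuf cannot hold the command line plus a terminating NUL.
//
// Walks PEB -> ProcessParameters -> CommandLine using the hand-rolled
// layouts declared above (32-bit assumptions; see their comments). The
// process handle is always closed before returning.
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen)
{
    LONG                      status;
    HANDLE                    hProcess;
    PROCESS_BASIC_INFORMATION pbi;
    PEB                       Peb;
    PROCESS_PARAMETERS        ProcParam;
    SIZE_T                    cbRead;
    DWORD                     dwSize;
    LPVOID                    lpAddress;
    BOOL                      bRet = FALSE;

    // This is a public entry point: fail cleanly if main() has not resolved
    // the ntdll export yet, or if there is no buffer to write into.
    if (!wBuf || !NtQueryInformationProcess)
       return FALSE;

    // PROCESS_VM_READ is required by ReadProcessMemory below.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId);
    if (!hProcess)
       return FALSE;

    // Locate the target's PEB. A non-zero NTSTATUS is treated as failure.
    status = NtQueryInformationProcess( hProcess,
                                        ProcessBasicInformation,
                                        (PVOID)&pbi,
                                        sizeof(PROCESS_BASIC_INFORMATION),
                                        NULL
                                      );

    if (status)
       goto cleanup;

    // Two pointer hops, each through the remote address space:
    // PEB, then the process-parameters block it points to.
    if (!ReadProcessMemory( hProcess,
                            pbi.PebBaseAddress,
                            &Peb,
                            sizeof(PEB),
                            &cbRead
                          )
       )
       goto cleanup;

    if (!ReadProcessMemory( hProcess,
                            Peb.ProcessParameters,
                            &ProcParam,
                            sizeof(PROCESS_PARAMETERS),
                            &cbRead
                          )
       )
       goto cleanup;

    lpAddress = ProcParam.CommandLine.Buffer;
    dwSize = ProcParam.CommandLine.Length;   // bytes; no terminator included

    // ReadProcessMemory copies exactly Length bytes and no NUL, so reserve
    // one WCHAR for the terminator appended below; otherwise the caller
    // would receive an unterminated string when the buffer is just big
    // enough. dwSize comes from a USHORT, so the addition cannot overflow.
    if (dwBufLen < dwSize + sizeof(WCHAR))
       goto cleanup;

    // Skip the remote read for an empty command line (Buffer may be NULL).
    if (dwSize &&
        !ReadProcessMemory( hProcess,
                            lpAddress,
                            wBuf,
                            dwSize,
                            &cbRead
                          )
       )
       goto cleanup;

    // Length is a byte count, so the terminator goes at character index
    // Length / sizeof(WCHAR).
    wBuf[dwSize / sizeof(WCHAR)] = L'\0';

    bRet = TRUE;

cleanup:

    CloseHandle (hProcess);

    return bRet;
}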
---


tombkeeper:
PEB结构中的ProcessParameters->CommandLine是个UNICODE_STRING,就是命令行。用ReadProcessMemory()读取就可以了。

1、从 fs:0定位PEB
2、PEB偏移0x10是ProcessParameters
3、ProcessParameters偏移0x40是CommandLine

tombkeeper:
不同版本的NT,PEB结构未必相同,可能需要区别对待。
还是ILSY的办法比较堂堂正正一点。
