Option Explicit
' ---------------------------------------------------------------------------
' Native (ntdll) structures and Win32 declarations used by
' GetProcessCommandLine below. VB6 is 32-bit only, so every HANDLE and
' pointer is carried in a 4-byte Long.
' ---------------------------------------------------------------------------

' Process/thread pair handed to NtOpenProcess. Only UniqueProcess is filled
' in by this module; UniqueThread is left at 0.
Private Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
' Generic access bits, only used to build PROCESS_ALL_ACCESS further down.
Private Const SYNCHRONIZE As Long = &H100000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
' Native counterpart of OpenProcess. Returns an NTSTATUS (negative = failure)
' and stores the new handle in ProcessHandle. OBJECT_ATTRIBUTES is defined
' a few lines further down in this module.
Private Declare Function NtOpenProcess Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, _
ByVal AccessMask As Long, _
ByRef ObjectAttributes As OBJECT_ATTRIBUTES, _
ByRef ClientID As CLIENT_ID) As Long
' 32-bit layout of the native OBJECT_ATTRIBUTES structure (six 4-byte
' fields). Length must be set to the structure size before the call; every
' other field may stay 0 when opening a process by CLIENT_ID.
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End Type
' Process access rights. PROCESS_CREATE_THREAD and PROCESS_VM_OPERATION are
' needed for CreateRemoteThread, PROCESS_VM_READ for ReadProcessMemory.
' NOTE(review): the CreateRemoteThread documentation also lists
' PROCESS_VM_WRITE in its required rights; it is not requested anywhere in
' this listing -- confirm on the target OS. PROCESS_ALL_ACCESS and
' PROCESS_DUP_HANDLE are declared but not referenced in this listing; keep
' using the minimal mask rather than PROCESS_ALL_ACCESS.
Private Const PROCESS_VM_READ = &H10          ' untyped: VB infers Integer, widened to Long when OR-ed
Private Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_VM_OPERATION = &H8
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Const PROCESS_DUP_HANDLE As Long = (&H40)
' lpBaseAddress is declared ByRef As Any so callers pass the remote address
' with an explicit ByVal. The last parameter is really lpNumberOfBytesRead
' (the name here is a misnomer); passing ByVal 0& supplies NULL.
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Module handling for resolving GetCommandLineA in this process.
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
' Closes any NT handle; used for both the process and the remote-thread handle.
Private Declare Function NtClose Lib "NTDLL.DLL" (ByVal ObjectHandle As Long) As Long
' Declared but not referenced in this listing.
Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByRef Destination As Any, _
ByRef Source As Any, _
ByVal Length As Long)
' lpStartAddress is declared ByRef, so the call site passes the function
' pointer with an explicit ByVal. Starting a thread in another process is
' code injection from an AV/EDR point of view.
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
' Thread bookkeeping: wait for the remote thread, read its exit code (which
' carries GetCommandLineA's return value), kill it if it never runs.
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal uExitCode As Long) As Long
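' Returns the ANSI command line of another process, or "" on any failure.
'
' Technique: a thread is created inside the target whose start address is
' kernel32!GetCommandLineA. That function's return value becomes the thread
' exit code, i.e. the address (in the target) of the target's command-line
' string, which is then copied out with ReadProcessMemory.
'
' Caveats for callers:
'   * The address of GetCommandLineA is resolved in THIS process and reused
'     in the target. This assumes the target is the same bitness and has
'     kernel32 mapped at the same base; if not, the remote thread starts at
'     a bogus address and may crash the target.
'   * The thread exit code is a 32-bit value, so only 32-bit pointers
'     survive the round trip.
'   * CreateRemoteThread is code injection as far as AV/EDR is concerned and
'     requires PROCESS_CREATE_THREAD on the target. If only the command line
'     is needed, reading ProcessParameters.CommandLine out of the target's
'     PEB (NtQueryInformationProcess + ReadProcessMemory) needs only
'     PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ and executes nothing in
'     the target.
'   * The result is truncated to at most 511 characters (size of bytBuffer).
'
' dwProcessId: PID of the target process.
' Returns: the command line, or "" if the process could not be opened, the
'          remote call did not complete within the timeout, or nothing
'          readable was found at the returned address.
Private Function GetProcessCommandLine(ByVal dwProcessId As Long) As String
    Const WAIT_OBJECT_0 As Long = 0
    Const WAIT_TIMEOUT As Long = &H102
    Const REMOTE_CALL_TIMEOUT_MS As Long = 100

    Dim hRemProcess As Long, hThread As Long, hKernel As Long
    Dim pfnGetCommandLineA As Long, dwWait As Long
    Dim lpRemoteCmdLine As Long, ntStatus As Long
    Dim objCid As CLIENT_ID
    Dim objOa As OBJECT_ATTRIBUTES
    Dim bytBuffer(511) As Byte, strTmp As String

    GetProcessCommandLine = ""

    ' Open the target. NtOpenProcess returns an NTSTATUS: a negative value is
    ' a failure and hRemProcess is then not a usable handle, so nothing
    ' below may run with it.
    objOa.Length = Len(objOa)
    objCid.UniqueProcess = dwProcessId
    ntStatus = NtOpenProcess(hRemProcess, _
        PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION Or PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION, _
        objOa, objCid)
    If ntStatus < 0 Or hRemProcess = 0 Then Exit Function

    ' kernel32 is already mapped in every Win32 process; LoadLibrary only
    ' hands back its module handle (and takes a reference released in Cleanup).
    hKernel = LoadLibrary("kernel32")
    If hKernel = 0 Then GoTo Cleanup

    pfnGetCommandLineA = GetProcAddress(hKernel, "GetCommandLineA")
    If pfnGetCommandLineA = 0 Then GoTo Cleanup

    ' Run GetCommandLineA() on a fresh thread inside the target. The thread
    ' handle must be validated before it is waited on.
    hThread = CreateRemoteThread(hRemProcess, ByVal 0&, 0&, ByVal pfnGetCommandLineA, ByVal 0&, 0, ByVal 0&)
    If hThread = 0 Then GoTo Cleanup

    dwWait = WaitForSingleObject(hThread, REMOTE_CALL_TIMEOUT_MS)
    If dwWait = WAIT_TIMEOUT Then
        ' A suspended or debugged target never schedules the thread; do not
        ' leave it dangling in the other process. Its exit code is of no
        ' interest at this point.
        TerminateThread hThread, 0
        GoTo Cleanup
    ElseIf dwWait <> WAIT_OBJECT_0 Then
        ' WAIT_FAILED / WAIT_ABANDONED: nothing trustworthy to read.
        GoTo Cleanup
    End If

    ' The exit code is GetCommandLineA's return value in the target's
    ' address space. A 0 would make ReadProcessMemory read address 0.
    If GetExitCodeThread(hThread, lpRemoteCmdLine) = 0 Then GoTo Cleanup
    If lpRemoteCmdLine = 0 Then GoTo Cleanup

    ' Best-effort copy: ReadProcessMemory reports failure (ERROR_PARTIAL_COPY)
    ' when the 512-byte window runs past the last readable page, and
    ' presumably leaves whatever it did copy in bytBuffer, so its return
    ' value is deliberately not treated as fatal. bytBuffer starts zeroed,
    ' so a read that copied nothing yields "".
    ReadProcessMemory hRemProcess, ByVal lpRemoteCmdLine, bytBuffer(0), UBound(bytBuffer) + 1, ByVal 0&

    ' ANSI bytes -> VB string, cut at the first NUL. A NUL is appended first
    ' so InStr always finds one even when all 512 bytes are non-zero.
    strTmp = StrConv(bytBuffer, vbUnicode)
    strTmp = Left$(strTmp & Chr$(0), InStr(strTmp & Chr$(0), Chr$(0)) - 1)
    GetProcessCommandLine = strTmp

Cleanup:
    ' Single exit path so no handle or module reference leaks on any
    ' failure branch above.
    If hThread <> 0 Then NtClose hThread
    If hRemProcess <> 0 Then NtClose hRemProcess
    If hKernel <> 0 Then FreeLibrary hKernel
End Function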