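#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <Winternl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * NtQueryInformationProcess is exported by ntdll.dll but ships without an
 * import library, so it is resolved at run time through GetProcAddress.
 */
typedef NTSTATUS (NTAPI *_NtQueryInformationProcess)(
    HANDLE ProcessHandle,
    DWORD ProcessInformationClass,
    PVOID ProcessInformation,
    DWORD ProcessInformationLength,
    PDWORD ReturnLength
);

/* PID used when none is given on the command line (the original hard-coded example). */
enum { DEFAULT_PROCESS_ID = 3088 };

/*
 * Read another process's command line out of its PEB
 * (PEB->ProcessParameters->CommandLine), wrapped as one function so the
 * whole PEB walk lives in a single place.
 *
 * hProcess must carry PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.
 *
 * Returns a NUL-terminated copy owned by the caller (free() it), or NULL if
 * ntdll/NtQueryInformationProcess cannot be resolved, the query fails, or any
 * of the three ReadProcessMemory steps fails. Unlike a plain "best effort"
 * read, a failure to copy the characters is reported as NULL rather than as
 * an empty string.
 *
 * NOTE: UNICODE_STRING.Length is a byte count and Buffer is always UTF-16,
 * so the result is a valid TCHAR string only in UNICODE builds
 * (TCHAR == WCHAR). NtQueryInformationProcess and the PEB layout are not a
 * documented, stable contract, and reading a target of different bitness
 * (WOW64) is not handled here — treat this as a diagnostics helper.
 */
TCHAR* GetProcessCommandLine(HANDLE hProcess)
{
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL)
        return NULL;

    _NtQueryInformationProcess NtQuery =
        (_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (NtQuery == NULL)
        return NULL;

    PROCESS_BASIC_INFORMATION pbi;
    memset(&pbi, 0, sizeof pbi);
    NTSTATUS status = NtQuery(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, NULL);
    if (!NT_SUCCESS(status) || pbi.PebBaseAddress == NULL)
        return NULL;

    /* Step 1: PEB->ProcessParameters. The address is computed locally; the
     * pointer value itself lives in the target and is copied out. */
    PRTL_USER_PROCESS_PARAMETERS remoteParams = NULL;
    if (!ReadProcessMemory(hProcess, &pbi.PebBaseAddress->ProcessParameters,
                           &remoteParams, sizeof remoteParams, NULL) ||
        remoteParams == NULL)
        return NULL;

    /* Step 2: RTL_USER_PROCESS_PARAMETERS->CommandLine (byte length + remote buffer). */
    UNICODE_STRING commandLine;
    memset(&commandLine, 0, sizeof commandLine);
    if (!ReadProcessMemory(hProcess, &remoteParams->CommandLine,
                           &commandLine, sizeof commandLine, NULL))
        return NULL;

    /* Length is a USHORT byte count, so this cannot overflow; reserve the terminator. */
    size_t bytes = (size_t)commandLine.Length + sizeof(WCHAR);
    TCHAR *contents = (TCHAR *)malloc(bytes);
    if (contents == NULL)
        return NULL;
    memset(contents, 0, bytes);

    /* Step 3: the characters themselves. An empty command line has nothing to
     * read and is returned as "" rather than treated as an error. */
    if (commandLine.Length > 0 &&
        (commandLine.Buffer == NULL ||
         !ReadProcessMemory(hProcess, commandLine.Buffer, contents, commandLine.Length, NULL))) {
        free(contents);
        return NULL;
    }
    return contents;
}

/*
 * Usage: <exe> [pid]
 *
 * Opens the target with exactly the two rights the PEB walk needs, prints its
 * command line and returns 0. Returns -1 when the process cannot be opened
 * (unchanged from before) and 1 when the given PID is not a positive number.
 * Without an argument the historical DEFAULT_PROCESS_ID is used.
 */
int _tmain(int argc, TCHAR* argv[])
{
    DWORD processId = DEFAULT_PROCESS_ID;
    if (argc > 1) {
        TCHAR *end = NULL;
        unsigned long parsed = _tcstoul(argv[1], &end, 10);
        if (end == argv[1] || *end != _T('\0') || parsed == 0) {
            _ftprintf(stderr, _T("usage: %s [pid]\n"), argv[0]);
            return 1;
        }
        processId = (DWORD)parsed;
    }

    HANDLE hProcess = OpenProcess(
        PROCESS_QUERY_INFORMATION | /* required for NtQueryInformationProcess */
        PROCESS_VM_READ,            /* required for ReadProcessMemory */
        FALSE,
        processId);
    if (hProcess == NULL)
        return -1;

    TCHAR* pszProcessCmd = GetProcessCommandLine(hProcess);
    if (pszProcessCmd != NULL) {
        /* The PEB stores UTF-16, so print it as a wide string regardless of TCHAR. */
        wprintf(L"%ls", (const wchar_t *)pszProcessCmd);
        free(pszProcessCmd); /* ownership was transferred to us by GetProcessCommandLine */
    }
    CloseHandle(hProcess);
    return 0;
}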
通过C++语言在应用层获取任意进程命令行参数