DWORD g_GetCmdLine(DWORD dwPID,TCHAR* pCmdLine,DWORD dwBufLen)
{
#define BUFFER_LEN 512 //reading buffer for the commandline
HANDLE hProc = OpenProcess(PROCESS_VM_READ,FALSE,dwPID);
if(hProc == NULL)
{
return GetLastError();
}
DWORD dwRet = -1;
DWORD dwAddr = *(DWORD*)((DWORD)GetCommandLine + 1);//第2个字节开始才是我们要读的地址
TCHAR tcBuf[BUFFER_LEN] = {0};
DWORD dwRead = 0;
//判断平台
DWORD dwVer = GetVersion();
try
{
if(dwVer < 0×80000000) // Windows NT/2000/XP
{
if(ReadProcessMemory(hProc,(LPVOID)dwAddr,&dwAddr,4,&dwRead))
{
if(ReadProcessMemory(hProc,(LPVOID)dwAddr,tcBuf,BUFFER_LEN,&dwRead))
{
_tcsncpy(pCmdLine,tcBuf,dwBufLen); //最好检查一下dwRead和dwBufLen的大小,使用较小的那个
dwRet = 0;
}
}
}
else // Windows 95/98/Me and Win32s
{
while(true) //使用while是为了出错时方便跳出循环
{
if(!ReadProcessMemory(hProc,(LPVOID)dwAddr,&dwAddr,4,&dwRead)) break;
if(!ReadProcessMemory(hProc,(LPVOID)dwAddr,&dwAddr,4,&dwRead)) break;
if(!ReadProcessMemory(hProc,(LPVOID)(dwAddr + 0xC0),tcBuf,BUFFER_LEN,&dwRead)) break;
if(*tcBuf == 0)
{
if(!ReadProcessMemory(hProc,(LPVOID)(dwAddr + 0×40),&dwAddr,4,&dwRead)) break;
if(!ReadProcessMemory(hProc,(LPVOID)(dwAddr + 0×8),&dwAddr,4,&dwRead)) break;
if(!ReadProcessMemory(hProc,(LPVOID)dwAddr,tcBuf,BUFFER_LEN, &dwRead)) break;
}
_tcsncpy(pCmdLine,tcBuf,dwBufLen); //最好检查一下dwRead和dwBufLen的大小,使用较小的那个
dwRet = 0;
break;
}
}
}
catch(…)
{
dwRet = ERROR_INVALID_ACCESS; //exception
}
CloseHandle(hProc);
return dwRet;
}