获取进程的命令行参数

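type
  { Native UNICODE_STRING as laid out by ntdll.  Length and MaximumLength are
    BYTE counts, not character counts, and Buffer is not guaranteed to be
    null-terminated; consumers must read exactly Length bytes. }
  UNICODE_STRING = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  { Fix: the original declared PUNICODE_STRING as an alias of the record
    itself, not a pointer to it, which does not match the Windows type the
    name refers to. }
  PUNICODE_STRING = ^UNICODE_STRING;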

type

  { Hand-laid-out image of the first part of RTL_USER_PROCESS_PARAMETERS.
    The record is packed, so with 4-byte THandle/Pointer (32-bit) the fields
    sit at: Flags 8, Unknown2 16, InputHandle 24, CurrentDirectory 36,
    CurrentDirectoryHandle 44, SearchPaths 48, ApplicationName 56 and
    CommandLine at byte offset 64.  Only CommandLine is read by this unit; the
    Unknown* fields exist purely to keep that offset.
    NOTE(review): the offsets above assume 4-byte handles and pointers; a
    64-bit build or a 64-bit target would need a different layout - confirm
    before reusing elsewhere. }
  PROCESS_PARAMETERS = packed record

    AllocationSize: ULONG;

    ActualSize: ULONG;

    Flags: ULONG;

    Unknown1: ULONG;

    Unknown2: UNICODE_STRING;

    InputHandle: THandle;

    OutputHandle: THandle;

    ErrorHandle: THandle;

    CurrentDirectory: UNICODE_STRING;

    CurrentDirectoryHandle: THandle;

    SearchPaths: UNICODE_STRING;

    ApplicationName: UNICODE_STRING;

    { The value Process_CmdLine extracts: Length is a byte count, Buffer is an
      address inside the target process and must be read with
      ReadProcessMemory. }
    CommandLine: UNICODE_STRING;

    EnvironmentBlock: Pointer;

    Unknown: array[0..9 - 1] of ULONG;

    Unknown3: UNICODE_STRING;

    Unknown4: UNICODE_STRING;

    Unknown5: UNICODE_STRING;

    Unknown6: UNICODE_STRING;

  end;

  PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;

 

type

  { Truncated image of the Process Environment Block: only the leading 28
    bytes (with 4-byte fields) are declared, because Process_CmdLine needs
    nothing past ProcessParameters, which lands at byte offset 16 here.
    The field names are the author's guesses; only ProcessParameters is relied
    upon.  NOTE(review): 32-bit layout only - confirm for other targets. }
  PEB = packed record

    AllocationSize: ULONG;

    Unknown1: ULONG;

    ProcessHinstance: Longword;

    ListDlls: Pointer;

    { Address, in the target process, of its RTL_USER_PROCESS_PARAMETERS. }
    ProcessParameters: PPROCESS_PARAMETERS;

    Unknown2: ULONG;

    Heap: THandle;

  end;

  PPEB = ^PEB;

type

  { Output buffer for NtQueryInformationProcess(ProcessBasicInformation).
    Only PebBaseAddress is used by this unit; the Reserved* members keep the
    layout (six pointer-sized fields) and are not interpreted. }
  _PROCESS_BASIC_INFORMATION = packed record

    Reserved1: Pointer;

    { Address of the target's PEB, valid in the target's address space. }
    PebBaseAddress: PPEB;

    Reserved2: array[0..1] of Pointer;

    UniqueProcessId: PULONG;

    Reserved3: Pointer;

  end;

  PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;

  PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;

  { Only the two information classes this unit needs are declared. }
  PROCESSINFOCLASS = (

    ProcessBasicInformation = 0,

    ProcessWow64Information = 26

  );

  { Declared unsigned, so callers test for success with "= 0" rather than by
    the sign bit as the native signed NTSTATUS convention would allow. }
  NTSTATUS = DWORD;

{ Import of the ntdll native API used to locate the target's PEB.
  ProcessHandle must have PROCESS_QUERY_INFORMATION; ProcessInformation
  receives a PROCESS_BASIC_INFORMATION when the class is
  ProcessBasicInformation.  Returns 0 on success (NTSTATUS is a DWORD here).
  ReturnLength may be nil.  This export is not part of the documented Win32
  surface, so its availability and the buffer layout are version-dependent. }
function NtQueryInformationProcess(

  ProcessHandle: THandle;

  ProcessInformationClass: PROCESSINFOCLASS;

  ProcessInformation: Pointer;

  ProcessInformationLength: ULONG;

  ReturnLength: PULONG

): NTSTATUS; stdcall; external 'ntdll.dll' name 'NtQueryInformationProcess';

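function Process_CmdLine(
  mProcessID: THandle
): WideString;
{ Returns the command line of process mProcessID as recorded in that process's
  PEB (PEB -> process parameters -> CommandLine), or '' when the process cannot
  be opened or any intermediate read fails.

  Parameters:
    mProcessID - process id (not a handle); it is passed straight to OpenProcess.
  Returns:
    The command line, or '' on any failure.  The value is read from the
    target's own user-mode memory, so it is whatever the target currently
    holds there rather than an independent record of how it was started;
    treat it as untrusted input.
  Requires PROCESS_QUERY_INFORMATION and PROCESS_VM_READ on the target, which
  for processes of other users normally means SeDebugPrivilege (EnableDebug).
  The record layouts above assume 4-byte handles/pointers, i.e. a 32-bit
  caller reading a 32-bit target; other combinations are not handled here.

  Fixes relative to the original: a zero-length CommandLine no longer indexes
  Result[1] on an empty string; an odd Length no longer reads one byte past the
  allocated WideChars; and a failed or short final read no longer returns a
  partially filled buffer. }
var
  vProcess: THandle;
  vProcessBasicInformation: PROCESS_BASIC_INFORMATION;
  vPEB: PEB;
  vNumberOfBytesRead: Longword;
  vProcessParameters: PROCESS_PARAMETERS;
  vByteCount: Longword;
begin
// Design: Zswang 2006-09-09 wjhu111#21cn.com  Respect the author; credit the source when reposting.
  Result := '';
  vProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
    False, mProcessID);
  if vProcess = 0 then Exit;
  try
    // Every early Exit below leaves Result = ''; the finally block still
    // releases the process handle.
    if NtQueryInformationProcess(
      vProcess,
      ProcessBasicInformation,
      @vProcessBasicInformation,
      SizeOf(vProcessBasicInformation),
      nil) <> 0 then Exit;
    if not ReadProcessMemory(vProcess,
      vProcessBasicInformation.PebBaseAddress,
      @vPEB,
      SizeOf(vPEB),
      vNumberOfBytesRead) then Exit;
    if not ReadProcessMemory(vProcess,
      vPEB.ProcessParameters,
      @vProcessParameters,
      SizeOf(vProcessParameters),
      vNumberOfBytesRead) then Exit;
    // UNICODE_STRING.Length is a byte count.  Round it down to whole
    // WideChars and read exactly that many bytes into the result buffer.
    vByteCount := (vProcessParameters.CommandLine.Length div SizeOf(WideChar))
      * SizeOf(WideChar);
    if vByteCount = 0 then Exit;
    SetLength(Result, vByteCount div SizeOf(WideChar));
    if (not ReadProcessMemory(vProcess,
          vProcessParameters.CommandLine.Buffer,
          @Result[1],
          vByteCount,
          vNumberOfBytesRead)) or (vNumberOfBytesRead <> vByteCount) then
    begin
      // Do not hand back uninitialised or partially filled memory.
      Result := '';
      Exit;
    end;
  finally
    CloseHandle(vProcess);
  end;
end; { Process_CmdLine }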

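procedure EnableDebug();
{ Enables SeDebugPrivilege in the current process token so that
  Process_CmdLine can open processes owned by other accounts.  Only attempted
  on the NT platform.  The procedure has no return value and reports nothing
  (as in the original); whether it worked shows up only in later OpenProcess
  calls.  The privilege stays enabled for the lifetime of the process.

  Fixes relative to the original: the result of OpenProcessToken was ignored,
  so on failure an uninitialised handle was passed to CloseHandle; the result
  of LookupPrivilegeValue was ignored, so an unset LUID could be submitted;
  and the token handle was not released on the error paths. }
var
    VerInfo: TOSVersionInfo;
    hToken: THANDLE;
    tkp: TOKEN_PRIVILEGES;
    Nothing: Cardinal;
begin
    VerInfo.dwOSVersionInfoSize := SizeOf(VerInfo);
    if not GetVersionEx(VerInfo) then Exit;
    if VerInfo.dwPlatformId <> VER_PLATFORM_WIN32_NT then Exit;
    hToken := 0;
    if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
        Exit;
    try
        if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', tkp.Privileges[0].Luid) then
            Exit;
        tkp.PrivilegeCount := 1;
        tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the token does not hold
        // the privilege; the real outcome is GetLastError (ERROR_NOT_ALL_ASSIGNED
        // in that case).  With no return value to carry it, the result is left
        // unexamined here, exactly as the original did.
        AdjustTokenPrivileges(hToken, FALSE, tkp, 0, nil, Nothing);
    finally
        CloseHandle(hToken);
    end;
end;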
