
获取其他进程的命令行(ReadProcessMemory其它进程的PPROCESS_PARAMETERS和PEB结构体)

2017-01-24 22:35 567 查看
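type
  // Counted UTF-16 string used by the native API. Length and MaximumLength
  // are BYTE counts, not character counts (Process_CmdLine divides Length
  // by 2 to get WideChars), and Buffer need not be NUL-terminated.
  UNICODE_STRING = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  // Pointer alias, matching the PPROCESS_PARAMETERS / PPEB convention used
  // below. The original text declared this as a plain record alias
  // (PUNICODE_STRING = UNICODE_STRING), which contradicts its P-prefix;
  // nothing in this unit uses it.
  PUNICODE_STRING = ^UNICODE_STRING;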
type
// Caller-side mirror of the target's RTL_USER_PROCESS_PARAMETERS block. The
// "Unknown*" names are the original author's placeholders for fields this
// unit never reads; Process_CmdLine only uses CommandLine. NOTE(review): with
// packed alignment and 4-byte ULONG/THandle/Pointer this puts CommandLine at
// offset $40, i.e. the 32-bit (x86) layout. The layout is undocumented, so
// confirm it against the target OS and bitness before reusing the record.
PROCESS_PARAMETERS = packed record
AllocationSize: ULONG;
ActualSize: ULONG;
Flags: ULONG;
Unknown1: ULONG;
Unknown2: UNICODE_STRING;
InputHandle: THandle;
OutputHandle: THandle;
ErrorHandle: THandle;
CurrentDirectory: UNICODE_STRING;
CurrentDirectoryHandle: THandle;
SearchPaths: UNICODE_STRING;
ApplicationName: UNICODE_STRING;
CommandLine: UNICODE_STRING; // Length in bytes, Buffer in the target's address space
EnvironmentBlock: Pointer;
Unknown: array[0..9 - 1] of ULONG;
Unknown3: UNICODE_STRING;
Unknown4: UNICODE_STRING;
Unknown5: UNICODE_STRING;
Unknown6: UNICODE_STRING;
end;
PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;
(*//
type
_PEB = packed record
Reserved1: array[0..2 - 1] of Byte;
BeingDebugged: Byte;
Reserved2: array[0..229 - 1] of Byte;
Reserved3: array[0..59 - 1] of Pointer;
SessionId: ULONG;
end;
PEB = _PEB;
PPEB = ^PEB;
//*)
type
// Partial caller-side view of the target's Process Environment Block. Only
// ProcessParameters is read by Process_CmdLine; the field names before it
// are the original author's and do not match the winternl.h names (compare
// the commented-out _PEB above). Four 4-byte fields precede
// ProcessParameters, so on a 32-bit build it sits at offset $10 — the x86
// layout; NOTE(review): not valid for a 64-bit target or a 64-bit build.
// The PEB lives in memory the target process owns and can modify.
PEB = packed record
AllocationSize: ULONG;
Unknown1: ULONG;
ProcessHinstance: Longword;
ListDlls: Pointer;
ProcessParameters: PPROCESS_PARAMETERS; // pointer in the target's address space
Unknown2: ULONG;
Heap: THandle;
end;
PPEB = ^PEB;

type
// Mirrors PROCESS_BASIC_INFORMATION from winternl.h; PebBaseAddress is the
// only field this unit uses (it is an address in the target's address space,
// not a local pointer — it is only ever passed to ReadProcessMemory).
_PROCESS_BASIC_INFORMATION = packed record
Reserved1: Pointer;
PebBaseAddress: PPEB;
Reserved2: array[0..1] of Pointer;
UniqueProcessId: PULONG;
Reserved3: Pointer;
end;

PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;
PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
// Only the two information classes this unit needs; the numeric values
// follow the PROCESSINFOCLASS enumeration in winternl.h.
PROCESSINFOCLASS = (
ProcessBasicInformation = 0,
ProcessWow64Information = 26
);
// NTSTATUS carried as an unsigned DWORD: 0 (STATUS_SUCCESS) is success and
// Process_CmdLine treats any other value as failure.
NTSTATUS = DWORD;

// Native ntdll export used to locate the target's PEB. ProcessHandle must
// have been opened with PROCESS_QUERY_INFORMATION; ProcessInformation must
// point to a buffer of ProcessInformationLength bytes sized for the requested
// class; ReturnLength may be nil (Process_CmdLine passes nil). Returns an
// NTSTATUS, 0 on success. NOTE(review): this is an unsupported internal API
// that Microsoft may change between Windows versions.
function NtQueryInformationProcess(
ProcessHandle: THandle;
ProcessInformationClass: PROCESSINFOCLASS;
ProcessInformation: Pointer;
ProcessInformationLength: ULONG;
ReturnLength: PULONG
): NTSTATUS; stdcall; external 'ntdll.dll' name 'NtQueryInformationProcess';

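function Process_CmdLine(
  mProcessID: THandle
): WideString;
{ Returns the command line of the process with id mProcessID, or '' if the
  process cannot be opened (no such process, insufficient rights) or if any
  step of the PEB walk fails.
  Path: OpenProcess -> NtQueryInformationProcess(ProcessBasicInformation)
        -> PEB.ProcessParameters -> PROCESS_PARAMETERS.CommandLine.
  Caveats:
  - The record layouts above are the 32-bit (x86) ones; reading a 64-bit
    target, or building this unit as 64-bit, reads the wrong offsets.
  - Every value comes out of memory the target process owns and can rewrite
    (including CommandLine.Length and CommandLine.Buffer), so each value is
    validated before use and the returned string is informational, not a
    trustworthy record of how the process was actually started. }
var
  vProcess: THandle;
  vProcessBasicInformation: PROCESS_BASIC_INFORMATION;
  vPEB: PEB;
  vNumberOfBytesRead: Longword;
  vProcessParameters: PROCESS_PARAMETERS;
  vByteCount: Word;
begin
  // Design: Zswang 2006-09-09 wjhu111#21cn.com - credit the author when reposting
  Result := '';
  vProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
    False, mProcessID);
  if vProcess = 0 then Exit;
  try
    // Non-zero NTSTATUS means failure and the output buffer is undefined.
    if NtQueryInformationProcess(vProcess, ProcessBasicInformation,
      @vProcessBasicInformation, SizeOf(vProcessBasicInformation),
      nil) <> 0 then Exit;
    if vProcessBasicInformation.PebBaseAddress = nil then Exit;
    // Each ReadProcessMemory is checked for a complete read: a short read
    // would leave the tail of the local record uninitialised.
    if not ReadProcessMemory(vProcess, vProcessBasicInformation.PebBaseAddress,
      @vPEB, SizeOf(vPEB), vNumberOfBytesRead) or
      (vNumberOfBytesRead <> SizeOf(vPEB)) then Exit;
    if vPEB.ProcessParameters = nil then Exit;
    if not ReadProcessMemory(vProcess, vPEB.ProcessParameters,
      @vProcessParameters, SizeOf(vProcessParameters), vNumberOfBytesRead) or
      (vNumberOfBytesRead <> SizeOf(vProcessParameters)) then Exit;
    // CommandLine.Length is a byte count chosen by the target. Round it down
    // to whole WideChars so the read never exceeds what SetLength allocates:
    // the original read Length bytes into Length div 2 characters, which is
    // one byte too many whenever Length is odd.
    vByteCount := (vProcessParameters.CommandLine.Length div 2) * 2;
    if (vByteCount = 0) or (vProcessParameters.CommandLine.Buffer = nil) then Exit;
    SetLength(Result, vByteCount div 2);
    if not ReadProcessMemory(vProcess, vProcessParameters.CommandLine.Buffer,
      @Result[1], vByteCount, vNumberOfBytesRead) or
      (vNumberOfBytesRead <> vByteCount) then
      Result := ''; // never hand back a partially filled, uninitialised buffer
  finally
    CloseHandle(vProcess);
  end;
end; { Process_CmdLine }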
http://blog.csdn.net/zswang/article/details/1214857