
根据进程 ID 获取目标进程的启动参数（命令行）。注意：下面的代码按 PID 查询，并非按进程名；命令行是从目标进程 PEB 中读出的，目标进程自身可以改写它，结果只能作参考。

// Status codes for the Nt* query used below. NTSTATUS is a signed 32-bit value
// and any non-negative value means success, which is why GetProcessCmdLine
// tests `dwStatus >= 0` rather than comparing against STATUS_SUCCESS.
// Neither macro is referenced by the code shown on this page.
#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)

#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)

// Trimmed-down mirror of the ntdll enum: only the member this page names.
// NOTE(review): OBJECT_INFORMATION_CLASS, UNICODE_STRING, PROCESSINFOCLASS and
// the other names defined here are also declared by <winternl.h>; including
// that header next to these definitions would clash. The page does not show
// its include list, so confirm before copying this into a project.
typedef enum { ObjectNameInformation = 1 } OBJECT_INFORMATION_CLASS;

// Counted wide string as used by ntdll; it should not be assumed to be
// NUL-terminated. Both lengths are byte counts -- GetProcessCmdLine below passes
// Length straight to HeapAlloc and ReadProcessMemory as a size in bytes.
// When this struct is copied out of another process, Buffer is an address in
// *that* process: never dereference it locally, read it with ReadProcessMemory.
typedef struct _UNICODE_STRING {
USHORT Length;          // bytes in use, not characters
USHORT MaximumLength;   // bytes allocated
PWSTR  Buffer;          // remote address when obtained from another process

} UNICODE_STRING, *PUNICODE_STRING;

// Payload returned for the ObjectNameInformation class. Together with the
// NTQUERYOBJECT typedef below it is not used by GetProcessCmdLine on this page;
// presumably a leftover from a handle-name lookup.
typedef struct _OBJECT_NAME_INFORMATION {
UNICODE_STRING          ObjectName;

} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

// Function-pointer type for ntdll!NtQueryObject, for use with GetProcAddress.
// Not referenced by the code shown on this page.
typedef NTSTATUS(WINAPI *NTQUERYOBJECT)

(IN HANDLE Handle,
IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
OUT PVOID ObjectInformation,
IN ULONG ObjectInformationLength,
OUT PULONG ReturnLength);

// Subset of the NtQueryInformationProcess information classes. Only
// ProcessBasicInformation (0) is used on this page; the remaining values are
// carried along as-is -- verify them against <winternl.h> before relying on them.
typedef enum _PROCESSINFOCLASS {

ProcessBasicInformation = 0,
ProcessDebugPort = 7,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessBreakOnTermination = 29

} PROCESSINFOCLASS;

// Function-pointer type for ntdll!NtQueryInformationProcess; GetProcessCmdLine
// resolves it at run time with GetProcAddress rather than linking against it.
// Returns an NTSTATUS: negative on failure, non-negative on success.
typedef NTSTATUS(NTAPI *pfnNtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,       // receives the class-specific struct
IN ULONG ProcessInformationLength,  // size of that struct in bytes
OUT PULONG ReturnLength             // bytes written / required; may be NULL
OPTIONAL
);

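BOOL GetProcessCmdLine(const DWORD dwPID, std::wstring &strCmdLine)
{
    // Reads the command line of process dwPID by walking its PEB:
    //   NtQueryInformationProcess(ProcessBasicInformation) -> PebBaseAddress
    //   PEB.ProcessParameters -> RTL_USER_PROCESS_PARAMETERS.CommandLine
    // and copying that counted string out with ReadProcessMemory.
    //
    // dwPID      : ID of the process to inspect.
    // strCmdLine : receives the command line on success; left untouched on failure.
    // Returns TRUE on success, FALSE on any failure. Intermediate Win32 errors
    // are not preserved, so there is no GetLastError contract.
    //
    // Caveats a caller should know about:
    //  * Needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the target; opening
    //    a protected, higher-integrity or other-user process will simply fail.
    //  * The PEB / process-parameter mirrors below are the native layout for the
    //    *caller's* bitness. A 32-bit caller inspecting a 64-bit target (or vice
    //    versa) reads the wrong offsets; cross-bitness reads are not handled here.
    //  * CommandLine lives in the target's own writable memory, so the target can
    //    rewrite what we read. Treat the result as informational, not as an
    //    authoritative record of how the process was launched.
    //
    // Fixes relative to the previous version: OpenProcess failure is detected
    // (it returns NULL, not INVALID_HANDLE_VALUE); the NTSTATUS of the query is
    // checked; ReadProcessMemory's out-parameter is a real SIZE_T instead of a
    // DWORD cast to SIZE_T* (a 4-byte stack slot written with 8 bytes on x64);
    // the never-released LoadLibrary reference is gone; and the 64 KiB stack
    // buffer plus heap temporaries are replaced by a std::wstring. The old
    // non-UNICODE branch could not compile against std::wstring and is dropped.

    typedef ULONG PPS_POST_PROCESS_INIT_ROUTINE;

    // Prefix of the loader data; only present so smPEB has the right layout.
    typedef struct _smPEB_LDR_DATA {
        BYTE Reserved1[8];
        PVOID Reserved2[3];
        LIST_ENTRY InMemoryOrderModuleList;
    } PEB_LDR_DATA, *PPEB_LDR_DATA;

    // Upper bound, in characters, on the command line handed back. Kept as a
    // macro for compatibility with any code that references it.
#define MAX_UNICODE_PATH 32767L

    // Only ImagePathName / CommandLine are used; the Reserved blocks pad them to
    // their offsets. NOTE(review): these local typedefs reuse the public names
    // from <winternl.h>; legal inside a function, but they shadow the global
    // ones if that header is included.
    typedef struct _smRTL_USER_PROCESS_PARAMETERS {
        BYTE Reserved1[16];
        PVOID Reserved2[10];
        UNICODE_STRING ImagePathName;
        UNICODE_STRING CommandLine;
    } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

    // PEB prefix up to ProcessParameters, plus trailing fields so the whole
    // struct is fetched in one ReadProcessMemory call. Only ProcessParameters
    // is consumed here.
    typedef struct _smPEB {
        BYTE Reserved1[2];
        BYTE BeingDebugged;
        BYTE Reserved2[1];
        PVOID Reserved3[2];
        PPEB_LDR_DATA Ldr;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;  // remote address
        BYTE Reserved4[104];
        PVOID Reserved5[52];
        PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
        BYTE Reserved6[128];
        PVOID Reserved7[1];
        ULONG SessionId;
    } smPEB, *smPPEB;

    // Result of ProcessBasicInformation. PebBaseAddress is an address in the
    // target process, so it is kept as an opaque PVOID and never dereferenced.
    typedef struct _smPROCESS_BASIC_INFORMATION {
        LONG ExitStatus;
        PVOID PebBaseAddress;
        ULONG_PTR AffinityMask;
        LONG BasePriority;
        ULONG_PTR UniqueProcessId;
        ULONG_PTR InheritedFromUniqueProcessId;
    } smPROCESS_BASIC_INFORMATION, *smPPROCESS_BASIC_INFORMATION;

    // ntdll.dll is mapped into every user-mode process, so GetModuleHandle is
    // sufficient and, unlike LoadLibrary, does not take a reference that has
    // to be released later.
    HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll");
    if (hNtDll == NULL)
        return FALSE;

    pfnNtQueryInformationProcess pfnQuery =
        (pfnNtQueryInformationProcess)GetProcAddress(hNtDll, "NtQueryInformationProcess");
    if (pfnQuery == NULL)
        return FALSE;

    // OpenProcess reports failure with NULL; INVALID_HANDLE_VALUE is checked
    // as well only to be defensive.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
    if (hProcess == NULL || hProcess == INVALID_HANDLE_VALUE)
        return FALSE;

    BOOL bRet = FALSE;
    try
    {
        do
        {
            // PROCESS_BASIC_INFORMATION is fixed-size; a stack copy suffices and
            // the grow-and-retry heap allocation is unnecessary.
            smPROCESS_BASIC_INFORMATION pbi = { 0 };
            ULONG cbReturned = 0;
            NTSTATUS status = pfnQuery(hProcess, ProcessBasicInformation,
                                       &pbi, sizeof(pbi), &cbReturned);
            // NTSTATUS is signed; >= 0 is NT_SUCCESS. A failed query leaves
            // PebBaseAddress zeroed, but check the status explicitly anyway.
            if (status < 0 || pbi.PebBaseAddress == NULL)
                break;

            // Must be SIZE_T: ReadProcessMemory writes a pointer-sized count.
            SIZE_T cbRead = 0;

            smPEB peb = { 0 };
            if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), &cbRead)
                || cbRead != sizeof(peb))
                break;
            if (peb.ProcessParameters == NULL)
                break;

            RTL_USER_PROCESS_PARAMETERS upp = { 0 };
            if (!ReadProcessMemory(hProcess, peb.ProcessParameters, &upp, sizeof(upp), &cbRead)
                || cbRead != sizeof(upp))
                break;

            // UNICODE_STRING.Length is a byte count and Buffer is an address in
            // the target process (not ours). Neither is trusted beyond what the
            // bounded ReadProcessMemory below can verify.
            const USHORT cbCmdLine = upp.CommandLine.Length;
            if (cbCmdLine == 0 || upp.CommandLine.Buffer == NULL)
                break;

            // Characters to fetch, capped at the same limit the old fixed-size
            // buffer imposed (MAX_UNICODE_PATH - 1). Because Length is a USHORT
            // this is at most 32767 characters whatever the target reports.
            size_t cchCmdLine = cbCmdLine / sizeof(WCHAR);
            if (cchCmdLine > (size_t)(MAX_UNICODE_PATH - 1))
                cchCmdLine = (size_t)(MAX_UNICODE_PATH - 1);
            if (cchCmdLine == 0)
                break;

            std::wstring cmdLine(cchCmdLine, L'\0');
            if (!ReadProcessMemory(hProcess, upp.CommandLine.Buffer, &cmdLine[0],
                                   cchCmdLine * sizeof(WCHAR), &cbRead)
                || cbRead != cchCmdLine * sizeof(WCHAR))
                break;

            // The previous version assigned the buffer to std::wstring as a C
            // string, i.e. stopped at the first NUL; keep that behaviour so an
            // embedded NUL (a corrupt or tampered string) cannot smuggle extra
            // text past callers that treat the result as one argument line.
            const std::wstring::size_type nul = cmdLine.find(L'\0');
            if (nul != std::wstring::npos)
                cmdLine.resize(nul);

            strCmdLine.swap(cmdLine);
            bRet = TRUE;
        } while (FALSE);
    }
    catch (...)
    {
        // Only C++ exceptions land here (e.g. std::bad_alloc from the wstring).
        // An access violation is an SEH exception and is not caught unless the
        // project builds with /EHa. Either way the result is "failed".
        bRet = FALSE;
    }

    CloseHandle(hProcess);
    return bRet;
}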