
获取其他进程的命令行(ReadProcessMemory其它进程的PPROCESS_PARAMETERS和PEB结构体)

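type
  { Counted UTF-16 string as used by the NT native API.
    Length and MaximumLength are BYTE counts, not character counts. }
  UNICODE_STRING = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  // NOTE(review): declared as an alias of the record, not ^UNICODE_STRING as the
  // name suggests. Unused in this unit; kept as-is so other users are not broken.
  PUNICODE_STRING = UNICODE_STRING;

type
  { Leading part of the per-process parameter block referenced from the PEB;
    only CommandLine is consumed here. All offsets assume 32-bit pointers and
    handles (packed, 4-byte fields) — reading a 64-bit target through this
    layout would misalign every field after the first pointer; TODO confirm
    before use on Win64 or across WOW64. }
  PROCESS_PARAMETERS = packed record
    AllocationSize: ULONG;
    ActualSize: ULONG;
    Flags: ULONG;
    Unknown1: ULONG;
    Unknown2: UNICODE_STRING;
    InputHandle: THandle;
    OutputHandle: THandle;
    ErrorHandle: THandle;
    CurrentDirectory: UNICODE_STRING;
    CurrentDirectoryHandle: THandle;
    SearchPaths: UNICODE_STRING;
    ApplicationName: UNICODE_STRING;
    CommandLine: UNICODE_STRING;
    EnvironmentBlock: Pointer;
    Unknown: array[0..9 - 1] of ULONG;
    Unknown3: UNICODE_STRING;
    Unknown4: UNICODE_STRING;
    Unknown5: UNICODE_STRING;
    Unknown6: UNICODE_STRING;
  end;
  PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;

(*// Alternative opaque PEB layout, kept for reference only (not compiled):
type
  _PEB = packed record
    Reserved1: array[0..2 - 1] of Byte;
    BeingDebugged: Byte;
    Reserved2: array[0..229 - 1] of Byte;
    Reserved3: array[0..59 - 1] of Pointer;
    SessionId: ULONG;
  end;
  PEB = _PEB;
  PPEB = ^PEB;
//*)

type
  { Leading fields of the Process Environment Block. Only ProcessParameters is
    read here; the rest exists to keep that field at its 32-bit offset. }
  PEB = packed record
    AllocationSize: ULONG;
    Unknown1: ULONG;
    ProcessHinstance: Longword;
    ListDlls: Pointer;
    ProcessParameters: PPROCESS_PARAMETERS; // address valid in the TARGET process only
    Unknown2: ULONG;
    Heap: THandle;
  end;
  PPEB = ^PEB;

type
  { Output of NtQueryInformationProcess(ProcessBasicInformation). }
  _PROCESS_BASIC_INFORMATION = packed record
    Reserved1: Pointer;
    PebBaseAddress: PPEB;   // address of the PEB inside the target's address space
    Reserved2: array[0..1] of Pointer;
    UniqueProcessId: PULONG;
    Reserved3: Pointer;
  end;
  PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;
  PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;

  PROCESSINFOCLASS = (
    ProcessBasicInformation = 0,
    ProcessWow64Information = 26
  );

  NTSTATUS = DWORD;

{ Native API query. Returns 0 (STATUS_SUCCESS) on success; any non-zero
  value is treated as failure by the caller below. }
function NtQueryInformationProcess(
  ProcessHandle: THandle;
  ProcessInformationClass: PROCESSINFOCLASS;
  ProcessInformation: Pointer;
  ProcessInformationLength: ULONG;
  ReturnLength: PULONG): NTSTATUS; stdcall; external 'ntdll.dll' name 'NtQueryInformationProcess';

{ Returns the command line of process mProcessID as stored in that process's
  PEB, or '' when the process cannot be opened with PROCESS_QUERY_INFORMATION
  or PROCESS_VM_READ, when any of the three reads fails or is short, or when
  the recorded command line is empty.

  Everything dereferenced here — the PEB, the parameter block and the string
  buffer — lives in the target's own writable memory and is under the target's
  control, so the returned value is untrusted input describing what the process
  currently claims, not an authoritative record of how it was started. }
function Process_CmdLine(mProcessID: THandle): WideString;
var
  vProcess: THandle;
  vProcessBasicInformation: PROCESS_BASIC_INFORMATION;
  vPEB: PEB;
  vNumberOfBytesRead: Longword;
  vProcessParameters: PROCESS_PARAMETERS;
  vByteCount: Longword;
begin
  // Designed by Zswang 2006-09-09 wjhu111#21cn.com — please credit the source when reposting
  Result := '';
  vProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
    False, mProcessID);
  if vProcess = 0 then Exit;
  try
    if NtQueryInformationProcess(
      vProcess,
      ProcessBasicInformation,
      @vProcessBasicInformation,
      SizeOf(vProcessBasicInformation),
      nil) <> 0 then Exit;
    // A nil PEB address means there is nothing to read (e.g. a system process).
    if vProcessBasicInformation.PebBaseAddress = nil then Exit;
    // Each read is checked for a short count as well as for failure, so a
    // partially filled record is never interpreted.
    if not ReadProcessMemory(vProcess,
      vProcessBasicInformation.PebBaseAddress,
      @vPEB,
      SizeOf(vPEB),
      vNumberOfBytesRead) or (vNumberOfBytesRead <> SizeOf(vPEB)) then Exit;
    if vPEB.ProcessParameters = nil then Exit;
    if not ReadProcessMemory(vProcess,
      vPEB.ProcessParameters,
      @vProcessParameters,
      SizeOf(vProcessParameters),
      vNumberOfBytesRead) or (vNumberOfBytesRead <> SizeOf(vProcessParameters)) then Exit;
    // Length is a byte count supplied by the target. Round it down to whole
    // WideChars so the read can never overrun the buffer allocated below by
    // one byte, and bail out on an empty or nil string instead of taking
    // @Result[1] of an empty WideString.
    vByteCount := vProcessParameters.CommandLine.Length and $FFFE;
    if (vByteCount = 0) or (vProcessParameters.CommandLine.Buffer = nil) then Exit;
    SetLength(Result, vByteCount div SizeOf(WideChar));
    if not ReadProcessMemory(vProcess,
      vProcessParameters.CommandLine.Buffer,
      @Result[1],
      vByteCount,
      vNumberOfBytesRead) or (vNumberOfBytesRead <> vByteCount) then
      Result := ''; // do not hand back an uninitialised buffer on failure
  finally
    CloseHandle(vProcess);
  end;
end; { Process_CmdLine }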

http://blog.csdn.net/zswang/article/details/1214857

获取其他进程的命令行(ReadProcessMemory其它进程的PPROCESS_PARAMETERS和PEB结构体)