传说中的路痴 发表于 2011-3-30 08:52:01

获得进程启动参数的代码

以前那位仁兄的代码我调试了半天，实在调不起来，所以找来这段代码，发现很好用，特意放在这里，大家共享吧。
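type
  // Mirror of the native UNICODE_STRING used by NtQueryInformationProcess /
  // RTL_USER_PROCESS_PARAMETERS. Length and MaximumLength are BYTE counts,
  // not character counts (Process_CmdLine divides Length by 2 to get the
  // WideString length). Buffer points into the *other* process's address
  // space and is not guaranteed to be NUL-terminated, so it must be read
  // with ReadProcessMemory for exactly Length bytes, never dereferenced.
  UNICODE_STRING = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  // Fixed: the original aliased the record itself ("= UNICODE_STRING"),
  // so PUNICODE_STRING was a value type, not a pointer.
  PUNICODE_STRING = ^UNICODE_STRING;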
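type
  // Partial mirror of the block that the PEB's ProcessParameters pointer
  // refers to (RTL_USER_PROCESS_PARAMETERS). Field names up to CommandLine
  // are the original author's; Process_CmdLine reads only CommandLine, so the
  // trailing fields merely have to keep SizeOf() a safe read length and keep
  // the record free of managed fields. Laid out for a 32-bit target
  // (4-byte ULONG / THandle / Pointer); reading a 64-bit target with this
  // layout yields garbage offsets.
  PROCESS_PARAMETERS = packed record
    AllocationSize: ULONG;
    ActualSize: ULONG;
    Flags: ULONG;
    Unknown1: ULONG;
    Unknown2: UNICODE_STRING;
    InputHandle: THandle;
    OutputHandle: THandle;
    ErrorHandle: THandle;
    CurrentDirectory: UNICODE_STRING;
    CurrentDirectoryHandle: THandle;
    SearchPaths: UNICODE_STRING;
    ApplicationName: UNICODE_STRING;
    CommandLine: UNICODE_STRING;   // Length in bytes; Buffer lives in the target process
    EnvironmentBlock: Pointer;
    // Fixed: the original declared "array of ULONG", which in Delphi is a
    // *dynamic* array, i.e. a managed pointer stored inside the record.
    // ReadProcessMemory would overwrite that pointer with foreign bytes and
    // the RTL would then try to finalize it when the record goes out of
    // scope. Nine inline ULONGs is the size of the native layout's run of
    // console/window fields that sits between Environment and WindowTitle.
    Unknown: array[0..8] of ULONG;
    Unknown3: UNICODE_STRING;
    Unknown4: UNICODE_STRING;
    Unknown5: UNICODE_STRING;
    Unknown6: UNICODE_STRING;
  end;
  PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;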

type
// Minimal mirror of the target's Process Environment Block, only as far as
// the ProcessParameters pointer that Process_CmdLine needs. Seven 4-byte
// fields = 28 bytes, i.e. a 32-bit layout; the field names other than
// ProcessParameters are the original author's labels and are not used here.
// NOTE(review): with a 64-bit target the pointer-sized fields are 8 bytes
// wide, so ProcessParameters would be read from the wrong offset — confirm
// caller and target bitness match before relying on this record.
PEB = packed record
    AllocationSize: ULONG;
    Unknown1: ULONG;
    ProcessHinstance: Longword;
    ListDlls: Pointer;
    ProcessParameters: PPROCESS_PARAMETERS;   // address in the target process, not ours
    Unknown2: ULONG;
    Heap: THandle;
end;
PPEB = ^PEB;
   
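type
  // Output buffer for NtQueryInformationProcess(ProcessBasicInformation).
  // Only PebBaseAddress is consumed by Process_CmdLine; the Reserved* names
  // follow the public (documented) shape of the structure.
  _PROCESS_BASIC_INFORMATION = packed record
    Reserved1: Pointer;
    PebBaseAddress: PPEB;          // PEB address inside the target process
    // Fixed: the original "array of Pointer" was a dynamic (managed) array,
    // which is a single 4-byte pointer inside the record. That both shrank
    // the record below the size the kernel expects for this info class and
    // left a managed field to be overwritten by the kernel's output and then
    // finalized by the RTL. The documented shape is two inline pointers.
    Reserved2: array[0..1] of Pointer;
    UniqueProcessId: PULONG;
    Reserved3: Pointer;
  end;

  PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;
  PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
  // Information classes accepted by NtQueryInformationProcess that this
  // snippet knows about. NOTE(review): a Delphi enum with explicit values is
  // 1 byte wide unless {$MINENUMSIZE 4} is in effect; the native parameter is
  // a 4-byte enum. Passing it by value through stdcall still occupies a full
  // stack slot, but keep this in mind if the declaration is reused elsewhere.
  PROCESSINFOCLASS = (
    ProcessBasicInformation = 0,
    ProcessWow64Information = 26
  );
  // Native status code; 0 (STATUS_SUCCESS) means success, which is why
  // Process_CmdLine treats any non-zero return as failure.
  NTSTATUS = DWORD;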

// Native (undocumented-ish) query entry point imported straight from
// ntdll.dll. Process_CmdLine calls it with ProcessBasicInformation to obtain
// the target's PEB address; ReturnLength may be nil when the caller does not
// need the size actually written. Returns an NTSTATUS, 0 meaning success.
// The calling process needs PROCESS_QUERY_INFORMATION on ProcessHandle.
function NtQueryInformationProcess(
ProcessHandle: THandle;
ProcessInformationClass: PROCESSINFOCLASS;
ProcessInformation: Pointer;
ProcessInformationLength: ULONG;
ReturnLength: PULONG
): NTSTATUS; stdcall; external 'ntdll.dll' name 'NtQueryInformationProcess';

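// Returns the command line of the process identified by mProcessID, read
// from the target's PEB -> ProcessParameters -> CommandLine.
//
// Returns '' when the process cannot be opened with
// PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, when
// NtQueryInformationProcess fails, when any of the three remote reads fails
// or comes back short, or when the command line is empty. The record
// layouts used here are 32-bit, so caller and target must have the same
// bitness. Nothing in the target is modified; the handle is always closed.
function Process_CmdLine(mProcessID: THandle): WideString;
var
  vProcess: THandle;
  vProcessBasicInformation: PROCESS_BASIC_INFORMATION;
  vPEB: PEB;
  vNumberOfBytesRead: Longword;
  vProcessParameters: PROCESS_PARAMETERS;
  vBytesToRead: Longword;
begin
  Result := '';
  vProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
    False, mProcessID);
  if vProcess = 0 then Exit;
  try
    // NTSTATUS: 0 is success, anything else is failure.
    if NtQueryInformationProcess(
      vProcess,
      ProcessBasicInformation,
      @vProcessBasicInformation,
      SizeOf(vProcessBasicInformation),
      nil) <> 0 then Exit;
    // Guard the remote pointers before following them; a nil PEB or
    // ProcessParameters would otherwise just produce a failed read.
    if vProcessBasicInformation.PebBaseAddress = nil then Exit;
    if not ReadProcessMemory(vProcess,
      vProcessBasicInformation.PebBaseAddress,
      @vPEB,
      SizeOf(vPEB),
      vNumberOfBytesRead) or (vNumberOfBytesRead <> SizeOf(vPEB)) then Exit;
    if vPEB.ProcessParameters = nil then Exit;
    if not ReadProcessMemory(vProcess,
      vPEB.ProcessParameters,
      @vProcessParameters,
      SizeOf(vProcessParameters),
      vNumberOfBytesRead) or
      (vNumberOfBytesRead <> SizeOf(vProcessParameters)) then Exit;
    // UNICODE_STRING.Length is a byte count. An empty or nil command line
    // yields '' without touching the target again.
    if (vProcessParameters.CommandLine.Length = 0) or
      (vProcessParameters.CommandLine.Buffer = nil) then Exit;
    SetLength(Result, vProcessParameters.CommandLine.Length div 2);
    // Read exactly the bytes the WideString can hold (Length may in theory be
    // odd). Fixed: the original passed @Result, the address of the string
    // *variable* itself, so the remote bytes overwrote the pointer (and the
    // stack behind it) instead of the character buffer. PWideChar(Result)
    // is the buffer allocated by SetLength above.
    vBytesToRead := Longword(Length(Result)) * SizeOf(WideChar);
    if not ReadProcessMemory(vProcess,
      vProcessParameters.CommandLine.Buffer,
      PWideChar(Result),
      vBytesToRead,
      vNumberOfBytesRead) or (vNumberOfBytesRead <> vBytesToRead) then
      // Do not hand back a half-filled buffer on a short or failed read.
      Result := '';
  finally
    CloseHandle(vProcess);
  end;
end;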