如何得到其它进程的启动命令行参数

如何得到其它进程的启动命令行参数 ILSY:
这个程序可以得到其他进程的命令行参数。
// procmdline.cpp (Windows NT/2000)
//
// This example shows how to get the command line for almost any process
// on the system for Windows NT/2000
//
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com

#include <windows.h>
#include <stdio.h>

#define ProcessBasicInformation 0

typedef struct
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct
{
ULONG AllocationSize;
ULONG ActualSize;
ULONG Flags;
ULONG Unknown1;
UNICODE_STRING Unknown2;
HANDLE InputHandle;
HANDLE OutputHandle;
HANDLE ErrorHandle;
UNICODE_STRING CurrentDirectory;
HANDLE CurrentDirectoryHandle;
UNICODE_STRING SearchPaths;
UNICODE_STRING ApplicationName;
UNICODE_STRING CommandLine;
PVOID EnvironmentBlock;
ULONG Unknown[9];
UNICODE_STRING Unknown3;
UNICODE_STRING Unknown4;
UNICODE_STRING Unknown5;
UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

typedef struct
{
ULONG AllocationSize;
ULONG Unknown1;
HINSTANCE ProcessHinstance;
PVOID ListDlls;
PPROCESS_PARAMETERS ProcessParameters;
ULONG Unknown2;
HANDLE Heap;
} PEB, *PPEB;

typedef struct
{
DWORD ExitStatus;
PPEB PebBaseAddress;
DWORD AffinityMask;
DWORD BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

// ntdll!NtQueryInformationProcess (NT specific!)
//
// The function copies the process information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQueryInformationProcess(
// IN HANDLE ProcessHandle, // handle to process
// IN PROCESSINFOCLASS InformationClass, // information type
// OUT PVOID ProcessInformation, // pointer to buffer
// IN ULONG ProcessInformationLength, // buffer size in bytes
// OUT PULONG ReturnLength OPTIONAL // pointer to a 32-bit
// // variable that receives
// // the number of bytes
// // written to the buffer
// );
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);

PROCNTQSIP NtQueryInformationProcess;

BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen);

void main(int argc, char* argv[])
{
if (argc<2)
{
printf("Usage:/n/ncmdline.exe ProcId/n");
return;
}

NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
GetModuleHandle("ntdll"),
"NtQueryInformationProcess"
);

if (!NtQueryInformationProcess)
return;

DWORD dwId;
sscanf(argv[1],"%lu",&dwId);

WCHAR wstr[255];

if (GetProcessCmdLine(dwId,wstr,sizeof(wstr)))
wprintf(L"Command line for process %lu is:/n%s/n",dwId,wstr);
else
wprintf(L"Could not get command line!");

}

BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen)
{
LONG status;
HANDLE hProcess;
PROCESS_BASIC_INFORMATION pbi;
PEB Peb;
PROCESS_PARAMETERS ProcParam;
DWORD dwDummy;
DWORD dwSize;
LPVOID lpAddress;
BOOL bRet = FALSE;

// Get process handle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId);
if (!hProcess)
return FALSE;

// Retrieve information
status = NtQueryInformationProcess( hProcess,
ProcessBasicInformation,
(PVOID)&pbi,
sizeof(PROCESS_BASIC_INFORMATION),
NULL
);

if (status)
goto cleanup;

if (!ReadProcessMemory( hProcess,
pbi.PebBaseAddress,
&Peb,
sizeof(PEB),
&dwDummy
)
)
goto cleanup;

if (!ReadProcessMemory( hProcess,
Peb.ProcessParameters,
&ProcParam,
sizeof(PROCESS_PARAMETERS),
&dwDummy
)
)
goto cleanup;

lpAddress = ProcParam.CommandLine.Buffer;
dwSize = ProcParam.CommandLine.Length;

if (dwBufLen<dwSize)
goto cleanup;

if (!ReadProcessMemory( hProcess,
lpAddress,
wBuf,
dwSize,
&dwDummy
)
)
goto cleanup;

bRet = TRUE;

cleanup:

CloseHandle (hProcess);


return bRet;
}
---

tombkeeper:
PEB结构中的ProcessParameters->CommandLine是个UNICODE_STRING，就是命令行。用ReadProcessMemory()读取就可以了。

1、从 fs:0定位PEB
2、PEB偏移0x10是ProcessParameters
3、ProcessParameters偏移0x40是CommandLine

tombkeeper:
不同版本的NT，PEB结构未必相同，可能需要区别对待。
还是ILSY的办法比较堂堂正正一点。