64位环境下32位进程获取64位进程的命令行参数和当前目录
2011-11-18 15:54
1446 查看
BOOL GetProcessCurDir(HANDLE hProcess,mystring&strCurDir)
{
BOOL bSuccess = FALSE;
//
PROCESS_BASIC_INFORMATION pbi;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtQueryInformationProcess");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtReadVirtualMemory");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
SIZE_T size;
int iReturn;
PVOID pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),&dwSize);
pAddrPEB = pbi.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS stBlock;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &stBlock, sizeof(stBlock), &size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 3. Get the CurDir
wchar_t wszCurDir[MAX_PATH+1];
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)stBlock.DosPath.Buffer,
wszCurDir, stBlock.DosPath.Length*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
#ifdef UNICODE
// Both strings are in UNICODE.
strCurDir.assign(wszCurDir);
#else
CHAR szCurDir[MAX_PATH+1];
WideCharToMultiByte(CP_ACP,0,wszCurDir,size/sizeof(wchar_t),szCurDir,MAX_PATH,NULL,NULL);
strCurDir.assign(szCurDir);
#endif
bSuccess = TRUE;
}
}
return bSuccess;
}
BOOL GetProcessCurDir64(HANDLE hProcess,mystring&strCurDir)
{
BOOL bSuccess = FALSE;
//
PROCESS_BASIC_INFORMATION64 pbi64;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory64 pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64QueryInformationProcess64");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory64)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64ReadVirtualMemory64");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
UINT64 size;
int iReturn;
PVOID64 pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi64,sizeof(pbi64),&dwSize);
pAddrPEB = pbi64.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB64 PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS64 stBlock;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, &stBlock, sizeof(stBlock),&size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 3. Get the CurDir
wchar_t wszCurDir[MAX_PATH+1];
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, stBlock.DosPath.Buffer,
wszCurDir, stBlock.DosPath.Length*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
#ifdef UNICODE
// Both strings are in UNICODE.
strCurDir.assign(wszCurDir);
#else
CHAR szCurDir[MAX_PATH+1];
WideCharToMultiByte(CP_ACP,0,wszCurDir,size/sizeof(wchar_t),szCurDir,MAX_PATH,NULL,NULL);
strCurDir.assign(szCurDir);
#endif
bSuccess = TRUE;
}
}
return bSuccess;
}
BOOL GetProcessCmdLine(HANDLE hProcess,mystring&strCmdLine)
{
BOOL bSuccess = FALSE;
//
PROCESS_BASIC_INFORMATION pbi;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtQueryInformationProcess");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtReadVirtualMemory");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
SIZE_T size;
int iReturn;
PVOID pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),&dwSize);
pAddrPEB = pbi.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS Block;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &Block, sizeof(Block), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 3. Get the CmdLine
wchar_t wszCmdLine[MAX_PATH+1] = {0};
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)Block.CmdLine.Buffer,
wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 4. Skip the application pathname
// it can be empty, "c:\...\app.exe" or c:\...\app.exe
wchar_t* pPos = wszCmdLine;
if (*pPos != L'\0') {
if (*pPos == L'"') {
// Find the next " character
pPos = wcschr(&pPos[1], L'"');
} else {
// Find the next SPACE character
pPos = wcschr(&pPos[1], L'');
}
// Skip it
if (pPos != NULL)
pPos++;
}
// Copy it back
if (pPos != NULL) {
if (*pPos != L'\0') {
#ifdef UNICODE
// Both strings are in UNICODE.
strCmdLine.assign(wszCmdLine);
#else
CHAR szCmdLine[MAX_PATH+1] = {0};
WideCharToMultiByte(CP_ACP,0,wszCmdLine,size/sizeof(wchar_t),szCmdLine,MAX_PATH,NULL,NULL);
strCmdLine = szCmdLine;
#endif
bSuccess = TRUE;
}
}
}
}
return bSuccess;
}
BOOL GetProcessCmdLine64(HANDLE hProcess,mystring&strCmdLine)
{
BOOL bSuccess = FALSE;
//
PROCESS_BASIC_INFORMATION64 pbi64;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory64 pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64QueryInformationProcess64");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory64)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64ReadVirtualMemory64");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
UINT64 size;
int iReturn;
PVOID64 pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi64,sizeof(pbi64),&dwSize);
pAddrPEB = pbi64.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB64 PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS64 stBlock;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &stBlock, sizeof(stBlock), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 3. Get the CmdLine
wchar_t wszCmdLine[MAX_PATH+1] = {0};
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)stBlock.CmdLine.Buffer,
wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 4. Skip the application pathname
// it can be empty, "c:\...\app.exe" or c:\...\app.exe
wchar_t* pPos = wszCmdLine;
if (*pPos != L'\0') {
if (*pPos == L'"') {
// Find the next " character
pPos = wcschr(&pPos[1], L'"');
} else {
// Find the next SPACE character
pPos = wcschr(&pPos[1], L'');
}
// Skip it
if (pPos != NULL)
pPos++;
}
// Copy it back
if (pPos != NULL) {
if (*pPos != L'\0') {
#ifdef UNICODE
// Both strings are in UNICODE.
strCmdLine.assign(wszCmdLine);
#else
CHAR szCmdLine[MAX_PATH+1] = {0};
WideCharToMultiByte(CP_ACP,0,wszCmdLine,size/sizeof(wchar_t),szCmdLine,MAX_PATH,NULL,NULL);
strCmdLine.assign(szCmdLine);
#endif
bSuccess = TRUE;
}
}
}
}
return bSuccess;
}#include <TlHelp32.h> #include <winternl.h> // for Windows internal declarations. #include "Toolhelp/Toolhelp.h"
//////////////////////////////////////////////////////////////////////////
#define WOW64
#ifdef _UNICODE
#define mystring wstring
#else
#define mystring string
#endif
typedef struct
{
DWORD Filler[4];
DWORD ProcessParameters;
} __PEB;
typedef struct
{
PVOID64 Filler[4];
PVOID64 ProcessParameters;
} __PEB64;
//
// Current Directory Structures
//
typedef struct
{
UNICODE_STRING DosPath;
HANDLE Handle;
}_CURDIR;
typedef struct _UNICODE_STRING64 {
SHORT Length;
SHORT MaximumLength;
DWORD Fill;
PVOID64 Buffer;
} UNICODE_STRING64;
typedef struct
{
DWORD MaximumLength;
DWORD Length;
DWORD Flags;
DWORD DebugFlags;
PVOID ConsoleHandle;
DWORD ConsoleFlags;
PVOID StandardInput;
PVOID StandardOutput;
PVOID StandardError;
//////////////////////////
UNICODE_STRING DosPath; //CurrentDirectory
HANDLE Handle;
//////////////////////////
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CmdLine;
//……
}_RTL_USER_PROCESS_PARAMETERS;
typedef struct
{
DWORD MaximumLength;
DWORD Length;
DWORD Flags;
DWORD DebugFlags;
PVOID64 ConsoleHandle;
DWORD ConsoleFlags;
PVOID64 StandardInput;
PVOID64 StandardOutput;
PVOID64 StandardError;
//////////////////////////
UNICODE_STRING64 DosPath;//CurrentDirectory
HANDLE Handle;
//////////////////////////
UNICODE_STRING64 DllPath;
UNICODE_STRING64 ImagePathName;
UNICODE_STRING64 CmdLine;
//……
}_RTL_USER_PROCESS_PARAMETERS64;
// end_ntddk end_ntifs
typedef struct _PROCESS_BASIC_INFORMATION64 {
PVOID64 Reserved1;
PVOID64 PebBaseAddress;
PVOID64 Reserved2[2];
PVOID64 UniqueProcessId;
PVOID64 Reserved3;
} PROCESS_BASIC_INFORMATION64,*PPROCESS_BASIC_INFORMATION64;
typedef LONG (WINAPI *TNtQueryInformationProcess)(HANDLE,UINT,PVOID,ULONG,PULONG);
typedef LONG (WINAPI *TNtReadVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
typedef LONG (WINAPI *TNtReadVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress, PVOID Buffer, UINT64 NumberOfBytesToRead, PUINT64 NumberOfBytesReaded);
//////////////////////////////////////////////////////////////////////////typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
BOOL IsWow64()
{
BOOL bIsWow64 = FALSE;
LPFN_ISWOW64PROCESS
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
GetModuleHandle("kernel32"),"IsWow64Process");
if (NULL != fnIsWow64Process)
{
if (!fnIsWow64Process(GetCurrentProcess(),&bIsWow64))
{
// handle error
}
}
return bIsWow64;
}以上代码部分摘自windows核心编程第四章源码以及:http://processhacker.sourceforge.net/forums/viewtopic.php?f=15&t=181。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Windows命令行获取当前bat文件所在目录,添加永久系统环境变量的方法
- 如何判断当前进程是在32位/64位系统上运行
- Linux下获取当前进程的执行文件的绝对路径和所在目录(通过/proc/self/exe链接)
- 获取进程的当前目录
- C#获取当前操作系统是32位还是64位
- C++ 获取当前进程运行目录(visual studio 调试状态下)
- 如何获取当前进程所在目录的方法
- 线程共享的环境包括:进程代码段、进程的公有数据(利用这些共享的数据,线程很容易的实现相互之间的通讯)、进程打开的文件描述符、信号的处理器、进程的当前目录和进程用户ID与进程组ID。 进程拥有这
- Windows命令行获取当前bat文件所在目录,添加永久系统环境变量的方法
- 获取指定进程的路径-支持32位和64位
- linux 获取当前进程的可执行文件所在的目录
- 获取当前进程文件所在目录,用于替代GetCurrentDirectory
- 获取当前进程目录 GetCurrentDirectory() 及 获取当前运行模块路径名GetModuleFileName()
- windows核心编程-获取进程当前目录
- 进程的入口函数、环境变量和当前目录
- Windows命令行获取当前bat文件所在目录,添加永久系统环境变量的方法
- 64位系统上32位进程拷贝文件到System32目录时的重定向
- C# 获取当前操作系统是32位还是64位
- 64位系统下C++获取当前所有进程的完整路径
- Windows命令行获取当前bat文件所在目录,添加永久系统环境变量的方法