-
-
[原创]一段获取其它进程命令行的代码
-
发表于:
2013-8-10 17:00
9030
-
winxp,win7,win8测试有效
#include <Windows.h>
#include <Stdio.h>
#include <Tchar.h>
//获取进程命令行
BOOL GetProcessCommandLine(HANDLE hProcess, LPTSTR pszCmdLine, DWORD cchCmdLine)
{
BOOL bRet;
DWORD dwPos;
LPBYTE lpAddr;
DWORD_PTR dwRetLen;
bRet = FALSE;
dwPos = 0;
lpAddr = (LPBYTE)GetCommandLine;
Win7:
if(lpAddr[dwPos] == 0xeb && lpAddr[dwPos + 1] == 0x05)
{
dwPos += 2;
dwPos += 5;
Win8:
if(lpAddr[dwPos] == 0xff && lpAddr[dwPos + 1] == 0x25)
{
dwPos += 2;
lpAddr = *(LPBYTE*)(lpAddr + dwPos);
dwPos = 0;
lpAddr = *(LPBYTE*)lpAddr;
WinXp:
if(lpAddr[dwPos] == 0xa1)
{
dwPos += 1;
lpAddr = *(LPBYTE*)(lpAddr + dwPos);
bRet = ReadProcessMemory(hProcess,
lpAddr,
&lpAddr,
sizeof(LPBYTE),
&dwRetLen);
if(bRet)
{
bRet = ReadProcessMemory(hProcess,
lpAddr,
pszCmdLine,
cchCmdLine,
&dwRetLen);
}
}
}
else
{
goto WinXp;
}
}
else
{
goto Win8;
}
return bRet;
}
int _tmain(int argc, TCHAR *argv[])
{
TCHAR szPath[1024];
HANDLE hProcess;
if(argc != 2)//参数一是进程PID
return 1;
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, _tcstoul(argv[1], NULL, 10));
if(hProcess)
{
if(GetProcessCommandLine(hProcess, szPath, 1024))
{
printf("%s\n", szPath);
}
CloseHandle(hProcess);
}
return 0;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课