[求助]CommandLine
发表于: 2015-2-12 11:25 4135

不注入Dll的情况下

直接获取其他程序的CommandLine

有大神能提供点思路吗? 


///////////////////////////////////////////////////////////////////////////////

/*
   from  http://msdn.microsoft.com/msdnmag/issues/02/06/debug/
         Escape from DLL Hell with Custom Debugging and
         Instrumentation Tools and Utilities

   The PEB (Process Environment Block) is an undocumented structure
   which varies from version to version of Windows.
   However, WinDbg
   (from http://www.microsoft.com/whdc/devtools/debugging/default.mspx)
   provides a command that lists the "documented" fields of a structure.
      dt nt!_PEB
      dt nt!_RTL_USER_PROCESS_PARAMETERS
*/

// Minimal, version-dependent slices of the undocumented PEB and of the
// process-parameters block it points to (compare with the "dt" commands
// above). Only the one field this file needs is named in each struct; the
// Filler arrays just carry the offset. Both remote pointers are stored as
// DWORD, so these layouts are only meaningful when a 32-bit reader inspects
// a 32-bit target. (Identifiers starting with a double underscore are
// reserved for the implementation; the names are kept from the original
// article.)
typedef struct
{
   DWORD Filler[4];
   DWORD InfoBlockAddress;   // address, in the target, of the __INFOBLOCK
} __PEB;

typedef struct
{
   DWORD Filler[17];
   DWORD wszCmdLineAddress;  // address, in the target, of the command-line wide chars
} __INFOBLOCK;

// NtQueryInformationProcess is declared in winternl.h
// Pointer type used to call it after resolving the export with GetProcAddress.
typedef NTSTATUS (CALLBACK *PFN_NTQUERYINFORMATIONPROCESS)(
   HANDLE ProcessHandle,
   PROCESSINFOCLASS ProcessInformationClass,
   PVOID ProcessInformation,
   ULONG ProcessInformationLength,
   PULONG ReturnLength OPTIONAL
   );

/*
   Thin wrapper that resolves NtQueryInformationProcess from ntdll.dll at
   run time and forwards the call; the parameters are passed through
   unchanged (see winternl.h for their meaning).

   Returns the NTSTATUS produced by NtQueryInformationProcess, or -1 (a
   failure status) when ntdll.dll could not be loaded or the export was not
   found. (A leading underscore at global scope is a reserved identifier;
   the name is kept from the original article.)
*/
NTSTATUS _NtQueryInformationProcess(
    HANDLE hProcess,
    PROCESSINFOCLASS pic,
    PVOID pPI,
    ULONG cbSize,
    PULONG pLength
    ) {

   NTSTATUS status = -1;   // failure unless the real call happens below

   HMODULE ntdll = LoadLibrary(TEXT("ntdll.dll"));
   if (ntdll != NULL) {
      // Export names are ANSI even in a UNICODE build
      PFN_NTQUERYINFORMATIONPROCESS query =
         (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(
            ntdll, "NtQueryInformationProcess");
      if (query != NULL)
         status = query(hProcess, pic, pPI, cbSize, pLength);

      FreeLibrary(ntdll);
   }

   return(status);
}

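/*
   Read the command line of another process without injecting code into it.

   hProcess   handle opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
   szCmdLine  caller-supplied buffer of Size TCHARs; on success it holds the
              command line with the leading application path removed (an
              empty string when there are no arguments). In a UNICODE build
              the text is truncated to fit.
   Size       capacity of szCmdLine in TCHARs, must be > 0

   Returns TRUE on success, FALSE when the arguments are invalid, the PEB or
   the process-parameters block could not be read, or (ANSI build) the
   conversion to the ANSI code page failed; GetLastError() gives the reason.

   Limitations: the __PEB / __INFOBLOCK offsets and their DWORD-sized
   pointers are only valid for a 32-bit reader inspecting a 32-bit target,
   and at most MAX_PATH characters of the command line are read. Everything
   read from the target is treated as untrusted data: the target process
   controls its own PEB, so the pointers and the text it hands us are only
   used to address reads into our own bounded buffers.
*/
BOOL GetProcessCmdLine(HANDLE hProcess, LPTSTR szCmdLine, DWORD Size) {

   // Sanity checks
   if ((hProcess == NULL) || (szCmdLine == NULL) || (Size == 0))
      return(FALSE);

   // 0. Get the Process Environment Block address.
   //    The PEB was supposed to always be at address 0x7ffdf000 in XP...
   //    ... but querying it is the "right" way to get it since Vista.
   PROCESS_BASIC_INFORMATION pbi;
   DWORD dwSize = 0;
   NTSTATUS status =
      _NtQueryInformationProcess(
         hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &dwSize);

   // NtQueryInformationProcess returns a negative value if it fails
   if (status < 0)
      return(FALSE);

   // Number of bytes each ReadProcessMemory call actually transferred
   // (an out-only parameter, so nothing needs to be preloaded into it)
   SIZE_T size = 0;

   // 1. Find the Process Environment Block
   __PEB PEB;
   if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &PEB,
      sizeof(PEB), &size)) {
      // Call GetLastError() if you need to know why
      return(FALSE);
   }

   // 2. From this PEB, get the address of the block containing
   //    a pointer to the CmdLine
   __INFOBLOCK Block;
   if (!ReadProcessMemory(hProcess, (LPVOID)PEB.InfoBlockAddress,
      &Block, sizeof(Block), &size)) {
      // Call GetLastError() if you need to know why
      return(FALSE);
   }

   // 3. Get the CmdLine. The remote text is a counted string, so a NUL
   //    inside the MAX_PATH characters we read is not guaranteed; terminate
   //    our copy ourselves so the wcs* calls below cannot run off the end.
   //    (ReadProcessMemory fails as a whole if any part of the range is
   //    unreadable, so this read can fail for a very short command line
   //    that sits at the end of a mapped region.)
   wchar_t wszCmdLine[MAX_PATH+1];
   if (!ReadProcessMemory(hProcess, (LPVOID)Block.wszCmdLineAddress,
      wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
      // Call GetLastError() if you need to know why
      return(FALSE);
   }
   wszCmdLine[size / sizeof(wchar_t)] = L'\0';   // size <= MAX_PATH*sizeof(wchar_t)

   // 4. Skip the application pathname
   //    it can be empty, "c:\...\app.exe" or c:\...\app.exe
   wchar_t* pPos = wszCmdLine;
   if (*pPos != L'\0') {
      // A quoted path ends at the next '"', an unquoted one at the next SPACE
      pPos = wcschr(&pPos[1], (*pPos == L'"') ? L'"' : L' ');

      // Skip the delimiter itself
      if (pPos != NULL)
         pPos++;
   }

   // No arguments (or no delimiter found): report an empty command line
   if ((pPos == NULL) || (*pPos == L'\0')) {
      szCmdLine[0] = TEXT('\0');
      return(TRUE);
   }

#ifdef UNICODE
   // Both strings are in UNICODE. _TRUNCATE clips the copy to Size-1
   // characters and NUL-terminates instead of invoking the invalid-parameter
   // handler when the source does not fit.
   _tcsncpy_s(szCmdLine, Size, pPos, _TRUNCATE);
#else
   // from UNICODE to ANSI; -1 converts up to and including the terminator
   if (WideCharToMultiByte(CP_ACP, 0, pPos, -1, szCmdLine, (int)Size,
      NULL, NULL) == 0) {
      // Buffer too small or unconvertible character; GetLastError() says which
      szCmdLine[0] = TEXT('\0');
      return(FALSE);
   }
#endif

   return(TRUE);
}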

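/*
   Convenience overload: open the process identified by PID with the access
   the HANDLE overload needs, read its command line into szCmdLine (Size
   TCHARs), and close the handle again.

   Returns FALSE when PID is 0 or szCmdLine is NULL, when OpenProcess fails
   (no such process, or insufficient access rights to it), or when the
   HANDLE overload fails; GetLastError() gives the reason.
*/
BOOL GetProcessCmdLine(DWORD PID, LPTSTR szCmdLine, DWORD Size) {

   // Sanity checks. PID is unsigned, so the former "<= 0" could only ever
   // mean "== 0"; Size is validated by the HANDLE overload.
   if ((PID == 0) || (szCmdLine == NULL))
      return(FALSE);

   // Check if we can get information for this process
   HANDLE hProcess =
      OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
   if (hProcess == NULL)
      return(FALSE);

   BOOL bReturn = GetProcessCmdLine(hProcess, szCmdLine, Size);

   // Don't forget to release the process handle
   CloseHandle(hProcess);

   return(bReturn);
}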
2015-2-12 12:56
任务管理器->查看->选择列->命令行
2015-2-12 13:31