[求助]CommandLine-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
yezhulove 雪币： 1787 活跃值： (340) 能力值： ( LV3，RANK：30 ) 在线值：发帖 12 回帖 303 粉丝 1 关注私信	yezhulove 2 楼 /////////////////////////////////////////////////////////////////////////////// /* from http://msdn.microsoft.com/msdnmag/issues/02/06/debug/ Escape from DLL Hell with Custom Debugging and Instrumentation Tools and Utilities The PEB (Process Environment Block) is an undocumented structure which varies from version to version of Windows. However, WinDbg (from http://www.microsoft.com/whdc/devtools/debugging/default.mspx) provides a command that list the "documented" fields of a structure. dt nt!_PEB dt nt!_RTL_USER_PROCESS_PARAMETERS / typedef struct { DWORD Filler[4]; DWORD InfoBlockAddress; } __PEB; typedef struct { DWORD Filler[17]; DWORD wszCmdLineAddress; } __INFOBLOCK; // NtQueryInformationProcess is declared in winternl.h typedef NTSTATUS (CALLBACK PFN_NTQUERYINFORMATIONPROCESS)( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength OPTIONAL ); NTSTATUS _NtQueryInformationProcess( HANDLE hProcess, PROCESSINFOCLASS pic, PVOID pPI, ULONG cbSize, PULONG pLength ) { HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll")); if (hNtDll == NULL) { return(-1); } NTSTATUS lStatus = -1; // error by default. // Note that function name is not UNICODE PFN_NTQUERYINFORMATIONPROCESS pfnNtQIP = (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress( hNtDll, "NtQueryInformationProcess"); if (pfnNtQIP != NULL) { lStatus = pfnNtQIP(hProcess, pic, pPI, cbSize, pLength); } FreeLibrary(hNtDll); return(lStatus); } BOOL GetProcessCmdLine(HANDLE hProcess, LPTSTR szCmdLine, DWORD Size) { // Sanity checks if ((hProcess == NULL) \|\| (szCmdLine == NULL) \|\| (Size == 0)) return(FALSE); // 0. Get the Process Environment Block address int iReturn = 1; DWORD dwSize; SIZE_T size; PROCESS_BASIC_INFORMATION pbi; // The PEB was supposed to always be at address 0x7ffdf000 in XP... // ... but, here is the "right" way to get it now in Vista. iReturn = _NtQueryInformationProcess( hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &dwSize); // NtQueryInformationProcess returns a negative value if it fails if (iReturn >= 0) { // 1. Find the Process Environment Block __PEB PEB; size = dwSize; if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &PEB, sizeof(PEB), &size)) { // Call GetLastError() if you need to know why return(FALSE); } // 2. From this PEB, get the address of the block containing // a pointer to the CmdLine __INFOBLOCK Block; if (!ReadProcessMemory(hProcess, (LPVOID)PEB.InfoBlockAddress, &Block, sizeof(Block), &size)) { // Call GetLastError() if you need to know why return(FALSE); } // 3. Get the CmdLine wchar_t wszCmdLine[MAX_PATH+1]; if (!ReadProcessMemory(hProcess, (LPVOID)Block.wszCmdLineAddress, wszCmdLine, MAX_PATHsizeof(wchar_t), &size)) { // Call GetLastError() if you need to know why return(FALSE); } // 4. Skip the application pathname // it can be empty, "c:\...\app.exe" or c:\...\app.exe wchar_t pPos = wszCmdLine; if (pPos != L'\0') { if (pPos == L'"') { // Find the next " character pPos = wcschr(&pPos[1], L'"'); } else { // Find the next SPACE character pPos = wcschr(&pPos[1], L' '); } // Skip it if (pPos != NULL) pPos++; } // Copy it back if (pPos != NULL) { if (*pPos != L'\0') { #ifdef UNICODE // Both strings are in UNICODE. _tcscpy_s(szCmdLine, Size, pPos); #else // from UNICODE to ANSI MultiByteToWideChar(CP_ACP, 0, szCmdLine, Size, pPos, wcslen(pPos)); #endif } else szCmdLine[0] = TEXT('\0'); } else szCmdLine[0] = TEXT('\0'); } else { return(FALSE); } return(TRUE); } BOOL GetProcessCmdLine(DWORD PID, LPTSTR szCmdLine, DWORD Size) { // Sanity checks if ((PID <= 0) \|\| (szCmdLine == NULL)) return(FALSE); // Check if we can get information for this process HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, PID); if (hProcess == NULL) return(FALSE); BOOL bReturn = GetProcessCmdLine(hProcess, szCmdLine, Size); // Don't forget to release the process handle CloseHandle(hProcess); return(bReturn); } 2015-2-12 12:56 0
iforgiven 雪币： 80 活跃值： (72) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 109 粉丝 0 关注私信	iforgiven 3 楼任务管理器->查看->选择列->命令行 2015-2-12 13:31 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)
yezhulove 雪币： 1787 活跃值： (340) 能力值： ( LV3，RANK：30 ) 在线值：发帖 12 回帖 303 粉丝 1 关注私信	yezhulove 2 楼 /////////////////////////////////////////////////////////////////////////////// /* from http://msdn.microsoft.com/msdnmag/issues/02/06/debug/ Escape from DLL Hell with Custom Debugging and Instrumentation Tools and Utilities The PEB (Process Environment Block) is an undocumented structure which varies from version to version of Windows. However, WinDbg (from http://www.microsoft.com/whdc/devtools/debugging/default.mspx) provides a command that list the "documented" fields of a structure. dt nt!_PEB dt nt!_RTL_USER_PROCESS_PARAMETERS / typedef struct { DWORD Filler[4]; DWORD InfoBlockAddress; } __PEB; typedef struct { DWORD Filler[17]; DWORD wszCmdLineAddress; } __INFOBLOCK; // NtQueryInformationProcess is declared in winternl.h typedef NTSTATUS (CALLBACK PFN_NTQUERYINFORMATIONPROCESS)( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength OPTIONAL ); NTSTATUS _NtQueryInformationProcess( HANDLE hProcess, PROCESSINFOCLASS pic, PVOID pPI, ULONG cbSize, PULONG pLength ) { HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll")); if (hNtDll == NULL) { return(-1); } NTSTATUS lStatus = -1; // error by default. // Note that function name is not UNICODE PFN_NTQUERYINFORMATIONPROCESS pfnNtQIP = (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress( hNtDll, "NtQueryInformationProcess"); if (pfnNtQIP != NULL) { lStatus = pfnNtQIP(hProcess, pic, pPI, cbSize, pLength); } FreeLibrary(hNtDll); return(lStatus); } BOOL GetProcessCmdLine(HANDLE hProcess, LPTSTR szCmdLine, DWORD Size) { // Sanity checks if ((hProcess == NULL) \|\| (szCmdLine == NULL) \|\| (Size == 0)) return(FALSE); // 0. Get the Process Environment Block address int iReturn = 1; DWORD dwSize; SIZE_T size; PROCESS_BASIC_INFORMATION pbi; // The PEB was supposed to always be at address 0x7ffdf000 in XP... // ... but, here is the "right" way to get it now in Vista. iReturn = _NtQueryInformationProcess( hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &dwSize); // NtQueryInformationProcess returns a negative value if it fails if (iReturn >= 0) { // 1. Find the Process Environment Block __PEB PEB; size = dwSize; if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &PEB, sizeof(PEB), &size)) { // Call GetLastError() if you need to know why return(FALSE); } // 2. From this PEB, get the address of the block containing // a pointer to the CmdLine __INFOBLOCK Block; if (!ReadProcessMemory(hProcess, (LPVOID)PEB.InfoBlockAddress, &Block, sizeof(Block), &size)) { // Call GetLastError() if you need to know why return(FALSE); } // 3. Get the CmdLine wchar_t wszCmdLine[MAX_PATH+1]; if (!ReadProcessMemory(hProcess, (LPVOID)Block.wszCmdLineAddress, wszCmdLine, MAX_PATHsizeof(wchar_t), &size)) { // Call GetLastError() if you need to know why return(FALSE); } // 4. Skip the application pathname // it can be empty, "c:\...\app.exe" or c:\...\app.exe wchar_t pPos = wszCmdLine; if (pPos != L'\0') { if (pPos == L'"') { // Find the next " character pPos = wcschr(&pPos[1], L'"'); } else { // Find the next SPACE character pPos = wcschr(&pPos[1], L' '); } // Skip it if (pPos != NULL) pPos++; } // Copy it back if (pPos != NULL) { if (*pPos != L'\0') { #ifdef UNICODE // Both strings are in UNICODE. _tcscpy_s(szCmdLine, Size, pPos); #else // from UNICODE to ANSI MultiByteToWideChar(CP_ACP, 0, szCmdLine, Size, pPos, wcslen(pPos)); #endif } else szCmdLine[0] = TEXT('\0'); } else szCmdLine[0] = TEXT('\0'); } else { return(FALSE); } return(TRUE); } BOOL GetProcessCmdLine(DWORD PID, LPTSTR szCmdLine, DWORD Size) { // Sanity checks if ((PID <= 0) \|\| (szCmdLine == NULL)) return(FALSE); // Check if we can get information for this process HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, PID); if (hProcess == NULL) return(FALSE); BOOL bReturn = GetProcessCmdLine(hProcess, szCmdLine, Size); // Don't forget to release the process handle CloseHandle(hProcess); return(bReturn); } 2015-2-12 12:56 0
iforgiven 雪币： 80 活跃值： (72) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 109 粉丝 0 关注私信	iforgiven 3 楼任务管理器->查看->选择列->命令行 2015-2-12 13:31 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复