Getting another process command line in Windows
Question
I am trying to get another process commandline (on WinXP 32bit). I do the following:
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, ProcList.proc_id_as_numbers[i]);
if (hProcess == NULL) return; /* OpenProcess can fail (e.g. access denied); PROCESS_TERMINATE is not needed for reading */
BytesNeeded = sizeof(PROCESS_BASIC_INFORMATION);
ZwQueryInformationProcess(hProcess, ProcessBasicInformation, UserPool, sizeof(PROCESS_BASIC_INFORMATION), &BytesNeeded);
pbi = (PPROCESS_BASIC_INFORMATION)UserPool;
BytesNeeded = sizeof(PEB);
/* pbi->PebBaseAddress is evaluated before the call overwrites UserPool, so reusing the one buffer is safe here */
res = ZwReadVirtualMemory(hProcess, pbi->PebBaseAddress, UserPool, sizeof(PEB), &BytesNeeded);
/* zero value returned -- an NTSTATUS of 0 is STATUS_SUCCESS, i.e. this read succeeded */
peb = (PPEB)UserPool;
BytesNeeded = sizeof(RTL_USER_PROCESS_PARAMETERS);
res = ZwReadVirtualMemory(hProcess, peb->ProcessParameters, UserPool, sizeof(RTL_USER_PROCESS_PARAMETERS), &BytesNeeded);
ProcParam = (PRTL_USER_PROCESS_PARAMETERS)UserPool;
/* ProcParam->CommandLine.Buffer is an address inside the target process: it must be copied out with
   one more ZwReadVirtualMemory call (CommandLine.Length bytes), never dereferenced in this process */
After first call pbi.UniqueProcessID is correct. But after calling ZwReadVirtualMemory I get command line for my process, not requested one.
I also used ReadProcessMemory & NtQueryInformationProcess, but get the same result.
Can anybody help?
Here http://forum.sysinternals.com/get-commandline-of-running-processes_topic6510_page1.html it is said that this code works. Unfortunately, I do not have access to post on this forum to ask them myself.
Duplicate of How to query a running process for it's parameters list? (windows, C++) , so I'll just copy my answer from there over here:
You can't reliably get that information. There are various tricks to try and retrieve it, but there's no guarantee that the target process hasn't already mangled that section of memory. Raymond Chen discussed this a while back on The Old New Thing.
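As an added example (not code from the question, the linked forum thread or the answer above), the following shows the part the question's snippet stops short of: the UNICODE_STRING read out of RTL_USER_PROCESS_PARAMETERS holds a Buffer address that is only meaningful inside the target, so it has to be copied out through the same memory-reading primitive, and, as the answer warns, the target owns those bytes and may have mangled them, so Length and Buffer are validated before use and a short or failed read is reported rather than trusted. The remote_reader callback, fake_read, FAKE_BASE, demo_read and get_cmdline32 are names I made up; the fake address space is constructed for the offline test; the Windows backend assumes a 32-bit target read by a 32-bit reader (the WinXP x86 case in the question) and uses the PEB and RTL_USER_PROCESS_PARAMETERS layouts from winternl.h.

```c
/* Added example, not code from the question or the answer: copy a target
 * process's command line out of its PEB without dereferencing remote pointers.
 * Assumes a 32-bit target read by a 32-bit reader (the WinXP x86 case).
 * Off Windows only the offline self-test (fake address space) is compiled. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Reader over the target's address space: 1 = all len bytes copied, 0 = failure. */
typedef int (*remote_reader)(void *ctx, uint64_t addr, void *dst, size_t len);

/* UNICODE_STRING as laid out in a 32-bit target (mirror of the real struct). */
typedef struct {
    uint16_t Length;        /* in bytes, excludes any terminator */
    uint16_t MaximumLength;
    uint32_t Buffer;        /* an address in the TARGET, meaningless in our process */
} unicode_string32;

/* Read the string header at addr, then its characters, both through rd.
 * Returns UTF-16 code units copied (out is always NUL terminated), or -1. */
int read_remote_unicode_string32(remote_reader rd, void *ctx, uint64_t addr,
                                 uint16_t *out, size_t cap)
{
    unicode_string32 us;
    size_t n;
    if (cap == 0 || !rd(ctx, addr, &us, sizeof us)) return -1;
    /* The target owns these bytes and may have mangled them: validate first. */
    if ((us.Length & 1) || us.Length > us.MaximumLength) return -1;
    n = us.Length / 2;
    if (n > cap - 1) n = cap - 1;              /* truncate instead of overrunning out */
    if (n > 0 && !rd(ctx, us.Buffer, out, n * 2)) return -1;
    out[n] = 0;
    return (int)n;
}

/* --- Offline self-test over a constructed fake target address space --- */
#define FAKE_BASE 0x7ffd0000u
typedef struct { const uint8_t *mem; size_t size; } fake_space;

int fake_read(void *ctx, uint64_t addr, void *dst, size_t len)
{
    fake_space *fs = ctx;
    if (addr < FAKE_BASE || addr - FAKE_BASE + len > fs->size) return 0;
    memcpy(dst, fs->mem + (addr - FAKE_BASE), len);
    return 1;
}

uint16_t demo_buf[64];

/* mode 0: well-formed; 1: corrupted Length; 2: Buffer pointing outside the mapping. */
int demo_read(int mode, uint16_t *out, size_t cap)
{
    static const uint16_t cmd[] = { 'n','o','t','e','p','a','d',' ','a','.','t','x','t' };
    uint8_t mem[64];
    unicode_string32 us;
    fake_space fs = { mem, sizeof mem };
    memset(mem, 0, sizeof mem);
    us.Length = (uint16_t)sizeof cmd;          /* 26 bytes = 13 code units */
    us.MaximumLength = (uint16_t)(us.Length + 2);
    us.Buffer = FAKE_BASE + 0x10;
    if (mode == 1) us.Length = 0xFFFF;         /* odd and larger than MaximumLength */
    if (mode == 2) us.Buffer = FAKE_BASE + 0x40; /* read would run past the mapping */
    memcpy(mem, &us, sizeof us);               /* header lives at FAKE_BASE */
    memcpy(mem + 0x10, cmd, sizeof cmd);       /* characters at FAKE_BASE + 0x10 */
    return read_remote_unicode_string32(fake_read, &fs, FAKE_BASE, out, cap);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Real backend: a partial ReadProcessMemory counts as failure. */
int win_read(void *ctx, uint64_t addr, void *dst, size_t len)
{
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, dst, len, &got) && got == len;
}

/* PEB -> ProcessParameters -> CommandLine, every hop read through win_read. */
int get_cmdline32(DWORD pid, uint16_t *out, size_t cap)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    NtQIP_t q = (NtQIP_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    PROCESS_BASIC_INFORMATION pbi;
    ULONG ret = 0;
    uint32_t params = 0;   /* 32-bit target: ProcessParameters is a 4-byte pointer */
    int n = -1;
    if (!h) return -1;
    if (q && q(h, ProcessBasicInformation, &pbi, sizeof pbi, &ret) == 0 &&
        win_read(h, (uintptr_t)pbi.PebBaseAddress + offsetof(PEB, ProcessParameters), &params, sizeof params))
        n = read_remote_unicode_string32(win_read, h, (uint64_t)params + offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine), out, cap);
    CloseHandle(h);
    return n;
}
#endif

int main(void)
{
    int n = demo_read(0, demo_buf, 64);
    printf("fake target: %d code units, first char '%c'\n", n, (char)demo_buf[0]);
    return n == 13 ? 0 : 1;
}
```

The self-test exercises the three outcomes a caller has to handle: a well-formed string, a corrupted header (rejected before any second read), and a Buffer that points outside the readable mapping (the reader fails and the caller sees -1 rather than garbage). Dereferencing CommandLine.Buffer directly in the reading process instead reads the reader's own memory at that address; because Windows XP has no ASLR, the same address frequently holds the reader's own process parameters, which is one way the symptom described in the question can arise.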