如何清除进程命令行？ [英] How to clear a process command line?

问题描述

我想从内部清除我的进程的命令行。例如，当在任务管理器/进程浏览器中查看我的进程时，命令行条目将为空。

I would like to clear the command line of my process from within. For example, when viewing my process in Task Manager/Process Explorer, the command line entry would be empty.

我想在当前运行的进程中这样做，

I would like to do this within the currently running process rather than restarting the process if possible.

推荐答案

我想你必须修改 RTL_USER_PROCESS_PARAMETERS （参见 PEB =nofollow noreferrer> http://en.wikipedia.org/wiki/Process_Environment_Block ，例如 http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html ）。您可以尝试使用 NtQueryInformationProcess 来获取< a href =http://msdn.microsoft.com/en-us/library/aa813706(VS.85).aspx =nofollow noreferrer> PEB 。然后可以修改 ProcessParameters.CommandLine 。

I suppose you have to modify the RTL_USER_PROCESS_PARAMETERS part of the PEB of your process (see http://en.wikipedia.org/wiki/Process_Environment_Block for example and http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html). You can try to use NtQueryInformationProcess to get PEB. Then you can modify ProcessParameters.CommandLine. I hope it will work.

UPDATED ：我验证了我的建议。有用。以下测试程序证明了这一点：

UPDATED: I verified my suggestion. It works. The following test program demonstrate this:

#include <Windows.h>
#include <Winternl.h> // for PROCESS_BASIC_INFORMATION and ProcessBasicInformation
#include <stdio.h>
#include <tchar.h>

typedef NTSTATUS (NTAPI *PFN_NT_QUERY_INFORMATION_PROCESS) (
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

int main()
{
    HANDLE hProcess = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, GetCurrentProcessId());
    PROCESS_BASIC_INFORMATION pbi;
    ULONG ReturnLength;
    PFN_NT_QUERY_INFORMATION_PROCESS pfnNtQueryInformationProcess =
        (PFN_NT_QUERY_INFORMATION_PROCESS) GetProcAddress (
            GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationProcess");
    NTSTATUS status = pfnNtQueryInformationProcess (
        hProcess, ProcessBasicInformation,
        (PVOID)&pbi, sizeof(pbi), &ReturnLength);
    // remove full information about my command line
    pbi.PebBaseAddress->ProcessParameters->CommandLine.Length = 0;

    getchar(); // wait till we can verify the results
    return 0;
}

如果我们用一些参数启动程序，我们将看到

If we start the program with some parameters we will see

而不是之前见过的

这篇关于如何清除进程命令行？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！