How does Task Manager get the command line and executable path for processes?


Question

I'm looking at Task Manager's list of processes, and enabled View > Select columns > Command line to see the exe path & command line arguments.

I tried to get the same thing working using GetModuleFileNameEx but there are some problems; first, the result doesn't include any arguments, and it also fails for some processes, as basic as WinRar.exe or Opera.exe.

I know that Task Manager uses WMI to get some of this data (I tried shutting down the service and it failed just the way my script did, for the same processes), but I wonder, what makes a process's path "ungettable"?

Accepted answer

Task Manager uses the process's PEB structure to access the command-line arguments (amongst other things). If you have a HANDLE to the target process (and sufficient rights to access its memory), you can access the PEB using the NtQueryInformationProcess() function (set its ProcessInformationClass parameter to ProcessBasicInformation to receive a PROCESS_BASIC_INFORMATION structure) to obtain the memory address of the PEB within the target process's address space (amongst other things). You can then use ReadProcessMemory() to read the contents of the PEB into your app's address space as needed. The command-line parameters are located by using the PEB::ProcessParameters field, which is a pointer to an RTL_USER_PROCESS_PARAMETERS structure, which contains a CommandLine field of type UNICODE_STRING.

Things get a little trickier if you are a 32-bit process accessing the PEB of a 64-bit process, or vice versa. You have to take into account the different sizes of pointers (4 bytes for 32-bit, 8 for 64-bit), which affects structure sizes and offsets.

But that's the gist of it.
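The PEB walk the answer describes, as an added example that is not the answerer's code and not how Task Manager itself is implemented. It uses ctypes to call NtQueryInformationProcess(ProcessBasicInformation) and ReadProcessMemory, then follows PEB::ProcessParameters to RTL_USER_PROCESS_PARAMETERS::CommandLine. The field offsets (0x20/0x70 on x64, 0x10/0x40 on x86) are assumed from the public PEB and RTL_USER_PROCESS_PARAMETERS layouts, the live path assumes caller and target have the same bitness, and the "fake address space" used to exercise the offset arithmetic off-line is constructed test data.

```python
"""Read a process's command line from its PEB (PEB -> ProcessParameters ->
CommandLine), with the pointer-size-dependent offset logic kept separate from
the Win32 calls so it can be exercised against a constructed address space."""
import ctypes
import struct
import sys

ProcessBasicInformation = 0          # NtQueryInformationProcess info class
PROCESS_QUERY_INFORMATION = 0x0400   # OpenProcess access rights we need
PROCESS_VM_READ = 0x0010


def peb_offsets(pointer_size):
    """Offsets of PEB.ProcessParameters and RTL_USER_PROCESS_PARAMETERS.CommandLine
    for the 64-bit (8-byte pointer) and 32-bit (4-byte pointer) layouts (assumed)."""
    if pointer_size == 8:
        return {"ProcessParameters": 0x20, "CommandLine": 0x70}
    if pointer_size == 4:
        return {"ProcessParameters": 0x10, "CommandLine": 0x40}
    raise ValueError("pointer_size must be 4 or 8")


def read_command_line(read, peb_addr, pointer_size):
    """Follow PEB -> ProcessParameters -> CommandLine using read(addr, size) -> bytes."""
    off = peb_offsets(pointer_size)
    ptr_fmt = "<Q" if pointer_size == 8 else "<I"
    (params_addr,) = struct.unpack(ptr_fmt, read(peb_addr + off["ProcessParameters"], pointer_size))
    if params_addr == 0:
        return ""  # process not initialised far enough to have parameters yet
    # UNICODE_STRING: USHORT Length, USHORT MaximumLength, [4 bytes pad on x64], PWSTR Buffer
    us = read(params_addr + off["CommandLine"], 2 * pointer_size)
    length, _max_length = struct.unpack_from("<HH", us, 0)
    (buffer_addr,) = struct.unpack_from(ptr_fmt, us, pointer_size)
    if length == 0 or buffer_addr == 0:
        return ""
    return read(buffer_addr, length).decode("utf-16-le")  # Length is in bytes, no terminator


def build_fake_memory(command_line, pointer_size, peb_addr=0x1000, params_addr=0x2000, buf_addr=0x3000):
    """Constructed address space: a PEB, an RTL_USER_PROCESS_PARAMETERS and a
    command-line buffer laid out for the given pointer size. Returns a read()."""
    off = peb_offsets(pointer_size)
    ptr_fmt = "<Q" if pointer_size == 8 else "<I"
    raw = command_line.encode("utf-16-le")
    peb = bytearray(0x100)
    struct.pack_into(ptr_fmt, peb, off["ProcessParameters"], params_addr)
    params = bytearray(0x100)
    struct.pack_into("<HH", params, off["CommandLine"], len(raw), len(raw) + 2)
    struct.pack_into(ptr_fmt, params, off["CommandLine"] + pointer_size, buf_addr)
    mem = {peb_addr: bytes(peb), params_addr: bytes(params), buf_addr: raw + b"\x00\x00"}

    def read(addr, size):
        for base, blob in mem.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        raise OSError(f"unmapped read at {addr:#x}")
    return read


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("Reserved1", ctypes.c_void_p), ("PebBaseAddress", ctypes.c_void_p),
                ("Reserved2", ctypes.c_void_p * 2), ("UniqueProcessId", ctypes.c_void_p),
                ("Reserved3", ctypes.c_void_p)]


def live_process_reader(pid):
    """Windows only: open pid for query + VM read and return (read, peb_addr).
    Same-bitness caller/target assumed; the Wow64 variants are not handled."""
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                          ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long  # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                                ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:  # access denied here is the usual reason a process looks "ungettable"
        raise ctypes.WinError(ctypes.get_last_error())
    pbi = PROCESS_BASIC_INFORMATION()
    status = ntdll.NtQueryInformationProcess(handle, ProcessBasicInformation,
                                             ctypes.byref(pbi), ctypes.sizeof(pbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed, NTSTATUS {status & 0xFFFFFFFF:#x}")

    def read(addr, size):
        buf = ctypes.create_string_buffer(size)
        got = ctypes.c_size_t()
        if not kernel32.ReadProcessMemory(handle, addr, buf, size, ctypes.byref(got)) or got.value != size:
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw
    return read, pbi.PebBaseAddress


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live reading needs Windows; the fake-memory functions run anywhere")
    reader, peb_base = live_process_reader(int(sys.argv[1]))
    print(read_command_line(reader, peb_base, ctypes.sizeof(ctypes.c_void_p)))
```

On Windows, `python peb_cmdline.py <pid>` prints the target's command line; elsewhere the fake address space still exercises the same walk for both pointer sizes, which is where the 32-bit/64-bit offset caveat from the answer shows up (PEB.ProcessParameters moves from 0x10 to 0x20 and CommandLine from 0x40 to 0x70). When OpenProcess fails with access denied, the target is typically a protected or higher-integrity process, which is the practical meaning of "ungettable" for a reader without the required rights.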
