Get STARTUPINFO for given process
Question
Is it possible to get the startup information of another running process? I want to find out the cmd line arguments, whether it should be run minimised/maximised, the start-in directory, whether it runs as admin, etc.
Recommended answer
You need to read RTL_USER_PROCESS_PARAMETERS from the remote process. This can be done like this:
// Requires native API declarations (ZwOpenProcess, ZwQueryInformationProcess,
// ZwReadVirtualMemory, PEB, RTL_USER_PROCESS_PARAMETERS), e.g. from an ntdll
// header set such as phnt; the public Windows SDK headers do not declare them all.
NTSTATUS GetProcessParameters(PCLIENT_ID pcid, PUNICODE_STRING CommandLine)
{
    HANDLE hProcess;
    NTSTATUS status;
    static OBJECT_ATTRIBUTES zoa = { sizeof(zoa) };

    // Reading the PEB and its ProcessParameters needs PROCESS_VM_READ and PROCESS_QUERY_INFORMATION.
    if (0 <= (status = ZwOpenProcess(&hProcess, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &zoa, pcid)))
    {
        PROCESS_BASIC_INFORMATION pbi;
        _RTL_USER_PROCESS_PARAMETERS ProcessParameters, *pv;

        // pbi.PebBaseAddress is the address of the PEB inside the target process.
        if (0 <= (status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0)))
        {
            // First read the remote PEB->ProcessParameters pointer, then the structure it points to.
            if (
                (0 <= (status = ZwReadVirtualMemory(hProcess, &pbi.PebBaseAddress->ProcessParameters, &pv, sizeof(pv), 0)))
                &&
                (0 <= (status = ZwReadVirtualMemory(hProcess, pv, &ProcessParameters, sizeof(ProcessParameters), 0)))
                )
            {
                if (ProcessParameters.CommandLine.Length)
                {
                    // CommandLine.Buffer is a pointer in the remote address space, so a third read copies the characters.
                    if (CommandLine->Buffer = (PWSTR)LocalAlloc(0, ProcessParameters.CommandLine.Length + sizeof(WCHAR)))
                    {
                        if (0 > (status = ZwReadVirtualMemory(hProcess, ProcessParameters.CommandLine.Buffer, CommandLine->Buffer, ProcessParameters.CommandLine.Length, 0)))
                        {
                            LocalFree(CommandLine->Buffer);
                        }
                        else
                        {
                            CommandLine->MaximumLength = (CommandLine->Length = ProcessParameters.CommandLine.Length) + sizeof(WCHAR);
                            *(PWSTR)RtlOffsetToPointer(CommandLine->Buffer, ProcessParameters.CommandLine.Length) = 0;
                        }
                    }
                    else
                    {
                        status = STATUS_INSUFFICIENT_RESOURCES;
                    }
                }
                else
                {
                    // Empty command line: return an empty string so the caller never sees an uninitialized UNICODE_STRING.
                    CommandLine->Length = CommandLine->MaximumLength = 0;
                    CommandLine->Buffer = 0;
                }
            }
        }
        ZwClose(hProcess);
    }
    return status;
}

// Usage: cid is a CLIENT_ID whose UniqueProcess holds the id of the target process.
UNICODE_STRING CommandLine;
if (0 <= GetProcessParameters(&cid, &CommandLine))
{
    DbgPrint("CommandLine=%wZ\n", &CommandLine);
    LocalFree(CommandLine.Buffer);
}
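The third ZwReadVirtualMemory above copies CommandLine.Length bytes from a Buffer pointer that the target process itself controls, so the descriptor is untrusted input to any tool that inspects other processes. As an added example (not part of the original answer), the following C validates a UNICODE_STRING before copying it, with ZwReadVirtualMemory replaced by a stand-in over a constructed memory image; UNICODE_STRING64, REMOTE_BASE, read_remote and copy_remote_string are names assumed here.

```c
/* Added example, not from the original answer: validate a UNICODE_STRING read out of another
 * process before copying its buffer. The target owns its PEB, so Length, MaximumLength and
 * Buffer are untrusted. read_remote() stands in for ZwReadVirtualMemory over a constructed image. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint16_t Length;        /* byte count, excluding terminator */
    uint16_t MaximumLength; /* byte capacity, must be >= Length */
    uint64_t Buffer;        /* address in the remote (64-bit) process */
} UNICODE_STRING64;

/* Constructed stand-in for one readable 64-byte region of the target, holding
 * L"cmd.exe /c dir" (14 UTF-16 code units = 28 bytes) at offset 16. */
#define REMOTE_BASE 0x7ff600000000ULL
static const uint16_t remote_image[32] = {
    0, 0, 0, 0, 0, 0, 0, 0,
    'c', 'm', 'd', '.', 'e', 'x', 'e', ' ', '/', 'c', ' ', 'd', 'i', 'r',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Like ZwReadVirtualMemory, fails if any byte of [addr, addr+len) is unmapped. */
static int read_remote(uint64_t addr, void *buf, size_t len)
{
    uint64_t end = addr + len;
    if (end < addr || addr < REMOTE_BASE || end > REMOTE_BASE + sizeof remote_image)
        return -1;
    memcpy(buf, (const uint8_t *)remote_image + (addr - REMOTE_BASE), len);
    return 0;
}

/* Copies the remote string into a fresh NUL-terminated buffer (caller frees).
 * Returns NULL for a malformed descriptor or an unreadable buffer. */
static uint16_t *copy_remote_string(const UNICODE_STRING64 *us)
{
    if (us->Length == 0 || us->Buffer == 0) return NULL;       /* nothing to copy */
    if (us->Length & 1) return NULL;                           /* not whole UTF-16 units */
    if (us->Length > us->MaximumLength) return NULL;           /* self-inconsistent */
    uint16_t *out = malloc(us->Length + sizeof(uint16_t));
    if (!out) return NULL;
    if (read_remote(us->Buffer, out, us->Length) != 0) {       /* partial copy: reject */
        free(out);
        return NULL;
    }
    out[us->Length / 2] = 0;   /* terminator, as the answer does with RtlOffsetToPointer */
    return out;
}
```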