windows核心编程-如何获取进程命令行信息
来源:互联网 发布:记录销售app软件 编辑:程序博客网 时间:2024/04/30 16:50
如何获取其他进程命令行信息
每一个进程都有一个PEB数据块(PEB:Process Environment Block),这个进程环境块信息(如下结构体),
每个PEB中有_RTL_USER_PROCESS_PARAMETERS 结构体,是一个指针,指向一个结构体,这个结构体里面有一个CommandLine
命令行参数。所以要获得其他进程的命令行参数CommandLine,首先要获得其他进程的PEB结构体,通过_RTL_USER_PROCESS_PARAMETERS
得到它的结构体,结构体里面有CommandLine;
#include<Winternl.h>
typedef struct _PEB {//PEB结构 BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; BYTE Reserved4[104]; PVOID Reserved5[52]; PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; BYTE Reserved6[128]; PVOID Reserved7[1]; ULONG SessionId;} PEB, *PPEB;
ntdll!_PEB+0x000InheritedAddressSpace : ??
+0x001ReadImageFileExecOptions : ??
+0x002BeingDebugged : ??
+0x003SpareBool : ??
+0x004Mutant : ????
+0x008ImageBaseAddress : ????
+0x00cLdr : ????
+0x010ProcessParameters : _RTL_USER_PROCESS_PARAMETERS(如下)
+0x014SubSystemData : ????
+0x018ProcessHeap : ????
+0x01cFastPebLock : ????
+0x020FastPebLockRoutine : ????+0x024 FastPebUnlockRoutine : ????+0x028 EnvironmentUpdateCount : ??+0x02c KernelCallbackTable : ????+0x030 SystemReserved : [1] ??+0x034 AtlThunkSListPtr32 : ??+0x038 FreeList : ????+0x03c TlsExpansionCounter : ??+0x040 TlsBitmap : ????+0x044 TlsBitmapBits : [2] ??+0x04c ReadOnlySharedMemoryBase : ????+0x050 ReadOnlySharedMemoryHeap : ????+0x054 ReadOnlyStaticServerData : ????+0x058 AnsiCodePageData : ????+0x05c OemCodePageData : ????+0x060 UnicodeCaseTableData : ????+0x064 NumberOfProcessors : ??+0x068 NtGlobalFlag : ??+0x070 CriticalSectionTimeout : _LARGE_INTEGER+0x078 HeapSegmentReserve : ??+0x07c HeapSegmentCommit : ??+0x080 HeapDeCommitTotalFreeThreshold : ??+0x084 HeapDeCommitFreeBlockThreshold : ??+0x088 NumberOfHeaps : ??+0x08c MaximumNumberOfHeaps : ??+0x090 ProcessHeaps : ????+0x094 GdiSharedHandleTable : ????+0x098 ProcessStarterHelper : ????+0x09c GdiDCAttributeList : ??+0x0a0 LoaderLock : ????+0x0a4 OSMajorVersion : ??+0x0a8 OSMinorVersion : ??+0x0ac OSBuildNumber : ??+0x0ae OSCSDVersion : ??+0x0b0 OSPlatformId : ??+0x0b4 ImageSubsystem : ??+0x0b8 ImageSubsystemMajorVersion : ??+0x0bc ImageSubsystemMinorVersion : ??+0x0c0 ImageProcessAffinityMask : ??+0x0c4 GdiHandleBuffer : [34] ??+0x14c PostProcessInitRoutine : ????+0x150 TlsExpansionBitmap : ????+0x154 TlsExpansionBitmapBits : [32] ??+0x1d4 SessionId : ??+0x1d8 AppCompatFlags : _ULARGE_INTEGER+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER+0x1e8 pShimData : ????+0x1ec AppCompatInfo : ????+0x1f0 CSDVersion : _UNICODE_STRING+0x1f8 ActivationContextData : ????+0x1fc ProcessAssemblyStorageMap : ????+0x200 SystemDefaultActivationContextData : ????+0x204 SystemAssemblyStorageMap : ????+0x208 MinimumStackCommit : ??
struct RTL_USER_PROCESS_PARAMETERS
typedef struct _RTL_USER_PROCESS_PARAMETERS{ ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; PVOID ConsoleHandle; ULONG ConsoleFlags; PVOID StandardInput; PVOID StandardOutput; PVOID StandardError; CURDIR CurrentDirectory; UNICODE_STRING DllPath; UNICODE_STRING ImagePathName; UNICODE_STRING CommandLine; PVOID Environment; ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopInfo; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; ULONG EnvironmentSize;} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
NtQueryInformationProcess
NTSTATUS WINAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, //进程句柄 _In_ PROCESSINFOCLASS ProcessInformationClass,//ProcessBasicInformation _Out_ PVOID ProcessInformation, //PROCESS_BASIC_INFORMATION结构体 _In_ ULONG ProcessInformationLength, //前面结构体的大小 _Out_opt_ PULONG ReturnLength //返回值的大小);
#include<windows.h>#include<tchar.h>#include<Winternl.h>typedef NTSTATUS (WINAPI *QT)(HANDLE,PROCESSINFOCLASS,PVOID,ULONG,PULONG);//NtQueryInformationProcess/*写成一个函数,来获得所有的PEB结构体信息*/TCHAR* GetProcessCommandLine(HANDLE hProcess){HMODULE hModule = 0;QT NtQuery = { 0 };hModule = LoadLibrary(L"Ntdll.dll"); //加载动态链接if (hModule){NtQuery = (QT)GetProcAddress(hModule, "NtQueryInformationProcess");if (NtQuery == NULL)return 0;}elsereturn 0;PROCESS_BASIC_INFORMATION pi = { 0 };NTSTATUS re = NtQuery(hProcess,ProcessBasicInformation, &pi, sizeof(pi), NULL);/*在pi中,pi.PebBaseAddress指向PEB,那么这个指针指向的地址是哪个地址呢?这个指针指向的地址,是word进程的地址*/if (!NT_SUCCESS(re)){//_tprintf(L"OK\n");return 0;}PEB peb;RTL_USER_PROCESS_PARAMETERS para;ReadProcessMemory(hProcess, pi.PebBaseAddress, &peb, sizeof(peb), NULL); //将pi.PebBaseAddress的信息读取到peb中ReadProcessMemory(hProcess, peb.ProcessParameters, ¶, sizeof(para), NULL);TCHAR* CommandLine=(TCHAR*)malloc(sizeof(TCHAR)*1024);ReadProcessMemory(hProcess, para.CommandLine.Buffer, CommandLine, 1024 * 2, NULL);//_tprintf(L"%s\n", CommandLine);//MessageBox(NULL, CommandLine, L"ok", MB_OK);CloseHandle(hProcess);FreeLibrary(hModule);return CommandLine;}int _tmain(int argc,TCHAR* argv[]){HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2144);TCHAR *str = GetProcessCommandLine(hProcess);MessageBox(NULL,str,L"OK",MB_OK);free(str);return 0;}/*int _tmain(int argc,TCHAR* argv[]){ HMODULE hModule = 0;QT NtQuery = {0};hModule = LoadLibrary(L"Ntdll.dll"); //如果不写,就会报无法动态装入的错误,所以在头部加上typedef NTSTATUS结构体信息if (hModule){NtQuery = (QT)GetProcAddress(hModule,"NtQueryInformationProcess");//第二个参数不能加L,因为是ASCII类型的}HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,2144);PROCESS_BASIC_INFORMATION pi = {0}; //初始化NTSTATUS re = NtQuery(hProcess,ProcessBasicInformation,&pi,sizeof(pi),NULL);//在pi中,pi.PebBaseAddress指向PEB,那么这个指针指向的地址是哪个地址呢?//这个指针指向的地址,是word进程的地址if (NT_SUCCESS(re)) //是一个宏,来判断NTSTATUS返回类型是否成功{//_tprintf(L"OK\n");}PEB peb;RTL_USER_PROCESS_PARAMETERS para;//这个函数用来读取其他进程中的内存地址ReadProcessMemory(hProcess,pi.PebBaseAddress,&peb,sizeof(peb),NULL);ReadProcessMemory(hProcess,peb.ProcessParameters,¶,sizeof(para),NULL);TCHAR CommandLine[1024];ReadProcessMemory(hProcess,para.CommandLine.Buffer,CommandLine,1024*2,NULL);//*2是UNICODE字符_tprintf(L"%s\n", CommandLine);MessageBox(NULL,CommandLine,L"ok",MB_OK);_gettchar();CloseHandle(hProcess);FreeLibrary(hModule);return 0;}*/
0 0
- windows核心编程-如何获取进程命令行信息
- windows核心编程-获取系统中进程的信息
- Windows-核心编程-04-进程-获取进程 线程 模块(DLL)信息
- windows核心编程-获取进程当前目录
- windows程序如何获取进程的命令行
- windows核心编程-如何关闭进程
- windows核心编程--进程
- windows核心编程--进程
- Windows核心编程:进程
- windows 核心编程(进程)
- 《Windows核心编程》进程
- Windows核心编程 - 进程
- windows核心编程-进程
- windows核心编程---进程
- 【Windows 核心编程】Windows 核心编程 -- 进程
- windows核心编程学习体会1:获取进程实例句柄
- windows核心编程-获取进程中堆的分配情况
- windows核心编程-进程的句柄和如何获得
- python magic文档
- 输入一个字符串 在输入帧头 帧尾 取合法帧 (标志位的使用)
- js知识点总结
- JDK中rmi包下的类
- js判断数组或对象中的key是否存在
- windows核心编程-如何获取进程命令行信息
- phpcms model.class.php分析
- 关于Ecshop小京东,手机管理后台,增加楼层右边分类不显示的问题
- 每天一个linux命令(6):rmdir 命令
- sync同步命令
- UI布局
- 关于字符设备驱动注册的常用办法
- char如何计算溢出值
- 数据库实例自动crash并报ORA-27157、ORA-27300等错误