获取其他进程命令行参数GetPebCommandLine

#pragma once#define NTAPI __stdcall// NtQueryInformationProcess for pure 32 and 64-bit processestypedef NTSTATUS(NTAPI *_NtQueryInformationProcess)(IN HANDLE ProcessHandle,ULONG ProcessInformationClass,OUT PVOID ProcessInformation,IN ULONG ProcessInformationLength,OUT PULONG ReturnLength OPTIONAL);typedef NTSTATUS(NTAPI *_NtReadVirtualMemory)(IN HANDLE ProcessHandle,IN PVOID BaseAddress,OUT PVOID Buffer,IN SIZE_T Size,OUT PSIZE_T NumberOfBytesRead);// NtQueryInformationProcess for 32-bit process on WOW64typedef NTSTATUS(NTAPI *_NtWow64ReadVirtualMemory64)(IN HANDLE ProcessHandle,IN PVOID64 BaseAddress,OUT PVOID Buffer,IN ULONG64 Size,OUT PULONG64 NumberOfBytesRead);// PROCESS_BASIC_INFORMATION for pure 32 and 64-bit processestypedef struct _PROCESS_BASIC_INFORMATION {PVOID Reserved1;PVOID PebBaseAddress;PVOID Reserved2[2];ULONG_PTR UniqueProcessId;PVOID Reserved3;} PROCESS_BASIC_INFORMATION;// PROCESS_BASIC_INFORMATION for 32-bit process on WOW64// The definition is quite funky, as we just lazily doubled sizes to match offsets...typedef struct _PROCESS_BASIC_INFORMATION_WOW64 {PVOID Reserved1[2];PVOID64 PebBaseAddress;PVOID Reserved2[4];ULONG_PTR UniqueProcessId[2];PVOID Reserved3[2];} PROCESS_BASIC_INFORMATION_WOW64;typedef struct _UNICODE_STRING {USHORT Length;USHORT MaximumLength;PWSTR  Buffer;} UNICODE_STRING;typedef struct _UNICODE_STRING_WOW64 {USHORT Length;USHORT MaximumLength;PVOID64 Buffer;} UNICODE_STRING_WOW64;



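#include <windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "ProcessParameters.h"

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

// Offsets of PEB->ProcessParameters and of
// RTL_USER_PROCESS_PARAMETERS->CommandLine in the 64-bit and 32-bit layouts.
// These are the values the original code hard-coded inline. On a 64-bit OS the
// 64-bit PEB is always the one read (a WOW64 reader reaches it through the
// NtWow64* calls, a native 64-bit reader directly), so the choice depends on
// the native architecture, not on the target's bitness.
enum {
    PEB_PROCESS_PARAMETERS_OFFSET_64 = 0x20,
    PEB_PROCESS_PARAMETERS_OFFSET_32 = 0x10,
    RTL_COMMAND_LINE_OFFSET_64       = 0x70,
    RTL_COMMAND_LINE_OFFSET_32       = 0x40
};

// Allocates a zeroed buffer for a remote UNICODE_STRING of `length` bytes
// (the UNICODE_STRING.Length convention) plus one terminating L'\0'.
// `length` comes from the target process and is only trusted as far as its
// USHORT range; a trailing odd byte is ignored. On return *bytes holds the
// number of payload bytes to copy. Returns NULL on allocation failure; the
// caller releases the buffer with free().
static wchar_t *alloc_cmdline_buffer(USHORT length, size_t *bytes)
{
    *bytes = (length / sizeof(wchar_t)) * sizeof(wchar_t);
    return (wchar_t *)calloc(*bytes + sizeof(wchar_t), 1);
}

// Resolves an export of the already-loaded ntdll.dll, or NULL if either the
// module or the export is missing. (GetProcAddress(NULL, ...) would otherwise
// silently search the calling executable.)
static FARPROC ntdll_export(const char *name)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    return ntdll ? GetProcAddress(ntdll, name) : NULL;
}

/*
 * Reads the command line of process `pId` out of its PEB
 * (PEB->ProcessParameters->CommandLine), working from a 32-bit or a 64-bit
 * reader on a 32-bit or 64-bit OS.
 *
 * Returns a malloc()-family buffer holding a NUL-terminated wide string that
 * the caller releases with free(), or NULL on any failure (process cannot be
 * opened, ntdll exports missing, a remote read fails, allocation fails).
 * Both paths now use the same allocator; the original returned a malloc()
 * buffer on the WOW64 path and a new[] buffer otherwise, so no caller could
 * release it correctly in both cases, and on a failed final read it returned
 * a non-NULL, partially filled and unterminated buffer.
 *
 * Everything read from the target (PEB, RTL_USER_PROCESS_PARAMETERS, the
 * UNICODE_STRING header) is written by that process and may be arbitrary or
 * inconsistent: remote pointers are only ever handed back to the OS read
 * APIs, never dereferenced locally, and the copied length is bounded by the
 * USHORT Length field plus an explicit terminator.
 */
wchar_t* GetPebCommandLine(DWORD pId)
{
    NTSTATUS status;
    HANDLE hProcess = NULL;
    SYSTEM_INFO si;
    BOOL wow64 = FALSE;
    BOOL ok = FALSE;
    wchar_t *pCmdLine = NULL;
    BYTE *peb = NULL;
    BYTE *pUserProcessParameters = NULL;
    DWORD ProcessParametersOffset = 0;
    DWORD CommandLineOffset = 0;
    DWORD pebSize = 0;
    DWORD ppSize = 0;
    size_t cmdBytes = 0;

    do {
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pId);
        if (hProcess == NULL)
            break;

        GetNativeSystemInfo(&si);
        // The original ignored this result and then branched on an
        // uninitialized BOOL; a failed query is treated as a failure.
        if (!IsWow64Process(GetCurrentProcess(), &wow64))
            break;

        if (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) {
            ProcessParametersOffset = PEB_PROCESS_PARAMETERS_OFFSET_64;
            CommandLineOffset = RTL_COMMAND_LINE_OFFSET_64;
        } else {
            ProcessParametersOffset = PEB_PROCESS_PARAMETERS_OFFSET_32;
            CommandLineOffset = RTL_COMMAND_LINE_OFFSET_32;
        }
        // Read only as far into each structure as the field we need:
        // an (up to) 8-byte pointer and a 16-byte UNICODE_STRING.
        pebSize = ProcessParametersOffset + 8;
        ppSize = CommandLineOffset + 16;

        peb = (BYTE *)calloc(pebSize, 1);
        pUserProcessParameters = (BYTE *)calloc(ppSize, 1);
        if (peb == NULL || pUserProcessParameters == NULL)
            break;

        if (wow64) {
            // 32-bit reader on a 64-bit OS: the target's 64-bit PEB is only
            // reachable through the NtWow64* variants.
            PROCESS_BASIC_INFORMATION_WOW64 pbi = {0};

            _NtQueryInformationProcess QueryInformationProcess =
                (_NtQueryInformationProcess)ntdll_export("NtWow64QueryInformationProcess64");
            _NtWow64ReadVirtualMemory64 Wow64ReadVirtualMemory64 =
                (_NtWow64ReadVirtualMemory64)ntdll_export("NtWow64ReadVirtualMemory64");
            if (QueryInformationProcess == NULL || Wow64ReadVirtualMemory64 == NULL)
                break;

            // 0 == ProcessBasicInformation
            status = QueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL);
            if (!NT_SUCCESS(status))
                break;

            status = Wow64ReadVirtualMemory64(hProcess, pbi.PebBaseAddress, peb, pebSize, NULL);
            if (!NT_SUCCESS(status))
                break;

            // The 64-bit PEB holds a 64-bit ProcessParameters pointer. The
            // original read it through a 32-bit LPVOID, silently dropping the
            // upper half, so any address above 4 GiB was read from the wrong
            // place. Keep the full 64-bit value (memcpy: no alignment or
            // aliasing assumptions on the byte buffer).
            PVOID64 parameters = NULL;
            memcpy(&parameters, peb + ProcessParametersOffset, sizeof(parameters));
            status = Wow64ReadVirtualMemory64(hProcess, parameters,
                                              pUserProcessParameters, ppSize, NULL);
            if (!NT_SUCCESS(status))
                break;

            UNICODE_STRING_WOW64 cmd;
            memcpy(&cmd, pUserProcessParameters + CommandLineOffset, sizeof(cmd));
            pCmdLine = alloc_cmdline_buffer(cmd.Length, &cmdBytes);
            if (pCmdLine == NULL)
                break;
            // An empty command line has nothing to read (its Buffer may be NULL);
            // the buffer already holds the terminator.
            if (cmdBytes != 0) {
                status = Wow64ReadVirtualMemory64(hProcess, cmd.Buffer, pCmdLine, cmdBytes, NULL);
                if (!NT_SUCCESS(status))
                    break;
            }
        } else {
            // Same pointer width as the target's PEB: 32-bit on a 32-bit OS,
            // or a 64-bit reader on a 64-bit OS.
            PROCESS_BASIC_INFORMATION pbi = {0};

            _NtQueryInformationProcess QueryInformationProcess =
                (_NtQueryInformationProcess)ntdll_export("NtQueryInformationProcess");
            if (QueryInformationProcess == NULL)
                break;

            // 0 == ProcessBasicInformation
            status = QueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL);
            if (!NT_SUCCESS(status))
                break;

            if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, peb, pebSize, NULL))
                break;

            // Address of RTL_USER_PROCESS_PARAMETERS in the remote address space.
            PVOID parameters = NULL;
            memcpy(&parameters, peb + ProcessParametersOffset, sizeof(parameters));
            if (!ReadProcessMemory(hProcess, parameters, pUserProcessParameters, ppSize, NULL))
                break;

            UNICODE_STRING cmd;
            memcpy(&cmd, pUserProcessParameters + CommandLineOffset, sizeof(cmd));
            pCmdLine = alloc_cmdline_buffer(cmd.Length, &cmdBytes);
            if (pCmdLine == NULL)
                break;
            if (cmdBytes != 0) {
                if (!ReadProcessMemory(hProcess, cmd.Buffer, pCmdLine, cmdBytes, NULL))
                    break;
            }
        }
        ok = TRUE;
    } while (FALSE);

    // The two scratch buffers were leaked on every path in the original.
    free(pUserProcessParameters);
    free(peb);
    if (hProcess != NULL)
        CloseHandle(hProcess);
    if (!ok) {
        // Never hand back a partially filled buffer.
        free(pCmdLine);
        pCmdLine = NULL;
    }
    return pCmdLine;
}

// Demo driver: prints the command line of the process whose PID is given as
// the first argument. With no argument it falls back to 3400, the PID the
// original hard-coded. Exit status is 0 on success, 1 on bad usage or when
// the command line could not be read.
int main(int argc, char **argv)
{
    DWORD pid = 3400;
    if (argc > 1) {
        char *end = NULL;
        errno = 0;
        unsigned long value = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "usage: %s [pid]\n", argv[0]);
            return 1;
        }
        pid = (DWORD)value;
    }

    wchar_t *cmdLine = GetPebCommandLine(pid);
    if (cmdLine == NULL) {
        fprintf(stderr, "could not read the command line of process %lu\n", (unsigned long)pid);
        return 1;
    }
    wprintf(L"%ls\n", cmdLine);
    free(cmdLine);
    return 0;
}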

