#include <windows.h>
#include <Winternl.h>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#pragma comment(lib, "ntdll.lib")
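// Read another process's command line by walking its PEB:
// NtQueryInformationProcess -> PEB -> RTL_USER_PROCESS_PARAMETERS -> CommandLine.
//
// pid     - id of the target process.
// cmdline - receives the target's UNICODE command line on success; it is left
//           untouched when the function returns FALSE.
// Returns TRUE on success, FALSE if the process cannot be opened or any of the
// remote reads fails.
//
// NOTE(review): PEB and RTL_USER_PROCESS_PARAMETERS are the caller's own
// bitness here; a target of different bitness (WOW64 vs. native) is not handled
// by this function — confirm against the intended deployment.
BOOL GetCmdLine(DWORD pid, std::wstring& cmdline) {
    // Least privilege: walking the PEB only needs query + VM read rights.
    // PROCESS_ALL_ACCESS asks for far more than is used and is refused for
    // protected / elevated targets where these two rights would succeed.
    HANDLE rawHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    // OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE.
    if (rawHandle == nullptr) {
        return FALSE;
    }
    // RAII owner so the handle is closed on every exit path.
    std::unique_ptr<void, decltype(&CloseHandle)> hProcess(rawHandle, &CloseHandle);

    PROCESS_BASIC_INFORMATION pbi{};
    const NTSTATUS status = NtQueryInformationProcess(
        hProcess.get(), ProcessBasicInformation, &pbi, sizeof(pbi), nullptr);
    if (!NT_SUCCESS(status) || pbi.PebBaseAddress == nullptr) {
        return FALSE;
    }

    PEB peb{};
    if (!ReadProcessMemory(hProcess.get(), pbi.PebBaseAddress, &peb, sizeof(peb), nullptr)) {
        return FALSE;
    }
    if (peb.ProcessParameters == nullptr) {
        return FALSE;
    }

    RTL_USER_PROCESS_PARAMETERS upps{};
    if (!ReadProcessMemory(hProcess.get(), peb.ProcessParameters, &upps, sizeof(upps), nullptr)) {
        return FALSE;
    }

    // UNICODE_STRING::Length is a byte count, not a character count.
    const USHORT byteLength = upps.CommandLine.Length;
    if (byteLength == 0 || upps.CommandLine.Buffer == nullptr) {
        cmdline.clear();
        return TRUE;
    }

    // Size the destination in characters. The original computed
    // `USHORT + 1` in USHORT, which wraps to 0 for Length == 0xFFFF and then
    // read Length bytes into a zero-length allocation; a std::wstring sized
    // from the byte count cannot wrap and needs no manual delete[].
    std::wstring buffer(byteLength / sizeof(WCHAR), L'\0');
    if (!ReadProcessMemory(hProcess.get(), upps.CommandLine.Buffer, &buffer[0], byteLength, nullptr)) {
        return FALSE;
    }

    // Assign with the explicit length instead of relying on a terminating NUL
    // that the remote string is not guaranteed to carry.
    cmdline = std::move(buffer);
    return TRUE;
}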
需要注意32位程序和64位程序一致性。




