wintenl.h 下載地址
#include "stdafx.h"
#include "winternl.h"
typedef NTSTATUS (WINAPI *NtQueryInformationProcessFake)(HANDLE, DWORD, PVOID, ULONG, PULONG);
NtQueryInformationProcessFake ntQ = NULL;
void getProcCMD(DWORD pid) {
HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid );
if (INVALID_HANDLE_VALUE != hproc){
HANDLE hnewdup = NULL;
PEB peb;
RTL_USER_PROCESS_PARAMETERS upps;
WCHAR buffer[MAX_PATH] = {NULL};
HMODULE hm = LoadLibrary(_T("Ntdll.dll"));
ntQ = (NtQueryInformationProcessFake)GetProcAddress(hm, "NtQueryInformationProcess");
if ( DuplicateHandle(GetCurrentProcess(), hproc, GetCurrentProcess(), &hnewdup, 0, FALSE, DUPLICATE_SAME_ACCESS) ) {
PROCESS_BASIC_INFORMATION pbi;
NTSTATUS isok = ntQ(hnewdup, 0/*ProcessBasicInformation*/, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), 0);
if (BCRYPT_SUCCESS(isok)) {
if ( ReadProcessMemory(hnewdup, pbi.PebBaseAddress, &peb, sizeof(PEB), 0) )
if ( ReadProcessMemory(hnewdup, peb.ProcessParameters, &upps, sizeof(RTL_USER_PROCESS_PARAMETERS), 0) ) {
WCHAR *buffer = new WCHAR[upps.CommandLine.Length + 1];
ZeroMemory(buffer, (upps.CommandLine.Length + 1) * sizeof(WCHAR));
ReadProcessMemory(hnewdup, upps.CommandLine.Buffer, buffer, upps.CommandLine.Length, 0);
delete buffer;
}
}
CloseHandle(hnewdup);
}
CloseHandle(hproc);
}
}