读取其他进程启动参数? Delphi 怎么读取其他进程的命令行参数(也就是启动参数)?比如有个进程是 a.exe /b (/b 是参数),要怎么读取? 解决方案 » Open:=OpenProcess(Process_Query_InforMation or Process_VM_Read,true,Strtoint(Edit1.Text));hKernel:=LoadLibrary('kernel32.dll');dwAddr := integer(GetProcAddress(hKernel, 'GetCommandLineA'));showmessage(inttohex(dwaddr+1,0));If ReadProcessMemory(open, pointer(dwAddr), pointer(tepAddr),4, dwRead) ThenReadProcessMemory(open, pointer(tepAddr),pointer(@(p[0])),512, dwRead);读不出来啊 type PUNICODESTRING = ^UNICODESTRING; UNICODESTRING = packed record Length: Word; MaximumLength: Word; Buffer: PWideChar; end; PCURRENTDIRECTORY = ^CURRENTDIRECTORY; CURRENTDIRECTORY = packed record DosPath: UNICODESTRING; Handle: Cardinal; end; PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS; PROCESS_PARAMETERS = packed record MaximumLength: Cardinal; Length: Cardinal; Flags: Cardinal; DebugFlags: Cardinal; ConsoleHandle: Cardinal; ConsoleFlags: Cardinal; StandardInput: Cardinal; StandardOutput: Cardinal; StandardError: Cardinal; CurrentDirectory: CURRENTDIRECTORY; DllPath: UNICODESTRING; ImagePathName: UNICODESTRING; CommandLine: UNICODESTRING; //pathletboy注:结构申明没有结束,如有需要可自行根据WinDbg进行申明。 end; PPEB = ^PEB; PEB = packed record InheritedAddressSpace: Char; ReadImageFileExecOptions: Char; BeingDebugged: Char; SpareBool: Char; Mutant: Cardinal; ImageBaseAddress: Cardinal; Ldr: Cardinal; ProcessParameters: PPROCESS_PARAMETERS; //pathletboy注:结构申明没有结束,如有需要可自行根据WinDbg进行申明。 end; PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION; PROCESS_BASIC_INFORMATION = packed record ExitStatus: Integer; PebBaseAddress: PPEB; AffinityMask: Cardinal; BasePriority: Integer; UniqueProcessId: Cardinal; InheritedFromUniqueProcessId: Cardinal; end;function GetProcessCmdLine(ProcessId: Cardinal): string;var ZwQueryInformationProcess: function(ProcessHandle: Cardinal; ProcessInformationClass: Cardinal; var ProcessInfomation: PROCESS_BASIC_INFORMATION; ProcessInformationLength: Cardinal; var ReturnLength: 
Cardinal): Cardinal; stdcall; //pathletboy注:参数2为枚举值 hNtdll: Cardinal; hProcess: Cardinal; pbi: PROCESS_BASIC_INFORMATION; retLen: Cardinal; xPEB: PEB; xProcessParam: PROCESS_PARAMETERS; cmd: array of WideChar;begin Result := ''; hNtdll := GetModuleHandle('ntdll.dll'); if hNtdll = 0 then begin Exit; end; ZwQueryInformationProcess := GetProcAddress(hNtdll, 'ZwQueryInformationProcess'); if not Assigned(ZwQueryInformationProcess) then begin Exit; end; hProcess := OpenProcess(PROCESS_ALL_ACCESS, false, ProcessId); if hProcess = 0 then begin Exit; end; ZwQueryInformationProcess(hProcess, 0, pbi, SizeOf(pbi), retLen); ReadProcessMemory(hProcess, pbi.PebBaseAddress, @xPEB, SizeOf(xPEB), retLen); ReadProcessMemory(hProcess, xPEB.ProcessParameters, @xProcessParam, SizeOf(xProcessParam), retLen); SetLength(cmd, xProcessParam.CommandLine.Length); ReadProcessMemory(hProcess, xProcessParam.CommandLine.Buffer, cmd, xProcessParam.CommandLine.Length, retLen); Result := WideCharToString(@cmd[0]);end;调用ShowMessage(GetProcessCmdLine(pid)); 但是我还有个问题请教一下啊,就是我觉的可以用ReadProcessMemory读出来,你知道要怎么读啊,我读出来是乱码啊,能帮我看看吗? 
procedure TForm1.Button1Click(Sender: TObject); var open:Thandle; hKernel:cardinal; dwAddr:integer; tepAddr:integer; dwRead:cardinal; p:pointer; s:Pchar; begin Open:=OpenProcess( Process_VM_Read,false,992); hKernel:=LoadLibrary(Pchar('kernel32.dll')); dwAddr := integer(GetProcAddress(hKernel, Pchar('GetCommandLineA')))+1; If ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead) Then showmessage(Pchar(dwAddr)); if ReadProcessMemory(open, pointer(dwAddr),p,512, dwRead) then showmessage(Pchar(p)); CloseHandle(Open); end; procedure TForm1.Btn1Click(Sender: TObject);varopen:Thandle;hKernel:cardinal;dwAddr:integer;tepAddr:integer;dwRead:cardinal;p:pointer;s:Pchar;beginOpen:=OpenProcess( Process_VM_Read,false,992);hKernel:=LoadLibrary(Pchar('kernel32.dll'));dwAddr := integer(GetProcAddress(hKernel, Pchar('GetCommandLineA')))+1;ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);GetMem(p, 512);if ReadProcessMemory(open, pointer(dwAddr),p,512, dwRead) thenshowmessage(Pchar(p));FreeMem(p);CloseHandle(Open);end; siliemor 2009年04月14日 15点52分26秒 说:我还想请教一下,你给我的代码我看了,成功了!但是这里为什么要读两次? siliemor 2009年04月14日 15点54分59秒 说:为什么要加 1 呢? 答:第一次 read 读取的是指针变量所在的地址;第二次 read 读取该指针变量的值,即指针所指向的地址;第三次 read 才读取该地址上的内容。至于 +1,你得去反汇编看一下 GetCommandLineA 函数,看了就明白了——+1 通常是跳过第一条指令的操作码字节,直接取其 4 字节地址操作数;这依赖于所用 kernel32 版本的具体指令编码,并不是所有函数都这样,换系统版本或 64 位进程就可能失效。 追问:那是不是所有函数都要这样加一?(第一次 read 读取指针所在的地址;第二次 read 读取指针所指向的地址;第三次 read 读取指针所指向地址上的值。)
// Original poster's failing attempt (fragment: `open` comes from an
// OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, ...) call
// that is not part of this excerpt).
hKernel:=LoadLibrary('kernel32.dll');
// Address of kernel32!GetCommandLineA in THIS process. The working
// listings further down read 4 bytes at this address + 1, not at the
// entry point itself.
dwAddr := integer(GetProcAddress(hKernel, 'GetCommandLineA'));
showmessage(inttohex(dwaddr+1,0));
// BUG: pointer(tepAddr) passes the (uninitialised) VALUE of tepAddr as the
// destination buffer; it has to be @tepAddr. The read is also at dwAddr
// rather than dwAddr+1, so it returns the first 4 code bytes of the
// function instead of the address operand the later listings rely on.
If ReadProcessMemory(open, pointer(dwAddr), pointer(tepAddr),4, dwRead) Then
// BUG: if p is an untyped Pointer (as in the later listings) p[0] is not
// valid, and no buffer is ever allocated. Even with a buffer this is still
// one dereference short of the string (see the two-read Btn1Click
// version). The trailing Chinese text is the poster's "can't read it"
// remark, not code.
ReadProcessMemory(open, pointer(tepAddr),pointer(@(p[0])),512, dwRead);读不出来啊
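type
  // Minimal subset of the native NT structures needed to reach
  // RTL_USER_PROCESS_PARAMETERS.CommandLine. All field sizes are the
  // 32-bit layouts, so these declarations are only valid for a 32-bit
  // caller reading a 32-bit target (see GetProcessCmdLine below).
  PUNICODESTRING = ^UNICODESTRING;
  UNICODESTRING = packed record
    Length: Word;         // size of the string in BYTES, not characters
    MaximumLength: Word;  // allocated size of Buffer, in bytes
    Buffer: PWideChar;    // address valid in the TARGET process only
  end;

  PCURRENTDIRECTORY = ^CURRENTDIRECTORY;
  CURRENTDIRECTORY = packed record
    DosPath: UNICODESTRING;
    Handle: Cardinal;
  end;

  PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;
  PROCESS_PARAMETERS = packed record
    MaximumLength: Cardinal;
    Length: Cardinal;
    Flags: Cardinal;
    DebugFlags: Cardinal;
    ConsoleHandle: Cardinal;
    ConsoleFlags: Cardinal;
    StandardInput: Cardinal;
    StandardOutput: Cardinal;
    StandardError: Cardinal;
    CurrentDirectory: CURRENTDIRECTORY;
    DllPath: UNICODESTRING;
    ImagePathName: UNICODESTRING;
    CommandLine: UNICODESTRING;
    // Declaration intentionally stops here; the real structure continues.
    // Extend it from WinDbg (`dt nt!_RTL_USER_PROCESS_PARAMETERS`) if more
    // fields are needed. Only a prefix is ever read, so this is safe.
  end;

  PPEB = ^PEB;
  PEB = packed record
    // These four are 1-byte BOOLEANs. AnsiChar keeps them 1 byte on every
    // Delphi version; plain Char becomes 2 bytes in Unicode Delphi and
    // would shift every following field.
    InheritedAddressSpace: AnsiChar;
    ReadImageFileExecOptions: AnsiChar;
    BeingDebugged: AnsiChar;
    SpareBool: AnsiChar;
    Mutant: Cardinal;
    ImageBaseAddress: Cardinal;
    Ldr: Cardinal;
    ProcessParameters: PPROCESS_PARAMETERS; // address valid in the TARGET only
    // Declaration intentionally stops here; see WinDbg `dt nt!_PEB`.
  end;

  PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
  PROCESS_BASIC_INFORMATION = packed record
    ExitStatus: Integer;
    PebBaseAddress: PPEB;  // address valid in the TARGET only
    AffinityMask: Cardinal;
    BasePriority: Integer;
    UniqueProcessId: Cardinal;
    InheritedFromUniqueProcessId: Cardinal;
  end;

// Returns the command line of process ProcessId, or '' if it cannot be
// read. The string is taken from the target's own PEB
// (RTL_USER_PROCESS_PARAMETERS.CommandLine), located through the
// undocumented ntdll!ZwQueryInformationProcess(ProcessBasicInformation).
//
// Constraints:
//   * 32-bit caller and 32-bit target only: the records above use 32-bit
//     field sizes, and a WOW64 caller cannot address a 64-bit target's PEB
//     this way.
//   * The caller needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the
//     target (same user, or SeDebugPrivilege); anything less yields ''.
//
// Security notes:
//   * The PEB is ordinary user-mode memory owned by the target, so the
//     returned text is whatever the target currently has there. It is not
//     evidence of how the process was started and must be treated as
//     untrusted input (do not parse it as a path or a command without
//     validation); it is suitable for display and diagnostics.
//   * Command lines frequently carry secrets (passwords, tokens). A tool
//     that exposes this function is an information-disclosure vector and
//     should run with the least privilege that still meets its purpose.
//
// Every step is checked and the handle is always closed; the previous
// version ignored all return values, so a failed query or read left
// garbage in pbi/xPEB/xProcessParam that was then dereferenced.
function GetProcessCmdLine(ProcessId: Cardinal): string;
type
  TZwQueryInformationProcess = function(ProcessHandle: THandle;
    ProcessInformationClass: Cardinal;
    var ProcessInformation: PROCESS_BASIC_INFORMATION;
    ProcessInformationLength: Cardinal;
    var ReturnLength: Cardinal): Cardinal; stdcall;
const
  ProcessBasicInformation = 0; // PROCESSINFOCLASS value for PROCESS_BASIC_INFORMATION
var
  ZwQueryInformationProcess: TZwQueryInformationProcess;
  hNtdll: HMODULE;
  hProcess: THandle;
  pbi: PROCESS_BASIC_INFORMATION;
  retLen: Cardinal;
  bytesRead: DWORD;
  xPEB: PEB;
  xProcessParam: PROCESS_PARAMETERS;
  cmdChars: Cardinal;
  cmd: array of WideChar;
begin
  Result := '';

  hNtdll := GetModuleHandle('ntdll.dll');
  if hNtdll = 0 then
    Exit;
  ZwQueryInformationProcess := GetProcAddress(hNtdll, 'ZwQueryInformationProcess');
  if not Assigned(ZwQueryInformationProcess) then
    Exit;

  // Least privilege: querying the PEB address and reading it needs only
  // these two rights. PROCESS_ALL_ACCESS is refused for many processes the
  // caller could otherwise read (other integrity level, protected
  // processes) and nothing here requires it.
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, ProcessId);
  if hProcess = 0 then
    Exit;
  try
    // NTSTATUS: 0 is STATUS_SUCCESS; anything else leaves pbi undefined.
    if ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pbi,
         SizeOf(pbi), retLen) <> 0 then
      Exit;
    if pbi.PebBaseAddress = nil then
      Exit;

    if not ReadProcessMemory(hProcess, pbi.PebBaseAddress, @xPEB,
         SizeOf(xPEB), bytesRead) or (bytesRead <> SizeOf(xPEB)) then
      Exit;
    if xPEB.ProcessParameters = nil then
      Exit;

    if not ReadProcessMemory(hProcess, xPEB.ProcessParameters, @xProcessParam,
         SizeOf(xProcessParam), bytesRead) or (bytesRead <> SizeOf(xProcessParam)) then
      Exit;

    // UNICODE_STRING.Length is a byte count; convert to whole WideChars.
    cmdChars := xProcessParam.CommandLine.Length div SizeOf(WideChar);
    if (cmdChars = 0) or (xProcessParam.CommandLine.Buffer = nil) then
      Exit;

    // One spare element so the buffer is always NUL-terminated: the
    // target's string need not be, and the target controls those bytes.
    SetLength(cmd, cmdChars + 1);
    if not ReadProcessMemory(hProcess, xProcessParam.CommandLine.Buffer, @cmd[0],
         cmdChars * SizeOf(WideChar), bytesRead) then
      Exit;
    // bytesRead <= cmdChars*2, so this index is always inside the array.
    cmd[bytesRead div SizeOf(WideChar)] := #0;
    Result := WideCharToString(@cmd[0]);
  finally
    CloseHandle(hProcess);
  end;
end;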
// Example call; `pid` is the id of the process whose command line is wanted.
// Treat the text as untrusted: it comes from memory the target itself owns.
ShowMessage(GetProcessCmdLine(pid));
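// Demonstrates the "GetCommandLineA pointer" technique: find the static
// pointer that kernel32!GetCommandLineA returns, then dereference it in
// the TARGET process through ReadProcessMemory.
//
// Assumptions inherited from the original snippet (none verified here):
// kernel32.dll is mapped at the same base in both processes; the function
// presumably starts with `mov eax,[imm32]`, so the address operand begins
// 1 byte past the entry point (the `+1`); both processes are 32-bit; the
// target's ANSI command line is shorter than BufSize bytes. When one of
// these does not hold the result is garbage or an error message, not a
// crash.
//
// The string lives in memory the target can write, so what is shown is
// untrusted and is no proof of how the process was actually started.
//
// Fixes relative to the original: the original dereferenced the TARGET's
// address as a local PChar (`ShowMessage(PChar(dwAddr))`), read into an
// uninitialised pointer `p`, skipped one level of indirection (hence the
// "why read twice" question), never checked OpenProcess, and leaked a
// LoadLibrary reference.
procedure TForm1.Button1Click(Sender: TObject);
const
  TargetPid = 992;  // hard-coded in the original; a real tool takes it from the caller
  BufSize = 512;    // maximum number of command-line bytes copied
var
  hProc: THandle;
  hKernel: HMODULE;
  entry: Pointer;
  varAddr: Pointer;  // address of kernel32's static command-line pointer (in the target)
  strAddr: Pointer;  // address of the command-line string (in the target)
  buf: PAnsiChar;
  bytesRead: DWORD;
begin
  // PROCESS_VM_READ is all this needs; requesting more only makes
  // OpenProcess fail for processes we could otherwise read.
  hProc := OpenProcess(PROCESS_VM_READ, False, TargetPid);
  if hProc = 0 then
  begin
    ShowMessage('OpenProcess failed: ' + SysErrorMessage(GetLastError));
    Exit;
  end;
  try
    // kernel32 is always loaded, so no LoadLibrary/FreeLibrary pair is needed.
    hKernel := GetModuleHandle('kernel32.dll');
    entry := GetProcAddress(hKernel, 'GetCommandLineA');
    if entry = nil then
      Exit;

    // Read 1: the 4-byte operand at entry+1 = address of the static pointer.
    varAddr := nil;
    if not ReadProcessMemory(hProc, Pointer(PAnsiChar(entry) + 1), @varAddr,
         SizeOf(varAddr), bytesRead) or (varAddr = nil) then
    begin
      ShowMessage('Could not read the pointer operand: ' + SysErrorMessage(GetLastError));
      Exit;
    end;

    // Read 2: the value of that static pointer = address of the string.
    strAddr := nil;
    if not ReadProcessMemory(hProc, varAddr, @strAddr, SizeOf(strAddr), bytesRead)
       or (strAddr = nil) then
    begin
      ShowMessage('Could not read the command-line pointer: ' + SysErrorMessage(GetLastError));
      Exit;
    end;

    // Read 3: the string bytes. BufSize+1 plus an explicit terminator keeps
    // the PAnsiChar from running past the buffer when the target's string
    // is longer than BufSize or not NUL-terminated. Note that the whole
    // read fails if the BufSize range crosses into unmapped memory.
    GetMem(buf, BufSize + 1);
    try
      bytesRead := 0;
      if ReadProcessMemory(hProc, strAddr, buf, BufSize, bytesRead) then
      begin
        buf[bytesRead] := #0;
        ShowMessage(string(buf));
      end
      else
        ShowMessage('Could not read the command line: ' + SysErrorMessage(GetLastError));
    finally
      FreeMem(buf);
    end;
  finally
    CloseHandle(hProc);
  end;
end;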
// Working variant from the thread. Its header, `procedure
// TForm1.Btn1Click(Sender: TObject);`, is missing from this copy of the
// listing. It differs from Button1Click above in two ways: it dereferences
// TWICE before copying the string, and it allocates a real buffer with
// GetMem instead of reading into an uninitialised pointer.
var
open:Thandle;
hKernel:cardinal;
dwAddr:integer;
tepAddr:integer;   // unused
dwRead:cardinal;
p:pointer;
s:Pchar;           // unused
begin
// NOTE(review): no error handling anywhere. If pid 992 is gone or the caller
// lacks PROCESS_VM_READ on it, `Open` is 0 and every read below silently
// fails, leaving dwAddr/p with whatever they held before.
Open:=OpenProcess( Process_VM_Read,false,992);
// LoadLibrary on an already-loaded kernel32 only bumps a refcount that is
// never released (no FreeLibrary); GetModuleHandle would do.
hKernel:=LoadLibrary(Pchar('kernel32.dll'));
// +1 skips the first opcode byte of GetCommandLineA so that the following
// 4-byte read returns the instruction's address operand (the thread's
// answer: "disassemble it and you will see"; presumably `mov eax,[imm32]`).
// This is specific to the kernel32 build in use and to 32-bit code; it is
// not a general property of exported functions.
dwAddr := integer(GetProcAddress(hKernel, Pchar('GetCommandLineA')))+1;
// Read 1: the operand = address of kernel32's static pointer variable.
ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);
// Read 2: the value of that variable = address of the command-line string
// (this is the read Button1Click above is missing).
ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);
GetMem(p, 512);
// Read 3: the string itself. Nothing guarantees a NUL within the 512 bytes,
// so PChar(p) can run past the buffer; the read also fails as a whole when
// the 512-byte range crosses into unmapped memory. The text is read from
// memory the target owns, so treat it as untrusted.
if ReadProcessMemory(open, pointer(dwAddr),p,512, dwRead) then
showmessage(Pchar(p));
FreeMem(p);
CloseHandle(Open);
end;
我还想请教一下,就是你给我的代码我看了,成功了!但是这里为什么要读两次啊
siliemor 2009年04月14日 15点54分59秒 说:
怎么要加1呢
第一次 read 读取的是指针变量所在的地址(即 GetCommandLineA 第一条指令里的 4 字节地址操作数);
第二次 read 读取该指针变量的值,也就是命令行字符串所在的地址;
第三次 read 才读取该地址上的字符串内容。
至于 +1:需要反汇编 GetCommandLineA 看一下,看了就明白了——+1 通常是跳过第一条指令的操作码字节,直接取其地址操作数。这依赖于所用 kernel32 版本的具体指令编码,并不是所有函数都这样,换系统版本或 64 位进程就可能失效。