读取其他进程启动参数? Delphi 怎么读取其他进程的命名参数,就是启动参数啊?比如有个进程是 a.exe /b (/b是参数)要怎么读取啊? 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 Open:=OpenProcess(Process_Query_InforMation or Process_VM_Read,true,Strtoint(Edit1.Text));hKernel:=LoadLibrary('kernel32.dll');dwAddr := integer(GetProcAddress(hKernel, 'GetCommandLineA'));showmessage(inttohex(dwaddr+1,0));If ReadProcessMemory(open, pointer(dwAddr), pointer(tepAddr),4, dwRead) ThenReadProcessMemory(open, pointer(tepAddr),pointer(@(p[0])),512, dwRead);读不出来啊 type PUNICODESTRING = ^UNICODESTRING; UNICODESTRING = packed record Length: Word; MaximumLength: Word; Buffer: PWideChar; end; PCURRENTDIRECTORY = ^CURRENTDIRECTORY; CURRENTDIRECTORY = packed record DosPath: UNICODESTRING; Handle: Cardinal; end; PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS; PROCESS_PARAMETERS = packed record MaximumLength: Cardinal; Length: Cardinal; Flags: Cardinal; DebugFlags: Cardinal; ConsoleHandle: Cardinal; ConsoleFlags: Cardinal; StandardInput: Cardinal; StandardOutput: Cardinal; StandardError: Cardinal; CurrentDirectory: CURRENTDIRECTORY; DllPath: UNICODESTRING; ImagePathName: UNICODESTRING; CommandLine: UNICODESTRING; //pathletboy注:结构申明没有结束,如有需要可自行根据WinDbg进行申明。 end; PPEB = ^PEB; PEB = packed record InheritedAddressSpace: Char; ReadImageFileExecOptions: Char; BeingDebugged: Char; SpareBool: Char; Mutant: Cardinal; ImageBaseAddress: Cardinal; Ldr: Cardinal; ProcessParameters: PPROCESS_PARAMETERS; //pathletboy注:结构申明没有结束,如有需要可自行根据WinDbg进行申明。 end; PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION; PROCESS_BASIC_INFORMATION = packed record ExitStatus: Integer; PebBaseAddress: PPEB; AffinityMask: Cardinal; BasePriority: Integer; UniqueProcessId: Cardinal; InheritedFromUniqueProcessId: Cardinal; end;function GetProcessCmdLine(ProcessId: Cardinal): string;var ZwQueryInformationProcess: function(ProcessHandle: Cardinal; ProcessInformationClass: Cardinal; var ProcessInfomation: PROCESS_BASIC_INFORMATION; ProcessInformationLength: Cardinal; var ReturnLength: 
Cardinal): Cardinal; stdcall; //pathletboy注:参数2为枚举值 hNtdll: Cardinal; hProcess: Cardinal; pbi: PROCESS_BASIC_INFORMATION; retLen: Cardinal; xPEB: PEB; xProcessParam: PROCESS_PARAMETERS; cmd: array of WideChar;begin Result := ''; hNtdll := GetModuleHandle('ntdll.dll'); if hNtdll = 0 then begin Exit; end; ZwQueryInformationProcess := GetProcAddress(hNtdll, 'ZwQueryInformationProcess'); if not Assigned(ZwQueryInformationProcess) then begin Exit; end; hProcess := OpenProcess(PROCESS_ALL_ACCESS, false, ProcessId); if hProcess = 0 then begin Exit; end; ZwQueryInformationProcess(hProcess, 0, pbi, SizeOf(pbi), retLen); ReadProcessMemory(hProcess, pbi.PebBaseAddress, @xPEB, SizeOf(xPEB), retLen); ReadProcessMemory(hProcess, xPEB.ProcessParameters, @xProcessParam, SizeOf(xProcessParam), retLen); SetLength(cmd, xProcessParam.CommandLine.Length); ReadProcessMemory(hProcess, xProcessParam.CommandLine.Buffer, cmd, xProcessParam.CommandLine.Length, retLen); Result := WideCharToString(@cmd[0]);end;调用ShowMessage(GetProcessCmdLine(pid)); 但是我还有个问题请教一下啊,就是我觉的可以用ReadProcessMemory读出来,你知道要怎么读啊,我读出来是乱码啊,能帮我看看吗? 
procedure TForm1.Button1Click(Sender: TObject); var open:Thandle; hKernel:cardinal; dwAddr:integer; tepAddr:integer; dwRead:cardinal; p:pointer; s:Pchar; begin Open:=OpenProcess( Process_VM_Read,false,992); hKernel:=LoadLibrary(Pchar('kernel32.dll')); dwAddr := integer(GetProcAddress(hKernel, Pchar('GetCommandLineA')))+1; If ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead) Then showmessage(Pchar(dwAddr)); if ReadProcessMemory(open, pointer(dwAddr),p,512, dwRead) then showmessage(Pchar(p)); CloseHandle(Open); end; procedure TForm1.Btn1Click(Sender: TObject);varopen:Thandle;hKernel:cardinal;dwAddr:integer;tepAddr:integer;dwRead:cardinal;p:pointer;s:Pchar;beginOpen:=OpenProcess( Process_VM_Read,false,992);hKernel:=LoadLibrary(Pchar('kernel32.dll'));dwAddr := integer(GetProcAddress(hKernel, Pchar('GetCommandLineA')))+1;ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);GetMem(p, 512);if ReadProcessMemory(open, pointer(dwAddr),p,512, dwRead) thenshowmessage(Pchar(p));FreeMem(p);CloseHandle(Open);end; siliemor 2009年04月14日 15点52分26秒 说:我还想请教一下,就是你给我的代码我看了,成功了!但是这里为什么要读两次啊siliemor 2009年04月14日 15点54分59秒 说:怎么要加1呢 第一次read是读取指针所在的地址第二次read是读取指针所指向的地址第三次read则是读取指针所指向地址上的值。至于+1你得去看GetCommandLineA函数。需要反汇编,看了就明白了。 那是不是函数都是这样的啊,都要加一,第一次read是读取指针所在的地址 第二次read是读取指针所指向的地址 第三次read则是读取指针所指向地址上的值。 如何(控制)循环开启线程 ? 一个我搞不定的问题 如何迁移DELPHI环境至另一台机 请教一个Sql语句的写法! 我在窗口中加了“RadioGroup”和“Label”两个组件,把“Label”至顶,还是被“RadioGroup”盖住了,怎么办? 紧急关于一个类同时有多个实例的问题? 在ADOQquery中,如果我想将SQL查询出的这些记录,再进行一些统计应该怎么做? 请教一个问题:基于因特网的连锁店系统数据交换 delphi 与 excel 编程!(急!!!!!!!!!!!) 关于DataModule的问题 注册表数据导出问题 高手们帮帮忙?
// Questioner's first attempt (the OpenProcess call that sets 'open' is above this excerpt).
hKernel:=LoadLibrary('kernel32.dll');
// Address of GetCommandLineA in THIS process's kernel32; it only means anything in the
// target if kernel32 is mapped at the same base address there.
dwAddr := integer(GetProcAddress(hKernel, 'GetCommandLineA'));
// Shows dwAddr+1, but the reads below use dwAddr itself, so the +1 is never applied.
showmessage(inttohex(dwaddr+1,0));
// BUG: pointer(tepAddr) passes the (uninitialized) VALUE of tepAddr as the destination
// buffer; the address of the variable, @tepAddr, is what must be passed. The result
// of the second ReadProcessMemory is also never checked.
If ReadProcessMemory(open, pointer(dwAddr), pointer(tepAddr),4, dwRead) Then
// p does not appear to be allocated anywhere in this excerpt, so @(p[0]) points wherever
// p happens to hold.
ReadProcessMemory(open, pointer(tepAddr),pointer(@(p[0])),512, dwRead);读不出来啊
// NOTE(review): these records are hand-copied 32-bit (x86) layouts of undocumented
// ntdll structures. Every pointer-sized field is a 4-byte Cardinal/pointer, so the
// offsets are wrong for a 64-bit build or a 64-bit target process, and only the
// leading fields of each structure are declared (see the notes at each 'end').
PUNICODESTRING = ^UNICODESTRING;
UNICODESTRING = packed record
Length: Word; // NOTE(review): in Windows' UNICODE_STRING this is a BYTE count, not a character count
MaximumLength: Word; // byte capacity of Buffer
Buffer: PWideChar; // NOTE(review): not guaranteed to be NUL-terminated; read Length bytes
end; PCURRENTDIRECTORY = ^CURRENTDIRECTORY;
CURRENTDIRECTORY = packed record
DosPath: UNICODESTRING;
Handle: Cardinal;
end; PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;
// Leading fields of the target's process-parameter block; CommandLine is the
// field GetProcessCmdLine below reads.
PROCESS_PARAMETERS = packed record
MaximumLength: Cardinal;
Length: Cardinal;
Flags: Cardinal;
DebugFlags: Cardinal;
ConsoleHandle: Cardinal;
ConsoleFlags: Cardinal;
StandardInput: Cardinal;
StandardOutput: Cardinal;
StandardError: Cardinal;
CurrentDirectory: CURRENTDIRECTORY;
DllPath: UNICODESTRING;
ImagePathName: UNICODESTRING;
CommandLine: UNICODESTRING;
// pathletboy's note: the structure declaration is not complete; extend it from WinDbg if needed.
end; PPEB = ^PEB;
// Leading fields of the Process Environment Block.
// NOTE(review): the four Char fields are 1 byte each only in pre-Unicode Delphi;
// in Delphi 2009+ Char is 2 bytes and every following offset shifts -- use AnsiChar/Byte.
PEB = packed record
InheritedAddressSpace: Char;
ReadImageFileExecOptions: Char;
BeingDebugged: Char;
SpareBool: Char;
Mutant: Cardinal;
ImageBaseAddress: Cardinal;
Ldr: Cardinal;
ProcessParameters: PPROCESS_PARAMETERS; // address in the TARGET's address space; must be read with ReadProcessMemory
// pathletboy's note: the structure declaration is not complete; extend it from WinDbg if needed.
end; PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
// Filled by ZwQueryInformationProcess(..., 0 (ProcessBasicInformation), ...).
PROCESS_BASIC_INFORMATION = packed record
ExitStatus: Integer;
PebBaseAddress: PPEB; // address in the TARGET's address space
AffinityMask: Cardinal;
BasePriority: Integer;
UniqueProcessId: Cardinal;
InheritedFromUniqueProcessId: Cardinal;
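end;

{ Returns the command line of the process identified by ProcessId, read from the
  target's PEB -> PROCESS_PARAMETERS.CommandLine via ZwQueryInformationProcess and
  ReadProcessMemory.
  Returns '' when ntdll/the export is unavailable, when the process cannot be opened,
  when the query returns a non-success NTSTATUS, or when any cross-process read fails
  or comes back short. Never raises.
  Requires only PROCESS_QUERY_INFORMATION or PROCESS_VM_READ on the target (the
  original asked for PROCESS_ALL_ACCESS, which fails on more processes for no gain).
  NOTE: the PEB / PROCESS_PARAMETERS records above describe the 32-bit layout only;
  a 64-bit build or a 64-bit target yields '' or garbage. }
function GetProcessCmdLine(ProcessId: Cardinal): string;
type
  TZwQueryInformationProcess = function(ProcessHandle: Cardinal;
    ProcessInformationClass: Cardinal;
    var ProcessInformation: PROCESS_BASIC_INFORMATION;
    ProcessInformationLength: Cardinal;
    var ReturnLength: Cardinal): Cardinal; stdcall;
const
  ProcessBasicInformation = 0; // PROCESSINFOCLASS value (parameter 2 is an enum, per pathletboy)
var
  ZwQueryInformationProcess: TZwQueryInformationProcess;
  hNtdll: Cardinal;
  hProcess: Cardinal;
  pbi: PROCESS_BASIC_INFORMATION;
  retLen: Cardinal;
  bytesRead: Cardinal;
  xPEB: PEB;
  xProcessParam: PROCESS_PARAMETERS;
  cmd: array of WideChar;
  cmdBytes: Cardinal;
begin
  Result := '';
  hNtdll := GetModuleHandle('ntdll.dll');
  if hNtdll = 0 then
    Exit;
  ZwQueryInformationProcess := GetProcAddress(hNtdll, 'ZwQueryInformationProcess');
  if not Assigned(ZwQueryInformationProcess) then
    Exit;
  // Least privilege: querying basic information and reading memory is all we do.
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, ProcessId);
  if hProcess = 0 then
    Exit;
  try
    // NTSTATUS: 0 is STATUS_SUCCESS; on anything else pbi is not valid.
    if ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pbi,
         SizeOf(pbi), retLen) <> 0 then
      Exit;
    if pbi.PebBaseAddress = nil then
      Exit;
    // Each read is checked for both success and full length; a short read would
    // leave the trailing fields (including the pointers we follow) uninitialized.
    if (not ReadProcessMemory(hProcess, pbi.PebBaseAddress, @xPEB, SizeOf(xPEB), bytesRead))
       or (bytesRead <> SizeOf(xPEB)) then
      Exit;
    if xPEB.ProcessParameters = nil then
      Exit;
    if (not ReadProcessMemory(hProcess, xPEB.ProcessParameters, @xProcessParam,
         SizeOf(xProcessParam), bytesRead))
       or (bytesRead <> SizeOf(xProcessParam)) then
      Exit;
    // UNICODE_STRING.Length is a byte count and Buffer need not be NUL-terminated,
    // so size the local buffer in WideChars and convert exactly what was read.
    cmdBytes := xProcessParam.CommandLine.Length;
    if (cmdBytes = 0) or (xProcessParam.CommandLine.Buffer = nil) then
      Exit;
    SetLength(cmd, (cmdBytes + SizeOf(WideChar) - 1) div SizeOf(WideChar));
    if not ReadProcessMemory(hProcess, xProcessParam.CommandLine.Buffer, @cmd[0],
         cmdBytes, bytesRead) then
      Exit;
    Result := WideCharLenToString(@cmd[0], Integer(bytesRead div SizeOf(WideChar)));
  finally
    CloseHandle(hProcess); // the original leaked this handle on every call
  end;
end;

// 调用 (usage):
ShowMessage(GetProcessCmdLine(pid));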
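{ Questioner's attempt, corrected. Reads the ANSI command line of process TargetPid
  by following the pointer chain behind kernel32!GetCommandLineA:
    read 1: the 4 bytes at GetProcAddress(...)+1 -> address of the static command-line
            pointer inside kernel32 (valid in the target only if kernel32 is mapped at
            the same base there; the +1 presumably skips a one-byte opcode so the read
            lands on the instruction's 4-byte operand -- confirm with a disassembler,
            as the thread suggests);
    read 2: that variable's value in the TARGET -> address of the string there;
    read 3: up to BufBytes bytes of the string itself.
  32-bit only (4-byte pointers). Shows nothing when any step fails. The original
  dereferenced a target-process address as a local PChar, passed an unallocated
  pointer as the read buffer, and skipped read 2, so it displayed the pointer
  variable's bytes rather than the string. }
procedure TForm1.Button1Click(Sender: TObject);
const
  TargetPid = 992;   // hard-coded in the thread; should come from the UI
  BufBytes = 512;    // read limit: a longer command line is truncated, never overrun
var
  hTarget: THandle;
  hKernel: HMODULE;
  addr: Cardinal;        // current link of the pointer chain, in the target's address space
  buf: PAnsiChar;
  bytesRead: Cardinal;
begin
  hTarget := OpenProcess(PROCESS_VM_READ, False, TargetPid);
  if hTarget = 0 then
    Exit;
  try
    hKernel := LoadLibrary('kernel32.dll');
    if hKernel = 0 then
      Exit;
    try
      addr := Cardinal(GetProcAddress(hKernel, 'GetCommandLineA'));
      if addr = 0 then
        Exit;
      Inc(addr); // step over the opcode byte onto the 4-byte operand
      // read 1 and read 2: each replaces addr with the 4-byte value found at addr.
      // A failed or short read, or a nil link, aborts instead of chasing garbage.
      if (not ReadProcessMemory(hTarget, Pointer(addr), @addr, SizeOf(addr), bytesRead))
         or (bytesRead <> SizeOf(addr)) or (addr = 0) then
        Exit;
      if (not ReadProcessMemory(hTarget, Pointer(addr), @addr, SizeOf(addr), bytesRead))
         or (bytesRead <> SizeOf(addr)) or (addr = 0) then
        Exit;
      // read 3: the string. One spare zero byte guarantees NUL termination even if
      // the target string fills all BufBytes. If the 512-byte window crosses into an
      // unmapped page the read fails and nothing is shown.
      GetMem(buf, BufBytes + 1);
      try
        FillChar(buf^, BufBytes + 1, 0);
        if ReadProcessMemory(hTarget, Pointer(addr), buf, BufBytes, bytesRead) then
          ShowMessage(string(buf));
      finally
        FreeMem(buf);
      end;
    finally
      FreeLibrary(hKernel); // the original never released the LoadLibrary reference
    end;
  finally
    CloseHandle(hTarget);
  end;
end;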
// Answer code (working version). The procedure header,
// procedure TForm1.Btn1Click(Sender: TObject);, is missing from this rendering.
// Follows the pointer chain behind kernel32!GetCommandLineA in process 992 with
// three ReadProcessMemory calls; 32-bit only (4-byte pointers).
var
open:Thandle;
hKernel:cardinal;
dwAddr:integer;
tepAddr:integer; // unused
dwRead:cardinal;
p:pointer;
s:Pchar; // unused
begin
// Only VM_READ is requested: the minimum for ReadProcessMemory. PID is hard-coded.
Open:=OpenProcess( Process_VM_Read,false,992);
hKernel:=LoadLibrary(Pchar('kernel32.dll'));
// +1: the thread says to disassemble GetCommandLineA to see why; presumably it skips a
// one-byte opcode so the read below lands on the instruction's 4-byte operand -- confirm.
// The address is taken from THIS process's kernel32 and assumed identical in the target.
dwAddr := integer(GetProcAddress(hKernel, Pchar('GetCommandLineA')))+1;
// read 1: the operand -> address of kernel32's static command-line pointer variable
ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);
// read 2: that variable's value in the TARGET -> address of the command-line string there
ReadProcessMemory(open, pointer(dwAddr),@dwAddr,4, dwRead);
// NOTE(review): neither read is checked; if one fails dwAddr keeps a stale value and
// the final read targets the wrong address.
GetMem(p, 512);
// read 3: the string bytes. 512 is an assumed upper bound, and ShowMessage(PChar(p))
// relies on a NUL appearing within those 512 bytes; nothing is shown if the read fails.
if ReadProcessMemory(open, pointer(dwAddr),p,512, dwRead) then
showmessage(Pchar(p));
FreeMem(p);
// NOTE(review): hKernel is never released with FreeLibrary.
CloseHandle(Open);
end;
我还想请教一下,就是你给我的代码我看了,成功了!但是这里为什么要读两次啊
siliemor 2009年04月14日 15点54分59秒 说:
怎么要加1呢
第二次read是读取指针所指向的地址
第三次read则是读取指针所指向地址上的值。至于+1你得去看GetCommandLineA函数。需要反汇编,看了就明白了。
第二次read是读取指针所指向的地址
第三次read则是读取指针所指向地址上的值。