/**
* \file CommandLine.cpp
* \brief
*/
//-------------------------------------------------------------------------------------------------
#include <assert.h>
#include <stdio.h>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <memory>
#include <string>
#include <windows.h>
#include <Winternl.h>
//-------------------------------------------------------------------------------------------------
/**
 * \brief Pointer type for ntdll!NtQueryInformationProcess, which this file resolves at
 *        run time with GetProcAddress rather than linking against it.
 *
 * ntdll declares the second, fourth and fifth parameters as PROCESSINFOCLASS, ULONG and
 * PULONG; DWORD and PDWORD are the same width on Windows, so the call is ABI-compatible.
 */
using _NtQueryInformationProcess = NTSTATUS (NTAPI *)(
    HANDLE,   // ProcessHandle
    DWORD,    // ProcessInformationClass
    PVOID,    // ProcessInformation
    DWORD,    // ProcessInformationLength
    PDWORD    // ReturnLength
);
//-------------------------------------------------------------------------------------------------
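/**
 * \brief Returns the base address of the PEB of the process referred to by ProcessHandle.
 *
 * The handle must have PROCESS_QUERY_INFORMATION access. The original relied on assert()
 * alone, which compiles away under NDEBUG and then calls through a NULL function pointer
 * or returns garbage; every failure now also returns NULL so the caller can bail out.
 *
 * NOTE(review): the address comes from ProcessBasicInformation and is the target's native
 * PEB; if the target's bitness differs from this process (WoW64), the layout the caller
 * assumes will not match — confirm before using across bitnesses.
 *
 * \param ProcessHandle handle to the process being inspected
 * \return PEB base address, or NULL if ntdll, the export, or the query is unavailable
 */
PVOID
_GetPebAddress(const HANDLE &ProcessHandle)
{
    // ntdll is mapped into every process, so GetModuleHandleA needs no LoadLibrary.
    HMODULE hNtdll = ::GetModuleHandleA("ntdll.dll");
    assert(NULL != hNtdll);
    if (NULL == hNtdll) {
        return NULL;
    }

    _NtQueryInformationProcess pfnQueryInformationProcess =
        reinterpret_cast<_NtQueryInformationProcess>(::GetProcAddress(hNtdll, "NtQueryInformationProcess"));
    assert(NULL != pfnQueryInformationProcess);
    if (NULL == pfnQueryInformationProcess) {
        return NULL;
    }

    // Zero-initialised so a partial fill cannot leak stack garbage as an address.
    PROCESS_BASIC_INFORMATION pbi = {0};
    NTSTATUS nsRv = pfnQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
    assert(NT_SUCCESS(nsRv));
    if (!NT_SUCCESS(nsRv)) {
        return NULL;
    }

    assert(NULL != pbi.PebBaseAddress);
    return pbi.PebBaseAddress;
}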
//-------------------------------------------------------------------------------------------------
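/**
 * \brief Reads the command line of another process out of its PEB.
 *
 * Walks PEB.ProcessParameters -> RTL_USER_PROCESS_PARAMETERS.CommandLine with
 * ReadProcessMemory. Member offsets are taken from the Winternl.h declarations instead of
 * the hard-coded 0x10 / 0x40 of the original, which are only right for a 32-bit layout.
 *
 * Everything read here (the pointers, UNICODE_STRING.Length and .Buffer) is memory owned
 * by the target process, which can rewrite its own PEB; the returned string is therefore
 * what the target *reports*, not a trustworthy record of how it was started.
 *
 * \param a_ciPid process id to inspect
 * \return the command line converted to the ANSI code page, or an empty string when the
 *         process cannot be opened (no such PID, access denied) or any read fails
 */
std::string
sCommandLine(
    const DWORD &a_ciPid
)
{
    std::string sRv;

    // PROCESS_QUERY_INFORMATION for NtQueryInformationProcess, PROCESS_VM_READ for
    // ReadProcessMemory; nothing more is requested (least privilege).
    HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, a_ciPid);
    assert(NULL != hProcess);
    if (NULL == hProcess) {
        return sRv;
    }
    // Closes the handle on every exit path; the original leaked it on each assert path.
    std::unique_ptr<void, decltype(&::CloseHandle)> processGuard(hProcess, &::CloseHandle);

    PVOID pebAddress = _GetPebAddress(hProcess);
    if (NULL == pebAddress) {
        return sRv;
    }

    // PEB.ProcessParameters
    PVOID rtlUserProcParamsAddress = NULL;
    BOOL blRv = ::ReadProcessMemory(hProcess,
                                    static_cast<PCHAR>(pebAddress) + offsetof(PEB, ProcessParameters),
                                    &rtlUserProcParamsAddress, sizeof(rtlUserProcParamsAddress), NULL);
    assert(FALSE != blRv);
    if (FALSE == blRv || NULL == rtlUserProcParamsAddress) {
        return sRv;
    }

    // RTL_USER_PROCESS_PARAMETERS.CommandLine (a UNICODE_STRING: Length in bytes, Buffer in the target)
    UNICODE_STRING usCommandLine = {0};
    blRv = ::ReadProcessMemory(hProcess,
                               static_cast<PCHAR>(rtlUserProcParamsAddress) + offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine),
                               &usCommandLine, sizeof(usCommandLine), NULL);
    assert(FALSE != blRv);
    if (FALSE == blRv) {
        return sRv;
    }

    // Length is a USHORT byte count (so at most 64 KiB) supplied by the target; derive the
    // character count with integer division so an odd value cannot overrun the buffer.
    const size_t cchCommandLine = usCommandLine.Length / sizeof(WCHAR);
    if (0 == cchCommandLine || NULL == usCommandLine.Buffer) {
        return sRv;
    }

    // std::wstring owns the buffer: no malloc()/free() pair to leak, no unchecked NULL.
    std::wstring wsCommandLine(cchCommandLine, L'\0');
    blRv = ::ReadProcessMemory(hProcess, usCommandLine.Buffer, &wsCommandLine[0],
                               cchCommandLine * sizeof(WCHAR), NULL);
    assert(FALSE != blRv);
    if (FALSE == blRv) {
        return sRv;
    }

    // The original narrowed each wchar_t to char, which mangles anything outside Latin-1;
    // convert through the ANSI code page instead (identical result for plain ASCII).
    const int cchIn = static_cast<int>(cchCommandLine);
    const int cbNeeded = ::WideCharToMultiByte(CP_ACP, 0, wsCommandLine.data(), cchIn, NULL, 0, NULL, NULL);
    if (cbNeeded <= 0) {
        return sRv;
    }
    sRv.resize(static_cast<size_t>(cbNeeded));
    ::WideCharToMultiByte(CP_ACP, 0, wsCommandLine.data(), cchIn, &sRv[0], cbNeeded, NULL, NULL);
    return sRv;
}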
//---------------------------------------------------------------------------
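/**
 * \brief Prints the command line of one process.
 *
 * The PID is taken from argv[1] when present; with no argument the original hard-coded
 * PID 2088 is used, so existing invocations behave as before.
 *
 * \return EXIT_SUCCESS, or EXIT_FAILURE when argv[1] is not a decimal number
 */
int main(int argc, char **argv)
{
    DWORD dwPid = 2088;
    if (argc > 1) {
        char *pEnd = NULL;
        const unsigned long ulPid = ::strtoul(argv[1], &pEnd, 10);
        // Reject an empty or partially numeric argument instead of silently using 0.
        if (pEnd == argv[1] || '\0' != *pEnd) {
            std::cerr << "usage: " << argv[0] << " [pid]" << std::endl;
            return EXIT_FAILURE;
        }
        dwPid = static_cast<DWORD>(ulPid);
    }
    std::string sCmd = sCommandLine(dwPid);
    std::cout << "sCmd: " << sCmd << std::endl;
    return EXIT_SUCCESS;
}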
//---------------------------------------------------------------------------
#if OUTPUT
sCmd: "D:\Soft\Antivirus\AnVir\AnVir.exe" Minimized
#endif