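#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* ProcessInformationClass value for NtQueryInformationProcess. */
#define ProcessBasicInformation 0

/*
 * Hand-rolled copies of the NT-internal structures this tool walks.
 * They are declared here because the page predates winternl.h; do NOT also
 * include winternl.h, or UNICODE_STRING / PEB / PROCESS_BASIC_INFORMATION
 * collide with the SDK definitions.
 *
 * NOTE(review): the field widths below are 32-bit (ULONG where the live
 * structures hold pointer-sized values), so the offsets appear to be valid
 * only for a 32-bit build inspecting a 32-bit target — refuse other builds
 * rather than silently read the wrong offsets out of the target process.
 */
#ifdef _WIN64
#error "This PEB layout is for 32-bit builds only; revisit the structures before building for x64."
#endif

typedef struct {
    USHORT Length;        /* byte count, NOT character count; no terminator */
    USHORT MaximumLength;
    PWSTR  Buffer;        /* address inside the TARGET process, not ours */
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct {
    ULONG          AllocationSize;
    ULONG          ActualSize;
    ULONG          Flags;
    ULONG          Unknown1;
    UNICODE_STRING Unknown2;
    HANDLE         InputHandle;
    HANDLE         OutputHandle;
    HANDLE         ErrorHandle;
    UNICODE_STRING CurrentDirectory;
    HANDLE         CurrentDirectoryHandle;
    UNICODE_STRING SearchPaths;
    UNICODE_STRING ApplicationName;
    UNICODE_STRING CommandLine;
    PVOID          EnvironmentBlock;
    ULONG          Unknown[9];
    UNICODE_STRING Unknown3;
    UNICODE_STRING Unknown4;
    UNICODE_STRING Unknown5;
    UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

typedef struct {
    ULONG               AllocationSize;
    ULONG               Unknown1;
    HINSTANCE           ProcessHinstance;
    PVOID               ListDlls;
    PPROCESS_PARAMETERS ProcessParameters;  /* address inside the target */
    ULONG               Unknown2;
    HANDLE              Heap;
} PEB, *PPEB;

typedef struct {
    DWORD ExitStatus;
    PPEB  PebBaseAddress;                   /* address inside the target */
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

/*
 * ntdll!NtQueryInformationProcess (NT specific!)
 *
 * Copies the process information of the requested type into a caller
 * supplied buffer.  Undocumented at the time the original was written:
 *
 *   NTSYSAPI NTSTATUS NTAPI
 *   NtQueryInformationProcess(
 *       IN  HANDLE ProcessHandle,             // handle to process
 *       IN  PROCESSINFOCLASS InformationClass,// information type
 *       OUT PVOID  ProcessInformation,        // pointer to buffer
 *       IN  ULONG  ProcessInformationLength,  // buffer size in bytes
 *       OUT PULONG ReturnLength OPTIONAL);    // bytes written to buffer
 *
 * Resolved at run time from ntdll because it is not exported through an
 * import library.
 */
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE, UINT, PVOID, ULONG, PULONG);

PROCNTQSIP NtQueryInformationProcess;

/*
 * Copy the command line of process dwId into wBuf.
 *
 * dwBufLen is the size of wBuf in BYTES (callers pass sizeof(buffer)).
 * Returns TRUE and a NUL-terminated wide string on success; FALSE when the
 * process cannot be opened, the PEB walk fails, or the command line does
 * not fit together with its terminator.
 */
BOOL GetProcessCmdLine(DWORD dwId, LPWSTR wBuf, DWORD dwBufLen);

/*
 * Entry point: cmdline.exe <procid>
 * Returns 0 when the command line was printed, 1 on usage or lookup error.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Usage:\n\ncmdline.exe procid\n");
        return 1;
    }

    /* Export name is case-sensitive; GetProcAddress needs it exactly. */
    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
        GetModuleHandleA("ntdll"), "NtQueryInformationProcess");
    if (!NtQueryInformationProcess) {
        return 1;
    }

    /* strtoul instead of an unchecked sscanf: a non-numeric argument used to
     * leave dwId uninitialised and still be passed to OpenProcess. */
    char *end = NULL;
    unsigned long id = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        printf("Usage:\n\ncmdline.exe procid\n");
        return 1;
    }
    DWORD dwId = (DWORD)id;

    /* 255 WCHARs is the original's fixed limit; longer command lines are
     * reported as a failure by GetProcessCmdLine rather than truncated. */
    WCHAR wstr[255] = {0};
    int rc = 0;

    /* %ls is the standard conversion for a wide argument (MSVC accepts %s
     * here, other toolchains do not). */
    if (GetProcessCmdLine(dwId, wstr, sizeof(wstr))) {
        wprintf(L"Command line for process%lu is:\n%ls\n", dwId, wstr);
    } else {
        wprintf(L"Could not get command line!");
        rc = 1;
    }

    /* Wait without system("pause"): system() launches the shell named by
     * %COMSPEC%, an avoidable process spawn for a tool that may run with a
     * privileged token.  Wide I/O keeps stdout's orientation consistent
     * with the wprintf calls above. */
    fputws(L"\nPress Enter to continue . . . ", stdout);
    (void)getwchar();
    return rc;
}

BOOL GetProcessCmdLine(DWORD dwId, LPWSTR wBuf, DWORD dwBufLen)
{
    LONG status;
    HANDLE hProcess;
    PROCESS_BASIC_INFORMATION pbi;
    PEB peb;
    PROCESS_PARAMETERS procParam;
    SIZE_T bytesRead;      /* ReadProcessMemory writes a SIZE_T, not a DWORD */
    DWORD dwSize;
    LPVOID lpAddress;
    BOOL bRet = FALSE;

    /* Least privilege: query + read is all the PEB walk needs. */
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                           FALSE, dwId);
    if (!hProcess) {
        return FALSE;
    }

    /* Locate the target's PEB. */
    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                       (PVOID)&pbi,
                                       sizeof(PROCESS_BASIC_INFORMATION),
                                       NULL);
    if (status) {
        goto cleanup;
    }
    if (!pbi.PebBaseAddress) {
        goto cleanup;
    }
    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB),
                           &bytesRead)) {
        goto cleanup;
    }

    /* PEB -> RTL_USER_PROCESS_PARAMETERS, also in the target's memory. */
    if (!peb.ProcessParameters) {
        goto cleanup;
    }
    if (!ReadProcessMemory(hProcess, peb.ProcessParameters, &procParam,
                           sizeof(PROCESS_PARAMETERS), &bytesRead)) {
        goto cleanup;
    }

    lpAddress = procParam.CommandLine.Buffer;
    dwSize = procParam.CommandLine.Length;   /* bytes, no terminator stored */
    if (!lpAddress) {
        goto cleanup;
    }
    /* Length is expected to be a whole number of WCHARs; treat anything
     * else as a corrupt/unexpected target rather than splitting a char. */
    if (dwSize % sizeof(WCHAR) != 0) {
        goto cleanup;
    }
    /* Reserve room for the L'\0' we add: the original accepted a command
     * line that exactly filled the buffer and returned it unterminated. */
    if (dwBufLen < dwSize + sizeof(WCHAR)) {
        goto cleanup;
    }
    if (!ReadProcessMemory(hProcess, lpAddress, wBuf, dwSize, &bytesRead)) {
        goto cleanup;
    }
    if (bytesRead != dwSize) {
        goto cleanup;
    }
    wBuf[dwSize / sizeof(WCHAR)] = L'\0';
    bRet = TRUE;

cleanup:
    CloseHandle(hProcess);
    return bRet;
}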
Translated from: http://blog.donews.com/zwell/archive/2004/09/30/114988.aspx
Get command line for other processes