< go > Get command line for other processes

#include <windows.h>#include<stdio.h>#defineProcessbasicinformation 0typedefstruct{USHORT Length;    USHORT MaximumLength; Pwstr Buffer;} Unicode_string,*Punicode_string;typedefstruct{ULONG allocationsize;    ULONG ActualSize;    ULONG Flags;    ULONG Unknown1;    Unicode_string Unknown2;    HANDLE Inputhandle;    HANDLE Outputhandle;    HANDLE Errorhandle;    Unicode_string CurrentDirectory;    HANDLE Currentdirectoryhandle;    Unicode_string searchpaths;    Unicode_string ApplicationName;    Unicode_string CommandLine;    PVOID Environmentblock; ULONG unknown[9];    Unicode_string Unknown3;    Unicode_string Unknown4;    Unicode_string Unknown5; Unicode_string Unknown6;} Process_parameters,*Pprocess_parameters;typedefstruct{ULONG allocationsize;    ULONG Unknown1;    HINSTANCE processhinstance;    PVOID ListDlls;    Pprocess_parameters processparameters;    ULONG Unknown2; HANDLE Heap;} PEB,*Ppeb;typedefstruct{DWORD exitstatus;    Ppeb pebbaseaddress;    DWORD Affinitymask;    DWORD basepriority;    ULONG Uniqueprocessid;   ULONG Inheritedfromuniqueprocessid;} process_basic_information;//ntdll! Ntqueryinformationprocess (NT specific!)////The function copies the process information of the//specified type into a buffer////Ntsysapi//NTSTATUS//Ntapi//ntqueryinformationprocess (//in HANDLE ProcessHandle,//Handle to process//in Processinfoclass Informationclass,//Information Type//Out PVOID processinformation,//Pointer to buffer//in ULONG processinformationlength,//buffer size in bytes//Out pulong returnlength OPTIONAL//Pointer to a 32-bit//                                          //variable that receives//                                          //The number of bytes//                                          //written to the buffer// );typedef LONG (WINAPI *Procntqsip) (Handle,uint,pvoid,ulong,pulong); Procntqsip ntqueryinformationprocess; BOOL getprocesscmdline (DWORD dwid,lpwstr wbuf,dword dwbuflen);voidMainintargcChar*argv[]) {    if(argc<2) {printf ("Usage:\n\ncmdline.exe procid\n"); return; } ntqueryinformationprocess=(PROCNTQSIP) GetProcAddress (Getmodulehandlea ("Ntdll"),        "ntqueryinformationprocess"        ); if(!ntqueryinformationprocess)return;    DWORD dwId; SSCANF (argv[1],"%lu",&dwId); WCHAR wstr[255] = {0}; if(Getprocesscmdline (DWID,WSTR,sizeof(WSTR))) wprintf (L"Command line for process%lu is:\n%s\n", DWID,WSTR); Elsewprintf (L"Could not get command line!"); System ("Pause");}    BOOL getprocesscmdline (DWORD dwid,lpwstr wbuf,dword dwbuflen) {LONG status;    HANDLE hprocess;    Process_basic_information PBI;    PEB PEB;    Process_parameters Procparam;    DWORD Dwdummy;    DWORD dwsize;    LPVOID lpaddress; BOOL BRet=FALSE; //Get Process Handlehprocess = OpenProcess (process_query_information|Process_vm_read,false,dwid); if(!hprocess)returnFALSE; //Retrieve InformationStatus =ntqueryinformationprocess (hprocess, Processbasicinformation, (PVOID)&PBI,sizeof(process_basic_information), NULL); if(status)Gotocleanup; if(!readprocessmemory (hprocess, PBI. Pebbaseaddress,&Peb,sizeof(PEB),&dwdummy)) Gotocleanup; if(!readprocessmemory (hprocess, Peb.processparameters,&Procparam,sizeof(process_parameters),&dwdummy)) Gotocleanup; Lpaddress=ProcParam.CommandLine.Buffer; dwsize=ProcParam.CommandLine.Length; if(dwbuflen<dwsize)Gotocleanup; if(!readprocessmemory (hprocess, lpaddress, Wbuf, dwsize,&dwdummy)) Gotocleanup; BRet=True;cleanup:closehandle (hprocess); returnBRet; } 

Translated from: http://blog.donews.com/zwell/archive/2004/09/30/114988.aspx

< go > Get command line for other processes