Use VC to obtain command line parameters of other programs

Source: Internet
Author: User

---- Many reposts; unable to find the original source ----

 

As we all know, it is very easy for a program to get its own command line parameters: they are passed to the WinMain function as a parameter, or you can call the GetCommandLine API. However, GetCommandLine takes no parameters, and all it returns is the command line of the calling program. What should we do if we want to obtain the command line parameters of other applications?

Some people say that since GetCommandLine can only obtain the command line of the calling program, we can insert a DLL into the other process, call GetCommandLine in that process's address space, and pass the result back. That seems unfriendly. Let's think about whether there is another way.

We reasoned that since a process can obtain its command line parameters at any time, there must be a place inside the process where they are stored. So where? Let's take a look at the disassembly of the GetCommandLine function. It turns out the world is a beautiful place!

The disassembly of the GetCommandLine function on Windows XP is as follows:

    .text:7C812C8D GetCommandLineA proc near
    .text:7C812C8D     mov eax, dword_7C8835F4   // dword_7C8835F4 holds the address of the command line string
                                                  // the machine code of this instruction is A1 F4 35 88 7C;
                                                  // the four bytes starting at the 2nd byte are the address we want
    .text:7C812C92     retn
    .text:7C812C92 GetCommandLineA endp

Now that we know where it is, we can fetch it ourselves. Because the address of the GetCommandLine function is the same in every process, we can use the address from our own process directly.
On Win2000/XP this is very simple. On 98 it is a little more troublesome and requires some simple calculation.
The following is the disassembly of the GetCommandLine function on Win98:

    .text:BFF8C907 GetCommandLineA proc near
    .text:BFF8C907     mov eax, dword_BFFCADE4
    .text:BFF8C90C     mov ecx, [eax]
    .text:BFF8C90E     mov eax, [ecx+0C0h]
    .text:BFF8C914     test eax, eax
    .text:BFF8C916     jnz short locret_BFF8C91E
    .text:BFF8C918     mov eax, [ecx+40h]
    .text:BFF8C91B     mov eax, [eax+8]          // the address we want
    .text:BFF8C91E
    .text:BFF8C91E locret_BFF8C91E:              ; CODE XREF: GetCommandLineA+F
    .text:BFF8C91E     retn

In this way, we can call OpenProcess to open the other process and then use ReadProcessMemory to read the corresponding data. Sample code:

    // Obtain the command line of another process (32-bit build)
    DWORD g_get1_line(DWORD dwpid, TCHAR *pcmdline, DWORD dwbuflen)
    {
        // size (in characters) of the read buffer for the command line
        #define buffer_len 512

        if (pcmdline == NULL || dwbuflen == 0)
        {
            return ERROR_INVALID_PARAMETER;
        }

        HANDLE hproc = OpenProcess(PROCESS_VM_READ, FALSE, dwpid);
        if (hproc == NULL)
        {
            return GetLastError();
        }

        DWORD dwret = (DWORD)-1;
        // The address we want is the four bytes starting at the 2nd byte of the function
        DWORD dwaddr = *(DWORD *)((DWORD)GetCommandLine + 1);
        TCHAR tcbuf[buffer_len] = {0};
        // never fill the last element, so tcbuf always stays NUL-terminated
        const DWORD cbread = sizeof(tcbuf) - sizeof(TCHAR);
        DWORD dwread = 0;

        // determine the platform
        DWORD dwver = GetVersion();
        try
        {
            if (dwver < 0x80000000) // Windows NT/2000/XP
            {
                if (ReadProcessMemory(hproc, (LPVOID)dwaddr, &dwaddr, 4, &dwread))
                {
                    if (ReadProcessMemory(hproc, (LPVOID)dwaddr, tcbuf, cbread, &dwread))
                    {
                        // copy no more than the caller's buffer holds, and terminate it
                        _tcsncpy(pcmdline, tcbuf, dwbuflen - 1);
                        pcmdline[dwbuflen - 1] = 0;
                        dwret = 0;
                    }
                }
            }
            else // Windows 95/98/Me and Win32s
            {
                while (TRUE) // a while loop makes it easy to break out when an error occurs
                {
                    DWORD dwstr = 0;
                    if (!ReadProcessMemory(hproc, (LPVOID)dwaddr, &dwaddr, 4, &dwread)) break;
                    if (!ReadProcessMemory(hproc, (LPVOID)dwaddr, &dwaddr, 4, &dwread)) break;

                    // per the Win98 disassembly, [ecx+0C0h] holds a pointer to the string
                    if (!ReadProcessMemory(hproc, (LPVOID)(dwaddr + 0xc0), &dwstr, 4, &dwread)) break;
                    if (dwstr == 0)
                    {
                        if (!ReadProcessMemory(hproc, (LPVOID)(dwaddr + 0x40), &dwstr, 4, &dwread)) break;
                        if (!ReadProcessMemory(hproc, (LPVOID)(dwstr + 0x8), &dwstr, 4, &dwread)) break;
                    }
                    if (!ReadProcessMemory(hproc, (LPVOID)dwstr, tcbuf, cbread, &dwread)) break;

                    // copy no more than the caller's buffer holds, and terminate it
                    _tcsncpy(pcmdline, tcbuf, dwbuflen - 1);
                    pcmdline[dwbuflen - 1] = 0;
                    dwret = 0;
                    break;
                }
            }
        }
        catch (...)
        {
            dwret = ERROR_INVALID_ACCESS; // exception
        }

        CloseHandle(hproc);
        return dwret;
    }
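The NT/2000/XP pointer chain from the sample above, as an added example (not part of the original article) that compiles without Windows: `mem_image` and `read_mem` are hypothetical stand-ins for the target process and ReadProcessMemory, and the sample memory is constructed. It refuses a stub that does not start with opcode A1, since the bytes after any other opcode are not an address, and it always terminates the output buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the target's memory and ReadProcessMemory. */
typedef struct { uint32_t base; const uint8_t *bytes; size_t len; } mem_image;

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copies up to n bytes from addr; *got is how many the region really held. */
static int read_mem(const mem_image *m, uint32_t addr, void *out, size_t n, size_t *got)
{
    if (addr < m->base || addr - m->base >= m->len) return 0;
    size_t avail = m->len - (addr - m->base);
    *got = n < avail ? n : avail;
    memcpy(out, m->bytes + (addr - m->base), *got);
    return 1;
}

/* stub = first bytes of GetCommandLineA as seen in our own process.
   Returns 0 on success, -1 if the stub is not "A1 imm32" or a read fails. */
int cmdline_from_stub(const mem_image *m, const uint8_t *stub, size_t stub_len,
                      char *out, size_t out_len)
{
    uint8_t ptr[4];
    size_t got = 0;
    if (out_len == 0 || stub_len < 5 || stub[0] != 0xA1) return -1;
    if (!read_mem(m, le32(stub + 1), ptr, 4, &got) || got != 4) return -1;
    if (!read_mem(m, le32(ptr), out, out_len - 1, &got)) return -1;
    out[got] = '\0';                 /* terminate even when truncated */
    return 0;
}

/* Constructed sample: the stub bytes quoted in the article, and a fake region
   at 0x7C8835F4 holding the pointer immediately followed by the string. */
static const uint8_t SAMPLE_STUB[] = { 0xA1, 0xF4, 0x35, 0x88, 0x7C, 0xC3 };
static const uint8_t SAMPLE_MEM[] = { 0xF8, 0x35, 0x88, 0x7C,   /* -> 0x7C8835F8 */
    'n','o','t','e','p','a','d',' ','a','.','t','x','t', 0 };
static const mem_image SAMPLE = { 0x7C8835F4u, SAMPLE_MEM, sizeof SAMPLE_MEM };

int main(void)
{
    char buf[64];
    if (cmdline_from_stub(&SAMPLE, SAMPLE_STUB, sizeof SAMPLE_STUB, buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```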
