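' 获取进程命令行的代码 — module-level declarations for reading another
' process's command line from 32-bit VB6.
' Ordered so that every user-defined type is defined before a Declare refers
' to it, and every constant carries an explicit Long type (the original left
' three of them untyped, so they defaulted to Integer).

' NT client id handed to NtOpenProcess; GetProcessCommandLine fills in
' UniqueProcess only and leaves UniqueThread at 0.
Private Type CLIENT_ID
    UniqueProcess As Long
    UniqueThread As Long
End Type

' NT object attributes; only Length is set, every other member stays 0 / NULL.
Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type

' Process access-mask bits. GetProcessCommandLine opens its target with
' PROCESS_VM_READ only; the wider rights are kept for other callers.
Private Const SYNCHRONIZE As Long = &H100000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const PROCESS_CREATE_THREAD As Long = &H2
Private Const PROCESS_VM_OPERATION As Long = &H8
Private Const PROCESS_VM_READ As Long = &H10
Private Const PROCESS_DUP_HANDLE As Long = &H40
Private Const PROCESS_QUERY_INFORMATION As Long = &H400
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

' Native process open/close from ntdll. NtOpenProcess returns an NTSTATUS;
' negative values are failures, in which case ProcessHandle is not valid.
Private Declare Function NtOpenProcess Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, _
    ByVal AccessMask As Long, _
    ByRef ObjectAttributes As OBJECT_ATTRIBUTES, _
    ByRef ClientID As CLIENT_ID) As Long
Private Declare Function NtClose Lib "NTDLL.DLL" (ByVal ObjectHandle As Long) As Long

' Cross-process read. The last argument receives the number of bytes actually
' read; its name (lpNumberOfBytesWritten) is kept unchanged so callers using
' named arguments keep compiling.
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

' Module handling, used to locate GetCommandLineA in this process's own
' kernel32 image. Every successful LoadLibrary must be paired with FreeLibrary.
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long

' Raw in-process memory copy (RtlMoveMemory); used to pull bytes out of code.
Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByRef Destination As Any, _
    ByRef Source As Any, _
    ByVal Length As Long)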
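' Returns the ANSI command line of process dwProcessId, or "" on any failure.
'
' How it works (32-bit only: this VB6 process and the target must both be
' 32-bit and have kernel32 mapped at the same base address, which is the
' normal case for two 32-bit processes on the same boot):
'   1. Open the target with PROCESS_VM_READ only — the least privilege that
'      ReadProcessMemory needs.
'   2. Find GetCommandLineA in *our own* kernel32. In the 32-bit kernel32
'      builds this code targets, that function is the single instruction
'      `mov eax, [addr]` (opcode A1 followed by a 4-byte absolute address)
'      returning kernel32's global command-line pointer. The 4 bytes at
'      dwAddr + 1 are therefore the address of that global, and because the
'      image is shared at the same base, it is the same address in the target.
'   3. First ReadProcessMemory: read the 4-byte pointer stored at that
'      address inside the target (the target's own command-line pointer).
'   4. Second ReadProcessMemory: read up to 260 bytes of the string that
'      pointer refers to, then cut it at the first NUL.
'
' Caveats:
'   - The value is whatever the target currently holds in that buffer. A
'     process can overwrite its own command line, so treat the result as
'     informational, not authoritative.
'   - Command lines longer than 259 characters are truncated.
'   - If GetCommandLineA does not begin with opcode A1 (a different kernel32
'     build, an export forwarder, or a 64-bit system), the function returns ""
'     instead of dereferencing an unrelated operand.
'   - The original code called Left(strName, InStr(...) - 1), which raises
'     runtime error 5 when no NUL is found within the buffer; that case now
'     returns the truncated buffer. It also never released the LoadLibrary
'     reference; all exits now go through one cleanup path.
Private Function GetProcessCommandLine(ByVal dwProcessId As Long) As String
    Const MAX_CMDLINE As Long = 260                 ' read-buffer size; longer lines are truncated
    Const OPCODE_MOV_EAX_MOFFS32 As Byte = &HA1     ' x86 `mov eax, [imm32]`
    Dim objCid As CLIENT_ID
    Dim objOa As OBJECT_ATTRIBUTES
    Dim ntStatus As Long, hKernel As Long, strName As String
    Dim hProcess As Long, dwAddr As Long, dwRead As Long
    Dim bOpcode As Byte, nulPos As Long

    GetProcessCommandLine = ""

    ' Open the target with the minimum right required to read its memory.
    objOa.Length = Len(objOa)
    objCid.UniqueProcess = dwProcessId
    ntStatus = NtOpenProcess(hProcess, PROCESS_VM_READ, objOa, objCid)
    If ntStatus < 0 Or hProcess = 0 Then Exit Function   ' NTSTATUS failures are negative

    ' Locate GetCommandLineA in our own kernel32 image.
    hKernel = LoadLibrary("kernel32")
    If hKernel <> 0 Then dwAddr = GetProcAddress(hKernel, "GetCommandLineA")
    If dwAddr = 0 Then GoTo Cleanup

    ' Confirm the expected `mov eax, [imm32]` encoding before trusting the operand.
    CopyMemory bOpcode, ByVal dwAddr, 1
    If bOpcode <> OPCODE_MOV_EAX_MOFFS32 Then GoTo Cleanup
    ' The 4 bytes after the opcode are the address of kernel32's command-line pointer.
    CopyMemory dwAddr, ByVal dwAddr + 1, 4

    ' Read the pointer stored at that address inside the target process ...
    If ReadProcessMemory(hProcess, ByVal dwAddr, dwAddr, 4, dwRead) = 0 Then GoTo Cleanup
    If dwRead <> 4 Or dwAddr = 0 Then GoTo Cleanup

    ' ... then the ANSI string it points to.
    strName = String(MAX_CMDLINE, Chr(0))
    If ReadProcessMemory(hProcess, ByVal dwAddr, ByVal strName, MAX_CMDLINE, dwRead) = 0 Then GoTo Cleanup
    nulPos = InStr(strName, Chr(0))
    If nulPos > 0 Then
        strName = Left(strName, nulPos - 1)   ' cut at the terminator
    End If                                   ' no NUL within the buffer: return it truncated
    GetProcessCommandLine = strName

Cleanup:
    ' Single exit path: drop the LoadLibrary reference and close the handle.
    If hKernel <> 0 Then FreeLibrary hKernel
    NtClose hProcess
End Function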
本文来自 CSDN 博客，转载请标明出处：http://blog.csdn.net/chenhui530/archive/2007/12/10/1928409.aspx
从 dwAddr = GetProcAddress(hKernel, "GetCommandLineA") 之后的代码就看不懂了。
CopyMemory dwAddr, ByVal dwAddr + 1, 4 这一句不懂：为什么要 dwAddr + 1？为什么要复制 4 个字节？
ReadProcessMemory 为什么要调用 2 次？这 2 次分别起什么作用？