Командная строка по Handle процесса

[newerow1989]

Здравствуйте!

Как на Delphi по индентификатору процесса узнать командную строку с ее параметрами? К примеру:
"C:\Windows\Notepad.exe" C:\1.txt
GetCommandLine в Delphi работает только для текущего процесса. Как узнать командную строку для любого процесса?

Заранее спасибо!

[Аватар]

OpenProcess
NtQueryInformationProcess
ReadProcessMemory

[min@y™]

Народ советует инжект. Говорят, что Process Explorer работает именно так (я не проверял).

100508.jpg

[newerow1989]

То, что Аватар посоветовал, работает не полностью: несколько процессов показывает полные пути. Я проверял не только на Windows 7, но и на Windows XP - там и там не все процессы. А я хочу узнать командную строку для любого процесса!

На всякий случай выложу проект, может кто-нибудь подскажет верно!

Код:

uses TLHelp32;

type
  USHORT = WORD;
  NTSTATUS = Longint;
  PVOID = Pointer;
  KSPIN_LOCK = ULONG;
  KAFFINITY = ULONG;
  KPRIORITY = Integer;
   
  _UNICODE_STRING = record
    Length: WORD;
    MaximumLength: WORD;
    Buffer:PWideChar;
  end;
  UNICODE_STRING = _UNICODE_STRING;

  _CURDIR = record
    DosPath: UNICODE_STRING;
    Handle: THandle;
  end;
  CURDIR = _CURDIR;

  PLIST_ENTRY = ^_LIST_ENTRY;
  _LIST_ENTRY = record
    Flink: PLIST_ENTRY;
    Blink: PLIST_ENTRY;
  end;
  LIST_ENTRY = _LIST_ENTRY;
  
  _PEB_LDR_DATA = record
    Length: ULONG;
    Initialized: BOOLEAN;
    SsHandle: PVOID;
    InLoadOrderModuleList: LIST_ENTRY;
    InMemoryOrderModuleList: LIST_ENTRY;
    InInitializationOrderModuleList: LIST_ENTRY;
  end;
  PPEB_LDR_DATA = ^_PEB_LDR_DATA; 

  _RTL_DRIVE_LETTER_CURDIR = record
    Flags: WORD;
    Length: WORD;
    TimeStamp: DWORD;
    DosPath: UNICODE_STRING;
  end;
  RTL_DRIVE_LETTER_CURDIR = _RTL_DRIVE_LETTER_CURDIR;
   
  _PROCESS_PARAMETERS = record
    MaximumLength: ULONG;
    Length: ULONG;
    Flags: ULONG;
    DebugFlags: ULONG;
    ConsoleHandle: THANDLE;
    ConsoleFlags: ULONG;
    StandardInput: THANDLE;
    StandardOutput: THANDLE;
    StandardError: THANDLE;
    CurrentDirectory: CURDIR;
    DllPath: UNICODE_STRING;
    ImagePathName: UNICODE_STRING;
    CommandLine: UNICODE_STRING;
    Environment: PWideChar;
    StartingX: ULONG;
    StartingY: ULONG;
    CountX: ULONG;
    CountY: ULONG;
    CountCharsX: ULONG;
    CountCharsY: ULONG;
    FillAttribute: ULONG;
    WindowFlags: ULONG;
    ShowWindowFlags: ULONG;
    WindowTitle: UNICODE_STRING;
    Desktop: UNICODE_STRING;
    ShellInfo: UNICODE_STRING;
    RuntimeInfo: UNICODE_STRING;
    CurrentDirectores: array[0..31] of RTL_DRIVE_LETTER_CURDIR;
  end;
  PROCESS_PARAMETERS = _PROCESS_PARAMETERS;
  PPROCESS_PARAMETERS = ^_PROCESS_PARAMETERS;

  PPEBLOCKROUTINE = procedure; stdcall;

  PPEB_FREE_BLOCK = ^_PEB_FREE_BLOCK;
  _PEB_FREE_BLOCK = record
    Next: PPEB_FREE_BLOCK;
    Size: ULONG;
  end;

  _RTL_BITMAP = record
    SizeOfBitMap: DWORD;
    Buffer: PDWORD;
  end;
  PRTL_BITMAP = ^_RTL_BITMAP;

  _SYSTEM_STRINGS = record
    SystemRoot: UNICODE_STRING;
    System32Root: UNICODE_STRING;
    BaseNamedObjects: UNICODE_STRING;
  end;
  PSYSTEM_STRINGS = ^_SYSTEM_STRINGS;
   
  _TEXT_INFO = record
    Reserved: PVOID;
    SystemStrings: PSYSTEM_STRINGS;
  end;
  PTEXT_INFO = ^_TEXT_INFO;
     
  _PEB = record
    InheritedAddressSpace: UCHAR;
    ReadImageFileExecOptions: UCHAR;
    BeingDebugged: UCHAR;
    SpareBool: BYTE;
    Mutant: PVOID;
    ImageBaseAddress: PVOID;
    Ldr: PPEB_LDR_DATA;
    ProcessParameters: PPROCESS_PARAMETERS;
    SubSystemData: PVOID;
    ProcessHeap: PVOID;
    FastPebLock: KSPIN_LOCK;
    FastPebLockRoutine: PPEBLOCKROUTINE;
    FastPebUnlockRoutine: PPEBLOCKROUTINE;
    EnvironmentUpdateCount: ULONG;
    KernelCallbackTable: PPOINTER;
    EventLogSection: PVOID;
    EventLog: PVOID;
    FreeList: PPEB_FREE_BLOCK;
    TlsExpansionCounter: ULONG;
    TlsBitmap: PRTL_BITMAP;
    TlsBitmapData: array[0..1] of ULONG;
    ReadOnlySharedMemoryBase: PVOID;
    ReadOnlySharedMemoryHeap: PVOID;
    ReadOnlyStaticServerData: PTEXT_INFO;
    InitAnsiCodePageData: PVOID;
    InitOemCodePageData: PVOID;
    InitUnicodeCaseTableData: PVOID;
    KeNumberProcessors: ULONG;
    NtGlobalFlag: ULONG;
    d6C: DWORD;
    MmCriticalSectionTimeout: Int64;
    MmHeapSegmentReserve: ULONG;
    MmHeapSegmentCommit: ULONG;
    MmHeapDeCommitTotalFreeThreshold: ULONG;
    MmHeapDeCommitFreeBlockThreshold: ULONG;
    NumberOfHeaps: ULONG;
    AvailableHeaps: ULONG;
    ProcessHeapsListBuffer: PHANDLE;
    GdiSharedHandleTable: PVOID;
    ProcessStarterHelper: PVOID;
    GdiDCAttributeList: PVOID;
    LoaderLock: KSPIN_LOCK;
    NtMajorVersion: ULONG;
    NtMinorVersion: ULONG;
    NtBuildNumber: USHORT;
    NtCSDVersion: USHORT;
    PlatformId: ULONG;
    Subsystem: ULONG;
    MajorSubsystemVersion: ULONG;
    MinorSubsystemVersion: ULONG;
    AffinityMask: KAFFINITY;
    GdiHandleBuffer: array[0..33] of ULONG;
    PostProcessInitRoutine: ULONG;
    TlsExpansionBitmap: ULONG;
    TlsExpansionBitmapBits: array[0..127] of UCHAR;
    SessionId: ULONG;
    AppCompatFlags: Int64;
    CSDVersion: PWORD;
  end;
  PEB = _PEB;
  PPEB = ^_PEB;
  
  _PROCESS_BASIC_INFORMATION = record
    ExitStatus: NTSTATUS;
    PebBaseAddress: PPEB;
    AffinityMask: KAFFINITY;
    BasePriority: KPRIORITY;
    UniqueProcessId: ULONG;
    InheritedFromUniqueProcessId: ULONG;
  end;
  PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;

  PROCESSINFOCLASS = (
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessResourceManagement,
    ProcessCookie,
    ProcessImageInformation,
    MaxProcessInfoClass);

function NtQueryInformationProcess(ProcessHandle: THANDLE;
   ProcessInformationClass: PROCESSINFOCLASS; ProcessInformation: pointer;
   ProcessInformationLength: ULONG; ReturnLength: PDWORD): DWORD; stdcall;
   external 'NTDLL.DLL';

function GetProcessCmdLine(PID:DWORD):string;
var
  hProcess:THandle;
  pProcBasicInfo:PROCESS_BASIC_INFORMATION;
  ReturnLength:DWORD;
  prb:PEB;
  ProcessParameters:PROCESS_PARAMETERS;
  cb:cardinal;
  ws:WideString;
begin
   Result:='';
   hProcess:=OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,false,PID);
   If hProcess<>0 then
   try
   If NtQueryInformationProcess(hProcess,ProcessBasicInformation,
      @pProcBasicInfo,sizeof(PROCESS_BASIC_INFORMATION),@ReturnLength)=0 then
      begin
         If ReadProcessMemory(hProcess,pProcBasicInfo.PebBaseAddress,@prb,
            sizeof(PEB),cb) then
            If ReadProcessMemory(hProcess,prb.ProcessParameters,
               @ProcessParameters,sizeof(PROCESS_PARAMETERS),cb) then
               begin
                  SetLength(ws,(ProcessParameters.CommandLine.Length div 2));
                  If ReadProcessMemory(hProcess,ProcessParameters.CommandLine.Buffer,
                     PWideChar(ws),ProcessParameters.CommandLine.Length,cb) then
                     Result:=string(ws);
               end;
      end;
   finally
      CloseHandle(hProcess);
   end;
end;

[newerow1989]

Похоже, посмотрели мою программу и не могут подсказать...