64位环境下32位进程获取64位进程的命令行参数和当前目录

shuchang · 发表于 2018-1-2 14:15:26

BOOL GetProcessCurDir(HANDLE hProcess,mystring&strCurDir)
{
BOOL bSuccess = FALSE;
PROCESS_BASIC_INFORMATION pbi;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtQueryInformationProcess");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtReadVirtualMemory");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
SIZE_T size;
int iReturn;
PVOID pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),&dwSize);
pAddrPEB = pbi.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS stBlock;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &stBlock, sizeof(stBlock), &size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 3. Get the CurDir
wchar_t wszCurDir[MAX_PATH+1];
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)stBlock.DosPath.Buffer,
wszCurDir, stBlock.DosPath.Length*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
#ifdef UNICODE
// Both strings are in UNICODE.
strCurDir.assign(wszCurDir);
#else
CHAR szCurDir[MAX_PATH+1];
WideCharToMultiByte(CP_ACP,0,wszCurDir,size/sizeof(wchar_t),szCurDir,MAX_PATH,NULL,NULL);
strCurDir.assign(szCurDir);
#endif
bSuccess = TRUE;
}
}
return bSuccess;
}
BOOL GetProcessCurDir64(HANDLE hProcess,mystring&strCurDir)
{
BOOL bSuccess = FALSE;
PROCESS_BASIC_INFORMATION64 pbi64;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory64 pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64QueryInformationProcess64");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory64)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64ReadVirtualMemory64");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
UINT64 size;
int iReturn;
PVOID64 pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi64,sizeof(pbi64),&dwSize);
pAddrPEB = pbi64.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB64 PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS64 stBlock;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, &stBlock, sizeof(stBlock),&size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 3. Get the CurDir
wchar_t wszCurDir[MAX_PATH+1];
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, stBlock.DosPath.Buffer,
wszCurDir, stBlock.DosPath.Length*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return bSuccess;
}
#ifdef UNICODE
// Both strings are in UNICODE.
strCurDir.assign(wszCurDir);
#else
CHAR szCurDir[MAX_PATH+1];
WideCharToMultiByte(CP_ACP,0,wszCurDir,size/sizeof(wchar_t),szCurDir,MAX_PATH,NULL,NULL);
strCurDir.assign(szCurDir);
#endif
bSuccess = TRUE;
}
}
return bSuccess;
}
BOOL GetProcessCmdLine(HANDLE hProcess,mystring&strCmdLine)
{
BOOL bSuccess = FALSE;
PROCESS_BASIC_INFORMATION pbi;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtQueryInformationProcess");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtReadVirtualMemory");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
SIZE_T size;
int iReturn;
PVOID pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),&dwSize);
pAddrPEB = pbi.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS Block;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &Block, sizeof(Block), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 3. Get the CmdLine
wchar_t wszCmdLine[MAX_PATH+1] = {0};
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)Block.CmdLine.Buffer,
wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 4. Skip the application pathname
// it can be empty, "c:\...\app.exe" or c:\...\app.exe
wchar_t* pPos = wszCmdLine;
if (*pPos != L'\0') {
if (*pPos == L'"') {
// Find the next " character
pPos = wcschr(&pPos[1], L'"');
} else {
// Find the next SPACE character
pPos = wcschr(&pPos[1], L'');
}
// Skip it
if (pPos != NULL)
pPos++;
}
// Copy it back
if (pPos != NULL) {
if (*pPos != L'\0') {
#ifdef UNICODE
// Both strings are in UNICODE.
strCmdLine.assign(wszCmdLine);
#else
CHAR szCmdLine[MAX_PATH+1] = {0};
WideCharToMultiByte(CP_ACP,0,wszCmdLine,size/sizeof(wchar_t),szCmdLine,MAX_PATH,NULL,NULL);
strCmdLine = szCmdLine;
#endif
bSuccess = TRUE;
}
}
}
}
return bSuccess;
}
BOOL GetProcessCmdLine64(HANDLE hProcess,mystring&strCmdLine)
{
BOOL bSuccess = FALSE;
PROCESS_BASIC_INFORMATION64 pbi64;
TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
TNtReadVirtualMemory64 pfnNtReadVirtualMemory = NULL;
pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64QueryInformationProcess64");
pfnNtReadVirtualMemory = (TNtReadVirtualMemory64)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64ReadVirtualMemory64");
if ( pfnNtQueryInformationProcess!=NULL ){
DWORD dwSize;
UINT64 size;
int iReturn;
PVOID64 pAddrPEB = NULL;
iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi64,sizeof(pbi64),&dwSize);
pAddrPEB = pbi64.PebBaseAddress;
// NtQueryInformationProcess returns a negative value if it fails
if (iReturn >= 0) {
// 1. Find the Process Environment Block
__PEB64 PEB;
size = dwSize;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
// Call GetLastError() if you need to know why
return bSuccess;
}
// 2. From this PEB, get the address of the block containing
// a pointer to the CmdLine
_RTL_USER_PROCESS_PARAMETERS64 stBlock;
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &stBlock, sizeof(stBlock), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 3. Get the CmdLine
wchar_t wszCmdLine[MAX_PATH+1] = {0};
if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)stBlock.CmdLine.Buffer,
wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
// Call GetLastError() if you need to know why
return(FALSE);
}
// 4. Skip the application pathname
// it can be empty, "c:\...\app.exe" or c:\...\app.exe
wchar_t* pPos = wszCmdLine;
if (*pPos != L'\0') {
if (*pPos == L'"') {
// Find the next " character
pPos = wcschr(&pPos[1], L'"');
} else {
// Find the next SPACE character
pPos = wcschr(&pPos[1], L'');
}
// Skip it
if (pPos != NULL)
pPos++;
}
// Copy it back
if (pPos != NULL) {
if (*pPos != L'\0') {
#ifdef UNICODE
// Both strings are in UNICODE.
strCmdLine.assign(wszCmdLine);
#else
CHAR szCmdLine[MAX_PATH+1] = {0};
WideCharToMultiByte(CP_ACP,0,wszCmdLine,size/sizeof(wchar_t),szCmdLine,MAX_PATH,NULL,NULL);
strCmdLine.assign(szCmdLine);
#endif
bSuccess = TRUE;
}
}
}
}
return bSuccess;
}
#include <TlHelp32.h>
#include <winternl.h> // for Windows internal declarations.
#include "Toolhelp/Toolhelp.h"
//////////////////////////////////////////////////////////////////////////
#define WOW64
#ifdef _UNICODE
#define mystring wstring
#else
#define mystring string
#endif
typedef struct
{
DWORD Filler[4];
DWORD ProcessParameters;
} __PEB;
typedef struct
{
PVOID64 Filler[4];
PVOID64 ProcessParameters;
} __PEB64;
//
// Current Directory Structures
//
typedef struct
{
UNICODE_STRING DosPath;
HANDLE Handle;
}_CURDIR;
typedef struct _UNICODE_STRING64 {
SHORT Length;
SHORT MaximumLength;
DWORD Fill;
PVOID64 Buffer;
} UNICODE_STRING64;
typedef struct
{
DWORD MaximumLength;
DWORD Length;
DWORD Flags;
DWORD DebugFlags;
PVOID ConsoleHandle;
DWORD ConsoleFlags;
PVOID StandardInput;
PVOID StandardOutput;
PVOID StandardError;
//////////////////////////
UNICODE_STRING DosPath; //CurrentDirectory
HANDLE Handle;
//////////////////////////
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CmdLine;
//……
}_RTL_USER_PROCESS_PARAMETERS;
typedef struct
{
DWORD MaximumLength;
DWORD Length;
DWORD Flags;
DWORD DebugFlags;
PVOID64 ConsoleHandle;
DWORD ConsoleFlags;
PVOID64 StandardInput;
PVOID64 StandardOutput;
PVOID64 StandardError;
//////////////////////////
UNICODE_STRING64 DosPath;//CurrentDirectory
HANDLE Handle;
//////////////////////////
UNICODE_STRING64 DllPath;
UNICODE_STRING64 ImagePathName;
UNICODE_STRING64 CmdLine;
//……
}_RTL_USER_PROCESS_PARAMETERS64;
// end_ntddk end_ntifs
typedef struct _PROCESS_BASIC_INFORMATION64 {
PVOID64 Reserved1;
PVOID64 PebBaseAddress;
PVOID64 Reserved2[2];
PVOID64 UniqueProcessId;
PVOID64 Reserved3;
} PROCESS_BASIC_INFORMATION64,*PPROCESS_BASIC_INFORMATION64;
typedef LONG (WINAPI *TNtQueryInformationProcess)(HANDLE,UINT,PVOID,ULONG,PULONG);
typedef LONG (WINAPI *TNtReadVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
typedef LONG (WINAPI *TNtReadVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress, PVOID Buffer, UINT64 NumberOfBytesToRead, PUINT64 NumberOfBytesReaded);
//////////////////////////////////////////////////////////////////////////
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
BOOL IsWow64()
{
BOOL bIsWow64 = FALSE;
LPFN_ISWOW64PROCESS
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
GetModuleHandle("kernel32"),"IsWow64Process");
if (NULL != fnIsWow64Process)
{
if (!fnIsWow64Process(GetCurrentProcess(),&bIsWow64))
{
// handle error
}
}
return bIsWow64;
}

复制代码

		自动登录	找回密码
密码			点击注册

VIP会员办理QQ: 8643245 【请先加好友，然后到好友列表双击联系客服，办理VIP会员。】	【基础篇】易语言辅助入门基础教程
VIP模块办理QQ: 7189694 办理正版魔鬼作坊VIP模块	【基础篇】OD与CE入门基础教程
办理【终身VIP会员】“秒杀价” 仅需 RMB278.00元…	【基础篇】零基础绝密汇编语言入门课程 (共26课已完成)…
办理VIP详情…猛击这里查看详情	【基础篇】VIP辅助入门基础教程-新手必学已发布10课 ……
VIP教程免费试看章节…猛击下载	【第1款】制作“辅助挂”教程目录查看(共107+16_x64下更新课已完成)…
亲爱的VIP学员，请到此写下你学习的感受与发布作品截图…	【第2款】制作“任务挂”教程目录查看(共77+1_x64下更新课已完成)…
卍解吧！不用bp send类封包断点找CALL的各种通杀思路	【第3款】驱动过保护技术课程(共38课已完成)…
【绝密教程】VIP绝密教程系列---注意：随时会更新！	【第4款】VIP邪恶二叉树辅助课程 (共31+17_x64下更新课已完成)…
【精品第13款】3D射击游戏与页游透视智辅课程已完成17课…	【第5款】零基础易语言按键辅助教程 (30课已完成)…
【精品第14款】变态功能辅助是如何炼成的已完成36课…	【第6款】从零开始学习封包辅助技术教程(20课已完成) …
【精品第15款】DNF商业变态辅助的修炼之路已完成27课…	【第7款】大杀特杀分析来源与CALL吸血鬼课程 (56课已完成)
【精品第16款】中控台多线程多开自动化商业辅助课程已完成66课…	【第8款】完全零基础网页辅助课程(40课已完成)
【全新精品第17款】检测原理与过游戏内存检测技术课程已发布9课…	【第9款】自动登录与操控LUA技术课程 (共46+8_x64下更新课已完成)…
【全新精品第18款】手游全自动化任务脚本辅助课程已发布25课……	【第10款】网页辅助封包脱机进阶课程已完成30课…
【全新精品第19款】D3D方框骨骼透视与自瞄辅助课程进阶篇已发布34课……	【第11款】VC++ Lua脚本辅助课程已完成112课…
【全新精品第20款】 X64模拟器吃鸡游戏方框透视自瞄辅助课程发布中...	【第12款】网游脱机封包智辅课程已完成35课…