Delphi 获取进程路径及命令行参数, 但有的进程获取时会报错,不知为啥

type

  PVOID64 = UINT64;

  _UNICODE_STRING = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Buffer : PWideChar;

  end;

  UNICODE_STRING = _UNICODE_STRING;

  PUNICODE_STRING =^_UNICODE_STRING;

  _UNICODE_STRING64 = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Fill : DWORD;

    Buffer : PVOID64;

  end;

  UNICODE_STRING64 = _UNICODE_STRING64;

  PUNICODE_STRING64 =^_UNICODE_STRING64;

  __PEB = packed record

    Filler : array [..] of DWORD;

    ProcessParameters : DWORD;

  end;

  __PEB64 = packed record

    Filler : array [..] of PVOID64;

    ProcessParameters : PVOID64;

  end;

  _CURDIR = packed record

    DosPath : UNICODE_STRING;

    Handle : THANDLE;

  end;

  _CURDIR64 = packed record

    DosPath : UNICODE_STRING64;

    Handle : PVOID64;

  end;

  _RTL_USER_PROCESS_PARAMETERS = packed record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :THandle;

    ConsoleFlags    :DWORD;

    StandardInput   :THandle;

    StandardOutput  :THandle;

    StandardError   :THandle;

    //////////////////////////

    DosPath         :UNICODE_STRING;    //CurrentDirectory

    Handle          :THANDLE;

    //////////////////////////

    DllPath         :UNICODE_STRING;

    ImagePathName   :UNICODE_STRING;

    CmdLine         :UNICODE_STRING;

  end;

  _RTL_USER_PROCESS_PARAMETERS64 = record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :PVOID64;

    ConsoleFlags    :DWORD;

    StandardInput   :PVOID64;

    StandardOutput  :PVOID64;

    StandardError   :PVOID64;

    //////////////////////////

    CurrentDirectory:_CURDIR64;

    //////////////////////////

    DllPath         :UNICODE_STRING64;

    ImagePathName   :UNICODE_STRING64;

    CmdLine         :UNICODE_STRING64;

  end;

  _PROCESS_BASIC_INFORMATION = packed record

    Reserved1       :PVOID;

    PebBaseAddress  :PVOID;

    Reserved2       :Array [..] of PVOID;

    UniqueProcessId :PVOID;

    Reserved3       :PVOID;

  end;

  PROCESS_BASIC_INFORMATION  =_PROCESS_BASIC_INFORMATION;

  PPROCESS_BASIC_INFORMATION =^_PROCESS_BASIC_INFORMATION;

  _PROCESS_BASIC_INFORMATION64 = packed record

    Reserved1       :PVOID64;

    PebBaseAddress  :PVOID64;

    Reserved2       :Array [..] of PVOID64;

    UniqueProcessId :PVOID64;

    Reserved3       :PVOID64;

  end;

  PROCESS_BASIC_INFORMATION64  =_PROCESS_BASIC_INFORMATION64;

  PPROCESS_BASIC_INFORMATION64 =^_PROCESS_BASIC_INFORMATION64;

  TNtQueryInformationProcess = function(a:THANDLE;b:UINT;c:PVOID;d:ULONG;e:PULONG):LONG; stdcall;

  TNtReadVirtualMemory = function(ProcessHandle:THANDLE; BaseAddress:PVOID; Buffer:PVOID; NumberOfBytesToRead:ULONG; NumberOfBytesReaded:PULONG):LONG; stdcall;

  TNtReadVirtualMemory64 = function(ProcessHandle:THANDLE; BaseAddress:PVOID64; Buffer:PVOID; NumberOfBytesToRead:UINT64; NumberOfBytesReaded:PUINT64):LONG; stdcall;

  TISWOW64PROCESS = function(hProcess:THANDLE; var Wow64Process:BOOL):BOOL; stdcall;

  function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

implementation

function GetProcessImagePathAndCmdLine32(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory;

  dwSize:DWORD;

  size:SIZE_T;

  iReturn:Integer;

  pAddrPEB:PVOID;

  PEB:__PEB;

  stBlock:_RTL_USER_PROCESS_PARAMETERS;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtQueryInformationProcess');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtReadVirtualMemory');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := nil;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),@dwSize);

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PULONG(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PVOID(PEB.ProcessParameters), @stBlock, sizeof(stBlock), PULONG(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      if (stBlock.ImagePathName.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

        FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

        if (stBlock.ImagePathName.MaximumLength <= ) and ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.ImagePathName.Buffer), PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

        // . Get the CmdLine

      if (stBlock.CmdLine.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

        FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

        if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.CmdLine.Buffer), PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

    end;

  end;

end;

function GetProcessImagePathAndCmdLine64(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION64;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory64;

  dwSize:DWORD;

  size:UINT64;

  iReturn:Integer;

  pAddrPEB:PVOID64;

  PEB:__PEB64;

  stBlock:_RTL_USER_PROCESS_PARAMETERS64;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64QueryInformationProcess64');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64ReadVirtualMemory64');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := ;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),PULONG(@dwSize));

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PUINT64(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, @stBlock, sizeof(stBlock), PUINT64(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

      FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.ImagePathName.Buffer, PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

        Result := True;

      end;

      // . Get the CmdLine

      FreeMemory(PathBuffer);

      PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

      FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.CmdLine.Buffer, PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

        Result := True;

      end;

      FreeMemory(PathBuffer);

    end;

  end;

end;

function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  fn:TISWOW64PROCESS;

begin

  Result := False;

  try

    fn := GetProcAddress(GetModuleHandle('kernel32'),'IsWow64Process');

    if Assigned(fn) then

    begin

      Result := GetProcessImagePathAndCmdLine64(hProcess,ImagePath,CmdLine);

    end else

    begin

      Result := GetProcessImagePathAndCmdLine32(hProcess,ImagePath,CmdLine);

    end;

  Except

  end;

end;

Delphi 获取进程路径及命令行参数的更多相关文章

  1. PED结构获取进程路径和命令行地址

    1.FS寄存器 2.进入FS寄存器地址,7FFDD000 3.偏移30为PED结构 4.偏移地址10 3C,44偏移:路径地址,命令行地址 // 通过PEB结构去查找所有进程模块 void *PEB ...

  2. Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    特殊变量列表 变量 含义 $0 当前脚本的文件名 $n 传递给脚本或函数的参数.n 是一个数字,表示第几个参数.例如,第一个参数是$1,第二个参数是$2. $# 传递给脚本或函数的参数个数. $* 传 ...

  3. 【Shell脚本学习8】Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  4. 【转】shell 教程——07 Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  5. linux bash Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    在linux下配置shell参数说明 前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid ...

  6. UE4命令行参数解析

    转自:https://blog.csdn.net/u012999985/article/details/53544389 一 .命令行参数简述命令行参数是一连串的关键字字符串,当运行可执行文件时可以通 ...

  7. C#中如何获取其他进程的命令行参数 ( How to get other processes's command line argument )

    Subject: C#中如何获取其他进程的命令行参数 ( How to get other processes&apos;s command line argument )From: jian ...

  8. Linux进程-命令行参数和环境列表

    命令行参数 在C中,main函数有很多的变种,比如 main(), int main(), int main(int argc, char *argv[]), int main(int argc, c ...

  9. .NET 命令行参数包含应用程序路径吗?

    如果你关注过命令行参数,也许发现有时你会在命令行参数的第一个参数中中看到应用程序的路径,有时又不会.那么什么情况下有路径呢? 其实是否有路径只是取决于获取命令行参数的时候用的是什么方法.而这是 Win ...

随机推荐

  1. C#中的强制类型转换与as转换的区别

    C#中的强制类型转换 例如有ClassA与ClassB两个类创建两个类的对象进行转换 1 2 ClassA a = new ClassA();  ClassB b = new ClassB(); 如果 ...

  2. Linux下升级python版本

    转载自:http://lovebeyond.iteye.com/blog/1770476 CentOS下的Python版本一般都比较低,很多应用都需要升级python来完成.我装的centOS的默认的 ...

  3. swift 个人笔记

    swift是现代编程语言的综合体,灵活而强大. //http://www.cocoachina.com/newbie/basic/2014/0604/8675.html //语法var 变量,let ...

  4. UVa 112 Tree Summing

    题意: 计算从根到叶节点的累加值,看看是否等于指定值.是输出yes,否则no.注意叶节点判断条件是没有左右子节点. 思路: 建树过程中计算根到叶节点的sum. 注意: cin读取失败后要调用clear ...

  5. Codeforces Round #327 (Div. 2) C. Median Smoothing 找规律

    C. Median Smoothing Time Limit: 20 Sec Memory Limit: 256 MB 题目连接 http://codeforces.com/contest/591/p ...

  6. HDU 4348 To the moon 可持久化线段树,有时间戳的区间更新,区间求和

    To the moonTime Limit: 20 Sec Memory Limit: 256 MB 题目连接 http://acm.hust.edu.cn/vjudge/contest/view.a ...

  7. python选择排序

    def select_sort(list): for i in range(len(list)): position = i for j in range(i,len(list)): if list[ ...

  8. android Camera 数据流程分析

    这篇文章主要针对其数据流程进行分析.Camera一般用于图像浏览.拍照和视频录制.这里先对图像浏览和拍照的数据流进行分析,后面再对视频电话部分进行分析. 1.针对HAL层对摄像头数据处理补充一下 Li ...

  9. iOS开发——混编Swift篇&OC移植为swift

    将Ojective-C代码移植转换为Swift代码 2015-03-09 15:07发布:yuhang浏览:201   相比于Objective-C,Swift语言更加简练.有时我们需要把原来写的一些 ...

  10. PXC的原理

    http://www.blogs8.cn/posts/AWif6E4 mariadb的集群也是抄percona的,原理跟PXC一样maridb-cluster就是PXC,原理是一样的.codeship ...