Delphi 获取进程路径及命令行参数, 但有的进程获取时会报错,不知为啥

type

  PVOID64 = UINT64;

  _UNICODE_STRING = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Buffer : PWideChar;

  end;

  UNICODE_STRING = _UNICODE_STRING;

  PUNICODE_STRING =^_UNICODE_STRING;

  _UNICODE_STRING64 = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Fill : DWORD;

    Buffer : PVOID64;

  end;

  UNICODE_STRING64 = _UNICODE_STRING64;

  PUNICODE_STRING64 =^_UNICODE_STRING64;

  __PEB = packed record

    Filler : array [..] of DWORD;

    ProcessParameters : DWORD;

  end;

  __PEB64 = packed record

    Filler : array [..] of PVOID64;

    ProcessParameters : PVOID64;

  end;

  _CURDIR = packed record

    DosPath : UNICODE_STRING;

    Handle : THANDLE;

  end;

  _CURDIR64 = packed record

    DosPath : UNICODE_STRING64;

    Handle : PVOID64;

  end;

  _RTL_USER_PROCESS_PARAMETERS = packed record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :THandle;

    ConsoleFlags    :DWORD;

    StandardInput   :THandle;

    StandardOutput  :THandle;

    StandardError   :THandle;

    //////////////////////////

    DosPath         :UNICODE_STRING;    //CurrentDirectory

    Handle          :THANDLE;

    //////////////////////////

    DllPath         :UNICODE_STRING;

    ImagePathName   :UNICODE_STRING;

    CmdLine         :UNICODE_STRING;

  end;

  _RTL_USER_PROCESS_PARAMETERS64 = record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :PVOID64;

    ConsoleFlags    :DWORD;

    StandardInput   :PVOID64;

    StandardOutput  :PVOID64;

    StandardError   :PVOID64;

    //////////////////////////

    CurrentDirectory:_CURDIR64;

    //////////////////////////

    DllPath         :UNICODE_STRING64;

    ImagePathName   :UNICODE_STRING64;

    CmdLine         :UNICODE_STRING64;

  end;

  _PROCESS_BASIC_INFORMATION = packed record

    Reserved1       :PVOID;

    PebBaseAddress  :PVOID;

    Reserved2       :Array [..] of PVOID;

    UniqueProcessId :PVOID;

    Reserved3       :PVOID;

  end;

  PROCESS_BASIC_INFORMATION  =_PROCESS_BASIC_INFORMATION;

  PPROCESS_BASIC_INFORMATION =^_PROCESS_BASIC_INFORMATION;

  _PROCESS_BASIC_INFORMATION64 = packed record

    Reserved1       :PVOID64;

    PebBaseAddress  :PVOID64;

    Reserved2       :Array [..] of PVOID64;

    UniqueProcessId :PVOID64;

    Reserved3       :PVOID64;

  end;

  PROCESS_BASIC_INFORMATION64  =_PROCESS_BASIC_INFORMATION64;

  PPROCESS_BASIC_INFORMATION64 =^_PROCESS_BASIC_INFORMATION64;

  TNtQueryInformationProcess = function(a:THANDLE;b:UINT;c:PVOID;d:ULONG;e:PULONG):LONG; stdcall;

  TNtReadVirtualMemory = function(ProcessHandle:THANDLE; BaseAddress:PVOID; Buffer:PVOID; NumberOfBytesToRead:ULONG; NumberOfBytesReaded:PULONG):LONG; stdcall;

  TNtReadVirtualMemory64 = function(ProcessHandle:THANDLE; BaseAddress:PVOID64; Buffer:PVOID; NumberOfBytesToRead:UINT64; NumberOfBytesReaded:PUINT64):LONG; stdcall;

  TISWOW64PROCESS = function(hProcess:THANDLE; var Wow64Process:BOOL):BOOL; stdcall;

  function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

implementation

function GetProcessImagePathAndCmdLine32(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory;

  dwSize:DWORD;

  size:SIZE_T;

  iReturn:Integer;

  pAddrPEB:PVOID;

  PEB:__PEB;

  stBlock:_RTL_USER_PROCESS_PARAMETERS;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtQueryInformationProcess');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtReadVirtualMemory');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := nil;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),@dwSize);

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PULONG(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PVOID(PEB.ProcessParameters), @stBlock, sizeof(stBlock), PULONG(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      if (stBlock.ImagePathName.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

        FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

        if (stBlock.ImagePathName.MaximumLength <= ) and ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.ImagePathName.Buffer), PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

        // . Get the CmdLine

      if (stBlock.CmdLine.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

        FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

        if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.CmdLine.Buffer), PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

    end;

  end;

end;

function GetProcessImagePathAndCmdLine64(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION64;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory64;

  dwSize:DWORD;

  size:UINT64;

  iReturn:Integer;

  pAddrPEB:PVOID64;

  PEB:__PEB64;

  stBlock:_RTL_USER_PROCESS_PARAMETERS64;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64QueryInformationProcess64');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64ReadVirtualMemory64');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := ;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),PULONG(@dwSize));

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PUINT64(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, @stBlock, sizeof(stBlock), PUINT64(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

      FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.ImagePathName.Buffer, PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

        Result := True;

      end;

      // . Get the CmdLine

      FreeMemory(PathBuffer);

      PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

      FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.CmdLine.Buffer, PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

        Result := True;

      end;

      FreeMemory(PathBuffer);

    end;

  end;

end;

function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  fn:TISWOW64PROCESS;

begin

  Result := False;

  try

    fn := GetProcAddress(GetModuleHandle('kernel32'),'IsWow64Process');

    if Assigned(fn) then

    begin

      Result := GetProcessImagePathAndCmdLine64(hProcess,ImagePath,CmdLine);

    end else

    begin

      Result := GetProcessImagePathAndCmdLine32(hProcess,ImagePath,CmdLine);

    end;

  Except

  end;

end;

Delphi 获取进程路径及命令行参数的更多相关文章

  1. PED结构获取进程路径和命令行地址

    1.FS寄存器 2.进入FS寄存器地址,7FFDD000 3.偏移30为PED结构 4.偏移地址10 3C,44偏移:路径地址,命令行地址 // 通过PEB结构去查找所有进程模块 void *PEB ...

  2. Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    特殊变量列表 变量 含义 $0 当前脚本的文件名 $n 传递给脚本或函数的参数.n 是一个数字,表示第几个参数.例如,第一个参数是$1,第二个参数是$2. $# 传递给脚本或函数的参数个数. $* 传 ...

  3. 【Shell脚本学习8】Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  4. 【转】shell 教程——07 Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  5. linux bash Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    在linux下配置shell参数说明 前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid ...

  6. UE4命令行参数解析

    转自:https://blog.csdn.net/u012999985/article/details/53544389 一 .命令行参数简述命令行参数是一连串的关键字字符串,当运行可执行文件时可以通 ...

  7. C#中如何获取其他进程的命令行参数 ( How to get other processes's command line argument )

    Subject: C#中如何获取其他进程的命令行参数 ( How to get other processes&apos;s command line argument )From: jian ...

  8. Linux进程-命令行参数和环境列表

    命令行参数 在C中,main函数有很多的变种,比如 main(), int main(), int main(int argc, char *argv[]), int main(int argc, c ...

  9. .NET 命令行参数包含应用程序路径吗?

    如果你关注过命令行参数,也许发现有时你会在命令行参数的第一个参数中中看到应用程序的路径,有时又不会.那么什么情况下有路径呢? 其实是否有路径只是取决于获取命令行参数的时候用的是什么方法.而这是 Win ...

随机推荐

  1. linux 查看当前所在目录的全路径

    有时候,使用linux的shell的时候需要查看当前位置的全路径,可以使用 pwd命令 当然,知道了该命令就可以通过man pwd来查看该命令的全部帮助手册.

  2. 普通Jquery的ajax判断重复和formvalidator的ajaxValidator区别

    示例:1.ajax版: $("#txtTitle").blur(function () {                 $.ajax({                     ...

  3. iOS开发笔记系列-基础5(分类和协议)

    分类 在Objective-C中,除了通过新建子类的方式来向类添加新方法外,还可以通过分类的方式.分类提供了一种简单的方式,将类的定义模块化到相关方法的组或分类中,它还提供了扩展现有类定义的简便方式, ...

  4. android.content.res.Resources$NotFoundException:String resource ID #ffffffff

    无语,搞了半天,只能去插这个错误代号,结果就找到了这个结果. scoreTextView.setText(score+""); 这个一定要自己手动转换..不科学啊..关键是在ecl ...

  5. ural 1993 This cheeseburger you don't need

    顺次存到{} [] () 遇到逗号就处理下,最后处理逗号之后的 #include <iostream> #include <cstring> #include <stri ...

  6. [AngularJS] ngAnimate angular way !!

    Idea is set up javascript  as an api, then just change html to control the behavor. var app = angula ...

  7. 互联网常见Open API文档资源

    原文地址:http://blog.sina.com.cn/s/blog_4d8713560100y272.html 所谓的开放API(OpenAPI)是服务型网站常见的一种应用,网站的服务商将自己的网 ...

  8. 【ZZ】Java : 一个帝国的诞生 & 假如时光能够倒流, 我会这么学习Java

    Java : 一个帝国的诞生 http://dy.qq.com/article.htm?id=20160523A06XFS00 写的很有意思,一下子了解了JAVA的历史. 假如时光能够倒流, 我会这么 ...

  9. sizeWithFont 不是线程安全。

    在ios开发中经常使用用sizeWithFont 方法来计算UILabel 的frame, 例如动态计算UITableViewCell 的高度,在主线程处理没有问题,但是在子线程用此方法来计算就会出现 ...

  10. K-means Algorithm

    在监督学习中,有标签信息协助机器学习同类样本之间存在的共性,在预测时只需判定给定样本与哪个类别的训练样本最相似即可.在非监督学习中,不再有标签信息的指导,遇到一维或二维数据的划分问题,人用肉眼就很容易 ...