Delphi 获取进程路径及命令行参数, 但有的进程获取时会报错,不知为啥

type

  PVOID64 = UINT64;

  _UNICODE_STRING = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Buffer : PWideChar;

  end;

  UNICODE_STRING = _UNICODE_STRING;

  PUNICODE_STRING =^_UNICODE_STRING;

  _UNICODE_STRING64 = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Fill : DWORD;

    Buffer : PVOID64;

  end;

  UNICODE_STRING64 = _UNICODE_STRING64;

  PUNICODE_STRING64 =^_UNICODE_STRING64;

  __PEB = packed record

    Filler : array [..] of DWORD;

    ProcessParameters : DWORD;

  end;

  __PEB64 = packed record

    Filler : array [..] of PVOID64;

    ProcessParameters : PVOID64;

  end;

  _CURDIR = packed record

    DosPath : UNICODE_STRING;

    Handle : THANDLE;

  end;

  _CURDIR64 = packed record

    DosPath : UNICODE_STRING64;

    Handle : PVOID64;

  end;

  _RTL_USER_PROCESS_PARAMETERS = packed record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :THandle;

    ConsoleFlags    :DWORD;

    StandardInput   :THandle;

    StandardOutput  :THandle;

    StandardError   :THandle;

    //////////////////////////

    DosPath         :UNICODE_STRING;    //CurrentDirectory

    Handle          :THANDLE;

    //////////////////////////

    DllPath         :UNICODE_STRING;

    ImagePathName   :UNICODE_STRING;

    CmdLine         :UNICODE_STRING;

  end;

  _RTL_USER_PROCESS_PARAMETERS64 = record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :PVOID64;

    ConsoleFlags    :DWORD;

    StandardInput   :PVOID64;

    StandardOutput  :PVOID64;

    StandardError   :PVOID64;

    //////////////////////////

    CurrentDirectory:_CURDIR64;

    //////////////////////////

    DllPath         :UNICODE_STRING64;

    ImagePathName   :UNICODE_STRING64;

    CmdLine         :UNICODE_STRING64;

  end;

  _PROCESS_BASIC_INFORMATION = packed record

    Reserved1       :PVOID;

    PebBaseAddress  :PVOID;

    Reserved2       :Array [..] of PVOID;

    UniqueProcessId :PVOID;

    Reserved3       :PVOID;

  end;

  PROCESS_BASIC_INFORMATION  =_PROCESS_BASIC_INFORMATION;

  PPROCESS_BASIC_INFORMATION =^_PROCESS_BASIC_INFORMATION;

  _PROCESS_BASIC_INFORMATION64 = packed record

    Reserved1       :PVOID64;

    PebBaseAddress  :PVOID64;

    Reserved2       :Array [..] of PVOID64;

    UniqueProcessId :PVOID64;

    Reserved3       :PVOID64;

  end;

  PROCESS_BASIC_INFORMATION64  =_PROCESS_BASIC_INFORMATION64;

  PPROCESS_BASIC_INFORMATION64 =^_PROCESS_BASIC_INFORMATION64;

  TNtQueryInformationProcess = function(a:THANDLE;b:UINT;c:PVOID;d:ULONG;e:PULONG):LONG; stdcall;

  TNtReadVirtualMemory = function(ProcessHandle:THANDLE; BaseAddress:PVOID; Buffer:PVOID; NumberOfBytesToRead:ULONG; NumberOfBytesReaded:PULONG):LONG; stdcall;

  TNtReadVirtualMemory64 = function(ProcessHandle:THANDLE; BaseAddress:PVOID64; Buffer:PVOID; NumberOfBytesToRead:UINT64; NumberOfBytesReaded:PUINT64):LONG; stdcall;

  TISWOW64PROCESS = function(hProcess:THANDLE; var Wow64Process:BOOL):BOOL; stdcall;

  function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

implementation

function GetProcessImagePathAndCmdLine32(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory;

  dwSize:DWORD;

  size:SIZE_T;

  iReturn:Integer;

  pAddrPEB:PVOID;

  PEB:__PEB;

  stBlock:_RTL_USER_PROCESS_PARAMETERS;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtQueryInformationProcess');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtReadVirtualMemory');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := nil;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),@dwSize);

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PULONG(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PVOID(PEB.ProcessParameters), @stBlock, sizeof(stBlock), PULONG(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      if (stBlock.ImagePathName.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

        FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

        if (stBlock.ImagePathName.MaximumLength <= ) and ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.ImagePathName.Buffer), PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

        // . Get the CmdLine

      if (stBlock.CmdLine.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

        FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

        if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.CmdLine.Buffer), PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

    end;

  end;

end;

function GetProcessImagePathAndCmdLine64(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION64;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory64;

  dwSize:DWORD;

  size:UINT64;

  iReturn:Integer;

  pAddrPEB:PVOID64;

  PEB:__PEB64;

  stBlock:_RTL_USER_PROCESS_PARAMETERS64;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64QueryInformationProcess64');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64ReadVirtualMemory64');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := ;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),PULONG(@dwSize));

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PUINT64(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, @stBlock, sizeof(stBlock), PUINT64(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

      FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.ImagePathName.Buffer, PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

        Result := True;

      end;

      // . Get the CmdLine

      FreeMemory(PathBuffer);

      PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

      FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.CmdLine.Buffer, PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

        Result := True;

      end;

      FreeMemory(PathBuffer);

    end;

  end;

end;

function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  fn:TISWOW64PROCESS;

begin

  Result := False;

  try

    fn := GetProcAddress(GetModuleHandle('kernel32'),'IsWow64Process');

    if Assigned(fn) then

    begin

      Result := GetProcessImagePathAndCmdLine64(hProcess,ImagePath,CmdLine);

    end else

    begin

      Result := GetProcessImagePathAndCmdLine32(hProcess,ImagePath,CmdLine);

    end;

  Except

  end;

end;

Delphi 获取进程路径及命令行参数的更多相关文章

  1. PED结构获取进程路径和命令行地址

    1.FS寄存器 2.进入FS寄存器地址,7FFDD000 3.偏移30为PED结构 4.偏移地址10 3C,44偏移:路径地址,命令行地址 // 通过PEB结构去查找所有进程模块 void *PEB ...

  2. Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    特殊变量列表 变量 含义 $0 当前脚本的文件名 $n 传递给脚本或函数的参数.n 是一个数字,表示第几个参数.例如,第一个参数是$1,第二个参数是$2. $# 传递给脚本或函数的参数个数. $* 传 ...

  3. 【Shell脚本学习8】Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  4. 【转】shell 教程——07 Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  5. linux bash Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    在linux下配置shell参数说明 前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid ...

  6. UE4命令行参数解析

    转自:https://blog.csdn.net/u012999985/article/details/53544389 一 .命令行参数简述命令行参数是一连串的关键字字符串,当运行可执行文件时可以通 ...

  7. C#中如何获取其他进程的命令行参数 ( How to get other processes's command line argument )

    Subject: C#中如何获取其他进程的命令行参数 ( How to get other processes&apos;s command line argument )From: jian ...

  8. Linux进程-命令行参数和环境列表

    命令行参数 在C中,main函数有很多的变种,比如 main(), int main(), int main(int argc, char *argv[]), int main(int argc, c ...

  9. .NET 命令行参数包含应用程序路径吗?

    如果你关注过命令行参数,也许发现有时你会在命令行参数的第一个参数中中看到应用程序的路径,有时又不会.那么什么情况下有路径呢? 其实是否有路径只是取决于获取命令行参数的时候用的是什么方法.而这是 Win ...

随机推荐

  1. Unity3D之移植学习笔记:移植到Android平台

    首先,我们需要一台已经配置好可以开发Android应用的计算机,这里我使用的是Windows系统+Eclipse+ADT的开发环境,当然也可以使用Android Studio或者使用Mac系统都可以. ...

  2. Centos6.3 jekyll环境安装

    yum install ruby yum install rubygems yum install ruby-devel gem install rdiscount yum install pytho ...

  3. Hadoop on Mac with IntelliJ IDEA - 4 制作jar包

    本文讲述使用IntelliJ IDEA打包Project的过程,即,打jar包. 环境:Mac OS X 10.9.5, IntelliJ IDEA 13.1.4, Hadoop 1.2.1 Hado ...

  4. zookeeper的C#Client

    最近在搭一套soa,  服务使用java/scala 的finagle 协议使用thrift 然后 finagle默认服务端会是使用zookeeper作为节点存储.. 所以想要访问具体服务,需要先通过 ...

  5. 图的深度优先搜索算法DFS

    1.问题描写叙述与理解 深度优先搜索(Depth First Search.DFS)所遵循的策略.如同其名称所云.是在图中尽可能"更深"地进行搜索. 在深度优先搜索中,对最新发现的 ...

  6. C++技术问题总结-第12篇 设计模式原则

    设计模式六大原则,參见http://www.uml.org.cn/sjms/201211023.asp. 1. 单一职责原则 定义:不要存在多于一个导致类变更的原因.通俗的说,即一个类仅仅负责一项职责 ...

  7. [Angular-Scaled Web] 8. Using $http to load JSON data

    Using the $http service to make requests to remote servers. categories-model.js: angular.module('egg ...

  8. javascript常用方法整理--数组篇

    1. arrayObject.slice(start,end) 从已有的数组中返回选定的元素 参数 描述 start 必需.规定从何处开始选取.如果是负数,那么它规定从数组尾部开始算起的位置.也就是说 ...

  9. Linux守护进程(init.d和xinetd)

    http://www.cnblogs.com/itech/archive/2010/12/27/1914846.html

  10. mysql高效获取两张表共同字段的交集数据

    例如下面两站表A,B.A表和B表分别有5-10w数据.A表结构如下:id bid name title publisher extraB表结构如下id bid name title publisher ...