在Windows中获取另一个进程命令行

Question

我想获得另一个进程命令行(在WinXP 32bit上).我做以下事情:

  hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, ProcList.proc_id_as_numbers[i]);

  BytesNeeded = sizeof(PROCESS_BASIC_INFORMATION);
  ZwQueryInformationProcess(hProcess, ProcessBasicInformation, UserPool, sizeof(PROCESS_BASIC_INFORMATION), &BytesNeeded);
  pbi = (PPROCESS_BASIC_INFORMATION)UserPool;

  BytesNeeded = sizeof(PEB);
  res = ZwReadVirtualMemory(hProcess, pbi->PebBaseAddress, UserPool, sizeof(PEB), &BytesNeeded);
  /* zero value returned */
  peb = (PPEB)UserPool;

  BytesNeeded = sizeof(RTL_USER_PROCESS_PARAMETERS);
  res = ZwReadVirtualMemory(hProcess, peb->ProcessParameters, UserPool, sizeof(RTL_USER_PROCESS_PARAMETERS), &BytesNeeded);
  ProcParam = (PRTL_USER_PROCESS_PARAMETERS)UserPool;

首次调用pbi.UniqueProcessID后是正确的.但在调用ZwReadVirtualMemory之后,我得到了我的进程的命令行,而没有请求.

我还使用了ReadProcessMemore和NtQueryInformationProcess,但得到了相同的结果.

有人可以帮忙吗？

这里有http://forum.sysinternals.com/get-commandline-of-running-processes_topic6510_page1.html说这个代码有效.不幸的是,我没有权限在这个论坛上发帖问自己.

Answer 1

看起来ZwReadVirtualMemory只被调用一次.这还不够.必须为每个级别的指针间接调用它.换句话说,当您检索指针时,它指向其他进程的地址空间.你不能直接阅读它.你必须再次调用ZwReadVirtualMemory.对于那些数据结构的情况,ZwReadVirtualMemory必须被调用3次:一次读取PEB(这是上面的代码所做的),一次读取RTL_USER_PROCESS_PARAMETERS,一次读取UNICODE_STRING的缓冲区.以下代码片段对我有用(为清楚起见省略了错误处理,我使用了文档化的ReadProcessMemory API而不是ZwReadVirtualMemory):

        LONG status = NtQueryInformationProcess(hProcess,
                                                0,
                                                pinfo,
                                                sizeof(PVOID)*6,
                                                NULL);
        PPEB ppeb = (PPEB)((PVOID*)pinfo)[1];
        PPEB ppebCopy = (PPEB)malloc(sizeof(PEB));
        BOOL result = ReadProcessMemory(hProcess,
                                        ppeb,
                                        ppebCopy,
                                        sizeof(PEB),
                                        NULL);

        PRTL_USER_PROCESS_PARAMETERS pRtlProcParam = ppebCopy->ProcessParameters;
        PRTL_USER_PROCESS_PARAMETERS pRtlProcParamCopy =
            (PRTL_USER_PROCESS_PARAMETERS)malloc(sizeof(RTL_USER_PROCESS_PARAMETERS));
        result = ReadProcessMemory(hProcess,
                                   pRtlProcParam,
                                   pRtlProcParamCopy,
                                   sizeof(RTL_USER_PROCESS_PARAMETERS),
                                   NULL);
        PWSTR wBuffer = pRtlProcParamCopy->CommandLine.Buffer;
        USHORT len =  pRtlProcParamCopy->CommandLine.Length;
        PWSTR wBufferCopy = (PWSTR)malloc(len);
        result = ReadProcessMemory(hProcess,
                                   wBuffer,
                                   wBufferCopy, // command line goes here
                                   len,
                                   NULL);

为什么我们看到我们自己的进程的命令行？这是因为流程以类似的方式布局.命令行和PEB相关的结构可能具有相同的地址.因此,如果您错过了ReadProcessMemory,您最终会完全使用本地进程的命令行.

Answer 2

我试图用mingw和Qt做同样的事情.我遇到了"对CLSID_WbemLocator的未定义引用"的问题.经过一些研究,似乎我的mingw版本中包含的libwbemuuid.a版本只定义了IID_IWbemLocator而不是CLSID_WbemLocator.

我发现手动定义CLSID_WbemLocator有效(尽管它可能不是"正确"的做事方式).

最终的工作代码:

#include <QDebug>
#include <QString>
#include <QDir>
#include <QProcess>
#define _WIN32_DCOM
#include <windows.h>
#include "TlHelp32.h"
#include <stdio.h>
#include <tchar.h>
#include <wbemidl.h>
#include <comutil.h>

const GUID CLSID_WbemLocator = { 0x4590F811,0x1D3A,0x11D0,{ 0x89,0x1F,0x00,0xAA,0x00,0x4B,0x2E,0x24 } }; //for some reason CLSID_WbemLocator isn't declared in libwbemuuid.a (although it probably should be).

int getProcessInfo(DWORD pid, QString *commandLine, QString *executable)
{
    HRESULT hr = 0;
    IWbemLocator         *WbemLocator  = NULL;
    IWbemServices        *WbemServices = NULL;
    IEnumWbemClassObject *EnumWbem  = NULL;

    //initializate the Windows security
    hr = CoInitializeEx(0, COINIT_MULTITHREADED);
    hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &WbemLocator);

    //connect to the WMI
    hr = WbemLocator->ConnectServer(L"ROOT\\CIMV2", NULL, NULL, NULL, 0, NULL, NULL, &WbemServices);
    //Run the WQL Query
    hr = WbemServices->ExecQuery(L"WQL", L"SELECT ProcessId,CommandLine,ExecutablePath FROM Win32_Process", WBEM_FLAG_FORWARD_ONLY, NULL, &EnumWbem);

    qDebug() << "Got here." << (void*)hr;
    // Iterate over the enumerator
    if (EnumWbem != NULL) {
        IWbemClassObject *result = NULL;
        ULONG returnedCount = 0;

        while((hr = EnumWbem->Next(WBEM_INFINITE, 1, &result, &returnedCount)) == S_OK) {
            VARIANT ProcessId;
            VARIANT CommandLine;
            VARIANT ExecutablePath;

            // access the properties
            hr = result->Get(L"ProcessId", 0, &ProcessId, 0, 0);
            hr = result->Get(L"CommandLine", 0, &CommandLine, 0, 0);
            hr = result->Get(L"ExecutablePath", 0, &ExecutablePath, 0, 0);

            if (ProcessId.uintVal == pid)
            {
                *commandLine = QString::fromUtf16((ushort*)(long)CommandLine.bstrVal);// + sizeof(int)); //bstrs have their length as an integer.
                *executable = QString::fromUtf16((ushort*)(long)ExecutablePath.bstrVal);// + sizeof(int)); //bstrs have their length as an integer.

                qDebug() << *commandLine << *executable;
            }

            result->Release();
        }
    }

    // Release the resources
    EnumWbem->Release();
    WbemServices->Release();
    WbemLocator->Release();

    CoUninitialize();
    //getchar();

    return(0);
}

在我的Qt项目文件(.pro)中,我链接到以下库:

LIBS += -lole32 -lwbemuuid

Answer 3

重复如何查询正在运行的进程的参数列表？(windows, C++)，所以我会从那里复制我的答案：

您无法可靠地获取该信息。有各种技巧可以尝试检索它，但不能保证目标进程尚未损坏该部分内存。Raymond Chen 曾在The Old New Thing上讨论过这个问题。