Delphi 获取进程路径及命令行参数, 但有的进程获取时会报错,不知为啥

type

  PVOID64 = UINT64;

  _UNICODE_STRING = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Buffer : PWideChar;

  end;

  UNICODE_STRING = _UNICODE_STRING;

  PUNICODE_STRING =^_UNICODE_STRING;

  _UNICODE_STRING64 = packed record

    Length : USHORT;

    MaximumLength : USHORT;

    Fill : DWORD;

    Buffer : PVOID64;

  end;

  UNICODE_STRING64 = _UNICODE_STRING64;

  PUNICODE_STRING64 =^_UNICODE_STRING64;

  __PEB = packed record

    Filler : array [..] of DWORD;

    ProcessParameters : DWORD;

  end;

  __PEB64 = packed record

    Filler : array [..] of PVOID64;

    ProcessParameters : PVOID64;

  end;

  _CURDIR = packed record

    DosPath : UNICODE_STRING;

    Handle : THANDLE;

  end;

  _CURDIR64 = packed record

    DosPath : UNICODE_STRING64;

    Handle : PVOID64;

  end;

  _RTL_USER_PROCESS_PARAMETERS = packed record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :THandle;

    ConsoleFlags    :DWORD;

    StandardInput   :THandle;

    StandardOutput  :THandle;

    StandardError   :THandle;

    //////////////////////////

    DosPath         :UNICODE_STRING;    //CurrentDirectory

    Handle          :THANDLE;

    //////////////////////////

    DllPath         :UNICODE_STRING;

    ImagePathName   :UNICODE_STRING;

    CmdLine         :UNICODE_STRING;

  end;

  _RTL_USER_PROCESS_PARAMETERS64 = record

    MaximumLength   :DWORD;

    Length          :DWORD;

    Flags           :DWORD;

    DebugFlags      :DWORD;

    ConsoleHandle   :PVOID64;

    ConsoleFlags    :DWORD;

    StandardInput   :PVOID64;

    StandardOutput  :PVOID64;

    StandardError   :PVOID64;

    //////////////////////////

    CurrentDirectory:_CURDIR64;

    //////////////////////////

    DllPath         :UNICODE_STRING64;

    ImagePathName   :UNICODE_STRING64;

    CmdLine         :UNICODE_STRING64;

  end;

  _PROCESS_BASIC_INFORMATION = packed record

    Reserved1       :PVOID;

    PebBaseAddress  :PVOID;

    Reserved2       :Array [..] of PVOID;

    UniqueProcessId :PVOID;

    Reserved3       :PVOID;

  end;

  PROCESS_BASIC_INFORMATION  =_PROCESS_BASIC_INFORMATION;

  PPROCESS_BASIC_INFORMATION =^_PROCESS_BASIC_INFORMATION;

  _PROCESS_BASIC_INFORMATION64 = packed record

    Reserved1       :PVOID64;

    PebBaseAddress  :PVOID64;

    Reserved2       :Array [..] of PVOID64;

    UniqueProcessId :PVOID64;

    Reserved3       :PVOID64;

  end;

  PROCESS_BASIC_INFORMATION64  =_PROCESS_BASIC_INFORMATION64;

  PPROCESS_BASIC_INFORMATION64 =^_PROCESS_BASIC_INFORMATION64;

  TNtQueryInformationProcess = function(a:THANDLE;b:UINT;c:PVOID;d:ULONG;e:PULONG):LONG; stdcall;

  TNtReadVirtualMemory = function(ProcessHandle:THANDLE; BaseAddress:PVOID; Buffer:PVOID; NumberOfBytesToRead:ULONG; NumberOfBytesReaded:PULONG):LONG; stdcall;

  TNtReadVirtualMemory64 = function(ProcessHandle:THANDLE; BaseAddress:PVOID64; Buffer:PVOID; NumberOfBytesToRead:UINT64; NumberOfBytesReaded:PUINT64):LONG; stdcall;

  TISWOW64PROCESS = function(hProcess:THANDLE; var Wow64Process:BOOL):BOOL; stdcall;

  function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

implementation

function GetProcessImagePathAndCmdLine32(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory;

  dwSize:DWORD;

  size:SIZE_T;

  iReturn:Integer;

  pAddrPEB:PVOID;

  PEB:__PEB;

  stBlock:_RTL_USER_PROCESS_PARAMETERS;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtQueryInformationProcess');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtReadVirtualMemory');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := nil;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),@dwSize);

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PULONG(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PVOID(PEB.ProcessParameters), @stBlock, sizeof(stBlock), PULONG(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      if (stBlock.ImagePathName.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

        FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

        if (stBlock.ImagePathName.MaximumLength <= ) and ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.ImagePathName.Buffer), PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

        // . Get the CmdLine

      if (stBlock.CmdLine.MaximumLength <= ) then

      begin

        PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

        FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

        if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, PVOID(stBlock.CmdLine.Buffer), PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PULONG(@size))) then

        begin    // Call GetLastError() if you need to know why

          SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

          Result := True;

        end;

        FreeMemory(PathBuffer);

      end;

    end;

  end;

end;

function GetProcessImagePathAndCmdLine64(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  pbi : PROCESS_BASIC_INFORMATION64;

  pfnNtQueryInformationProcess : TNtQueryInformationProcess;

  pfnNtReadVirtualMemory : TNtReadVirtualMemory64;

  dwSize:DWORD;

  size:UINT64;

  iReturn:Integer;

  pAddrPEB:PVOID64;

  PEB:__PEB64;

  stBlock:_RTL_USER_PROCESS_PARAMETERS64;

  PathBuffer : PByte;

begin

  Result := False;

  @pfnNtQueryInformationProcess := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64QueryInformationProcess64');

  @pfnNtReadVirtualMemory := GetProcAddress(GetModuleHandle('ntdll.dll'),'NtWow64ReadVirtualMemory64');

  if ( Assigned(pfnNtQueryInformationProcess) ) then

  begin

    pAddrPEB := ;

    iReturn := pfnNtQueryInformationProcess(hProcess,,@pbi,sizeof(pbi),PULONG(@dwSize));

    pAddrPEB := pbi.PebBaseAddress;

    // NtQueryInformationProcess returns a negative value if it fails

    if (iReturn >= ) then

    begin

      // . Find the Process Environment Block

      size := dwSize;

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, pAddrPEB, @PEB, sizeof(PEB), PUINT64(@size)) ) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . From this PEB, get the address of the block containing

      // a pointer to the CmdLine

      if ( ERROR_SUCCESS <> pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, @stBlock, sizeof(stBlock), PUINT64(@size))) then

      begin

        // Call GetLastError() if you need to know why

        Exit;

      end;

      // . Get the ImagePathName

      PathBuffer := GetMemory(stBlock.ImagePathName.MaximumLength);

      FillChar(PathBuffer^,stBlock.ImagePathName.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.ImagePathName.Buffer, PVOID(PathBuffer), stBlock.ImagePathName.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(ImagePath,PChar(PathBuffer),stBlock.ImagePathName.Length div );

        Result := True;

      end;

      // . Get the CmdLine

      FreeMemory(PathBuffer);

      PathBuffer := GetMemory(stBlock.CmdLine.MaximumLength);

      FillChar(PathBuffer^,stBlock.CmdLine.MaximumLength,);

      if ( ERROR_SUCCESS = pfnNtReadVirtualMemory(hProcess, stBlock.CmdLine.Buffer, PVOID(PathBuffer), stBlock.CmdLine.Length*sizeof(Char), PUINT64(@size))) then

      begin    // Call GetLastError() if you need to know why

        SetString(CmdLine,PChar(PathBuffer),stBlock.CmdLine.Length div );

        Result := True;

      end;

      FreeMemory(PathBuffer);

    end;

  end;

end;

function GetProcessImagePathAndCmdLine(hProcess:THandle; var ImagePath:string; var CmdLine:string):Boolean;

var

  fn:TISWOW64PROCESS;

begin

  Result := False;

  try

    fn := GetProcAddress(GetModuleHandle('kernel32'),'IsWow64Process');

    if Assigned(fn) then

    begin

      Result := GetProcessImagePathAndCmdLine64(hProcess,ImagePath,CmdLine);

    end else

    begin

      Result := GetProcessImagePathAndCmdLine32(hProcess,ImagePath,CmdLine);

    end;

  Except

  end;

end;

Delphi 获取进程路径及命令行参数的更多相关文章

  1. PED结构获取进程路径和命令行地址

    1.FS寄存器 2.进入FS寄存器地址,7FFDD000 3.偏移30为PED结构 4.偏移地址10 3C,44偏移:路径地址,命令行地址 // 通过PEB结构去查找所有进程模块 void *PEB ...

  2. Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    特殊变量列表 变量 含义 $0 当前脚本的文件名 $n 传递给脚本或函数的参数.n 是一个数字,表示第几个参数.例如,第一个参数是$1,第二个参数是$2. $# 传递给脚本或函数的参数个数. $* 传 ...

  3. 【Shell脚本学习8】Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  4. 【转】shell 教程——07 Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid,看下面的代码: $echo $$ 运 ...

  5. linux bash Shell特殊变量:Shell $0, $#, $*, $@, $?, $$和命令行参数

    在linux下配置shell参数说明 前面已经讲到,变量名只能包含数字.字母和下划线,因为某些包含其他字符的变量有特殊含义,这样的变量被称为特殊变量. 例如,$ 表示当前Shell进程的ID,即pid ...

  6. UE4命令行参数解析

    转自:https://blog.csdn.net/u012999985/article/details/53544389 一 .命令行参数简述命令行参数是一连串的关键字字符串,当运行可执行文件时可以通 ...

  7. C#中如何获取其他进程的命令行参数 ( How to get other processes's command line argument )

    Subject: C#中如何获取其他进程的命令行参数 ( How to get other processes&apos;s command line argument )From: jian ...

  8. Linux进程-命令行参数和环境列表

    命令行参数 在C中,main函数有很多的变种,比如 main(), int main(), int main(int argc, char *argv[]), int main(int argc, c ...

  9. .NET 命令行参数包含应用程序路径吗?

    如果你关注过命令行参数,也许发现有时你会在命令行参数的第一个参数中中看到应用程序的路径,有时又不会.那么什么情况下有路径呢? 其实是否有路径只是取决于获取命令行参数的时候用的是什么方法.而这是 Win ...

随机推荐

  1. Excel DNA学习笔记一

    由于各种原因,被迫学习Excel DNA这个开源项目的使用方法,最后希望可以在其中,调用xll进行编码. 由此整理一下,这期间使用到的一些资料. 1.下载Excel DNA,目前最新的是0.30版 h ...

  2. hdu 5745 La Vie en rose DP + bitset优化

    http://acm.hdu.edu.cn/showproblem.php?pid=5745 这题好劲爆啊.dp容易想,但是要bitset优化,就想不到了. 先放一个tle的dp.复杂度O(n * m ...

  3. Elasticsearch和mysql数据同步(elasticsearch-jdbc)

    1.介绍 对mysql.oracle等数据库数据进行同步到ES有三种做法:一个是通过elasticsearch提供的API进行增删改查,一个就是通过中间件进行数据全量.增量的数据同步,另一个是通过收集 ...

  4. 【转】Android 实现ListView的滑动删除效果

    http://www.cnblogs.com/weixiao870428/p/3524055.html http://download.csdn.net/download/love_javc_you/ ...

  5. Struts2内建校验器(基于校验框架的文件校验)

    位于xwork-2.0.4.jar压缩包中( com.opensymphony.xwork2.validator.validators)有个文件default.xml ,该文件中定义了Struts2框 ...

  6. Codeforces Round #327 (Div. 2) B. Rebranding 水题

    B. Rebranding Time Limit: 20 Sec Memory Limit: 256 MB 题目连接 http://codeforces.com/contest/591/problem ...

  7. 【转】Dancing Links精确覆盖问题

    原文链接:http://sqybi.com/works/dlxcn/ (只转载过来一部分,全文请看原文,感觉讲得很好~)正文    精确覆盖问题    解决精确覆盖问题    舞蹈步骤    效率分析 ...

  8. Asp.Net下载页面,并弹出下载提示框

    Asp.Net下载页面,并弹出下载提示框.在删除按钮里调用以下方法.

  9. 1020. Tree Traversals (25)

    the problem is from pat,which website is http://pat.zju.edu.cn/contests/pat-a-practise/1020 and the ...

  10. 解决iphone横屏时字体变大问题或者内容大小不一样等

    在样式表中增加: @media screen and (max-device-width: 320px){body{-webkit-text-size-adjust:none}} @media scr ...