VC++.进程命令行参数

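// Closes a kernel handle on scope exit so an exception thrown after
// OpenProcess() cannot leak the handle through the catch(...) path.
struct ScopedHandle
{
	HANDLE h;
	explicit ScopedHandle(HANDLE handle) : h(handle) {}
	~ScopedHandle() { if (h) CloseHandle(h); }
	ScopedHandle(const ScopedHandle&) = delete;
	ScopedHandle& operator=(const ScopedHandle&) = delete;
};

// Copies the NUL-terminated WCHAR string that starts at dwAddr inside
// hProcess into a CString.
//
// The string is read page by page, never crossing a page boundary in one
// call, because ReadProcessMemory fails as a whole when any byte of the
// requested range is unmapped; a single fixed-size read (as the original
// did with MAX_PATH) would therefore fail for a short string that ends just
// before an unmapped page, and silently truncate a long one.  Reading stops
// at the first NUL or at the 32767-character command-line limit.
//
// Returns an empty CString if the string is unreadable or unterminated
// (fail closed; a partial, unterminated buffer from another process is not
// something callers should be handed).
static CString ReadRemoteCommandLine(HANDLE hProcess, DWORD dwAddr)
{
	SYSTEM_INFO sysInfo = { 0 };
	GetSystemInfo(&sysInfo);
	const SIZE_T cbPage = sysInfo.dwPageSize ? sysInfo.dwPageSize : 4096;
	const SIZE_T cchMax = 32767; // upper bound of a Windows command line

	CStringW wide;
	SIZE_T cchTotal = 0;
	while (cchTotal < cchMax)
	{
		const ULONG_PTR addr = (ULONG_PTR)dwAddr + cchTotal * sizeof(WCHAR);
		WCHAR buf[2048];

		// Largest read that stays inside the current page, the remaining
		// character budget and the local buffer.
		SIZE_T cbWant = cbPage - (addr & (cbPage - 1));
		const SIZE_T cbBudget = (cchMax - cchTotal) * sizeof(WCHAR);
		if (cbWant > cbBudget) cbWant = cbBudget;
		if (cbWant > sizeof(buf)) cbWant = sizeof(buf);
		if (cbWant < sizeof(WCHAR)) cbWant = sizeof(WCHAR); // odd-aligned start

		SIZE_T cbRead = 0;
		if (!ReadProcessMemory(hProcess, (PVOID)addr, buf, cbWant, &cbRead) || cbRead < sizeof(WCHAR))
		{
			return CString(); // unreadable before a terminator
		}

		const SIZE_T cch = cbRead / sizeof(WCHAR);
		for (SIZE_T i = 0; i < cch; ++i)
		{
			if (buf[i] == L'\0')
			{
				wide.Append(buf, (int)i);
				// LPCWSTR ctor converts to the build's TCHAR; the original
				// read WCHARs into a TCHAR buffer, which is wrong in ANSI builds.
				return CString(static_cast<LPCWSTR>(wide));
			}
		}
		wide.Append(buf, (int)cch);
		cchTotal += cch;
	}
	return CString(); // no terminator within the limit
}

// Reads the command line of the process with id dwPid.
//
// Own process: returns GetCommandLine() directly.
// Other process: finds kernelbase!GetCommandLineW in *this* process, decodes
// the absolute address of the static command-line pointer from its first
// instruction (x86 encoding "A1 imm32" = mov eax, [imm32]), reads that
// pointer out of the target with ReadProcessMemory, then reads the WCHAR
// string it points to.  This assumes kernelbase.dll is mapped at the same
// base in the target as in the caller, which is the usual situation for a
// system DLL within one boot session but is not guaranteed (a relocated
// module, or a target of different bitness, breaks it).
//
// Limitations:
//  - 32-bit x86 caller and 32-bit target only.  An x64 build returns an
//    empty string: the x64 GetCommandLineW is not encoded as "A1 imm32", and
//    a 32-bit absolute operand would be meaningless there anyway.
//  - If the prologue has been rewritten (user-mode hook, patched build), the
//    opcode check fails and an empty string is returned.
//  - Needs PROCESS_VM_READ on the target (same user, or SeDebugPrivilege);
//    protected processes, or a target whose loader has not yet initialised
//    the pointer, yield an empty string.
//  - An empty result therefore means "could not read" as much as "no args";
//    callers must not distinguish the two.
//  - The bytes are copied out of another process: treat the result as
//    untrusted data (never reuse it as a format string, and do not feed it
//    to CreateProcess / ShellExecute without validation).
//
// Returns the command line, or an empty CString on any failure.  The
// catch(...) covers only C++ exceptions (e.g. CString allocation failure);
// it does not catch access violations, which would need /EHa or __try.
CString GetCmdLine(IN DWORD dwPid)
{
	CString ret;
	if (GetCurrentProcessId() == dwPid)
	{
		return GetCommandLine();
	}
#if defined(_WIN64)
	return ret; // see "Limitations" above: fail closed on 64-bit builds
#else
	try
	{
		// kernelbase.dll is already loaded in every process that has it, so
		// GetModuleHandle avoids taking an extra (never released) reference;
		// LoadLibrary is kept only as a fallback.
		HMODULE hKernelBase = GetModuleHandle(_T("kernelbase.dll"));
		if (!hKernelBase)
		{
			hKernelBase = LoadLibrary(_T("kernelbase.dll"));
		}
		PBYTE pFunc = hKernelBase ? (PBYTE)GetProcAddress(hKernelBase, "GetCommandLineW") : NULL;
		if (!pFunc || pFunc[0] != 0xA1) /* expect: mov eax, [imm32] */
		{
			return ret; // unknown prologue: hooked, patched or a different OS build
		}
		const DWORD dwPtrAddr = *(DWORD*)(pFunc + 1);

		// Least privilege: reading memory needs only PROCESS_VM_READ.
		ScopedHandle process(OpenProcess(PROCESS_VM_READ, FALSE, dwPid));
		if (!process.h)
		{
			return ret;
		}

		DWORD dwStrAddr = 0;
		SIZE_T cbRead = 0;
		const BOOL ok = ReadProcessMemory(process.h, (PVOID)(ULONG_PTR)dwPtrAddr,
			&dwStrAddr, sizeof(dwStrAddr), &cbRead);
		// A NULL pointer means the target has not initialised its command
		// line yet (or the base-address assumption did not hold).
		if (ok && cbRead == sizeof(dwStrAddr) && dwStrAddr != 0)
		{
			ret = ReadRemoteCommandLine(process.h, dwStrAddr);
		}
	}
	catch (...)
	{
		OutputDebugStringA(__FUNCTION__);
	}
	return ret;
#endif
}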

#include <iostream>
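// Demo driver: launches winmine.exe, reads its command line via GetCmdLine()
// and tears it down again.
//
// lpApplicationName is passed explicitly and lpCommandLine is NULL, so the
// target path is not subject to command-line parsing or the unquoted-path
// search that a bare lpCommandLine would be.
int main()
{
	STARTUPINFO si = { 0 };
	si.cb = sizeof(si);
	PROCESS_INFORMATION pi = { 0 };
	BOOL b = CreateProcess(_T("C:\\Using\\winmine.exe"), 0, 0, 0, 0, 0, 0, 0, &si, &pi);
	if (b)
	{
		// The target's command-line pointer only exists once its loader has
		// run.  Wait for the GUI process to reach its message loop instead of
		// relying on a fixed sleep; for a console target (or on failure)
		// WaitForInputIdle returns immediately, so keep the sleep as fallback.
		if (WaitForInputIdle(pi.hProcess, 5000) != 0)
		{
			Sleep(1000);
		}

		CString str = GetCmdLine(pi.dwProcessId);
		std::wcout.imbue(std::locale("chs"));
		// Printed as data, never used as a format string: it came from
		// another process's memory.
		std::wcout << str.GetString() << std::endl;

		// pi.hProcess already carries full access to our own child; a second
		// OpenProcess(PROCESS_ALL_ACCESS) is redundant and leaked its handle.
		TerminateProcess(pi.hProcess, 0);
		CloseHandle(pi.hThread);
		CloseHandle(pi.hProcess);
	}

	return 0;
}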