{ Follows two levels of indirection starting two bytes past AFunc.

  Reads the 32-bit value stored at AFunc + 2, treats that value as an
  address, and returns the 32-bit value stored there.

  NOTE(review): this presumably expects AFunc to be an import thunk of the
  form "jmp dword ptr [slot]" (two opcode bytes followed by a 32-bit slot
  address), so the result would be the routine's resolved address - confirm.
  Nothing here checks the opcode bytes, and both reads touch whatever memory
  the values point at; a nil or unexpected AFunc faults. The 32-bit reads
  make this x86-only. }
function GetSysFuncAddr(AFunc: Pointer): Integer;
type
  PPtr = ^Pointer;
  PInt = ^Integer;
var
  Slot: Pointer;
begin
  // First hop: the 4-byte operand that sits right after the two leading bytes.
  Slot := PPtr(PAnsiChar(AFunc) + 2)^;
  // Second hop: the value currently stored at that address.
  Result := PInt(Slot)^;
end;
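{ Copies the start of process APID's command line into ABuf.

  ABuf must point at a buffer of at least MAX_PATH bytes. On return it always
  holds a zero-terminated string; it is empty when the process cannot be
  opened or either remote read fails. Longer command lines are truncated.

  How the address is found (all of it in the *calling* process):
    1. resolve GetCommandLine through GetSysFuncAddr and add 7;
    2. apply a fixed displacement, $7dd70d2c - $7dd75178, written as two
       subtractions;
    3. read a 32-bit value there, add 1, and read the 32-bit value at that
       address.
  The result is then used as an address inside the target process.

  NOTE(review): the two constants look like absolute addresses taken from one
  specific system DLL build - confirm. On any other build, or if the target
  does not map that module at the same base as the caller, steps 2-3 read
  unrelated memory or fault. A version-independent source for the same data
  is the target's process parameters (PEB via NtQueryInformationProcess) or
  WMI Win32_Process.CommandLine.

  The inline assembly and 4-byte pointer reads make this x86-only.
  Command lines frequently carry secrets; avoid logging ABuf verbatim. }
procedure GetRemoteCommandLine(ABuf: PChar; APID: Integer);
var
  dwAddr, dwRead: DWORD;
  hProc: THandle;
begin
  if ABuf = nil then
    Exit;

  // Start from an all-zero buffer so every exit path leaves a terminated string.
  FillChar(ABuf^, MAX_PATH, 0);

  dwAddr := GetSysFuncAddr(@GetCommandLine) + 7;
  // Net effect of the next two lines: dwAddr + ($7dd70d2c - $7dd75178).
  dwAddr := $7dd75178 - dwAddr;
  dwAddr := $7dd70d2c - dwAddr;
  asm
    mov eax, dwAddr
    mov eax, [eax]       // local read: faults if the displacement is wrong for this system
    add eax, 1
    mov eax, [eax]
    mov dwAddr, eax
  end;

  hProc := OpenProcess(PROCESS_VM_READ, False, APID);
  if hProc = 0 then
    Exit;                // no such process, or access denied
  try
    // First remote read: fetch the pointer stored at dwAddr in the target.
    if not ReadProcessMemory(hProc, Pointer(dwAddr), @dwAddr, SizeOf(dwAddr), dwRead) then
      Exit;
    if dwRead <> SizeOf(dwAddr) then
      Exit;              // a short read would leave a half-written pointer

    // Second remote read: the string itself. One character short of MAX_PATH
    // bytes so the zero fill above always supplies the terminator.
    if not ReadProcessMemory(hProc, Pointer(dwAddr), ABuf, MAX_PATH - SizeOf(Char), dwRead) then
      FillChar(ABuf^, MAX_PATH, 0);  // discard anything a failed read left behind
  finally
    // The original never closed the handle; release it on every path.
    CloseHandle(hProc);
  end;
end;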
{ Demo driver: asks GetRemoteCommandLine for the command line of the process
  with the fixed id 3556 and stores it in a local buffer. The result is not
  used afterwards, and the id is only meaningful on the machine where this
  was written. }
procedure test;
const
  DemoPid = 3556;
var
  CmdLine: array [0..MAX_PATH] of Char;  // MAX_PATH + 1 characters
begin
  GetRemoteCommandLine(@CmdLine[0], DemoPid);
end;