S.l.e!ep.￠%

//?? procmdline.cpp?? (Windows?? NT/2000)??
//??
//?? This?? example?? shows?? how?? to?? get?? the?? command?? line?? for?? almost?? any?? process??
//?? on?? the?? system?? for?? Windows?? NT/2000??
//????
//??
//?? (c)1999?? Ashot?? Oganesyan?? K,?? SmartLine,?? Inc??
//?? mailto:ashot@aha.ru,?? http://www.protect-me.com,?? http://www.codepile.com??

#include?? <windows.h>??
#include?? <stdio.h>??

#define?? ProcessBasicInformation?? 0??

typedef?? struct??
{??
?USHORT?? Length;??
?USHORT?? MaximumLength;??
?PWSTR???? Buffer;??
}?? UNICODE_STRING,?? *PUNICODE_STRING;??

typedef?? struct??
{??
?ULONG???????????????????? AllocationSize;??
?ULONG???????????????????? ActualSize;??
?ULONG???????????????????? Flags;??
?ULONG???????????????????? Unknown1;??
?UNICODE_STRING?? Unknown2;??
?HANDLE?????????????????? InputHandle;??
?HANDLE?????????????????? OutputHandle;??
?HANDLE?????????????????? ErrorHandle;??
?UNICODE_STRING?? CurrentDirectory;??
?HANDLE?????????????????? CurrentDirectoryHandle;??
?UNICODE_STRING?? SearchPaths;??
?UNICODE_STRING?? ApplicationName;??
?UNICODE_STRING?? CommandLine;??
?PVOID???????????????????? EnvironmentBlock;??
?ULONG???????????????????? Unknown[9];??
?UNICODE_STRING?? Unknown3;??
?UNICODE_STRING?? Unknown4;??
?UNICODE_STRING?? Unknown5;??
?UNICODE_STRING?? Unknown6;??
}?? PROCESS_PARAMETERS,?? *PPROCESS_PARAMETERS;??

typedef?? struct??
{??
?ULONG?????????????????????????????? AllocationSize;??
?ULONG?????????????????????????????? Unknown1;??
?HINSTANCE?????????????????????? ProcessHinstance;??
?PVOID?????????????????????????????? ListDlls;??
?PPROCESS_PARAMETERS?? ProcessParameters;??
?ULONG?????????????????????????????? Unknown2;??
?HANDLE???????????????????????????? Heap;??
}?? PEB,?? *PPEB;??

typedef?? struct??
{??
?DWORD?? ExitStatus;??
?PPEB???? PebBaseAddress;??
?DWORD?? AffinityMask;??
?DWORD?? BasePriority;??
?ULONG?? UniqueProcessId;??
?ULONG?? InheritedFromUniqueProcessId;??
}?????? PROCESS_BASIC_INFORMATION;??

//?? ntdll!NtQueryInformationProcess?? (NT?? specific!)??
//??
//?? The?? function?? copies?? the?? process?? information?? of?? the??
//?? specified?? type?? into?? a?? buffer??
//??
//?? NTSYSAPI??
//?? NTSTATUS??
//?? NTAPI??
//?? NtQueryInformationProcess(??
//???????? IN?? HANDLE?? ProcessHandle,???????????????????????????? //?? handle?? to?? process??
//???????? IN?? PROCESSINFOCLASS?? InformationClass,?? //?? information?? type??
//???????? OUT?? PVOID?? ProcessInformation,?????????????????? //?? pointer?? to?? buffer??
//???????? IN?? ULONG?? ProcessInformationLength,???????? //?? buffer?? size?? in?? bytes??
//???????? OUT?? PULONG?? ReturnLength?? OPTIONAL???????????? //?? pointer?? to?? a?? 32-bit??
//???????????????????????????????????????????????????????????????????????????????????? //?? variable?? that?? receives??
//???????????????????????????????????????????????????????????????????????????????????? //?? the?? number?? of?? bytes??
//???????????????????????????????????????????????????????????????????????????????????? //?? written?? to?? the?? buffer????
//?? );??
typedef?? LONG?? (WINAPI?? *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);??

PROCNTQSIP?? NtQueryInformationProcess;??

BOOL?? GetProcessCmdLine(DWORD?? dwId,LPWSTR?? wBuf,DWORD?? dwBufLen);??

void?? main(int?? argc,?? char*?? argv[])??
{??
?if?? (argc<2)??
?{??
??printf("Usage:\n\ncmdline.exe?? ProcId\n");??
??return;??
?}??
?
?
?NtQueryInformationProcess?? =?? (PROCNTQSIP)GetProcAddress(??
??GetModuleHandle("ntdll"),??
??"NtQueryInformationProcess"??
??);??
???
?if?? (!NtQueryInformationProcess)??
??return;??
???
?DWORD?? dwId;??
?sscanf(argv[1],"%lu",&dwId);??
???
?WCHAR?? wstr[255];??
???
?if?? (GetProcessCmdLine(dwId,wstr,sizeof(wstr)))??
??wprintf(L"Command?? line?? for?? process?? %lu?? is:\n %s?? \n", dwId, wstr);??
?else??
??wprintf(L"Could?? not?? get?? command?? line!");??
???
}??

BOOL?? GetProcessCmdLine(DWORD?? dwId,LPWSTR?? wBuf,DWORD?? dwBufLen)??
{??
?LONG???????????????????????????????????????????? status;??
?HANDLE???????????????????????????????????????? hProcess;??
?PROCESS_BASIC_INFORMATION?? pbi;??
?PEB?????????????????????????????????????????????? Peb;??
?PROCESS_PARAMETERS???????????????? ProcParam;??
?DWORD?????????????????????????????????????????? dwDummy;??
?DWORD?????????????????????????????????????????? dwSize;??
?LPVOID???????????????????????????????????????? lpAddress;??
?BOOL???????????????????????????????????????????? bRet?? =?? FALSE;??
???
?//?? Get?? process?? handle??
?hProcess?? =?? OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId);??
?if?? (!hProcess)??
??return?? FALSE;??
???
?//?? Retrieve?? information??
?status?? =?? NtQueryInformationProcess(?? hProcess,??
??ProcessBasicInformation,??
??(PVOID)&pbi,??
??sizeof(PROCESS_BASIC_INFORMATION),??
??NULL??
??);??
???
???
?if?? (status)??
??goto?? cleanup;??
???
?if?? (!ReadProcessMemory(?? hProcess,??
??pbi.PebBaseAddress,??
??&Peb,??
??sizeof(PEB),??
??&dwDummy??
??)??
??)??
??goto?? cleanup;??
???
?if?? (!ReadProcessMemory(?? hProcess,??
??Peb.ProcessParameters,??
??&ProcParam,??
??sizeof(PROCESS_PARAMETERS),??
??&dwDummy??
??)??
??)??
??goto?? cleanup;??
???
?lpAddress?? =?? ProcParam.CommandLine.Buffer;??
?dwSize?? =?? ProcParam.CommandLine.Length;??
???
?if?? (dwBufLen<dwSize)??
??goto?? cleanup;??
???
?if?? (!ReadProcessMemory(?? hProcess,??
??lpAddress,??
??wBuf,??
??dwSize,??
??&dwDummy??
??)??
??)??
??goto?? cleanup;??
???
?
?bRet?? =?? TRUE;??
???
cleanup:??
???
?CloseHandle?? (hProcess);??
???
?
?return?? bRet;??
}