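        /// <summary>
        /// Returns the launch arguments of <paramref name="targetProcess"/>: its command line with the
        /// first occurrence of the double-quoted <paramref name="executablePath"/> removed and leading
        /// spaces stripped.
        /// </summary>
        /// <param name="targetProcess">Process whose command line is read (only its Id is used).</param>
        /// <param name="executablePath">Executable path expected at the start of the command line; it is matched wrapped in double quotes.</param>
        /// <returns>The remaining argument string, or <see cref="string.Empty"/> when the command line could not be read or processed.</returns>
        /// <remarks>
        /// The command line is read out of the target process's own memory, so the returned text is
        /// untrusted input under that process's control; callers that log, display or re-parse it
        /// should treat it as such. Failures (process gone, access denied, null process) are written
        /// to Debug output and yield an empty string rather than an exception, keeping the best-effort
        /// contract callers rely on; previously the failure was swallowed without a trace and a
        /// partially processed string could be returned.
        /// </remarks>
        public static string GetLaunchArgumentsFromProcess(Process targetProcess, string executablePath)
        {
            string launchArguments = string.Empty;

            try
            {
                // The command line normally starts with the quoted executable path; drop that first match only.
                string removeFromArgument = '"' + executablePath + '"';
                launchArguments = GetProcessParameterString(targetProcess.Id, USER_PROCESS_PARAMETERS.CommandLine);
                launchArguments = AVFunctions.StringReplaceFirst(launchArguments, removeFromArgument, string.Empty, true);
                launchArguments = AVFunctions.StringRemoveStart(launchArguments, " ");
            }
            catch (Exception ex)
            {
                // Best-effort: keep the empty-string contract, but do not hide why it failed.
                Debug.WriteLine("Failed to get launch arguments from process: " + ex.Message);
                launchArguments = string.Empty;
            }
            return launchArguments;
        }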
        /// <summary>
        /// Reads the command-line string of another process by walking its PEB:
        /// NtQueryInformationProcess for the PEB address, then PEB.ProcessParameters,
        /// then the CommandLine UNICODE_STRING inside the user process parameters.
        /// </summary>
        /// <param name="i_Process">Process object whose command line is read; its Handle is used for the reads.</param>
        /// <returns>String: the target's command line, or "" when the handle cannot be obtained or any step throws.</returns>
        /// <remarks>
        /// Every value followed here (PebBaseAddress, ProcessParameters, CommandLine.Length and
        /// CommandLine.buffer) is read from the target process's memory and is therefore under
        /// that process's control; the returned text is untrusted data.
        /// NOTE(review): the results of NtQueryInformationProcess and ReadProcessMemory are never
        /// checked, so a failed read leaves the unmanaged buffer holding whatever AllocHGlobal
        /// returned and the next step operates on that; only the final catch covers it, and only
        /// if something actually throws. Checking those results and returning "" early would be safer.
        /// The PEB/USER_PROCESS_PARAMETERS layouts marshalled here presumably match the caller's
        /// own bitness — TODO confirm behaviour for a target of different bitness.
        /// </remarks>
        public static System.String GetRemoteCommandLine(System.Diagnostics.Process i_Process)
        {
            System.String a_CommandLine = "";
            int           ReadSize      = 0;

            System.IntPtr a_hProcess = System.IntPtr.Zero;
            System.IntPtr a_Buffer   = System.IntPtr.Zero;

            // Bail out if the process handle cannot be obtained (e.g. access denied or process exited).
            try
            {
                a_hProcess = i_Process.Handle;
            }
            catch (System.Exception)
            {
                return("");
            }

            try
            {
                // Get Process Basic Information (gives PebBaseAddress).
                // NOTE(review): the NTSTATUS result is discarded; pbi may be unfilled on failure.
                PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
                NtQueryInformationProcess(
                    a_hProcess,
                    PROCESSINFOCLASS.ProcessBasicInformation,
                    ref pbi,
                    Memory.SizeOf(pbi),
                    out ReadSize);

                // Read PEB Memory Block into a temporary unmanaged buffer, then marshal it to a struct.
                // NOTE(review): the ReadProcessMemory result is discarded; the buffer is not zeroed first.
                PROCESS_ENVIRONMENT_BLOCK peb = new PROCESS_ENVIRONMENT_BLOCK();
                a_Buffer = Marshal.AllocHGlobal(Memory.SizeOf(peb));
                ReadProcessMemory(
                    a_hProcess,
                    pbi.PebBaseAddress,
                    a_Buffer,
                    Memory.SizeOf(peb),
                    out ReadSize);
                peb = (PROCESS_ENVIRONMENT_BLOCK)Marshal.PtrToStructure(a_Buffer, peb.GetType());
                Marshal.FreeHGlobal(a_Buffer);
                a_Buffer = System.IntPtr.Zero;

                // Read User Process Parameters (pointed to by PEB.ProcessParameters), same pattern as above.
                USER_PROCESS_PARAMETERS upp = new USER_PROCESS_PARAMETERS();
                a_Buffer = Marshal.AllocHGlobal(Memory.SizeOf(upp));
                ReadProcessMemory(
                    a_hProcess,
                    peb.ProcessParameters,
                    a_Buffer,
                    Memory.SizeOf(upp),
                    out ReadSize);
                upp = (USER_PROCESS_PARAMETERS)Marshal.PtrToStructure(a_Buffer, upp.GetType());
                Marshal.FreeHGlobal(a_Buffer);
                a_Buffer = System.IntPtr.Zero;

                // Fetch the CommandLine string itself.
                // Its Length (read from the target) is treated as a byte count of UTF-16 text: it sizes
                // the allocation and the read, and is divided by CharSize when converting to a string.
                if (0 < upp.CommandLine.Length)
                {
                    a_Buffer = Marshal.AllocHGlobal(upp.CommandLine.Length);
                    // Presumably zero-fills the buffer; note the helper takes the pointer by ref — TODO confirm it does not reassign it.
                    Memory.ZeroMemory(ref a_Buffer, (System.IntPtr)upp.CommandLine.Length);
                    ReadProcessMemory(
                        a_hProcess,
                        upp.CommandLine.buffer,
                        a_Buffer,
                        upp.CommandLine.Length,
                        out ReadSize);
                    a_CommandLine = Marshal.PtrToStringUni(a_Buffer, upp.CommandLine.Length / System.Text.UnicodeEncoding.CharSize);
                    Marshal.FreeHGlobal(a_Buffer);
                    a_Buffer = System.IntPtr.Zero;
                }
            }
            catch (System.Exception)
            {
                // On any exception return an empty string.
                a_CommandLine = "";
            }
            finally
            {
                // Release the unmanaged buffer if an exception left it allocated.
                if (a_Buffer != System.IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(a_Buffer);
                }
                a_Buffer = System.IntPtr.Zero;
            }

            return(a_CommandLine);
        }
        /// <summary>
        /// Gets the command-line string of another process. Resolves the PEB address with
        /// NtQueryInformationProcess, reads the PEB and its ProcessParameters block, and
        /// finally copies the CommandLine UNICODE_STRING out of the target's memory.
        /// </summary>
        /// <param name="i_Process">Process object to inspect; its Handle is used for all reads.</param>
        /// <returns>String: the command line, or "" if the handle is unavailable or an exception occurs.</returns>
        /// <remarks>
        /// PebBaseAddress, ProcessParameters, CommandLine.Length and CommandLine.buffer all come
        /// from the target process's address space, so the target controls what is read and the
        /// result must be treated as untrusted input.
        /// NOTE(review): neither the NTSTATUS from NtQueryInformationProcess nor the bool from
        /// ReadProcessMemory is inspected; after a failed read the unmanaged buffer still contains
        /// whatever AllocHGlobal returned, and that is marshalled and dereferenced by the next step.
        /// Early-return on a failed status would avoid reading from a bogus address.
        /// The struct layouts used are presumably those of the caller's bitness — TODO confirm
        /// what happens when the target's bitness differs.
        /// </remarks>
        public static System.String GetRemoteCommandLine( System.Diagnostics.Process i_Process )
        {
            System.String a_CommandLine = "";
            int ReadSize = 0;
            System.IntPtr a_hProcess = System.IntPtr.Zero;
            System.IntPtr a_Buffer = System.IntPtr.Zero;

            // Obtaining the handle can throw (access denied, process exited); give up in that case.
            try
            {
                a_hProcess = i_Process.Handle;
            }
            catch( System.Exception )
            {
                return "";
            }

            try
            {
                // Get Process Basic Information (PebBaseAddress).
                // NOTE(review): the return status is ignored.
                PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
                NtQueryInformationProcess(
                    a_hProcess,
                    PROCESSINFOCLASS.ProcessBasicInformation,
                    ref pbi,
                    Memory.SizeOf( pbi ),
                    out ReadSize );

                // Read PEB Memory Block into unmanaged scratch memory and marshal it to a struct.
                // NOTE(review): the ReadProcessMemory result is ignored and the buffer is not zeroed.
                PROCESS_ENVIRONMENT_BLOCK peb = new PROCESS_ENVIRONMENT_BLOCK();
                a_Buffer = Marshal.AllocHGlobal( Memory.SizeOf( peb ) );
                ReadProcessMemory(
                    a_hProcess,
                    pbi.PebBaseAddress,
                    a_Buffer,
                    Memory.SizeOf( peb ),
                    out ReadSize );
                peb = (PROCESS_ENVIRONMENT_BLOCK)Marshal.PtrToStructure( a_Buffer,peb.GetType() );
                Marshal.FreeHGlobal( a_Buffer );
                a_Buffer = System.IntPtr.Zero;

                // Read User Process Parameters from the address held in PEB.ProcessParameters.
                USER_PROCESS_PARAMETERS upp = new USER_PROCESS_PARAMETERS();
                a_Buffer = Marshal.AllocHGlobal( Memory.SizeOf( upp ) );
                ReadProcessMemory(
                    a_hProcess,
                    peb.ProcessParameters,
                    a_Buffer,
                    Memory.SizeOf( upp ),
                    out ReadSize );
                upp = (USER_PROCESS_PARAMETERS)Marshal.PtrToStructure( a_Buffer, upp.GetType() );
                Marshal.FreeHGlobal( a_Buffer );
                a_Buffer = System.IntPtr.Zero;

                // Copy out the CommandLine text.
                // CommandLine.Length, supplied by the target, is used as a byte count of UTF-16 data:
                // it sizes the allocation and the read, and is divided by CharSize for the conversion.
                if ( 0 < upp.CommandLine.Length )
                {
                    a_Buffer = Marshal.AllocHGlobal( upp.CommandLine.Length );
                    // Presumably clears the buffer; the helper takes the pointer by ref — TODO confirm it leaves a_Buffer unchanged.
                    Memory.ZeroMemory( ref a_Buffer, (System.IntPtr)upp.CommandLine.Length );
                    ReadProcessMemory(
                        a_hProcess,
                        upp.CommandLine.buffer,
                        a_Buffer,
                        upp.CommandLine.Length,
                        out ReadSize );
                    a_CommandLine = Marshal.PtrToStringUni( a_Buffer, upp.CommandLine.Length / System.Text.UnicodeEncoding.CharSize );
                    Marshal.FreeHGlobal( a_Buffer );
                    a_Buffer = System.IntPtr.Zero;
                }
            }
            catch ( System.Exception )
            {
                // Any exception yields an empty string.
                a_CommandLine = "";
            }
            finally
            {
                // Free the scratch buffer if an exception interrupted the normal free.
                if ( a_Buffer != System.IntPtr.Zero )
                {
                    Marshal.FreeHGlobal( a_Buffer );
                }
                a_Buffer = System.IntPtr.Zero;
            }

            return a_CommandLine;
        }
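        /// <summary>
        /// Reads one user-process-parameter string (command line, image path or current directory)
        /// from another process by following its PEB.
        /// </summary>
        /// <param name="processId">Id of the process to read from.</param>
        /// <param name="requestedProcessParameter">Which string to read. Any value other than
        /// CurrentDirectoryPath, ImagePathName or CommandLine keeps offset 0 (the start of the parameter block).</param>
        /// <returns>The requested string, or <see cref="string.Empty"/> when the process cannot be opened
        /// or any step fails; a Debug line names the failing step.</returns>
        /// <remarks>
        /// The process is opened with QueryInformation | VirtualMemoryRead, so protected or
        /// higher-privileged targets normally fail at OpenProcess and yield an empty string.
        /// The PEB address, the ProcessParameters pointer and the UNICODE_string header (Length, Buffer)
        /// are all read from the target's memory and are therefore controlled by that process: Length
        /// bounds the allocation and the read, but the returned text is untrusted input.
        /// The hard-coded offsets are the internal Windows structure layouts selected by this process's
        /// pointer size (IntPtr.Size), not the target's.
        /// The process handle is now released on every path; previously each early return and any
        /// exception leaked it, and exceptions were swallowed without a trace.
        /// </remarks>
        public static string GetProcessParameterString(int processId, USER_PROCESS_PARAMETERS requestedProcessParameter)
        {
            string Parameterstring = string.Empty;
            IntPtr openProcessHandle = IntPtr.Zero;

            try
            {
                //Open the process for reading
                openProcessHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead, false, processId);
                if (openProcessHandle == IntPtr.Zero)
                {
                    //Debug.WriteLine("Failed to open the process: " + processId);
                    return Parameterstring;
                }

                //Check if Windows is 64 bit (pointer size of this process; it selects the structure layout used below)
                bool Windows64bits = IntPtr.Size > 4;

                //Set the parameter offset: first PEB.ProcessParameters, then the UNICODE_string field inside the parameter block
                long userParameterOffset     = 0;
                long processParametersOffset = Windows64bits ? 0x20 : 0x10;
                if (requestedProcessParameter == USER_PROCESS_PARAMETERS.CurrentDirectoryPath)
                {
                    userParameterOffset = Windows64bits ? 0x38 : 0x24;
                }
                else if (requestedProcessParameter == USER_PROCESS_PARAMETERS.ImagePathName)
                {
                    userParameterOffset = Windows64bits ? 0x60 : 0x38;
                }
                else if (requestedProcessParameter == USER_PROCESS_PARAMETERS.CommandLine)
                {
                    userParameterOffset = Windows64bits ? 0x70 : 0x40;
                }

                //Read information from process (gives the PEB base address); non-zero is an NTSTATUS failure
                PROCESS_BASIC_INFORMATION process_basic_information = new PROCESS_BASIC_INFORMATION();
                int ntQuery = NtQueryInformationProcess(openProcessHandle, PROCESSINFOCLASS.ProcessBasicInformation, ref process_basic_information, process_basic_information.Size, IntPtr.Zero);
                if (ntQuery != 0)
                {
                    Debug.WriteLine("Failed to query information, from process: " + processId);
                    return Parameterstring;
                }

                //Pointer to the user process parameter block, read out of the target's PEB
                IntPtr process_parameter = new IntPtr();
                long   pebBaseAddress    = process_basic_information.PebBaseAddress.ToInt64();
                if (!ReadProcessMemory(openProcessHandle, new IntPtr(pebBaseAddress + processParametersOffset), ref process_parameter, new IntPtr(Marshal.SizeOf(process_parameter)), IntPtr.Zero))
                {
                    Debug.WriteLine("Failed to read parameter address, from process: " + processId);
                    return Parameterstring;
                }

                //UNICODE_string header of the requested field: Length (bytes) and Buffer (pointer in the target)
                UNICODE_string unicode_string = new UNICODE_string();
                if (!ReadProcessMemory(openProcessHandle, new IntPtr(process_parameter.ToInt64() + userParameterOffset), ref unicode_string, new IntPtr(unicode_string.Size), IntPtr.Zero))
                {
                    Debug.WriteLine("Failed to read parameter unicode, from process: " + processId);
                    return Parameterstring;
                }

                //An empty string needs no memory read; the result is empty either way
                if (unicode_string.Length <= 0)
                {
                    return Parameterstring;
                }

                //Length is a byte count of UTF-16 text; ReadProcessMemory fills the pre-sized managed string in place
                string converted_string = new string(' ', unicode_string.Length / 2);
                if (!ReadProcessMemory(openProcessHandle, unicode_string.Buffer, converted_string, new IntPtr(unicode_string.Length), IntPtr.Zero))
                {
                    Debug.WriteLine("Failed to read parameter string, from process: " + processId);
                    return Parameterstring;
                }

                Parameterstring = converted_string;
            }
            catch (Exception ex)
            {
                //Best-effort: any failure yields an empty string, but the cause is logged rather than dropped
                Debug.WriteLine("Failed to read parameter, from process: " + processId + " " + ex.Message);
            }
            finally
            {
                //Always release the process handle, including on the early returns above
                if (openProcessHandle != IntPtr.Zero)
                {
                    CloseHandle(openProcessHandle);
                }
            }
            return Parameterstring;
        }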