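/// <summary>
/// Gets the launch arguments of a running process: its command line with the
/// leading, double-quoted executable path stripped off.
/// </summary>
/// <param name="targetProcess">Process whose command line is read; a null process yields an empty result.</param>
/// <param name="executablePath">Path of the executable as it appears, quoted, at the start of the command line.</param>
/// <returns>
/// The text following the executable path, or <see cref="string.Empty"/> when the
/// command line cannot be read. Failures are written to <see cref="Debug"/> output
/// rather than thrown, because callers rely on the best-effort contract.
/// </returns>
public static string GetLaunchArgumentsFromProcess(Process targetProcess, string executablePath)
{
    string launchArguments = string.Empty;
    if (targetProcess is null)
    {
        // Previously this surfaced as a NullReferenceException swallowed by an empty catch.
        Debug.WriteLine("GetLaunchArgumentsFromProcess: no process supplied.");
        return launchArguments;
    }
    try
    {
        // The command line normally starts with the executable path in double quotes.
        string removeFromArgument = "\"" + executablePath + "\"";
        launchArguments = GetProcessParameterString(targetProcess.Id, USER_PROCESS_PARAMETERS.CommandLine);
        // The trailing 'true' presumably selects case-insensitive matching - confirm in AVFunctions.
        launchArguments = AVFunctions.StringReplaceFirst(launchArguments, removeFromArgument, string.Empty, true);
        // Drop the single separator left between the path and the first argument.
        launchArguments = AVFunctions.StringRemoveStart(launchArguments, " ");
    }
    catch (Exception ex)
    {
        // Keep the best-effort contract (no throw) but do not hide the cause any more.
        Debug.WriteLine("Failed to get launch arguments from process " + targetProcess.Id + ": " + ex.Message);
    }
    return launchArguments;
}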
/// <summary>
/// Gets the command-line string of another process by reading its PEB and the
/// CommandLine member of its user process parameters directly from process memory.
/// </summary>
/// <param name="i_Process">Process object</param>
/// <returns>String command-line string; an empty string on any failure</returns>
public static System.String GetRemoteCommandLine(System.Diagnostics.Process i_Process)
{
    System.String a_CommandLine = "";
    int ReadSize = 0;
    System.IntPtr a_hProcess = System.IntPtr.Zero;
    System.IntPtr a_Buffer = System.IntPtr.Zero;
    // Bail out if the process handle cannot be obtained
    try
    {
        a_hProcess = i_Process.Handle;
    }
    catch (System.Exception)
    {
        return("");
    }
    try
    {
        // Get Process Basic Information
        // NOTE(review): the status returned by NtQueryInformationProcess is not checked;
        // on failure pbi.PebBaseAddress stays zero and the read below targets address 0.
        PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
        NtQueryInformationProcess(a_hProcess, PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Memory.SizeOf(pbi), out ReadSize);
        // Read PEB Memory Block
        // NOTE(review): AllocHGlobal memory is not zeroed and the ReadProcessMemory result is
        // not checked, so a failed read marshals an uninitialised buffer into peb - confirm
        // the P/Invoke signature and check its return value.
        PROCESS_ENVIRONMENT_BLOCK peb = new PROCESS_ENVIRONMENT_BLOCK();
        a_Buffer = Marshal.AllocHGlobal(Memory.SizeOf(peb));
        ReadProcessMemory(a_hProcess, pbi.PebBaseAddress, a_Buffer, Memory.SizeOf(peb), out ReadSize);
        peb = (PROCESS_ENVIRONMENT_BLOCK)Marshal.PtrToStructure(a_Buffer, peb.GetType());
        Marshal.FreeHGlobal(a_Buffer);
        a_Buffer = System.IntPtr.Zero;
        // Read User Process Parameters (same unchecked-read caveat as above)
        USER_PROCESS_PARAMETERS upp = new USER_PROCESS_PARAMETERS();
        a_Buffer = Marshal.AllocHGlobal(Memory.SizeOf(upp));
        ReadProcessMemory(a_hProcess, peb.ProcessParameters, a_Buffer, Memory.SizeOf(upp), out ReadSize);
        upp = (USER_PROCESS_PARAMETERS)Marshal.PtrToStructure(a_Buffer, upp.GetType());
        Marshal.FreeHGlobal(a_Buffer);
        a_Buffer = System.IntPtr.Zero;
        // Get the CommandLine option string
        // Original author's note: the command-line string is (presumably) stored as UTF-16,
        // which is why Length (bytes) is divided by CharSize below.
        // The value lives in memory the target process controls, so treat it as untrusted.
        if (0 < upp.CommandLine.Length)
        {
            a_Buffer = Marshal.AllocHGlobal(upp.CommandLine.Length);
            Memory.ZeroMemory(ref a_Buffer, (System.IntPtr)upp.CommandLine.Length);
            ReadProcessMemory(a_hProcess, upp.CommandLine.buffer, a_Buffer, upp.CommandLine.Length, out ReadSize);
            a_CommandLine = Marshal.PtrToStringUni(a_Buffer, upp.CommandLine.Length / System.Text.UnicodeEncoding.CharSize);
            Marshal.FreeHGlobal(a_Buffer);
            a_Buffer = System.IntPtr.Zero;
        }
    }
    catch (System.Exception)
    {
        // Return an empty string when an exception occurs
        a_CommandLine = "";
    }
    finally
    {
        // Release whichever buffer was still allocated when we left the try block
        if (a_Buffer != System.IntPtr.Zero)
        {
            Marshal.FreeHGlobal(a_Buffer);
        }
        a_Buffer = System.IntPtr.Zero;
    }
    return(a_CommandLine);
}
/// <summary>
/// Gets the command-line string of another process by reading its PEB and the
/// CommandLine member of its user process parameters directly from process memory.
/// NOTE(review): this is a second definition with the same signature as the
/// GetRemoteCommandLine above; the original comments here were mis-encoded and have
/// been restored from the parallel definition. If both live in one type, keep one.
/// </summary>
/// <param name="i_Process">Process object</param>
/// <returns>String command-line string; an empty string on any failure</returns>
public static System.String GetRemoteCommandLine( System.Diagnostics.Process i_Process )
{
    System.String a_CommandLine = "";
    int ReadSize = 0;
    System.IntPtr a_hProcess = System.IntPtr.Zero;
    System.IntPtr a_Buffer = System.IntPtr.Zero;
    // Bail out if the process handle cannot be obtained
    try
    {
        a_hProcess = i_Process.Handle;
    }
    catch( System.Exception )
    {
        return "";
    }
    try
    {
        // Get Process Basic Information
        // NOTE(review): the status returned by NtQueryInformationProcess is not checked;
        // on failure pbi.PebBaseAddress stays zero and the read below targets address 0.
        PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
        NtQueryInformationProcess( a_hProcess, PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Memory.SizeOf( pbi ), out ReadSize );
        // Read PEB Memory Block
        // NOTE(review): AllocHGlobal memory is not zeroed and the ReadProcessMemory result is
        // not checked, so a failed read marshals an uninitialised buffer into peb - confirm
        // the P/Invoke signature and check its return value.
        PROCESS_ENVIRONMENT_BLOCK peb = new PROCESS_ENVIRONMENT_BLOCK();
        a_Buffer = Marshal.AllocHGlobal( Memory.SizeOf( peb ) );
        ReadProcessMemory( a_hProcess, pbi.PebBaseAddress, a_Buffer, Memory.SizeOf( peb ), out ReadSize );
        peb = (PROCESS_ENVIRONMENT_BLOCK)Marshal.PtrToStructure( a_Buffer,peb.GetType() );
        Marshal.FreeHGlobal( a_Buffer );
        a_Buffer = System.IntPtr.Zero;
        // Read User Process Parameters (same unchecked-read caveat as above)
        USER_PROCESS_PARAMETERS upp = new USER_PROCESS_PARAMETERS();
        a_Buffer = Marshal.AllocHGlobal( Memory.SizeOf( upp ) );
        ReadProcessMemory( a_hProcess, peb.ProcessParameters, a_Buffer, Memory.SizeOf( upp ), out ReadSize );
        upp = (USER_PROCESS_PARAMETERS)Marshal.PtrToStructure( a_Buffer, upp.GetType() );
        Marshal.FreeHGlobal( a_Buffer );
        a_Buffer = System.IntPtr.Zero;
        // Get the CommandLine option string
        // Original author's note: the command-line string is (presumably) stored as UTF-16,
        // which is why Length (bytes) is divided by CharSize below.
        // The value lives in memory the target process controls, so treat it as untrusted.
        if ( 0 < upp.CommandLine.Length )
        {
            a_Buffer = Marshal.AllocHGlobal( upp.CommandLine.Length );
            Memory.ZeroMemory( ref a_Buffer, (System.IntPtr)upp.CommandLine.Length );
            ReadProcessMemory( a_hProcess, upp.CommandLine.buffer, a_Buffer, upp.CommandLine.Length, out ReadSize );
            a_CommandLine = Marshal.PtrToStringUni( a_Buffer, upp.CommandLine.Length / System.Text.UnicodeEncoding.CharSize );
            Marshal.FreeHGlobal( a_Buffer );
            a_Buffer = System.IntPtr.Zero;
        }
    }
    catch ( System.Exception )
    {
        // Return an empty string when an exception occurs
        a_CommandLine = "";
    }
    finally
    {
        // Release whichever buffer was still allocated when we left the try block
        if ( a_Buffer != System.IntPtr.Zero )
        {
            Marshal.FreeHGlobal( a_Buffer );
        }
        a_Buffer = System.IntPtr.Zero;
    }
    return a_CommandLine;
}
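/// <summary>
/// Reads one string-valued field of the target process's user process parameters
/// (current directory, image path or command line) by following PEB.ProcessParameters
/// with fixed, pointer-size-dependent offsets.
/// </summary>
/// <param name="processId">Id of the process to inspect.</param>
/// <param name="requestedProcessParameter">Which of the three supported parameter strings to read.</param>
/// <returns>
/// The requested string, or <see cref="string.Empty"/> when the process cannot be opened or
/// read, the parameter is not supported, the string is empty, or any exception occurs.
/// Every failure is written to <see cref="Debug"/> output. The value comes from memory the
/// target process itself controls, so treat it as untrusted input.
/// </returns>
public static string GetProcessParameterString(int processId, USER_PROCESS_PARAMETERS requestedProcessParameter)
{
    string parameterString = string.Empty;
    IntPtr openProcessHandle = IntPtr.Zero;
    try
    {
        //Open the process for reading
        openProcessHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead, false, processId);
        if (openProcessHandle == IntPtr.Zero)
        {
            Debug.WriteLine("Failed to open the process: " + processId);
            return parameterString;
        }

        // Offsets follow the pointer size of THIS process, not the target's.
        // NOTE(review): a 32-bit reader inspecting a 64-bit target therefore uses the wrong
        // layout - confirm callers never run that combination.
        bool windows64bits = IntPtr.Size > 4;
        long processParametersOffset = windows64bits ? 0x20 : 0x10;

        long userParameterOffset;
        switch (requestedProcessParameter)
        {
            case USER_PROCESS_PARAMETERS.CurrentDirectoryPath:
                userParameterOffset = windows64bits ? 0x38 : 0x24;
                break;
            case USER_PROCESS_PARAMETERS.ImagePathName:
                userParameterOffset = windows64bits ? 0x60 : 0x38;
                break;
            case USER_PROCESS_PARAMETERS.CommandLine:
                userParameterOffset = windows64bits ? 0x70 : 0x40;
                break;
            default:
                // Previously an unknown value fell through with offset 0, which is not a
                // UNICODE_STRING field, and returned whatever bytes sat there.
                Debug.WriteLine("Unsupported process parameter " + requestedProcessParameter + " requested for process: " + processId);
                return parameterString;
        }

        //Read information from process
        PROCESS_BASIC_INFORMATION processBasicInformation = new PROCESS_BASIC_INFORMATION();
        int ntQuery = NtQueryInformationProcess(openProcessHandle, PROCESSINFOCLASS.ProcessBasicInformation, ref processBasicInformation, processBasicInformation.Size, IntPtr.Zero);
        if (ntQuery != 0)
        {
            Debug.WriteLine("Failed to query information, from process: " + processId);
            return parameterString;
        }

        // PEB.ProcessParameters: pointer to the RTL_USER_PROCESS_PARAMETERS block
        IntPtr processParameter = new IntPtr();
        long pebBaseAddress = processBasicInformation.PebBaseAddress.ToInt64();
        if (!ReadProcessMemory(openProcessHandle, new IntPtr(pebBaseAddress + processParametersOffset), ref processParameter, new IntPtr(Marshal.SizeOf(processParameter)), IntPtr.Zero))
        {
            Debug.WriteLine("Failed to read parameter address, from process: " + processId);
            return parameterString;
        }

        // The UNICODE_STRING header (Length in bytes, MaximumLength, Buffer) of the field
        UNICODE_string unicodeString = new UNICODE_string();
        if (!ReadProcessMemory(openProcessHandle, new IntPtr(processParameter.ToInt64() + userParameterOffset), ref unicodeString, new IntPtr(unicodeString.Size), IntPtr.Zero))
        {
            Debug.WriteLine("Failed to read parameter unicode, from process: " + processId);
            return parameterString;
        }

        // Nothing to read (and nothing to write into the interned empty string).
        if (unicodeString.Length == 0)
        {
            return parameterString;
        }

        // Length is in bytes and the buffer is UTF-16, hence Length / 2 characters.
        // NOTE(review): the managed string is used as the receive buffer and overwritten by
        // ReadProcessMemory, relying on the marshaller passing the pinned string itself;
        // a byte[] plus Encoding.Unicode would be the conventional form - verify the
        // declared P/Invoke signature before changing it.
        string convertedString = new string(' ', unicodeString.Length / 2);
        if (!ReadProcessMemory(openProcessHandle, unicodeString.Buffer, convertedString, new IntPtr(unicodeString.Length), IntPtr.Zero))
        {
            Debug.WriteLine("Failed to read parameter string, from process: " + processId);
            return parameterString;
        }
        parameterString = convertedString;
    }
    catch (Exception ex)
    {
        // Best-effort contract: callers expect an empty string, not an exception,
        // but the cause must not be silently discarded.
        Debug.WriteLine("Failed to read parameter from process " + processId + ": " + ex.Message);
    }
    finally
    {
        // Release the handle on every path. The original only closed it after a full
        // success, leaking it on each early return and on exceptions.
        if (openProcessHandle != IntPtr.Zero)
        {
            CloseHandle(openProcessHandle);
        }
    }
    return parameterString;
}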