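/// <summary>
/// Reads one string-valued field of a target process's RTL_USER_PROCESS_PARAMETERS
/// (current directory, image path or command line) by walking its PEB with
/// ReadProcessMemory.
/// </summary>
/// <param name="processId">Process id of the target process.</param>
/// <param name="requestedProcessParameter">Which parameter string to fetch.</param>
/// <returns>
/// The requested string, or <see cref="string.Empty"/> when the process cannot be
/// opened, queried or read, or when the parameter kind is not one of the three handled here.
/// </returns>
/// <remarks>
/// The value is copied out of the target's own user-mode memory, which that process can
/// rewrite at will; treat it as informational rather than as an authenticated image path
/// or command line, and do not base allow/deny decisions on it alone.
/// The field offsets are undocumented structure layouts chosen by <c>IntPtr.Size</c>, i.e.
/// by the bitness of the *calling* process, not of Windows or of the target.
/// NOTE(review): behaviour for a target whose bitness differs from the caller's is not
/// covered by this code — verify separately.
/// </remarks>
public static string GetProcessParameterString(int processId, USER_PROCESS_PARAMETERS requestedProcessParameter)
{
    string parameterString = string.Empty;
    IntPtr openProcessHandle = IntPtr.Zero;
    try
    {
        // Resolve the offsets before touching the process, so an unsupported request costs nothing.
        bool callerIs64Bit = IntPtr.Size > 4;
        long processParametersOffset = callerIs64Bit ? 0x20 : 0x10; // PEB.ProcessParameters
        long userParameterOffset;
        if (!TryGetUserParameterOffset(requestedProcessParameter, callerIs64Bit, out userParameterOffset))
        {
            // Previously an unknown enum value fell through with offset 0 and read an unrelated field.
            Debug.WriteLine("Unsupported process parameter requested: " + requestedProcessParameter);
            return parameterString;
        }

        openProcessHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead, false, processId);
        if (openProcessHandle == IntPtr.Zero)
        {
            // Typically access denied (elevated/protected target) or the process has already exited.
            return parameterString;
        }

        PROCESS_BASIC_INFORMATION processBasicInformation = new PROCESS_BASIC_INFORMATION();
        int ntStatus = NtQueryInformationProcess(openProcessHandle, PROCESSINFOCLASS.ProcessBasicInformation, ref processBasicInformation, processBasicInformation.Size, IntPtr.Zero);
        if (ntStatus != 0)
        {
            Debug.WriteLine("Failed to query information, from process: " + processId);
            return parameterString;
        }

        // PEB.ProcessParameters: a pointer to the target's RTL_USER_PROCESS_PARAMETERS.
        IntPtr processParameters = IntPtr.Zero;
        long pebBaseAddress = processBasicInformation.PebBaseAddress.ToInt64();
        if (!ReadProcessMemory(openProcessHandle, new IntPtr(pebBaseAddress + processParametersOffset), ref processParameters, new IntPtr(Marshal.SizeOf(processParameters)), IntPtr.Zero))
        {
            Debug.WriteLine("Failed to read parameter address, from process: " + processId);
            return parameterString;
        }

        // The UNICODE_STRING header (byte length and Buffer pointer) of the requested field.
        UNICODE_string unicodeString = new UNICODE_string();
        if (!ReadProcessMemory(openProcessHandle, new IntPtr(processParameters.ToInt64() + userParameterOffset), ref unicodeString, new IntPtr(unicodeString.Size), IntPtr.Zero))
        {
            Debug.WriteLine("Failed to read parameter unicode, from process: " + processId);
            return parameterString;
        }

        if (unicodeString.Length == 0)
        {
            // Nothing to copy; the result would be the empty string either way.
            return parameterString;
        }

        // Length is a byte count of UTF-16 code units, hence / 2 for the managed string length.
        // The string instance itself is handed to the native call as the destination buffer and
        // is filled in place. NOTE(review): this relies on the string overload of ReadProcessMemory
        // being declared so that the runtime pins the managed string (Unicode marshalling); that
        // declaration is not visible here — confirm it.
        string convertedString = new string(' ', unicodeString.Length / 2);
        if (!ReadProcessMemory(openProcessHandle, unicodeString.Buffer, convertedString, new IntPtr(unicodeString.Length), IntPtr.Zero))
        {
            Debug.WriteLine("Failed to read parameter string, from process: " + processId);
            return parameterString;
        }

        parameterString = convertedString;
    }
    catch (Exception ex)
    {
        // Best-effort lookup: a marshalling or platform failure yields an empty result, but is no longer silent.
        Debug.WriteLine("Failed to read process parameter, from process: " + processId + ": " + ex.Message);
    }
    finally
    {
        // The handle was only closed on the success path before; close it on every exit.
        if (openProcessHandle != IntPtr.Zero)
        {
            CloseHandle(openProcessHandle);
        }
    }
    return parameterString;
}

/// <summary>
/// Maps a <see cref="USER_PROCESS_PARAMETERS"/> value to the byte offset of the matching
/// UNICODE_STRING field inside RTL_USER_PROCESS_PARAMETERS for the given layout bitness.
/// </summary>
/// <param name="requestedProcessParameter">Which field is wanted.</param>
/// <param name="is64Bit">True to use the 64-bit structure layout, false for the 32-bit one.</param>
/// <param name="offset">Receives the offset on success; 0 otherwise.</param>
/// <returns>False for any value other than the three fields handled here.</returns>
private static bool TryGetUserParameterOffset(USER_PROCESS_PARAMETERS requestedProcessParameter, bool is64Bit, out long offset)
{
    switch (requestedProcessParameter)
    {
        case USER_PROCESS_PARAMETERS.CurrentDirectoryPath:
            offset = is64Bit ? 0x38 : 0x24;
            return true;
        case USER_PROCESS_PARAMETERS.ImagePathName:
            offset = is64Bit ? 0x60 : 0x38;
            return true;
        case USER_PROCESS_PARAMETERS.CommandLine:
            offset = is64Bit ? 0x70 : 0x40;
            return true;
        default:
            offset = 0;
            return false;
    }
}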
// ReadProcessMemory overload used to copy a UNICODE_string header (its Length and Buffer
// pointer) out of another process into a managed struct; callers pass unicode_string.Size
// as dwSize. A false return means the read failed (no access, process gone, bad address).
// NOTE(review): the [DllImport] attribute for this declaration lies outside this excerpt —
// confirm it targets kernel32.dll and sets SetLastError if callers need the Win32 error code.
private static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref UNICODE_string lpBuffer, IntPtr dwSize, IntPtr lpNumberOfBytesRead);