
VB爱好者

vb学习的好地方

 
 
 


 
 

取得指定进程命令行参数  

2009-12-09 10:01:33|  分类: vb进程 |  标签: |举报 |字号 订阅


'*************************************************************************
'**模 块 名:ModGetRemoteCmdLine
'**说    明:取得某进程的命令行
'**创 建 人:马大哈 http://www.m5home.com/
'**日    期:2007年6月19日
'**版    本:V1.0
'*************************************************************************
Option Explicit

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, _
                                                                                                                    lpNumberOfBytesWritten As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32.dll" Alias "LoadLibraryW" (ByVal lpLibFileName As Long) As Long
Private Declare Function FreeLibrary Lib "kernel32.dll" (ByVal hLibModule As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Private Const PROCESS_VM_READ As Long = (&H10)
Private Const kernel32 As String = "kernel32.dll"

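Public Function GetRemoteCmdLine(ByVal hPId As Long) As String
    ' Returns the ANSI command line of another process, read out of that
    ' process's copy of kernel32's command-line pointer.
    '
    ' hPId    - PID of the target process
    ' Returns - the command line on success; "" on any failure (process could not
    '           be opened, unexpected GetCommandLineA prologue, unreadable memory,
    '           no NUL terminator within MAX_CMDLINE_BYTES, runtime error).
    '
    ' How it works (valid for a 32-bit caller reading a 32-bit target):
    '   GetCommandLineA in kernel32 starts with  mov eax,[imm32]  (A1 xx xx xx xx);
    '   imm32 is the address of a kernel32 global that holds a pointer to the ANSI
    '   command line. The original author observed that this address is the same
    '   in every process, so the local GetProcAddress result is also the function's
    '   address inside the target and the imm32 and the pointer it names can be
    '   read there with ReadProcessMemory. NOTE(review): this is an implementation
    '   detail of one kernel32 build (the comment named Win2003); the opcode check
    '   below makes the function fail closed instead of dereferencing whatever
    '   follows a different prologue. A 64-bit target (8-byte pointers, different
    '   image) presumably fails that check too - not verified here.
    '
    ' Security notes:
    '   - OpenProcess(PROCESS_VM_READ) on a process of another user, an elevated
    '     or a protected process fails unless the caller holds SeDebugPrivilege;
    '     that is reported as "" rather than raised.
    '   - The returned text is data under the control of another process (up to
    '     MAX_CMDLINE_BYTES, any bytes except NUL); do not trust it or splice it
    '     into commands, SQL or HTML without escaping.
    '   - Command lines routinely carry secrets (passwords, tokens); store and log
    '     the result accordingly.
    Const MAX_CMDLINE_BYTES As Long = 32768   ' Win32 caps a command line at 32767 chars + NUL
    Const OPCODE_MOV_EAX_MEM As Byte = &HA1   ' x86: mov eax, dword ptr [imm32]
    Const PAGE_SIZE As Long = &H1000          ' x86 page size; a read never crosses a page

    Dim hDll As Long, hProcess As Long, APIPtr As Long, CmdLinePtr As Long
    Dim bOpcode As Byte, lRead As Long
    Dim Buf() As Byte, lTotal As Long, lChunk As Long, i As Long
    Dim bFound As Boolean, sResult As String

    GetRemoteCmdLine = ""
    sResult = ""

    ' Resolve GetCommandLineA in our own kernel32 (LoadLibraryW, hence StrPtr).
    ' No Debug.Assert here: it is compiled out of release builds, so a failed
    ' LoadLibrary/GetProcAddress used to continue with hDll = 0 / APIPtr = 1.
    hDll = LoadLibrary(StrPtr(kernel32))
    If hDll = 0 Then Exit Function
    APIPtr = GetProcAddress(hDll, "GetCommandLineA")
    Call FreeLibrary(hDll)          ' only drops our reference; kernel32 stays mapped
    If APIPtr = 0 Then Exit Function

    hProcess = OpenProcess(PROCESS_VM_READ, 0, hPId)
    If hProcess = 0 Then Exit Function

    ' From here on every exit path must release hProcess (the original leaked it
    ' on every return, including the early "Exit Function" error paths).
    On Error GoTo Cleanup

    ' 1. Verify the prologue in the TARGET process is the expected mov eax,[imm32].
    If ReadProcessMemory(hProcess, APIPtr, bOpcode, 1, lRead) = 0 Then GoTo Cleanup
    If bOpcode <> OPCODE_MOV_EAX_MEM Then GoTo Cleanup

    ' 2. imm32 = address of the global holding the command-line pointer.
    If ReadProcessMemory(hProcess, APIPtr + 1, CmdLinePtr, 4, lRead) = 0 Then GoTo Cleanup
    If CmdLinePtr = 0 Then GoTo Cleanup

    ' 3. Dereference it: CmdLinePtr now addresses the ANSI string itself.
    If ReadProcessMemory(hProcess, CmdLinePtr, CmdLinePtr, 4, lRead) = 0 Then GoTo Cleanup
    If CmdLinePtr = 0 Then GoTo Cleanup

    ' 4. Copy the string up to its NUL. Read page by page: a fixed 512-byte read
    '    fails as a whole when the string ends just before an unmapped page, and a
    '    string longer than the buffer left no NUL for InStr, so Mid(s, 1, -1)
    '    raised error 5.
    ReDim Buf(0 To MAX_CMDLINE_BYTES - 1)
    Do While lTotal < MAX_CMDLINE_BYTES And Not bFound
        lChunk = PAGE_SIZE - (CmdLinePtr And (PAGE_SIZE - 1))
        If lChunk > MAX_CMDLINE_BYTES - lTotal Then lChunk = MAX_CMDLINE_BYTES - lTotal
        If ReadProcessMemory(hProcess, CmdLinePtr, Buf(lTotal), lChunk, lRead) = 0 Then Exit Do
        If lRead <= 0 Then Exit Do
        For i = lTotal To lTotal + lRead - 1
            If Buf(i) = 0 Then
                bFound = True
                Exit For
            End If
        Next i
        If bFound Then
            lTotal = i                          ' bytes before the terminator
        Else
            lTotal = lTotal + lRead
            CmdLinePtr = CmdLinePtr + lRead     ' overflow at the 2 GB line lands in Cleanup via On Error
        End If
    Loop

    ' Fail closed: without a terminator we have no string, only bytes.
    If bFound And lTotal > 0 Then
        ReDim Preserve Buf(0 To lTotal - 1)
        sResult = StrConv(Buf, vbUnicode)      ' ANSI -> VB's internal Unicode
    End If

Cleanup:
    On Error Resume Next
    If hProcess <> 0 Then Call CloseHandle(hProcess)
    GetRemoteCmdLine = sResult
End Function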
'Usage:

'Debug.Print GetRemoteCmdLine([PID])

 
