- 注册时间
- 2010-8-21
- 最后登录
- 2017-5-30
- 在线时间
- 3 小时
编程入门
- 魔鬼币
- 515
|
- BOOL GetProcessCurDir(HANDLE hProcess,mystring&strCurDir)
- {
- BOOL bSuccess = FALSE;
- PROCESS_BASIC_INFORMATION pbi;
- TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
- TNtReadVirtualMemory pfnNtReadVirtualMemory = NULL;
- pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtQueryInformationProcess");
- pfnNtReadVirtualMemory = (TNtReadVirtualMemory)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtReadVirtualMemory");
- if ( pfnNtQueryInformationProcess!=NULL ){
- DWORD dwSize;
- SIZE_T size;
- int iReturn;
- PVOID pAddrPEB = NULL;
- iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),&dwSize);
- pAddrPEB = pbi.PebBaseAddress;
- // NtQueryInformationProcess returns a negative value if it fails
- if (iReturn >= 0) {
- // 1. Find the Process Environment Block
- __PEB PEB;
- size = dwSize;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- // 2. From this PEB, get the address of the block containing
- // a pointer to the CmdLine
- _RTL_USER_PROCESS_PARAMETERS stBlock;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &stBlock, sizeof(stBlock), &size)) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- // 3. Get the CurDir
- wchar_t wszCurDir[MAX_PATH+1];
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)stBlock.DosPath.Buffer,
- wszCurDir, stBlock.DosPath.Length*sizeof(wchar_t), &size)) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- #ifdef UNICODE
- // Both strings are in UNICODE.
- strCurDir.assign(wszCurDir);
- #else
- CHAR szCurDir[MAX_PATH+1];
- WideCharToMultiByte(CP_ACP,0,wszCurDir,size/sizeof(wchar_t),szCurDir,MAX_PATH,NULL,NULL);
- strCurDir.assign(szCurDir);
- #endif
- bSuccess = TRUE;
- }
- }
- return bSuccess;
- }
- BOOL GetProcessCurDir64(HANDLE hProcess,mystring&strCurDir)
- {
- BOOL bSuccess = FALSE;
- PROCESS_BASIC_INFORMATION64 pbi64;
- TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
- TNtReadVirtualMemory64 pfnNtReadVirtualMemory = NULL;
- pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64QueryInformationProcess64");
- pfnNtReadVirtualMemory = (TNtReadVirtualMemory64)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64ReadVirtualMemory64");
- if ( pfnNtQueryInformationProcess!=NULL ){
- DWORD dwSize;
- UINT64 size;
- int iReturn;
- PVOID64 pAddrPEB = NULL;
-
- iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi64,sizeof(pbi64),&dwSize);
- pAddrPEB = pbi64.PebBaseAddress;
- // NtQueryInformationProcess returns a negative value if it fails
- if (iReturn >= 0) {
- // 1. Find the Process Environment Block
- __PEB64 PEB;
- size = dwSize;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- // 2. From this PEB, get the address of the block containing
- // a pointer to the CmdLine
- _RTL_USER_PROCESS_PARAMETERS64 stBlock;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, PEB.ProcessParameters, &stBlock, sizeof(stBlock),&size)) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- // 3. Get the CurDir
- wchar_t wszCurDir[MAX_PATH+1];
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, stBlock.DosPath.Buffer,
- wszCurDir, stBlock.DosPath.Length*sizeof(wchar_t), &size)) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- #ifdef UNICODE
- // Both strings are in UNICODE.
- strCurDir.assign(wszCurDir);
- #else
- CHAR szCurDir[MAX_PATH+1];
- WideCharToMultiByte(CP_ACP,0,wszCurDir,size/sizeof(wchar_t),szCurDir,MAX_PATH,NULL,NULL);
- strCurDir.assign(szCurDir);
- #endif
- bSuccess = TRUE;
- }
- }
- return bSuccess;
- }
- BOOL GetProcessCmdLine(HANDLE hProcess,mystring&strCmdLine)
- {
- BOOL bSuccess = FALSE;
- PROCESS_BASIC_INFORMATION pbi;
- TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
- TNtReadVirtualMemory pfnNtReadVirtualMemory = NULL;
- pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtQueryInformationProcess");
- pfnNtReadVirtualMemory = (TNtReadVirtualMemory)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtReadVirtualMemory");
- if ( pfnNtQueryInformationProcess!=NULL ){
- DWORD dwSize;
- SIZE_T size;
- int iReturn;
- PVOID pAddrPEB = NULL;
- iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),&dwSize);
- pAddrPEB = pbi.PebBaseAddress;
- // NtQueryInformationProcess returns a negative value if it fails
- if (iReturn >= 0) {
- // 1. Find the Process Environment Block
- __PEB PEB;
- size = dwSize;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- // 2. From this PEB, get the address of the block containing
- // a pointer to the CmdLine
- _RTL_USER_PROCESS_PARAMETERS Block;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &Block, sizeof(Block), &size)) {
- // Call GetLastError() if you need to know why
- return(FALSE);
- }
- // 3. Get the CmdLine
- wchar_t wszCmdLine[MAX_PATH+1] = {0};
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)Block.CmdLine.Buffer,
- wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
- // Call GetLastError() if you need to know why
- return(FALSE);
- }
- // 4. Skip the application pathname
- // it can be empty, "c:\...\app.exe" or c:\...\app.exe
- wchar_t* pPos = wszCmdLine;
- if (*pPos != L'\0') {
- if (*pPos == L'"') {
- // Find the next " character
- pPos = wcschr(&pPos[1], L'"');
- } else {
- // Find the next SPACE character
- pPos = wcschr(&pPos[1], L'');
- }
- // Skip it
- if (pPos != NULL)
- pPos++;
- }
- // Copy it back
- if (pPos != NULL) {
- if (*pPos != L'\0') {
- #ifdef UNICODE
- // Both strings are in UNICODE.
- strCmdLine.assign(wszCmdLine);
- #else
- CHAR szCmdLine[MAX_PATH+1] = {0};
- WideCharToMultiByte(CP_ACP,0,wszCmdLine,size/sizeof(wchar_t),szCmdLine,MAX_PATH,NULL,NULL);
- strCmdLine = szCmdLine;
- #endif
- bSuccess = TRUE;
- }
- }
- }
- }
- return bSuccess;
- }
- BOOL GetProcessCmdLine64(HANDLE hProcess,mystring&strCmdLine)
- {
- BOOL bSuccess = FALSE;
- PROCESS_BASIC_INFORMATION64 pbi64;
- TNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
- TNtReadVirtualMemory64 pfnNtReadVirtualMemory = NULL;
- pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64QueryInformationProcess64");
- pfnNtReadVirtualMemory = (TNtReadVirtualMemory64)GetProcAddress(GetModuleHandle(_T("ntdll.dll")),"NtWow64ReadVirtualMemory64");
- if ( pfnNtQueryInformationProcess!=NULL ){
- DWORD dwSize;
- UINT64 size;
- int iReturn;
- PVOID64 pAddrPEB = NULL;
- iReturn = pfnNtQueryInformationProcess( hProcess,ProcessBasicInformation,&pbi64,sizeof(pbi64),&dwSize);
- pAddrPEB = pbi64.PebBaseAddress;
- // NtQueryInformationProcess returns a negative value if it fails
- if (iReturn >= 0) {
- // 1. Find the Process Environment Block
- __PEB64 PEB;
- size = dwSize;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, pAddrPEB, &PEB, sizeof(PEB), &size) ) {
- // Call GetLastError() if you need to know why
- return bSuccess;
- }
- // 2. From this PEB, get the address of the block containing
- // a pointer to the CmdLine
- _RTL_USER_PROCESS_PARAMETERS64 stBlock;
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)PEB.ProcessParameters, &stBlock, sizeof(stBlock), &size)) {
- // Call GetLastError() if you need to know why
- return(FALSE);
- }
- // 3. Get the CmdLine
- wchar_t wszCmdLine[MAX_PATH+1] = {0};
- if ( ERROR_SUCCESS != pfnNtReadVirtualMemory(hProcess, (LPVOID)stBlock.CmdLine.Buffer,
- wszCmdLine, MAX_PATH*sizeof(wchar_t), &size)) {
- // Call GetLastError() if you need to know why
- return(FALSE);
- }
- // 4. Skip the application pathname
- // it can be empty, "c:\...\app.exe" or c:\...\app.exe
- wchar_t* pPos = wszCmdLine;
- if (*pPos != L'\0') {
- if (*pPos == L'"') {
- // Find the next " character
- pPos = wcschr(&pPos[1], L'"');
- } else {
- // Find the next SPACE character
- pPos = wcschr(&pPos[1], L'');
- }
- // Skip it
- if (pPos != NULL)
- pPos++;
- }
- // Copy it back
- if (pPos != NULL) {
- if (*pPos != L'\0') {
- #ifdef UNICODE
- // Both strings are in UNICODE.
- strCmdLine.assign(wszCmdLine);
- #else
- CHAR szCmdLine[MAX_PATH+1] = {0};
- WideCharToMultiByte(CP_ACP,0,wszCmdLine,size/sizeof(wchar_t),szCmdLine,MAX_PATH,NULL,NULL);
- strCmdLine.assign(szCmdLine);
- #endif
- bSuccess = TRUE;
- }
- }
- }
- }
- return bSuccess;
- }
- #include <TlHelp32.h>
- #include <winternl.h> // for Windows internal declarations.
- #include "Toolhelp/Toolhelp.h"
- //////////////////////////////////////////////////////////////////////////
- #define WOW64
- #ifdef _UNICODE
- #define mystring wstring
- #else
- #define mystring string
- #endif
- typedef struct
- {
- DWORD Filler[4];
- DWORD ProcessParameters;
- } __PEB;
- typedef struct
- {
- PVOID64 Filler[4];
- PVOID64 ProcessParameters;
- } __PEB64;
- //
- // Current Directory Structures
- //
- typedef struct
- {
- UNICODE_STRING DosPath;
- HANDLE Handle;
- }_CURDIR;
- typedef struct _UNICODE_STRING64 {
- SHORT Length;
- SHORT MaximumLength;
- DWORD Fill;
- PVOID64 Buffer;
- } UNICODE_STRING64;
- typedef struct
- {
- DWORD MaximumLength;
- DWORD Length;
- DWORD Flags;
- DWORD DebugFlags;
- PVOID ConsoleHandle;
- DWORD ConsoleFlags;
- PVOID StandardInput;
- PVOID StandardOutput;
- PVOID StandardError;
- //////////////////////////
- UNICODE_STRING DosPath; //CurrentDirectory
- HANDLE Handle;
- //////////////////////////
- UNICODE_STRING DllPath;
- UNICODE_STRING ImagePathName;
- UNICODE_STRING CmdLine;
- //……
- }_RTL_USER_PROCESS_PARAMETERS;
- typedef struct
- {
- DWORD MaximumLength;
- DWORD Length;
- DWORD Flags;
- DWORD DebugFlags;
- PVOID64 ConsoleHandle;
- DWORD ConsoleFlags;
- PVOID64 StandardInput;
- PVOID64 StandardOutput;
- PVOID64 StandardError;
- //////////////////////////
- UNICODE_STRING64 DosPath;//CurrentDirectory
- HANDLE Handle;
- //////////////////////////
- UNICODE_STRING64 DllPath;
- UNICODE_STRING64 ImagePathName;
- UNICODE_STRING64 CmdLine;
- //……
- }_RTL_USER_PROCESS_PARAMETERS64;
- // end_ntddk end_ntifs
- typedef struct _PROCESS_BASIC_INFORMATION64 {
- PVOID64 Reserved1;
- PVOID64 PebBaseAddress;
- PVOID64 Reserved2[2];
- PVOID64 UniqueProcessId;
- PVOID64 Reserved3;
- } PROCESS_BASIC_INFORMATION64,*PPROCESS_BASIC_INFORMATION64;
- typedef LONG (WINAPI *TNtQueryInformationProcess)(HANDLE,UINT,PVOID,ULONG,PULONG);
- typedef LONG (WINAPI *TNtReadVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
- typedef LONG (WINAPI *TNtReadVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress, PVOID Buffer, UINT64 NumberOfBytesToRead, PUINT64 NumberOfBytesReaded);
- //////////////////////////////////////////////////////////////////////////
- typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
- BOOL IsWow64()
- {
- BOOL bIsWow64 = FALSE;
- LPFN_ISWOW64PROCESS
- fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
- GetModuleHandle("kernel32"),"IsWow64Process");
- if (NULL != fnIsWow64Process)
- {
- if (!fnIsWow64Process(GetCurrentProcess(),&bIsWow64))
- {
- // handle error
- }
- }
- return bIsWow64;
- }
复制代码 |
|