在执行快照的快照之后,如何获取所有进程的完整命令行?
[英]How can I get the full command line of all the processes after doing a process walk of the snapshot?
问题描述
So, my goal is to get the full command line of all the currently running processes. 
因此,我的目标是获取所有当前正在运行的进程的完整命令行。 Towards that what I do is take a snapshot of processes using the CreateToolhelp32Snapshot API and then do a process walk to store the PROCESSENTRY32 type processes in an array called process_list : 为此,我要做的是使用CreateToolhelp32Snapshot API CreateToolhelp32Snapshot流程的快照,然后执行流程遍历以将PROCESSENTRY32类型的流程存储在名为process_list的数组中:
BOOL GetProcessList( FILE *f, PROCESSENTRY32* process_list, int process_count)
{
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 pe32;
DWORD dwPriorityClass;
hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
// Set the size of the structure before using it.
pe32.dwSize = sizeof( PROCESSENTRY32 );
// Retrieve information about the first process,
// and exit if unsuccessful
if( !Process32First( hProcessSnap, &pe32 ) )
{
CloseHandle( hProcessSnap ); // clean the snapshot object
return( FALSE );
}
// Now walk the snapshot of processes, and
// display information about each process in turn
int i = 0;
do
{
// Retrieve the priority class.
dwPriorityClass = 0;
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, pe32.th32ProcessID );
if( hProcess == NULL ) { }
else
{
dwPriorityClass = GetPriorityClass( hProcess );
if( !dwPriorityClass )
CloseHandle( hProcess );
}
process_list[i] = pe32;
i++;
} while( Process32Next( hProcessSnap, &pe32 ) && i <= process_count);
CloseHandle( hProcessSnap );
return( TRUE );
}
Now, is it possible to traverse this array of processes and gather the full command line of each of the processes? 现在,是否可以遍历此进程数组并收集每个进程的完整命令行? How can I do that? 我怎样才能做到这一点?
If it is important, I will be compiling the code as a 64bit process and would need the full command line for all the processes running on the host machine. 如果重要的话,我会将代码编译为64位进程,并且需要主机上运行的所有进程的完整命令行。
2 个解决方案
解决方案1
4 已采纳 2014-02-22 03:09:06
For each Process ID: 对于每个进程ID:
use
OpenProcess()to get aHANDLEto the process.使用OpenProcess()获取处理的HANDLE。then use
QueryFullProcessImageName(),GetProcessImageFileName(), orGetModuleFileNameExto get the path and filename of the process.然后使用QueryFullProcessImageName(),GetProcessImageFileName()或GetModuleFileNameEx来获取进程的路径和文件名。then use
NtQueryInformationProcess()to retrieve the address of the process'sPEBstructure, which contains aProcessParametersmember containing the command-line arguments for the process (you can also get the image path from thePEBas well).然后使用NtQueryInformationProcess()来检索进程的PEB结构的地址,该地址包含一个ProcessParameters成员,该成员包含该进程的命令行参数(您也可以从PEB获取图像路径)。 UseReadProcessMemory()to read the contents of thePEB.使用ReadProcessMemory()读取PEB的内容。
Have a look at the following article for more details: 请查看以下文章以了解更多详细信息:
Get Process Info with NtQueryInformationProcess 使用NtQueryInformationProcess获取流程信息
解决方案2
0 2019-09-19 15:50:38
There are some good examples of how to do this with NtQueryInformationProcess(), but it's ugly. 关于如何使用NtQueryInformationProcess()做到这一点,有一些很好的例子,但这很丑陋。 WMI can be slow, but it's as simple as this: WMI可能很慢,但是它很简单:
string cmdLine = string.Empty;
try
{
// Searcher.Get() throws an exception if process is protected or has exited already, so this is inside a try-catch
var searcher = new ManagementObjectSearcher("SELECT CommandLine FROM Win32_Process WHERE ProcessId = " + processId.ToString());
ManagementObjectCollection moc = searcher.Get();
searcher.Dispose();
foreach (ManagementObject item in moc) // should only be one item
{
cmdLine = item["CommandLine"].ToString();
}
}
catch
{
// write an error
}
return cmdLine;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.