Process command line without WMI



I am having trouble reading the command line of a given process directly from the PEB with PowerShell. I am using NtQueryInformationProcess to get the PROCESS_BASIC_INFORMATION data.

# $proc - process handle (opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ)
# information class 0 = ProcessBasicInformation; on success PebBaseAddress points at the target's PEB
if ($NtQueryInformationProcess.Invoke(
  $proc, 0, $PROCESS_BASIC_INFORMATION, [Runtime.InteropServices.Marshal]::SizeOf(
    $PROCESS_BASIC_INFORMATION
  ), [IntPtr]::Zero
) -eq 0) {
  # pointer to RTL_USER_PROCESS_PARAMETERS (PEB.ProcessParameters; 0x10 is the 32-bit offset, 0x20 on 64-bit)
  $ptr = [Runtime.InteropServices.Marshal]::ReadIntPtr($PROCESS_BASIC_INFORMATION.PebBaseAddress, 0x10)
  # address of the CommandLine field of the structure above (0x40 is the 32-bit offset, 0x70 on 64-bit);
  # the field itself is a UNICODE_STRING, so take its address rather than reading a pointer out of it
  $ptr = [IntPtr]($ptr.ToInt64() + 0x40)
  # how to get CommandLine field (UNICODE_STRING structure)?
}

All the pointers are correct, but I don't know how to read the CommandLine field with the Marshal type. Any ideas?
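As an added example (not code from the question or the answer below), here is a complete PowerShell walk of the PEB for a given PID that reads the UNICODE_STRING the question stops at. It reads the other process's memory with ReadProcessMemory rather than Marshal::ReadIntPtr, because Marshal only reads the calling process's address space. The class name PebReader and the functions Read-RemoteBytes and Get-ProcessCommandLineFromPeb are my own; the structure offsets are the documented 32-bit and 64-bit layouts (the question's 0x10 / 0x40 are the 32-bit values). It assumes the caller and the target have the same bitness and that the caller can open the target for PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.

```powershell
# Added example: read a process's command line out of its PEB.
# Assumes same bitness for caller and target (a 32-bit PowerShell cannot walk a 64-bit PEB this way).
if (-not ('PebReader' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class PebReader
{
    // IntPtr for every field reproduces the native alignment on both x86 and x64.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        ref PROCESS_BASIC_INFORMATION processInformation,
        int processInformationLength, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(
        IntPtr processHandle, IntPtr baseAddress, byte[] buffer, int size, out IntPtr bytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
}

function Read-RemoteBytes {
    # Read exactly $Size bytes from $Address in the process behind $Handle.
    param([IntPtr]$Handle, [IntPtr]$Address, [int]$Size)
    $buf = New-Object byte[] $Size
    [IntPtr]$read = [IntPtr]::Zero
    if (-not [PebReader]::ReadProcessMemory($Handle, $Address, $buf, $Size, [ref]$read) -or $read.ToInt64() -ne $Size) {
        throw "ReadProcessMemory failed at 0x$($Address.ToString('X')) (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    return $buf
}

function Get-ProcessCommandLineFromPeb {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010
    $h = [PebReader]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

    try {
        # Information class 0 = ProcessBasicInformation.
        $pbi = New-Object PebReader+PROCESS_BASIC_INFORMATION
        [int]$retLen = 0
        $status = [PebReader]::NtQueryInformationProcess($h, 0, [ref]$pbi,
            [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$retLen)
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }

        $ptrSize = [IntPtr]::Size
        # PEB.ProcessParameters and RTL_USER_PROCESS_PARAMETERS.CommandLine offsets by bitness.
        if ($ptrSize -eq 8) { $procParamsOff = 0x20; $cmdLineOff = 0x70 } else { $procParamsOff = 0x10; $cmdLineOff = 0x40 }

        # PEB.ProcessParameters -> RTL_USER_PROCESS_PARAMETERS*
        $raw = Read-RemoteBytes $h ([IntPtr]($pbi.PebBaseAddress.ToInt64() + $procParamsOff)) $ptrSize
        $procParams = if ($ptrSize -eq 8) { [IntPtr][BitConverter]::ToInt64($raw, 0) } else { [IntPtr][BitConverter]::ToInt32($raw, 0) }

        # CommandLine is a UNICODE_STRING: USHORT Length; USHORT MaximumLength; PWSTR Buffer (pointer-aligned).
        $us = Read-RemoteBytes $h ([IntPtr]($procParams.ToInt64() + $cmdLineOff)) (2 * $ptrSize)
        $length = [BitConverter]::ToUInt16($us, 0)
        $buffer = if ($ptrSize -eq 8) { [IntPtr][BitConverter]::ToInt64($us, $ptrSize) } else { [IntPtr][BitConverter]::ToInt32($us, $ptrSize) }
        if ($length -eq 0 -or $buffer -eq [IntPtr]::Zero) { return '' }

        # Length is in bytes, excludes the terminating NUL, and the data is UTF-16LE.
        $chars = Read-RemoteBytes $h $buffer $length
        return [Text.Encoding]::Unicode.GetString($chars)
    }
    finally {
        [void][PebReader]::CloseHandle($h)
    }
}

# Usage: the running shell's own command line is a convenient check.
Get-ProcessCommandLineFromPeb -ProcessId $PID
```

Two caveats for anyone using this for triage: the PEB belongs to the target process, which can rewrite its own RTL_USER_PROCESS_PARAMETERS after start-up, so a value read this way (or via WMI, which reads the same structure) is a hint to corroborate with process-creation telemetry rather than a trusted record; and reading across bitness (32-bit PowerShell against a 64-bit target, or the reverse) needs the WOW64-specific query paths, which this example deliberately does not attempt.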

Even though the title says "without WMI", I would still suggest using WMI, since it is easier to use. For example, use the Win32_Process WMI class.

Get-WmiObject -Class Win32_Process -Filter "ProcessID = '10708'" | Format-List ProcessID, Name, Path, Commandline
ProcessID   : 10708
Name        : powershell.exe
Path        : C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline : "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -version 2
