C# 波尔·宾赫里山德尔, uint-dwProcessId); [DllImport(“kernel32.dll”)] [返回:Marshallas(UnmanagedType.Bool)] 公共静态外部bool ReadProcessMemory( IntP
波尔·宾赫里山德尔, uint-dwProcessId); [DllImport(“kernel32.dll”)] [返回:Marshallas(UnmanagedType.Bool)] 公共静态外部bool ReadProcessMemory( IntPtr hProcess、IntPtr lpBaseAddress、IntPtr lpBuffer、, uint nSize,out uint lpNumberOfBytesRead); [DllImport(“kernel32.dll”)] [返回:Marshallas(UnmanagedType.Bool)] 公共静态外部布尔闭合手柄(IntPtr hObject); [DllImport(“shell32.dll”,SetLastError=true, CharSet=CharSet.Unicode,EntryPoint=“CommandLineToArgvW”)] 公共静态外部IntPtr命令行到argv(字符串lpCmdLine,out int pNumArgs); } 私有静态bool ReadStructFromProcessMemory( IntPtr hProcess、IntPtr lpBaseAddress、out TStruct val) { val=默认值; var structSize=Marshal.SizeOf(); var mem=Marshal.AllocHGlobal(structSize); 尝试 { 如果(Win32Native.ReadProcessMemory( hProcess,lpBaseAddress,mem,(uint)structSize,out var len)&& (len==structSize)) { val=Marshal.PtrToStructure(mem); 返回true; } } 最后 { 弗里赫全球元帅(mem); } 返回false; } 公共静态字符串ErrorToString(整数错误)=> 新字符串[] { “成功”, “无法打开进程进行读取”, “无法查询流程信息”, “PEB地址为空”, “未能读取PEB信息”, “无法读取进程参数”, “无法从进程中读取命令行” }[Math.Abs(错误)]; 公共静态整型检索(进程,输出字符串命令行) { int rc=0; 命令行=null; var hProcess=Win32Native.OpenProcess( Win32Native.OpenProcessDesiredAccessFlags.PROCESS\u查询\u信息| Win32Native.OpenProcessDesiredAccessFlags.PROCESS\u VM\u READ,false,(uint)PROCESS.Id); if(hProcess!=IntPtr.Zero) { 尝试 { var sizePBI=Marshal.SizeOf(); var memPBI=Marshal.AllocHGlobal(sizePBI); 尝试 { var ret=Win32Native.NtQueryInformationProcess( hProcess,Win32Native.PROCESS\u基本信息,memPBI, (uint)sizePBI,out var len); 如果(0==ret) { var pbiInfo=Marshal.PtrToStructure(memPBI); if(pbiInfo.PebBaseAddress!=IntPtr.Zero) { 如果(ReadStructFromProcessMemory,HPProcess, pbiInfo.PebBaseAddress,out var pebInfo)) { if(ReadStructFromProcessMemory( hProcess,pebInfo.ProcessParameters,out var ruppInfo)) { var clLen=ruppInfo.CommandLine.MaximumLength; var memCL=Marshal.AllocHGlobal(clLen); 尝试 { 如果是Win32Native.ReadProcessMemory(HPProcess, ruppInfo.CommandLine.Buffer、memCL、clLen、out len) { 命令行=Marshal.PtrToStringUni(memCL); rc=0; } 其他的 { //无法读取命令行缓冲区 rc=-6; } } 最后 { 弗里赫全球元帅(memCL); } } 其他的 { //无法读取进程参数 rc=-5; } } 其他的 { //无法读取PEB信息 rc=-4; } } 其他的 { //PebBaseAddress为空 rc=-3; } } 其他的 { //NtQueryInformationProcess失败 rc=-2; } } 最后 { 弗里赫全球元帅(memPBI); } } 最后 { Win32Native.CloseHandle(hProcess); } } 其他的 { //无法打开VM读取的进程 rc=-1; } 返回rc; } 公共静态IReadOnlyList命令行到args(字符串命令行) { if(string.IsNullOrEmpty(commandLine)){return Array.Empty();} var argv=Win32Native.CommandLineToArgv(commandLine,out var argc); 如果(argv==IntPtr.Zero) { 抛出新的Win32Exception(Marshal.GetLastWin32Error()); } 尝试 { var args=新字符串[argc]; 对于(变量i=0;iC# 波尔·宾赫里山德尔, uint-dwProcessId); [DllImport(“kernel32.dll”)] [返回:Marshallas(UnmanagedType.Bool)] 公共静态外部bool ReadProcessMemory( IntP,c#,.net,C#,.net,波尔·宾赫里山德尔, uint-dwProcessId); [DllImport(“kernel32.dll”)] [返回:Marshallas(UnmanagedType.Bool)] 公共静态外部bool ReadProcessMemory( IntPtr hProcess、IntPtr lpBaseAddress、IntPtr lpBuffer、, uint nSize,out uint lpNumberOfBytesRead); [DllImport(“kernel32.dll”)] [
private static void Main()
{
foreach (var process in Process.GetProcesses())
{
try
{
Console.WriteLine(process.GetCommandLine());
}
catch (Win32Exception ex) when ((uint)ex.ErrorCode == 0x80004005)
{
// Intentionally empty - no security access to the process.
}
catch (InvalidOperationException)
{
// Intentionally empty - the process exited before getting details.
}
}
}
private static string GetCommandLine(this Process process)
{
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher("SELECT CommandLine FROM Win32_Process WHERE ProcessId = " + process.Id))
using (ManagementObjectCollection objects = searcher.Get())
{
return objects.Cast<ManagementBaseObject>().SingleOrDefault()?["CommandLine"]?.ToString();
}
}
static void Main(string[] args)
{
if (args.Contains(StartProcessesSwitch))
StartProcesses(GetFileWithArgs(args))
else
WriteArgsToFile();
//Run Program normally
}
void button_click(object sender, ButtonClickEventArgs e)
{
ShutDownAllMyProcesses()
}
void ShutDownAllMyProcesses()
{
List<Process> processes = GetMyProcesses();
foreach (Process p in processes)
{
if (p != Process.GetCurrentProcess())
p.Kill(); //or whatever you need to do to close
}
ProcessStartInfo psi = new ProcessStartInfo();
psi.Arguments = CreateArgsWithFile();
psi.FileName = "<your application here>";
Process p = new Process();
p.StartInfo = psi;
p.Start();
CloseAppplication();
}
class Program
{
static void Main(string[] args)
{
Process[] processes = Process.GetProcessesByName("job Test");
for (int p = 0; p < processes.Length; p++)
{
String[] arguments = CommandLineUtilities.getCommandLinesParsed(processes[p]);
}
System.Threading.Thread.Sleep(10000);
}
}
public abstract class CommandLineUtilities
{
public static String getCommandLines(Process processs)
{
ManagementObjectSearcher commandLineSearcher = new ManagementObjectSearcher(
"SELECT CommandLine FROM Win32_Process WHERE ProcessId = " + processs.Id);
String commandLine = "";
foreach (ManagementObject commandLineObject in commandLineSearcher.Get())
{
commandLine+= (String)commandLineObject["CommandLine"];
}
return commandLine;
}
public static String[] getCommandLinesParsed(Process process)
{
return (parseCommandLine(getCommandLines(process)));
}
/// <summary>
/// This routine parses a command line to an array of strings
/// Element zero is the program name
/// Command line arguments fill the remainder of the array
/// In all cases the values are stripped of the enclosing quotation marks
/// </summary>
/// <param name="commandLine"></param>
/// <returns>String array</returns>
public static String[] parseCommandLine(String commandLine)
{
List<String> arguments = new List<String>();
Boolean stringIsQuoted = false;
String argString = "";
for (int c = 0; c < commandLine.Length; c++) //process string one character at a tie
{
if (commandLine.Substring(c, 1) == "\"")
{
if (stringIsQuoted) //end quote so populate next element of list with constructed argument
{
arguments.Add(argString);
argString = "";
}
else
{
stringIsQuoted = true; //beginning quote so flag and scip
}
}
else if (commandLine.Substring(c, 1) == "".PadRight(1))
{
if (stringIsQuoted)
{
argString += commandLine.Substring(c, 1); //blank is embedded in quotes, so preserve it
}
else if (argString.Length > 0)
{
arguments.Add(argString); //non-quoted blank so add to list if the first consecutive blank
}
}
else
{
argString += commandLine.Substring(c, 1); //non-blan character: add it to the element being constructed
}
}
return arguments.ToArray();
}
}
[DllImport("ProcCmdLine32.dll", CharSet = CharSet.Unicode, EntryPoint = "GetProcCmdLineW")]
public extern static int GetProcCmdLine32W(uint nProcId, StringBuilder sb, uint dwSizeBuf);
[DllImport("ProcCmdLine64.dll", CharSet = CharSet.Unicode, EntryPoint = "GetProcCmdLineW")]
public extern static int GetProcCmdLine64W(uint nProcId, StringBuilder sb, uint dwSizeBuf);
public static string GetCommandLineOfProcessW(Process proc)
{
var sb = new StringBuilder(capacity: 0xFFFF);
var rc = -1;
switch (IntPtr.Size)
{
case 4:
rc = Win32Native.GetProcCmdLine32W((uint)proc.Id, sb, (uint)sb.Capacity);
break;
case 8:
rc = Win32Native.GetProcCmdLine64W((uint)proc.Id, sb, (uint)sb.Capacity);
break;
}
return (0 == rc) ? sb.ToString() : throw new Win32Exception(rc, ErrorToString(rc));
}
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
public static class ProcessCommandLine
{
private static class Win32Native
{
public const uint PROCESS_BASIC_INFORMATION = 0;
[Flags]
public enum OpenProcessDesiredAccessFlags : uint
{
PROCESS_VM_READ = 0x0010,
PROCESS_QUERY_INFORMATION = 0x0400,
}
[StructLayout(LayoutKind.Sequential)]
public struct ProcessBasicInformation
{
public IntPtr Reserved1;
public IntPtr PebBaseAddress;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public IntPtr[] Reserved2;
public IntPtr UniqueProcessId;
public IntPtr Reserved3;
}
[StructLayout(LayoutKind.Sequential)]
public struct UnicodeString
{
public ushort Length;
public ushort MaximumLength;
public IntPtr Buffer;
}
// This is not the real struct!
// I faked it to get ProcessParameters address.
// Actual struct definition:
// https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
[StructLayout(LayoutKind.Sequential)]
public struct PEB
{
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public IntPtr[] Reserved;
public IntPtr ProcessParameters;
}
[StructLayout(LayoutKind.Sequential)]
public struct RtlUserProcessParameters
{
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public byte[] Reserved1;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
public IntPtr[] Reserved2;
public UnicodeString ImagePathName;
public UnicodeString CommandLine;
}
[DllImport("ntdll.dll")]
public static extern uint NtQueryInformationProcess(
IntPtr ProcessHandle,
uint ProcessInformationClass,
IntPtr ProcessInformation,
uint ProcessInformationLength,
out uint ReturnLength);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(
OpenProcessDesiredAccessFlags dwDesiredAccess,
[MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
uint dwProcessId);
[DllImport("kernel32.dll")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool ReadProcessMemory(
IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer,
uint nSize, out uint lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("shell32.dll", SetLastError = true,
CharSet = CharSet.Unicode, EntryPoint = "CommandLineToArgvW")]
public static extern IntPtr CommandLineToArgv(string lpCmdLine, out int pNumArgs);
}
private static bool ReadStructFromProcessMemory<TStruct>(
IntPtr hProcess, IntPtr lpBaseAddress, out TStruct val)
{
val = default;
var structSize = Marshal.SizeOf<TStruct>();
var mem = Marshal.AllocHGlobal(structSize);
try
{
if (Win32Native.ReadProcessMemory(
hProcess, lpBaseAddress, mem, (uint)structSize, out var len) &&
(len == structSize))
{
val = Marshal.PtrToStructure<TStruct>(mem);
return true;
}
}
finally
{
Marshal.FreeHGlobal(mem);
}
return false;
}
public static string ErrorToString(int error) =>
new string[]
{
"Success",
"Failed to open process for reading",
"Failed to query process information",
"PEB address was null",
"Failed to read PEB information",
"Failed to read process parameters",
"Failed to read command line from process"
}[Math.Abs(error)];
public static int Retrieve(Process process, out string commandLine)
{
int rc = 0;
commandLine = null;
var hProcess = Win32Native.OpenProcess(
Win32Native.OpenProcessDesiredAccessFlags.PROCESS_QUERY_INFORMATION |
Win32Native.OpenProcessDesiredAccessFlags.PROCESS_VM_READ, false, (uint)process.Id);
if (hProcess != IntPtr.Zero)
{
try
{
var sizePBI = Marshal.SizeOf<Win32Native.ProcessBasicInformation>();
var memPBI = Marshal.AllocHGlobal(sizePBI);
try
{
var ret = Win32Native.NtQueryInformationProcess(
hProcess, Win32Native.PROCESS_BASIC_INFORMATION, memPBI,
(uint)sizePBI, out var len);
if (0 == ret)
{
var pbiInfo = Marshal.PtrToStructure<Win32Native.ProcessBasicInformation>(memPBI);
if (pbiInfo.PebBaseAddress != IntPtr.Zero)
{
if (ReadStructFromProcessMemory<Win32Native.PEB>(hProcess,
pbiInfo.PebBaseAddress, out var pebInfo))
{
if (ReadStructFromProcessMemory<Win32Native.RtlUserProcessParameters>(
hProcess, pebInfo.ProcessParameters, out var ruppInfo))
{
var clLen = ruppInfo.CommandLine.MaximumLength;
var memCL = Marshal.AllocHGlobal(clLen);
try
{
if (Win32Native.ReadProcessMemory(hProcess,
ruppInfo.CommandLine.Buffer, memCL, clLen, out len))
{
commandLine = Marshal.PtrToStringUni(memCL);
rc = 0;
}
else
{
// couldn't read command line buffer
rc = -6;
}
}
finally
{
Marshal.FreeHGlobal(memCL);
}
}
else
{
// couldn't read ProcessParameters
rc = -5;
}
}
else
{
// couldn't read PEB information
rc = -4;
}
}
else
{
// PebBaseAddress is null
rc = -3;
}
}
else
{
// NtQueryInformationProcess failed
rc = -2;
}
}
finally
{
Marshal.FreeHGlobal(memPBI);
}
}
finally
{
Win32Native.CloseHandle(hProcess);
}
}
else
{
// couldn't open process for VM read
rc = -1;
}
return rc;
}
public static IReadOnlyList<string> CommandLineToArgs(string commandLine)
{
if (string.IsNullOrEmpty(commandLine)) { return Array.Empty<string>(); }
var argv = Win32Native.CommandLineToArgv(commandLine, out var argc);
if (argv == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
try
{
var args = new string[argc];
for (var i = 0; i < args.Length; ++i)
{
var p = Marshal.ReadIntPtr(argv, i * IntPtr.Size);
args[i] = Marshal.PtrToStringUni(p);
}
return args.ToList().AsReadOnly();
}
finally
{
Marshal.FreeHGlobal(argv);
}
}
}
string cmdline = File.ReadAllText( $"/proc/{ process.Id }/cmdline" );