获取给定进程的 STARTUPINFO

是否有可能获取另一个正在运行的进程的启动信息？我想找出它的命令行参数、它是否应以最小化/最大化方式运行、在哪个目录中启动、是否以管理员身份运行等。

您需要从远程进程读取 RTL_USER_PROCESS_PARAMETERS。可以这样做：

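 /**
 * Copy the command line of another process out of its
 * RTL_USER_PROCESS_PARAMETERS block.
 *
 * @param pcid        CLIENT_ID of the target process.
 * @param CommandLine Receives the command line. When the remote command line is
 *                    non-empty and everything succeeds, Buffer is a NUL-terminated
 *                    copy allocated with LocalAlloc(0, ...) and owned by the caller
 *                    (release with LocalFree). When the remote command line is empty,
 *                    and on every failure path, Buffer is NULL and Length /
 *                    MaximumLength are 0, so the caller may always call
 *                    LocalFree(CommandLine->Buffer) without checking the status.
 * @return NTSTATUS: >= 0 on success, a failure status otherwise.
 *
 * The target is opened with PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, its PEB is
 * located via ProcessBasicInformation, and PEB->ProcessParameters is followed with
 * two ZwReadVirtualMemory calls (pointer, then the block it points at).
 *
 * NOTE: every value read here lives in the target's own address space and can be
 * rewritten by the target at any time, so the result is informational only and must
 * not be used as an authoritative record of how the process was started. The lengths
 * read from the remote UNICODE_STRING are therefore validated before they are used
 * to size the allocation and the copy.
 */
NTSTATUS GetProcessParameters(PCLIENT_ID pcid, PUNICODE_STRING CommandLine)
{
    static OBJECT_ATTRIBUTES zoa = { sizeof(zoa) };
    HANDLE hProcess;
    NTSTATUS status;
    PROCESS_BASIC_INFORMATION pbi;
    _RTL_USER_PROCESS_PARAMETERS ProcessParameters, *pv;
    ULONG cb;
    PWSTR buf;

    /* Always hand back a well-defined empty string first: the original left the
     * out-parameter untouched when the remote command line was empty, which made the
     * caller's LocalFree(CommandLine.Buffer) free an uninitialised pointer. */
    CommandLine->Length = 0;
    CommandLine->MaximumLength = 0;
    CommandLine->Buffer = NULL;

    status = ZwOpenProcess(&hProcess, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &zoa, pcid);
    if (0 > status) {
        return status;
    }

    status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0);
    if (0 > status) {
        goto done;
    }

    /* PEB->ProcessParameters is a pointer stored in the remote address space:
     * fetch the pointer value, then the RTL_USER_PROCESS_PARAMETERS it refers to. */
    status = ZwReadVirtualMemory(hProcess, &pbi.PebBaseAddress->ProcessParameters, &pv, sizeof(pv), 0);
    if (0 > status) {
        goto done;
    }
    status = ZwReadVirtualMemory(hProcess, pv, &ProcessParameters, sizeof(ProcessParameters), 0);
    if (0 > status) {
        goto done;
    }

    cb = ProcessParameters.CommandLine.Length;
    if (cb == 0) {
        /* Empty command line: success, CommandLine stays the empty string set above. */
        goto done;
    }

    /* Length is a byte count of WCHARs and comes from memory the target controls:
     * reject an odd length (would put the terminator at a misaligned offset) and a
     * length whose terminated size does not fit in the USHORT MaximumLength. */
    if ((cb & 1) != 0 || cb + sizeof(WCHAR) > 0xFFFFu) {
        status = STATUS_INVALID_PARAMETER;
        goto done;
    }

    buf = (PWSTR)LocalAlloc(0, cb + sizeof(WCHAR));
    if (buf == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    status = ZwReadVirtualMemory(hProcess, ProcessParameters.CommandLine.Buffer, buf, cb, 0);
    if (0 > status) {
        /* CommandLine->Buffer is still NULL, so the caller sees no dangling pointer. */
        LocalFree(buf);
        goto done;
    }

    /* Terminate the copy so it is usable both as a UNICODE_STRING (%wZ) and as a
     * plain NUL-terminated wide string. */
    *(PWSTR)RtlOffsetToPointer(buf, cb) = 0;
    CommandLine->Buffer = buf;
    CommandLine->Length = (USHORT)cb;
    CommandLine->MaximumLength = (USHORT)(cb + sizeof(WCHAR));

done:
    ZwClose(hProcess);
    return status;
}

/* Usage: `cid` is the CLIENT_ID of the process of interest. Because the function
 * always leaves CommandLine in a defined state, LocalFree on Buffer is safe even
 * when the remote command line was empty (LocalFree(NULL) is a no-op). */
UNICODE_STRING CommandLine;
if (0 <= GetProcessParameters(&cid, &CommandLine)) {
    DbgPrint("CommandLine=%wZ\n", &CommandLine);
    LocalFree(CommandLine.Buffer);
}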