可以使用 WMI（Win32_Process 类的 CommandLine 属性）获取指定进程的启动命令行。注意：查询其他用户或更高完整性级别进程的命令行通常需要管理员权限，否则 CommandLine 可能为 NULL，调用方必须检查返回值并处理这种情况；另外不要把来自不可信来源的字符串直接拼接进 WQL 语句。

代码示例:

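// Runs a WQL query against the local ROOT\CIMV2 namespace and copies the string
// value of property `Key` from the returned object(s) into `outBuf`.
//
// SQL      complete WQL statement, e.g.
//          L"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1234".
//          The caller builds it; only interpolate numeric values and never splice
//          caller-controlled strings into WQL.
// Key      property to read from each returned object (e.g. L"CommandLine").
// outBuf   receives the value converted with wcstombs_s (current C locale / ANSI
//          code page); always NUL-terminated when bufSize > 0, truncated to
//          bufSize-1 characters if the value is longer.
// bufSize  size of outBuf in bytes.
//
// Returns true only when at least one object was returned and its `Key` property
// was a string that was copied into outBuf. Returns false on any COM/WMI failure,
// when no object matched, or when the property is NULL/non-string — Win32_Process
// .CommandLine is typically NULL for processes the caller is not permitted to
// inspect, so callers must not assume outBuf holds data unless this returns true.
// If several objects match, outBuf ends up holding the last one (as before).
bool SelectQuerySQL(LPCWSTR SQL, LPCWSTR Key, OUT char* outBuf, IN size_t bufSize)
{
    if (outBuf == nullptr || bufSize == 0 || SQL == nullptr || Key == nullptr)
    {
        return false;
    }
    outBuf[0] = '\0'; // never hand uninitialised bytes back to the caller

    // Releases every COM interface and balances CoInitializeEx on every exit
    // path; replaces the repeated Release()/CoUninitialize() ladder.
    struct ComScope
    {
        IWbemLocator* loc = nullptr;
        IWbemServices* svc = nullptr;
        IEnumWbemClassObject* en = nullptr;
        bool uninit = false;
        ~ComScope()
        {
            if (en) en->Release();
            if (svc) svc->Release();
            if (loc) loc->Release();
            if (uninit) CoUninitialize();
        }
    } scope;

    // The original called CoUninitialize() *before* CoInitializeEx, which drops a
    // COM reference the caller owns and can tear down COM under the caller's feet.
    HRESULT hRes = CoInitializeEx(nullptr, COINIT_MULTITHREADED);
    if (hRes == RPC_E_CHANGED_MODE)
    {
        // COM is already initialised on this thread in a different apartment
        // model; WMI works from an STA too, so continue without owning the init.
    }
    else if (FAILED(hRes))
    {
        return false;
    }
    else
    {
        scope.uninit = true;
    }

    // CoInitializeSecurity may be called only once per process. RPC_E_TOO_LATE
    // means the host already did it and must not be treated as a failure.
    hRes = CoInitializeSecurity(nullptr, -1, nullptr, nullptr,
                                RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE,
                                nullptr, EOAC_NONE, nullptr);
    if (FAILED(hRes) && hRes != RPC_E_TOO_LATE)
    {
        return false;
    }

    hRes = CoCreateInstance(CLSID_WbemLocator, nullptr, CLSCTX_INPROC_SERVER,
                            IID_IWbemLocator, reinterpret_cast<LPVOID*>(&scope.loc));
    if (FAILED(hRes))
    {
        return false;
    }

    // Local namespace, current credentials; no user/password/authority supplied.
    hRes = scope.loc->ConnectServer(_bstr_t(L"ROOT\\CIMV2"), nullptr, nullptr, nullptr,
                                    0, nullptr, nullptr, &scope.svc);
    if (FAILED(hRes))
    {
        return false;
    }

    // Per-call authentication with impersonation, as in the Microsoft WMI samples.
    // This is a local connection; a remote namespace would warrant
    // RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
    hRes = CoSetProxyBlanket(scope.svc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, nullptr,
                             RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE,
                             nullptr, EOAC_NONE);
    if (FAILED(hRes))
    {
        return false;
    }

    hRes = scope.svc->ExecQuery(bstr_t("WQL"), bstr_t(SQL),
                                WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
                                nullptr, &scope.en);
    if (FAILED(hRes))
    {
        return false;
    }

    bool copied = false;
    for (;;)
    {
        IWbemClassObject* obj = nullptr;
        ULONG got = 0;
        hRes = scope.en->Next(WBEM_INFINITE, 1, &obj, &got);
        if (FAILED(hRes) || got == 0)
        {
            break;
        }

        VARIANT value;
        VariantInit(&value); // Get() may fail and leave it untouched; VariantClear needs a valid VARIANT
        const HRESULT hr = obj->Get(Key, 0, &value, nullptr, nullptr);

        // Only VT_BSTR carries a string. VT_NULL is common (property absent or
        // access denied); dereferencing bstrVal in that case was a null deref.
        if (SUCCEEDED(hr) && value.vt == VT_BSTR && value.bstrVal != nullptr)
        {
            // _TRUNCATE clips to bufSize-1 chars plus NUL. The original passed
            // bufSize as the count, which invokes the invalid-parameter handler
            // (abort by default) whenever the value does not fit.
            const errno_t rc = wcstombs_s(nullptr, outBuf, bufSize, value.bstrVal, _TRUNCATE);
            if (rc == 0 || rc == STRUNCATE)
            {
                copied = true;
            }
            else
            {
                outBuf[0] = '\0'; // e.g. EILSEQ: do not leave a partial conversion behind
                copied = false;
            }
        }

        VariantClear(&value);
        obj->Release();
    }
    return copied;
}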

使用方法:

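    // Only `pid` is interpolated into the WQL text; assuming it is an integer
    // there is no injection surface. Never splice caller-controlled strings in.
    // 1024 bytes is ample for typical command lines; longer values are truncated
    // by the query function rather than returned in full.
    std::string commandLine;
    commandLine.resize(1024);
    const bool ok = SelectQuerySQL(
        std::format(L"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {}", pid).c_str(),
        L"CommandLine", commandLine.data(), commandLine.size());
    // resize(1024) left the string padded with NULs; shrink it to the C string the
    // query wrote so size(), comparisons and logging see the real value.
    const std::string::size_type end = commandLine.find('\0');
    if (end != std::string::npos)
    {
        commandLine.resize(end);
    }
    if (!ok)
    {
        // No result, access denied (CommandLine is NULL for processes this
        // account may not inspect) or a COM/WMI failure: don't use stale bytes.
        commandLine.clear();
    }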