// Prints the "current" command line of the given process.
// "Current" because the original command line can be modified by one of the
// target's own threads (argument parsing, etc.); for example, the strings
// returned by GetCommandLineA and GetCommandLineW may differ.
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
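// Which GetCommandLine variant the target is asked to call, and how the
// resulting characters are echoed. WLINE selects the wide-character path.
#define DLLName _T("KERNEL32.DLL")
#ifdef WLINE
#define APIName _T("GetCommandLineW")
#define XCHAR WCHAR
#define putsign putwchar
#else
#define APIName _T("GetCommandLineA")
#define XCHAR CHAR
#define putsign putchar
#endif
// Passed to LoadAndCall; the original comment says this is needed because a
// Win32 process on 9x may not have KERNEL32.dll mapped. Semantics are defined
// by ApiHooks.h - verify there before changing.
#define OneTime 1

// Privilege number for SeDebugPrivilege as understood by RtlAdjustPrivilege.
// Not exposed by the public SDK headers, hence the literal.
static const DWORD kSeDebugPrivilege = 20;

// Hard upper bound on the characters copied out of the target. CreateProcess
// caps a command line at 32767 characters, so a longer "string" means the
// pointer we were handed is not a NUL-terminated command line and we must not
// keep walking the target's address space looking for a terminator.
static const int kMaxCommandLineChars = 32767;

// ntdll!RtlAdjustPrivilege(Privilege, Enable, CurrentThread, PreviousState).
typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);

// Enables or disables SeDebugPrivilege in this process's token via the
// undocumented ntdll export (ApiHooks 3.8+ no longer does this for us).
// The privilege is needed by PrcWorks when ProcessName contains a path and by
// OpenProcess below. On success returns TRUE and stores the previous state in
// *previousState so the caller can restore it. Returns FALSE when the export
// cannot be resolved or the call reports a non-zero NTSTATUS (e.g. the token
// does not hold the privilege because we are not elevated); that is not fatal,
// OpenProcess may still succeed on processes we own.
static BOOL AdjustDebugPrivilege(BOOL enable, BYTE* previousState) {
    HINSTANCE ntdll = GetModuleHandle(_T("NTDLL.DLL"));
    if(!ntdll)
        return FALSE;
    TRAP adjust = (TRAP)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    if(!adjust)
        return FALSE;
    // Third argument 0: adjust the process token, not an impersonation token.
    // NTSTATUS 0 is STATUS_SUCCESS.
    return adjust(kSeDebugPrivilege, enable, 0, previousState) == 0;
}

// Copies the NUL-terminated XCHAR string at remoteAddr out of the target one
// character at a time and echoes it to stdout. Stops at the first NUL, the
// first unreadable address, or after kMaxCommandLineChars characters,
// whichever comes first.
// NOTE(review): the bytes originate in another process and are printed
// unmodified; a hostile target can put control characters in its command line.
static void PrintRemoteString(HANDLE process, DWORD remoteAddr) {
    for(int i = 0; i < kMaxCommandLineChars; i++) {
        XCHAR ch;
        // ReadProcessMemory fails as a whole if the region is not readable.
        if(!ReadProcessMemory(process, (XCHAR*)remoteAddr + i, &ch, sizeof(ch), NULL))
            break;
        if(ch == '\0')
            break;
        putsign(ch);
    }
}

// Entry point. argv[1] is the target process name; environment variables in
// it (e.g. %SystemRoot%) are expanded before the lookup.
//
// Flow: enable SeDebugPrivilege -> resolve the PID -> have the target itself
// call GetCommandLineA/W through LoadAndCall, so we get the string the target
// currently holds rather than the one it was started with -> read that string
// out with ReadProcessMemory -> print it. Always waits for a key before
// returning so the output stays visible.
//
// This tool is 32-bit only: LoadAndCall returns the remote pointer as a DWORD
// and it is compared against a truncated HMODULE below.
VOID _tmain(int argc, TCHAR** argv) {
    if(argc != 2) {
        _tprintf(_T("Usage: %s <ProcessName>"), argv[0]);
    } else {
        TCHAR processName[MAX_PATH];
        // ExpandEnvironmentStrings returns 0 on failure and the required size
        // (including the NUL) when the buffer is too small; in that case the
        // buffer holds a truncated name, so refuse it instead of looking up
        // (and attaching to) the wrong process.
        DWORD needed = ExpandEnvironmentStrings(argv[1], processName, MAX_PATH);
        if(needed == 0 || needed > MAX_PATH) {
            _tprintf(_T("Can't expand %s (too long?)!"), argv[1]);
        } else {
            // Default TRUE so that we never "restore" a state we did not read.
            BYTE privWasEnabled = TRUE;
            BOOL privAdjusted = AdjustDebugPrivilege(TRUE, &privWasEnabled);

            DWORD pid = ProcessName2PID(processName);
            if(pid == PW_SESERROR || pid == PW_PIDERROR || pid == PW_MEMERROR) {
                _tprintf(_T("Can't find %s!"), argv[1]);
            } else {
                // GetCommandLine is the API which can be called by LoadAndCall.
                DWORD clAddress = LoadAndCall(NULL, DLLName, pid, INFINITE, OneTime, APIName, 0, NULL);
                // Values >= ErrorAHMin are ApiHooks error codes. If the export
                // cannot be found in KERNEL32.DLL, LoadAndCall yields K32's base
                // instead, which is the same in every process - so compare
                // against our own module handle to detect that case.
                if(clAddress == 0 || clAddress >= ErrorAHMin ||
                   clAddress == (DWORD)GetModuleHandle(DLLName)) {
                    _tprintf(_T("Can't get command line!"));
                } else {
                    // Least access needed to copy the string out.
                    HANDLE process = OpenProcess(PROCESS_VM_READ, FALSE, pid);
                    if(!process) {
                        _tprintf(_T("can't be read!"));
                    } else {
                        _tprintf(_T("Command line for %s:\n"), argv[1]);
                        PrintRemoteString(process, clAddress);
                        CloseHandle(process);
                    }
                }
            }

            // Least privilege: if we turned SeDebugPrivilege on, turn it off
            // again rather than leaving it enabled for the rest of the run.
            if(privAdjusted && !privWasEnabled) {
                BYTE ignored;
                AdjustDebugPrivilege(FALSE, &ignored);
            }
        }
    }
    getch();
}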