--- In [email protected], "Wai" <chunwaih...@...> wrote:
>
> --- In [email protected], "Sheri" <sherip99@> wrote:
> >
> > --- In [email protected], "Wai" <chunwaihome@> wrote:
> > >
> > > --- In [email protected], "brucexs" <bswitzer@> wrote:
> > > >
> > > > --- In [email protected], "Wai" <chunwaihome@> wrote:
> > >
> > >
> I have tested a little; it works wonderfully. Thx
> It is worth adding this function to the file plugin.
I came across a faster method to get a process command line in one of the dll
plugin sample scripts. You can compare them by changing the value of the test
variable:
;Demo: get the command line of the process that owns win.handle("under")
;(presumably the window under the mouse pointer) in two ways and show it.
;test=0 uses EnumProcesses (dll calls, the faster method); any other value
;uses wmic (cmd.exe + wmic, result passed through the clipboard).
local test=0
local cmdln
if (test == 0) do
cmdln=EnumProcesses(win.handle("under").getprocessid)
else
cmdln=wmic(win.handle("under").getprocessid)
endif
win.debugshow(cmdln)
quit
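Function wmic(approcess)
;sheri
;Return the command line of process id approcess using
;"wmic /output:clipboard process <pid> GET commandline".
;The result travels through the clipboard: the current clipboard content is
;saved first and put back before returning (if file.runwait fails the
;clipboard is still restored, but the returned value is whatever was on it).
;If approcess is "" the process id of win.handle("under") is used.
;approcess is spliced into a cmd.exe command line, so it must be a process id
;(a number) - never text taken from an untrusted source.
;Note: the wmic.exe utility is deprecated in current Windows releases.
local clipcontent=clip.get
clip.clear
if (approcess=="")
approcess=win.handle("under").getprocessid ;;was "appprocess": the typo left approcess empty, so wmic ran without a pid
local wmicmd= ;;+
?"/c wmic /output:clipboard process "++approcess++" GET commandline"
file.runwait(0, env("COMSPEC"), wmicmd, "", "hide")
;strip the "CommandLine" column header that wmic prints before the value
local commandline=regex.pcrereplace(?"^CommandLine\x20+",clip.get,"")
clip.set(clipcontent)
quit(commandline)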
Function EnumProcesses(approcess)
;sean and allan
;slight mod by sheri to return commandline for input approcess
;Walk every process id on the system (psapi EnumProcesses) and, for each one
;that can be opened, read the target's command line out of its memory.
;When approcess is a pid its command line is returned via quit(result); when
;approcess is "" every process is dumped with win.debug and nothing is returned.
;Needs SeDebugPrivilege to open other users' processes (i.e. an elevated/admin
;account); without it only the caller's own processes are readable and the
;rest are skipped silently (OpenProcess returns 0).
;The memory-reading trick below assumes a 32-bit kernel32 mapped at the same
;address in every process (no ASLR) - NOTE(review): confirm on the target
;Windows version.
local result
local allpids,npids,pid,pgcl,acl,sExeName,sCmdLine
local hProc,hToken,tp,luidDbg,retSize, dll_status
;default, just in case someone's set up config ini file
static st_ibase = dll.get_base()
;1-based array indexing for allpids[i], acl[1] and tp[1] below
dll.set_base(1)
;enable SeDebugPrivilege on our own token: look up its LUID, build a
;TOKEN_PRIVILEGES struct {count=1, luid, attributes=2 (SE_PRIVILEGE_ENABLED)},
;open the token with TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY (0x20|0x8) and adjust.
;tp is passed as both NewState and PreviousState, so after the call tp holds
;the old state, used to restore it at the end.
dll.call("advapi32|LookupPrivilegeValueA|ui s h* b",0,;;+
"SeDebugPrivilege","luidDbg")
tp=dll.create_struct("ui h ui",1,"luidDbg",2)
dll.call("advapi32|OpenProcessToken|ui ui ui* b",;;+
dll.call("GetCurrentProcess|ui"),0x20|0x8,"hToken")
dll.call("advapi32|AdjustTokenPrivileges|ui i t* ui t* ui* b",;;+
hToken,0,tp,tp.get_size,tp,"retSize")
;npids receives the number of BYTES written, hence npids/4 pids in the loop;
;with more than 1024 processes the excess is dropped without notice
allpids=dll.create_array(1024,"ui")
dll.call("psapi|EnumProcesses|a* ui ui* b",;;+
allpids,allpids.get_size,"npids")
;address of kernel32!GetCommandLineA in this process, reused as its address
;in the target process (see the assumption in the header comment)
pgcl=dll.call("GetProcAddress|ui s ui",;;+
dll.call("GetModuleHandle|s ui","kernel32.dll"),"GetCommandLineA")
acl=dll.create_array(1,"ui")
for(local i=1;i<=npids/4;i++)
pid=allpids[i]
;PROCESS_QUERY_INFORMATION|PROCESS_VM_READ (0x400|0x10); returns 0 for
;processes we are not allowed to open, which are then skipped
hProc=dll.call("OpenProcess|ui i ui",0x400|0x10,0,pid)
if(hProc)do
dll.call("psapi|GetModuleFileNameExA|ui ui s ui",;;+
hProc,0,"sExeName",272)
;three reads: (1) the 4-byte operand at GetCommandLineA+1 - assumes the
;function starts with "mov eax,[addr]", so this is the address where kernel32
;keeps its command-line pointer; (2) the pointer stored there; (3) up to 272
;bytes of the string itself. ReadProcessMemory fails as a whole if any byte
;of the requested range is unreadable, so a short command line sitting near
;the end of a page yields nothing, and longer ones are cut at 272 bytes.
if(dll.call("ReadProcessMemory|ui ui a* ui ui",hProc,pgcl+1,acl,4,0))do
dll.call("ReadProcessMemory|ui ui a* ui ui",;;+
hProc,acl[1],acl,4,0)
dll.call("ReadProcessMemory|ui ui s ui ui",;;+
hProc,acl[1],"sCmdLine",272,0)
endif
dll.call("CloseHandle|ui",hProc)
endif
;debug dump of every process; command lines can carry passwords or tokens
;passed as arguments, so keep this path for troubleshooting only
if (approcess=="") ;;no argument so debug all processes
win.debug(pid,"EXE="++sExeName,"CL="++sCmdLine)
if (pid == approcess)
result=sCmdLine
;reset the buffers so a process that could not be read does not show the
;previous process' name and command line
sExeName=""
sCmdLine=""
endfor
;restore the previous privilege state; tp[1] is the PrivilegeCount written
;back by AdjustTokenPrivileges and is 0 when nothing was changed
if(tp[1])
dll.call("advapi32|AdjustTokenPrivileges|ui i t* ui ui ui", ;;+
hToken,0,tp,0,0,0)
dll.call("CloseHandle|ui",hToken)
;put the dll index base back if it was 0 when we started
if (st_ibase eq 0)
dll.set_base(st_ibase)
;return the command line only when one was found; otherwise return nothing
if (result !== "")
quit(result)
quit