type
UNICODE_STRING = packed record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;
PUNICODE_STRING = UNICODE_STRING;
type
PROCESS_PARAMETERS = packed record
AllocationSize: ULONG;
ActualSize: ULONG;
Flags: ULONG;
Unknown1: ULONG;
Unknown2: UNICODE_STRING;
InputHandle: THandle;
OutputHandle: THandle;
ErrorHandle: THandle;
CurrentDirectory: UNICODE_STRING;
CurrentDirectoryHandle: THandle;
SearchPaths: UNICODE_STRING;
ApplicationName: UNICODE_STRING;
CommandLine: UNICODE_STRING;
EnvironmentBlock: Pointer;
Unknown: array[0..9 - 1] of ULONG;
Unknown3: UNICODE_STRING;
Unknown4: UNICODE_STRING;
Unknown5: UNICODE_STRING;
Unknown6: UNICODE_STRING;
end;
PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;
type
PEB = packed record
AllocationSize: ULONG;
Unknown1: ULONG;
ProcessHinstance: Longword;
ListDlls: Pointer;
ProcessParameters: PPROCESS_PARAMETERS;
Unknown2: ULONG;
Heap: THandle;
end;
PPEB = ^PEB;
type
_PROCESS_BASIC_INFORMATION = packed record
Reserved1: Pointer;
PebBaseAddress: PPEB;
Reserved2: array[0..1] of Pointer;
UniqueProcessId: PULONG;
Reserved3: Pointer;
end;
PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;
PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
PROCESSINFOCLASS = (
ProcessBasicInformation = 0,
ProcessWow64Information = 26
);
NTSTATUS = DWORD;
function NtQueryInformationProcess(
ProcessHandle: THandle;
ProcessInformationClass: PROCESSINFOCLASS;
ProcessInformation: Pointer;
ProcessInformationLength: ULONG;
ReturnLength: PULONG
): NTSTATUS; stdcall; external 'ntdll.dll' name 'NtQueryInformationProcess';
function Process_CmdLine(
mProcessID: THandle
): WideString;
var
vProcess: THandle;
vProcessBasicInformation: PROCESS_BASIC_INFORMATION;
vPEB: PEB;
vNumberOfBytesRead: Longword;
vProcessParameters: PROCESS_PARAMETERS;
begin
Result := '';
vProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
False, mProcessID);
if vProcess = 0 then Exit;
try
if NtQueryInformationProcess(
vProcess,
ProcessBasicInformation,
@vProcessBasicInformation,
SizeOf(vProcessBasicInformation),
nil) <> 0 then Exit;
if not ReadProcessMemory(vProcess,
vProcessBasicInformation.PebBaseAddress,
@vPEB,
SizeOf(vPEB),
vNumberOfBytesRead) then Exit;
if not ReadProcessMemory(vProcess,
vPEB.ProcessParameters,
@vProcessParameters,
SizeOf(vProcessParameters),
vNumberOfBytesRead) then Exit;
SetLength(Result, vProcessParameters.CommandLine.Length div 2);
if not ReadProcessMemory(vProcess,
vProcessParameters.CommandLine.Buffer,
@Result[1],
vProcessParameters.CommandLine.Length,
vNumberOfBytesRead) then Exit;
finally
CloseHandle(vProcess);
end;
end; { Process_CmdLine }
procedure EnableDebug();
var
VerInfo:TOSVersionInfo;
hToken:THANDLE;
tkp:TOKEN_PRIVILEGES;
Nothing:Cardinal;
begin
VerInfo.dwOSVersionInfoSize:=SizeOf(VerInfo);
GetVersionEx(VerInfo);
if VerInfo.dwPlatformId=VER_PLATFORM_WIN32_NT then
Begin
OpenProcessToken(GetCurrentProcess,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,hToken);
LookupPrivilegeValue(nil,'SeDebugPrivilege',tkp.Privileges[0].Luid);
tkp.PrivilegeCount:= 1;
tkp.Privileges[0].Attributes:= SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, tkp, 0,nil, Nothing);
end;
end;
