program GetCommandLineExDemo;
uses Windows;
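const
  // Information classes for NtQuerySystemInformation / NtQueryInformationProcess.
  SystemHandleInformation = 16;   // not referenced in this program
  ProcessBasicInformation = 0;    // PROCESSINFOCLASS value for NtQueryInformationProcess

  // NTSTATUS values. Only STATUS_SUCCESS is compared against in this program.
  STATUS_SUCCESS              = Cardinal($00000000);
  STATUS_ACCESS_DENIED        = Cardinal($C0000022);
  STATUS_INFO_LENGTH_MISMATCH = Cardinal($C0000004);
  SEVERITY_ERROR              = Cardinal($C0000000);

  // Numeric LUID of SeDebugPrivilege. Not referenced here: EnablePrivilege
  // resolves the LUID by name through LookupPrivilegeValue instead.
  SE_DEBUG_PRIVILEGE = 20;

  // Toolhelp flag: snapshot of the process list (original comment: "module list snapshot").
  // When the source was collapsed onto one line this comment swallowed the next
  // constant, so each constant now sits on its own line.
  TH32CS_SNAPPROCESS = $00000002;

  // Not referenced in this program.
  JOB_OBJECT_ALL_ACCESS = $1f001f;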
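type
  // Toolhelp PROCESSENTRY32. The Process32First/Process32Next imports declared
  // below are the ANSI exports, so this layout is only right when Char is one
  // byte wide (pre-Unicode compiler) — TODO confirm before building with a
  // Unicode compiler, where szExeFile would have to be an AnsiChar array.
  TPROCESSENTRY32 = record
    dwSize: DWORD;              // caller sets this to SizeOf(TPROCESSENTRY32) before Process32First
    cntUsage: DWORD;
    th32ProcessID: DWORD;       // this process
    th32DefaultHeapID: DWORD;
    th32ModuleID: DWORD;        // associated exe
    cntThreads: DWORD;
    th32ParentProcessID: DWORD; // this process's parent process
    pcPriClassBase: Longint;    // base priority of this process's threads
    dwFlags: DWORD;
    szExeFile: array[0..MAX_PATH - 1] of Char; // executable file name
  end;

type
  USHORT = Word;

  // Native UNICODE_STRING. Length and MaximumLength are byte counts, not
  // character counts (GetProcessCmdLine divides Length by 2).
  UNICODE_STRING = packed record
    Length: USHORT;
    MaximumLength: USHORT;
    // Address inside the *target* process; in this program it is only ever
    // passed to ReadProcessMemory as a raw pointer, never dereferenced locally.
    Buffer: PWideString;
  end;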
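type
  // Leading part of the native RTL_USER_PROCESS_PARAMETERS (the Reserved*/
  // ImagePathName/CommandLine prefix published in winternl.h). Only the fields
  // up to CommandLine are declared because that is all GetProcessCmdLine reads.
  // NOTE(review): `packed` together with these Reserved sizes yields the 32-bit
  // field offsets; confirm the layout before building for x64.
  RTL_USER_PROCESS_PARAMETERS = packed record
    Reserved1: array[0..15] of Byte;
    Reserved2: array[0..9] of Pointer;
    ImagePathName: UNICODE_STRING;
    CommandLine: UNICODE_STRING;
  end;
  PRTL_USER_PROCESS_PARAMETERS = ^RTL_USER_PROCESS_PARAMETERS;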
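type
  // Leading part of the PEB as published in winternl.h. With these packed field
  // sizes ProcessParameters lands at offset 16 (0x10), the 32-bit offset.
  // Only ProcessParameters is read by this program; the Reserved* arrays just
  // pad the record so one ReadProcessMemory call copies the whole block.
  PEB = packed record
    Reserved1: array[0..1] of Byte;
    BeingDebugged: ByteBool;
    Reserved2: Byte;
    Reserved3: array[0..1] of Pointer;
    Ldr: Pointer;
    ProcessParameters: PRTL_USER_PROCESS_PARAMETERS;
    Reserved4: array[0..103] of Byte;
    Reserved5: array[0..51] of Pointer;
  end;
  PPEB = ^PEB;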
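type
  // Output of NtQueryInformationProcess(ProcessBasicInformation). 32-bit
  // layout: AffinityMask and the two process ids are pointer-sized natively
  // and are declared as 4-byte values here.
  PROCESS_BASIC_INFORMATION = packed record
    ExitStatus: DWORD;
    PebBaseAddress: PPEB;   // address of the PEB inside the target process (read via ReadProcessMemory)
    AffinityMask: DWORD;
    BasePriority: DWORD;
    uUniqueProcessId: ULONG;
    uInheritedFromUniqueProcessId: ULONG;
  end;
  TProcessBasicInformation = PROCESS_BASIC_INFORMATION;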
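// Toolhelp32 imports (ANSI exports). CreateToolhelp32Snapshot reports failure
// with INVALID_HANDLE_VALUE, not 0. Process32First/Process32Next fill the record
// by reference; the caller must set dwSize first (see findprocess).
function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): THandle; stdcall;
  external 'kernel32.dll' name 'CreateToolhelp32Snapshot';
function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL; stdcall;
  external 'kernel32.dll' name 'Process32First';
function Process32Next(hSnapshot: THandle; var lpme: TPROCESSENTRY32): BOOL; stdcall;
  external 'kernel32.dll' name 'Process32Next';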
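// ntdll export published in winternl.h. Returns an NTSTATUS; STATUS_SUCCESS (0)
// means ProcessInformation was filled and *ReturnLength holds the byte count.
// ProcessInformationClass is a 32-bit PROCESSINFOCLASS natively, so it is
// declared as DWORD rather than Byte so the whole stdcall argument slot is
// well defined (callers still pass the small constant ProcessBasicInformation).
function NtQueryInformationProcess(ProcessHandle: THandle;
  ProcessInformationClass: DWORD; ProcessInformation: Pointer;
  ProcessInformationLength: ULONG; ReturnLength: PULONG): DWORD; stdcall;
  external 'ntdll.dll';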
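{ Enable (or disable) the named privilege on the current process token.
  PrivName: privilege name such as 'SeDebugPrivilege'.
  Enable:   True sets SE_PRIVILEGE_ENABLED, False clears the attribute.
  Returns True only if the privilege was actually adjusted. AdjustTokenPrivileges
  returns TRUE even when the token does not hold the privilege at all (it then
  sets the last error to ERROR_NOT_ALL_ASSIGNED), so that case is reported as
  failure here instead of being passed through as success.
  Not called anywhere in this program; GetProcessCmdLine runs without it for
  processes the caller can already open. }
function EnablePrivilege(const PrivName: string; const Enable: Boolean = True): Boolean;
var
  hToken: THandle;
  PrivId: Int64;
  tkp, PreviousState: TTokenPrivileges;
  ReturnLength: DWORD;
begin
  Result := False;
  if not LookupPrivilegeValue(nil, PChar(PrivName), PrivId) then
    Exit;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
    Exit;
  try
    ReturnLength := 0;
    tkp.PrivilegeCount := 1;
    tkp.Privileges[0].Luid := PrivId;
    if Enable then
      tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      tkp.Privileges[0].Attributes := 0;
    // Short-circuit `and`: GetLastError is read immediately after the call succeeds.
    Result := AdjustTokenPrivileges(hToken, False, tkp, SizeOf(TTokenPrivileges),
      PreviousState, ReturnLength) and (GetLastError = ERROR_SUCCESS);
  finally
    CloseHandle(hToken);
  end;
end;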
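{ Return the command line of process PID (0 = the current process), or '' when
  it cannot be read.
  Mechanism: NtQueryInformationProcess(ProcessBasicInformation) yields the
  address of the target's PEB; the PEB, its RTL_USER_PROCESS_PARAMETERS block
  and finally the CommandLine buffer are copied out with ReadProcessMemory.
  The target is opened with only PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
  the minimum this needs. Opening processes of other users typically also needs
  SeDebugPrivilege (see EnablePrivilege), which this program never enables.
  Every failure path returns '', so callers cannot tell "no access", "no such
  process" and "empty command line" apart.
  Relies on the 32-bit PEB / process-parameter layouts declared above. }
function GetProcessCmdLine(PID: Cardinal): string;
var
  h: THandle;
  pbi: TProcessBasicInformation;
  r: Cardinal;        // bytes read / returned by the last call
  ws: WideString;
  aPEB: PEB;
  ProcPar: RTL_USER_PROCESS_PARAMETERS;
  cmdBytes: Cardinal;
begin
  Result := '';
  if PID = 0 then
    PID := GetCurrentProcessId;
  h := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, PID);
  if h = 0 then
    Exit;
  try
    if NtQueryInformationProcess(h, ProcessBasicInformation, @pbi, SizeOf(pbi), @r) <> STATUS_SUCCESS then
      Exit;
    // A nil PEB pointer would otherwise only surface as a failed ReadProcessMemory.
    if pbi.PebBaseAddress = nil then
      Exit;
    if (not ReadProcessMemory(h, pbi.PebBaseAddress, @aPEB, SizeOf(aPEB), r)) or (r <> SizeOf(aPEB)) then
      Exit;
    if aPEB.ProcessParameters = nil then
      Exit;
    if (not ReadProcessMemory(h, aPEB.ProcessParameters, @ProcPar, SizeOf(ProcPar), r)) or (r <> SizeOf(ProcPar)) then
      Exit;
    // CommandLine.Length is a byte count read from the target process. It is a
    // USHORT, so the local buffer is at most 64 KiB. An odd length is rounded
    // down to whole UTF-16 units so the read never exceeds the allocated buffer.
    cmdBytes := (ProcPar.CommandLine.Length div SizeOf(WideChar)) * SizeOf(WideChar);
    if (cmdBytes = 0) or (ProcPar.CommandLine.Buffer = nil) then
      Exit;
    SetLength(ws, cmdBytes div SizeOf(WideChar));
    if (not ReadProcessMemory(h, ProcPar.CommandLine.Buffer, PWideChar(ws), cmdBytes, r)) or (r <> cmdBytes) then
      Exit;
    Result := ws; // WideString -> string conversion (lossy on ANSI-string compilers)
  finally
    CloseHandle(h);
  end;
end;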
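{ Local replacement for SysUtils.Trim (the uses clause names only Windows).
  Strips every character <= ' ' — space and all control characters — from both
  ends of S. Returns '' for an empty or all-blank string. }
function Trim(const S: string): string;
var
  First, Last: Integer;
begin
  First := 1;
  Last := Length(S);
  while (First <= Last) and (S[First] <= ' ') do
    Inc(First);
  if First > Last then
  begin
    Result := '';
    Exit;
  end;
  // S[First] is known to be non-blank, so this loop cannot run off the front.
  while S[Last] <= ' ' do
    Dec(Last);
  Result := Copy(S, First, Last - First + 1);
end;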
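{ Local replacement for SysUtils.UpperCase (the uses clause names only Windows).
  ASCII only: maps 'a'..'z' to 'A'..'Z' and leaves every other character,
  including non-ASCII letters, unchanged. Used by findprocess for its
  case-insensitive name comparison. }
function UpperCase(const S: string): string;
var
  Idx: Integer;
  Ch: Char;
begin
  SetLength(Result, Length(S));
  for Idx := 1 to Length(S) do
  begin
    Ch := S[Idx];
    if (Ch >= 'a') and (Ch <= 'z') then
      Dec(Ch, 32); // distance between lower- and upper-case ASCII letters
    Result[Idx] := Ch;
  end;
end;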
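{ Return the process id of the first process in a Toolhelp snapshot whose
  executable name (szExeFile, name only, no path) equals TheProcName after
  trimming and ASCII upper-casing both sides. Returns 0 when nothing matches
  or the snapshot cannot be taken.
  Several processes may share a name — the first snapshot entry wins — and a
  name alone says nothing about which binary is actually running. }
function findprocess(TheProcName: string): DWORD;
var
  Snapshot: THandle;
  Entry: TProcessEntry32;
  Wanted: string;
  More: Boolean;
begin
  Result := 0;
  // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not 0;
  // the original enumerated (and closed) that handle anyway.
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snapshot = INVALID_HANDLE_VALUE then
    Exit;
  try
    // Normalise the wanted name once rather than on every iteration.
    Wanted := Trim(UpperCase(TheProcName));
    Entry.dwSize := SizeOf(Entry);
    More := Process32First(Snapshot, Entry);
    while More do
    begin
      if Trim(UpperCase(Entry.szExeFile)) = Wanted then
      begin
        Result := Entry.th32ProcessID;
        Exit; // finally below still closes the snapshot
      end;
      More := Process32Next(Snapshot, Entry);
    end;
  finally
    CloseHandle(Snapshot);
  end;
end;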
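{ Entry point: look up the process named below and show its command line.
  findprocess returns 0 when the name is not found, and GetProcessCmdLine(0)
  would then report *this* program's own command line as if it belonged to the
  target, so the not-found and unreadable cases are reported explicitly. }
var
  TargetPid: DWORD;
  CmdLine: string;
begin
  TargetPid := findprocess('nod32.exe');
  if TargetPid = 0 then
    CmdLine := 'process not found'
  else
  begin
    CmdLine := GetProcessCmdLine(TargetPid);
    if CmdLine = '' then
      CmdLine := 'command line could not be read';
  end;
  MessageBox(0, PChar(CmdLine), 'aa', 0);
end.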