获取目标进程的命令行参数。

type
// NOTE(review): every pointer-sized field in these records is declared as
// Cardinal (4 bytes), so the layouts correspond to the 32-bit structures only;
// a 64-bit target process has different field sizes and offsets.
PUNICODESTRING = ^UNICODESTRING;
// Mirror of the native UNICODE_STRING: Length and MaximumLength are byte
// counts of the WideChar buffer, not character counts.
UNICODESTRING = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
end;

PCURRENTDIRECTORY = ^CURRENTDIRECTORY;
// Current-directory entry of the process parameters: DOS path plus a handle.
CURRENTDIRECTORY = packed record
    DosPath: UNICODESTRING;
    Handle: Cardinal;
end;

PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;
// Leading part of the native RTL_USER_PROCESS_PARAMETERS, up to and including
// CommandLine, which is the only field GetProcessCmdLine reads.
PROCESS_PARAMETERS = packed record
    MaximumLength: Cardinal;
    Length: Cardinal;
    Flags: Cardinal;
    DebugFlags: Cardinal;
    ConsoleHandle: Cardinal;
    ConsoleFlags: Cardinal;
    StandardInput: Cardinal;
    StandardOutput: Cardinal;
    StandardError: Cardinal;
    CurrentDirectory: CURRENTDIRECTORY;
    DllPath: UNICODESTRING;
    ImagePathName: UNICODESTRING;
    CommandLine: UNICODESTRING;
    // pathletboy's note: the structure declaration is deliberately incomplete;
    // extend it yourself from the layout shown by WinDbg if more fields are needed.
end;

PPEB = ^PEB;
// Leading part of the PEB, up to and including ProcessParameters (the only
// field GetProcessCmdLine reads). Because the record is truncated,
// SizeOf(PEB) covers just this prefix, which is all ReadProcessMemory fetches.
PEB = packed record
    InheritedAddressSpace: Char;
    ReadImageFileExecOptions: Char;
    BeingDebugged: Char;
    SpareBool: Char;
    Mutant: Cardinal;
    ImageBaseAddress: Cardinal;
    Ldr: Cardinal;
    ProcessParameters: PPROCESS_PARAMETERS;
    // pathletboy's note: the structure declaration is deliberately incomplete;
    // extend it yourself from the layout shown by WinDbg if more fields are needed.
end;

PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
// Output buffer of ZwQueryInformationProcess for information class 0
// (ProcessBasicInformation); PebBaseAddress is the field used below.
PROCESS_BASIC_INFORMATION = packed record
    ExitStatus: Integer;
    PebBaseAddress: PPEB;
    AffinityMask: Cardinal;
    BasePriority: Integer;
    UniqueProcessId: Cardinal;
    InheritedFromUniqueProcessId: Cardinal;
end;

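function GetProcessCmdLine(ProcessId: Cardinal): string;
{ Reads the command line of another process out of that process's PEB.

  ProcessId: id of the process to inspect.
  Returns the command line, or '' when the process cannot be opened, when
  ZwQueryInformationProcess fails, when any ReadProcessMemory call fails, or
  when the command line is empty.

  The record layouts used (PEB, PROCESS_PARAMETERS, ...) are the 32-bit ones,
  so this is only meaningful for a 32-bit caller reading a 32-bit target.
  The handle is opened with the minimum rights the two operations need
  (query + memory read) rather than PROCESS_ALL_ACCESS. }
var
  ZwQueryInformationProcess: function(ProcessHandle: Cardinal;
    ProcessInformationClass: Cardinal; var ProcessInfomation:
    PROCESS_BASIC_INFORMATION; ProcessInformationLength: Cardinal;
    var ReturnLength: Cardinal): Cardinal; stdcall;
  // pathletboy's note: parameter 2 is the PROCESSINFOCLASS enum value.
  hNtdll: Cardinal;
  hProcess: Cardinal;
  pbi: PROCESS_BASIC_INFORMATION;
  retLen: Cardinal;
  xPEB: PEB;
  xProcessParam: PROCESS_PARAMETERS;
  cmd: array of WideChar;
  cmdBytes: Cardinal;
begin
  Result := '';

  hNtdll := GetModuleHandle('ntdll.dll');
  if hNtdll = 0 then
    Exit;

  ZwQueryInformationProcess := GetProcAddress(hNtdll,
    'ZwQueryInformationProcess');
  if not Assigned(ZwQueryInformationProcess) then
    Exit;

  // Least privilege: querying basic information and reading memory need only
  // these two rights; asking for PROCESS_ALL_ACCESS also fails on more targets.
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
    False, ProcessId);
  if hProcess = 0 then
    Exit;

  try
    // Information class 0 = ProcessBasicInformation; NTSTATUS 0 = success.
    // Every call is checked: an unchecked failure would leave pbi / xPEB /
    // xProcessParam uninitialised and the next read would use a garbage pointer.
    if ZwQueryInformationProcess(hProcess, 0, pbi, SizeOf(pbi), retLen) <> 0 then
      Exit;
    if pbi.PebBaseAddress = nil then
      Exit;

    if not ReadProcessMemory(hProcess, pbi.PebBaseAddress, @xPEB,
        SizeOf(xPEB), retLen) then
      Exit;
    if xPEB.ProcessParameters = nil then
      Exit;

    if not ReadProcessMemory(hProcess, xPEB.ProcessParameters, @xProcessParam,
        SizeOf(xProcessParam), retLen) then
      Exit;

    // UNICODE_STRING.Length is a byte count. Size the buffer in WideChars and
    // reserve one extra element as the terminator WideCharToString needs;
    // an empty or unset command line yields '' instead of touching cmd[0]
    // of an empty array.
    cmdBytes := xProcessParam.CommandLine.Length;
    if (cmdBytes = 0) or (xProcessParam.CommandLine.Buffer = nil) then
      Exit;
    SetLength(cmd, (cmdBytes div SizeOf(WideChar)) + 1);

    if not ReadProcessMemory(hProcess, xProcessParam.CommandLine.Buffer,
        @cmd[0], cmdBytes, retLen) then
      Exit;
    cmd[High(cmd)] := #0;

    Result := WideCharToString(@cmd[0]);
  finally
    // Runs on every Exit above as well, so the handle never leaks.
    CloseHandle(hProcess);
  end;
end;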

调用
// Usage example: `pid` is the id of the process to inspect. An empty
// result means GetProcessCmdLine could not open or read the target.
ShowMessage(GetProcessCmdLine(pid));