#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
#include <windows.h>
#include <winternl.h>
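/*
 * NtQueryInformationProcess is exported by ntdll.dll but not by the import
 * libraries, so it is resolved with GetProcAddress and called through this
 * pointer type.
 *
 * The real export returns NTSTATUS (a signed LONG; negative means failure)
 * and uses the NTAPI (__stdcall) calling convention. The original typedef
 * declared DWORD with the compiler's default convention: on 32-bit builds that
 * mismatches the callee's stack clean-up, and the unsigned return hides the
 * sign the caller needs to detect failure.
 */
typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(
    HANDLE           ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID            ProcessInformation,
    ULONG            ProcessInformationLength,
    PULONG           ReturnLength);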
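/*
 * Print the command line of another process by walking
 * PEB -> ProcessParameters -> CommandLine with ReadProcessMemory.
 *
 * argv[1] (optional): decimal PID of the target. Defaults to 1720, the value
 *   the original listing hard-coded.
 * Returns 0 on success, 1 on any failure (reported as the exit code).
 *
 * NOTE(review): the PEB / RTL_USER_PROCESS_PARAMETERS layouts used here are
 * those of *this* process's architecture (winternl.h). A 32-bit reader against
 * a 64-bit target, or the reverse, will not see the right structures -- run a
 * reader whose bitness matches the target.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    /* Everything is declared up front so the goto-based cleanup below does
     * not jump past an initialisation (ill-formed in C++). */
    int rc = 1;
    DWORD dwProcessID = 1720;
    HANDLE hProcess = NULL;
    HMODULE hNtdll = NULL;
    pNtQueryInformationProcess NtQueryInformationProcess = NULL;
    PROCESS_BASIC_INFORMATION pbi = { 0 };
    ULONG dwReturnLen = 0;
    NTSTATUS status = 0;
    PEB peb = { 0 };
    RTL_USER_PROCESS_PARAMETERS params = { 0 };
    SIZE_T bytes_read = 0;
    SIZE_T cmd_chars = 0;
    wchar_t *command_line = NULL;

    /* Optional PID on the command line; anything that is not a positive
     * decimal number is rejected rather than silently becoming 0. */
    if (argc > 1) {
        _TCHAR *end = NULL;
        unsigned long pid = _tcstoul(argv[1], &end, 10);
        if (end == argv[1] || *end != _T('\0') || pid == 0) {
            printf("Invalid PID argument\n");
            return 1;
        }
        dwProcessID = (DWORD)pid;
    }

    /* Least privilege: this tool only reads. The original also requested
     * PROCESS_VM_WRITE | PROCESS_VM_OPERATION, which it never used and which
     * makes OpenProcess fail against targets we are only allowed to read. */
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                           FALSE, dwProcessID);
    if (hProcess == NULL) {
        printf("OpenProcess(%lu) failed: %lu\n", dwProcessID, GetLastError());
        return 1;
    }

    /* ntdll.dll is mapped into every process, so GetModuleHandle is enough
     * and avoids the reference count LoadLibrary would add. */
    hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll != NULL) {
        NtQueryInformationProcess =
            (pNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    }
    if (NtQueryInformationProcess == NULL) {
        printf("NtQueryInformationProcess not found: %lu\n", GetLastError());
        goto cleanup;
    }

    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                       &pbi, sizeof(pbi), &dwReturnLen);
    /* NTSTATUS: negative values are errors (NT_SUCCESS is not guaranteed to
     * be defined by winternl.h, so test the sign directly). */
    if (status < 0 || pbi.PebBaseAddress == NULL) {
        printf("NtQueryInformationProcess failed: 0x%08lx\n", (unsigned long)status);
        goto cleanup;
    }

    //PEB Address
    printf("Remote PEB Address: %p\n", (void *)pbi.PebBaseAddress);
    printf("PEB size: %zu\n", sizeof(peb));

    /* A short read would leave ProcessParameters uninitialised, so require
     * the full structure, not just a TRUE return. */
    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), &bytes_read)
        || bytes_read != sizeof(peb)) {
        printf("Read info failed! (%lu)\n", GetLastError());
        goto cleanup;
    }
    printf("Read info success!\n");

    /* ProcessParameters can be NULL early in a process's life. */
    if (peb.ProcessParameters == NULL) {
        printf("Remote ProcessParameters is NULL\n");
        goto cleanup;
    }
    printf("RTL_USER_PROCESS_PARAMETERS size: %zu\n", sizeof(params));
    printf("Remote ProcessParameters: %p\n", (void *)peb.ProcessParameters);
    printf("Read remote _RTL_USER_PROCESS_PARAMETERS\n");

    if (!ReadProcessMemory(hProcess, peb.ProcessParameters, &params, sizeof(params), &bytes_read)
        || bytes_read != sizeof(params)) {
        printf("Read info failed! (%lu)\n", GetLastError());
        goto cleanup;
    }
    printf("Read info success!\n");

    /* UNICODE_STRING.Length is a byte count that excludes any terminator.
     * Size the local buffer from it instead of copying Length bytes into a
     * fixed MAX_PATH array, which overflowed for long command lines. */
    cmd_chars = params.CommandLine.Length / sizeof(wchar_t);
    command_line = (wchar_t *)calloc(cmd_chars + 1, sizeof(wchar_t));
    if (command_line == NULL) {
        printf("Out of memory\n");
        goto cleanup;
    }
    if (cmd_chars > 0) {
        if (params.CommandLine.Buffer == NULL
            || !ReadProcessMemory(hProcess, params.CommandLine.Buffer, command_line,
                                  cmd_chars * sizeof(wchar_t), &bytes_read)
            || bytes_read != cmd_chars * sizeof(wchar_t)) {
            printf("Read command line failed! (%lu)\n", GetLastError());
            goto cleanup;
        }
    }
    command_line[cmd_chars] = L'\0';   /* calloc zeroed it; be explicit */
    wprintf(L"%ls\n", command_line);
    rc = 0;

cleanup:
    free(command_line);
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    /* Same "wait for a key" as system("pause") without spawning cmd.exe. */
    printf("Press Enter to continue . . . ");
    (void)getchar();
    return rc;
}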