  • 获取其他进程的命令行(ReadProcessMemory其它进程的PPROCESS_PARAMETERS和PEB结构体)

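    type
      { Native NT counted string: Length and MaximumLength are BYTE counts
        (not character counts), Buffer points at UTF-16 text that is not
        guaranteed to be null-terminated. }
      UNICODE_STRING = packed record
        Length: Word;
        MaximumLength: Word;
        Buffer: PWideChar;
      end;
      { Pointer to UNICODE_STRING.  The original declaration made this a plain
        alias of the record, which contradicts the P-prefix convention used by
        PPROCESS_PARAMETERS and PPEB below; it is now a real pointer type. }
      PUNICODE_STRING = ^UNICODE_STRING;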
    type
      { Hand-made mirror of the undocumented RTL_USER_PROCESS_PARAMETERS block
        that the PEB points to.  Only CommandLine is consumed by this file; the
        other fields exist solely to keep CommandLine at the right offset.
        With 4-byte ULONG/THandle/Pointer (a 32-bit build) the field sizes put
        CommandLine at offset $40, which is where the 32-bit structure keeps
        it.  NOTE(review): on a 64-bit build Pointer/THandle grow to 8 bytes
        and this record no longer matches the 64-bit layout - verify before
        using from a 64-bit process. }
      PROCESS_PARAMETERS = packed record
        AllocationSize: ULONG;
        ActualSize: ULONG;
        Flags: ULONG;
        Unknown1: ULONG;
        Unknown2: UNICODE_STRING;
        InputHandle: THandle;
        OutputHandle: THandle;
        ErrorHandle: THandle;
        CurrentDirectory: UNICODE_STRING;
        CurrentDirectoryHandle: THandle;
        SearchPaths: UNICODE_STRING;
        ApplicationName: UNICODE_STRING;
        CommandLine: UNICODE_STRING;   // the field Process_CmdLine reads
        EnvironmentBlock: Pointer;
        Unknown: array[0..9 - 1] of ULONG;
        Unknown3: UNICODE_STRING;
        Unknown4: UNICODE_STRING;
        Unknown5: UNICODE_STRING;
        Unknown6: UNICODE_STRING;
      end;
      PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS;
    (*//
    type
      _PEB = packed record
        Reserved1: array[0..2 - 1] of Byte;
        BeingDebugged: Byte;
        Reserved2: array[0..229 - 1] of Byte;
        Reserved3: array[0..59 - 1] of Pointer;
        SessionId: ULONG;
      end;
      PEB = _PEB;
      PPEB = ^PEB;
    //*)
    type
      { Minimal prefix of the Process Environment Block.  Only
        ProcessParameters is used; the four 4-byte fields before it place it
        at offset $10 on a 32-bit build.  The remaining fields are named from
        an older reverse-engineering naming and are not used here.  The
        commented-out _PEB above is the documented winternl.h shape, kept for
        reference; it is not compiled. }
      PEB = packed record
        AllocationSize: ULONG;
        Unknown1: ULONG;
        ProcessHinstance: Longword;
        ListDlls: Pointer;
        ProcessParameters: PPROCESS_PARAMETERS;   // address in the TARGET process
        Unknown2: ULONG;
        Heap: THandle;
      end;
      PPEB = ^PEB;
    
    type
      { Output buffer of NtQueryInformationProcess(ProcessBasicInformation).
        Only PebBaseAddress is consumed; it is an address in the target
        process and must be read with ReadProcessMemory, never dereferenced
        directly.  Sizes: 6 pointer-sized fields, matching the native
        structure on the build's pointer width. }
      _PROCESS_BASIC_INFORMATION = packed record
        Reserved1: Pointer;
        PebBaseAddress: PPEB;
        Reserved2: array[0..1] of Pointer;
        UniqueProcessId: PULONG;
        Reserved3: Pointer;
      end;
    
      PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION;
      PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION;
      { Only the two information classes this file cares about; the explicit
        ordinal values match the native PROCESSINFOCLASS numbering. }
      PROCESSINFOCLASS = (
        ProcessBasicInformation = 0,
        ProcessWow64Information = 26
      );
      { Declared unsigned here; the native type is a signed LONG where
        negative values mean failure.  Callers in this file test for <> 0,
        which also rejects non-zero informational statuses. }
      NTSTATUS = DWORD;
    
    { Import of the native (semi-documented) process query routine from
      ntdll.dll.  ProcessHandle needs PROCESS_QUERY_INFORMATION access for the
      classes used here; ReturnLength may be nil when the caller does not need
      the size written.  Returns an NTSTATUS, 0 (STATUS_SUCCESS) on success. }
    function NtQueryInformationProcess(
      ProcessHandle: THandle;
      ProcessInformationClass: PROCESSINFOCLASS;
      ProcessInformation: Pointer;
      ProcessInformationLength: ULONG;
      ReturnLength: PULONG
    ): NTSTATUS; stdcall; external 'ntdll.dll' name 'NtQueryInformationProcess';
    
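    { Returns the command line of process mProcessID, or '' when it cannot be
      obtained.  The target is opened with PROCESS_QUERY_INFORMATION or
      PROCESS_VM_READ (so the caller needs that access on the target), its PEB
      address is fetched through NtQueryInformationProcess, and the PEB, the
      process parameters block and finally the CommandLine buffer are copied
      out with ReadProcessMemory.  The record layouts in this unit are the
      32-bit ones, so the result is only meaningful for a 32-bit caller reading
      a 32-bit target.
      Fixes over the original: an empty command line no longer touches
      Result[1] of an empty string; a failed or short final read returns ''
      instead of an uninitialised buffer; the number of bytes read is
      derived from the allocated character count, so an odd byte length can
      no longer write one byte past the allocation. }
    function Process_CmdLine(
      mProcessID: THandle
    ): WideString;
    var
      vProcess: THandle;
      vProcessBasicInformation: PROCESS_BASIC_INFORMATION;
      vPEB: PEB;
      vNumberOfBytesRead: Longword;
      vProcessParameters: PROCESS_PARAMETERS;
      vCharCount: Integer;
      vByteCount: Longword;
    begin
    // Author: Zswang 2006-09-09 wjhu111#21cn.com - please credit the author when reposting
      Result := '';
      vProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
        False, mProcessID);
      if vProcess = 0 then Exit;
      try
        // ProcessBasicInformation yields the address of the target's PEB.
        if NtQueryInformationProcess(
          vProcess,
          ProcessBasicInformation,
          @vProcessBasicInformation,
          SizeOf(vProcessBasicInformation),
          nil) <> 0 then Exit;
        if vProcessBasicInformation.PebBaseAddress = nil then Exit;
        // Every pointer below lives in the target's address space; each hop
        // must go through ReadProcessMemory and is checked for a full read.
        if not ReadProcessMemory(vProcess,
          vProcessBasicInformation.PebBaseAddress,
          @vPEB,
          SizeOf(vPEB),
          vNumberOfBytesRead) then Exit;
        if vNumberOfBytesRead <> SizeOf(vPEB) then Exit;
        if vPEB.ProcessParameters = nil then Exit;
        if not ReadProcessMemory(vProcess,
          vPEB.ProcessParameters,
          @vProcessParameters,
          SizeOf(vProcessParameters),
          vNumberOfBytesRead) then Exit;
        if vNumberOfBytesRead <> SizeOf(vProcessParameters) then Exit;
        // UNICODE_STRING.Length is a byte count; convert to WideChars and read
        // exactly the bytes that fit the allocated string.
        vCharCount := vProcessParameters.CommandLine.Length div 2;
        if (vCharCount = 0) or (vProcessParameters.CommandLine.Buffer = nil) then Exit;
        vByteCount := Longword(vCharCount) * 2;
        SetLength(Result, vCharCount);
        if (not ReadProcessMemory(vProcess,
          vProcessParameters.CommandLine.Buffer,
          @Result[1],
          vByteCount,
          vNumberOfBytesRead)) or (vNumberOfBytesRead <> vByteCount) then
        begin
          Result := ''; // never hand back a partially filled buffer
          Exit;
        end;
      finally
        CloseHandle(vProcess);
      end;
    end; { Process_CmdLine }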

    http://blog.csdn.net/zswang/article/details/1214857

  • 原文地址:https://www.cnblogs.com/findumars/p/6347957.html