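// 1. Microsoft's open-source krabsetw library: https://github.com/microsoft/krabsetw.git
// 2. Usage example: obtain a process's image path, command line, pid and related information.
//
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

// This example shows how to collect kernel rundown events that capture system state.

#include "..\..\krabs\krabs.hpp"
#include <evntrace.h>
#include <cstdint>
#include <iostream>
#include <string>
#include <thread>
#include <Windows.h>
#include <shellapi.h>
#pragma comment(lib, "Shell32.lib")

/// @brief Returns the first token (argv[0]) of a Win32 command line.
/// @param commandLine The raw command line exactly as the process event reports it.
/// @return argv[0], or an empty string when the line is empty or cannot be split.
/// @note The result is whatever the command line claims; it is not checked against
///       the image that was actually loaded, so treat it as informational only.
std::wstring GetExePathFromCommandLine(const std::wstring& commandLine)
{
    // CommandLineToArgvW() documents that an empty string yields the path of the
    // *current* executable, which would report this tool's own path for every
    // event whose CommandLine could not be read. Reject that case up front.
    if (commandLine.empty()) return L"";

    int argc = 0;
    LPWSTR* argv = CommandLineToArgvW(commandLine.c_str(), &argc);
    if (!argv) return L"";

    // argv is one LocalAlloc block; it must be released on every path, including argc == 0.
    std::wstring exe;
    if (argc > 0) exe = argv[0];
    LocalFree(argv);
    return exe;
}

/// @brief Widens a narrow string with MultiByteToWideChar so it can be printed on wcout.
/// @param s Narrow input; assumed to be in the ANSI code page (CP_ACP) — confirm
///          against the provider schema if non-ASCII image names are expected.
/// @return The wide string, or an empty string when the input is empty or conversion fails.
static std::wstring AnsiToWide(const std::string& s)
{
    if (s.empty()) return L"";
    const int srcLen = static_cast<int>(s.size());
    const int dstLen = MultiByteToWideChar(CP_ACP, 0, s.data(), srcLen, nullptr, 0);
    if (dstLen <= 0) return L"";
    std::wstring out(static_cast<std::size_t>(dstLen), L'\0');
    MultiByteToWideChar(CP_ACP, 0, s.data(), srcLen, &out[0], dstLen);
    return out;
}

/// @brief Starts a kernel process-provider trace and prints process start/exit events
///        until a key is pressed, then stops the session.
/// @note Kernel ETW sessions typically require an elevated process; the call fails otherwise.
void test01()
{
    krabs::kernel_trace trace(L"MyKernelTrace");
    krabs::kernel::process_provider provider;

    provider.add_on_event_callback(
        [](const EVENT_RECORD& record, const krabs::trace_context& context) {
            // Opcode 1 = process start, 2 = process end; every other opcode is ignored.
            const auto opcode = record.EventHeader.EventDescriptor.Opcode;
            if (opcode != 1 && opcode != 2) return;

            krabs::schema schema(record, context.schema_locator);
            krabs::parser parser(schema);

            // Diagnostic: list the property names the schema exposes for this event.
            for (const auto& prop : parser.properties()) {
                std::wcout << prop.name() << L"\n";
            }

            std::uint32_t pid = 0;
            std::uint32_t ppid = 0;
            std::string image;   // the sample reads ImageFileName as a narrow string
            std::wstring cmd;
            try {
                pid = parser.parse<std::uint32_t>(L"ProcessId");
                ppid = parser.parse<std::uint32_t>(L"ParentId");
                parser.try_parse(L"ImageFileName", image);
            } catch (...) {
                return;  // without a pid there is nothing useful to report
            }
            try {
                cmd = parser.parse<std::wstring>(L"CommandLine");
            } catch (...) {
                // CommandLine may be absent; an empty cmd is handled below.
            }

            // exe_path comes from the reported command line, not from the loaded image;
            // ImageFileName is the value to rely on when the two disagree.
            const std::wstring exe_path = GetExePathFromCommandLine(cmd);

            // Everything is written to wcout: std::cout has no operator<< for std::wstring,
            // and mixing byte and wide output on stdout is not reliable.
            const std::wstring wimage = AnsiToWide(image);
            if (opcode == 1) {
                std::wcout << L"[Start] " << pid << L" (parent " << ppid << L") " << wimage << L'\n'
                           << L"  path: " << exe_path << L'\n'
                           << L"  cmd:  " << cmd << std::endl;
            } else {
                std::wcout << L"[Exit ] " << pid << L" " << wimage << std::endl;
            }
        });

    trace.enable(provider);
    // trace outlives worker (joined below), so capturing it by reference is safe;
    // a capture-less lambda cannot name the local at all.
    std::thread worker([&trace] { trace.start(); });
    getchar();
    trace.stop();
    worker.join();
}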