Menu
Is it possible to get the startup information of another running process? I want to find out the cmd line arguments, if it should be run minimised/maximised, start in directory, run as admin, etc.
670
you need read RTL_USER_PROCESS_PARAMETERS from remote process. this can be done like this
NTSTATUS GetProcessParameters(PCLIENT_ID pcid, PUNICODE_STRING CommandLine)
{
HANDLE hProcess;
NTSTATUS status;
static OBJECT_ATTRIBUTES zoa = { sizeof(zoa)};
if (0 <= (status = ZwOpenProcess(&hProcess, PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, &zoa, pcid)))
{
PROCESS_BASIC_INFORMATION pbi;
_RTL_USER_PROCESS_PARAMETERS ProcessParameters, *pv;
if (0 <= (status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0)))
{
if (
(0 <= (status = ZwReadVirtualMemory(hProcess, (_PEB*)&pbi.PebBaseAddress->ProcessParameters, &pv, sizeof(pv), 0)))
&&
(0 <= (status = ZwReadVirtualMemory(hProcess, pv, &ProcessParameters, sizeof(ProcessParameters), 0)))
)
{
if (ProcessParameters.CommandLine.Length)
{
if (CommandLine->Buffer = (PWSTR)LocalAlloc(0, ProcessParameters.CommandLine.Length + sizeof(WCHAR)))
{
if (0 > (status = ZwReadVirtualMemory(hProcess, ProcessParameters.CommandLine.Buffer, CommandLine->Buffer, ProcessParameters.CommandLine.Length, 0)))
{
LocalFree(CommandLine->Buffer);
}
else
{
CommandLine->MaximumLength = (CommandLine->Length = ProcessParameters.CommandLine.Length) + sizeof(WCHAR);
*(PWSTR)RtlOffsetToPointer(CommandLine->Buffer, ProcessParameters.CommandLine.Length) = 0;
}
}
else
{
status = STATUS_INSUFFICIENT_RESOURCES;
}
}
}
}
ZwClose(hProcess);
}
return status;
}
UNICODE_STRING CommandLine;
if (0 <= GetProcessParameters(&cid, &CommandLine))
{
DbgPrint("CommandLine=%wZ\n", &CommandLine);
LocalFree(CommandLine.Buffer);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
