
How to hide command line arguments

We have a structure of calling helper exes and passing them command line arguments to control their execution. Command line arguments can be seen and hence can be passed by other applications. We want our exes to be called only by us. How can we achieve this with minimum change and keep the current structure of passing command line arguments intact?

Edit 1

Can the caller be identified? E.g., call the helper exe as a child and identify the parent.

bjan asked Jan 01 '26 08:01


2 Answers

You can use a hack to clear the command line parameters in memory after the application has started, by writing to the address returned from `GetCommandLineW()`, but that won't stop anything reading it in the meantime, or anything that hooks the process creation.

You could try creating shared memory and passing pointers, but this does little more than obscure the data.

The simple fact is that you cannot hide data from anything running as the same user and execution level. Whatever effort you can put into hiding it can be put into unhiding it. Even encryption means the keys and methods will be in memory and can be read. If you want to stop random users trying to run your executables, then don't give them to random users :)

Deanna answered Jan 06 '26 12:01


You simply cannot hide command line arguments. You may wish to check the "How to clear a process command line?" question and see the answers and comments there.

If you want to stick with passing command line arguments, Raymond Chen has a very good post on how to do it gracefully: http://blogs.msdn.com/b/oldnewthing/archive/2003/12/11/56043.aspx. The basic idea is to use an anonymous shared memory block for storing the actual data to be passed between processes, and to pass the numeric value of the handle to it.

A heavyweight alternative might be to encrypt/decrypt the data passed via the command line, or to append some generated "secret word" so the callee can validate whether it is called by one of your applications.

I'd suggest that the choice of an approach (and the associated costs/benefits) depends on the risks: who/why/when is going to manipulate your helper applications?

Ilya Kurnosov answered Jan 06 '26 11:01
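
The "secret word" idea from the answer above, together with the parent check asked about in Edit 1, sketched as an added example (not code from either answerer): the caller appends an HMAC over the arguments, a timestamp and its own PID, and the helper verifies it before doing any work. `SHARED_KEY`, `--auth`, `sign_argv` and `verify_argv` are hypothetical names; the key is assumed to be embedded in both programs, so, as the first answer notes, anything running as the same user can recover it.

```python
import hashlib
import hmac
import json
import os
import time

# Assumption: both executables embed the same key. Anything running as the
# same user can extract it, so this stops casual callers, not a determined one.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 30


def _tag(key, issued_at, caller_pid, args):
    # JSON keeps argument boundaries unambiguous: ["a b"] != ["a", "b"].
    message = json.dumps([issued_at, caller_pid, args], separators=(",", ":"))
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def sign_argv(args, key=SHARED_KEY, now=None, caller_pid=None):
    """Caller side: return args plus a trailing --auth=<time>.<pid>.<tag>."""
    issued_at = int(time.time() if now is None else now)
    pid = os.getpid() if caller_pid is None else caller_pid
    tag = _tag(key, issued_at, pid, list(args))
    return list(args) + [f"--auth={issued_at}.{pid}.{tag}"]


def verify_argv(argv, key=SHARED_KEY, now=None, parent_pid=None):
    """Helper side: return the real arguments, or raise PermissionError."""
    if not argv or not argv[-1].startswith("--auth="):
        raise PermissionError("missing auth token")
    args, token = list(argv[:-1]), argv[-1][len("--auth="):]
    try:
        issued_text, pid_text, tag = token.split(".")
        issued_at, caller_pid = int(issued_text), int(pid_text)
    except ValueError:
        raise PermissionError("malformed auth token") from None
    expected = _tag(key, issued_at, caller_pid, args)
    if not hmac.compare_digest(tag.encode("utf-8", "replace"), expected.encode()):
        raise PermissionError("bad tag: arguments or token were altered")
    # A token copied from the visible command line is usable only in this window
    if abs((time.time() if now is None else now) - issued_at) > MAX_AGE_SECONDS:
        raise PermissionError("stale token")
    # and only by a child of the signing process (PIDs get reused: weak check).
    if caller_pid != (os.getppid() if parent_pid is None else parent_pid):
        raise PermissionError("caller is not our parent")
    return args
```

The helper would call `verify_argv(sys.argv[1:])` first and exit on `PermissionError`; the arguments themselves stay in clear text on the command line, only their origin is checked.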


