none
how to get command line that is used to execute process in user mode? RRS feed

  • Question

  • hi there!

    i know that in kernel mode i can get command line that is used to execute process this way:

    i call PsSetCreateProcessNotifyRoutineEx that gets as parameter my CreateProcessNotifyEx

    and inside CreateProcessNotifyEx  i get the command line that executed that process from 

    PS_CREATE_NOTIFY_INFO.

    is there any way to get the same data in user mode?

    Thursday, May 29, 2014 3:32 PM

Answers

All replies

  • Take a look at the PEB http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx  You will need debugging privledges to access the data.  Using the structure and the calls linked to on the page to get the structures address will get you the data.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, May 29, 2014 8:36 PM
  • thank you!
    Wednesday, June 11, 2014 5:45 AM
  • hi again!

    I'm trying to get the data the way you said also in kernel mode, i found that i can access it using ReadProcessMemory. (in user mode)

    i tried to use it in kernel mode and when i compiled i had an error "the function  is unidentified"

    do you know any other fun' that does the same in kernel mode?

    Sunday, June 15, 2014 2:17 PM
  • The best way to do this is use PsSetCreateProcessNotifyEx, the callback will have the command line in the PS_CREATE_NOTIFY structure.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Sunday, June 15, 2014 2:38 PM
  • thank you again! I really appreciate your help!

    i need it to Windows XP OS and PsSetCreateProcessNotifyRoutineEx is only available starting with Windows Vista with SP1 and Windows Server 2008.

    (as well as PS_CREATE_NOTIFY_INFO  that is available in Windows Vista and later versions of the Windows operating system.)

    do you have any other idea how do i get it (command line) in kernel mode for xp?

    i'm also looking for _RTL_USER_PROCESS_PARAMETERS structure offsets so i can get to the command line field in it using ReadProcessMemory in user mode, have any ideas?


    Monday, June 16, 2014 8:32 AM
  • There is no approved way of doing this for XP.  What I would do is for an XP only driver investigate the undocumented function:

    NTKERNELAPI PPEB NTAPI PsGetProcessPeb(PEPROCESS Process);

    This function was present in XP, but as with all undocumented functions it is something you should use at your own risk.  If this is a commercial product be sure the people you are developing it for understand that you have stepped far outside the "blessed API".   Also, if you are supporting versions of Windows later than XP definitely use PsSetCreateProcessNotifyRoutineEx even though it means two drivers.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Monday, June 16, 2014 12:02 PM