Hello,
I would like to retrieve the Process Parameters from the process that is started from the CreateProcessNotification CB.
I am able to get the image path without problem using the ZwQueryInformationProcess call, but I haven’t found a way to get the command line using this call.
If I try to locate the PEB and get the Process Parameters through this, I am able to do this for the parent process but not for the process that is created.
Does anyone know a clean way to get to this information?
Thanks for your suggestions
> I am able to get the image path without problem using the ZwQueryInformationProcess call.
Are you? Inside CreateProcess-callback? At least this shouldn’t work with
NtCurrentProcess(), because the CreateProcess-callback is called in the
context of the parent process (thread that created the new process).
Hello Frank,
You are right, it doesn’t work with the current process but since the new process ID is passed in as well this can be used to get to the information even though the call is made in the context of the parent.
By doing this and a StackAttach to the new process I can get to a lot of information, but not to the process parameters.
I see.
Well, all I can say is that in my driver I defer determination of process
command line until “ThreadCreate Callback” or “ImageLoad Callback” is
happening where
ZwQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation…
works for the new process.
> Hello Frank,
>
> You are right, it doesn’t work with the current process but since the new
> process ID is passed in as well this can be used to get to the information
> even though the call is made in the context of the parent.
>
> By doing this and a StackAttach to the new process I can get to a lot of
> information but not to the process parameters.
Hello Frank,
Thanks for the feedback. I was hoping for something better, but if it’s not possible, it’s not possible, and I have to do this as well and take my actions a little bit later.
Thanks