How does WinDbg get the command line?

Hi all,

I’m attempting to read the command line early on in the process creation.

Currently my driver registers for image load notifications which run in the
context of the first thread created in the new process.

I was hoping to read the command line from the PEB, however dumping the
PEB::ProcessParameters shows that the PEB hasn’t been fully initialized this
early on the process creation and many members, including
RTL_USER_PROCESS_PARAMETERS::CommandLine are invalid.

However, if I dump the PEB using the !peb command, the command line is
shown. In fact everything is shown with the exception of Ldr information,
even the Environment.

How is WinDbg doing this?

I’m not sure if this should be in the windbg list, I’ll move the discussion
there if preferred?

Thanks,

Ged.

For XP/2003 systems: during process creation, the field RTL_USER_PROCESS_PARAMETERS.CommandLine.Buffer contains a relative offset from the start address of RTL_USER_PROCESS_PARAMETERS.

Wow, so it is!
Is this documented at all?
Is it safe to use?

I haven’t tested my driver on NT6 yet. Is there something similar for NT6 or
is the PEB available earlier for this?

Thanks,
Ged.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@rambler.ru
Sent: 21 July 2010 12:13
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How does WinDbg get the command line?

For XP/2003 systems: during process creation, the field
RTL_USER_PROCESS_PARAMETERS.CommandLine.Buffer contains a relative offset
from the start address of RTL_USER_PROCESS_PARAMETERS.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

“Ged” wrote in message news:xxxxx@ntdev…
> Wow, so it is!
> Is this documented at all?
> Is it safe to use?

No, the PEB is undocumented and not supposed to be touched by drivers. Also,
remember that the PEB is in user space so the application can modify it
while you’re walking it, leading to the introduction of security and/or
stability issues.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


> Is there something similar for NT6 or is the PEB available earlier for this?
On WLH and later, RTL_USER_PROCESS_PARAMETERS.CommandLine.Buffer contains a real address in user-mode memory.

> No, the PEB is undocumented and not supposed to be touched by drivers
Absolutely agree with you: accessing a field of the PEB in a driver is bad practice, but getting the process command line cannot be solved otherwise. Or do you know another way (without a gate to user mode)?
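As an added illustration of the two points made above (not code from the thread, OSR, or any of the posters): the XP/2003 form, where CommandLine.Buffer is an offset from the start of RTL_USER_PROCESS_PARAMETERS, versus the later form where it is a real user-mode address, together with Scott's caveat that a user thread can rewrite the PEB while a driver is walking it. The structures below are a simplified, constructed stand-in for UNICODE_STRING and RTL_USER_PROCESS_PARAMETERS (the real layouts have many more fields), the `buffer_is_offset` flag is an assumed caller-supplied choice based on the OS version rather than anything read from the block, and the block is assumed to have been copied out of user space already. Function and type names are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;            /* Windows WCHAR is 16 bits wide */

/* Shape of UNICODE_STRING; Buffer is kept as an integer so the same field can
 * hold either a pointer (WLH+) or an offset (XP/2003), as the thread describes. */
typedef struct {
    uint16_t  Length;                /* bytes in use, no terminator */
    uint16_t  MaximumLength;         /* bytes allocated */
    uintptr_t Buffer;
} USTR;

/* Simplified stand-in for RTL_USER_PROCESS_PARAMETERS (constructed layout,
 * not the real one): header, CommandLine, then the string storage. */
typedef struct {
    uint32_t MaximumLength;
    uint32_t Length;
    uint32_t Flags;
    USTR     CommandLine;
    WCHAR16  Data[64];
} PARAMS;

/* Snapshot the command line from a captured copy of the user-mode block.
 * The UNICODE_STRING header is read exactly once into a local, and every
 * bound is checked against that local copy, so a user thread rewriting its
 * PEB concurrently cannot change Length between the check and the copy.
 * buffer_is_offset: 1 for the XP/2003 offset form, 0 for the pointer form.
 * Returns the number of WCHAR16s copied, or -1 if the string is invalid. */
int capture_command_line(const uint8_t *base, size_t size, int buffer_is_offset,
                         WCHAR16 *out, size_t out_chars)
{
    USTR s;
    size_t off, chars;

    if (size < offsetof(PARAMS, Data)) return -1;       /* header incomplete */
    memcpy(&s, base + offsetof(PARAMS, CommandLine), sizeof s);  /* single read */

    if (s.Length & 1) return -1;                        /* whole WCHARs only */
    if (s.Length > s.MaximumLength) return -1;
    chars = s.Length / 2;
    if (chars >= out_chars) return -1;                  /* room for terminator */

    if (buffer_is_offset) {
        off = (size_t)s.Buffer;                         /* relative to block start */
    } else {
        uintptr_t b = (uintptr_t)base;                  /* absolute; must lie in captured region */
        if (s.Buffer < b || s.Buffer - b > size) return -1;
        off = (size_t)(s.Buffer - b);
    }
    if (off > size || s.Length > size - off) return -1; /* string must fit in block */

    memcpy(out, base + off, s.Length);
    out[chars] = 0;
    return (int)chars;
}

/* Build a constructed block holding `ascii` as the command line, in either form. */
static void build_params(PARAMS *p, const char *ascii, int as_offset)
{
    size_t i, n = strlen(ascii);
    memset(p, 0, sizeof *p);
    for (i = 0; i < n && i < 63; i++) p->Data[i] = (WCHAR16)ascii[i];
    p->CommandLine.Length        = (uint16_t)(i * 2);
    p->CommandLine.MaximumLength = (uint16_t)((i + 1) * 2);
    p->CommandLine.Buffer = as_offset ? (uintptr_t)offsetof(PARAMS, Data)
                                      : (uintptr_t)p->Data;
    p->Length = p->MaximumLength = (uint32_t)sizeof *p;
}

/* Capture with the correct interpretation; returns 1 if the text round-trips. */
int demo_roundtrip(int as_offset)
{
    PARAMS p; WCHAR16 out[128]; size_t i;
    const char *cmd = "notepad.exe test.txt";       /* constructed sample */
    build_params(&p, cmd, as_offset);
    if (capture_command_line((const uint8_t *)&p, sizeof p, as_offset, out, 128)
            != (int)strlen(cmd)) return 0;
    for (i = 0; cmd[i]; i++) if (out[i] != (WCHAR16)cmd[i]) return 0;
    return out[i] == 0;
}

/* The original poster's symptom: an XP-style offset read as if it were a
 * pointer is rejected (-1) rather than dereferenced. */
int demo_offset_read_as_pointer(void)
{
    PARAMS p; WCHAR16 out[128];
    build_params(&p, "notepad.exe", 1);
    return capture_command_line((const uint8_t *)&p, sizeof p, 0, out, 128);
}

/* Scott's caveat: the owning process can rewrite its PEB. A Length that
 * reaches past the block is rejected (-1) instead of copying foreign memory. */
int demo_tampered_length(void)
{
    PARAMS p; WCHAR16 out[256];
    build_params(&p, "x", 1);
    p.CommandLine.Length = p.CommandLine.MaximumLength = 0x0100;
    return capture_command_line((const uint8_t *)&p, sizeof p, 1, out, 256);
}

int main(void)
{
    printf("offset form ok: %d, pointer form ok: %d\n", demo_roundtrip(1), demo_roundtrip(0));
    printf("offset read as pointer: %d, tampered length: %d\n",
           demo_offset_read_as_pointer(), demo_tampered_length());
    return 0;
}
```

In a real driver the block would be copied out under ProbeForRead and a __try/__except before any field is interpreted, and the copy, not the live PEB, would be validated as above. On Vista SP1 and later the PEB walk is unnecessary, as Scott notes below: PsSetCreateProcessNotifyRoutineEx hands the callback a PS_CREATE_NOTIFY_INFO whose CommandLine member is already a kernel-owned PCUNICODE_STRING.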

wrote in message news:xxxxx@ntdev…
> Absolutely agree with you: accessing a field of the PEB in a driver is bad
> practice, but getting the process command line cannot be solved otherwise.
> Or do you know another way (without a gate to user mode)?

I think you’re pretty much out of luck on older platforms in terms of a
better solution (hopefully someone will correct me).
PsSetCreateProcessNotifyRoutineEx was added to Vista SP1 and later to
address this issue for current releases.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


> On WLH and later RTL_USER_PROCESS_PARAMETERS.CommandLine.Buffer contains a real address in user-mode memory.

The same was the case in XP SP2 and SP3, I think; at least the full EXE pathname was there (and GetModuleFileNameEx read exactly the RTL_USER_PROCESS_PARAMETERS).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com