how to get process parameters


I would like to peek at the process parameters (the command line) during
process creation but I understand that the parameters are written to the
process memory *after* it has been created … right?

More specifically, I am hooking NtCreateProcess and the logic I am
implementing requires me to check the process parameters. Nebbett's book
pseudo-code shows that the process params are created after the call to
xxCreateProcess (by means of RtlCreateProcessParameters) and then stuffed
into the process by means of ZwWriteVirtualMemory.

If the parameters are stored in the process PEB … how do I get to them?


System ( S_1_5_18 at )
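An added example (not code from this post or from Nebbett's book) of the walk the question describes in the other direction: PEB.ProcessParameters -> RTL_USER_PROCESS_PARAMETERS.CommandLine -> the UNICODE_STRING buffer, using the public x86 and x64 offsets. It returns None while ProcessParameters is still NULL, which is exactly the state a hook on NtCreateProcess observes before the parent has written the parameter block in. FakeProcessMemory holds constructed bytes laid out like the real structures so it runs anywhere; LiveProcessMemory is the Windows path (OpenProcess, ReadProcessMemory, NtQueryInformationProcess via ctypes), assumes the reading Python has the same bitness as the target, and is not exercised here. All function and class names are mine.

```python
"""Read another process's command line by walking PEB -> ProcessParameters -> CommandLine.

Added example, not code from the original post. The offsets below are the public
PEB / RTL_USER_PROCESS_PARAMETERS / UNICODE_STRING layouts for x86 and x64.
"""
import struct
import sys

# Per architecture: pointer size, PEB.ProcessParameters offset,
# RTL_USER_PROCESS_PARAMETERS.CommandLine offset, UNICODE_STRING.Buffer offset.
LAYOUT = {
    "x86": {"ptr": 4, "peb_params": 0x10, "cmdline": 0x40, "ustr_buf": 4},
    "x64": {"ptr": 8, "peb_params": 0x20, "cmdline": 0x70, "ustr_buf": 8},
}
PTR_FMT = {4: "<I", 8: "<Q"}


class FakeProcessMemory:
    """Constructed stand-in for a target address space: {base: bytes} regions."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, address, size):
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                return data[address - base:address - base + size]
        raise OSError("unmapped read at %#x" % address)


class LiveProcessMemory:
    """Real target via OpenProcess/ReadProcessMemory (Windows only; hypothetical use here)."""

    def __init__(self, pid):
        import ctypes as ct
        self.ct, self.k32 = ct, ct.WinDLL("kernel32", use_last_error=True)
        self.k32.OpenProcess.restype = ct.c_void_p
        self.k32.ReadProcessMemory.argtypes = [ct.c_void_p, ct.c_void_p, ct.c_void_p,
                                               ct.c_size_t, ct.POINTER(ct.c_size_t)]
        self.h = self.k32.OpenProcess(0x0400 | 0x0010, False, pid)  # QUERY_INFORMATION | VM_READ
        if not self.h:
            raise ct.WinError(ct.get_last_error())

    def read(self, address, size):
        buf, got = self.ct.create_string_buffer(size), self.ct.c_size_t()
        if not self.k32.ReadProcessMemory(self.h, address, buf, size, self.ct.byref(got)):
            raise self.ct.WinError(self.ct.get_last_error())
        return buf.raw[:got.value]

    def peb_base(self):
        """PROCESS_BASIC_INFORMATION.PebBaseAddress from NtQueryInformationProcess (class 0)."""
        ct = self.ct

        class PBI(ct.Structure):
            _fields_ = [("ExitStatus", ct.c_long), ("PebBaseAddress", ct.c_void_p),
                        ("AffinityMask", ct.c_size_t), ("BasePriority", ct.c_long),
                        ("UniqueProcessId", ct.c_size_t), ("InheritedFromUniqueProcessId", ct.c_size_t)]
        ntdll = ct.WinDLL("ntdll")
        pbi, ret = PBI(), ct.c_ulong()
        status = ntdll.NtQueryInformationProcess(self.h, 0, ct.byref(pbi), ct.sizeof(pbi), ct.byref(ret))
        if status != 0:
            raise OSError("NtQueryInformationProcess failed: %#x" % (status & 0xFFFFFFFF))
        return pbi.PebBaseAddress


def read_ptr(mem, address, lay):
    return struct.unpack(PTR_FMT[lay["ptr"]], mem.read(address, lay["ptr"]))[0]


def read_unicode_string(mem, address, lay):
    """UNICODE_STRING: USHORT Length, USHORT MaximumLength, PWSTR Buffer (points into the target)."""
    length, _maxlen = struct.unpack("<HH", mem.read(address, 4))
    buf = read_ptr(mem, address + lay["ustr_buf"], lay)
    if buf == 0 or length == 0:
        return ""
    return mem.read(buf, length).decode("utf-16-le")


def get_command_line(mem, peb_base, arch="x64"):
    """Command line, or None while PEB.ProcessParameters is still NULL.

    NULL is what a hook on NtCreateProcess sees: the parent builds the parameter
    block and writes it into the child only after the process object exists.
    """
    lay = LAYOUT[arch]
    params = read_ptr(mem, peb_base + lay["peb_params"], lay)
    if params == 0:
        return None
    return read_unicode_string(mem, params + lay["cmdline"], lay)


def build_fake_process(cmdline, arch="x64", params_written=True):
    """Constructed PEB, parameter block and string buffer, laid out like the real ones."""
    lay = LAYOUT[arch]
    fmt = PTR_FMT[lay["ptr"]]
    peb_base, params_base, str_base = 0x7FFD0000, 0x00A00000, 0x00A01000
    peb = bytearray(0x40)
    if params_written:
        struct.pack_into(fmt, peb, lay["peb_params"], params_base)
    raw = cmdline.encode("utf-16-le")
    params = bytearray(0x80)
    struct.pack_into("<HH", params, lay["cmdline"], len(raw), len(raw) + 2)
    struct.pack_into(fmt, params, lay["cmdline"] + lay["ustr_buf"], str_base)
    regions = {peb_base: bytes(peb), params_base: bytes(params), str_base: raw + b"\x00\x00"}
    return FakeProcessMemory(regions), peb_base


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        live = LiveProcessMemory(int(sys.argv[1]))
        print(get_command_line(live, live.peb_base(), "x64" if sys.maxsize > 2**32 else "x86"))
    else:
        mem, peb = build_fake_process('"C:\\Windows\\System32\\notepad.exe" C:\\tmp\\notes.txt')
        print(get_command_line(mem, peb))
```

Two caveats for anyone adapting this to the kernel-mode hook the question is about: the PEB and the parameter block are pageable user-mode memory of the target, so a driver has to read them in that process's context (KeStackAttachProcess) with ProbeForRead and exception handling rather than by dereferencing the pointers directly, and the offsets above are for native processes, so a 32-bit reader looking at a 64-bit target (or a WOW64 target with its two PEBs) will walk the wrong layout.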