Retrieving Command-Line

Hi All,

I want to get the arguments that are passed to another process. For that I am using
the NtQueryInformationProcess API and the PEB structure. The code works well on all
32-bit OS versions (2K onwards), but it does not work on 64-bit OS. I think this problem
is due to a change in the PEB structure.

Currently I am using the following structure:

typedef struct _MYPEB
{
    // Undocumented layout; the reserved sizes below are hand-counted
    UCHAR Reserved1[4];
    PVOID Reserved2;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA LoaderData;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved3[312];
    /* PPS_POST_PROCESS_INIT_ROUTINE */
    void * PostProcessInitRoutine;
    BYTE Reserved4[132];
    ULONG SessionId;
} MYPEB, *PMYPEB;

What changes do I have to make so that it will work on 64-bit OS?

Thanks & Regards,
Amit.
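The layout question above, worked through in C as an added example (this is not code from the post, nor Microsoft's headers). It models the prefix of the poster's MYPEB and the head of RTL_USER_PROCESS_PARAMETERS in both pointer widths using fixed-width integers, so it compiles and runs on any host and reports the offsets a reader has to use for an x86 versus an x64 target. The x64 reserved sizes (520 and 136) are what the native 64-bit layout needs for PostProcessInitRoutine and SessionId to land at their real offsets; everything else is the poster's field list with pointers widened. The byte images and addresses in the demo function are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poster's MYPEB prefix on x86: 4-byte pointers, reserved sizes from the post. */
typedef struct {
    uint8_t  Reserved1[4];
    uint32_t Reserved2;                /* Mutant */
    uint32_t ImageBaseAddress;
    uint32_t LoaderData;               /* Ldr */
    uint32_t ProcessParameters;
    uint8_t  Reserved3[312];
    uint32_t PostProcessInitRoutine;
    uint8_t  Reserved4[132];
    uint32_t SessionId;
} PEB32_MODEL;

/* Same prefix on x64: 8-byte pointers, and both reserved gaps grow
 * (520 and 136) so the two trailing fields land at their native offsets. */
typedef struct {
    uint8_t  Reserved1[4];
    uint64_t Reserved2;
    uint64_t ImageBaseAddress;
    uint64_t LoaderData;
    uint64_t ProcessParameters;
    uint8_t  Reserved3[520];
    uint64_t PostProcessInitRoutine;
    uint8_t  Reserved4[136];
    uint32_t SessionId;
} PEB64_MODEL;

/* UNICODE_STRING and the head of RTL_USER_PROCESS_PARAMETERS, both widths. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } USTR32;
typedef struct { uint16_t Length, MaximumLength; uint64_t Buffer; } USTR64;

typedef struct {
    uint32_t MaximumLength, Length, Flags, DebugFlags;
    uint32_t ConsoleHandle, ConsoleFlags;
    uint32_t StandardInput, StandardOutput, StandardError;
    struct { USTR32 DosPath; uint32_t Handle; } CurrentDirectory;
    USTR32   DllPath, ImagePathName, CommandLine;
} PARAMS32_MODEL;

typedef struct {
    uint32_t MaximumLength, Length, Flags, DebugFlags;
    uint64_t ConsoleHandle; uint32_t ConsoleFlags;
    uint64_t StandardInput, StandardOutput, StandardError;
    struct { USTR64 DosPath; uint64_t Handle; } CurrentDirectory;
    USTR64   DllPath, ImagePathName, CommandLine;
} PARAMS64_MODEL;

/* Offsets a reader must use, selected by the target's architecture. */
size_t peb_process_parameters_offset(int is64) {
    return is64 ? offsetof(PEB64_MODEL, ProcessParameters)
                : offsetof(PEB32_MODEL, ProcessParameters);
}
size_t peb_session_id_offset(int is64) {
    return is64 ? offsetof(PEB64_MODEL, SessionId) : offsetof(PEB32_MODEL, SessionId);
}
size_t params_command_line_offset(int is64) {
    return is64 ? offsetof(PARAMS64_MODEL, CommandLine)
                : offsetof(PARAMS32_MODEL, CommandLine);
}

/* Decode CommandLine.Length (bytes) and the remote Buffer address from a raw
 * copy of the target's RTL_USER_PROCESS_PARAMETERS, as ReadProcessMemory
 * would return it. memcpy keeps the reads alignment-safe. Returns 0 on
 * success, -1 if the copy is too short to contain the field. */
int extract_command_line(const uint8_t *image, size_t len, int is64,
                         uint16_t *out_len, uint64_t *out_buffer) {
    size_t off  = params_command_line_offset(is64);
    size_t need = off + (is64 ? sizeof(USTR64) : sizeof(USTR32));
    if (len < need) return -1;
    if (is64) {
        USTR64 s; memcpy(&s, image + off, sizeof s);
        *out_len = s.Length; *out_buffer = s.Buffer;
    } else {
        USTR32 s; memcpy(&s, image + off, sizeof s);
        *out_len = s.Length; *out_buffer = s.Buffer;
    }
    return 0;
}

/* Constructed sample: zeroed parameter copies with only CommandLine planted
 * (Length 0x1A bytes; a made-up remote Buffer address for each width).
 * Returns 1 when both decode to the planted values and a short copy is refused. */
int demo_constructed_images(void) {
    uint8_t img[128] = {0};
    uint16_t n = 0; uint64_t buf = 0;
    USTR64 s64 = { 0x1A, 0x1C, 0x7ff6deadbe00ULL };
    memcpy(img + params_command_line_offset(1), &s64, sizeof s64);
    if (extract_command_line(img, sizeof img, 1, &n, &buf) != 0) return 0;
    if (n != 0x1A || buf != 0x7ff6deadbe00ULL) return 0;
    memset(img, 0, sizeof img);
    USTR32 s32 = { 0x1A, 0x1C, 0x00401000u };
    memcpy(img + params_command_line_offset(0), &s32, sizeof s32);
    if (extract_command_line(img, sizeof img, 0, &n, &buf) != 0) return 0;
    if (n != 0x1A || buf != 0x00401000u) return 0;
    if (extract_command_line(img, 0x40, 0, &n, &buf) != -1) return 0; /* too short */
    return 1;
}

int main(void) {
    for (int is64 = 0; is64 <= 1; is64++)
        printf("%s: ProcessParameters @0x%zx, SessionId @0x%zx, CommandLine @0x%zx\n",
               is64 ? "x64" : "x86", peb_process_parameters_offset(is64),
               peb_session_id_offset(is64), params_command_line_offset(is64));
    return demo_constructed_images() ? 0 : 1;
}
```

In a real reader the flow is: NtQueryInformationProcess(ProcessBasicInformation) for PebBaseAddress, ReadProcessMemory of the pointer-sized ProcessParameters field at the offset above, then the UNICODE_STRING at the CommandLine offset and Length bytes from its Buffer. The practical fix for the poster's struct is to let every pointer field be the native width and to size the reserved gaps per architecture (312/132 on x86, 520/136 on x64) instead of one byte count for both. Two caveats worth checking: a 32-bit reader on a 64-bit OS can only read 32-bit (WOW64) targets this way, so query ProcessWow64Information before assuming the layout; and the command line in the PEB is ordinary writable memory of the target, so a monitored process can change it after start, which matters if the value is used for auditing rather than convenience.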

Here are PEB definitions for both x86 and x64:

http://msdn.microsoft.com/en-us/library/aa813706(VS.85).aspx

–pa


Yes, actually I have tried this structure for 64-bit, but it gives me a
ProcessParameters address which is likely invalid.

http://msdn.microsoft.com/en-us/library/aa813706(VS.85).aspx

Using the PEB as a reference for anything in production code can be flaky
(unless your OS version is guaranteed…, or you implement every single
variant) because of its changes between OSes, although having said that, I
did really like the quote that I think it was Pavel made the other day, “One
just can’t come with a sane and clean solution when requirements are insane”

crispin.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


I’m considering making that the NTDEV motto.

Peter
OSR

I require it in the following scenario:

We are using a third-party exe. Our exe is already running in the system. Third-party exe instances run with different args as and when required. Our exe needs to monitor the
input given to them.

> Using the PEB as a reference for anything in production code can be flaky
> (unless your os version is guaranteed…, or you implement every single
> variant)

If OP is not lazy, [s]he can go to UM through an inverted call, get cmd line
params there [not easy but doable, given that the UM component has enough
rights. I can find a link to how it’s done, if OP wants] and return them to
the driver.

No per-version games in this case, but gosh, it is heavy, heavy both on OP
and performance-wise.


Yes, I want it in user mode. Currently also I am not doing it in kernel mode.