Re: How to Get Command Line Arguments of a Newly Created Process:
- From: "Don Burn" <burn@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 2 Jan 2009 09:55:34 -0500
If you are doing this just for research, use something like Detours and do it
in user space; the hacks you have to go through to get the command line can
be large.
--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
"zaman" <zaman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6813451-B52B-49B7-8860-90071ACD5E81@xxxxxxxxxxxxxxxx
Thanks for your response. However, I would appreciate it if you would
concentrate on the problem and respond with a solution.
I know hooking is not a stable technique, and I am not running my
application on a native system. Instead, I am using a virtual machine.
My intention in doing all this is just to study the behavior of some
executables with the maximum information I can get about them.
Thanks
"Alexander Grigoriev" wrote:
Why do you need all that?
"zaman" <fhm2zaman@xxxxxxxxx> wrote in message
news:f3740510-c459-4699-b836-9070a476f3d6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
What i Have Done So Far:
------------------------
I have hooked ZwCreateProcessEx and the control transfers to my code
every time there is a new process launch.
How to Get Parameters:
----------------------
If I call NtQueryInformationProcess(), would it get me to the command
line arguments, which I know are present in the PEB?
I have tried calling this function from the hooked ZwCreateProcessEx, but
every time it returns a value that seems invalid and is not one of the
standard error codes (a negative value).
My Questions:
-------------
Q1: Can NtQueryInformationProcess be called from kernel level to get
process basic information? If yes, then why is it not returning a success
status?
The only reason I can think of is that perhaps the PEB is created when
ZwCreateProcessEx has returned successfully. Please let me know if my
observation is incorrect.
Q2: If hooking is not a possible way to get command line arguments,
then is there some other way to get the command line parameters of a newly
created process in Windows XP?
Other Technique that did not Work for me:
------------------------------------------
- Get the PID of the new process from PsSetCreateProcessNotifyRoutine (kernel land).
- From this PID, get a handle to the new process using OpenProcess() (user land), called with proper privileges.
- Pass the handle to NtQueryInformationProcess() to get process basic information.
- Process basic information has the PEB, which eventually leads to the process startup parameters.
This technique failed under the following scenarios:
Scenario One:
-------------
A process is created and remains alive for some time. The time it
stays active is a few seconds or more.
Scenario Two:
-------------
A process is created and terminates soon after its launch. By the time
an attempt is made to read the PEB, the process is already terminated and
process related structures are not available. Hence all of the PEB,
including the command line parameters, is lost.
In both of the above scenarios, sometimes the parameters were retrieved
successfully, but mostly they were not obtained. Please keep in mind
that the NtQueryInformationProcess() call was successful every time.
To counter these situations, a delay was introduced (10 milliseconds).
Doing so solved scenario 1 permanently, but now scenario 2 occurs
consistently.
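The user-land chain from zaman's list (OpenProcess, then NtQueryInformationProcess with ProcessBasicInformation, then PEB.ProcessParameters, then RTL_USER_PROCESS_PARAMETERS.CommandLine), as an added PowerShell example that is not code from anyone in the thread. It assumes the reading shell and the target share bitness (the hard-coded PEB and RTL_USER_PROCESS_PARAMETERS offsets, the PebNative wrapper and the Read-Bytes/Read-Pointer/Get-PebCommandLine helper names are mine), and it surfaces the scenario-two failure, where the target's address space is already gone by the time the PEB is read.

```powershell
# Added example, not from the thread: read CommandLine out of a live process's PEB.
# Offsets assume reader and target share bitness (x86: 0x10/0x40, x64: 0x20/0x70).
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class PebNative {
    [StructLayout(LayoutKind.Sequential)] public struct PBI {   // PROCESS_BASIC_INFORMATION
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, ParentProcessId; }
    [DllImport("ntdll.dll")] public static extern int NtQueryInformationProcess(
        IntPtr h, int cls, ref PBI pbi, int size, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool ReadProcessMemory(
        IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@

function Read-Bytes([IntPtr]$h, [IntPtr]$addr, [int]$size) {
    $buf = New-Object byte[] $size; $n = [IntPtr]::Zero
    if (-not [PebNative]::ReadProcessMemory($h, $addr, $buf, $size, [ref]$n)) {
        throw ("ReadProcessMemory at 0x{0:X} failed: target address space already torn down?" -f $addr.ToInt64())
    }
    return ,$buf
}
function Read-Pointer([IntPtr]$h, [IntPtr]$addr) {   # pointer-sized little-endian read
    $b = Read-Bytes $h $addr ([IntPtr]::Size)
    if ([IntPtr]::Size -eq 8) { [IntPtr][BitConverter]::ToInt64($b, 0) } else { [IntPtr][BitConverter]::ToInt32($b, 0) }
}

function Get-PebCommandLine([int]$ProcessId) {
    $x64 = [IntPtr]::Size -eq 8
    $paramsOff = if ($x64) { 0x20 } else { 0x10 }   # PEB.ProcessParameters
    $cmdOff    = if ($x64) { 0x70 } else { 0x40 }   # RTL_USER_PROCESS_PARAMETERS.CommandLine (UNICODE_STRING)
    $h = [PebNative]::OpenProcess(0x0410, $false, $ProcessId)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: process exited or access denied" }
    try {
        $pbi = New-Object PebNative+PBI; $len = 0
        $st = [PebNative]::NtQueryInformationProcess($h, 0, [ref]$pbi, [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$len)
        if ($st -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $st) }
        $procParams = Read-Pointer $h ([IntPtr]($pbi.PebBaseAddress.ToInt64() + $paramsOff))
        $us = Read-Bytes $h ([IntPtr]($procParams.ToInt64() + $cmdOff)) (2 * [IntPtr]::Size)
        $nBytes = [BitConverter]::ToUInt16($us, 0)          # UNICODE_STRING.Length counts bytes, not chars
        if ($nBytes -eq 0) { return '' }
        $strBuf = Read-Pointer $h ([IntPtr]($procParams.ToInt64() + $cmdOff + [IntPtr]::Size))   # .Buffer
        return [Text.Encoding]::Unicode.GetString((Read-Bytes $h $strBuf $nBytes))
    } finally { [void][PebNative]::CloseHandle($h) }
}

Get-PebCommandLine $PID                       # this shell's own command line: always readable
$p = Start-Process cmd.exe '/c exit' -PassThru -WindowStyle Hidden   # constructed short-lived target
try { Get-PebCommandLine $p.Id } catch { "Scenario two reproduced: $_" }   # sometimes succeeds, sometimes not
```

The last two lines show the race directly: OpenProcess and NtQueryInformationProcess still succeed on the exited cmd.exe because the handle keeps the process object alive, but ReadProcessMemory fails once its address space is gone, which is exactly the "call succeeded, PEB lost" behaviour described above.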