
I am working with the PEB. I have managed to get inside _RTL_USER_PROCESS_PARAMETERS. My aim: to know the memory address of argc and argv (and if possible their values too) only by using a binary file (.exe file). My current approach: to access the command-line string (which resides inside the struct _RTL_USER_PROCESS_PARAMETERS).

I managed to get inside it by embedding asm inside a C program:

mov eax, fs:[0x30]          ; TEB -> PEB (32-bit)
mov [PEBaddress], eax

mov ebx, [eax+0x10]         ; PEB -> ProcessParameters (32-bit)
mov [ProcessParameters], ebx

I got the offsets 0x30 and 0x10 by studying the binary under the Windows debugger.

Now at offset 0x40 from the ProcessParameters address lies the string CommandLine, which I believe is a buffer, which I further believe is holding the value of argc and argv.

Problem: I want to read that buffer and get the address values of argc and argv (the command-line arguments passed to a process). Can anyone make this possible by providing me with code for reading the buffer (as it is a Unicode string) and getting the required address?

Is there any other way of doing this job? (You can suggest that as well; don't give me the option of printing the address of argc and argv inside main.) I want static answers.

Worlock

1 Answer


Windows does not pass argc and argv into a program. It passes the full literal command line, as a string. If the program in question even is a C program, then this parsing is done by the C runtime libraries embedded in that program.

Billy ONeal
  • Can you write me C code for printing that buffer? If you know the starting address of the buffer to be cmdbuf (which stores the hex address) and the size of the buffer is 1K – Worlock Oct 19 '12 at 18:56
  • @Worlock: https://bitbucket.org/BillyONeal/instalog/src/2011fa5baec5b60785ba18262b202089fded3a87/LogCommon/Process.cpp?at=default – Billy ONeal Oct 19 '12 at 20:42
  • @Worlock: Except the PEB is not a contract between you and Windows. Windows is entirely allowed to change the format completely from version to version, and that will break your code. `GetCommandLine` was created precisely because people needed a method to get the command line in a supported way. – Billy ONeal Oct 22 '12 at 20:15
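The point of the answer, as an added example that is not part of the question, the answer, or the Process.cpp linked above: the buffer at ProcessParameters+0x40 (32-bit) holds only the raw command-line string, and argc/argv exist only after the C runtime has split that string, so there is no argc or argv to find in the PEB. The code below is a C reimplementation of the splitting rules the Microsoft C runtime applies before main() (the cases are the ones in Microsoft's "Parsing C command-line arguments" documentation); on Windows it feeds itself from GetCommandLineW(), the supported API, and elsewhere from a constructed sample line. split_command_line, split_matches, free_args, MAX_ARGS and the sample line are my own names and assumptions, not anything from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define MAX_ARGS 64                                   /* assumed limit for this example */
#define IS_WS(c) ((c) == L' ' || (c) == L'\t')

void free_args(int argc, wchar_t **argv) { while (argc-- > 0) free(argv[argc]); free(argv); }

/* Append a copy of buf[0..len) to argv; 0 on allocation failure or when MAX_ARGS is hit. */
static int push_arg(wchar_t **argv, int *argc, const wchar_t *buf, size_t len)
{
    wchar_t *copy = *argc < MAX_ARGS ? malloc((len + 1) * sizeof *copy) : NULL;
    if (!copy) return 0;
    memcpy(copy, buf, len * sizeof *copy); copy[len] = L'\0';
    argv[(*argc)++] = copy;
    return 1;
}

/* Split a raw command line into argc/argv with the rules the Microsoft C runtime applies
 * before calling main(). Returns argc and a NULL-terminated malloc'd argv in *argv_out,
 * or -1 on allocation failure or more than MAX_ARGS arguments. */
int split_command_line(const wchar_t *cmd, wchar_t ***argv_out)
{
    wchar_t **argv = calloc(MAX_ARGS + 1, sizeof *argv);
    wchar_t *buf = malloc((wcslen(cmd) + 1) * sizeof *buf); /* output never exceeds input */
    const wchar_t *p = cmd;
    int argc = 0, inquote = 0;
    size_t len = 0, nbs, i;
    if (!argv || !buf) goto fail;
    while (IS_WS(*p)) p++;
    /* argv[0], the program path: quotes delimit it, backslashes are never special. */
    for (; *p && (inquote || !IS_WS(*p)); p++) {
        if (*p == L'"') inquote = !inquote; else buf[len++] = *p;
    }
    if (!push_arg(argv, &argc, buf, len)) goto fail;
    /* Remaining arguments: backslash-before-quote and "" rules apply. */
    for (;;) {
        while (IS_WS(*p)) p++;
        if (!*p) break;
        len = 0; inquote = 0;
        for (;;) {
            for (nbs = 0; *p == L'\\'; p++) nbs++;
            if (*p == L'"') {
                /* 2n backslashes + quote: n backslashes and the quote toggles quoting;
                 * 2n+1 backslashes + quote: n backslashes and a literal quote. */
                for (i = 0; i < nbs / 2; i++) buf[len++] = L'\\';
                if (nbs % 2) buf[len++] = L'"';
                else if (inquote && p[1] == L'"') { buf[len++] = L'"'; p++; } /* "" inside quotes */
                else inquote = !inquote;
                p++; continue;
            }
            for (i = 0; i < nbs; i++) buf[len++] = L'\\'; /* not before a quote: literal */
            if (!*p || (!inquote && IS_WS(*p))) break;
            buf[len++] = *p++;
        }
        if (!push_arg(argv, &argc, buf, len)) goto fail;
    }
    free(buf); argv[argc] = NULL; *argv_out = argv;
    return argc;
fail:
    free(buf); if (argv) free_args(argc, argv);
    return -1;
}

/* Check helper: split cmd and compare the result with `expected`, the arguments joined by '|'. */
int split_matches(const wchar_t *cmd, const wchar_t *expected)
{
    wchar_t **argv, joined[512] = L"";
    size_t n = 0;
    int argc = split_command_line(cmd, &argv), ok;
    if (argc < 0) return 0;
    for (int i = 0; i < argc; i++) {
        if (n + wcslen(argv[i]) + 2 > 512) { free_args(argc, argv); return 0; }
        if (i) joined[n++] = L'|';
        wcscpy(joined + n, argv[i]); n += wcslen(argv[i]);
    }
    ok = wcscmp(joined, expected) == 0;
    free_args(argc, argv);
    return ok;
}

int main(void)
{
#ifdef _WIN32
    /* Supported API; same bytes the loader stored in PEB->ProcessParameters->CommandLine. */
    const wchar_t *raw = GetCommandLineW();
#else
    /* Constructed stand-in for GetCommandLineW() when not built on Windows. */
    const wchar_t *raw = L"\"C:\\Program Files\\tool.exe\" \"a b c\" d\\\\\"e f\" \"\" g";
#endif
    wchar_t **argv;
    int argc = split_command_line(raw, &argv);
    for (int i = 0; i < argc; i++) printf("argv[%d] = [%ls]\n", i, argv[i]);
    if (argc >= 0) free_args(argc, argv);
    return 0;
}
```

Build with `cl /W4 cmdline.c` or `gcc -std=c99 -Wall cmdline.c`. On Windows, run it with varied quoting and compare the printed argv against what a wmain(int argc, wchar_t **argv) in the same binary receives; the addresses of that argv are CRT heap allocations made at startup, which is why they cannot be read out of the .exe statically. Shell32's CommandLineToArgvW applies closely related, but not identical, rules to the same string.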