


arman2
November 20th, 2004, 11:28 AM
hi,

does anyone know how i can get a process's arguments?

I mean, I have a handle to a process and i want to get the arguments it was given at the time of creation.

I think that it is impossible!

but does anyone know any other way, for example hooking a function in kernel-mode, or anything else that can get the arguments when the process gets created????!!!

thanx alot

Mick
November 20th, 2004, 11:33 AM
Grab the PEB from the process. Then read the PROCESS_PARAMETERS. The command line is a UNICODE_STRING contained within.

arman2
November 21st, 2004, 12:01 PM
Thanks mick,

everything is ok!

for those who may also look for this answer I paste some data here.

use ZwQueryInformationProcess with ProcessBasicInformation as the second param to get a buffer containing PROCESS_BASIC_INFORMATION. Its PebBaseAddress is an address inside the target process, so the PEB and the PROCESS_PARAMETERS it points to then have to be read out of that process rather than dereferenced directly.


/*
 * Partial layout of the process-parameters block that PEB.ProcessParameters
 * points to (arman2's working version). Members the poster could not
 * identify are named UnknownN and should not be relied on.
 *
 * NOTE(review): Mick's follow-up in this thread redefines PROCESS_PARAMETERS
 * under the same typedef name with a longer member list; the two cannot be
 * compiled into the same translation unit.
 *
 * NOTE(review): the offsets only hold when HANDLE and PVOID are 4 bytes wide
 * (32-bit inspector reading a 32-bit target). For a 64-bit target every
 * member after Unknown2 shifts; confirm against the public
 * RTL_USER_PROCESS_PARAMETERS in winternl.h before reusing this in new code.
 *
 * NOTE(review): the thread's use case is reading another process through a
 * handle, so this block and every UNICODE_STRING.Buffer inside it are
 * addresses in the *target* process - presumably fetched with
 * ReadProcessMemory, never dereferenced locally. Bound the copy by
 * CommandLine.Length (a byte count; the string need not be NUL-terminated)
 * and treat the result as untrusted input: the target can rewrite its own
 * parameters block at any time.
 */
typedef struct
{
ULONG AllocationSize;
ULONG ActualSize;
ULONG Flags;
ULONG Unknown1;
UNICODE_STRING Unknown2;
HANDLE InputHandle;                /* presumably the std handles; compare hStdInput etc. in Mick's version */
HANDLE OutputHandle;
HANDLE ErrorHandle;
UNICODE_STRING CurrentDirectory;
HANDLE CurrentDirectoryHandle;
UNICODE_STRING SearchPaths;
UNICODE_STRING ApplicationName;
UNICODE_STRING CommandLine;        /* the creation-time command line this thread is after */
PVOID EnvironmentBlock;            /* target-process address, not valid in the caller */
ULONG Unknown[9];
UNICODE_STRING Unknown3;
UNICODE_STRING Unknown4;
UNICODE_STRING Unknown5;
UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

/*
 * Minimal PEB prefix, just enough to reach ProcessParameters.
 *
 * NOTE(review): Mick's fuller PEB later in this thread places the same
 * members at the same 32-bit offsets under different names:
 *   AllocationSize   -> InheritedAddressSpace / ReadImageFileExecOptions /
 *                       BeingDebugged / b003 (four single-byte flags)
 *   Unknown1         -> d004
 *   ProcessHinstance -> SectionBaseAddress
 *   ListDlls         -> ProcessModuleInfo
 *   Unknown2         -> SubSystemData
 *   Heap             -> ProcessHeap
 * so the names here are placeholders, not descriptions of the fields.
 * Both typedefs are named PEB; compile only one of them.
 *
 * NOTE(review): this layout assumes 4-byte pointers. A 64-bit PEB has
 * 8-byte pointer members from offset 8 on, so ProcessParameters is no
 * longer at 0x10 - verify against winternl.h's PEB for the target bitness.
 *
 * NOTE(review): the PEB lives in the target's address space (reached via
 * PROCESS_BASIC_INFORMATION.PebBaseAddress) and is writable by that
 * process. Read it with ReadProcessMemory and validate the pointers it
 * contains before following them.
 */
typedef struct
{
ULONG AllocationSize;
ULONG Unknown1;
HINSTANCE ProcessHinstance;
PVOID ListDlls;
PPROCESS_PARAMETERS ProcessParameters;   /* 0x10 on 32-bit: target-process address of the parameters block */
ULONG Unknown2;
HANDLE Heap;
} PEB, *PPEB;

/*
 * Output buffer for ZwQueryInformationProcess(..., ProcessBasicInformation, ...).
 * Pass sizeof(PROCESS_BASIC_INFORMATION) as the buffer length and check the
 * NTSTATUS return before touching any member.
 *
 * NOTE(review): DWORD AffinityMask and ULONG process ids are only the right
 * width for a 32-bit caller; the public winternl.h declaration uses
 * pointer-sized members here, so this struct is the wrong size on 64-bit -
 * confirm for the target platform.
 *
 * NOTE(review): PebBaseAddress is an address in the queried process, not in
 * the caller. Dereferencing it locally is only valid when the handle refers
 * to the current process; otherwise copy through ReadProcessMemory, which
 * needs a handle opened with read access (the query itself needs query
 * access on the handle).
 */
typedef struct
{
DWORD ExitStatus;                    /* exit status; the process may still be running */
PPEB PebBaseAddress;                 /* PEB address inside the *target* process */
DWORD AffinityMask;
DWORD BasePriority;
ULONG UniqueProcessId;               /* PID of the queried process */
ULONG InheritedFromUniqueProcessId;  /* PID of the creating (parent) process, per the name */
} PROCESS_BASIC_INFORMATION;



in this forum I get many answers, I really thank you all,

I will tell everyone about this great forum when my project gets finished, in my press conference in may '04.

thanks all

Mick
November 21st, 2004, 01:15 PM
A little more filler


/*
 * Fuller layout of the process-parameters block (Mick's version), superseding
 * arman2's partial typedef of the same name earlier in the thread - compile
 * only one of them.
 *
 * NOTE(review): as elsewhere in this thread, offsets assume 4-byte HANDLE
 * and PWSTR members (32-bit). Cross-check with RTL_USER_PROCESS_PARAMETERS
 * in winternl.h for the target bitness.
 *
 * NOTE(review): the dwX .. wShowWindow run mirrors the member names of
 * STARTUPINFO, which is presumably where these values come from at process
 * creation; confirm before relying on that interpretation.
 *
 * NOTE(review): every UNICODE_STRING.Buffer and the Enviroment pointer are
 * target-process addresses. Copy them out with ReadProcessMemory bounded by
 * the UNICODE_STRING.Length byte count (not NUL-terminated by contract), and
 * remember the target may have rewritten these fields since it was created -
 * the values are evidence, not a trusted record.
 */
typedef struct
{
ULONG AllocationSize;
ULONG Size;
ULONG Flags;
ULONG Reserved;
LONG Console;
ULONG ProcessGroup;
HANDLE hStdInput;
HANDLE hStdOutput;
HANDLE hStdError;
UNICODE_STRING CurrentDir;
HANDLE CurrentDirectoryHandle;
UNICODE_STRING LoadSearchPath;
UNICODE_STRING ImageName;
UNICODE_STRING CommandLine;           /* the creation-time command line this thread is after */
PWSTR Enviroment;                     /* sic: identifier misspelled in the original; kept for source compatibility */
ULONG dwX;
ULONG dwY;
ULONG dwXSize;
ULONG dwYSize;
ULONG dwXCountChars;
ULONG dwYCountChars;
ULONG dwFillAttributes;
ULONG dwFlags;
ULONG wShowWindow;
UNICODE_STRING WindowTitle;
UNICODE_STRING Desktop;
UNICODE_STRING Reserved1;
UNICODE_STRING Reserved2;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;



/*
 * Fuller 32-bit PEB layout (Mick's version). Members named dNNN / pNNN /
 * adNNN are placeholders whose suffix is the hex offset of the member; the
 * declared member sizes add up to exactly those offsets only with 4-byte
 * pointers and handles, so this is a 32-bit layout and does not apply to a
 * 64-bit target.
 *
 * NOTE(review): PPROCESS_MODULE_INFO, PTEXT_INFO, PPVOID and PRTL_BITMAP are
 * not declared anywhere in this post and must be supplied by the reader;
 * they are all pointers, so a PVOID stand-in preserves the 32-bit layout.
 *
 * NOTE(review): the typedef name PEB is also used by arman2's shorter
 * definition earlier in the thread; compile only one of them.
 *
 * NOTE(review): everything here is written by the target process itself and
 * sits in its address space. BeingDebugged and NtGlobalFlag in particular
 * are plain bytes the target can change, so when read from another process
 * they are a hint for tooling, not a security boundary.
 */
typedef struct
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;                   /* 0x02; presumably the flag IsDebuggerPresent() reports - confirm */
BYTE b003;
DWORD d004;
PVOID SectionBaseAddress;                /* 0x08 */
PPROCESS_MODULE_INFO ProcessModuleInfo;  /* 0x0C; called ListDlls in the shorter PEB above */
PPROCESS_PARAMETERS ProcessParameters;   /* 0x10; target-process address of the parameters block */
DWORD SubSystemData;
HANDLE ProcessHeap;
PCRITICAL_SECTION FastPebLock;
PVOID AcquireFastPebLock;
PVOID ReleaseFastPebLock;
DWORD d028;
PPVOID User32Dispatch;
DWORD d030;
DWORD d034;
DWORD d038;
DWORD TlsBitMapSize;
PRTL_BITMAP TlsBitMap;
DWORD TlsBitMapData [2];
PVOID p04C;
PVOID p050;
PTEXT_INFO TextInfo;
PVOID InitAnsiCodePageData;
PVOID InitOemCodePageData;
PVOID InitUnicodeCaseTableData;
DWORD KeNumberProcessors;
DWORD NtGlobalFlag;                      /* 0x68 */
DWORD d6C;
LARGE_INTEGER MmCriticalSectionTimeout;  /* 0x70; 8-byte aligned as laid out */
DWORD MmHeapSegmentReserve;
DWORD MmHeapSegmentCommit;
DWORD MmHeapDeCommitTotalFreeThreshold;
DWORD MmHeapDeCommitFreeBlockThreshold;
DWORD NumberOfHeaps;
DWORD AvailableHeaps;
PHANDLE ProcessHeapsListBuffer;          /* 0x90 */
DWORD d094;
DWORD d098;
DWORD d09C;
PCRITICAL_SECTION LoaderLock;            /* 0xA0 */
DWORD NtMajorVersion;
DWORD NtMinorVersion;
WORD NtBuildNumber;
WORD CmNtCSDVersion;
DWORD PlatformId;
DWORD Subsystem;
DWORD MajorSubsystemVersion;
DWORD MinorSubsystemVersion;
KAFFINITY AffinityMask;                  /* 0xC0; 4 bytes only on 32-bit */
DWORD ad0C4 [35];
PVOID p150;
DWORD ad154 [32];
HANDLE Win32WindowStation;               /* 0x1D4 */
DWORD d1D8;
DWORD d1DC;
PWORD CSDVersion;                        /* 0x1E0 */
DWORD d1E4;
} PEB,*PPEB;
