harshit

Reputation: 193

Retrieving command line argument of process at driver level

Hello, I am writing a minifilter driver for intercepting all the IRP packets from a certain process, say a.exe.

So, in the driver code it can be done by applying a check on the command line arguments that started the process.

Does anyone know how I can retrieve the command line argument?

Thanks in advance.

Upvotes: 4

Views: 2658

Answers (2)

Xearinox

Reputation: 3234

Try using the NtQueryInformationProcess or ZwQueryInformationProcess function with the PROCESSINFOCLASS parameter as ProcessBasicInformation. The output parameter, ProcessInformation, will be a struct of type PROCESS_BASIC_INFORMATION. As Polynomial mentioned, this struct has a pointer to the process's PEB struct, which contains the information you are looking for in its ProcessParameters field.

Upvotes: 3

Polynomial

Reputation: 28346

There's no supported way to do this from within kernel-mode. In fact, trying to access user-mode process information from the kernel is a pain in general. I would suggest firing up a request to a user-mode service, which can then find that information and pass it back down to your kernel component.

However, there is an undocumented method to do it. If you can get a handle to an EPROCESS struct for the target process, you can get at a pointer to the PEB (process environment block) struct within it, which then has a pointer to an RTL_USER_PROCESS_PARAMETERS structure, which has a member called CommandLine.

Example:

// CommandLine is an embedded UNICODE_STRING (Length in bytes, Buffer not NUL-terminated), so take its address
UNICODE_STRING* commandLine = &epProcess->Peb->ProcessParameters->CommandLine;

The downside to this is that EPROCESS is almost entirely opaque and PEB is semi-opaque too, meaning that it may change in future versions of Windows. I certainly wouldn't advocate trying this in production code.

Upvotes: 4
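Putting the two answers together, as an added example that is not from either poster: the user-mode service Polynomial recommends, reading PEB->ProcessParameters->CommandLine through NtQueryInformationProcess as Xearinox describes, plus the "is this a.exe?" check the question wants to apply. The retrieval half compiles only on Windows and assumes an x64 reader and x64 targets; the matcher is portable and is what the test exercises.

```c
/* Added example (not from the thread): the user-mode half of Polynomial's design. A service
 * is handed a PID by the driver and reads PEB->ProcessParameters->CommandLine as Xearinox describes. */
#include <stdint.h>
#include <string.h>
/* UNICODE_STRING.Length is in BYTES and Buffer is not NUL-terminated: match on an explicit
 * character count (never wcscmp on the raw buffer), accept a quoted argv[0], strip the directory. */
int cmdline_image_matches(const uint16_t *buf, uint16_t length_bytes, const char *image)
{
    size_t n = length_bytes / 2, start, end, i, ilen = strlen(image);
    if (n == 0) return 0;
    start = end = (buf[0] == '"');                        /* skip an opening quote */
    while (end < n && buf[end] != (start ? '"' : ' ')) end++;
    for (i = end; i > start; i--) if (buf[i - 1] == '\\' || buf[i - 1] == '/') break;
    start = i;                                            /* basename of argv[0] now spans [start, end) */
    if (end - start != ilen) return 0;
    for (i = 0; i < ilen; i++) {
        unsigned c = buf[start + i], d = (unsigned char)image[i];
        if (c - 'A' < 26u) c += 32;                       /* ASCII case folding is enough for .exe names */
        if (d - 'A' < 26u) d += 32;
        if (c != d) return 0;
    }
    return 1;
}
/* Test/demo helper: widen an ASCII command line to UTF-16LE and supply the byte Length. */
int cmdline_image_matches_ascii(const char *cmd, const char *image)
{
    uint16_t buf[512]; size_t i, len = strlen(cmd);
    if (len > 512) return 0;
    for (i = 0; i < len; i++) buf[i] = (unsigned char)cmd[i];
    return cmdline_image_matches(buf, (uint16_t)(len * 2), image);
}
#ifdef _WIN32            /* retrieval half, Windows only; x64 reader and x64 targets assumed */
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
/* Copy pid's CommandLine into out; returns its Length in bytes, or -1 on failure. */
int read_remote_cmdline(DWORD pid, uint16_t *out, size_t out_bytes)
{
    PROCESS_BASIC_INFORMATION pbi; PEB peb; RTL_USER_PROCESS_PARAMETERS upp; SIZE_T rd; int len = -1;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid); if (!h) return -1;
    NtQIP_t qip = (NtQIP_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    if (qip && qip(h, ProcessBasicInformation, &pbi, sizeof pbi, NULL) == 0   /* STATUS_SUCCESS */
        && ReadProcessMemory(h, pbi.PebBaseAddress, &peb, sizeof peb, &rd)
        && ReadProcessMemory(h, peb.ProcessParameters, &upp, sizeof upp, &rd)
        && upp.CommandLine.Length <= out_bytes
        && ReadProcessMemory(h, upp.CommandLine.Buffer, out, upp.CommandLine.Length, &rd))
        len = upp.CommandLine.Length;
    CloseHandle(h); return len;
}
#endif
```

The service would call read_remote_cmdline for the PID the driver reports, then cmdline_image_matches on the returned buffer and byte length to decide whether that process is the one to filter.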
