Neo Mosaid

Reputation: 419

running process command line

I am trying to get the command line of running processes in Windows using the code below, but I only get the command line of IDman.exe, like this:

But I know there are many other processes with command lines.

Any idea what's wrong with my code?

#include <windows.h>
#include <winternl.h>
#include <iostream>
#include <cstdlib>

// NtQueryInformationProcess is exported by ntdll.dll and resolved at run time
typedef NTSTATUS (NTAPI *_NtQueryInformationProcess)(HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation,
    ULONG ProcessInformationLength, PULONG ReturnLength);

PVOID GetPebAddress(HANDLE ProcessHandle)
{
    _NtQueryInformationProcess NtQueryInformationProcess =
             (_NtQueryInformationProcess)GetProcAddress(
             GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    PROCESS_BASIC_INFORMATION pbi;

    // ProcessBasicInformation (class 0) fills in the target's PebBaseAddress
    NtQueryInformationProcess(ProcessHandle, ProcessBasicInformation,
                              &pbi, sizeof(pbi), NULL);

    return pbi.PebBaseAddress;
}

void get_process_cmd_line(DWORD pID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
                                  PROCESS_VM_READ |
                                  PROCESS_TERMINATE,
                                  FALSE, pID);

    // Copy the target's PEB into this process
    PPEB ppeb = (PPEB)GetPebAddress(hProcess);
    PPEB ppebCopy = (PPEB)malloc(sizeof(PEB));
    BOOL result = ReadProcessMemory(hProcess, ppeb, ppebCopy, sizeof(PEB), NULL);
    if (!result) { std::cout << "Er. address"; return; }

    // Then its RTL_USER_PROCESS_PARAMETERS, which holds the CommandLine string
    PRTL_USER_PROCESS_PARAMETERS pRtlProcParam = ppebCopy->ProcessParameters;
    PRTL_USER_PROCESS_PARAMETERS pRtlProcParamCopy =
        (PRTL_USER_PROCESS_PARAMETERS)malloc(sizeof(RTL_USER_PROCESS_PARAMETERS));
    result = ReadProcessMemory(hProcess, pRtlProcParam, pRtlProcParamCopy,
                               sizeof(RTL_USER_PROCESS_PARAMETERS), NULL);
    if (!result) { std::cout << "Er. "; return; }

    // CommandLine.Length is in bytes and does not include the terminating NUL,
    // so allocate one extra WCHAR and terminate the copy before printing it
    PWSTR wBuffer = pRtlProcParamCopy->CommandLine.Buffer;
    USHORT len = pRtlProcParamCopy->CommandLine.Length;
    PWSTR wBufferCopy = (PWSTR)malloc(len + sizeof(WCHAR));
    result = ReadProcessMemory(hProcess, wBuffer, wBufferCopy, len, NULL);
    if (!result) { std::cout << "Er. cmdLine"; return; }
    wBufferCopy[len / sizeof(WCHAR)] = L'\0';
    std::wcout << wBufferCopy;

    free(wBufferCopy);
    free(pRtlProcParamCopy);
    free(ppebCopy);
    CloseHandle(hProcess);
}

Upvotes: 0

Views: 1548

Answers (2)

Ajay

Reputation: 18451

It is unclear what you want to achieve, and why this way. Why can't you use GetCommandLine instead?

Whatever the motive and approach, I suggest you do thorough checking for failure with each function call (starting from OpenProcess). Read the documentation on what a particular function returns on failure or success. Always use GetLastError to determine the exact reason (or any other relevant function mentioned in MSDN).

Are you running, or willing to run, your program as a service? If not, why can't you do step-by-step debugging?

Upvotes: 2

rioki

Reputation: 6128

Your current process probably does not have enough rights to read other processes' memory. Try running the process as administrator.

The code itself looks basically OK.

Upvotes: 0
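Both answers point at the same two gaps: the question's code never checks OpenProcess (or any other call), and it runs without the privilege needed to open other users' processes. What follows is an added example written for this page, not code from the question or from either answer. It does the same PEB walk (NtQueryInformationProcess, then ReadProcessMemory of the PEB, of RTL_USER_PROCESS_PARAMETERS and of the CommandLine buffer) but checks every call and reports GetLastError or the NTSTATUS per PID, drops PROCESS_TERMINATE from the access mask, enables SeDebugPrivilege when the token holds it, refuses the 32-bit-reader/64-bit-target combination, NUL-terminates the command line (UNICODE_STRING.Length is a byte count without the terminator, so a malloc(len) buffer printed with wcout reads past its end), and closes the handle. The helper names CommandLineFromBytes, EnableDebugPrivilege and ReadCommandLine are my own; the Win32 part is guarded by _WIN32 so the portable byte-to-string helper compiles and can be tested on any platform. The full program assumes a 64-bit build on 64-bit Windows, run elevated.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// UNICODE_STRING.Length is a byte count and excludes the terminating NUL, so
// printing a buffer of exactly Length bytes, as the question's code does,
// reads past its end. This helper turns the raw bytes read from the target
// into a NUL-terminated UTF-16 string, keeping only whole code units and
// never trusting Length beyond what was actually read. Portable, no Win32.
std::u16string CommandLineFromBytes(const std::vector<uint8_t>& bytes, uint16_t lengthBytes)
{
    size_t units = std::min<size_t>(lengthBytes, bytes.size()) / sizeof(char16_t);
    std::u16string s(units, u'\0');   // std::u16string keeps a NUL after the last unit
    if (units) std::memcpy(&s[0], bytes.data(), units * sizeof(char16_t));
    return s;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#include <iostream>
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

// Enable SeDebugPrivilege when the token holds it (elevated administrator).
// Without it OpenProcess fails with ERROR_ACCESS_DENIED (5) on other users'
// and SYSTEM processes, which is why only the caller's own processes answer.
bool EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return false;
    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // AdjustTokenPrivileges returns TRUE even when nothing was assigned;
    // GetLastError() == ERROR_NOT_ALL_ASSIGNED is the real verdict.
    bool ok = LookupPrivilegeValueW(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)
           && AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
           && GetLastError() == ERROR_SUCCESS;
    CloseHandle(hToken);
    return ok;
}

// Read one process's command line. On failure 'error' names the call that
// failed and its GetLastError()/NTSTATUS so every PID is diagnosable.
bool ReadCommandLine(DWORD pid, std::u16string& cmdLine, std::wstring& error)
{
    static NtQueryInformationProcess_t NtQIP = (NtQueryInformationProcess_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    if (!NtQIP) { error = L"NtQueryInformationProcess not found"; return false; }
    // PROCESS_TERMINATE is not needed to read memory; requesting it makes
    // OpenProcess fail for every process the caller is not allowed to kill.
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) { error = L"OpenProcess error " + std::to_wstring(GetLastError()); return false; }
    bool ok = false;
    BOOL selfWow64 = FALSE, targetWow64 = FALSE;
    PROCESS_BASIC_INFORMATION pbi = {};
    PEB peb = {};
    RTL_USER_PROCESS_PARAMETERS params = {};
    do {
        // A 32-bit (WOW64) reader sees the wrong PEB layout for a native
        // 64-bit target; the reader must then be rebuilt as 64-bit.
        IsWow64Process(GetCurrentProcess(), &selfWow64);
        IsWow64Process(h, &targetWow64);
        if (selfWow64 && !targetWow64) { error = L"64-bit target, rebuild this reader as 64-bit"; break; }
        NTSTATUS st = NtQIP(h, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
        if (st < 0 || !pbi.PebBaseAddress) { error = L"NtQueryInformationProcess NTSTATUS " + std::to_wstring((unsigned long)st); break; }
        if (!ReadProcessMemory(h, pbi.PebBaseAddress, &peb, sizeof(peb), NULL)) { error = L"ReadProcessMemory(PEB) error " + std::to_wstring(GetLastError()); break; }
        if (!ReadProcessMemory(h, peb.ProcessParameters, &params, sizeof(params), NULL)) { error = L"ReadProcessMemory(ProcessParameters) error " + std::to_wstring(GetLastError()); break; }
        std::vector<uint8_t> raw(params.CommandLine.Length);
        if (!raw.empty() && !ReadProcessMemory(h, params.CommandLine.Buffer, raw.data(), raw.size(), NULL)) { error = L"ReadProcessMemory(CommandLine) error " + std::to_wstring(GetLastError()); break; }
        cmdLine = CommandLineFromBytes(raw, params.CommandLine.Length);
        ok = true;
    } while (false);
    CloseHandle(h);   // the question's code never closed the handle or freed its copies
    return ok;
}

int main()
{
    if (!EnableDebugPrivilege())
        std::wcout << L"SeDebugPrivilege not enabled (run elevated); other users' processes will be denied\n";
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 1;
    PROCESSENTRY32W pe = { sizeof(pe) };
    for (BOOL more = Process32FirstW(snap, &pe); more; more = Process32NextW(snap, &pe)) {
        std::u16string cmd; std::wstring err;
        std::wcout << pe.th32ProcessID << L" " << pe.szExeFile << L": ";
        if (ReadCommandLine(pe.th32ProcessID, cmd, err))
            std::wcout << reinterpret_cast<const wchar_t*>(cmd.c_str()) << L"\n";
        else
            std::wcout << err << L"\n";
    }
    CloseHandle(snap);
    return 0;
}
#endif
```

Even with SeDebugPrivilege enabled, protected processes (PPL) refuse PROCESS_VM_READ, so a few "OpenProcess error 5" lines are normal on a current system; the difference from the question's version is that each line now says which call failed and why, instead of collapsing every failure into a bare "Er.".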
