user385261

Reputation: 4169

How do I find commandline/parameter of an unknown exe via debugger tools?

Suppose I have a compiled exe, and I want to find the parameters or command line arguments of the exe. How do I do it using a debugger? I think this topic falls into the category of reverse engineering, but I can't seem to find a guide on how to achieve this trick.

The closest that I could get is to use a debugger on the exe, and set breakpoints on CreateProcess. However, how do I find the CreateProcess function inside the debugger?

Upvotes: 1

Views: 2215

Answers (2)

asm_ftw

Reputation: 26

Run the exe with some command line parameter, like "target.exe -whateverabc". Then when your debugger loads the exe, search the memory for -whateverabc and set a read breakpoint on that memory location and possible duplicates. Hopefully when the breakpoint triggers you'll be inside the function that checks the command line parameters in that exe.

To set a breakpoint on CreateProcess you can type "bpx CreateProcess" in some debuggers. Or write a small app that uses LoadLibrary on kernel32.dll or w/e dll that contains your function and then GetProcAddress w/ the name of the function to get its address. Then you set a breakpoint on execution on that address.

Upvotes: 1

Igor Skochinsky

Reputation: 25318

Some debuggers allow you to call an arbitrary function in the context of debuggee, so if yours supports that, you can call the GetCommandLine() function.

Another option is to go via semi-documented TEB and PEB structures. You would need to go to fs:30h (PEB), then ProcessParameters, and examine the CommandLine field there.

Upvotes: 1
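The PEB walk described in the answer above, as an added example that is not part of the original answers: it follows PEB -> ProcessParameters -> CommandLine over a memory snapshot, the way a debugger script would with its read-memory primitive. The offsets assume a 32-bit process (a 64-bit process uses 0x20 and 0x70), and the `Snapshot` class, the addresses and the sample command line are constructed for illustration.

```python
import struct

# Offsets for a 32-bit process (assumption: x86 layout; x64 uses 0x20 and 0x70).
PEB_PROCESS_PARAMETERS = 0x10   # PEB.ProcessParameters
PARAMS_COMMAND_LINE = 0x40      # RTL_USER_PROCESS_PARAMETERS.CommandLine


class Snapshot:
    """Constructed stand-in for a debugger's read-memory primitive."""

    def __init__(self, regions):
        self.regions = regions  # {base_address: bytes}

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x}")


def read_unicode_string(mem, addr):
    # UNICODE_STRING: USHORT Length (bytes), USHORT MaximumLength, PWSTR Buffer.
    length, max_length, buffer = struct.unpack("<HHI", mem.read(addr, 8))
    if length > max_length or length % 2:
        raise ValueError("corrupt UNICODE_STRING")
    # Length is authoritative; the buffer need not be NUL-terminated.
    return mem.read(buffer, length).decode("utf-16-le")


def command_line_from_peb(mem, peb_addr):
    (params,) = struct.unpack("<I", mem.read(peb_addr + PEB_PROCESS_PARAMETERS, 4))
    return read_unicode_string(mem, params + PARAMS_COMMAND_LINE)


def build_sample():
    # Constructed sample image: addresses and the command line are made up.
    peb, params, buf = 0x7FFDE000, 0x00020000, 0x00020500
    text = '"C:\\tools\\target.exe" -whateverabc'.encode("utf-16-le")
    peb_bytes = bytearray(0x100)
    struct.pack_into("<I", peb_bytes, PEB_PROCESS_PARAMETERS, params)
    param_bytes = bytearray(0x100)
    struct.pack_into("<HHI", param_bytes, PARAMS_COMMAND_LINE,
                     len(text), len(text) + 2, buf)
    return Snapshot({peb: bytes(peb_bytes), params: bytes(param_bytes),
                     buf: text + b"\x00\x00"}), peb
```

`command_line_from_peb(*build_sample())` returns the sample command line. Because CommandLine is a UNICODE_STRING, the text at that address is UTF-16LE, so a memory search for a marker argument should try that encoding as well as ASCII.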
