
Find command line of program with PEB?

Developer https://www.devze.com 2023-01-25 07:01 Source: Internet

I need to find the command line of a program with the PEB.

I use FS:[0x30] to find the PEB:

    #include <windows.h>
    #include <winternl.h>   /* UNICODE_STRING */
    #include <intrin.h>     /* __readfsdword */
    #include <stdio.h>
    #include <stdlib.h>

    int wmain(int argc, WCHAR *argv[])
    {
        PVOID pebAddress = (void *)__readfsdword(0x30); /* get the PEB address (x86: FS:[0x30]) */
        PVOID rtlUserProcParamsAddress;

        /* PEB + 0x10 is ProcessParameters on 32-bit Windows */
        ReadProcessMemory(GetCurrentProcess(), (PCHAR)pebAddress + 0x10,
            &rtlUserProcParamsAddress, /* we'll just read directly into our variable */
            sizeof(PVOID),
            NULL);

        UNICODE_STRING commandLine;

        /* RTL_USER_PROCESS_PARAMETERS + 0x40 is CommandLine on 32-bit Windows */
        ReadProcessMemory(GetCurrentProcess(), (PCHAR)rtlUserProcParamsAddress + 0x40,
            &commandLine, sizeof(commandLine), NULL);

        WCHAR *commandLineContents;

        /* Length is in bytes, and the buffer is not guaranteed to be NUL-terminated */
        commandLineContents = (WCHAR *)malloc(commandLine.Length);

        ReadProcessMemory(GetCurrentProcess(), commandLine.Buffer,
            commandLineContents, commandLine.Length, NULL);

        /* %.*S takes a character count, so Length / 2 converts bytes to WCHARs */
        printf("%.*S\n", commandLine.Length / 2, commandLineContents);

        free(commandLineContents);
        return 0;
    }

but it does not work. I need to use only the PEB, not GetCommandLine(void);


Works fine for me on Windows 7 with VC2010. printf might be defined as wprintf which treats %S as ANSI string. It's a long shot as that would also cause it to complain about the format string being non-Unicode. Try outputting the string using MessageBoxW to be sure you're treating everything as Unicode.

BTW, you don't need to use ReadProcessMemory when you're reading from your own process.


Why would you need to use the PEB? Have you looked at the contents of argv at all?

And what's the (to me) scary-looking commandLine.Length / 2 for in your code...?

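The two answers above raise the same two points: the process can read its own PEB directly (no ReadProcessMemory), and UNICODE_STRING.Length counts bytes, not characters, which is why the Length / 2 appears. The following is an added example, not code from the question or either answer, that walks the PEB through the documented winternl.h structures (correct on x86 and x64, no hard-coded offsets) and then copies the UNICODE_STRING out safely. The names ustr_dup, ustr_to_ascii, ascii_to_utf16 and peb_command_line are mine; outside Windows the block substitutes a constructed mirror of the UNICODE_STRING layout and a constructed command line so the string-handling part still builds and runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* documented PEB, RTL_USER_PROCESS_PARAMETERS, UNICODE_STRING */
typedef WCHAR WChar;
typedef UNICODE_STRING UStr;
#else
/* Constructed mirror of the Windows UNICODE_STRING layout for non-Windows builds:
 * Length and MaximumLength are in BYTES, the buffer is UTF-16 and is not
 * guaranteed to be NUL-terminated. */
typedef uint16_t WChar;
typedef struct { uint16_t Length; uint16_t MaximumLength; WChar *Buffer; } UStr;
#endif

/* Copy a UNICODE_STRING into a fresh, NUL-terminated buffer. Returns NULL for a
 * corrupt descriptor (odd Length, Length > MaximumLength, NULL buffer) or on OOM.
 * *out_chars receives the character count, i.e. Length / sizeof(WChar). */
WChar *ustr_dup(const UStr *s, size_t *out_chars)
{
    if (s == NULL || s->Buffer == NULL) return NULL;
    if (s->Length % sizeof(WChar) != 0 || s->Length > s->MaximumLength) return NULL;
    size_t chars = s->Length / sizeof(WChar);   /* bytes -> UTF-16 code units */
    WChar *copy = (WChar *)malloc((chars + 1) * sizeof(WChar));
    if (copy == NULL) return NULL;
    memcpy(copy, s->Buffer, s->Length);         /* copy exactly Length bytes */
    copy[chars] = 0;                            /* terminate it ourselves */
    if (out_chars) *out_chars = chars;
    return copy;
}

/* Narrow a UNICODE_STRING to ASCII for logging; code units outside ASCII become
 * '?'. Returns the characters written (excluding the NUL), or 0 if the
 * destination is too small or the descriptor is invalid. */
size_t ustr_to_ascii(const UStr *s, char *dst, size_t dst_size)
{
    if (s == NULL || s->Buffer == NULL || dst_size == 0) return 0;
    size_t chars = s->Length / sizeof(WChar);
    if (chars + 1 > dst_size) { dst[0] = 0; return 0; }
    for (size_t i = 0; i < chars; i++)
        dst[i] = (s->Buffer[i] < 0x80) ? (char)s->Buffer[i] : '?';
    dst[chars] = 0;
    return chars;
}

/* Widen an ASCII literal into a UTF-16 buffer WITHOUT a terminator, the way a
 * UNICODE_STRING buffer may legitimately be stored. Returns units written. */
size_t ascii_to_utf16(const char *src, WChar *dst, size_t cap)
{
    size_t n = 0;
    while (src[n] != 0 && n < cap) { dst[n] = (WChar)(unsigned char)src[n]; n++; }
    return n;
}

#ifdef _WIN32
/* The PEB walk itself: TEB -> PEB -> ProcessParameters -> CommandLine, using the
 * winternl.h field names instead of the x86-only offsets 0x10 and 0x40. */
const UStr *peb_command_line(void)
{
    PEB *peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return &peb->ProcessParameters->CommandLine;
}
#endif

int main(void)
{
    char ascii[512];
#ifdef _WIN32
    const UStr *cmd = peb_command_line();
#else
    /* Constructed sample: stale bytes sit past Length to show why Length, not a
     * NUL search, decides where the command line ends. */
    WChar raw[64];
    size_t n = ascii_to_utf16("sample.exe --flag valueSTALEDATA", raw, 64);
    UStr sample = { (uint16_t)(23 * sizeof(WChar)), (uint16_t)(n * sizeof(WChar)), raw };
    const UStr *cmd = &sample;
#endif
    size_t chars = 0;
    WChar *copy = ustr_dup(cmd, &chars);
    if (copy == NULL) { fputs("invalid UNICODE_STRING\n", stderr); return 1; }
    ustr_to_ascii(cmd, ascii, sizeof ascii);
    printf("command line (%zu chars): %s\n", chars, ascii);
    free(copy);
    return 0;
}
```

On Windows, build as either 32-bit or 64-bit; because the walk goes through the winternl.h structures, no offset changes are needed between the two. Off Windows the program prints the constructed 23-character command line and stops before the stale "STALEDATA" bytes, which is exactly what the Length field is for.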
