Working with _RTL_USER_PROCESS_PARAMETERS


I am working with the PEB. I have managed to get inside _RTL_USER_PROCESS_PARAMETERS. My aim: to know the memory address of argc and argv (and if possible their values too) using only a binary file (.exe file). My current approach: to access the command line string, which resides inside the struct _RTL_USER_PROCESS_PARAMETERS.

I managed to get inside it by embedding asm inside a C program:

    mov eax, fs:[0x30]          ; TEB+0x30 holds the PEB pointer (x86)
    mov [PEBaddress], eax

    mov ebx, [eax+0x10]         ; PEB+0x10 = ProcessParameters
    mov [ProcessParameters], ebx

I got the offsets 0x30 and 0x10 by studying the binary under the Windows debugger.

Now, at offset 0x40 from the ProcessParameters address lies the CommandLine string, which I believe is a buffer, which I further believe is holding the values of argc and argv.

Problem: I want to read that buffer and get the address values of argc and argv (the command line arguments passed to a process). Can anyone make this possible by providing me with code for reading the buffer (as it is a Unicode string) and getting the required address?

Is there any other way of doing this job? (You can suggest that also; don't give me the option of printing the address of argc and argv inside main.) I want static answers.

1 answer

Billy ONeal:

Windows does not pass argc and argv into a program. It passes the full literal command line, as a string. If the program in question is even a C program, then this parsing is done by the C runtime libraries embedded in that program.
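To illustrate that answer (this is an added example, not code from the question or from Billy ONeal): the only thing stored in ProcessParameters->CommandLine is one string, and argc/argv are computed from it by the CRT. The portable function below re-implements the Microsoft CRT quoting rules (function name and the "" shorthand omission are my own choices); the MSVC-only main() does the same PEB walk as the question but through the winternl.h declarations rather than raw offsets.

```c
#include <stddef.h>
#include <string.h>

/* Split one raw command line into argv[] the way the Microsoft CRT does:
 * whitespace separates arguments, "..." groups them, and a run of backslashes
 * is special only when it precedes a double quote (2n -> n, 2n+1 -> n + a
 * literal quote). Simplification: the "" shorthand inside quotes is ignored.
 * Arguments are copied into buf (needs strlen(cmd)+1 bytes); returns argc,
 * or -1 if buf is too small. */
int split_cmdline(const char *cmd, char *buf, size_t buflen, char **argv, int maxargs)
{
    int argc = 0, inquote;
    size_t o = 0, nbs, i;
    const char *p = cmd;

    if (buflen < strlen(cmd) + 1) return -1;    /* output never exceeds input */
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || argc >= maxargs) break;
        argv[argc++] = buf + o;
        inquote = 0;
        while (*p && (inquote || (*p != ' ' && *p != '\t'))) {
            if (*p == '\\') {
                for (nbs = 0; *p == '\\'; p++) nbs++;
                if (*p == '"') {                         /* backslashes before a quote */
                    for (i = 0; i < nbs / 2; i++) buf[o++] = '\\';
                    if (nbs % 2) { buf[o++] = '"'; p++; } /* odd count: literal quote */
                } else {
                    for (i = 0; i < nbs; i++) buf[o++] = '\\'; /* plain backslashes */
                }
            } else if (*p == '"') {
                inquote = !inquote; p++;                 /* grouping quote, dropped */
            } else {
                buf[o++] = *p++;
            }
        }
        buf[o++] = '\0';
    }
    return argc;
}

#ifdef _MSC_VER   /* Windows only: TEB -> PEB -> ProcessParameters -> CommandLine */
#include <windows.h>
#include <winternl.h>
#include <intrin.h>
#include <stdio.h>
int main(void)
{
#ifdef _WIN64
    PPEB peb = (PPEB)__readgsqword(0x60);   /* TEB->ProcessEnvironmentBlock, x64 */
#else
    PPEB peb = (PPEB)__readfsdword(0x30);   /* TEB->ProcessEnvironmentBlock, x86 */
#endif
    UNICODE_STRING *cl = &peb->ProcessParameters->CommandLine;
    wprintf(L"CommandLine buffer at %p: %.*ls\n", (void *)cl->Buffer,
            (int)(cl->Length / sizeof(WCHAR)), cl->Buffer);
    return 0;
}
#endif
```

The address printed is that of the raw string; there is no argc or argv anywhere in the structure, only whatever the CRT later builds from it.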