Modifying command line of process

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Hello,

I'm trying to modify the commandline of the current process so that a call to GetCommandLine() will return a modified commandline. I tried changing the commandline information in the PEB of the process but that doesn't affect the result of GetCommandLine. Do you have any suggestions how this can best be done?

Here's what I tried so far:

peb.c

#include "peb.h"

NTFUNC NtDllCall( LPCSTR lpFunc ) {
    return (NTFUNC)GetProcAddress(LoadLibrary("NTDLL"),
        lpFunc);
}

BOOL SetCommandLine( LPTSTR lpCmdLine ) {
    PROCESS_BASIC_INFORMATION pbi;

    NtDllCall("NtQueryInformationProcess")(GetCurrentProcess(),
        ProcessBasicInformation, &pbi, sizeof(pbi), 0);

    /* test */
    pbi.PebBaseAddress->ProcessParameters->CommandLine.Buffer[1] = 'Z';

    NtDllCall("NtSetInformationProcess")(GetCurrentProcess(),
        ProcessBasicInformation, &pbi, sizeof(pbi));

    memset(&pbi, 0, sizeof(pbi));
    NtDllCall("NtQueryInformationProcess")(GetCurrentProcess(),
        ProcessBasicInformation, &pbi, sizeof(pbi), 0);
    printf("%ws\n", pbi.PebBaseAddress->ProcessParameters->CommandLine.Buffer);
    return TRUE;
}

int main(int argc, char *argv[]) {
    SetCommandLine("O:\\TEST.EXE");

    printf("%s\n", GetCommandLine());
    return 0;
}

peb.h
#ifndef _PEB_H_
#define _PEB_H_

#include <Windows.h>
#include <stdio.h>

typedef LPVOID (WINAPI *NTFUNC)();

#define ProcessBasicInformation    0x00

typedef struct _UNICODE_STRING {
    USHORT    Length;
    USHORT    MaximumLength;
    PWSTR    Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    BYTE        Reserved1[8];
    PVOID        Reserved2[3];
    LIST_ENTRY    InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE            Reserved1[16];
    PVOID            Reserved2[10];
    UNICODE_STRING    ImagePathName;
    UNICODE_STRING    CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
/*    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;*/
    PVOID PostProcessInitRoutine;

    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;

typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID    Reserved1;
    PPEB    PebBaseAddress;
    PVOID    Reserved2[2];
    PULONG    UniqueProcessId;
    PVOID    Reserved3;
} PROCESS_BASIC_INFORMATION;

#endif /* _PEB_H_ */

Thanks,
totti1000