Sysinternals Forum

Retrieving command line and hooking from kernel

Diablo (Senior Member, joined 16 July 2008, Western Sahara, 251 posts)
Posted: 02 August 2008 at 10:15am
Originally posted by PROROOTECT:
    KX-Ray, ESET SysInspector, Process Explorer?

BS



Hi Murugan,

For your task it is required to obtain the process command line from the PEB. This can be done by a combination of KeStackAttachProcess, KeStackDettachProcess and reading the PEB->RTL_PROCESS_PARAMETERS block values.

For your second task, code injection with the help of an APC is required (search through this forum for a workable solution; I don't remember where I posted it before).

Originally posted by nanothyll:
    Theoretically, it's impossible.
    Theoretically, it's possible.

I've no idea what this means.

1==1 because 1 != 1


Edited by Diablo - 02 August 2008 at 10:18am
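As an added example (not Diablo's code, nor anything posted in this thread), here is the PEB walk his first paragraph describes, in C. The offsets assume 64-bit Windows (PEB.ProcessParameters at 0x20, RTL_USER_PROCESS_PARAMETERS.CommandLine at 0x70); the kernel reader uses the documented pair KeStackAttachProcess/KeUnstackDetachProcess plus ProbeForRead under SEH, and is compiled only under the WDK (the `_KERNEL_MODE` macro is assumed to be set by the driver build). Because the PEB is user-mode memory that the target process can rewrite at will, the parser treats every pointer and length it reads as untrusted, and is split from the memory reader so it can be exercised here against a constructed PEB image (`fake_space`, `fake_read` and `demo_read` are test scaffolding, not Windows APIs). PsGetProcessPeb is exported by ntoskrnl but undocumented.

```c
/* Added example (not code from the thread): reading a process command line
 * from its PEB. Offsets assume x64 Windows. The PEB is user-mode memory the
 * target controls, so every pointer and length read from it is untrusted. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Memory reader: copy len bytes from virtual address va; return 1 on success. */
typedef int (*read_fn)(void *ctx, uint64_t va, void *out, size_t len);

#define PEB_PROCESSPARAMETERS_OFF 0x20u   /* PEB.ProcessParameters (x64) */
#define RTLPP_COMMANDLINE_OFF     0x70u   /* RTL_USER_PROCESS_PARAMETERS.CommandLine (x64) */
#define MAX_CMDLINE_BYTES         0x7FFEu /* largest even USHORT Length accepted */

/* 64-bit UNICODE_STRING: Length and MaximumLength are byte counts. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint32_t Pad; uint64_t Buffer; } UNICODE_STRING64;

/* Copies the command line as NUL-terminated UTF-16 into out[].
 * Returns the number of UTF-16 code units, or -1 if anything is inconsistent. */
int peb_read_command_line(read_fn rd, void *ctx, uint64_t peb_va,
                          uint16_t *out, size_t out_units)
{
    uint64_t params_va = 0;
    UNICODE_STRING64 cl;
    size_t units;

    if (!rd(ctx, peb_va + PEB_PROCESSPARAMETERS_OFF, &params_va, sizeof params_va) || !params_va)
        return -1;
    if (!rd(ctx, params_va + RTLPP_COMMANDLINE_OFF, &cl, sizeof cl))
        return -1;
    /* Length must be even, no larger than MaximumLength, and must fit out[]. */
    if (!cl.Buffer || (cl.Length & 1) || cl.Length > cl.MaximumLength || cl.Length > MAX_CMDLINE_BYTES)
        return -1;
    units = cl.Length / 2;
    if (units + 1 > out_units)
        return -1;
    if (units && !rd(ctx, cl.Buffer, out, cl.Length))
        return -1;
    out[units] = 0;
    return (int)units;
}

#ifdef _KERNEL_MODE
#include <ntddk.h>
/* Kernel reader: attach to the target address space, probe, copy under SEH.
 * Call at PASSIVE_LEVEL holding a reference on proc; pass PsGetProcessPeb(proc)
 * (exported by ntoskrnl, undocumented) as peb_va. */
static int kernel_read(void *ctx, uint64_t va, void *out, size_t len)
{
    KAPC_STATE apc;
    int ok = 0;
    KeStackAttachProcess((PEPROCESS)ctx, &apc);
    __try {
        ProbeForRead((PVOID)(ULONG_PTR)va, len, 1);
        RtlCopyMemory(out, (PVOID)(ULONG_PTR)va, len);
        ok = 1;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        ok = 0;
    }
    KeUnstackDetachProcess(&apc);
    return ok;
}
#endif

/* Test scaffolding (not a Windows API): [base, base+size) maps onto img[]. */
typedef struct { uint8_t *img; size_t size; uint64_t base; } fake_space;

static int fake_read(void *ctx, uint64_t va, void *out, size_t len)
{
    fake_space *s = (fake_space *)ctx;
    if (va < s->base || va - s->base >= s->size || len > s->size - (va - s->base))
        return 0;
    memcpy(out, s->img + (va - s->base), len);
    return 1;
}

/* Builds a constructed x64 PEB image at 0x1000 holding cmd and walks it. With
 * tamper set, the UNICODE_STRING claims Length > MaximumLength, the kind of
 * inconsistency a hostile process can plant; the walk must reject it. */
int demo_read(const char *cmd, int tamper, uint16_t *out, size_t out_units)
{
    uint8_t img[0x400] = {0};
    fake_space s = { img, sizeof img, 0x1000 };
    uint64_t params_va = 0x1100, buf_va = 0x1180;
    UNICODE_STRING64 cl;
    size_t n = strlen(cmd), i;

    memcpy(img + PEB_PROCESSPARAMETERS_OFF, &params_va, sizeof params_va);
    cl.Length = (uint16_t)(2 * n);
    cl.MaximumLength = (uint16_t)(tamper ? cl.Length - 2 : cl.Length + 2);
    cl.Pad = 0;
    cl.Buffer = buf_va;
    memcpy(img + 0x100 + RTLPP_COMMANDLINE_OFF, &cl, sizeof cl);
    for (i = 0; i < n; i++)               /* ASCII -> UTF-16LE */
        img[0x180 + 2 * i] = (uint8_t)cmd[i];
    return peb_read_command_line(fake_read, &s, s.base, out, out_units);
}
```

Two caveats a practitioner should keep in mind: on 32-bit Windows the offsets differ (PEB.ProcessParameters at 0x10, CommandLine at 0x40), and a WoW64 process has a second, 32-bit PEB as well. More importantly, the string lives in memory the process owns, so a process can overwrite its own command line after start-up; a driver, like Process Explorer, only ever sees what the PEB currently says, which is why the walk above refuses anything inconsistent rather than trusting it.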
nanothyll (Newbie, joined 12 May 2008, China, 28 posts)
Posted: 12 June 2008 at 10:33am
Yes, I suggest you use user-mode code.

What you want:

Theoretically, it's impossible.
Theoretically, it's possible.

It means that: yes, you could implement it, but it's very hard and you should use more difficult tricks!

Walking in the rain, no one knows I am crying.
ring0 (Newbie, joined 09 June 2008, India, 18 posts)
Posted: 11 June 2008 at 9:09am
Both requirements can be achieved using a userland hook.
Go through Advanced Windows Programming by Jeffrey Richter.
 
Cheers
- Ring0
Murugan (Newbie, joined 11 June 2008, Singapore, 13 posts)
Posted: 11 June 2008 at 7:44am
I need samples to achieve both.

Thanks in advance.
PROROOTECT (Senior Member, joined 06 April 2008, Fort Lee, NJ, 559 posts)
Posted: 11 June 2008 at 7:30am
KX-Ray, ESET SysInspector, Process Explorer? [thumbs up]
Murugan (Newbie, joined 11 June 2008, Singapore, 13 posts)
Posted: 11 June 2008 at 7:12am
Can anyone help with how I can do the following:

1. retrieving the command line of a process
2. hooking a DLL into that process

My application is an SSDT-based hook driver.

Thanks in advance.


