Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Hello I am writing a minifilter driver for intercepting all the irp packets from a certain process say a.exe .
So , in the driver code it can be done by applying a check on the command line arguments that started the process.
Does anyone know how can i retrieve the command line argument ??
Thanks in advance .
There’s no supported way to do this from within kernel-mode. In fact, trying to access user-mode process information from the kernel is a pain in general. I would suggest firing up a request to a user-mode service, which can then find that information and pass it back down to your kernel component.
However, there an undocumented method to do it. If you can get a handle to an
EPROCESSstruct for the target process, you can get at a pointer to thePEB(process environment block) struct within it, which then has a pointer to anRTL_USER_PROCESS_PARAMETERSstructure, which has a member calledCommandLine.Example:
The downside to this is that
EPROCESSis almost entirely opaque andPEBis semi-opaque too, meaning that it may change in future versions of Windows. I certainly wouldn’t advocate trying this in production code.