
Thread: MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Oct 2008

    MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong

    I was using NtQueryProcessInformation to get the PEB of a process, and then using its pointer to the RTL_USER_PROCESS_PARAMETERS to find the command line of the process. But I discovered something: the MSDN description of the RTL_USER_PROCESS_PARAMETERS structure is wrong. It indicates you need to skip the first 16 bytes, and then the next 10 dwords (56 bytes total), to get to the strings in question. There are two things wrong with this, though. First, you actually need to skip 60 bytes (16 bytes, and then 11 dwords) in order to get to the info you want. But unlike the description on MSDN, you actually don't get to those values directly in the structure. Instead, you get to a pointer. And it isn't two pointers (one for each string). Instead there's one pointer that points to the first string, and then there's a null character separator between the two strings (and a null character as the terminator after the second string).

  2. #2

    Thread Starter
    Frenzied Member
    Join Date
    Oct 2008

    Re: MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong

    Actually, it appears I misunderstood what UNICODE_STRING was. It's not literally a Unicode string; it's a struct that includes info about the string, including its size and a pointer to the string. Given that, it seems that the MSDN description of the RTL_USER_PROCESS_PARAMETERS structure may actually be correct.

  3. #3
    Join Date
    Jul 2010

    Re: MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong

    Old thread, but since there's relevant info missing... MSDN's description is incorrect in that, despite the full structure having been known forever, they still refuse to properly document it. Same for the PEB... Here are the full definitions for Vista (they can't be used on earlier versions without removing the new members):

    Private Type UNICODE_STRING
        Length As Integer           'byte count of the text (not characters); no terminator implied
        MaximumLength As Integer    'byte size of the buffer
        Buffer As LongPtr           'pointer in the *target* process; read it with ReadProcessMemory, never dereference it
    End Type
    Private Type LARGE_INTEGER
        LowPart As Long
        HighPart As Long
    End Type
    Private Type RTL_DRIVE_LETTER_CURDIR
        Flags As Integer
        Length As Integer
        TimeStamp As Long
        DosPath As UNICODE_STRING
    End Type
    Private Type CURDIR
        DosPath As UNICODE_STRING
        Handle As LongPtr
    End Type
    Private Type LIST_ENTRY
        Flink As LongPtr
        Blink As LongPtr
    End Type
    Private Type RTL_USER_PROCESS_PARAMETERS
        MaximumLength As Long
        Length As Long
        Flags As Long
        DebugFlags As Long
        ConsoleHandle As LongPtr
        ConsoleFlags As Long
        StdInputHandle As LongPtr
        StdOutputHandle As LongPtr
        StdErrorHandle As LongPtr
        CurrentDirectory As CURDIR
        DllPath As UNICODE_STRING
        ImagePathName As UNICODE_STRING
        CommandLine As UNICODE_STRING
        Environment As LongPtr
        StartingPositionLeft As Long
        StartingPositionTop As Long
        Width As Long
        Height As Long
        CharWidth As Long
        CharHeight As Long
        ConsoleTextAttributes As Long
        WindowFlags As Long
        ShowWindowFlags As Long
        WindowTitle As UNICODE_STRING
        DesktopName As UNICODE_STRING
        ShellInfo As UNICODE_STRING
        RuntimeData As UNICODE_STRING
        DLCurrentDirectory(31) As RTL_DRIVE_LETTER_CURDIR  'CurrentDirectories[32], one per drive letter
        EnvironmentSize As LongPtr  'SIZE_T, so pointer-sized: LongPtr, not LongLong (which only exists in 64-bit VBA)
        'Windows Vista stops here, so we will as well as that's our compatibility target.
    End Type
    Private Type PEB
        InheritedAddressSpace As Byte
        ReadImageFileExecOptions As Byte
        BeingDebugged As Byte
        BitField As Byte
        Mutant As LongPtr
        ImageBaseAddress As LongPtr
        Ldr As LongPtr
        ProcessParameters As LongPtr 'RTL_USER_PROCESS_PARAMETERS, what we're primarily interested in.
        SubSystemData As LongPtr
        ProcessHeap As LongPtr
        FastPebLock As LongPtr
        AtlThunkSListPtr As LongPtr
        IFEOKey As LongPtr
        CrossProcessFlags As Long
        CBTableOrInfoPtr As LongPtr
        SystemReserved(0) As Long
        AtlThunkSListPtr32 As Long
        ApiSetMap As LongPtr
        TlsExpansionCounter As Long
        TlsBitmap As LongPtr
        TlsBitmaps(1) As Long
        ReadOnlySharedMemoryBase As LongPtr
        HotpatchInformation As LongPtr
        ReadOnlyStaticServerData As LongPtr
        AnsiCodePageData As LongPtr
        OemCodePageData As LongPtr
        UnicodeCaseTableData As LongPtr
        NumberOfProcessors As Long
        NtGlobalFlag As Long
        CriticalSectionTimeout As LARGE_INTEGER
        HeapSegmentReserve As LongPtr  'these four are SIZE_T: 4 bytes in a 32-bit PEB, 8 in a 64-bit one
        HeapSegmentCommit As LongPtr
        HeapDeCommitTotalFreeThreshold As LongPtr
        HeapDeCommitFreeBlockThreshold As LongPtr
        NumberOfHeaps As Long
        MaximumNumberOfHeaps As Long
        ProcessHeaps As LongPtr
        GdiSharedHandleTable As LongPtr
        ProcessStarterHelper As LongPtr
        GdiDCAttributeList As Long
        LoaderLock As LongPtr
        OSMajorVersion As Long
        OSMinorVersion As Long
        OSBuildNumber As Integer
        OSCSDVersion As Integer
        OSPlatformId As Long
        ImageSubsystem As Long
        ImageSubsystemMajorVersion As Long
        ImageSubsystemMinorVersion As Long
        ImageProcessAffinityMask As LongPtr  'KAFFINITY is pointer-sized
        GdiHandleBuffer(59) As Long  '60 entries in the 64-bit PEB; the 32-bit PEB has only 34
        PostProcessInitRoutine As LongPtr
        TlsExpansionBitmap As LongPtr
        TlsExpansionBitmapBits(31) As Long
        SessionId As Long
        AppCompatFlags As LARGE_INTEGER
        AppCompatFlagUser As LARGE_INTEGER
        pShimData As LongPtr
        AppCompatInfo As LongPtr
        CSDVersion As UNICODE_STRING
        ActivationContextData As LongPtr
        ProcessAssemblyStorageMap As LongPtr
        SystemDefaultActivationContextData As LongPtr
        SystemAssemblyStorageMap As LongPtr
        MinimumStackCommit As LongPtr  'SIZE_T
        FlsCallback As LongPtr
        FlsListHead As LIST_ENTRY
        FlsBitmap As LongPtr
        FlsBitmapBits(3) As Long
        FlsHighIndex As Long
        WerRegistrationData As LongPtr
        WerShipAssertPtr As LongPtr
        'Believe it or not, future OS' have *even more* members. But Vista stops here, so we will too. 
    End Type
    Note that if reading this from a 64-bit process under WOW64, you need to use a 64-bit version with NtWow64ReadVirtualMemory64.
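The two-step read the thread converges on, as an added example that is not from either poster: read the RTL_USER_PROCESS_PARAMETERS block that PEB.ProcessParameters points at, then follow the Buffer pointer inside the UNICODE_STRING member for exactly Length bytes (Length is a byte count, and the text is not guaranteed to be NUL-terminated). The structure prefixes are written with fixed-width types and explicit padding and checked against the well-known offsets (ImagePathName at 0x38 and CommandLine at 0x40 on x86; 0x60 and 0x70 on x64); the 0x3C assertion shows why post #1 found a pointer 60 bytes in. Reads go through a callback with the ReadProcessMemory contract, and the target memory is a constructed in-process buffer at a hypothetical base address rather than a live process, so it compiles and runs anywhere. read_param_string, read_unicode_string, sample_read, build_sample_target, place and TARGET_BASE are names chosen here, not Windows APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit layouts with padding written out so the offsets hold on any host compiler.
 * Pointer fields are plain uint64_t: target-process addresses, read through, never dereferenced. */
typedef struct {
    uint16_t Length;        /* BYTES of text; no NUL terminator implied */
    uint16_t MaximumLength; /* bytes available at Buffer */
    uint32_t Pad;
    uint64_t Buffer;        /* target address of the UTF-16LE text */
} UNICODE_STRING64;
typedef struct { UNICODE_STRING64 DosPath; uint64_t Handle; } CURDIR64;
typedef struct {            /* prefix of RTL_USER_PROCESS_PARAMETERS, up to CommandLine */
    uint32_t MaximumLength, Length, Flags, DebugFlags;
    uint64_t ConsoleHandle;
    uint32_t ConsoleFlags, Pad0;
    uint64_t StdInputHandle, StdOutputHandle, StdErrorHandle;
    CURDIR64 CurrentDirectory;
    UNICODE_STRING64 DllPath, ImagePathName, CommandLine;
} RTL_USER_PROCESS_PARAMETERS64_HEAD;
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS64_HEAD, ImagePathName) == 0x60, "x64 ImagePathName");
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS64_HEAD, CommandLine) == 0x70, "x64 CommandLine");

/* The same prefix for a 32-bit target. "16 bytes, then 10 DWORDs" (56 = 0x38) lands on
 * ImagePathName; 60 = 0x3C is ImagePathName.Buffer, which is why a pointer shows up there. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;
typedef struct { UNICODE_STRING32 DosPath; uint32_t Handle; } CURDIR32;
typedef struct {
    uint32_t MaximumLength, Length, Flags, DebugFlags;
    uint32_t ConsoleHandle, ConsoleFlags, StdInputHandle, StdOutputHandle, StdErrorHandle;
    CURDIR32 CurrentDirectory;
    UNICODE_STRING32 DllPath, ImagePathName, CommandLine;
} RTL_USER_PROCESS_PARAMETERS32_HEAD;
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS32_HEAD, ImagePathName) == 0x38, "x86 ImagePathName");
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS32_HEAD, CommandLine) == 0x40, "x86 CommandLine");
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS32_HEAD, ImagePathName.Buffer) == 0x3C, "x86 Buffer");

/* Reader with the ReadProcessMemory / NtWow64ReadVirtualMemory64 contract:
 * copy n bytes from target address addr into buf; report success. */
typedef bool (*read_fn)(uint64_t addr, void *buf, size_t n);

/* Follow a UNICODE_STRING fetched from the target: read exactly Length bytes from Buffer and
 * narrow UTF-16LE to ASCII ('?' otherwise). Returns the character count, or (size_t)-1 if the
 * descriptor is inconsistent or the read fails. The target owns these fields (a process can
 * rewrite its own PEB), so they are validated and the text is never scanned for a terminator. */
static size_t read_unicode_string(read_fn rd, const UNICODE_STRING64 *us, char *out, size_t outsz) {
    if (us->Buffer == 0 || (us->Length & 1) || us->Length > us->MaximumLength) return (size_t)-1;
    size_t nchars = us->Length / 2;
    if (nchars + 1 > outsz) return (size_t)-1;
    uint8_t raw[0x10000];                    /* Length is 16-bit, so this bounds any read */
    if (us->Length && !rd(us->Buffer, raw, us->Length)) return (size_t)-1;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t cu = (uint16_t)(raw[2 * i] | (raw[2 * i + 1] << 8));
        out[i] = cu < 0x80 ? (char)cu : '?';
    }
    out[nchars] = '\0';
    return nchars;
}

/* Read one UNICODE_STRING member of the block that PEB.ProcessParameters points at. */
static size_t read_param_string(read_fn rd, uint64_t params, size_t member_off, char *out, size_t outsz) {
    UNICODE_STRING64 us;
    if (!rd(params + member_off, &us, sizeof us)) return (size_t)-1;
    return read_unicode_string(rd, &us, out, outsz);
}

/* ---- Constructed stand-in for a 64-bit target's memory (not a live process) ---- */
#define TARGET_BASE 0x000001C3A2B40000ULL    /* hypothetical address of the parameters block */
static uint8_t target_mem[0x200];

static bool sample_read(uint64_t addr, void *buf, size_t n) {
    if (addr < TARGET_BASE || addr - TARGET_BASE + n > sizeof target_mem) return false;
    memcpy(buf, target_mem + (addr - TARGET_BASE), n); return true;
}

/* Store s as UTF-16LE at target offset *off and point us at it; *off advances past one NUL wchar. */
static void place(UNICODE_STRING64 *us, size_t *off, const char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) { target_mem[*off + 2 * i] = (uint8_t)s[i]; target_mem[*off + 2 * i + 1] = 0; }
    us->Buffer = TARGET_BASE + *off;
    us->Length = (uint16_t)(2 * n); us->MaximumLength = us->Length + 2;
    *off += us->MaximumLength;
}

/* Lay the block out at TARGET_BASE with both texts back to back from +0x100, as in a real
 * block, and return the value PEB.ProcessParameters would hold. */
static uint64_t build_sample_target(void) {
    RTL_USER_PROCESS_PARAMETERS64_HEAD p = {0};
    size_t off = 0x100;
    memset(target_mem, 0, sizeof target_mem);
    place(&p.ImagePathName, &off, "C:\\Windows\\System32\\cmd.exe");
    place(&p.CommandLine, &off, "cmd.exe /c whoami");
    p.Length = p.MaximumLength = (uint32_t)sizeof p;
    memcpy(target_mem, &p, sizeof p);
    return TARGET_BASE;
}

int main(void) {                             /* prints both strings from the constructed block */
    char buf[256];
    uint64_t params = build_sample_target();
    size_t offs[] = { offsetof(RTL_USER_PROCESS_PARAMETERS64_HEAD, ImagePathName), offsetof(RTL_USER_PROCESS_PARAMETERS64_HEAD, CommandLine) };
    for (int i = 0; i < 2; i++)
        if (read_param_string(sample_read, params, offs[i], buf, sizeof buf) != (size_t)-1) printf("%s: %s\n", i ? "CommandLine" : "ImagePathName", buf);
    return 0;
}
```

Against a real target, swap sample_read for ReadProcessMemory (or NtWow64ReadVirtualMemory64 from a 32-bit reader, as the post above notes) and take params from PEB.ProcessParameters after reading the PEB at the PebBaseAddress that NtQueryInformationProcess(ProcessBasicInformation) returns. Treat whatever comes back as untrusted: the block lives in the target's own writable memory, so a process can rewrite its command line and image path after startup, which is why the reader validates Length against MaximumLength and bounds every read instead of walking Buffer to a terminator.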
