-
Apr 30th, 2022, 06:21 AM
#1
Thread Starter
Frenzied Member
MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong
I was using NtQueryProcessInformation to get the PEB of a process, and then using its pointer to the RTL_USER_PROCESS_PARAMETERS to find the command line of the process. But I discovered something: the MSDN description of the RTL_USER_PROCESS_PARAMETERS structure is wrong. It indicates you need to skip the first 16 bytes, and then the next 10 dwords (56 bytes total) to get to the strings in question. There are two things wrong with this, though. First, you actually need to skip 60 bytes (16 bytes, and then 11 dwords) in order to get to the info you want. But unlike the description on https://docs.microsoft.com/en-us/win...ess_parameters you actually don't get to those values directly in the structure. Instead, you get to a pointer. And it isn't two pointers (one for each string). Instead there's one pointer that points to the first string, and then there's a null character separator between the two strings (and a null character as the terminator after the second string).
-
Apr 30th, 2022, 06:47 AM
#2
Thread Starter
Frenzied Member
Re: MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong
Actually it appears I misunderstood what UNICODE_STRING was. It's not literally a Unicode string, it's a struct that includes info about the string, including the size and a pointer to the string. Given that, it seems that it may actually be that the MSDN description of the RTL_USER_PROCESS_PARAMETERS structure is correct.
-
Nov 23rd, 2022, 03:26 AM
#3
Re: MS's description of the RTL_USER_PROCESS_PARAMETERS structure is wrong
Old thread, but since there's relevant info missing... MSDN's description is incorrect in that despite the full structure being known forever, they still refuse to properly document it. Same for PEB... Here are the full definitions for Vista (can't be used earlier without removing new members):
Code:
'Supporting types the definitions below depend on (added for completeness).
Private Type UNICODE_STRING
Length As Integer 'byte count of the text, excluding the terminating NUL
MaximumLength As Integer 'byte size of the buffer
Buffer As LongPtr 'pointer to the WCHAR text; read it with a second ReadProcessMemory
End Type
Private Type LARGE_INTEGER
LowPart As Long
HighPart As Long
End Type
Private Type RTL_DRIVE_LETTER_CURDIR
Flags As Integer
Length As Integer
TimeStamp As Long
DosPath As UNICODE_STRING
End Type
Private Type CURDIR
DosPath As UNICODE_STRING
Handle As LongPtr
End Type
Private Type LIST_ENTRY
Flink As LongPtr
Blink As LongPtr
End Type
Private Type RTL_USER_PROCESS_PARAMETERS
MaximumLength As Long
Length As Long
Flags As Long
DebugFlags As Long
ConsoleHandle As LongPtr
ConsoleFlags As Long
StdInputHandle As LongPtr
StdOutputHandle As LongPtr
StdErrorHandle As LongPtr
CurrentDirectory As CURDIR
DllPath As UNICODE_STRING
ImagePathName As UNICODE_STRING
CommandLine As UNICODE_STRING
Environment As LongPtr
StartingPositionLeft As Long
StartingPositionTop As Long
Width As Long
Height As Long
CharWidth As Long
CharHeight As Long
ConsoleTextAttributes As Long
WindowFlags As Long
ShowWindowFlags As Long
WindowTitle As UNICODE_STRING
DesktopName As UNICODE_STRING
ShellInfo As UNICODE_STRING
RuntimeData As UNICODE_STRING
DLCurrentDirectory(31) As RTL_DRIVE_LETTER_CURDIR
EnvironmentSize As LongLong
'Windows Vista stops here, so we will as well as that's our compatibility target.
End Type
Private Type PEB
InheritedAddressSpace As Byte
ReadImageFileExecOptions As Byte
BeingDebugged As Byte
BitField As Byte
Mutant As LongPtr
ImageBaseAddress As LongPtr
Ldr As LongPtr
ProcessParameters As LongPtr 'RTL_USER_PROCESS_PARAMETERS, what we're primarily interested in.
SubSystemData As LongPtr
ProcessHeap As LongPtr
FastPebLock As LongPtr
AtlThunkSListPtr As LongPtr
IFEOKey As LongPtr
CrossProcessFlags As Long
CBTableOrInfoPtr As LongPtr
SystemReserved(0) As Long
AtlThinkSListPtr32 As Long
ApiSetMap As LongPtr
TlsExpansionCounter As Long
TlsBitmap As LongPtr
TlsBitmaps(1) As Long
ReadOnlySharedMemoryBase As LongPtr
HotpatchInformation As LongPtr
ReadOnlyStaticServerData As LongPtr
AnsiCodePageData As LongPtr
OemCodePageData As LongPtr
UnicodeCaseTableData As LongPtr
NumberOfProcessors As Long
NtGlobalFlag As Long
CriticalSectionTimeout As LARGE_INTEGER
HeapSegmentReserve As LongLong
HeapSegmentCommit As LongLong
HeapDeCommitTotalFreeThreshold As LongLong
HeapDeCommitFreeBlockThreshold As LongLong
NumberOfHeaps As Long
MaximumNumberOfHeaps As Long
ProcessHeaps As LongPtr
GdiSharedHandleTable As LongPtr
ProcessStarterHelper As LongPtr
GdiDCAttributeList As Long
LoaderLock As LongPtr
OSMajorVersion As Long
OSMinorVersion As Long
OSBuildNumber As Integer
OSCSDVersion As Integer
OSPlatformId As Long
ImageSubsystem As Long
ImageSubsystemMajorVersion As Long
ImageSubsystemMinorVersion As Long
ImageProcessAffinityMask As LongLong
GdiHandleBuffer(59) As Long 'GDI_HANDLE_BUFFER_SIZE is 60 on x64 (34 on x86), so this is the 64-bit PEB layout.
PostProcessInitRoutine As LongPtr
TlsExpansionBitmap As LongPtr
TlsExpansionBitmapBits(31) As Long
SessionId As Long
AppCompatFlags As LARGE_INTEGER
AppCompatFlagUser As LARGE_INTEGER
pShimData As LongPtr
AppCompatInfo As LongPtr
CSDVersion As UNICODE_STRING
ActivationContextData As LongPtr
ProcessAssemblyStorageMap As LongPtr
SystemDefaultActivationContextData As LongPtr
SystemAssemblyStorageMap As LongPtr
MinimumStackCommit As Long
FlsCallback As LongPtr
FlsListHead As LIST_ENTRY
FlsBitmap As LongPtr
FlsBitmapBits(3) As Long
FlsHighIndex As Long
WerRegistrationData As LongPtr
WerShipAssertPtr As LongPtr
'Believe it or not, future OSes have *even more* members. But Vista stops here, so we will too.
End Type
Note that if reading this from a 64-bit process under WOW64, you need to use a 64-bit version with NtWow64ReadVirtualMemory64.
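The two reads that posts #1 and #3 describe (the RTL_USER_PROCESS_PARAMETERS block first, then a second read through CommandLine.Buffer, bounded by the byte-count Length rather than by hunting for NUL separators), as an added example that is not from the thread. It parses a constructed x64 memory image with Python ctypes, so it runs without Windows; read_mem, build_sample and the 0x1000/0x2000 addresses are stand-ins for ReadProcessMemory and a real target, and the layout is the x64 one from post #3.

```python
import ctypes
from ctypes import c_uint16, c_uint32, c_uint64, sizeof

# x64 layouts with explicit padding and c_uint64 pointers, so the offsets are
# host-independent; this parses a memory image, it does not call Windows APIs.
class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", c_uint16),         # size in BYTES, excluding NUL
                ("MaximumLength", c_uint16),  # buffer size in bytes
                ("_pad", c_uint32),
                ("Buffer", c_uint64)]         # PWSTR: a pointer, not the text

class RTL_USER_PROCESS_PARAMETERS(ctypes.Structure):
    # Leading members only, up to CommandLine; CURDIR inlined as two fields.
    _fields_ = [("MaximumLength", c_uint32), ("Length", c_uint32),
                ("Flags", c_uint32), ("DebugFlags", c_uint32),
                ("ConsoleHandle", c_uint64), ("ConsoleFlags", c_uint32),
                ("_pad", c_uint32), ("StandardInput", c_uint64),
                ("StandardOutput", c_uint64), ("StandardError", c_uint64),
                ("CurrentDirectory", UNICODE_STRING), ("CurDirHandle", c_uint64),
                ("DllPath", UNICODE_STRING), ("ImagePathName", UNICODE_STRING),
                ("CommandLine", UNICODE_STRING)]

def read_mem(regions, addr, size):
    # Stand-in for ReadProcessMemory over {base: bytes} regions (constructed).
    for base, data in regions.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    raise ValueError("unreadable range %#x+%#x" % (addr, size))

def read_unicode_string(regions, us):
    # A second read through Buffer; Length bounds it, no NUL scanning needed.
    if us.Length == 0 or us.Buffer == 0:
        return ""
    return read_mem(regions, us.Buffer, us.Length).decode("utf-16-le")

def read_command_line(regions, params_addr):
    raw = read_mem(regions, params_addr, sizeof(RTL_USER_PROCESS_PARAMETERS))
    params = RTL_USER_PROCESS_PARAMETERS.from_buffer_copy(raw)
    return read_unicode_string(regions, params.CommandLine)

def build_sample():
    # Constructed sample: parameters block at 0x1000, strings at 0x2000.
    img = "C:\\Windows\\notepad.exe"
    cmd = '"C:\\Windows\\notepad.exe" C:\\notes.txt'
    img_b, cmd_b = img.encode("utf-16-le"), cmd.encode("utf-16-le")
    p = RTL_USER_PROCESS_PARAMETERS()
    p.ImagePathName = UNICODE_STRING(len(img_b), len(img_b) + 2, 0, 0x2000)
    p.CommandLine = UNICODE_STRING(len(cmd_b), len(cmd_b) + 2, 0,
                                   0x2000 + len(img_b) + 2)
    regions = {0x1000: bytes(p), 0x2000: img_b + b"\0\0" + cmd_b + b"\0\0"}
    return regions, cmd
```

Against a live target, Length and Buffer come from the inspected process and can be bogus, so the second read must be allowed to fail (here read_mem raises) rather than trusted.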