Command line of specified process

Status
Not open for further replies.

TJNweb

Programmer
Dec 9, 2002
50
EE
Can anybody help me to get the command line of the specified process or give any idea how to do this?

Thanks in advance
 
Don't know if this is what you want, think it is.

Just say:
xxx = Command()
msgbox xxx

Then if you make an exe, called ....... myexe.exe
and if you run it like this
myexe 1122334455

It will make xxx = "1122334455"
 
I mean I want to get a pointer to the command line arguments of a specific process, like "GetCommandLineA", but only for a defined process (for example: "c:\program files\office2000\winword.exe c:\mydocuments\mydoc.doc" - what I need)
 
I really hope that you will be able to do this.
My 3 days of research failed :(
 
Oh, it's definitely not easy. You have to play some silly games, and I'm beginning to think it may not be possible without resorting to a small C++ DLL. Essentially, you need to poke some code, including the GetCommandLine call, into the address space of the target process...
 
I have already tried to combine CreateToolhelp32Snapshot + Toolhelp32ReadProcessMemory - no results...
I feel I am losing faith that it is possible...

 
No, those won't particularly help. You need to (theoretically) inject code from a DLL into the process's address space.

Now KERNEL32.DLL is a DLL (and happens to actually be already injected into all Windows applications' address space), and it happens to contain (and export) GetCommandLine, so there ought to be a line of attack here. I just haven't figured out the necessary tactics.

If anyone else would like to jump into this thread, feel welcome...
 
Have you ever heard of a program called watchdog? A friend was telling me that he could set a "watch" on objects within the system and be notified when they were loaded. I believe he also said that the program would tell him who called the process and what the command was.

Here is a link that I found and searched for. This API if I understand correctly (quick browse) is for accessing an addin board. I am not sure that this will be any help (due to the prices if I read them correctly), but it may give you a lead of what you need to do.


Good Luck
 
I understand that Windows keeps our data (CMD) in a special table, and our target is to determine the structure of this table and CopyMemory... Is it possible?
I have an application which can show the CMD for all processes (we can see all the import functions of this program and guess how it works). The program's name is "TaskInfo".
vb5prgrmr said a good thing, because TaskInfo will give us who called the process as well. It means that the principle is the same...
 
Yes, the idea of just copying the process's memory might be a valid (if inelegant) approach.
 
But the question is, how to find that table? ...
It is still a question...
 
OK, I have a program that reads the entire process memory - but I think the DLL injection route is going to be easier. More testing to go...
 
But what is the principle of DLL injection into the process?
I bought the book (WIN32 API programming) and there are a few words about this process, but no concrete examples...
I understand that we can set up a global hook (Windows injects the DLL automatically) and afterwards we can AllocMemory in the target process to put the necessary data there (the return from GetCommandLineA), but how to do this?
We can simply set up a hook, but what next?
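
An added example, not part of the thread and not any poster's code: it does not use the DLL injection or memory-copy approaches discussed above, but reads the CommandLine and ParentProcessId properties that WMI's Win32_Process class exposes, which covers both the command line asked for and the "who called the process" information mentioned for TaskInfo. The function name Get-ProcessCommandLine is hypothetical, and winword.exe is the image name from the question.

```powershell
# Added example: command line and parent of every process with a given image name,
# read through WMI/CIM (Win32_Process) instead of touching the target's memory.
function Get-ProcessCommandLine {
    [CmdletBinding()]
    param(
        # Image name to look for, e.g. 'winword.exe' (the example from the thread)
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Take one snapshot and index it by PID so parents resolve without extra queries.
    $all   = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $all | Where-Object { $_.Name -ieq $Name }) {
        $parent = $byPid[[uint32]$p.ParentProcessId]

        # PIDs are reused: an entry created after the child cannot be its real parent.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            # CommandLine comes back as $null when the caller may not read the process.
            CommandLine = if ($null -ne $p.CommandLine) { $p.CommandLine } else { '<not readable>' }
            ParentId    = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            ParentCmd   = if ($parent) { $parent.CommandLine } else { $null }
        }
    }
}

# Lists nothing if no matching process is running.
Get-ProcessCommandLine -Name 'winword.exe' | Format-List
```

Command lines of processes owned by other accounts are generally only readable from an elevated session.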
 