I want to get the process CommandLine in the kernel
A forum for reverse engineering, OS internals and malware analysis
Good for you. My eyes doesn't see any question mark here.
Seriously OP, are you banned in google? This is one of the most trivial and popular questions with tons of solutions.
EPROCESS = PsLookupProcessByProcessId
KeAttachProcess(EPROCESS)
Peb = PsGetProcessPeb(EPROCESS)
cmdLine = Peb->ProcessParameters->CommandLine;
Do whatever you want
KeDetachProcess(EPROCESS)
ObDereferenceObject(EPROCESS)
Next time use google before asking anything. Both - search and translate services.
Closed.
EPROCESS = PsLookupProcessByProcessId
KeAttachProcess(EPROCESS)
Peb = PsGetProcessPeb(EPROCESS)
cmdLine = Peb->ProcessParameters->CommandLine;
Do whatever you want
KeDetachProcess(EPROCESS)
ObDereferenceObject(EPROCESS)
Next time use google before asking anything. Both - search and translate services.
Closed.
Ring0 - the source of inspiration
