#include <Windows.h>
#include <winternl.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
// Define the prototype of NtQueryInformationProcess as it's not available in the standard headers
// Only the pointer type is declared here: the function itself is resolved at run time from
// ntdll.dll with GetProcAddress (see main), so no import library is needed.
typedef NTSTATUS(NTAPI* pfnNtQueryInformationProcess)(
    HANDLE ProcessHandle,                     // target process handle (opened in main with PROCESS_QUERY_INFORMATION)
    PROCESSINFOCLASS ProcessInformationClass, // which record to query, e.g. ProcessBasicInformation
    PVOID ProcessInformation,                 // caller-supplied output buffer
    ULONG ProcessInformationLength,           // size of that buffer in bytes
    PULONG ReturnLength);                     // size of the returned information, per the documented NT API
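/*
 * Copy the contents of a UNICODE_STRING that lives in another process into a
 * local, NUL-terminated WCHAR buffer.
 *
 *   hProcess - handle with PROCESS_VM_READ access to the target process
 *   source   - local copy of the remote UNICODE_STRING. source->Buffer is an
 *              address inside the target process and source->Length is a byte
 *              count that excludes any terminator. Both values were read out of
 *              the target and are untrusted; Length is the only thing bounding
 *              the copy, so it is checked against destSize before any read.
 *   dest     - local output buffer
 *   destSize - size of dest in BYTES, not characters
 *
 * Returns TRUE with a NUL-terminated string in dest on success. Returns FALSE
 * when an argument is invalid, dest cannot hold the string plus terminator,
 * the string claims a non-zero length but no buffer, or the remote read fails
 * or comes back short. The contents of dest are unspecified on failure.
 */
BOOL ReadRemoteUnicodeString(HANDLE hProcess, UNICODE_STRING* source, WCHAR* dest, SIZE_T destSize) {
    if (source == NULL || dest == NULL || destSize < sizeof(WCHAR)) {
        return FALSE; // Nothing sensible can be written
    }

    // Length is a USHORT and sizeof(WCHAR) is 2, so this sum cannot overflow SIZE_T.
    SIZE_T byteLen = source->Length;
    if (byteLen + sizeof(WCHAR) > destSize) {
        return FALSE; // Ensure buffer is big enough for the string and null terminator
    }

    if (byteLen == 0) {
        // Empty string: nothing to read, and we avoid handing ReadProcessMemory a
        // possibly-NULL remote address.
        dest[0] = L'\0';
        return TRUE;
    }
    if (source->Buffer == NULL) {
        return FALSE; // Non-zero length with no buffer is a malformed string
    }

    SIZE_T bytesRead = 0;
    if (!ReadProcessMemory(hProcess, source->Buffer, dest, byteLen, &bytesRead) || bytesRead != byteLen) {
        return FALSE; // Failed to read memory, or the read was short
    }

    // Null terminate the string. Length is expected to be even; an odd Length
    // would have its trailing half-character overwritten by the terminator.
    dest[byteLen / sizeof(WCHAR)] = L'\0';
    return TRUE;
}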
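/*
 * Print the image path and command line of another process, taken from its
 * PEB -> RTL_USER_PROCESS_PARAMETERS.
 *
 * Usage: <program> <PID>
 *
 * Exit status is 0 when both strings were printed and 1 on any failure
 * (bad arguments, open/query/read failure, out of memory).
 *
 * Everything read from the target (PEB, process parameters, string headers)
 * is untrusted: remote pointers are only ever passed back to
 * ReadProcessMemory as addresses, and string lengths are bounded by
 * ReadRemoteUnicodeString before any copy.
 *
 * Limitations: the reduced PEB / RTL_USER_PROCESS_PARAMETERS layouts from
 * winternl.h are used, and the target is assumed to have the same bitness as
 * this process (a 32-bit build reading a 64-bit target sees the wrong layout).
 */
int main(int argc, char* argv[]) {
    // UNICODE_STRING.Length is a USHORT byte count, so a remote string can hold
    // at most 32767 WCHARs; size the local buffers for the worst case instead of
    // MAX_PATH, which long command lines routinely exceed.
    enum { MAX_REMOTE_CHARS = 32767 };
    const SIZE_T bufBytes = (MAX_REMOTE_CHARS + 1) * sizeof(WCHAR);

    int rc = 1;
    HANDLE hProcess = NULL;
    WCHAR* imagePath = NULL;
    WCHAR* commandLine = NULL;

    if (argc != 2) {
        printf("Usage: %s <PID>\n", argv[0]);
        return 1;
    }

    // strtoul rather than atoi: reject junk or trailing characters instead of
    // silently turning them into PID 0.
    errno = 0;
    char* end = NULL;
    unsigned long pidValue = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || pidValue > MAXDWORD) {
        printf("Invalid PID: %s\n", argv[1]);
        return 1;
    }
    DWORD pid = (DWORD)pidValue;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL) {
        // %lu matches DWORD (unsigned long); the original %d was a type mismatch.
        printf("Failed to open process with PID %lu (error %lu)\n", pid, GetLastError());
        return 1;
    }

    // Dynamically load NtQueryInformationProcess from ntdll.dll.
    // GetModuleHandleW does not add a reference to the module, so the handle must
    // not be passed to FreeLibrary (the original did, which is a reference-count bug).
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL) {
        printf("Failed to get a handle on ntdll.dll\n");
        goto cleanup;
    }
    pfnNtQueryInformationProcess NtQueryInformationProcess =
        (pfnNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL) {
        printf("Failed to get NtQueryInformationProcess address\n");
        goto cleanup;
    }

    PROCESS_BASIC_INFORMATION pbi;
    ULONG returnLength = 0;
    NTSTATUS status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength);
    if (!NT_SUCCESS(status)) {
        printf("NtQueryInformationProcess failed (status 0x%08lX)\n", (unsigned long)status);
        goto cleanup;
    }
    if (pbi.PebBaseAddress == NULL) {
        printf("Target process reports no PEB\n");
        goto cleanup;
    }

    PEB peb;
    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), NULL)) {
        printf("Failed to read PEB\n");
        goto cleanup;
    }

    // peb.ProcessParameters is a pointer in the target's address space; it is
    // only used as a remote address, never dereferenced locally.
    RTL_USER_PROCESS_PARAMETERS params;
    if (peb.ProcessParameters == NULL ||
        !ReadProcessMemory(hProcess, peb.ProcessParameters, &params, sizeof(params), NULL)) {
        printf("Failed to read process parameters\n");
        goto cleanup;
    }

    imagePath = calloc(MAX_REMOTE_CHARS + 1, sizeof *imagePath);
    commandLine = calloc(MAX_REMOTE_CHARS + 1, sizeof *commandLine);
    if (imagePath == NULL || commandLine == NULL) {
        printf("Out of memory\n");
        goto cleanup;
    }

    if (ReadRemoteUnicodeString(hProcess, &params.ImagePathName, imagePath, bufBytes) &&
        ReadRemoteUnicodeString(hProcess, &params.CommandLine, commandLine, bufBytes)) {
        // %ls is the portable conversion for a wchar_t string; %s in wprintf is
        // wide only under the Microsoft CRT.
        wprintf(L"Image Path: %ls\n", imagePath);
        wprintf(L"Command Line: %ls\n", commandLine);
        rc = 0;
    } else {
        printf("Failed to read string from process\n");
    }

cleanup:
    free(commandLine);
    free(imagePath);
    CloseHandle(hProcess);
    return rc;
}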