Failed to retrieve process arguments in 64 bit Windows
-
I have coded an application to retrieve any running process's arguments. It worked very well in Win32, but failed in 64-bit Windows (x64). The approach is to use NtQueryInformationProcess to get PROCESS_BASIC_INFORMATION, which has a data structure like:

```c
typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID Reserved1;
    PPEB PebBaseAddress;
    PVOID Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
```

and then use ReadProcessMemory() to get dwInfoBlockAddress in PEB2, like

```c
struct _PEB2 {
    DWORD dwFiller[4];
    DWORD dwInfoBlockAddress;
} PEB2;
```

and so on.

Here is the partial sample code:

```c
/* Locate the target's PEB. */
NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &dwSize);
/* Read the start of the PEB, then the info block it points to. */
ReadProcessMemory(hProcess, (LPCVOID)pbi.PebBaseAddress, &PEB2, sizeof(PEB2), &dwSize);
ReadProcessMemory(hProcess, (LPCVOID)PEB2.dwInfoBlockAddress, &Block, sizeof(Block), &dwSize);
/* Copy the command line out of the target process. */
cmdLine = (TCHAR *)malloc(Block.wMaxLength + 10);
ReadProcessMemory(hProcess, (LPCVOID)Block.dwCmdLineAddress, cmdLine, Block.wMaxLength + 10, &dwSize);
```

It failed in getting dwInfoBlockAddress of PEB2.

Can any of you provide some hints or help? Maybe the memory structures/addresses are totally different between the 32- and 64-bit data models? The problem is there are no useful documents I could look at.

Thanks a lot.

Jack Rong
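The layout difference behind the failure described in the post, as an added example that is not part of the original post: a portable C model of the `PEB`, `RTL_USER_PROCESS_PARAMETERS` and `UNICODE_STRING` field order declared in `winternl.h`, walked over a constructed memory image. `FakeProc`, `read_mem`, `cmdline64`, `peb2_pointer`, `build_sample` and the struct names are hypothetical; `read_mem` stands in for `ReadProcessMemory`, and a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-width models of the winternl.h layouts, so both compile anywhere. */
typedef struct { uint16_t Length, MaximumLength; uint32_t pad; uint64_t Buffer; } USTR64;
typedef struct { uint8_t r1[4]; uint32_t r3[2]; uint32_t Ldr, ProcessParameters; } PEB32;
typedef struct { uint8_t r1[4]; uint32_t pad; uint64_t r3[2]; uint64_t Ldr, ProcessParameters; } PEB64;
typedef struct { uint8_t r1[16]; uint64_t r2[10]; USTR64 ImagePathName, CommandLine; } PARAMS64;
/* The question's PEB2: 16 bytes of filler, then a 32-bit "pointer". */
typedef struct { uint32_t dwFiller[4]; uint32_t dwInfoBlockAddress; } PEB2;

/* Constructed stand-in for ReadProcessMemory: a flat image mapped at base. */
typedef struct { uint64_t base; const uint8_t *bytes; size_t size; } FakeProc;

static int read_mem(const FakeProc *p, uint64_t addr, void *out, size_t n) {
    uint64_t off = addr - p->base;
    if (addr < p->base || off > p->size || n > p->size - off) return 0;
    memcpy(out, p->bytes + off, n);
    return 1;
}

/* PEB -> ProcessParameters -> CommandLine using 64-bit pointers.
   Returns UTF-16 code units copied, or -1 on any failed read. */
int cmdline64(const FakeProc *p, uint64_t peb_addr, uint16_t *out, size_t cap) {
    PEB64 peb; PARAMS64 pp;
    if (!read_mem(p, peb_addr, &peb, sizeof peb)) return -1;
    if (!read_mem(p, peb.ProcessParameters, &pp, sizeof pp)) return -1;
    if (pp.CommandLine.Length > cap * sizeof *out) return -1;
    if (!read_mem(p, pp.CommandLine.Buffer, out, pp.CommandLine.Length)) return -1;
    return pp.CommandLine.Length / 2;
}

/* First step of the question's code: what PEB2 yields on a 64-bit PEB. */
uint32_t peb2_pointer(const FakeProc *p, uint64_t peb_addr) {
    PEB2 peb;
    return read_mem(p, peb_addr, &peb, sizeof peb) ? peb.dwInfoBlockAddress : 0;
}

/* Constructed 64-bit image: PEB at +0, parameters at +0x100, text at +0x200. */
void build_sample(uint8_t *img, uint64_t base) {
    static const uint16_t s[] = {'a','.','e','x','e',' ','-','x'};
    PEB64 peb = {{0}}; PARAMS64 pp = {{0}};
    peb.r3[1] = 0x00007FF612340000ULL;   /* constructed value at offset 0x10 */
    peb.ProcessParameters = base + 0x100;
    pp.CommandLine.Length = sizeof s;
    pp.CommandLine.Buffer = base + 0x200;
    memcpy(img, &peb, sizeof peb); memcpy(img + 0x100, &pp, sizeof pp);
    memcpy(img + 0x200, s, sizeof s);
}
```

In the model, `ProcessParameters` sits at offset 0x10 in the 32-bit layout and 0x20 in the 64-bit one, so the `DWORD` at 0x10 in `PEB2` picks up the low half of an unrelated 64-bit field.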