如何在外部运行进程中更改 PEB 的命令行

Question

Basically I would like to be able to change the PEB of commandline, which I believe is at offset 0x70 . I am trying to do this using WriteProcessMemory which is part of Kernel32.dll .

Current_ImageBase.buffer = pNewAddr;
if (!WriteProcessMemory(hProcess, rtlUserProcParamsAddress + 0x70, (IntPtr)(&Current_ImageBase), Marshal.SizeOf(typeof(UNICODE_STRING)), out intPtrOutput))
{
    Console.WriteLine("ERROR: Failed to reflect change back to PEB.\n");
    return false;
}

This should change the CommandLine of PEB.

Answer 1

There is no guarantee that the PEB will be identical on every version of Windows.

The PEB contains a pointer to a _RTL_USER_PROCESS_PARAMETERS structure named ProcessParameters.

This structure contains a UNICODE_STRING named CommandLine . Inside this structure is a pointer to a buffer which contains the command line arguments.

To externally overwrite these arguments, you must:

1. Call NTQueryProcessInformation to get the ProcessBasicInformation and therefore the PEB address

2. OpenProcess and get write permissions

3. ReadProcessMemory the PEB

4. ReadProcessMemory PEB.ProcessParameters

5. ReadProcessMemory PEB.ProcessParameters.CommandLine

6. WriteProcessMemory PEB.ProcessParameters.CommandLine.Buffer with the correct size pulled from the UNICODE_STRING.Length