How to clear a process command line?

南方客 2020-12-10 15:48

I would like to clear the command line of my process from within. For example, when viewing my process in Task Manager/Process Explorer, the command line entry would be empt

3 Answers
  • 2020-12-10 16:32

    I suppose you have to modify the RTL_USER_PROCESS_PARAMETERS part of the PEB of your process (see http://en.wikipedia.org/wiki/Process_Environment_Block for example and http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html). You can try to use NtQueryInformationProcess to get PEB. Then you can modify ProcessParameters.CommandLine. I hope it will work.

    UPDATED: I verified my suggestion. It works. The following test program demonstrates this:

    #include <Windows.h>
    #include <Winternl.h> // for PROCESS_BASIC_INFORMATION and ProcessBasicInformation
    #include <stdio.h>
    #include <tchar.h>
    
    typedef NTSTATUS (NTAPI *PFN_NT_QUERY_INFORMATION_PROCESS) (
        IN HANDLE ProcessHandle,
        IN PROCESSINFOCLASS ProcessInformationClass,
        OUT PVOID ProcessInformation,
        IN ULONG ProcessInformationLength,
        OUT PULONG ReturnLength OPTIONAL);
    
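    int main()
    {
        HANDLE hProcess = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                       FALSE, GetCurrentProcessId());
        PROCESS_BASIC_INFORMATION pbi;
        ULONG ReturnLength;
        // NtQueryInformationProcess has no import library entry by default,
        // so resolve it from ntdll.dll at run time
        PFN_NT_QUERY_INFORMATION_PROCESS pfnNtQueryInformationProcess =
            (PFN_NT_QUERY_INFORMATION_PROCESS) GetProcAddress (
                GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationProcess");
        NTSTATUS status;
    
        if (hProcess == NULL || pfnNtQueryInformationProcess == NULL)
            return 1; // could not open the process or resolve the export
    
        // PROCESS_BASIC_INFORMATION carries the address of our own PEB
        status = pfnNtQueryInformationProcess (
            hProcess, ProcessBasicInformation,
            (PVOID)&pbi, sizeof(pbi), &ReturnLength);
        CloseHandle (hProcess);
        if (status < 0) // negative NTSTATUS means the query failed
            return 1;
    
        // remove full information about my command line
        pbi.PebBaseAddress->ProcessParameters->CommandLine.Length = 0;
    
        getchar(); // wait till we can verify the results
        return 0;
    }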
    

    If we start the program with some parameters we will see

    [image]

    instead of the following seen before

    [image]

  • 2020-12-10 16:43

    You might try calling the GetCommandLine API function and then setting the first byte to 0. That is:

    LPTSTR cmdline = GetCommandLine();
    *cmdline = '\0';
    

    I honestly don't know if that'll work or what the possible ramifications are, but it might be worth a shot.

  • 2020-12-10 16:50

    Based on your comment above, you may wish to consider passing the secret key via an environment variable. If you set the key in the parent process environment, it will be inherited by the child process and won't be visible to outsiders quite as easily as the command line.

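The approach from the last answer, as an added example that is not part of the original thread: a parent hands a key to its child through the child's environment instead of its argument list, and the child drops the variable once it has read it. The variable name `APP_SECRET_KEY`, the sample key and the child program are assumptions constructed for the illustration; Python is used so the sketch runs on any platform.

```python
import json
import os
import subprocess
import sys

ENV_NAME = "APP_SECRET_KEY"  # hypothetical variable name, not from the thread

# Constructed child program: reads the key from its environment, removes the
# variable so later grandchildren do not inherit it, then reports what it saw.
CHILD_SOURCE = f"""
import json, os, sys
key = os.environ.pop({ENV_NAME!r}, None)
print(json.dumps({{
    "argv": sys.argv[1:],
    "key": key,
    "still_in_env": {ENV_NAME!r} in os.environ,
}}))
"""


def launch_with_env_secret(secret, visible_args):
    """Start a child that receives `secret` via its environment, not argv."""
    child_env = os.environ.copy()   # copy, so the parent's own block is untouched
    child_env[ENV_NAME] = secret
    result = subprocess.run(
        [sys.executable, "-c", CHILD_SOURCE, *visible_args],
        env=child_env,
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(result.stdout)


def key_on_command_line(report, secret):
    """True if the key appears in any argument the child was started with."""
    return any(secret in arg for arg in report["argv"])


if __name__ == "__main__":
    sample_key = "constructed-demo-key-1234"  # constructed sample value
    report = launch_with_env_secret(sample_key, ["--mode", "batch"])
    print("child received key:", report["key"] == sample_key)
    print("key on command line:", key_on_command_line(report, sample_key))
    print("variable left in child env:", report["still_in_env"])
```

The environment is still readable by processes running as the same user or as an administrator, so this reduces casual exposure in process listings and command-line logging rather than protecting the key from a privileged observer.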