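// Frida hook for NtCreateUserProcess: logs the CommandLine member of the
// RTL_USER_PROCESS_PARAMETERS block that the caller passes in (process-creation
// monitoring for a sandbox / EDR prototype).

// Offset of the CommandLine UNICODE_STRING inside RTL_USER_PROCESS_PARAMETERS.
// NOTE(review): 0x4C8 is carried over from the original script ("assuming you've
// identified this offset"); the documented CommandLine offset is 0x40 on x86 and
// 0x70 on x64 — confirm 0x4C8 against the target build before trusting the output.
var COMMAND_LINE_OFFSET = 0x4C8;

// UNICODE_STRING layout: USHORT Length (bytes), USHORT MaximumLength (bytes),
// then PWSTR Buffer aligned to the pointer size — offset 4 on x86, 8 on x64.
// The original read the pointer at +4 unconditionally, which is wrong on x64.
var UNICODE_STRING_BUFFER_OFFSET = Process.pointerSize;

/**
 * Read a UNICODE_STRING located at `fieldPtr`.
 *
 * @param {NativePointer} fieldPtr - address of the UNICODE_STRING struct
 * @returns {{length: number, maxLength: number, bufferPtr: NativePointer, value: (string|null)}}
 *   `value` is null when Buffer is NULL. Length is in bytes, so the string is
 *   read as Length/2 UTF-16 code units: a UNICODE_STRING is not guaranteed to
 *   be NUL-terminated, so reading up to a terminator could walk past the buffer.
 * @throws if any of the reads touches unmapped memory (Frida raises an Error)
 */
function readUnicodeString(fieldPtr) {
  var length = fieldPtr.readU16();
  var maxLength = fieldPtr.add(2).readU16();
  var bufferPtr = fieldPtr.add(UNICODE_STRING_BUFFER_OFFSET).readPointer();
  var value = null;
  if (!bufferPtr.isNull()) {
    // Length is always even for a well-formed UNICODE_STRING; floor defensively.
    value = bufferPtr.readUtf16String(Math.floor(length / 2));
  }
  return { length: length, maxLength: maxLength, bufferPtr: bufferPtr, value: value };
}

// Fail loudly instead of letting Interceptor.attach throw on a null pointer.
var target = Module.findExportByName(null, 'NtCreateUserProcess');
if (target === null) {
  throw new Error('NtCreateUserProcess export not found');
}

Interceptor.attach(target, {
  onEnter: function (args) {
    // args[8] is ProcessParameters (PRTL_USER_PROCESS_PARAMETERS), the 9th
    // parameter of NtCreateUserProcess.
    var paramsBasePtr = args[8];
    var fieldPtr = paramsBasePtr.add(COMMAND_LINE_OFFSET);
    try {
      var cmd = readUnicodeString(fieldPtr);
      console.log("CommandLine Length: " + cmd.length);
      console.log("CommandLine Max Length: " + cmd.maxLength);
      console.log("CommandLine Buffer Pointer: 0x" + cmd.bufferPtr.toString(16));
      if (cmd.value !== null) {
        console.log("CommandLine: " + cmd.value);
      } else {
        console.log("CommandLine buffer is null.");
      }
    } catch (e) {
      // A bad offset or unmapped buffer throws; log the reason and let the
      // syscall proceed rather than aborting the hooked process.
      console.log("Error reading CommandLine at offset 0x" + fieldPtr.toString(16) + ": " + e.message);
    }
  }
});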