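// Frida hook that logs the command line of every child process the target
// launches through ntdll!NtCreateUserProcess. Read-only telemetry: nothing in
// the call is modified, so the hook can be used to record process creation
// while analysing a sample.
//
// NtCreateUserProcess(ProcessHandle, ThreadHandle, ProcessDesiredAccess,
//   ThreadDesiredAccess, ProcessObjectAttributes, ThreadObjectAttributes,
//   ProcessFlags, ThreadFlags, ProcessParameters, CreateInfo, AttributeList)
// args[8] is PRTL_USER_PROCESS_PARAMETERS.
//
// Layout facts the code relies on:
//   UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; }
//   Length/MaximumLength are BYTE counts; Buffer is pointer-aligned, so it
//   sits at +4 on x86 and +8 on x64 and is NOT guaranteed NUL-terminated.
// Reading the string from UNICODE_STRING+4 directly (as a naive version
// would) yields the pointer bytes, not the text — the Buffer pointer has to
// be dereferenced first.

const ptrSize = Process.pointerSize;
// Offset of UNICODE_STRING.Buffer for this process's pointer width.
const bufferFieldOffset = ptrSize;
// Offset of RTL_USER_PROCESS_PARAMETERS.CommandLine in the public layout
// (0x40 on x86, 0x70 on x64). Tried first; confirm against the target's
// ntdll build if the logged value does not look like a command line.
const commandLineOffset = ptrSize === 8 ? 0x70 : 0x40;
// Scan window used as a fallback when the known offset does not hold a
// plausible UNICODE_STRING.
const scanLimit = 0x100;

/**
 * Decode the UNICODE_STRING at `candidate`.
 *
 * @param {NativePointer} candidate - address of a possible UNICODE_STRING.
 * @returns {string|null} the text, or null when the header fields do not
 *   describe a valid, non-empty string (Length must be even, non-zero and
 *   no larger than MaximumLength; Buffer must be non-null).
 * @throws on an access violation — callers treat that as "not a string".
 */
function readUnicodeStringAt(candidate) {
  const length = candidate.readU16();
  const maximumLength = candidate.add(2).readU16();
  if (length === 0 || length % 2 !== 0 || length > maximumLength) {
    return null;
  }
  const buffer = candidate.add(bufferFieldOffset).readPointer();
  if (buffer.isNull()) {
    return null;
  }
  // Read exactly Length/2 UTF-16 code units; never rely on a terminator.
  return buffer.readUtf16String(length / 2);
}

/**
 * Locate and log the CommandLine string inside RTL_USER_PROCESS_PARAMETERS.
 *
 * The known offset is tried first. If it yields nothing, every pointer-aligned
 * offset in the scan window is reported instead, because the structure holds
 * several UNICODE_STRINGs (CurrentDirectory.DosPath, DllPath, ImagePathName,
 * CommandLine, ...) and stopping at the first plausible one would usually
 * print the wrong field.
 *
 * @param {NativePointer} paramsPtr - value of args[8].
 */
function logCommandLine(paramsPtr) {
  try {
    const commandLine = readUnicodeStringAt(paramsPtr.add(commandLineOffset));
    if (commandLine !== null) {
      console.log(`CommandLine (offset 0x${commandLineOffset.toString(16)}): ${commandLine}`);
      return;
    }
  } catch (e) {
    console.log(`Error at offset 0x${commandLineOffset.toString(16)}: ${e}`);
  }

  console.log('Known CommandLine offset did not match; scanning candidates');
  for (let offset = 0; offset < scanLimit; offset += ptrSize) {
    try {
      const text = readUnicodeStringAt(paramsPtr.add(offset));
      if (text !== null) {
        console.log(`UNICODE_STRING at offset 0x${offset.toString(16)}: ${text}`);
      }
    } catch (e) {
      // An unreadable candidate is expected during a scan; report and continue.
      console.log(`Error at offset 0x${offset.toString(16)}: ${e}`);
    }
  }
}

const target = Module.findExportByName('ntdll.dll', 'NtCreateUserProcess');
if (target === null) {
  // Interceptor.attach(null) would throw a less descriptive error.
  throw new Error('NtCreateUserProcess not found in ntdll.dll');
}

Interceptor.attach(target, {
  onEnter(args) {
    const paramsPtr = args[8];
    console.log(`paramsPtr: ${paramsPtr}`);
    if (paramsPtr.isNull()) {
      return;
    }
    logCommandLine(paramsPtr);
  },
  onLeave(retval) {
    // Intentionally a no-op: the return value is observed, not changed.
  },
});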