Why bother with argv[0]?
The first argument of a program’s command line, typically reflecting the program’s name or path and often referred to as argv[0], can in most cases be set to an arbitrary value without affecting the process’s flow. Making the case against argv[0], this post demonstrates how it can be used to deceive security analysts, bypass detections and break defensive software, across all main operating systems.
Some will answer this with a straight “no”, whereas others argue single-word commands enhance user experience, and (especially a few decades ago) can offer cross-platform/backwards syntax compatibility using a shared code base.

Windows’ pre-installed security software, Microsoft Defender Antivirus [13], prevents certutil executions if it sees command-line arguments that suggest a file download is being attempted.

EDR platforms should also consider leaving out argv[0] when reporting on command-line arguments, as this will eliminate nearly every problem highlighted in this post; its forensic value is often minimal to none, or can be more reliably sourced from other process aspects.
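As an added illustration of the two points above (argv[0] is caller-chosen, and the real executable is better sourced from other process aspects), the following Linux-only script is example code written for this page, not the post author's: it compares a process's argv[0] from /proc/&lt;pid&gt;/cmdline with the kernel-maintained /proc/&lt;pid&gt;/exe link, using a harmless `sleep` child started under a deliberately misleading argv[0] as constructed test input.

```python
import os
import shutil
import subprocess
from dataclasses import dataclass


@dataclass
class ProcView:
    pid: int
    argv0: str      # what the process claims to be; freely chosen by whoever started it
    exe: str        # what the kernel actually loaded, from /proc/<pid>/exe
    mismatch: bool  # True when argv[0] does not describe the executed file


def inspect_process(pid: int) -> ProcView:
    """Compare a process's argv[0] with the binary the kernel says it is running."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        argv0 = f.read().split(b"\0")[0].decode(errors="replace")  # argv is NUL-separated
    exe = os.readlink(f"/proc/{pid}/exe").removesuffix(" (deleted)")
    if os.sep in argv0:
        # Path-like argv[0]: resolve symlinks so /bin/sh vs /usr/bin/dash still matches.
        matches = os.path.realpath(argv0) == exe
    else:
        # Bare name: the most we can check is that it names the executed file.
        matches = argv0 == os.path.basename(exe)
    return ProcView(pid, argv0, exe, not matches)


def sleep_binary() -> str:
    """Locate `sleep`, the harmless long-running program used as the test subject."""
    path = shutil.which("sleep")
    if path is None:
        raise FileNotFoundError("no `sleep` binary on PATH")
    return path


def check_spawn(argv0: str) -> ProcView:
    """Constructed test input: run `sleep 30` under a caller-chosen argv[0] and inspect it.
    execve() takes the file to run and argv separately, so the two need not agree."""
    child = subprocess.Popen([argv0, "30"], executable=sleep_binary())
    try:
        return inspect_process(child.pid)  # Popen returns only after exec succeeded
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    for claimed in (sleep_binary(), "/usr/bin/totally-legit"):
        v = check_spawn(claimed)
        print(f"pid={v.pid} argv0={v.argv0!r} exe={v.exe!r} mismatch={v.mismatch}")
```

Multi-call binaries such as busybox legitimately run under a bare argv[0] that differs from the executed file, so a mismatch is a triage signal, not proof of deception.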