I'm using a minifilter driver to intercept process creation and am trying to get the information about the Working Folder where the aplication is starting for.
For this, I got the ProcessParameters from the PEB, and the Internet is saying that there should be an undocumented property for CurrentDirectory.
Can this information actually be found there? How should I get it? Is there somewhere else I can find this information?