atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Mon Sep 11, 2017 1:58 am Post subject: |
|
|
NtQueryInformationThread is the main thing that is important with this. The class object used would be 'ThreadBasicInformation' and then from the returned object, you would need to use the 'TebBaseAddress' field.
You can also use inline asm or intrustic functions to pull the information.
You can pull this via intrustic functions like this:
32bit:
Code: | auto teb = (TEB32*)__readfsdword(0x18) |
64bit:
Code: | auto teb = (TEB64*)__readgsqword(0x30); |
Keep in mind these are only for the current process, so you would either need to inject this into the target or have it running from the target process in the first place.
Also, keep in mind if you are in a WOW64 process, you need to account for that. When that is the case, you use the 32bit method and subtract 0x2000 from the original entry. A WOW64 process has both a 32bit and 64bit TEB block to account for. _________________
- Retired. |
|