Stylo (Grandmaster Cheater Supreme)
Posted: Tue Nov 27, 2012 10:50 pm  Post subject: Getting the PEB for remote process
Does any of you know an alternative way to get the PEB address for a remote process than NtQueryInformationProcess?
For some reason it's not a reliable way; it gives me a different address every time I call it for the same process :S
And I don't want to go too low-level (I also created a driver to get the PEB from the EPROCESS structure, which is a more reliable way).
I want to use it in user mode.
_________________
Stylo
Last edited by Stylo on Thu Nov 29, 2012 7:48 am; edited 1 time in total
Dark Byte (Site Admin)
Posted: Wed Nov 28, 2012 1:13 am
Get the segment base address of FS of any thread (GetThreadSelectorEntry, or Wow64GetThreadSelectorEntry if you're in 64-bit) and go to offset 0x30 to get the address of the PEB.
Another method I noticed is finding the first entry in the stack of the main thread. So far all programs I've seen have the PEB pointer as the first entry.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Stylo (Grandmaster Cheater Supreme)
Posted: Wed Nov 28, 2012 1:26 pm
Yeah, I've noticed too that the first entry on every process has the PEB pointer in the ebx register.
But how would I get there through another process?
And for GetThreadSelectorEntry, how would I get the thread handle for a remote thread?
Dark Byte (Site Admin)
Posted: Wed Nov 28, 2012 1:51 pm
Enumerate the threads, then OpenThread with at least query access.
Stylo (Grandmaster Cheater Supreme)
Posted: Sat Dec 01, 2012 9:21 am
So it's basically possible from any thread that I choose?!
Dark Byte (Site Admin)
Posted: Sat Dec 01, 2012 9:43 am
As long as it is a thread that belongs to the game, yes. Even your own created threads using CreateRemoteThread.
atom0s (Moderator)
Posted: Sat Dec 01, 2012 8:39 pm
Here's an example using CE:
Code:
alloc(chunk,4096)
CREATETHREAD(chunk)      // run the stub on a new thread inside the target process
label(peb)
registersymbol(peb)
chunk:
push eax
mov eax, FS:[0x30]       // TEB+0x30 holds the PEB pointer in a 32-bit process
mov [peb], eax           // store it where the table can read it
pop eax
ret
peb:
dd 0
Add the address 'peb' to your table afterward and it'll be the PEB of the process.
_________________
- Retired.
n0 m3rcY (Cheater)
Posted: Sun Dec 02, 2012 1:51 am
NtQueryInformationProcess will provide you with the PROCESS_BASIC_INFORMATION struct of an external process; then just access the *PebBaseAddress member to get the PEB.
A Wow64 process will have two PEBs though, a 32-bit and a 64-bit one. The 32-bit one mirrors the 64-bit one on creation; however, the system uses the 64-bit one.
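A worked version of this approach, added here as an example (not code from the thread or from Cheat Engine): it calls NtQueryInformationProcess with ProcessBasicInformation for the native PEB and, for the Wow64 case just described, with ProcessWow64Information (class 26), which returns the 32-bit PEB address or 0 for a native process. It assumes a 64-bit PowerShell host and a target the caller may open for query access; PebProbe, NtQueryWow64Information and Get-ProcessPeb are names chosen here.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class PebProbe {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus; public IntPtr PebBaseAddress; public IntPtr AffinityMask;
        public IntPtr BasePriority; public IntPtr UniqueProcessId; public IntPtr InheritedFromUniqueProcessId;
    }
    // Class 0 (ProcessBasicInformation) fills PROCESS_BASIC_INFORMATION.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls,
        ref PROCESS_BASIC_INFORMATION info, int len, out int ret);
    // Class 26 (ProcessWow64Information) returns the 32-bit PEB address, 0 for a native process.
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int NtQueryWow64Information(IntPtr h, int cls, ref IntPtr info, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src
# Added example (not from the thread); assumes a 64-bit PowerShell host.
function Get-ProcessPeb {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [PebProbe]::OpenProcess(0x0400, $false, $ProcessId)   # PROCESS_QUERY_INFORMATION
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId): $([ComponentModel.Win32Exception]::new().Message)"
    }
    try {
        $pbi = [PebProbe+PROCESS_BASIC_INFORMATION]::new(); $ret = 0
        $st = [PebProbe]::NtQueryInformationProcess($h, 0, [ref]$pbi,
            [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$ret)
        if ($st -ne 0) { throw ('ProcessBasicInformation: NTSTATUS 0x{0:X8}' -f $st) }
        $wow = [IntPtr]::Zero
        $st = [PebProbe]::NtQueryWow64Information($h, 26, [ref]$wow, [IntPtr]::Size, [ref]$ret)
        if ($st -ne 0) { throw ('ProcessWow64Information: NTSTATUS 0x{0:X8}' -f $st) }
        # PebBaseAddress is the native PEB, fixed for the process lifetime; a Wow64 process also owns a 32-bit PEB (the one reached via FS:[0x30]).
        $peb32 = if ($wow -ne [IntPtr]::Zero) { '0x{0:X}' -f $wow.ToInt64() } else { $null }
        [pscustomobject]@{
            ProcessId = $ProcessId
            Peb64     = '0x{0:X}' -f $pbi.PebBaseAddress.ToInt64()
            Peb32     = $peb32
            IsWow64   = ($wow -ne [IntPtr]::Zero)
        }
    } finally { [void][PebProbe]::CloseHandle($h) }
}
Get-ProcessPeb -ProcessId $PID   # e.g. inspect this PowerShell host itself
```

Because the PEB address does not change while a process runs, calling Get-ProcessPeb twice for the same PID must return the same Peb64; a value that differs between calls points at a wrong struct layout or buffer size on the caller's side, not at the process.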