finding the peb of another process on xp-sp2
anonymouse <any_anonymouseyahoocom> Thursday, September 8 2005 08:36.04 CDT


well, up till w2k the peb was at a constant address, viz. 0x7ff######,
so everyone could find it easily by just #defining a constant or reading fs:[30h].
but things changed a little with xp-sp2:
all the hardcoded-peb programs started to fail because xp-sp2 was no longer mapping it to a constant address.

i wanted to find the peb of a remote process.
actually i wanted to modify some data in the peb of a remote process while fiddling with a plugin for ollydbg,
and after googling a lot and finding bits and pieces of
info around the world i made working code that could
achieve my objective.

after looking at joestewart's blog (the attachanyway plugin), which effectively wanted to do the same thing, i sent him a message with the snippet. he asked me to blog it, so here it is, my first try in the blogging world :)
hope it turns out to be an addiction.
the code is something like this:



#include <windows.h>
#include <winternl.h>   /* fetch this .h from wine cvs if you don't have it (bcb free commandline users like me) */

/* NtQueryInformationProcess isn't in the import libs, so it is resolved at runtime into this pointer */
NTSTATUS (WINAPI *ntdll_NtQueryInformationProcess)(HANDLE,PROCESSINFOCLASS,PVOID,ULONG,PULONG);

now that's not correct by standards but the hack works :)

PROCESS_BASIC_INFORMATION pbi;

now the actual code (it's ollydbg plugin based, but you can easily strip the unwanted parts and modify it to suit your needs):

/* Dll_Handle: module handle of ntdll.dll; hwmain: ollydbg's main window; debev: the DEBUG_EVENT ollydbg hands the plugin */
if (debev.u.Exception.ExceptionRecord.ExceptionAddress == ntdll_DbgBreakPoint)
{
    DWORD pid;
    HANDLE debproc;
    BYTE *status;                       /* address of peb->NtGlobalFlag inside the debuggee */
    MEMORY_BASIC_INFORMATION mbi;
    DWORD lpOld;
    DWORD elah;                         /* NtGlobalFlag value read from the debuggee */

    *(FARPROC *)&ntdll_NtQueryInformationProcess = GetProcAddress(Dll_Handle,"NtQueryInformationProcess");
    if(ntdll_NtQueryInformationProcess == 0)
    {
        MessageBox(hwmain,"error","GetProcFailed",MB_OK);
        return 0;
    }

    pid = Plugingetvalue(VAL_PROCESSID);
    debproc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(debproc == NULL)
        return 0;
    /* ProcessBasicInformation hands back the remote peb base, no hardcoded address needed */
    if(ntdll_NtQueryInformationProcess(debproc,ProcessBasicInformation,&pbi,sizeof(pbi),NULL) != 0)
    {
        CloseHandle(debproc);
        return 0;
    }
    status = (BYTE *)pbi.PebBaseAddress + 0x68;   /* peb->NtGlobalFlag (x86 layout) */
    VirtualQueryEx(debproc,status,&mbi,sizeof(mbi));
    VirtualProtectEx(debproc,mbi.BaseAddress,mbi.RegionSize,PAGE_EXECUTE_READWRITE,&lpOld);
    ReadProcessMemory(debproc,status,&elah,sizeof(elah),NULL);
    elah |= 0x02;                                 /* FLG_SHOW_LDR_SNAPS */
    WriteProcessMemory(debproc,status,&elah,sizeof(elah),NULL);
    CloseHandle(debproc);
}

the above code modifies the remote process's NtGlobalFlag (peb+0x68) by ORing in LDR_SHOW_SNAPS (FLG_SHOW_LDR_SNAPS, 0x02).
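As an added example (not the post's code), here is the same NtGlobalFlag patch with the remote-memory access put behind a callback, so the flag logic can run against a constructed PEB image offline and, on Windows, against the post's NtQueryInformationProcess / ReadProcessMemory / WriteProcessMemory walk in the _WIN32 section. The names fake_proc, or_ntglobalflag and or_ntglobalflag_pid are mine, not anything from the post or from ollydbg, and the fake image is constructed sample data.

```c
#include <stdint.h>
#include <string.h>

#define PEB_NTGLOBALFLAG_X86 0x68u   /* offset the post uses; the x64 PEB keeps NtGlobalFlag at 0xBC */
#define FLG_SHOW_LDR_SNAPS   0x00000002u

/* copy len bytes between address addr in the target and buf; returns 1 on success */
typedef int (*mem_rw_fn)(void *ctx, uintptr_t addr, void *buf, size_t len);

/* OR flag into NtGlobalFlag of the PEB at peb; returns the previous value, or -1 on failure */
static long or_ntglobalflag(mem_rw_fn rd, mem_rw_fn wr, void *ctx, uintptr_t peb, uint32_t flag)
{
    uintptr_t addr = peb + PEB_NTGLOBALFLAG_X86;
    uint32_t old, cur;
    if (!rd(ctx, addr, &old, sizeof old)) return -1;
    cur = old | flag;
    if (cur != old && !wr(ctx, addr, &cur, sizeof cur)) return -1;   /* only write when something changes */
    return (long)old;
}

/* constructed stand-in for a debuggee (hypothetical, not a real process): a 0x100-byte PEB image at a fake base */
typedef struct { uintptr_t base; uint8_t mem[0x100]; } fake_proc;
static int fake_io(void *ctx, uintptr_t addr, void *buf, size_t len, int write)
{
    fake_proc *p = ctx;
    if (addr < p->base || addr - p->base + len > sizeof p->mem) return 0;   /* outside the image */
    if (write) memcpy(p->mem + (addr - p->base), buf, len);
    else       memcpy(buf, p->mem + (addr - p->base), len);
    return 1;
}
static int fake_rd(void *c, uintptr_t a, void *b, size_t n) { return fake_io(c, a, b, n, 0); }
static int fake_wr(void *c, uintptr_t a, void *b, size_t n) { return fake_io(c, a, b, n, 1); }
#ifdef _WIN32   /* real backend: the post's NtQueryInformationProcess walk; 32-bit build, 32-bit target */
#include <windows.h>
#include <winternl.h>
static int win_rd(void *h, uintptr_t a, void *b, size_t n) { return ReadProcessMemory((HANDLE)h, (LPCVOID)a, b, n, NULL) != 0; }
static int win_wr(void *h, uintptr_t a, void *b, size_t n) { return WriteProcessMemory((HANDLE)h, (LPVOID)a, b, n, NULL) != 0; }
long or_ntglobalflag_pid(DWORD pid, uint32_t flag)   /* returns the previous NtGlobalFlag of pid, or -1 */
{
    NTSTATUS (WINAPI *pNtQIP)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
    PROCESS_BASIC_INFORMATION pbi;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);
    long r = -1;
    *(FARPROC *)&pNtQIP = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (h && pNtQIP && pNtQIP(h, ProcessBasicInformation, &pbi, sizeof pbi, NULL) == 0)
        r = or_ntglobalflag(win_rd, win_wr, h, (uintptr_t)pbi.PebBaseAddress, flag);
    if (h) CloseHandle(h);
    return r;
}
#endif
```

The minimal access mask in the Windows backend replaces the post's PROCESS_ALL_ACCESS, and the x64 offset comment is the caveat to keep in mind when the same code is built for a 64-bit debugger.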



now i should thank Matt Pietrek (in his msdn blog) and Russell Osterlund (in a comment on the above mentioned blog),
whose ideas the above code is based upon.


edit :-
well, i remember seeing russell's comment stating that his pebrowse is able to fetch the environment strings from a remote process, but i can't find it now :(
but the blog still mentions russell's toptobottom:

http://blogs.msdn.com/matt_pietrek/archive/2004/08/25/220330.aspx
while googling i stumbled upon this today:
http://www.codeproject.com/threads/CmdLine.asp#xx1113411xx
should be worth bookmarking.




Best Regards
anonymouse




