Created: Thursday, September 8 2005 08:36.04 CDT Modified: Saturday, September 10 2005 09:22.28 CDT
finding the peb of other process in xp-sp2
Author: anonymouse # Views: 2610

well, up to w2k the peb was at a constant address, viz. 0x7ff######,
and everyone could find it easily by just #defining a constant or reading fs:[30].
but things changed a little with xp-sp2:
all the hardcoded-peb programs started to fail, because xp-sp2 no longer maps it at a constant address.

i wanted to find the peb of a remote process;
actually i wanted to modify some data in the peb of a remote process while fiddling with a plugin for ollydbg,
and after googling a lot and finding bits and pieces of
info around the world i put together working code that
achieved my objective.

after looking at joestewart's blog (attachanyway plugin), which effectively wanted to do the same thing, i sent him a message with the snippet; he asked me to blog it, so here it is, my first try in the blogging world :)
hope it turns out to be an addiction.
the code is something like this:



    #include <winternl.h>   /* those who don't have this .h (bcb free command-line users like me): fetch it from winecvs */

    NTSTATUS (WINAPI *ntdll_NtQueryInformationProcess)(HANDLE,PROCESSINFOCLASS,PVOID,ULONG,PULONG);

now that's not correct by the standards, but the hack works :)

    PROCESS_BASIC_INFORMATION pbi;
    MEMORY_BASIC_INFORMATION mbi;
    HANDLE debproc;
    DWORD pid, lpOld;
    BYTE *status;        /* will point at peb+0x68 (GlobalFlag) of the debuggee */
    DWORD dlah, elah;    /* old and new GlobalFlag values */

now the actual code (it's ollydbg plugin based, but you can easily strip the unwanted parts and modify it to suit your needs):

    if (debev.u.Exception.ExceptionRecord.ExceptionAddress == ntdll_DbgBreakPoint)
    {
        /* resolve NtQueryInformationProcess at run time (Dll_Handle is assumed to be the ntdll module handle) */
        *(FARPROC *)&ntdll_NtQueryInformationProcess = GetProcAddress(Dll_Handle,"NtQueryInformationProcess");
        if(ntdll_NtQueryInformationProcess == 0)
        {
            MessageBox(hwmain,"error","GetProcFailed",MB_OK);
            return 0;
        }

        pid = Plugingetvalue(VAL_PROCESSID);
        debproc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
        if(debproc == NULL)
        {
            MessageBox(hwmain,"error","OpenProcessFailed",MB_OK);
            return 0;
        }
        /* ProcessBasicInformation hands us the peb base of the remote process */
        ntdll_NtQueryInformationProcess(debproc,ProcessBasicInformation,&pbi,sizeof(pbi),NULL);
        status = (BYTE *)pbi.PebBaseAddress + 0x68;    /* a cast is not an lvalue, so do the arithmetic this way */
        VirtualQueryEx(debproc,status,&mbi,sizeof(mbi));
        VirtualProtectEx(debproc,mbi.BaseAddress,mbi.RegionSize,PAGE_EXECUTE_READWRITE,&lpOld);
        ReadProcessMemory(debproc,status,&dlah,4,NULL);
        elah = dlah | 0x02;    /* OR in LDR_SHOW_SNAPS */
        WriteProcessMemory(debproc,status,&elah,4,NULL);
        CloseHandle(debproc);
    }

the above code modifies a remote process's GlobalFlag
(peb+0x68) by ORing in LDR_SHOW_SNAPS.
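As an added example (not from this post or the ollydbg plugin), here is the same peb lookup done read-only from Python with ctypes: it locates the remote peb through NtQueryInformationProcess(ProcessBasicInformation) and then reads BeingDebugged and NtGlobalFlag, so you can check whether a process already has LDR_SHOW_SNAPS (FLG_SHOW_LDR_SNAPS) or the heap-debug bits set instead of writing to it. It assumes Windows, a caller of the same bitness as the target, and goes beyond the post's x86-only 0x68 by also carrying the x64 offset (0xBC), which is my addition.

```python
import ctypes
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ, ProcessBasicInformation = 0x0400, 0x0010, 0
# NtGlobalFlag bits (Windows SDK names); FLG_SHOW_LDR_SNAPS is the LDR_SHOW_SNAPS the post ORs in
NT_GLOBAL_FLAG_BITS = {0x02: "FLG_SHOW_LDR_SNAPS", 0x10: "FLG_HEAP_ENABLE_TAIL_CHECK",
                       0x20: "FLG_HEAP_ENABLE_FREE_CHECK", 0x40: "FLG_HEAP_VALIDATE_PARAMETERS"}

class PROCESS_BASIC_INFORMATION(ctypes.Structure):  # layout as declared in winternl.h
    _fields_ = [("Reserved1", ctypes.c_void_p), ("PebBaseAddress", ctypes.c_void_p),
                ("Reserved2", ctypes.c_void_p * 2), ("UniqueProcessId", ctypes.c_void_p),
                ("Reserved3", ctypes.c_void_p)]

def peb_field_offsets(pointer_size):
    # 0x68 is the post's x86 NtGlobalFlag offset; 0xBC is the x64 layout (my assumption, not from the post)
    if pointer_size == 4:
        return {"BeingDebugged": 0x02, "NtGlobalFlag": 0x68}
    if pointer_size == 8:
        return {"BeingDebugged": 0x02, "NtGlobalFlag": 0xBC}
    raise ValueError("unsupported pointer size")
def decode_global_flag(value):
    return sorted(name for bit, name in NT_GLOBAL_FLAG_BITS.items() if value & bit)

def read_remote_peb_flags(pid):
    """Windows only: locate the PEB of `pid` via NtQueryInformationProcess and read two fields (no writes)."""
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.OpenProcess.restype = ctypes.c_void_p          # HANDLE must not be truncated to int on x64
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                                ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        pbi = PROCESS_BASIC_INFORMATION()
        status = ntdll.NtQueryInformationProcess(handle, ProcessBasicInformation,
                                                 ctypes.byref(pbi), ctypes.sizeof(pbi), None)
        if status != 0:  # anything other than STATUS_SUCCESS
            raise OSError("NtQueryInformationProcess failed: 0x%08x" % (status & 0xFFFFFFFF))
        offsets = peb_field_offsets(ctypes.sizeof(ctypes.c_void_p))  # caller and target must match bitness
        result = {"PebBaseAddress": pbi.PebBaseAddress}
        for field, width in (("BeingDebugged", 1), ("NtGlobalFlag", 4)):
            buf = ctypes.create_string_buffer(width)
            if not k32.ReadProcessMemory(handle, pbi.PebBaseAddress + offsets[field], buf, width, None):
                raise ctypes.WinError()
            result[field] = int.from_bytes(buf.raw, "little")
        result["flags"] = decode_global_flag(result["NtGlobalFlag"])
        return result
    finally:
        k32.CloseHandle(handle)
```

A WOW64 target seen from a 64-bit caller has a second, 32-bit peb, so for that case run the script from a 32-bit Python instead.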



now i should thank matt pietrek (in his msdn blog) and russell osterlund (in a comment on the above-mentioned blog),
whose ideas the above code is based upon.


edit :-
well, i remember seeing russell's comment stating that his pebrowse is able to fetch the environment strings from a remote process, but i can't find it now :(
the blog still mentions russell's toptobottom, though:

http://blogs.msdn.com/matt_pietrek/archive/2004/08/25/220330.aspx
while googling i stumbled upon this today:
http://www.codeproject.com/threads/CmdLine.asp#xx1113411xx
should be worth bookmarking.




Best Regards
anonymouse
