5

Specs: Windows 7 x64, Visual C++

Objective: I'm trying to get the remote PEB from a sample program (calc.exe e.g.). I've found the proc ID and I've opened a handle to the process with all the good rights. I've now moved on to writing a class to retrieve the location of the PEB from the process using PROCESS_BASIC_INFORMATION.

Problem: I've found several posts elsewhere that seem to indicate that the NtQueryInformationProcess turned to shit at MS. One post suggests a method of dynamic-runtime-linking NtQueryInformationProcess out of ntdll.dll. However, I think this would be unstable in the long-run (MS could remove NtQueryInformationProcess tomorrow) without extensive error handling.

This idea is realized later in this thread, and it is then suggested by Mike2343 that one should "use other methods."

Questions: What would be another method to locate the PEB of a remote process that doesn't involve NtQueryInformationProcess?

Thanks to anyone who spends any time looking at this.

user850275
  • 311
  • 3
  • 7
  • 17
  • 1
    NtQueryInformationProcess is part of the native Windows api. Which is undocumented and strongly subject to change from one version of Windows to another. The only reason it is documented at all is because they were forced to by a settlement with the Department of Justice. Taking a dependency on it is very unwise. You haven't at all mentioned *why* you need the PEB so you cut yourself off from documented alternatives for info that's stored in the PEB. – Hans Passant Jul 21 '12 at 16:09
  • I need it for experimentation above all things, but I suppose a specific and typical instance would help: PEBBaseAddress -> ImageBaseAddress -> return PLoaded_Image struct -> Remote Import Address -> IAT and ILT. – user850275 Jul 21 '12 at 16:32
  • I suppose I can get the base address of the image from [GetModuleHandle](http://msdn.microsoft.com/en-us/library/ms683199%28VS.85%29.aspx). Though, I'm not sure if there's a diff between 32bit and 64bit. – user850275 Jul 21 '12 at 17:29

1 Answers1

2

Method I ended up using:

I stole pretty much all of this code and fixed it up for 64-bit. I spent a ton of time wrapping my head around various documents related to all of the different headers and structs. I also ran into an issue regarding the PE32+ format, where jcopenha was kind enough to enlighten me on a few problems I might be facing. After accounting for these problems I had a functioning program that is capable of obtaining a list of all the DLL's and their respective functions loaded in by an executable along with their relative addresses.

In retrospect, I don't think I had a good handle on what I was attempting to do. I think that I thought I was going to read in a process out of memory and find the PEB related structs or something (Later I found out that image headers and the like account for the information in the PEB). Albeit that may be possible, but what I have now is an offline example that reads in exe files and works for me.

Community
  • 1
  • 1
user850275
  • 311
  • 3
  • 7
  • 17