
Win32 system structures like TEB, PEB and so on are easy to find for the current process, by accessing the TIB relative to FS/GS like NtCurrentTeb() and the TLS functions do.

Doing the same in another process would require code injection for performing accesses relative to FS/GS, or knowledge of the flat address of some key data item so that the process info structures can be walked using ReadProcessMemory().

What would be the best - most stable, least undocumented - way of accomplishing the latter? In case it matters, at the moment I'm mostly interested in accessing TLS data.

DarthGizka

1 Answer

Matt Pietrek's "Under the Hood" column for August 2004, "Reading another process's environment", mentions the NtQueryInformationProcess() function.

For information class 0 (ProcessBasicInformation) it returns a structure that contains a pointer to the PEB, among other things. The function comes with some health warnings and it is not contained in the standard import libraries of the Windows SDK, but a declaration for it is available in <winternl.h> so that the result of GetProcAddress() can be typed correctly.

A file named utility.cpp on Google Code demonstrates how to use GetThreadSelectorEntry() to obtain the selector base for a given selector in a given thread. With the actual values of the segment registers available via GetThreadContext(), this allows it to resolve segmented user-space addresses to linear addresses for use with ReadProcessMemory(). These functions are part of the core debugger support and hence reliably available.

WOW64 adds a few minor twists (Wow64GetThreadContext() etc.) but no serious complications.

Tested on XP, Windows 7 and Windows 8.1.

DarthGizka