
Code:

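/*
 * Probe: start ad.exe suspended, locate its PEB via NtQueryInformationProcess
 * and copy the PEB out of the child with ReadProcessMemory.
 *
 * The child is never resumed here, so every exit path after CreateProcess
 * terminates it and closes both handles; otherwise a suspended process (and
 * two handles) would outlive this function.  Returns 0 on success, -1 on any
 * failure.
 */
STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };
PROCESS_BASIC_INFORMATION pbi = { 0 };
PEB peb = { 0 };
ULONG dwRead = 0;
SIZE_T stRead = 0;
NTSTATUS status;
HMODULE hNtdll;
NtQueryInformationProcessFn pNtQueryInformationProcess;
int rc = -1;

/* CreateProcess requires cb to hold the size of the STARTUPINFO it receives. */
si.cb = sizeof si;

/* CreateProcess may modify the command-line buffer, so it must be a writable
 * array rather than a string literal. */
WCHAR lpCmdline[] = L"ad.exe";
if (!CreateProcess(
    NULL,
    lpCmdline,
    NULL, NULL, TRUE,
    CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
    /* DWORD is unsigned long: %lu, not %d. */
    wprintf(L"Create process fail: %lu\n", GetLastError());
    return -1;
}

/*
 * ntdll is mapped into every process, so GetModuleHandle is enough and no
 * LoadLibrary reference has to be released.  Both lookups are checked:
 * calling through a NULL function pointer is undefined behaviour.
 *
 * NOTE: NtQueryInformationProcessFn is declared outside this snippet and must
 * carry the NTAPI (__stdcall) calling convention.  With the default cdecl the
 * caller and callee disagree on who pops the five arguments, the stack is left
 * misaligned after the call and locals such as pi are overwritten - which
 * shows up as a changed pi.hProcess and ERROR_INVALID_HANDLE (6) from
 * ReadProcessMemory.
 */
hNtdll = GetModuleHandle(L"ntdll");
pNtQueryInformationProcess = hNtdll
    ? (NtQueryInformationProcessFn)GetProcAddress(hNtdll, "NtQueryInformationProcess")
    : NULL;
if (!pNtQueryInformationProcess) {
    wprintf(L"Resolve NtQueryInformationProcess fail: %lu\n", GetLastError());
    goto cleanup;
}

/*
 * Native API routines report through the returned NTSTATUS, not GetLastError.
 * NT_SUCCESS is the right test: NT_ERROR only catches severity-3 statuses and
 * lets warnings (0x8xxxxxxx) through as if they had succeeded.
 */
status = pNtQueryInformationProcess(
    pi.hProcess, ProcessBasicInformation,
    &pbi, sizeof pbi, &dwRead);
if (!NT_SUCCESS(status)) {
    wprintf(L"Call NtQueryInformationProcess error: 0x%08lX\n", (unsigned long)status);
    goto cleanup;
}

/* sizeof on an object needs no parentheses; sizeof on a type name (PEB) does.
 * The byte count is checked so a short read is not mistaken for a full PEB. */
if (!ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof peb, &stRead)
    || stRead != sizeof peb) {
    wprintf(L"Call ReadProcessMemory fail: %lu\n", GetLastError());
    goto cleanup;
}

rc = 0;

cleanup:
/* The child was created suspended and never resumed; tear it down rather than
 * leave it behind, then release both handles CreateProcess handed out. */
TerminateProcess(pi.hProcess, 0);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return rc;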

Compiled as an x86 binary, and ad.exe is also an x86 binary. The system is 64-bit Windows 10.

PS C:\> .\t.exe
Call ReadProcessMemory fail: 6
PS C:\> file .\t.exe
.\t.exe: PE32 executable (console) Intel 80386, for MS Windows
PS C:\> file .\ad.exe
.\ad.exe: PE32 executable (console) Intel 80386, for MS Windows
  • Well, error code 6 is `ERROR_INVALID_HANDLE`... Your code works for me on Win10-64, for 32-bit executables – Vlad Feinstein Aug 28 '20 at 20:18
  • So weird. I have tested on 2 machines, and they both returned error code 6. I wonder if there's any way I can debug the reason – Iv4n Aug 30 '20 at 14:39
  • Your code also works for me. My environment is the same as yours. Have you tried other 32-bit executable programs? – Strive Sun Aug 31 '20 at 03:08
  • Debugging suggestion: print `pi.hProcess` before and after your call to `pNtQueryInformationProcess()` to make sure it didn't get corrupted for some reason. Also, can you make sure that the version of `"ad.exe"` on the failing systems is in fact 32-bit? – Vlad Feinstein Sep 01 '20 at 17:52
  • Yes, I have tried other 32-bit executables; they both fail with the same error – Iv4n Sep 04 '20 at 14:02
  • I think you are right, `pi.hProcess` has been corrupted after the function call. I have printed `pi.hProcess` before and after calling `pNtQueryInformationProcess`; the first output is `000000F4` and the second is `00AFF000`. Why does this function call change the value of `pi.hProcess` (isn't `pi.hProcess` passed by value?) – Iv4n Sep 04 '20 at 14:19
  • Found the reason, I forgot to specify the function calling convention. Thank you for your help! – Iv4n Sep 05 '20 at 02:34
