Probably a fairly simple mistake/question as I'm relatively new to C++. I'm trying to query a process's basic information via NtQueryInformationProcess. It all works as expected when using the PROCESS_BASIC_INFORMATION defined in winternl.h.
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
Now, I've tried partially modifying the structure to have a PPEBx64 structure instead of a PPEB with:
typedef struct _PROCESS_BASIC_INFORMATION_x64 {
PVOID Reserved1;
_PEBx64 PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;} _PROCESS_BASIC_INFORMATIONx64;
typedef _PROCESS_BASIC_INFORMATION_x64* _PPROCESS_BASIC_INFORMATIONx64;
And
typedef struct _PEBx64 {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[21];
PPEB_LDR_DATA LoaderData;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved3[520];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved4[136];
ULONG SessionId;} PEBx64;
The _PEBx64 definition comes straight from https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
It goes without saying that I could work with the original PROCESS_BASIC_INFORMATION but I'd like to know, for learning purposes, what am I doing wrong here. There's no error whatsoever but _PROCESS_BASIC_INFORMATIONx64 fails to load process data(UniqueId is 0, there's no Peb Base Address, etc...)
I'm using:
NtQueryInformationProcess(pStartupInfo.hProcess, ProcessBasicInformation, &pProcessInfo, sizeof(_PROCESS_BASIC_INFORMATION_x64), &returnLength);
Update:Debugger
Thanks in advance!
