How can I get the 32 bit stack limits / the 32 bit TEB/TIB from an existing 32 bit process under windows in x64 mode?

Question

Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation to get the TebBaseAddress

but wow64 threads have two stacks, this will only get the 64 bit Teb.

score 2 · Accepted Answer · answered Nov 21 '11 at 13:23

the best way I've found is to get the 32 bit context ( not via GetThreadContext, but Wow64GetThreadContext) and use Wow64GetThreadSelectorEntry to get the address of FS[0] and then use ReadProcessMemory. But the biggest problem is that this requires Win7/Windows2008 Server R2 )

score 1 · Answer 2 · answered Dec 28 '12 at 12:13

1

This is an easier, albeit undocumented, method: http://redplait.blogspot.ru/2012/12/teb32-of-wow64-process.html

answered Dec 28 '12 at 12:13

MarioVilas

912
10
16

1

seems valid, Personally I prefer: http://www.dumpanalysis.org/blog/index.php/2010/10/08/raw-stack-dump-of-all-threads-part-4/ – Dan Dec 28 '12 at 20:04

score 1 · Answer 3 · answered Feb 07 '12 at 01:04

1

Are you using the Windows debugging interface to attach to the process? If so, you should be able to use the lpThreadLocalBase field of the events CREATE_THREAD_DEBUG_INFO and CREATE_PROCESS_DEBUG_INFO to get the TEB base address when a new thread is created.

But I think this only works if your debugger has controlled the process from its creation. This wouldn't help for attaching to an existing process.

answered Feb 07 '12 at 01:04

Mark Seaborn

1,392
13
11

Yes this is for existing processes, but that is a good point. Other people may find that satisfactory. – Dan Feb 07 '12 at 14:56

How can I get the 32 bit stack limits / the 32 bit TEB/TIB from an existing 32 bit process under windows in x64 mode?

3 Answers3