deck_bsd

  1. Yes, it shouldn't be alone but like this:

     #if defined(_M_X64) // x64
         // On x64 the TEB is reached through GS and the field is 64 bits wide, so use __readgsqword
         auto pPeb = reinterpret_cast<PPEB>(__readgsqword(static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock))));
     #elif defined(_M_ARM) // ARM
         auto pTeb = reinterpret_cast<PTEB>(_MoveFromCoprocessor(15, 0, 13, 0, 2)); // CP15_TPIDRURW
         auto pPeb = pTeb->ProcessEnvironmentBlock; // same variable name as the other branches
     #else // x86
         auto pPeb = reinterpret_cast<PPEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock)));
     #endif
  2. Yes, that's why I said OK for the 0x30, to not use it. But this line works, right?

     auto pPeb = reinterpret_cast<PPEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock)));

     It's shorter. Yes, TEB and TIB are the same in the documentation, but the structure is different in the code. I found why you can convert TIB to TEB. It's because at the beginning of the TEB structure you have a TIB structure as the first field.
  3. Hello, sorry for bumping this thread. I have a little question. Why didn't you do it like this? For example:

     auto pPeb = reinterpret_cast<PPEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock)));

     or

     DWORD offset = 0x30;
     auto pPeb = reinterpret_cast<PPEB>(__readfsdword(offset));

     Well, for the last one I can understand. But why not like the first one? You don't need the TEB or TIB structure.

     I also have one last question. Why can you pass from a TIB structure to a TEB structure? They are not the same :/ so why not use TEB directly? I mean, in this line for example:

     auto pTeb = reinterpret_cast<PTEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PNT_TIB>(nullptr)->Self)));

     You start from PNT_TIB and finish with PTEB. How is it possible? Does that mean that on the FS segment there is a TEB structure, not a TIB?

     Best regards
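
An added example, not part of the posts above or of the original thread's code: it models the leading TEB fields to show why a pointer read from NT_TIB::Self can be used as a PTEB, and where the 0x30 comes from (0x60 on x64). MockNtTib, MockTeb and read_segment are hypothetical stand-ins for the Windows structures and the __readfsdword/__readgsqword intrinsics, so the block builds without the Windows headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed mock of the leading TEB fields (not the winternl.h types).
// P is the pointer-sized integer: uint32_t models x86, uint64_t models x64.
template <typename P> struct MockNtTib {
    P ExceptionList, StackBase, StackLimit, SubSystemTib, FiberData,
      ArbitraryUserPointer;
    P Self;  // linear address of the TIB itself
};
template <typename P> struct MockTeb {
    MockNtTib<P> NtTib;  // first member: the TEB and its TIB share one address
    P EnvironmentPointer;
    P ClientId[2];       // UniqueProcess, UniqueThread
    P ActiveRpcHandle;
    P ThreadLocalStoragePointer;
    P ProcessEnvironmentBlock;
};
template <typename P> constexpr std::size_t self_offset() { return offsetof(MockNtTib<P>, Self); }
template <typename P> constexpr std::size_t peb_offset() { return offsetof(MockTeb<P>, ProcessEnvironmentBlock); }
static_assert(self_offset<std::uint32_t>() == 0x18 && peb_offset<std::uint32_t>() == 0x30, "x86");
static_assert(self_offset<std::uint64_t>() == 0x30 && peb_offset<std::uint64_t>() == 0x60, "x64");

using TebHost = MockTeb<std::uintptr_t>;  // layout for the machine running this

// Stand-in for __readfsdword/__readgsqword: read a pointer-sized value at
// `offset` from the base of the thread's segment (here, a mock TEB in memory).
std::uintptr_t read_segment(const TebHost& seg, std::size_t offset) {
    std::uintptr_t value;
    std::memcpy(&value, reinterpret_cast<const unsigned char*>(&seg) + offset, sizeof value);
    return value;
}
// Route 1 (the shorter line from the posts): read the PEB pointer directly.
std::uintptr_t peb_direct(const TebHost& seg) {
    return read_segment(seg, peb_offset<std::uintptr_t>());
}
// Route 2: read NT_TIB::Self, then use the result as a TEB pointer.
std::uintptr_t peb_via_self(const TebHost& seg) {
    auto teb = reinterpret_cast<const TebHost*>(read_segment(seg, self_offset<std::uintptr_t>()));
    return teb->ProcessEnvironmentBlock;
}

int main() {
    TebHost teb{};
    teb.NtTib.Self = reinterpret_cast<std::uintptr_t>(&teb);
    teb.ProcessEnvironmentBlock = 0x1000;  // constructed value
    return peb_direct(teb) == peb_via_self(teb) ? 0 : 1;
}
```

Both routes return the same pointer; the direct read saves one dereference, while the Self route yields a usable TEB pointer for reading other fields.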