
Reading PEB

Hi Guys

I tried to get the address of the PEB of my own process. It seems to work, but the return value is wrong.

Can anyone take a look at the script and show me where the failure is?

The structures and method were taken from a script by trancexx.


$hProcess = DllCall("kernel32.dll", "handle", "GetCurrentProcess")
$hThread = DllCall("kernel32.dll", "handle", "GetCurrentThread")

$interpreter_type = @AutoItX64
ConsoleWrite("x64 Interpreter? = " & $interpreter_type &@CRLF)

If $interpreter_type Then
    $iRunFlag = 2
    $tCONTEXT = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & _ ; Register parameter home addresses
            "dword ContextFlags; dword MxCsr;" & _ ; Control flags
            "word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & _ ; Segment Registers and processor flags
            "uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & _ ; Debug registers
            "uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & _ ; Integer registers
            "uint64 Rip;" & _ ; Program counter
            "uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & _ ; Floating point state (types are not correct for simplicity reasons!!!)
            "uint64 VectorRegister[52]; uint64 VectorControl;" & _ ; Vector registers (type for VectorRegister is not correct for simplicity reasons!!!)
            "uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip") ; Special debug control registers
Else
    $iRunFlag = 1
    $tCONTEXT = DllStructCreate("dword ContextFlags;" & _ ; Control flags
            "dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & _ ; CONTEXT_DEBUG_REGISTERS
            "dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & _ ; CONTEXT_FLOATING_POINT
            "dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & _ ; CONTEXT_SEGMENTS
            "dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & _ ; CONTEXT_INTEGER
            "dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & _ ; CONTEXT_CONTROL
            "byte ExtendedRegisters[512]") ; CONTEXT_EXTENDED_REGISTERS
EndIf

Switch $iRunFlag
    Case 1
        $CONTEXT_FULL = 0x10007
    Case 2
        $CONTEXT_FULL = 0x100007
EndSwitch

$set = DllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL)

$aCall = DllCall("kernel32.dll", "bool", "GetThreadContext", _
        "handle", $hThread[0], _
        "ptr", DllStructGetPtr($tCONTEXT))

If @error Or Not $aCall[0] Then
    MsgBox(16,"","call to GetThreadContext failed")
EndIf

Local $pPEB
Switch $iRunFlag
    Case 1
        $pPEB = DllStructGetData($tCONTEXT, "Ebx")
    Case 2
        $pPEB = DllStructGetData($tCONTEXT, "Rdx")
EndSwitch

MsgBox(0,"","PEB adr: " & hex($pPEB) &@CRLF)
Edited by Mosoo

ebx is a work register, kinda like a variable, though not at all...

It will only hold PEB at the specific moment trancexx used it.

When proc is running, it will hold ANY value..

Look at trancexx's code, edit of mine, here instead...


Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
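
An added example, not code from this thread or from trancexx: one way to get the PEB address of the running process without relying on a register snapshot is to ask for ProcessBasicInformation through NtQueryInformationProcess. The function name _GetOwnPEB is made up for this example; the struct fields follow the documented PROCESS_BASIC_INFORMATION layout.

```autoit
; Added example: query the PEB address of the current process.
; _GetOwnPEB is a hypothetical helper name, not part of any UDF.

Func _GetOwnPEB()
    ; PROCESS_BASIC_INFORMATION; AutoIt's default alignment pads after
    ; the 4-byte fields on x64, matching the native layout
    Local $tPBI = DllStructCreate("long ExitStatus; ptr PebBaseAddress; ulong_ptr AffinityMask;" & _
            "long BasePriority; ulong_ptr UniqueProcessId; ulong_ptr InheritedFromUniqueProcessId")

    ; GetCurrentProcess returns a pseudo handle, so nothing has to be closed
    Local $aProc = DllCall("kernel32.dll", "handle", "GetCurrentProcess")
    If @error Then Return SetError(1, 0, 0)

    ; Information class 0 = ProcessBasicInformation
    Local $aCall = DllCall("ntdll.dll", "long", "NtQueryInformationProcess", _
            "handle", $aProc[0], _
            "int", 0, _
            "ptr", DllStructGetPtr($tPBI), _
            "ulong", DllStructGetSize($tPBI), _
            "ulong*", 0)
    If @error Then Return SetError(2, 0, 0)

    ; The call returns an NTSTATUS; negative values are failures
    If $aCall[0] < 0 Then Return SetError(3, $aCall[0], 0)

    Return DllStructGetData($tPBI, "PebBaseAddress")
EndFunc

Local $pPEB = _GetOwnPEB()
Local $iErr = @error, $iExt = @extended

If $iErr Then
    ConsoleWrite("Query failed, step = " & $iErr & ", NTSTATUS = 0x" & Hex($iExt) & @CRLF)
Else
    ; Sanity check: the documented PEB starts with two reserved bytes
    ; followed by the BeingDebugged flag
    Local $tPEB = DllStructCreate("byte Reserved1[2]; byte BeingDebugged", $pPEB)
    ConsoleWrite("PEB address:   " & $pPEB & @CRLF)
    ConsoleWrite("BeingDebugged: " & DllStructGetData($tPEB, "BeingDebugged") & @CRLF)
EndIf
```

Reading BeingDebugged through the returned pointer is a quick way to confirm the address really is the PEB: it prints 0 for a normal run and 1 when the script is started under a debugger.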
