trancexx

Implementation of a standalone TEB and PEB read Method for the Simulation of GetModuleHandle and GetProcAddress functions for loaded PE Module

22 posts in this topic





I have absolutely no idea what you are talking (writing) about, but the Mandelbrot demo is cool, which seems to be based on the 1kb Mandelbrot version. I wondered why a fan started on my notebook while the demo was running, although the CPU usage was accordingly very low, until I found out that the calculation is done by the GPU (ok, you said it in example 8 already, which I had overlooked at first).

But a very nice documentation :thumbsup: I'll probably need several weeks to understand what you are talking about here...

Your skills are far beyond mine and that's terrifying but good to know.

Br,

UEZ


Nice article describing how one can use alternate methods to find DLL export addresses. I'm curious why you posted this here? You could have easily created a blog :)

I've done this export lookup in Assembly threads before, as you probably know. One source of inspiration I used for doing that was this article, which uses assembly and hash lookups. (I don't use hashes myself)

Also, for anyone interested in seeing what's in the TEB and PEB in more detail, try the GUIs in the Processes and Threads UDF in my signature.


Holy crap, I don't understand crap about this crap. The demo is very nice, and the 100% pass rate for 64-bit against AV is interesting. Is there a limit to the type of payload you can sneak by with?


Widely used in malware development.

Regards


The wordy title of this thread reminds me of the long titles in the 'Science and Supercomputing in Europe' 2007 report I posted in chat. Quite a mouthful indeed. :wub:


Which versions of Windows did you try this on? Need any help testing on others?

Windows 7 and 8.1.

If you have Windows RT and know how to run an unauthorised app there, I could add code for it too and write a small app to test with.

@Ascend4nt thanks for the link. And it's here just because, I guess. And maybe because I was told by a few people that this place is dumb and has nothing to show. I said yes, but there are some smart people with enormous capacity around. Plus, there is a possibility it will make me look smarter than I am, which is kind of appealing.


Interesting code. I like how the example is synchronized when you run it multiple times.
I could test it for you. I was thinking about resetting my Surface anyway so I guess I could downgrade to 8.0 for a while.


Excellent. Here's one small app compiled for ARM, using the function, with no imports: Direct2dClock.zip


Mexico?

Excellent, sir! Oh my God, I'm going to update the original post.

Go with God, my beautiful one.


Hello,

Sorry for bumping this thread. I have a little question: why didn't you do it like this? For example:

auto pPeb = reinterpret_cast<PPEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock)));

or

DWORD offset = 0x30;
auto pPeb = reinterpret_cast<PPEB>(__readfsdword(offset));

Well, for the last one I can understand. But why not like the first one? You don't need the TEB or TIB structure :)

I also have one last question.

Why can you go from a TIB structure to a TEB structure? They are not the same :/ So why not use the TEB directly? I mean, in this line for example:

auto pTeb = reinterpret_cast<PTEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PNT_TIB>(nullptr)->Self)));

You start from PNT_TIB and finish with PTEB. How is that possible? Does that mean that on the FS segment there is a TEB structure, not a TIB?

Best regards


Why not just 0x30? Because that's only for the x86 architecture.

It's because PNT_TIB is the first field of the TEB.

TIB and TEB are the same: Thread Environment Block (TEB) or Thread Information Block (TIB).

Regards


Yes, that's why I said OK for the 0x30, to not use it.

But this line works, right?

auto pPeb = reinterpret_cast<PPEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock)));

It's shorter.

Yes, TEB and TIB are the same in the documentation, but the structure is different in the code. I found out why you can convert TIB to TEB: it's because at the beginning of the TEB structure you have a TIB structure as the first field :)


NT_TIB is not a TIB/TEB. It's a part of the TEB/TIB.

That line should not be used "alone", because you first need to fill your structure, as the topic says here:

#include <winnt.h>
#include <winternl.h>

// Read the TEB self-pointer out of the segment register that Windows points at the TEB.
// On x64 that is GS and the pointer is 64-bit, so the offset must be computed with
// FIELD_OFFSET (winnt.h's version of the same null-pointer trick): reinterpret_cast of a
// 64-bit pointer to a 32-bit DWORD does not compile there.
#if defined(_M_X64) // x64: TEB at gs:[NT_TIB::Self] (0x30)
    auto pTeb = reinterpret_cast<PTEB>(__readgsqword(FIELD_OFFSET(NT_TIB, Self)));
#elif defined(_M_ARM) // ARM: no segment register; the kernel keeps the TEB in CP15 TPIDRURW
    auto pTeb = reinterpret_cast<PTEB>(_MoveFromCoprocessor(15, 0, 13, 0, 2)); // CP15_TPIDRURW
#else // x86: TEB at fs:[NT_TIB::Self] (0x18)
    auto pTeb = reinterpret_cast<PTEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<NT_TIB*>(nullptr)->Self)));
#endif

Regards


Yes, it shouldn't be alone, but like this:

#if defined(_M_X64) // x64: PEB pointer at gs:[TEB::ProcessEnvironmentBlock] (0x60); GS, not FS, holds the TEB on x64
    auto pPeb = reinterpret_cast<PPEB>(__readgsqword(FIELD_OFFSET(TEB, ProcessEnvironmentBlock)));
#elif defined(_M_ARM) // ARM: read the TEB from CP15 TPIDRURW, then take its PEB field
    auto pTeb = reinterpret_cast<PTEB>(_MoveFromCoprocessor(15, 0, 13, 0, 2)); // CP15_TPIDRURW
    auto pPeb = pTeb->ProcessEnvironmentBlock;
#else // x86: PEB pointer at fs:[TEB::ProcessEnvironmentBlock] (0x30)
    auto pPeb = reinterpret_cast<PPEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PTEB>(nullptr)->ProcessEnvironmentBlock)));
#endif


Hm, I explained every step in detail. Of course things can be written differently, but following the available documentation and being very strict with structure definitions and read fields, while avoiding possible shortcuts, is what often makes the difference between a good and a bad implementation. Wouldn't you agree?

I could have also used hardcoded offsets to read data, and everything would be working. But that's not how things should be done, because forward compatibility would have been lost, if nothing else.


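The two halves the thread keeps circling, as an added example that is not part of the original post or of trancexx's code: a dependency-free export-table lookup (what GetProcAddress does), exercised against a PE32 image constructed in memory so it runs on any platform, and, under _WIN32 only, the TEB -> PEB -> Ldr walk (what GetModuleHandle does) using the segment-register idiom discussed above. The my_* names, the hand-built image layout, and the choice to match modules on the file-name component of FullDllName (the only name field winternl.h exposes in LDR_DATA_TABLE_ENTRY) are my assumptions.

```c
/* Added example, not code from the original thread: a dependency-free export
 * table walk that does what GetProcAddress does, exercised on a hand-built PE
 * image, plus (Windows only) a PEB walk that does what GetModuleHandle does.
 * All my_* names and the test image layout are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
/* Bounds check for every RVA-based read: a hostile or truncated image must never
 * make the parser read outside the mapping. */
static int in_image(uint64_t off, uint64_t len, size_t size) { return off + len <= size; }

/* MZ -> e_lfanew -> "PE" -> optional header -> data directory 0 (export table),
 * at optional-header offset 96 for PE32 and 112 for PE32+. */
static int find_export_dir(const uint8_t *base, size_t size, uint32_t *rva, uint32_t *len)
{
    if (size < 0x40 || rd16(base) != 0x5A4D) return 0;                       /* "MZ" */
    uint32_t pe = rd32(base + 0x3C);
    if (!in_image(pe, 24, size) || rd32(base + pe) != 0x00004550) return 0;  /* "PE\0\0" */
    uint16_t opt_size = rd16(base + pe + 20);
    const uint8_t *opt = base + pe + 24;
    if (!in_image(pe + 24ull, opt_size, size)) return 0;
    uint16_t magic = rd16(opt);
    uint32_t dir = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0;
    if (dir == 0 || dir + 8 > opt_size || rd32(opt + dir - 4) < 1) return 0; /* NumberOfRvaAndSizes */
    *rva = rd32(opt + dir);
    *len = rd32(opt + dir + 4);
    return *rva != 0;
}

/* GetProcAddress by hand: scan AddressOfNames, map the hit through
 * AddressOfNameOrdinals, read the RVA from AddressOfFunctions. NULL for a missing
 * name, a malformed image, or a forwarded export (its RVA lands inside the export
 * directory, on a "DLL.Name" string that the real loader resolves recursively). */
const void *my_get_proc_address(const void *module, size_t image_size, const char *name)
{
    const uint8_t *base = module;
    uint32_t exp_rva, exp_len;
    if (!find_export_dir(base, image_size, &exp_rva, &exp_len) || !in_image(exp_rva, 40, image_size))
        return NULL;
    const uint8_t *exp = base + exp_rva;
    uint32_t nfuncs = rd32(exp + 20), nnames = rd32(exp + 24);
    uint32_t funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    if (!in_image(funcs, 4ull * nfuncs, image_size) || !in_image(names, 4ull * nnames, image_size) ||
        !in_image(ords, 2ull * nnames, image_size))
        return NULL;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(base + names + (size_t)4 * i);
        if (name_rva >= image_size || !memchr(base + name_rva, 0, image_size - name_rva)) return NULL;
        if (strcmp((const char *)base + name_rva, name) != 0) continue;
        uint16_t ordinal = rd16(base + ords + (size_t)2 * i);
        if (ordinal >= nfuncs) return NULL;
        uint32_t func_rva = rd32(base + funcs + (size_t)4 * ordinal);
        if (func_rva == 0 || func_rva >= image_size) return NULL;
        if (func_rva >= exp_rva && func_rva < exp_rva + exp_len) return NULL; /* forwarder */
        return base + func_rva;
    }
    return NULL;
}

/* Constructed PE32 image (not a real DLL) so the parser runs stand-alone: one real
 * export "Lookup" -> code at RVA 0x300, and one forwarder "Forwarded". */
const uint8_t *my_test_image(size_t *size)
{
    static uint8_t img[0x400];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x80);            /* e_lfanew */
    wr32(img + 0x80, 0x00004550); wr32(img + 0x94, 0xE0);          /* "PE", SizeOfOptionalHeader */
    wr32(img + 0x98, 0x10B); wr32(img + 0xF4, 16);                 /* PE32 magic, NumberOfRvaAndSizes */
    wr32(img + 0xF8, 0x200); wr32(img + 0xFC, 0x60);               /* export directory RVA, size */
    wr32(img + 0x214, 2); wr32(img + 0x218, 2);                    /* NumberOfFunctions, NumberOfNames */
    wr32(img + 0x21C, 0x230); wr32(img + 0x220, 0x240); wr32(img + 0x224, 0x248); /* table RVAs */
    wr32(img + 0x230, 0x300); wr32(img + 0x234, 0x250);            /* functions: code, forwarder */
    wr32(img + 0x240, 0x2A0); wr32(img + 0x244, 0x2B0);            /* names */
    wr32(img + 0x248, 0x00000001);                                 /* ordinals {1, 0}, little-endian */
    strcpy((char *)img + 0x250, "OTHER.Real");                     /* forwarder target string */
    strcpy((char *)img + 0x2A0, "Forwarded"); strcpy((char *)img + 0x2B0, "Lookup");
    img[0x300] = 0xC3;                                             /* ret: the "function" */
    *size = sizeof img;
    return img;
}

#if defined(_WIN32)
#include <windows.h>
#include <winternl.h>
/* GetModuleHandle by hand: TEB through the segment register (the thread's idiom),
 * then PEB->Ldr->InMemoryOrderModuleList; match the file name at the end of
 * FullDllName case-insensitively (assumption: winternl.h hides BaseDllName). */
void *my_get_module_handle(const wchar_t *dll)
{
#if defined(_M_X64)
    PTEB teb = (PTEB)__readgsqword(FIELD_OFFSET(NT_TIB, Self));
#elif defined(_M_IX86)
    PTEB teb = (PTEB)__readfsdword(FIELD_OFFSET(NT_TIB, Self));
#else
    PTEB teb = NtCurrentTeb();                  /* ARM/ARM64: winnt.h picks the register */
#endif
    LIST_ENTRY *head = &teb->ProcessEnvironmentBlock->Ldr->InMemoryOrderModuleList;
    size_t want = wcslen(dll);
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        PLDR_DATA_TABLE_ENTRY m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        size_t have = m->FullDllName.Length / sizeof(WCHAR);
        if (have < want) continue;
        const WCHAR *tail = m->FullDllName.Buffer + have - want;
        if ((have == want || tail[-1] == L'\\') && _wcsnicmp(tail, dll, want) == 0) return m->DllBase;
    }
    return NULL;
}
#endif
```

On Windows the two pair up as my_get_proc_address(my_get_module_handle(L"kernel32.dll"), SizeOfImage, "VirtualAlloc"), with SizeOfImage taken from that module's own optional header; for the constructed image the size is simply the buffer length. Two caveats a practitioner should keep: a forwarded export comes back as NULL here, so the "DLL.Name" string must be resolved (loading the target DLL if needed) before relying on the result, and every read is bounds-checked because the same parser tends to end up pointed at attacker-controlled images in loaders and sandboxes.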

Quick question if you will, trancexx (or anyone else with the knowledge):

Could this function be adapted to get the TEB address of a remote process thread?

I'm currently using the dodgy NtQueryInformationThread and a load of hacky crap from around the internet.


Dodgy how?
Just go with it. It's been done before, and it works just fine if proper privileges are set for your process and the thread is accessed with the correct flags... as far as I know.

