
So here is my question:

I wanted to get the PEB on x64 and x86 without calling NtQueryInformationProcess.

I use the ASM from this question: How to use NtCurrentTeb() without Windows header files?

ASM code for x64:

    byte[] asm = new byte[] { 0x53, 0x48, 0x31, 0xDB, 0x48, 0x31, 0xC0, 0x65, 0x48, 0x8B, 0x1C, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0xD8, 0x5B, 0xC3 };
    /*
    push rbx
    xor rbx,rbx
    xor rax,rax
    mov rbx, qword ptr gs:[0x00000060]
    mov rax, rbx
    pop rbx
    ret
    */

And for x86 (I wrote the same function based on the question and the x64 code):

    byte[] asm32 = new byte[] { 0x53, 0x31, 0xDB, 0x31, 0xC0, 0x64, 0x8B, 0x1D, 0x30, 0x00, 0x00, 0x00, 0x89, 0xD8, 0x5B, 0xC3 };
    /*
    push ebx
    xor ebx,ebx
    xor eax,eax
    mov ebx, fs:[0x00000030]
    mov eax, ebx
    pop ebx
    ret
    */

So I checked the PEB address with Process Hacker: for x64 it is the same address I get from my procedure, but for x86 I get a difference of 0x1000 (4096). I tested both addresses (x86 and x64) to read the structure, and everything works fine. My question is: how can my procedure give a different address from Process Hacker on x86 while the whole structure is still readable (the offsets are correct)?

Arsium
  • Why such strange and inefficient asm code? In a WoW64 process 2 PEBs exist, so possibly you mean the difference between the 32- and 64-bit PEB – RbMm Jul 16 '22 at 20:51
  • @RbMm Since I cannot write `#if defined(_WIN64) return (PPEB)__readgsqword(0x60); #else return (PPEB)__readfsdword(0x30); #endif`, I made two basic procedures. Also I didn't know that there are 2 PEBs for WoW64; it seems quite weird. There is only one. – Arsium Jul 17 '22 at 08:11
  • *since I cannot write that* - why? You of course can. But also, why such bad asm code? And there exist 2 PEBs for WoW64, not 1 – RbMm Jul 17 '22 at 08:27
  • @RbMm Don't blame OP for the strange asm code, he just copied it from the linked question. – dialer Jul 17 '22 at 13:49
  • @dialer - yes, but I think one needs to at least understand such code before using it. All we need, if we want to use asm, is `mov rax, gs:[60h]; ret` or `mov eax, fs:[30h]; ret`. Why the rbx (ebx) register and this manipulation are used is unclear. And of course we can use *intrin.h* on Windows and `__readfsdword`; `__readgsqword`, so asm code is not needed at all – RbMm Jul 17 '22 at 13:54
  • I don't write it that way because I work with C# @RbMm. This is why I cannot write it as simply as in C++/C. This is why the ASM code seems weird to you, but it works very well with C#. Anyway, it does not explain why there is a difference of 4KB with Process Hacker or similar tools. – Arsium Jul 17 '22 at 15:17
  • @Arsium - I already told you: there exist **2** PEBs in a WoW64 process, a 32- and a 64-bit PEB. And don't use this asm; use `mov rax, gs:[60h]; ret` or `mov eax, fs:[30h]; ret` – RbMm Jul 17 '22 at 16:39
  • @RbMm Why should I not use the asm above? I'm just trying to understand. – Arsium Jul 17 '22 at 18:43
  • @RbMm (I tested your asm code `mov rax, gs:[60h]; ret` and `mov eax, fs:[30h]; ret` and it works correctly.) Also, how and why are there two PEBs for x86? And how do I know which PEB I'm using? – Arsium Jul 17 '22 at 18:58
  • *why should I not use asm above ?* - why use badly written code, even if it is only several instructions. *how and why are there two PEBs for X86* - not for x86 but for WoW64: 1 PEB for 64-bit code and 1 for 32-bit. You got the 32-bit PEB this way – RbMm Jul 17 '22 at 20:46
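As an added example (not code from the question or from any of the commenters), here is a small Python decoder that covers only the instruction forms the two stubs use, so a byte array that is about to be marked executable can be checked against its commented listing before it ever runs. It also decodes hand-encoded versions of the two-instruction stubs RbMm suggests (`mov rax, gs:[60h]; ret` and `mov eax, fs:[30h]; ret`); those encodings and the helper names are assumptions of this example, not taken from the thread. The offsets it extracts are the `ProcessEnvironmentBlock` field of the 32-bit TEB (0x30) and of the 64-bit TEB (0x60), which is why 32-bit code in a WoW64 process reaches the 32-bit PEB, the second PEB the comments describe.

```python
# Added example (not from the question or the comments): a minimal decoder for
# the few x86/x64 encodings used by the PEB stubs. It handles push/pop r,
# xor r/m,r, mov r/m,r, mov r,r/m with a [disp32] memory operand behind an
# fs/gs prefix, and ret. Anything else raises, so an unexpected byte in a blob
# fails loudly instead of being silently misread.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
SEG_PREFIX = {0x64: "fs", 0x65: "gs"}

# Constructed copies of the two byte arrays from the question.
STUB_X64 = bytes([0x53, 0x48, 0x31, 0xDB, 0x48, 0x31, 0xC0, 0x65, 0x48, 0x8B,
                  0x1C, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0xD8, 0x5B, 0xC3])
STUB_X86 = bytes([0x53, 0x31, 0xDB, 0x31, 0xC0, 0x64, 0x8B, 0x1D, 0x30, 0x00,
                  0x00, 0x00, 0x89, 0xD8, 0x5B, 0xC3])
# The two-instruction forms proposed in the comments, encoded by hand here
# (assumption: these are my encodings, not bytes posted in the thread).
SHORT_X64 = bytes([0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0xC3])
SHORT_X86 = bytes([0x64, 0x8B, 0x05, 0x30, 0x00, 0x00, 0x00, 0xC3])


def _modrm(code, i, bits, rex_w, seg):
    """Decode a ModRM (plus optional SIB and disp32) at code[i].
    Returns (reg_operand, rm_operand, next_index)."""
    names = REG64 if rex_w else REG32
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    i += 1
    if mod == 3:                                # register-direct operand
        return names[reg], names[rm], i
    if mod != 0:
        raise ValueError("unsupported ModRM mod=%d" % mod)
    if rm == 4:                                 # SIB byte follows
        sib = code[i]
        i += 1
        if sib != 0x25:                         # only [disp32], no base/index
            raise ValueError("unsupported SIB 0x%02x" % sib)
    elif rm == 5 and bits == 64:
        # In 64-bit mode mod=00 rm=101 is RIP-relative, not an absolute disp32.
        raise ValueError("RIP-relative addressing not handled")
    elif rm != 5:
        raise ValueError("unsupported ModRM rm=%d" % rm)
    disp = int.from_bytes(code[i:i + 4], "little")
    i += 4
    prefix = seg + ":" if seg else ""
    return names[reg], "%s[0x%x]" % (prefix, disp), i


def disassemble(code, bits):
    """Return one text line per instruction, decoding in 32- or 64-bit mode."""
    out = []
    i = 0
    while i < len(code):
        seg, rex_w = None, False
        if code[i] in SEG_PREFIX:               # fs/gs segment override
            seg = SEG_PREFIX[code[i]]
            i += 1
        if bits == 64 and code[i] == 0x48:      # REX.W: 64-bit operand size
            rex_w = True
            i += 1
        op = code[i]
        i += 1
        stack_regs = REG64 if bits == 64 else REG32
        if 0x50 <= op <= 0x57:                  # push r (64-bit wide in long mode)
            out.append("push " + stack_regs[op - 0x50])
        elif 0x58 <= op <= 0x5F:                # pop r
            out.append("pop " + stack_regs[op - 0x58])
        elif op == 0xC3:
            out.append("ret")
        elif op in (0x31, 0x89, 0x8B):
            reg, rm, i = _modrm(code, i, bits, rex_w, seg)
            if op == 0x31:                      # xor r/m, r
                out.append("xor %s, %s" % (rm, reg))
            elif op == 0x89:                    # mov r/m, r
                out.append("mov %s, %s" % (rm, reg))
            else:                               # mov r, r/m
                out.append("mov %s, %s" % (reg, rm))
        else:
            raise ValueError("unsupported opcode 0x%02x at %d" % (op, i - 1))
    return out


def teb_load(code, bits):
    """Return (segment, offset) of the segment-relative load in the stub, i.e.
    which TEB field it reads: 0x30 is TEB32.ProcessEnvironmentBlock and 0x60 is
    TEB64.ProcessEnvironmentBlock."""
    for insn in disassemble(code, bits):
        if insn.startswith("mov ") and ":[" in insn:
            seg, off = insn.split(", ")[1].split(":[")
            return seg, int(off.rstrip("]"), 16)
    raise ValueError("no segment-relative load found")


if __name__ == "__main__":
    for name, blob, bits in (("x64 stub", STUB_X64, 64), ("x86 stub", STUB_X86, 32),
                             ("short x64", SHORT_X64, 64), ("short x86", SHORT_X86, 32)):
        print(name, teb_load(blob, bits), "\n  " + "\n  ".join(disassemble(blob, bits)))
```

Running the file prints each stub's listing together with the segment and offset it reads; the listings for the two question stubs match their comments exactly, and both short forms decode to the single load plus `ret`. Because the decoder rejects every encoding it does not know, it is a conservative check: a blob that differs from the commented listing in any byte raises or produces a different listing rather than being trusted.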

0 Answers