ImageBaseAddress in PEB is wrong

0

I'm currently trying to retrieve the Image Base Address of a suspended 32-bit process.

I successfully retrieved the PEB VA by using (*CTX).Ebx - 0x1000 (where CTX is the CONTEXT structure retrieved with GetThreadContext()); it's in correlation with the data I got from some process analysis tools.

The problem is that the field ImageBaseAddress at offset 0x08 is equal to 0xffffffff. I verified, and all the other fields are okay; if, for example, I create the process in debug mode, the BeingDebugged byte is set to 1, etc.

And if I look with some tools where the Image of the PE is loaded, I see that it's at 0x880000; unfortunately that data isn't present in the PEB.

So I basically tried to create a "normal" process that isn't suspended but I have the same problem.

All the fields of the PEB are fine, the process too; there's just that 32-bit integer at offset 0x08 that is equal to 0xffffffff for some mysterious reason.

(P.S.: I know that the PEB isn't documented and that it is not a great idea to depend on it, as its fields might change in the future, but I really need to get the Image Base Address of a suspended process from its PEB.)

Thanks.

winapi
memory
portable-executable
asked on Stack Overflow Dec 28, 2019 by Aleister Crowley • edited Dec 29, 2019 by Aleister Crowley

1 Answer

0

Use NtQueryInformationProcess with ProcessBasicInformation; the resulting PROCESS_BASIC_INFORMATION structure will contain the correct PEB address.

#include <windows.h>
#include <winternl.h>   // NTSTATUS, PROCESSINFOCLASS, PROCESS_BASIC_INFORMATION
#include <iostream>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// PEB must be a full definition that names ImageBaseAddress (for example the one
// from x64dbg's source); the winternl.h PEB only exposes that slot as Reserved3[1].

typedef NTSTATUS(__stdcall* tNtQueryInformationProcess)
(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
    );

PEB GetPEBExternal(HANDLE hProc)
{
    PROCESS_BASIC_INFORMATION pbi = { 0 };
    PEB peb = { 0 };

    // NtQueryInformationProcess is exported by ntdll.dll but has no import library, so resolve it at run time.
    tNtQueryInformationProcess NtQueryInformationProcess =
        (tNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (!NtQueryInformationProcess)
        return peb;

    NTSTATUS status = NtQueryInformationProcess(hProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);

    if (NT_SUCCESS(status))
    {
        // Copy the PEB out of the target; hProc needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
        ReadProcessMemory(hProc, pbi.PebBaseAddress, &peb, sizeof(peb), NULL);
    }

    return peb;
}

// hProc: a handle to the target process opened with the rights noted above.
PEB peb = GetPEBExternal(hProc);

std::cout << "0x" << std::hex << peb.ImageBaseAddress << std::endl;

Use the PEB definition from x64dbg's source code; it's the best source for undocumented structures in my experience.

answered on Stack Overflow Apr 19, 2020 by GuidedHacking
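The layout point behind both the question's offset 0x08 and the answer's advice to take the PEB definition from a known-good source, as an added example that is not from the question or the answer: a parser for the head of a raw PEB dump that covers both the 32-bit layout (ImageBaseAddress at 0x08) and the 64-bit one (at 0x10), with a plausibility check that rejects anything that cannot be an image base, such as the 0xffffffff the question reports. The sample dumps are constructed, and the Peb32Head/Peb64Head/PebInfo names and the check are mine, not x64dbg's.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Leading fields of the PEB in its 32-bit and 64-bit layouts. The structure is
// undocumented, but these offsets have been stable across Windows versions.
struct Peb32Head {
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField; // 0x00..0x03
    uint32_t Mutant;            // 0x04  HANDLE is 4 bytes on x86
    uint32_t ImageBaseAddress;  // 0x08
};
struct Peb64Head {
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField; // 0x00..0x03
    uint8_t  Padding0[4];       // 0x04
    uint64_t Mutant;            // 0x08  HANDLE is 8 bytes on x64
    uint64_t ImageBaseAddress;  // 0x10
};
static_assert(offsetof(Peb32Head, ImageBaseAddress) == 0x08, "PEB32 layout");
static_assert(offsetof(Peb64Head, ImageBaseAddress) == 0x10, "PEB64 layout");
struct PebInfo { bool ok; bool beingDebugged; uint64_t imageBase; };

// A real image base is nonzero, page aligned and, for a 32-bit target, below 4 GiB.
// Anything else means the bytes were read with the wrong layout or from the wrong place.
bool plausibleImageBase(uint64_t v, bool target64) {
    return v != 0 && (v & 0xFFF) == 0 && (target64 || v <= 0xFFFFFFFFull);
}
template <typename Head>
static PebInfo readHead(const uint8_t* buf, size_t len) {
    PebInfo r{false, false, 0};
    if (len < sizeof(Head)) return r;   // short read: imageBase stays 0, so ok stays false
    Head h;
    std::memcpy(&h, buf, sizeof h);     // dump is little-endian, as on x86/x64
    r.beingDebugged = h.BeingDebugged != 0;
    r.imageBase = h.ImageBaseAddress;
    return r;
}

// Parse the head of a raw PEB dump using the layout that matches the target's bitness.
PebInfo parsePebHead(const uint8_t* buf, size_t len, bool target64) {
    PebInfo r = target64 ? readHead<Peb64Head>(buf, len) : readHead<Peb32Head>(buf, len);
    r.ok = plausibleImageBase(r.imageBase, target64);
    return r;
}

// Constructed sample dumps (not captured from a real process); Mutant holds -1
// (INVALID_HANDLE_VALUE), as it normally does in a live PEB. BeingDebugged=1 in both.
const uint8_t kPeb32[12] = {0,0,1,8, 0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x88,0x00};  // image at 0x00880000
const uint8_t kPeb64[24] = {0,0,1,8, 0,0,0,0, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                            0x00,0x00,0x00,0xA0,0xF6,0x7F,0x00,0x00};              // image at 0x00007FF6A0000000
```

Reading the 64-bit sample through the 32-bit layout lands on the Mutant handle, which is exactly 0xFFFFFFFF at offset 0x08, and the plausibility check rejects it.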

User contributions licensed under CC BY-SA 3.0