Problem with NtQueryInformationProcess

Hi guys
I want to extract the PEB Address of a specific process like calc.exe but as the result of NtQueryInformationProcess is STATUS_SUCCESS but still the PebBaseAddress filed is invalid :).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
PPEB FindRemotePEB(HANDLE hProcess)
{
	HANDLE heap;
	NTSTATUS ntStatus;
	HMODULE hHndldll = LoadLibrary(L"ntdll.dll");
	PPROCESS_BASIC_INFORMATION pBasicInfo;
	heap = GetProcessHeap();
	pBasicInfo = (PPROCESS_BASIC_INFORMATION)HeapAlloc(heap,HEAP_ZERO_MEMORY,sizeof(PROCESS_BASIC_INFORMATION));
	DWORD ReturnLength = 0;
	pNTQueryInformationProcess = (NTQueryInformationProcess)GetProcAddress(hHndldll,"ZwQueryInformationProcess");
	ntStatus = pNTQueryInformationProcess(hProcess,ProcessBasicInformation,&pBasicInfo,sizeof(PROCESS_BASIC_INFORMATION),&ReturnLength);
	if(ntStatus == 0 && sizeof(PROCESS_BASIC_INFORMATION) < ReturnLength)
	{
		HeapFree(heap,0,pBasicInfo);
		pBasicInfo = (PPROCESS_BASIC_INFORMATION)HeapAlloc(heap,HEAP_ZERO_MEMORY,ReturnLength);
		ntStatus = pNTQueryInformationProcess(hProcess,ProcessBasicInformation,&pBasicInfo,sizeof(PROCESS_BASIC_INFORMATION),&ReturnLength);
	}
	return(pBasicInfo->PebBaseAddress);
}
ntStatus = pNTQueryInformationProcess(hProcess,ProcessBasicInformation,&pBasicInfo,sizeof(PROCESS_BASIC_INFORMATION),&ReturnLength); pBasicInfo is a pointer, so you don't need to pass an address of it.
ntStatus = pNTQueryInformationProcess(hProcess,ProcessBasicInformation,pBasicInfo,sizeof(PROCESS_BASIC_INFORMATION),&ReturnLength); should work
Topic archived. No new replies allowed.