A forum for reverse engineering, OS internals and malware analysis 

Getting the PEB address through EPROCESS

Forum for discussion about kernel-mode development.

Re: Getting the PEB address through EPROCESS

 #16860  by EP_X0FF
 Tue Nov 27, 2012 9:15 am
Redefine it or cast as pointer and use offsets for access, what is the problem at all.

Re: Getting the PEB address through EPROCESS

 #16863  by nullptr
 Tue Nov 27, 2012 11:37 am
XP EPROCESS
Code: Select all
typedef struct _EPROCESS {
    KPROCESS                        Pcb;                         // 0x00
    EX_PUSH_LOCK                    ProcessLock;                 // 0x6C
    LARGE_INTEGER                   CreateTime;                  // 0x70
    LARGE_INTEGER                   ExitTime;                    // 0x78
    EX_RUNDOWN_REF                  RundownProtect;              // 0x80
    ULONG                           UniqueProcessId;             // 0x84
    LIST_ENTRY                      ActiveProcessLinks;          // 0x88
    ULONG                           QuotaUsage[3];               // 0x90
    ULONG                           QuotaPeak[3];                // 0x9C
    ULONG                           CommitCharge;                // 0xA8
    ULONG                           PeakVirtualSize;             // 0xAC
    ULONG                           VirtualSize;                 // 0xB0
    LIST_ENTRY                      SessionProcessLinks;         // 0xB4
    PVOID                           DebugPort;                   // 0xBC
    PVOID                           ExceptionPort;               // 0xC0
    PHANDLE_TABLE                   ObjectTable;                 // 0xC4
    EX_FAST_REF                     Token;                       // 0xC8
    FAST_MUTEX                      WorkingSetLock;              // 0xCC
    ULONG                           WorkingSetPage;              // 0xEC
    FAST_MUTEX                      AddressCreationLock;         // 0xF0
    KSPIN_LOCK                      HyperSpaceLock;              // 0x110
    PETHREAD                        ForkInProgress;              // 0x114
    ULONG                           HardwareTrigger;             // 0x118
    PVOID                           VadRoot;                     // 0x11C
    PVOID                           VadHint;                     // 0x120
    PVOID                           CloneRoot;                   // 0x124
    ULONG                           NumberOfPrivatePages;        // 0x128
    ULONG                           NumberOfLockedPages;         // 0x12C
    PVOID                           Win32Process;                // 0x130
    PEJOB                           Job;                         // 0x134
    PSECTION_OBJECT                 SectionObject;               // 0x138
    PVOID                           SectionBaseAddress;          // 0x13C
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    PPAGEFAULT_HISTORY              WorkingSetWatch;
    PVOID                           Win32WindowStation;
    PVOID                           InheritedFromUniqueProcessId;// 0x14C
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    PDEVICE_MAP                     DeviceMap;
    LIST_ENTRY                      PhysicalVadList;
    union {
        HARDWARE_PTE                PageDirectoryPte;
        ULONGLONG                   Filler;
    };
    PVOID                           Session;
    UCHAR                           ImageFileName[16];          // 0x174
    LIST_ENTRY                      JobLinks;                   // 0x184
    PVOID                           LockedPageList;             // 0x18C
    LIST_ENTRY                      ThreadListHead;             // 0x190
    PVOID                           SecurityPort;               // 0x198
    PVOID                           PaeTop;                     // 0x19C
    ULONG                           ActiveThreads;              // 0x1A0
    ULONG                           GrantedAccess;              // 0x1A4
    ULONG                           DefaultHardErrorProcessing; // 0x1A8
    NTSTATUS                        LastThreadExitStatus;       // 0x1AC
    PPEB                            Peb;                        // 0x1B0
    EX_FAST_REF                     PrefetchTrace;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeak;
    PVOID                           AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;
    MMSUPPORT                       Vm;                          //0x1F8
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    ULONG                           NumberOfVads;
    ULONG                           JobStatus;
    union {
        ULONG                       Flags;
        struct {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   HasPhysicalVad              : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   Unused                      : 11;
        };
    };
    NTSTATUS                        ExitStatus;
    USHORT                          NextPageColor;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    UCHAR                           PriorityClass;
    BOOLEAN                         WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;
Cast as unsigned __int32 ( ULONG) and get the right offset.

Re: Getting the PEB address through EPROCESS

 #16864  by EP_X0FF
 Tue Nov 27, 2012 1:19 pm
Stylo wrote:I already cast it as a pointer
Code: Select all
INT pPeb = *(INT*)(eProcess + 0x190);
but then i get the weird address in kernel space.
I'm guessing redefining it is the only way?
No. Your offset is from 3790 SP0, Windows 2003.

Re: Getting the PEB address through EPROCESS

 #16871  by Vrtule
 Tue Nov 27, 2012 7:44 pm
Code: Select all
INT pPeb = *(INT*)(eProcess + 0x190);
This won't work on 64-bit platforms since INT is 32-bit there but pointers are 64-bit.

I recommend you to use, if possible, the PsGetProcessPeb routine as Alex had adviced.

Re: Getting the PEB address through EPROCESS

 #16874  by Stylo
 Tue Nov 27, 2012 9:11 pm
Ohhh crap...
My offset was wrong :X
i took the PEB structure from OpenRce forums..
i guess it was for other version of windows i wasn't looking
Thank u for the help :)
 Return to “Kernel-Mode Development”