| Case | Code |
|---|---|
| 32-bit PEB from a 32-bit process | `BYTE* _teb = (BYTE*)__readfsdword(0x18); PEB32* _peb = *(PEB32**)(_teb + 0x30);` |
| 64-bit PEB from a 64-bit process | `BYTE* _teb = (BYTE*)__readgsqword(0x30); PEB64* _peb = *(PEB64**)(_teb + 0x60);` |
| 64-bit PEB from a 32-bit WoW64 process | `BYTE* _teb = (BYTE*)__readfsdword(0x18) - 0x2000; DWORD64 _peb = *(DWORD64*)(_teb + 0x60);` |

In all three cases the first read fetches `NtTib.Self` (offset 0x18 in the 32-bit TEB, 0x30 in the 64-bit TEB), i.e. the linear address of the TEB itself; the PEB pointer then sits at `ProcessEnvironmentBlock` (offset 0x30 / 0x60). In a WoW64 process the 64-bit TEB lies 0x2000 bytes below the 32-bit one, and the 64-bit PEB address is kept as a `DWORD64` rather than a pointer because 32-bit code cannot dereference an address above 4 GB without switching to 64-bit mode.
Microsoft already provides a ready-made inline for this: `NtCurrentPeb()`. It is built on `NtCurrentTeb()` from winnt.h, which is special-cased for Win32 and x64 and ultimately boils down to the same intrinsics as above, `__readfsdword` on x86 and `__readgsqword` on x64.
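The following is an added example, not code from the original page: it packages the TEB-to-PEB walk from the table into small functions that take a TEB base pointer, so the same offset logic can be exercised offline on a constructed WoW64 TEB pair (the `FAKE_*` addresses below are arbitrary test constants, not captured values) and, when built with MSVC on Windows, run live against the real TEB via `__readfsdword`/`__readgsqword`. The live path cross-checks the result by comparing `PEB->ImageBaseAddress` (offset 0x08 in PEB32, 0x10 in PEB64) with `GetModuleHandleW(NULL)`.

```c
/* Added example: TEB -> PEB walk at the documented offsets.
 * Offline: runs the walk over a constructed WoW64 TEB image.
 * Windows/MSVC: also reads the real TEB with the intrinsics. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NtTib.Self and ProcessEnvironmentBlock offsets (32-bit / 64-bit TEB). */
#define TEB32_SELF_OFFSET 0x18
#define TEB32_PEB_OFFSET  0x30
#define TEB64_SELF_OFFSET 0x30
#define TEB64_PEB_OFFSET  0x60
/* In a WoW64 process the 64-bit TEB sits 0x2000 bytes below the 32-bit TEB. */
#define WOW64_TEB64_DELTA 0x2000

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* PEB32 address stored in a 32-bit TEB image. */
uint32_t peb32_from_teb32(const uint8_t *teb32) { return rd32(teb32 + TEB32_PEB_OFFSET); }
/* PEB64 address stored in a 64-bit TEB image; kept as a 64-bit integer on purpose. */
uint64_t peb64_from_teb64(const uint8_t *teb64) { return rd64(teb64 + TEB64_PEB_OFFSET); }
/* 64-bit TEB of a WoW64 process, given its 32-bit TEB. */
const uint8_t *teb64_from_wow64_teb32(const uint8_t *teb32) { return teb32 - WOW64_TEB64_DELTA; }

/* Sanity check: NtTib.Self must point back at the TEB's own virtual address. */
int teb32_self_ok(const uint8_t *teb32, uint32_t teb32_va) { return rd32(teb32 + TEB32_SELF_OFFSET) == teb32_va; }
int teb64_self_ok(const uint8_t *teb64, uint64_t teb64_va) { return rd64(teb64 + TEB64_SELF_OFFSET) == teb64_va; }

/* Constructed (not captured) WoW64 TEB pair: TEB64 at buf, TEB32 at buf + 0x2000.
 * The virtual addresses and PEB values are arbitrary test constants. */
#define FAKE_TEB64_VA 0x000000007FFDC000ULL
#define FAKE_TEB32_VA 0x7FFDE000u
#define FAKE_PEB64    0x000000007FFD8000ULL
#define FAKE_PEB32    0x7FFDA000u

uint8_t *build_fake_wow64_tebs(void) {
    uint8_t *buf = calloc(WOW64_TEB64_DELTA + 0x100, 1);
    if (!buf) return NULL;
    uint8_t *teb64 = buf, *teb32 = buf + WOW64_TEB64_DELTA;
    uint64_t v64; uint32_t v32;
    v64 = FAKE_TEB64_VA; memcpy(teb64 + TEB64_SELF_OFFSET, &v64, 8);
    v64 = FAKE_PEB64;    memcpy(teb64 + TEB64_PEB_OFFSET,  &v64, 8);
    v32 = FAKE_TEB32_VA; memcpy(teb32 + TEB32_SELF_OFFSET, &v32, 4);
    v32 = FAKE_PEB32;    memcpy(teb32 + TEB32_PEB_OFFSET,  &v32, 4);
    return buf;
}

/* Full offline walk over the constructed image; returns 1 if every step agrees. */
int fake_walk_ok(void) {
    uint8_t *buf = build_fake_wow64_tebs();
    if (!buf) return 0;
    const uint8_t *teb32 = buf + WOW64_TEB64_DELTA;
    const uint8_t *teb64 = teb64_from_wow64_teb32(teb32);
    int ok = teb64 == buf
          && teb32_self_ok(teb32, FAKE_TEB32_VA)
          && teb64_self_ok(teb64, FAKE_TEB64_VA)
          && peb32_from_teb32(teb32) == FAKE_PEB32
          && peb64_from_teb64(teb64) == FAKE_PEB64;
    free(buf);
    return ok;
}

#if defined(_WIN32) && defined(_MSC_VER)
#include <windows.h>
#include <intrin.h>
/* Live PEB of the current process via the raw intrinsics (same reads as the table). */
void *current_peb_raw(void) {
#if defined(_M_IX86)
    const uint8_t *teb = (const uint8_t *)__readfsdword(TEB32_SELF_OFFSET);
    return (void *)(uintptr_t)peb32_from_teb32(teb);
#else
    const uint8_t *teb = (const uint8_t *)__readgsqword(TEB64_SELF_OFFSET);
    return (void *)(uintptr_t)peb64_from_teb64(teb);
#endif
}
#endif

int main(void) {
    printf("offline walk: %s\n", fake_walk_ok() ? "ok" : "FAILED");
#if defined(_WIN32) && defined(_MSC_VER)
    const uint8_t *peb = (const uint8_t *)current_peb_raw();
    void *image_base;  /* PEB.ImageBaseAddress: 0x08 in PEB32, 0x10 in PEB64 */
    memcpy(&image_base, peb + (sizeof(void *) == 8 ? 0x10 : 0x08), sizeof image_base);
    printf("live: PEB=%p ImageBaseAddress=%p GetModuleHandleW(NULL)=%p\n",
           (const void *)peb, image_base, (void *)GetModuleHandleW(NULL));
#endif
    return 0;
}
```

On Windows the two pointers printed by the live path should be identical; a mismatch means the TEB you walked is not the one for the running bitness (for example, a 32-bit binary reading 0x60 from the 32-bit TEB). The offline path exists so the offset arithmetic itself can be checked on any host.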