// author: daax

// 0x4a65 = 19045 (windows version)
int main()
{
    PSAPI_WORKING_SET_INFORMATION* w = ( PSAPI_WORKING_SET_INFORMATION* ) malloc( 1 << 20 );
    QueryWorkingSet( GetCurrentProcess(), w, 1 << 20 );
    for ( u32 i = 0; i < w->NumberOfEntries; i++ )
        if ( ( w->WorkingSetInfo[ i ].Flags & 31 ) == 4 )
            for ( u8* p = ( u8* ) ( ( w->WorkingSetInfo[ i ].Flags >> 12 ) << 12 ),
                  *e = p + 4094; p < e && !( *( u16* ) p == 0x4A65 &&
                  printf( "%p\n%S\n", ( PPEB ) ( p - 0x120 ),
                  *( PWSTR* ) ( ( u8* ) ( *( u64* ) ( ( p - 0x120 ) + 0x20 ) ) + 0xc0 + 0x8 ) ) );
                  p++ );
    return free( w ), 0;
}

#define READWRITE 4
int main()
{
    PSAPI_WORKING_SET_INFORMATION* wsi = ( PSAPI_WORKING_SET_INFORMATION * )malloc( 1<<20 );
    QueryWorkingSet( GetCurrentProcess(), wsi, 1<<20 );

    for ( ULONG_PTR i = 0; i < wsi->NumberOfEntries; i++ )
    {
        ULONG_PTR flags = wsi->WorkingSetInfo[ i ].Flags;
        if ( ( flags & 0x1F ) == READWRITE )
        {
            unsigned char* addr = ( unsigned char* ) ( ( flags >> 12 ) << 12 );
            unsigned char* end = addr + 4094;

            while ( addr < end )
            {
                if ( *( uint16_t* ) addr == 0x4A65 )
                {
                    PPEB peb = ( PPEB ) ( ( ULONG_PTR ) addr - 0x120 );
                    printf( "%p\n%S\n", peb, peb->ProcessParameters->DesktopInfo.Buffer );
                    free( wsi );
                    return 0;
                }
                addr++;
            }
        }
    }
    free( wsi );
    return 0;
}