hasherezade · July 21, 2025 11:35 · Nov 17, 2020 · Dec 21, 2017 · Dec 21, 2017
diff --git a/main.cpp b/main.cpp
@@ -15,7 +15,7 @@ PPEB get_default_peb()
 PPEB64 get_peb64(HANDLE hProcess, OUT PROCESS_BASIC_INFORMATION_WOW64 &pbi64)
 {
     if (NtWow64QueryInformationProcess64 == nullptr) {
-        return false;
+        return nullptr;
     }
     //reset structure:
     memset(&pbi64,0, sizeof(PROCESS_BASIC_INFORMATION_WOW64));

diff --git a/main.cpp b/main.cpp
@@ -5,9 +5,11 @@
 
 PPEB get_default_peb()
 {
-    PTEB myTeb = NtCurrentTeb();
-    PPEB myPeb = myTeb->ProcessEnvironmentBlock;
-    return myPeb;
+#if defined(_WIN64)
+    return (PPEB)__readgsqword(0x60);
+#else
+    return (PPEB)__readfsdword(0x30);
+#endif
 }
 
 PPEB64 get_peb64(HANDLE hProcess, OUT PROCESS_BASIC_INFORMATION_WOW64 &pbi64)

diff --git a/main.cpp b/main.cpp
@@ -0,0 +1,67 @@
+#include <Windows.h>
+
+#include <iostream>
+#include "ntdll_undoc.h"
+
+PPEB get_default_peb()
+{
+    PTEB myTeb = NtCurrentTeb();
+    PPEB myPeb = myTeb->ProcessEnvironmentBlock;
+    return myPeb;
+}
+
+PPEB64 get_peb64(HANDLE hProcess, OUT PROCESS_BASIC_INFORMATION_WOW64 &pbi64)
+{
+    if (NtWow64QueryInformationProcess64 == nullptr) {
+        return false;
+    }
+    //reset structure:
+    memset(&pbi64,0, sizeof(PROCESS_BASIC_INFORMATION_WOW64));
+
+    ULONG outLength = 0;
+    NTSTATUS status = NtWow64QueryInformationProcess64(
+        hProcess,
+        ProcessBasicInformation,
+        &pbi64,
+        sizeof(PROCESS_BASIC_INFORMATION_WOW64),
+        &outLength
+    );
+    if (status != STATUS_SUCCESS) {
+        return nullptr;
+    }
+    return (PPEB64) pbi64.PebBaseAddress;
+}
+
+int main()
+{
+    BOOL isWow64 = FALSE;
+    IsWow64Process(GetCurrentProcess(), &isWow64);
+    std::cout << "IsWow64" << " : " << isWow64 << std::endl;
+
+    if (init_ntdll_func(isWow64) == false) {
+        printf("Cannot load functions!\n");
+        return -1;
+    }
+
+    PPEB myPeb = get_default_peb();
+    std::cout << "PEB:  \t" ;
+    std::cout << std::hex << myPeb << std::endl;
+
+    PPEB64 pebWow64 = nullptr;
+    if (isWow64) {
+        PROCESS_BASIC_INFORMATION_WOW64 pbi64 = { 0 };
+        pebWow64 = get_peb64(GetCurrentProcess(), pbi64);
+        if (pebWow64 == nullptr) {
+            std::cerr << "Fetching PEB64 failed!" << std::endl;
+            return -1;
+        }
+        std::cout << "PEB64:\t" ;
+        std::cout << std::hex << pebWow64 << std::endl;
+    }
+    std::cout << "ImageBaseAddress from PEB: \t" << std::hex << myPeb->ImageBaseAddress << std::endl;
+    if (pebWow64 != nullptr) {
+        std::cout << "ImageBaseAddress from PEB64: \t" << std::hex << pebWow64->ImageBaseAddress << std::endl;
+    }
+    system("pause");
+    return 0;
+}
diff --git a/ntdll_undoc.cpp b/ntdll_undoc.cpp
@@ -0,0 +1,95 @@
+#include "ntdll_undoc.h"
+
+NTSTATUS (NTAPI *RtlCreateProcessParametersEx)(
+    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+    _In_ PUNICODE_STRING ImagePathName,
+    _In_opt_ PUNICODE_STRING DllPath,
+    _In_opt_ PUNICODE_STRING CurrentDirectory,
+    _In_opt_ PUNICODE_STRING CommandLine,
+    _In_opt_ PVOID Environment,
+    _In_opt_ PUNICODE_STRING WindowTitle,
+    _In_opt_ PUNICODE_STRING DesktopInfo,
+    _In_opt_ PUNICODE_STRING ShellInfo,
+    _In_opt_ PUNICODE_STRING RuntimeData,
+    _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
+) = nullptr;
+
+NTSTATUS (NTAPI *NtWow64ReadVirtualMemory64)(
+    IN HANDLE ProcessHandle,
+    IN PVOID64 BaseAddress,
+    OUT PVOID Buffer,
+    IN ULONG64 Size,
+    OUT PULONG64 NumberOfBytesRead
+) = nullptr;
+
+NTSTATUS (NTAPI *NtWow64QueryInformationProcess64) (
+    IN HANDLE ProcessHandle,
+    IN PROCESSINFOCLASS ProcessInformationClass,
+    OUT PVOID ProcessInformation,
+    IN ULONG ProcessInformationLength,
+    OUT PULONG ReturnLength OPTIONAL
+) = nullptr;
+
+bool init_wow64_func(HMODULE lib)
+{
+    if (lib == nullptr) {
+        return false;
+    }
+    FARPROC proc = GetProcAddress(lib, "NtWow64ReadVirtualMemory64");
+    if (proc == nullptr) {
+        return false;
+    }
+    NtWow64ReadVirtualMemory64 = (NTSTATUS (NTAPI *)(
+        HANDLE,
+        PVOID64,
+        PVOID,
+        ULONG64,
+        PULONG64
+    )) proc;
+
+    proc = GetProcAddress(lib, "NtWow64QueryInformationProcess64");
+    if (proc == nullptr) {
+        return false;
+    }
+    NtWow64QueryInformationProcess64 = (NTSTATUS (NTAPI *)(
+        HANDLE,
+        PROCESSINFOCLASS,
+        PVOID,
+        ULONG,
+        PULONG
+    )) proc;
+
+    return true;
+}
+
+bool init_ntdll_func(BOOL isWow64)
+{
+    HMODULE lib = LoadLibraryA("ntdll.dll");
+    if (lib == nullptr) {
+        return false;
+    }
+    FARPROC proc = GetProcAddress(lib, "RtlCreateProcessParametersEx");
+    if (proc == nullptr) {
+        return false;
+    }
+    RtlCreateProcessParametersEx = (NTSTATUS (NTAPI *)(
+        PRTL_USER_PROCESS_PARAMETERS*,
+        PUNICODE_STRING,
+        PUNICODE_STRING,
+        PUNICODE_STRING,
+        PUNICODE_STRING,
+        PVOID,
+        PUNICODE_STRING,
+        PUNICODE_STRING,
+        PUNICODE_STRING,
+        PUNICODE_STRING,
+        ULONG 
+    )) proc;
+
+    if (isWow64) {
+        if (!init_wow64_func(lib)) {
+            return false;
+        }
+    }
+    return true;
+}
diff --git a/ntdll_undoc.h b/ntdll_undoc.h
@@ -0,0 +1,111 @@
+#pragma once
+
+#include <Windows.h>
+#include "ntddk.h"
+#include "ntdll_types.h"
+
+//Structures:
+
+typedef struct _PROCESS_BASIC_INFORMATION_WOW64
+{
+    NTSTATUS ExitStatus;
+    ULONG64  PebBaseAddress;
+    ULONG64  AffinityMask;
+    KPRIORITY BasePriority;
+    ULONG64  UniqueProcessId;
+    ULONG64  InheritedFromUniqueProcessId;
+
+} PROCESS_BASIC_INFORMATION_WOW64, *PPROCESS_BASIC_INFORMATION_WOW64;
+
+typedef struct _UNICODE_STRING_WOW64 {
+    USHORT Length;
+    USHORT MaximumLength;
+    PVOID64 Buffer;
+} UNICODE_STRING_WOW64;
+
+// PEB 64:
+typedef struct _PEB64 {
+    BYTE Reserved[16];
+    PVOID64 ImageBaseAddress;
+    PVOID64 LdrData;
+    PVOID64 ProcessParameters;
+} PEB64, *PPEB64;
+
+typedef struct _CURDIR64
+{
+    UNICODE_STRING_WOW64 DosPath;
+    HANDLE Handle;
+} CURDIR64, *PCURDIR64;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS64
+{
+    ULONG MaximumLength;                            // Should be set before call RtlCreateProcessParameters
+    ULONG Length;                                   // Length of valid structure
+    ULONG Flags;                                    // Currently only PPF_NORMALIZED (1) is known:
+                                                    //  - Means that structure is normalized by call RtlNormalizeProcessParameters
+    ULONG DebugFlags;
+    PVOID64 ConsoleHandle;                            // HWND to console window associated with process (if any).
+    ULONG ConsoleFlags;
+    DWORD64 StandardInput;
+    DWORD64 StandardOutput;
+    DWORD64 StandardError;
+    CURDIR64 CurrentDirectory;                        // Specified in DOS-like symbolic link path, ex: "C:/WinNT/SYSTEM32"
+
+    UNICODE_STRING_WOW64 DllPath;                         // DOS-like paths separated by ';' where system should search for DLL files.
+    UNICODE_STRING_WOW64 ImagePathName;                   // Full path in DOS-like format to process'es file image.
+    UNICODE_STRING_WOW64 CommandLine;                     // Command line
+    PVOID64 Environment;                              // Pointer to environment block (see RtlCreateEnvironment)
+    ULONG StartingX;
+    ULONG StartingY;
+    ULONG CountX;
+    ULONG CountY;
+    ULONG CountCharsX;
+    ULONG CountCharsY;
+    ULONG FillAttribute;                            // Fill attribute for console window
+    ULONG WindowFlags;
+    ULONG ShowWindowFlags;
+    UNICODE_STRING_WOW64 WindowTitle;
+    UNICODE_STRING_WOW64 DesktopInfo;                     // Name of WindowStation and Desktop objects, where process is assigned
+    UNICODE_STRING_WOW64 ShellInfo;
+    UNICODE_STRING_WOW64 RuntimeData;
+    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[0x20];
+    ULONG EnvironmentSize;
+} RTL_USER_PROCESS_PARAMETERS64, *PRTL_USER_PROCESS_PARAMETERS64;
+
+//Functions:
+
+extern NTSTATUS (NTAPI *RtlCreateProcessParametersEx)(
+    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+    _In_ PUNICODE_STRING ImagePathName,
+    _In_opt_ PUNICODE_STRING DllPath,
+    _In_opt_ PUNICODE_STRING CurrentDirectory,
+    _In_opt_ PUNICODE_STRING CommandLine,
+    _In_opt_ PVOID Environment,
+    _In_opt_ PUNICODE_STRING WindowTitle,
+    _In_opt_ PUNICODE_STRING DesktopInfo,
+    _In_opt_ PUNICODE_STRING ShellInfo,
+    _In_opt_ PUNICODE_STRING RuntimeData,
+    _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
+);
+
+//for 32bit process on 64bit system:
+
+extern NTSTATUS (NTAPI *NtWow64ReadVirtualMemory64)(
+    IN HANDLE ProcessHandle,
+    IN PVOID64 BaseAddress,
+    OUT PVOID Buffer,
+    IN ULONG64 Size,
+    OUT PULONG64 NumberOfBytesRead
+);
+
+extern NTSTATUS (NTAPI *NtWow64QueryInformationProcess64) (
+    IN HANDLE ProcessHandle,
+    IN PROCESSINFOCLASS ProcessInformationClass,
+    OUT PVOID ProcessInformation,
+    IN ULONG ProcessInformationLength,
+    OUT PULONG ReturnLength OPTIONAL
+);
+
+// Initialization function:
+
+bool init_ntdll_func(BOOL isWow64);
No results found