Forked from evernick/DirectPEB_ZwQueryInformationProcess.cpp
Created
August 1, 2017 23:09
-
-
Save spnow/d2e7ba26e180b9063c7b28ea505b89e0 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _WIN32_WINNT 0x0501 | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <Winternl.h> | |
| typedef DWORD (WINAPI *PFZWQUERYINFORMATIONPROCESS) ( | |
| HANDLE ProcessHandle, | |
| DWORD ProcessInformationClass, // Origianl : _PROCESS_INFORMATION_CLASS | |
| PVOID ProcessInformation, | |
| ULONG ProcessInformationLength, | |
| PULONG ReturnLength | |
| ); | |
| int main(int argc, char **argv) | |
| { | |
| PROCESS_BASIC_INFORMATION pPib; | |
| PFZWQUERYINFORMATIONPROCESS pfZwQueryInformationProcess; | |
| HMODULE h_ntdll = GetModuleHandle("ntdll.dll"); | |
| pfZwQueryInformationProcess = (PFZWQUERYINFORMATIONPROCESS)GetProcAddress(h_ntdll, "ZwQueryInformationProcess"); | |
| pfZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, &pPib, sizeof(PROCESS_BASIC_INFORMATION), 0); // 0x0 : ProcessBasicInformation | |
| printf("PEB Address Is : %p\n", pPib.PebBaseAddress); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment