Reputation: 1
So here is my question:
I wanted to get the PEB on x64 and x86 without calling NtQueryInformationProcess.
I use the ASM from this question: How to use NtCurrentTeb() without Windows header files?
ASM code for x64:
```csharp
// x64 stub: returns the PEB pointer kept at TEB+0x60 (gs points at the TEB on x64)
byte[] asm = new byte[] { 0x53, 0x48, 0x31, 0xDB, 0x48, 0x31, 0xC0, 0x65, 0x48, 0x8B, 0x1C, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0xD8, 0x5B, 0xC3 };
/*
push rbx
xor rbx,rbx
xor rax,rax
mov rbx, qword ptr gs:[0x00000060]
mov rax, rbx
pop rbx
ret
*/

// x86 stub: returns the PEB pointer kept at TEB+0x30 (fs points at the TEB on x86)
byte[] asm32 = new byte[] { 0x53, 0x31, 0xDB, 0x31, 0xC0, 0x64, 0x8B, 0x1D, 0x30, 0x00, 0x00, 0x00, 0x89, 0xD8, 0x5B, 0xC3 };
/*
push ebx
xor ebx,ebx
xor eax,eax
mov ebx, fs:[0x00000030]
mov eax, ebx
pop ebx
ret
*/
```
So I checked the PEB address with ProcessHacker: for x64 it is the same address I got from my procedure, but for x86 I got a difference of 0x1000 (4096). I tested both addresses (x86 and x64) to read the structure and everything works fine. My question is: how can the address from my procedure on x86 differ from the one ProcessHacker shows while the whole structure is still readable (the offsets are correct)?
Upvotes: 0
Views: 99