Reputation: 2109
How can I get the 32 bit stack limits / the 32 bit TEB/TIB from an existing 32 bit process under windows in x64 mode?
Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation to get the TebBaseAddress
but wow64 threads have two stacks, this will only get the 64 bit Teb.
Upvotes: 2
Views: 995
Answers (3)
Reputation: 904
This is an easier, albeit undocumented, method: http://redplait.blogspot.ru/2012/12/teb32-of-wow64-process.html
Upvotes: 1
Reputation: 1462
Are you using the Windows debugging interface to attach to the process? If so, you should be able to use the lpThreadLocalBase field of the events CREATE_THREAD_DEBUG_INFO and CREATE_PROCESS_DEBUG_INFO to get the TEB base address when a new thread is created.
But I think this only works if your debugger has controlled the process from its creation. This wouldn't help for attaching to an existing process.
Upvotes: 1
Reputation: 2109
the best way I've found is to get the 32 bit context ( not via GetThreadContext, but Wow64GetThreadContext) and use Wow64GetThreadSelectorEntry to get the address of FS[0] and then use ReadProcessMemory. But the biggest problem is that this requires Win7/Windows2008 Server R2 )
Upvotes: 2
Related Questions
- Is there a Windbg command to find out if a process is a 32-bit one or a 64-bit one?
- Get 32bit PEB of another process from a x64 process
- x64dbg Windows APIs Stack details
- How to get a reliable memory usage information for a 64-bit process from a 32-bit process?
- How can I determine if process is 32 or 64Bit from a handle?
- get the entry point to a 64bit process memory from a 32bit process
- How can I programmatically retrieve the details of a 64 bit process in C++?
- How to get stack size and stack limit of any thread using Win32 API
- How to trace the call stack under x64 Windows?
- Getting the TEB of a 64bit process on WIndows