TechQA.

32-bit process failed to get another 32-bit process's PEB on Windows10 x64 system

382 views Asked by At

Code:

STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };

WCHAR lpCmdline[] = L"ad.exe";
if (!CreateProcess(
    NULL,
    lpCmdline,
    NULL, NULL, TRUE,
    CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
    wprintf(L"Create process fail: %d\n", GetLastError());
    return -1;
}

PROCESS_BASIC_INFORMATION pbi = { 0 };
NtQueryInformationProcessFn pNtQueryInformationProcess = (NtQueryInformationProcessFn) \
    GetProcAddress(LoadLibrary(L"ntdll"), "NtQueryInformationProcess");

ULONG dwRead;
if (NT_ERROR(pNtQueryInformationProcess(
    pi.hProcess, ProcessBasicInformation,
    &pbi, sizeof pbi, &dwRead))) {
    wprintf(L"Call NtQueryInformationProcess error: %d\n", GetLastError());
    return -1;
}

PEB peb = { 0 };
SIZE_T stRead;
if (!ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof PEB, NULL)) {
    wprintf(L"Call ReadProcessMemory fail: %d\n", GetLastError());
    return -1;
}

return 0;

Compiled as x86 binary, and the ad.exe is also x86 binary. System is Windows10 64-bit

PS C:\> .\t.exe
Call ReadProcessMemory fail: 6
PS C:\> file .\t.exe
.\t.exe: PE32 executable (console) Intel 80386, for MS Windows
PS C:\> file .\ad.exe
.\ad.exe: PE32 executable (console) Intel 80386, for MS Windows
c++ winapi readprocessmemory wow64
Original Q&A
0

There are 0 answers

Related Questions in C++

Related Questions in WINAPI

Related Questions in READPROCESSMEMORY

Related Questions in WOW64

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions