Win10下面获取PPEB->ThreadLocalStoragePointer失败XP下正常win7win8没测试
发表于:
2017-1-10 17:29
Win10下面获取PPEB->ThreadLocalStoragePointer失败XP下正常win7win8没测试
标题打错了这里改一下不是PPEB而是PTEB->ThreadLocalStoragePointer
我在Win10下面(win7win8没测试)获取PTEB->ThreadLocalStoragePointer失败
下面的代码在XP下可以正常获取到PTEB->ThreadLocalStoragePointer但在Win10下面就不行
在没有使用TLS的程序中,这个指针应该为NULL;在XP下确实为NULL,但在Win10下面就获取不到正确的数值。代码在下面,求大神们帮帮忙,3Q!!!!
#include "stdafx.h"
#include <stdlib.h>
#include <Windows.h>
/*
 * Return the address of the calling thread's TEB (32-bit x86, MSVC only).
 *
 * fs:[0x18] holds the TEB's self pointer on 32-bit Windows, so the value
 * read here is the linear address of the TEB itself. NtCurrentTeb() from
 * winnt.h is the documented way to obtain the same pointer.
 */
LPVOID PeLoaderGetTeb()
{
    LPVOID self = NULL;

    /* EAX is a scratch register inside an MSVC __asm block, so it does not
       have to be saved and restored around the read. */
    __asm
    {
        mov eax, fs:[0x18]
        mov self, eax
    }

    return self;
}
/*
 * Return the address of the current process's PEB (32-bit x86, MSVC only).
 *
 * fs:[0x30] is the ProcessEnvironmentBlock field of the 32-bit TEB. The
 * offset is specific to the 32-bit layout; a 64-bit build uses a different
 * segment register and offset, and MSVC does not accept __asm blocks there.
 */
LPVOID PeLoaderGetPeb()
{
    LPVOID process_block = NULL;

    /* EAX is a scratch register inside an MSVC __asm block, so it does not
       have to be saved and restored around the read. */
    __asm
    {
        mov eax, fs:[0x30]
        mov process_block, eax
    }

    return process_block;
}
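/*
 * Print the address and the current value of TEB->ThreadLocalStoragePointer
 * for the calling thread, together with the OS major version from the PEB.
 *
 * Hard-coded offsets, all valid for the 32-bit TEB/PEB layout only:
 *   PEB + 0xA4  OSMajorVersion
 *   PEB + 0xA8  OSMinorVersion (not read here)
 *   TEB + 0x2C  ThreadLocalStoragePointer
 * These are internal structure offsets, not a documented interface; a
 * 64-bit build needs different values.
 *
 * The original had one branch for "major version < 10" and one for
 * Windows 10, but both did exactly the same read, so they are merged and
 * the version is printed instead.
 *
 * NOTE(review): a non-NULL value on Windows 10 does not by itself mean the
 * read is wrong. The field points to the thread's TLS vector, which the
 * loader sets up when a module in the process carries a TLS directory.
 * Presumably a system DLL or the CRT linked into this program has one even
 * though the program declares no __declspec(thread) data itself. Confirm
 * by inspecting IMAGE_DIRECTORY_ENTRY_TLS of the EXE and its loaded DLLs.
 */
int main(int argc, char* argv[])
{
    LPBYTE peb = (LPBYTE)PeLoaderGetPeb();
    LPBYTE teb = (LPBYTE)PeLoaderGetTeb();
    WORD os_major = *(WORD*)(peb + 0xA4);

    /* Address of the TEB field itself, not the value stored in it. */
    LPVOID *ThreadLocalStoragePointer = (LPVOID*)(teb + 0x2C);

    (void)argc;
    (void)argv;

    printf("OSMajorVersion: %u\n", (unsigned)os_major);

    /* Pointers are printed with %p: passing a pointer for %X is a format
       mismatch. The literal "0x" is kept because MSVC's %p prints bare hex
       digits without a prefix. The label is unchanged from the original,
       although the value is TEB + 0x2C rather than the TEB base. */
    printf("PeLoaderGetTeb: 0x%p\n", (void*)ThreadLocalStoragePointer);
    printf("ThreadLocalStoragePointer: 0x%p\n", (void*)*ThreadLocalStoragePointer);

    /* The original carried a commented-out experiment that overwrote the
       field with a dummy value. It is left out: the loader and the CRT own
       this pointer, and changing it breaks every thread-local access made
       afterwards by this thread. */

    system("pause");
    return 0;
}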