TEB信息是在0x7FFxxxxx的，所以有了地址就可以用ZwReadVirtualMemory读，获取TEB地址方法如下：
ZwQueryInformationThread的0号调用（ThreadBasicInformation），返回类型为_THREAD_BASIC_INFORMATION，定义如下：

typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PTEB TebBaseAddress;
    CLIENT_ID ClientId;
    ULONG_PTR AffinityMask;
    KPRIORITY Priority;
    LONG BasePriority;
} THREAD_BASIC_INFORMATION;

其中的TebBaseAddress就是TEB地址
ZwQueryInformationThread的ThreadHandle就是hThread了

函数原型等：

NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread (
    __in HANDLE ThreadHandle,
    __in THREADINFOCLASS ThreadInformationClass,
    __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
    __in ULONG ThreadInformationLength,
    __out_opt PULONG ReturnLength
    );
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    ThreadBreakOnTermination,
    ThreadSwitchLegacyState,
    ThreadIsTerminated,
    MaxThreadInfoClass
    } THREADINFOCLASS;
PVOID ThreadInformation是指向返回数据缓冲区的指针。

给的都是nativeApi，如果要用win32api可以用ReadProcessMemory，至于ZwQueryInfoThread的话，偶也不知道什么win32api可以搞定~  nativeAPI用多了 -。-

ZwReadVirtualMemory & ZwQueryInformationThread位于ntdll.dll

谢谢炉子兄弟了，
我忘了还有NtQueryInformationThread存在哈。