среда, 19 декабря 2012 г.

teb32 of wow64 process

It seems that internet is full of wrong recipes how to get subj (like this one - true anal surgery IMHO)
Actually answer is very simple - TEB32 is always located at offset 0x2000 after TEB

Lets see for example function NtSetInformationThread in kernel for THREADINFOCLASS .eq. ThreadZeroTlsCell:
  mov   rcx, [r8+0F0h]           ; load _KTHREAD.Teb in rcx
  test  rcx, rcx
  jz    loc_1403E521A
  mov   rax, [rbx+418h]          ; EPROCESS.Wow64Process
  test  rax, rax
  jz    short loc_1403E5178      ; not wow64 process
  lea   r9, [rcx+2000h]          ; wow64 process - load TEB32

  mov   edx, [rsp+118h+var_AC]
  cmp   edx, 40h
  jnb   short loc_1403E519F
  test  rax, rax                 ; again check for wow64 process
  jnz   short loc_1403E5190
  mov   [rcx+rdx*8+1480h], rsi   ; store to TEB.TlsSlots[rdx]
  test  r9, r9
  jz    short loc_1403E520A
  mov   [r9+rdx*4+0E10h], esi    ; store to TEB32.TlsSlots[rdx]

Next lets check MmCreateTeb function:   
  mov   ebx, 1820h            ; sizeof(TEB)
  mov   rax, [rcx+418h]       ; EPROCESS.Wow64Process
  mov   [rsp+98h+var_78], rax
  mov   ecx, 2FE8h            ; sizeof(TEB) rounded to page size + sizeof(TEB32)
  test  rax, rax              ; check if this process is wow64
  cmovnz ebx, ecx             ; if yes apply size for both TEBs
  lea   rdx, [rsp+98h+var_60]
  mov   rcx, r12
  call  KeStackAttachProcess
  lea   r9, [rsp+98h+var_70]
  mov   r8d, ebx              ; use this size as 3rd argument to
  mov   rdx, rdi
  mov   rcx, r12
  call  MiCreatePebOrTeb

