Actually answer is very simple - TEB32 is always located at offset 0x2000 after TEB
Proofs
Lets see for example function NtSetInformationThread in kernel for THREADINFOCLASS .eq. ThreadZeroTlsCell:
mov rcx, [r8+0F0h] ; load _KTHREAD.Teb in rcx
test rcx, rcx
jz loc_1403E521A
mov rax, [rbx+418h] ; EPROCESS.Wow64Process
test rax, rax
jz short loc_1403E5178 ; not wow64 process
lea r9, [rcx+2000h] ; wow64 process - load TEB32
loc_1403E5178: mov edx, [rsp+118h+var_AC]
cmp edx, 40h
jnb short loc_1403E519F
test rax, rax ; again check for wow64 process
jnz short loc_1403E5190
mov [rcx+rdx*8+1480h], rsi ; store to TEB.TlsSlots[rdx]
loc_1403E5190:
test r9, r9
jz short loc_1403E520A
mov [r9+rdx*4+0E10h], esi ; store to TEB32.TlsSlots[rdx]
Next lets check MmCreateTeb function:
mov ebx, 1820h ; sizeof(TEB)
mov rax, [rcx+418h] ; EPROCESS.Wow64Process
mov [rsp+98h+var_78], rax
mov ecx, 2FE8h ; sizeof(TEB) rounded to page size + sizeof(TEB32)
test rax, rax ; check if this process is wow64
cmovnz ebx, ecx ; if yes apply size for both TEBs
lea rdx, [rsp+98h+var_60]
mov rcx, r12
call KeStackAttachProcess
lea r9, [rsp+98h+var_70]
mov r8d, ebx ; use this size as 3rd argument to MiCreatePebOrTeb mov rdx, rdi
mov rcx, r12
call MiCreatePebOrTeb
really helpful , thanks a lot
ОтветитьУдалить