SEH Address

Forum for discussion about user-mode development.
Post Reply
nothern
Posts: 1
Joined: Sat Nov 23, 2013 4:39 pm

SEH Address

Post by nothern » Mon Jul 27, 2015 11:32 am

Hi, i'am trying to get the SEH address of a remote process , however it seems that when i grab the TIB structure from the process, ExceptionList Field is always invalid whereas when i attach ollydbg to the process he successfully get the SEH Address from TIB, here is my code :

Code: Select all

THREAD_BASIC_INFORMATION tbi;
	TEB threadTEB;
	NT_TIB32 threadTIB;
	DWORD dwOld = 0;
	DWORD dwRead = 0;
	DWORD dwOut = 0;
	
	NTSTATUS ret = NtQueryInformationThread(hThread,ThreadBasicInformation,&tbi,sizeof(THREAD_BASIC_INFORMATION),&dwOut);
	if(NT_SUCCESS(ret))
	{
		printf("[*]Thread Information Grabbed");

		ret = NtReadVirtualMemory(hProcess,tbi.TebBaseAddress,&threadTEB,sizeof(TEB),&dwRead);
		if(NT_SUCCESS(ret))
		{
			printf("[*]Thread TEB Grabbed");
			printf("[*]Thread TIB Address : %x",threadTEB.NtTib.Self);

			VirtualProtectEx(hProcess,threadTEB.NtTib.Self,sizeof(NT_TIB32),PAGE_READWRITE,&dwOld);
			ret = NtReadVirtualMemory(hProcess,threadTEB.NtTib.Self,&threadTIB,sizeof(NT_TIB32),&dwRead);
			if(NT_SUCCESS(ret))
			{
				printf("[*]Thread TIB Grabbed");
				printf("[*]TIB Stack Base : %x",threadTIB.StackBase);
				printf("[*]TIB Version : %d",threadTIB.Version);
				printf("[*]Exception List FirstPointer : %x",threadTIB.ExceptionList);
	
			}
			else
			{
				printf("Error Grab TIB : %x",ret);
			}

		}
		else
		{
			printf("Error Grab TEB : %x",ret);
		}
	}
Thanks for help (and maybe i should put that in newbie question , i don't really know)

edit: In fact i found , it's just because i was dumping the TIB too fast so the process was not entirely initialized

Post Reply