Hi, i'am trying to get the SEH address of a remote process , however it seems that when i grab the TIB structure from the process, ExceptionList Field is always invalid whereas when i attach ollydbg to the process he successfully get the SEH Address from TIB, here is my code :
edit: In fact i found , it's just because i was dumping the TIB too fast so the process was not entirely initialized
Code: Select all
Thanks for help (and maybe i should put that in newbie question , i don't really know)THREAD_BASIC_INFORMATION tbi;
TEB threadTEB;
NT_TIB32 threadTIB;
DWORD dwOld = 0;
DWORD dwRead = 0;
DWORD dwOut = 0;
NTSTATUS ret = NtQueryInformationThread(hThread,ThreadBasicInformation,&tbi,sizeof(THREAD_BASIC_INFORMATION),&dwOut);
if(NT_SUCCESS(ret))
{
printf("[*]Thread Information Grabbed");
ret = NtReadVirtualMemory(hProcess,tbi.TebBaseAddress,&threadTEB,sizeof(TEB),&dwRead);
if(NT_SUCCESS(ret))
{
printf("[*]Thread TEB Grabbed");
printf("[*]Thread TIB Address : %x",threadTEB.NtTib.Self);
VirtualProtectEx(hProcess,threadTEB.NtTib.Self,sizeof(NT_TIB32),PAGE_READWRITE,&dwOld);
ret = NtReadVirtualMemory(hProcess,threadTEB.NtTib.Self,&threadTIB,sizeof(NT_TIB32),&dwRead);
if(NT_SUCCESS(ret))
{
printf("[*]Thread TIB Grabbed");
printf("[*]TIB Stack Base : %x",threadTIB.StackBase);
printf("[*]TIB Version : %d",threadTIB.Version);
printf("[*]Exception List FirstPointer : %x",threadTIB.ExceptionList);
}
else
{
printf("Error Grab TIB : %x",ret);
}
}
else
{
printf("Error Grab TEB : %x",ret);
}
}edit: In fact i found , it's just because i was dumping the TIB too fast so the process was not entirely initialized
