NtQueryInformationProcess Undocumented Structs & PEB Ldr

Subscribers: 178,000
Video Link: https://www.youtube.com/watch?v=3wZCVEJOGos
Category: Guide
Duration: 18:59
8,627 views

Support us on Patreon: http://bit.ly/38mnveC

Learn how to use NtQueryInformationProcess to parse the PEB Ldr module linked list. You can use this method as an alternative to CreateToolhelp32Snapshot with Module32First/Module32Next. NtQueryInformationProcess is exported by ntdll.dll: resolve it with GetProcAddress and call it with the ProcessBasicInformation class, which fills a PROCESS_BASIC_INFORMATION structure containing the PEB address. The PEB contains the Ldr pointer (a PEB_LDR_DATA), and the Ldr contains the linked lists of loaded modules. Each module is described by an LDR_DATA_TABLE_ENTRY, which holds many useful fields such as the DLL name, the base address (DllBase) and the image size (SizeOfImage).

Time stamps:
0:00 Introduction
0:42 NtQueryInformationProcess
3:21 Grabbing definitions from x64dbg/ntdll.h
5:59 Getting PEB Externally
8:36 Getting PEB Internally
9:35 GetModuleBaseAddress from PEB

This tutorial will teach you how to use undocumented Windows structures, of which there are many. Using NtQueryInformationProcess and PROCESS_BASIC_INFORMATION is an alternative to using CreateToolhelp32Snapshot.

Discussion & Download : https://bit.ly/2UkTirE

The Windows API (WinAPI) is Microsoft's core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems. Almost all Windows programs interact with WinAPI. Although most of these APIs and the structures they use are officially documented, a portion of them is not. Those APIs and structures have been studied, reversed and documented unofficially, and their layouts can change between Windows builds, so definitions should be checked against the target build.

In this video, you will learn how to get the base address of a module from information in the PEB, and how to get the PEB either externally, using NtQueryInformationProcess, or internally. First, the undocumented struct definitions need to be grabbed; they can be found on NTinternals, in x64dbg's ntdll header file, or on the Vergilius Project. Then NtQueryInformationProcess is used to get the PEB: call it with the ProcessBasicInformation class to fill a PROCESS_BASIC_INFORMATION struct, whose PebBaseAddress field is the address of the PEB in the target, and use ReadProcessMemory with that address to read the PEB out of the process. Getting the PEB internally is easier: the TEB of the current thread, which the fs (x86) or gs (x64) segment register points at, holds the PEB pointer at fs:[0x30] or gs:[0x60], so NtCurrentTeb()->ProcessEnvironmentBlock (or __readgsqword(0x60) on x64) returns it without any call.

After having the address of the PEB, the module list is walked to get the base address of the required module. To do so, the list head is taken from the loader data (PEB->Ldr) and the list is looped through, comparing each entry's BaseDllName against the module you are looking for; the comparison should be case-insensitive, since BaseDllName keeps whatever casing the module was loaded with (KERNEL32.DLL versus kernel32.dll). Each LIST_ENTRY in the chain points at the link field inside the next LDR_DATA_TABLE_ENTRY, not at its start, so the entry address is recovered by subtracting the field offset (CONTAINING_RECORD), and the walk stops when Flink returns to the list head inside PEB_LDR_DATA. One important note: the loader keeps three lists over the same entries, in different orders (InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList), so if you need to hide your module from an anti-cheat you have to unlink it from all three, otherwise a scanner that walks a different list than the one you edited will still find it. Newer versions of ntdll also track modules in a hash table and a base-address tree reachable from the same entry, so unlinking from the lists hides the module only from list walkers.
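The procedure above, end to end, as an added C++ example that is not the video's own code: the undocumented 64-bit layouts are hand-copied (with static_asserts on the known offsets), the list walk is written against a read callback so the same function works on a live process through ReadProcessMemory and on a constructed, made-up process image that stands in for a target here, and the Windows-only part at the bottom resolves NtQueryInformationProcess from ntdll, fills PROCESS_BASIC_INFORMATION, and shows the internal shortcut through the TEB. FakeProcess, LookupFake, the module names and the base addresses in the image are assumptions made for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <string>
#include <vector>

// 64-bit layouts of the undocumented structs the walk touches (copied as the video does from x64dbg's ntdll.h);
// only the fields used are named, everything else is padding.
struct LIST_ENTRY64 { uint64_t Flink, Blink; };
struct UNICODE_STRING64 { uint16_t Length, MaximumLength; uint32_t Pad; uint64_t Buffer; };
struct PEB64 { uint8_t Flags[8]; uint64_t Mutant, ImageBaseAddress, Ldr; };
struct PEB_LDR_DATA64 {
    uint32_t Length; uint8_t Initialized, Pad[3]; uint64_t SsHandle;
    LIST_ENTRY64 InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
};
struct LDR_DATA_TABLE_ENTRY64 {
    LIST_ENTRY64 InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    uint64_t DllBase, EntryPoint; uint32_t SizeOfImage, Pad;
    UNICODE_STRING64 FullDllName, BaseDllName;
};
static_assert(offsetof(PEB64, Ldr) == 0x18 && offsetof(PEB_LDR_DATA64, InMemoryOrderModuleList) == 0x20, "layout");
static_assert(offsetof(LDR_DATA_TABLE_ENTRY64, DllBase) == 0x30 && offsetof(LDR_DATA_TABLE_ENTRY64, BaseDllName) == 0x58, "layout");
// Memory access is abstracted so the same walk runs on a live target (ReadProcessMemory, bottom) and on the image below.
using ReadFn = std::function<bool(uint64_t addr, void* out, size_t len)>;
struct ModuleInfo { uint64_t base = 0; uint32_t size = 0; std::u16string name; };
static std::u16string Lower(std::u16string s) { for (auto& c : s) if (c >= u'A' && c <= u'Z') c = char16_t(c + 32); return s; }
// PEB -> Ldr -> InMemoryOrderModuleList -> LDR_DATA_TABLE_ENTRY chain; the walk ends when Flink wraps back to
// the list head, which lives inside PEB_LDR_DATA rather than inside an entry.
bool FindModuleFromPeb(const ReadFn& read, uint64_t pebAddr, const std::u16string& wanted, ModuleInfo& out) {
    PEB64 peb{}; PEB_LDR_DATA64 ldr{};
    if (!read(pebAddr, &peb, sizeof peb) || !peb.Ldr || !read(peb.Ldr, &ldr, sizeof ldr)) return false;
    const uint64_t head = peb.Ldr + offsetof(PEB_LDR_DATA64, InMemoryOrderModuleList);
    for (uint64_t link = ldr.InMemoryOrderModuleList.Flink, n = 0; link && link != head && n < 4096; ++n) {  // n guards a cut or looped list
        LDR_DATA_TABLE_ENTRY64 e{};  // CONTAINING_RECORD: Flink points at InMemoryOrderLinks, not at the entry's start
        if (!read(link - offsetof(LDR_DATA_TABLE_ENTRY64, InMemoryOrderLinks), &e, sizeof e)) return false;
        std::u16string name(e.BaseDllName.Length / 2, u'\0');  // UNICODE_STRING.Length counts bytes
        if (!name.empty() && !read(e.BaseDllName.Buffer, &name[0], e.BaseDllName.Length)) return false;
        if (Lower(name) == Lower(wanted)) { out.base = e.DllBase; out.size = e.SizeOfImage; out.name = name; return true; }
        link = e.InMemoryOrderLinks.Flink;
    }
    return false;
}
// Constructed image of a fake 64-bit process (made up, not captured from a real one): a PEB, a PEB_LDR_DATA and
// three entries chained in memory order at an arbitrary base. Blink is left 0 because the walk only follows Flink.
constexpr uint64_t kFakeBase = 0x7FF500000000ULL;
struct FakeProcess {
    std::vector<uint8_t> mem = std::vector<uint8_t>(0x1000);
    uint64_t pebAddr = kFakeBase;
    bool Read(uint64_t addr, void* out, size_t len) const {
        if (addr < kFakeBase || addr + len > kFakeBase + mem.size()) return false;  // outside the image
        std::memcpy(out, mem.data() + (addr - kFakeBase), len); return true;
    }
    void Put(uint64_t addr, const void* v, size_t len) { std::memcpy(mem.data() + (addr - kFakeBase), v, len); }
    ReadFn Reader() const { return [this](uint64_t a, void* o, size_t n) { return Read(a, o, n); }; }
};
FakeProcess BuildFakeProcess() {
    FakeProcess fp;
    const uint64_t ldrAddr = kFakeBase + 0x100, entryAddr[3] = { kFakeBase + 0x200, kFakeBase + 0x300, kFakeBase + 0x400 };
    const char16_t* dll[3] = { u"fake.exe", u"ntdll.dll", u"KERNEL32.DLL" };
    const uint64_t bases[3] = { 0x140000000ULL, 0x7FFA00C00000ULL, 0x7FFA00010000ULL };
    const uint32_t sizes[3] = { 0x5000, 0x1F0000, 0xC0000 };
    const uint64_t linkOff = offsetof(LDR_DATA_TABLE_ENTRY64, InMemoryOrderLinks), head = ldrAddr + offsetof(PEB_LDR_DATA64, InMemoryOrderModuleList);
    PEB64 peb{}; peb.ImageBaseAddress = bases[0]; peb.Ldr = ldrAddr; fp.Put(fp.pebAddr, &peb, sizeof peb);
    PEB_LDR_DATA64 ldr{}; ldr.Initialized = 1; ldr.InMemoryOrderModuleList.Flink = entryAddr[0] + linkOff;
    fp.Put(ldrAddr, &ldr, sizeof ldr);
    uint64_t nameAddr = kFakeBase + 0x800;
    for (int i = 0; i < 3; ++i) {
        LDR_DATA_TABLE_ENTRY64 e{};
        e.InMemoryOrderLinks.Flink = (i == 2) ? head : entryAddr[(i + 1) % 3] + linkOff;  // last entry points back at the head
        e.DllBase = bases[i]; e.SizeOfImage = sizes[i];
        const uint16_t bytes = uint16_t(std::char_traits<char16_t>::length(dll[i]) * 2);
        e.BaseDllName.Length = bytes; e.BaseDllName.MaximumLength = bytes + 2; e.BaseDllName.Buffer = nameAddr;
        fp.Put(nameAddr, dll[i], bytes); nameAddr += bytes + 2;
        fp.Put(entryAddr[i], &e, sizeof e);
    }
    return fp;
}
ModuleInfo LookupFake(const char16_t* name) {  // base stays 0 when the name is not in the list
    FakeProcess fp = BuildFakeProcess(); ModuleInfo mi;
    FindModuleFromPeb(fp.Reader(), fp.pebAddr, name, mi); return mi;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>  // PROCESS_BASIC_INFORMATION (PebBaseAddress named, the rest Reserved*) and ProcessBasicInformation
typedef NTSTATUS (NTAPI* NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
uint64_t GetRemotePeb(HANDLE hProcess) {  // needs PROCESS_QUERY_INFORMATION; the walk itself also needs PROCESS_VM_READ
    auto fn = (NtQIP_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    PROCESS_BASIC_INFORMATION pbi{}; ULONG ret = 0;
    if (!fn || fn(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, &ret) < 0) return 0;  // NTSTATUS < 0 is failure
    return (uint64_t)(uintptr_t)pbi.PebBaseAddress;
}
ReadFn MakeRpmReader(HANDLE hProcess) {
    return [hProcess](uint64_t a, void* o, size_t n) {
        SIZE_T got = 0; return ReadProcessMemory(hProcess, (LPCVOID)(uintptr_t)a, o, n, &got) != 0 && got == n; };
}
uint64_t GetOwnPeb() { return (uint64_t)(uintptr_t)NtCurrentTeb()->ProcessEnvironmentBlock; }  // internal: TEB (gs:[0x60] on x64) holds the PEB pointer
#endif
```

On Windows, `FindModuleFromPeb(MakeRpmReader(h), GetRemotePeb(h), u"ntdll.dll", mi)` does the external lookup for any handle `h` opened with the rights noted in the code, and `GetOwnPeb()` feeds the same walk from inside the process. The layouts are the 64-bit ones, so run it as a 64-bit process against 64-bit targets; a WoW64 (32-bit) target has a separate 32-bit PEB with 4-byte pointers and different offsets, whose address NtQueryInformationProcess returns for the ProcessWow64Information class.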

After finishing this video, you will have knowledge about some undocumented WinAPI functions and structs as well as how to get the base address of a module by parsing data from the PEB.

Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu
https://guidedhacking.com

Tags:
guidedhacking
NtQueryInformationProcess
NtQueryProcessInformation
NtQueryInformationProcess tutorial
undocumented structures
undocumented windows
undocumented functions
ntinternals
peb ldr
PROCESS_BASIC_INFORMATION
toolhelp32snapshot alternative
peb ldr tutorial
ProcessBasicInformation
query process information
nt query information process