Realized that by using NtQueryInformationProcess and NtQueryInformationThread, we can get both the PEB base address of the process and the entry point of any thread in any process. As a bonus, we can remove the need to use GetProcessId and even GetModuleFileName, since we can get that same info from NtQueryInformationProcess with nothing more than a handle, which we already have. Note that the ProcessInformationClass parameter should be ProcessBasicInformation and receive a struct: https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess, and the ThreadInformationClass parameter should be ThreadQuerySetWin32StartAddress to get the thread entry point: https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationthread.
Will prioritize this, as it should be 100% safe when updated to use these functions and could be used universally to enum handles for any other malware ops such as process injection, thread hijacking, process hollowing, memory dumping, hooking / unhooking, etc.
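Added example, not the project's own code: the two queries described above done in Python with ctypes, plus the defender-side check a handle-inspection tool would pair them with, namely whether a thread's recorded start address falls inside a known loaded module. The information-class values 0 and 9 are the winternl.h definitions; `backing_module` and its (name, base, size) module list are assumptions of this example, and the Nt* calls themselves only run on Windows.

```python
import ctypes

# Information-class values as defined in winternl.h.
ProcessBasicInformation = 0
ThreadQuerySetWin32StartAddress = 9
NTSTATUS = ctypes.c_int32      # LONG is 32-bit on every Windows platform
ULONG_PTR = ctypes.c_size_t    # pointer-sized unsigned integer

class PROCESS_BASIC_INFORMATION(ctypes.Structure):  # winternl.h layout
    _fields_ = [("ExitStatus", NTSTATUS),
                ("PebBaseAddress", ctypes.c_void_p),
                ("AffinityMask", ULONG_PTR),
                ("BasePriority", ctypes.c_int32),   # KPRIORITY
                ("UniqueProcessId", ULONG_PTR),
                ("InheritedFromUniqueProcessId", ULONG_PTR)]

def nt_success(status):
    """NT_SUCCESS(): success and informational NTSTATUS values are >= 0."""
    return status >= 0

def _nt_query(func_name, handle, info_class, buf):
    """Run an ntdll Nt*Information query (Windows only) into the ctypes buf."""
    fn = getattr(ctypes.WinDLL("ntdll"), func_name)
    fn.restype = NTSTATUS
    fn.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p,
                   ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    status = fn(handle, info_class, ctypes.byref(buf), ctypes.sizeof(buf),
                ctypes.byref(ctypes.c_ulong(0)))
    if not nt_success(status):
        raise OSError(f"{func_name} failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")

def query_process_basic_info(hprocess):
    """Return (PebBaseAddress, UniqueProcessId) using only a process handle."""
    pbi = PROCESS_BASIC_INFORMATION()
    _nt_query("NtQueryInformationProcess", hprocess, ProcessBasicInformation, pbi)
    return pbi.PebBaseAddress, pbi.UniqueProcessId

def query_thread_start_address(hthread):
    """Return the Win32 start address recorded for a thread handle."""
    start = ctypes.c_void_p()
    _nt_query("NtQueryInformationThread", hthread,
              ThreadQuerySetWin32StartAddress, start)
    return start.value

def backing_module(addr, modules):
    """Name of the (name, base, size) entry whose range holds addr, else None.
    A thread start address that no loaded module backs is a classic injection signal."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None
```

On Windows the pseudo-handles from kernel32 GetCurrentProcess/GetCurrentThread are enough to try both queries against the running process; a real inspection tool would feed `backing_module` the module list it already enumerates for the target.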
This is a nonpublic technique.