Closed. Alesan closed this issue 1 year ago.
Apologies for the late reply, I am in the process of moving houses.
According to the core docs here, what you want is ProcessInfo.address, which can be retrieved like so:
from memflow import *
import logging

# Setup logging
FORMAT = "%(levelname)s %(name)s %(asctime)-15s %(filename)s:%(lineno)d %(message)s"
logging.basicConfig(format=FORMAT)
logging.getLogger().setLevel(logging.INFO)

class PEB(Structure):
    # Only the leading part of the x64 PEB is described here;
    # ImageBaseAddress sits at offset 0x10.
    _fields_ = [
        # TODO: Finish
        ("_pad_0x0", c_byte * 0x10),
        ("ImageBaseAddress", c_uint64)
    ]

    def __str__(self):
        return f"ImageBaseAddress = {hex(self.ImageBaseAddress)}"

class EPROCESS(Structure):
    _fields_ = []
    # Sparse layout: only the PEB pointer, at its offset for this Windows build
    _offsets_ = [
        (0x550, "PEB", POINTER64(PEB))
    ]

inventory = Inventory()
conn = inventory.create_connector("kvm")
os = inventory.create_os("win32", conn)
process = os.process_from_name("lsass.exe")
# EPROCESS lives in kernel memory, so it is read through the OS object
eprocess = os.read(process.info().address, EPROCESS)
print(eprocess)
# The PEB lives in the process's own address space, so it is read through the process
peb = process.read_ptr(eprocess.PEB)
print(peb)

Output:
PEB=PEB @ 0x84ac9fa000
ImageBaseAddress = 0x7ff654cb0000
It should be noted that the PEB offset 0x550 in EPROCESS can change across Windows versions; for compatibility I would first check the field eproc_peb within these configuration files.
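The version dependence of the EPROCESS-to-PEB offset is the part that bites in practice: a stale offset does not fail loudly, it silently hands back a pointer into whatever happens to sit at that offset. The following is an added example, not memflow's code or the code from the reply above; it uses only ctypes and constructed EPROCESS/PEB byte images, so it runs offline. The per-build offset table is an assumption for illustration (real values belong in memflow-win32's offset files under eproc_peb), and the sanity checks show how to notice a wrong offset before trusting the resulting PEB read.

```python
from ctypes import Structure, c_ubyte, c_uint64, sizeof

# Illustrative per-build EPROCESS.Peb offsets (assumption for this example;
# take real values from memflow-win32's offset files, key "eproc_peb").
EPROC_PEB_OFFSET = {
    "10.0.19041": 0x550,
    "10.0.22000": 0x550,
    "6.1.7601": 0x338,
}

USER_VA_MAX = 0x00007FFFFFFFFFFF  # top of the x64 user-mode address range


class PEB(Structure):
    """Leading fields of the x64 _PEB. ctypes' natural alignment places
    Mutant at 0x8 and ImageBaseAddress at 0x10, matching Windows."""
    _fields_ = [
        ("InheritedAddressSpace", c_ubyte),
        ("ReadImageFileExecOptions", c_ubyte),
        ("BeingDebugged", c_ubyte),
        ("BitField", c_ubyte),
        ("_pad_0x4", c_ubyte * 4),
        ("Mutant", c_uint64),
        ("ImageBaseAddress", c_uint64),
    ]


def peb_pointer(eprocess: bytes, build: str) -> int:
    """Pull the PEB pointer out of a raw EPROCESS image using the offset for
    `build`. Values that cannot be a user-mode, page-aligned pointer are
    rejected; that is what a wrong offset usually yields (zero, a kernel
    address, or unrelated bytes)."""
    off = EPROC_PEB_OFFSET[build]
    if off + 8 > len(eprocess):
        raise ValueError(f"EPROCESS image too short for offset {off:#x}")
    va = int.from_bytes(eprocess[off:off + 8], "little")
    if va == 0 or va > USER_VA_MAX or va & 0xFFF:
        raise ValueError(f"{va:#x} at eproc_peb={off:#x} is not a plausible PEB pointer")
    return va


def image_base(peb_image: bytes) -> int:
    """Parse ImageBaseAddress from a raw PEB image. PE images are mapped at
    64 KiB granularity, so a misaligned value means the PEB bytes are wrong."""
    if len(peb_image) < sizeof(PEB):
        raise ValueError("PEB image too short")
    peb = PEB.from_buffer_copy(peb_image[:sizeof(PEB)])
    if peb.ImageBaseAddress == 0 or peb.ImageBaseAddress & 0xFFFF:
        raise ValueError(f"ImageBaseAddress {peb.ImageBaseAddress:#x} is not 64 KiB aligned")
    return peb.ImageBaseAddress


# --- constructed sample memory (not a real dump) -----------------------------
SAMPLE_PEB_VA = 0x84AC9FA000
SAMPLE_IMAGE_BASE = 0x7FF654CB0000


def build_sample_eprocess(build: str) -> bytes:
    """Constructed EPROCESS image: 0xFF filler with the PEB pointer planted at
    the offset `build` uses. Reading it with another build's offset returns
    filler, which peb_pointer() rejects."""
    buf = bytearray(b"\xff" * 0x600)
    off = EPROC_PEB_OFFSET[build]
    buf[off:off + 8] = SAMPLE_PEB_VA.to_bytes(8, "little")
    return bytes(buf)


def build_sample_peb() -> bytes:
    """Constructed PEB image with a plausible ImageBaseAddress."""
    peb = PEB(BeingDebugged=0, Mutant=0xFFFFFFFFFFFFFFFF, ImageBaseAddress=SAMPLE_IMAGE_BASE)
    return bytes(peb)


if __name__ == "__main__":
    eproc = build_sample_eprocess("10.0.19041")
    print(f"PEB @ {peb_pointer(eproc, '10.0.19041'):#x}")
    print(f"ImageBaseAddress = {image_base(build_sample_peb()):#x}")
    try:
        peb_pointer(eproc, "6.1.7601")  # wrong build for this image
    except ValueError as err:
        print("wrong build offset caught:", err)
```

In a real memflow script the two byte images would come from os.read() on the EPROCESS address and process.read() on the resulting PEB pointer; the checks stay the same, and the offset table is what you would populate from the eproc_peb field of the configuration file matching the target's build.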
Hello,
I hope you are doing well. I would like to request your help in obtaining the Process Environment Block (PEB) address of a process in Windows using your module.
The PEB is a crucial data structure that contains critical information about a running process. I am interested in accessing this information to analyze and better understand the behavior of certain processes in my application.
I would appreciate it if you could provide guidance on how I can use your library to access the PEB of a process. Any code examples, documentation, or related resources would be greatly appreciated.
Thank you very much for your time and consideration.
Thank you in advance, Alejandro