NtQueryInformationProcess

Get Base Address of Remote Process

STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
PROCESS_BASIC_INFORMATION pbi = {0};

// Relies on CreateFileW for handle
if (CreateProcessW(L"C:\\Windows\\System32\\svchost.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, pSi, pPi) == 0) {
    wprintf(L"CreateProcessW Failed %d", GetLastError()) ;
    return FALSE;
};


PVOID FetchRemoteBaseAddress(PPROCESS_INFORMATION pPi, PPROCESS_BASIC_INFORMATION pPbi) {

    fnNtQueryInformationProcess NtQueryInformationProcess = (fnNtQueryInformationProcess)GetProcAddress(GetModuleHandle(L"NTDLL.DLL"), "NtQueryInformationProcess");
    // get target image PEB address and pointer to image base
    DWORD dwReturnLength = 0;
    LPVOID imageBase;
    NtQueryInformationProcess(pPi->hProcess, ProcessBasicInformation, pPbi, sizeof(PROCESS_BASIC_INFORMATION), &dwReturnLength);
    DWORD_PTR pebOffset = (DWORD_PTR)pPbi->PebBaseAddress + 0x10;
    ReadProcessMemory(pPi->hProcess, (LPCVOID)pebOffset, &imageBase, sizeof(LPVOID), NULL);
    return imageBase;
}

PreviousNtQuerySystemInformation NextThread Enumeration

Last updated 8 months ago