ZwQueryInformationThread(ThreadTebInformation)

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //A new method introduced in recent versions of Windows to Copy certain fields of TEB's of remote threads.
4. #include "stdafx.h"
5. #include "windows.h"
6. #include "stdio.h"
7.  
8. #define ThreadTebInformation            0x1A
9.  
10. extern "C"
11. {
12. int __stdcall ZwSetInformationThread(HANDLE,unsigned long,unsigned long*,unsigned long);
13. int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,unsigned long*,unsigned long,unsigned long*);
14. }
15.  
16. struct TEB_INFO
17. {
18.     void* pDest; //Receives read TEB info.
19.     unsigned long Offset; //Offset at which TEB fields are read.
20.     unsigned long NumOfBytes; //Number of Bytes to read (0xFE4 as Max).
21. };
22.  
23. int main(int argc, char* argv[])
24. {
25.     //-----------
26.     char* ShadowTEB=(char*)LocalAlloc(LMEM_ZEROINIT,0x1000);
27.  
28.     TEB_INFO TB={ShadowTEB,0x0,0xFE4};
29.     int ret=ZwQueryInformationThread(GetCurrentThread(),
30.                                         ThreadTebInformation,
31.                                         (unsigned long*)(&TB),sizeof(TB),0);
32.     if(ret>=0)  printf("Okay\r\n");
33.     else        printf("Error: %x\r\n",ret);
34.  
35.     LocalFree(ShadowTEB);
36.     return 0;
37. }