[m][PEB] Leer cadenas interesantes del PEB (Ruta, CommandLine y más)

Karcrack · Junio 16, 2013, 06:28:38 PM

Código: vb

Option Explicit

'KERNEL32
Private Declare Function lstrcpyW Lib "KERNEL32" (ByVal lpString1 As Long, ByVal lpString2 As Long) As Long
'NTDLL
Private Declare Function RtlGetCurrentPeb Lib "NTDLL" () As Long
'MSVBVM60
Private Declare Sub GetMem4 Lib "MSVBVM60" (ByVal Addr As Long, ByRef RetVal As Long)

Public Enum STRING_TYPE
    CurrentDirectoryPath = &H28
    DllPath = &H34
    ImagePathName = &H3C
    CommandLine = &H44
    WindowTitle = &H74
    DesktopName = &H7C
    ShellInfo = &H80
    RuntimeData = &H84
End Enum

'---------------------------------------------------------------------------------------
' Procedure : GetUPPString
' Author    : Karcrack
' Date      : 24/09/2009
' Purpose   : Get strings from PEB.RTL_USER_PROCESS_PARAMETERS
'---------------------------------------------------------------------------------------
'
Public Sub GetUPPString(ByRef sRet As String, ByVal lType As STRING_TYPE)
    Dim lUPP        As Long         'RTL_USER_PROCESS_PARAMETERS
    Dim lAddr       As Long         'RTL_USER_PROCESS_PARAMETERS.X
    
    Call GetMem4(RtlGetCurrentPeb + &H10, lUPP)
    Call GetMem4(lUPP + lType, lAddr)
    Call lstrcpyW(StrPtr(sRet), lAddr)
End Sub

Ejemplo de uso:

Código: vb

Sub Main()
    Dim sStr        As String * 260
    
    Call GetUPPString(sStr, ImagePathName)
    
    MsgBox "MiRuta:" & vbCrLf & sStr
End Sub

Minimalista al maximo

Cualquier duda preguntad

[m][PEB] Leer cadenas interesantes del PEB (Ruta, CommandLine y más)

Karcrack

Junio 16, 2013, 06:28:38 PM