
[m][PEB] Read interesting strings from the PEB (Path, CommandLine and more)

Karcrack
```vb
Option Explicit

Private Declare Function lstrcpyW Lib "KERNEL32" (ByVal lpString1 As Long, ByVal lpString2 As Long) As Long
Private Declare Function RtlGetCurrentPeb Lib "NTDLL" () As Long
Private Declare Sub GetMem4 Lib "MSVBVM60" (ByVal Addr As Long, ByRef RetVal As Long)

' Offsets of UNICODE_STRING.Buffer inside RTL_USER_PROCESS_PARAMETERS (32-bit layout only;
' each value is the field's UNICODE_STRING offset + 4, and will not work in a 64-bit process)
Public Enum STRING_TYPE
    CurrentDirectoryPath = &H28
    DllPath = &H34
    ImagePathName = &H3C
    CommandLine = &H44
    WindowTitle = &H74
    DesktopName = &H7C
    ShellInfo = &H84      ' UNICODE_STRING at &H80, Buffer at &H84 (&H80 would read Length/MaximumLength as a pointer)
    RuntimeData = &H8C    ' UNICODE_STRING at &H88, Buffer at &H8C
End Enum

' Procedure : GetUPPString
' Author    : Karcrack
' Date      : 24/09/2009
' Purpose   : Get strings from PEB.RTL_USER_PROCESS_PARAMETERS
Public Sub GetUPPString(ByRef sRet As String, ByVal lType As STRING_TYPE)
    Dim lUPP        As Long         'RTL_USER_PROCESS_PARAMETERS
    Dim lAddr       As Long         'RTL_USER_PROCESS_PARAMETERS.X.Buffer
    Call GetMem4(RtlGetCurrentPeb + &H10, lUPP)     'PEB.ProcessParameters lives at +&H10 in the x86 PEB
    Call GetMem4(lUPP + lType, lAddr)               'UNICODE_STRING.Buffer pointer of the requested field
    If lAddr = 0 Then Exit Sub                      'fields such as WindowTitle may be empty (NULL Buffer)
    'lstrcpyW copies up to the terminating NUL with no length limit, so sRet must already be
    'a buffer large enough for the string (the usage example passes a fixed-length String * 260)
    Call lstrcpyW(StrPtr(sRet), lAddr)
End Sub
```
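To make the offset table and the pointer chain above concrete without touching a live process, here is an added example (not part of the original post) that declares the 32-bit RTL_USER_PROCESS_PARAMETERS layout with ctypes, derives every STRING_TYPE value from it, and walks PEB -> ProcessParameters -> UNICODE_STRING.Buffer over a constructed memory image. The base address, PEB placement and string contents are made up for the demonstration; the `FakeMemory` class stands in for `GetMem4`/`ReadProcessMemory`. The bounded reader shows the defensive variant a forensic or EDR tool should prefer: honouring `UNICODE_STRING.Length` instead of scanning for a NUL as `lstrcpyW` does.

```python
"""Derive the STRING_TYPE offsets from the x86 RTL_USER_PROCESS_PARAMETERS layout and
replay the GetUPPString pointer chain over a constructed 32-bit memory image."""
import ctypes
from ctypes import Structure, c_uint16, c_uint32

# Fixed-width fields only: the offsets are for a 32-bit process, so c_void_p/c_ulong must not be used.
class UNICODE_STRING32(Structure):
    _fields_ = [("Length", c_uint16), ("MaximumLength", c_uint16), ("Buffer", c_uint32)]

class CURDIR32(Structure):
    _fields_ = [("DosPath", UNICODE_STRING32), ("Handle", c_uint32)]

class RTL_USER_PROCESS_PARAMETERS32(Structure):
    _fields_ = [("MaximumLength", c_uint32), ("Length", c_uint32), ("Flags", c_uint32),
                ("DebugFlags", c_uint32), ("ConsoleHandle", c_uint32), ("ConsoleFlags", c_uint32),
                ("StandardInput", c_uint32), ("StandardOutput", c_uint32), ("StandardError", c_uint32),
                ("CurrentDirectory", CURDIR32), ("DllPath", UNICODE_STRING32),
                ("ImagePathName", UNICODE_STRING32), ("CommandLine", UNICODE_STRING32),
                ("Environment", c_uint32), ("StartingX", c_uint32), ("StartingY", c_uint32),
                ("CountX", c_uint32), ("CountY", c_uint32), ("CountCharsX", c_uint32),
                ("CountCharsY", c_uint32), ("FillAttribute", c_uint32), ("WindowFlags", c_uint32),
                ("ShowWindowFlags", c_uint32), ("WindowTitle", UNICODE_STRING32),
                ("DesktopInfo", UNICODE_STRING32), ("ShellInfo", UNICODE_STRING32),
                ("RuntimeData", UNICODE_STRING32)]

PARAMS_SIZE = ctypes.sizeof(RTL_USER_PROCESS_PARAMETERS32)
PEB32_PROCESS_PARAMETERS = 0x10   # PEB.ProcessParameters on x86, the "+ &H10" in the VB6 code
STRING_FIELDS = ("CurrentDirectory", "DllPath", "ImagePathName", "CommandLine",
                 "WindowTitle", "DesktopInfo", "ShellInfo", "RuntimeData")

def unicode_string_offset(field):
    """Offset of the UNICODE_STRING for `field` inside RTL_USER_PROCESS_PARAMETERS."""
    off = getattr(RTL_USER_PROCESS_PARAMETERS32, field).offset
    if field == "CurrentDirectory":          # CURDIR embeds the UNICODE_STRING as its first member
        off += CURDIR32.DosPath.offset
    return off

def buffer_offset(field):
    """Offset of UNICODE_STRING.Buffer, i.e. the value the VB6 STRING_TYPE enum must hold."""
    return unicode_string_offset(field) + UNICODE_STRING32.Buffer.offset

class FakeMemory:
    """Flat byte image at a constructed base address; stands in for GetMem4/ReadProcessMemory."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def write(self, addr, data):
        self.buf[addr - self.base: addr - self.base + len(data)] = data
    def read(self, addr, n):
        if addr == 0:
            raise ValueError("NULL pointer dereference")
        return bytes(self.buf[addr - self.base: addr - self.base + n])
    def read_u32(self, addr):
        return int.from_bytes(self.read(addr, 4), "little")

def build_image(strings, base=0x00300000):
    """Constructed image: PEB stub at base, process parameters at base+0x100, string data after 0x200."""
    mem = FakeMemory(base, 0x1000)
    peb, upp, cursor = base, base + 0x100, base + 0x200
    mem.write(peb + PEB32_PROCESS_PARAMETERS, upp.to_bytes(4, "little"))
    for field, text in strings.items():
        data = text.encode("utf-16-le")
        mem.write(cursor, data + b"\x00\x00")                  # NUL-terminated, as lstrcpyW expects
        us = UNICODE_STRING32(len(data), len(data) + 2, cursor)
        mem.write(upp + unicode_string_offset(field), bytes(us))
        cursor += len(data) + 2
    return mem, peb                                            # fields not supplied keep Buffer == 0

def get_upp_string(mem, peb, field):
    """Literal port of GetUPPString: PEB+0x10 -> params, params+offset -> Buffer, copy up to the NUL."""
    upp = mem.read_u32(peb + PEB32_PROCESS_PARAMETERS)
    addr = mem.read_u32(upp + buffer_offset(field))
    if addr == 0:                                              # the NULL-Buffer case the VB6 code must guard
        return ""
    out, pos = bytearray(), addr
    while mem.read(pos, 2) != b"\x00\x00":
        out += mem.read(pos, 2)
        pos += 2
    return out.decode("utf-16-le")

def get_upp_string_bounded(mem, peb, field):
    """Safer variant: read exactly UNICODE_STRING.Length bytes instead of scanning for a terminator."""
    upp = mem.read_u32(peb + PEB32_PROCESS_PARAMETERS)
    raw = mem.read(upp + unicode_string_offset(field), ctypes.sizeof(UNICODE_STRING32))
    us = UNICODE_STRING32.from_buffer_copy(raw)
    if us.Buffer == 0 or us.Length == 0:
        return ""
    return mem.read(us.Buffer, us.Length).decode("utf-16-le")

if __name__ == "__main__":
    for f in STRING_FIELDS:
        print(f"{f:17} UNICODE_STRING at +0x{unicode_string_offset(f):02X}, Buffer at +0x{buffer_offset(f):02X}")
    mem, peb = build_image({"ImagePathName": r"C:\Tools\demo.exe",          # constructed sample values
                            "CommandLine": r'"C:\Tools\demo.exe" --verbose'})
    print("CommandLine :", get_upp_string(mem, peb, "CommandLine"))
    print("WindowTitle :", repr(get_upp_string_bounded(mem, peb, "WindowTitle")))
```

Running it prints the Buffer offsets 0x28, 0x34, 0x3C, 0x44, 0x74, 0x7C, 0x84 and 0x8C, which is the STRING_TYPE table; anything that reads these fields from another process (a memory forensics plugin, a sandbox hook) should use the bounded reader and, for a 64-bit target, redefine the structures with 8-byte pointers rather than reuse these constants.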

Usage example:
```vb
Sub Main()
    Dim sStr        As String * 260     'fixed-length buffer that lstrcpyW writes into
    Call GetUPPString(sStr, ImagePathName)
    MsgBox "MyPath:" & vbCrLf & sStr
End Sub
```

Minimalist to the max ;D

Any questions, just ask ;)
I code for $$$.

(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer