My Windows is 64bit, and when runing 64bit process , thread.teb_base is okay.
But when I run 32bit process, thread.teb_base is wrong, because it is not same as x32dbg result:
My code resuit
x32dbg views:
My python code:
targetProcess = None
processList = windows.system.enumerate_processes()
for process in processList:
print("process name:", process.name)
# HWorks32.exe
if process.name == "HWorks32.exe":
targetProcess = process
threadList = targetProcess.threads
for thread in threadList:
teb = thread.teb_base
print("teb:", hex(teb))
I sure the x32dbg result is true, because I actually wanna get stackBaseAddress from teb:
stackBaseAddress = process.read_ptr(teb + 4)
The above code would get some 0x0 stackBaseAddress and would throw exception if I read it, but In x32dbg, I search it manually, the result is okay.
And you can find that the difference x32dbg teb between code result is 0x2000! It mean that I can add 0x2000 to very teb in my code and can get the true teb!
My Windows is 64bit, and when runing 64bit process , thread.teb_base is okay.
But when I run 32bit process, thread.teb_base is wrong, because it is not same as x32dbg result:
My code resuit
x32dbg views:
My python code:
I sure the x32dbg result is true, because I actually wanna get stackBaseAddress from teb:
The above code would get some 0x0 stackBaseAddress and would throw exception if I read it, but In x32dbg, I search it manually, the result is okay.
And you can find that the difference x32dbg teb between code result is 0x2000! It mean that I can add 0x2000 to very teb in my code and can get the true teb!