#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <string>
#include <iostream>
// Function-pointer type for ntdll!NtQueryInformationProcess, which main()
// resolves at run time with GetProcAddress. With ProcessBasicInformation it
// fills a PROCESS_BASIC_INFORMATION (declared in winternl.h); the field of
// interest here is PebBaseAddress.
using PNtQueryInformationProcess = NTSTATUS(NTAPI*)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
);
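// Entry point. Rewrites this process's own RTL_USER_PROCESS_PARAMETERS so
// that the CommandLine and ImagePathName UNICODE_STRINGs in the PEB point at
// the spoofed values below. Only code that reads those fields from the PEB
// after this point sees the spoofed strings; anything that captured the real
// values earlier (e.g. at process creation) is unaffected.
// NOTE(review): the image actually mapped for this process is unchanged, so
// a reader that compares the PEB ImagePathName with the real module path can
// still spot the tampering — worth confirming against whatever consumer this
// is meant to fool.
//
// Returns 0 on success, 1 if any lookup or the PEB query fails.
int main() {
    // Declared static on purpose: the PEB will hold raw pointers to these
    // buffers. As plain locals they would live in main()'s stack frame, and
    // any reader of ProcessParameters after main() returns (process teardown)
    // would dereference freed stack memory.
    static wchar_t CommandLine[] = L"C:\\Windows\\system32\\explorer.exe";
    static wchar_t ImagePath[] = L"C:\\Windows\\explorer.exe";

    // Make the working directory consistent with the spoofed paths.
    int result = SetCurrentDirectoryW(L"C:\\Windows\\");
    std::cout << result << std::endl;

    // Pseudo-handle for the calling process. It is not a real handle, so it
    // must not be passed to CloseHandle (the original did so; it was a no-op).
    HANDLE hProcess = GetCurrentProcess();

    // Resolve NtQueryInformationProcess at run time. ntdll.dll is always
    // mapped, but both lookups can still return NULL, so check before calling
    // through the pointer.
    HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll");
    if (hNtDll == nullptr) {
        wprintf(L"Error: GetModuleHandleW(ntdll.dll) failed with error %lu\n", GetLastError());
        return 1;
    }
    auto pNtQueryInformationProcess = reinterpret_cast<PNtQueryInformationProcess>(
        GetProcAddress(hNtDll, "NtQueryInformationProcess"));
    if (pNtQueryInformationProcess == nullptr) {
        wprintf(L"Error: GetProcAddress(NtQueryInformationProcess) failed with error %lu\n", GetLastError());
        return 1;
    }

    // Ask for the basic-information block; PebBaseAddress is what we need.
    PROCESS_BASIC_INFORMATION pbi{};
    NTSTATUS status = pNtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), nullptr);
    if (!NT_SUCCESS(status)) {
        wprintf(L"Error: NtQueryInformationProcess failed with status 0x%X\n", status);
        return 1;
    }

    PPEB pebAddress = pbi.PebBaseAddress;
    wprintf(L"PEB Address: %p\n", pebAddress);
    if (pebAddress == nullptr || pebAddress->ProcessParameters == nullptr) {
        wprintf(L"Error: PEB or ProcessParameters is NULL\n");
        return 1;
    }
    PRTL_USER_PROCESS_PARAMETERS params = pebAddress->ProcessParameters;

    // UNICODE_STRING.Length is the byte count WITHOUT the terminating NUL;
    // MaximumLength is the full buffer size including it. The original set
    // Length = sizeof(buffer), which over-reports by one wchar_t so a reader
    // that honours Length copies the terminator as data, and it left
    // MaximumLength describing the old buffer.
    params->CommandLine.Buffer = CommandLine;
    params->CommandLine.Length = static_cast<USHORT>(sizeof(CommandLine) - sizeof(wchar_t));
    params->CommandLine.MaximumLength = static_cast<USHORT>(sizeof(CommandLine));

    params->ImagePathName.Buffer = ImagePath;
    params->ImagePathName.Length = static_cast<USHORT>(sizeof(ImagePath) - sizeof(wchar_t));
    params->ImagePathName.MaximumLength = static_cast<USHORT>(sizeof(ImagePath));

    // Read the fields back through the PEB to show what other readers now see.
    wprintf(L"commandline: %s\n", params->CommandLine.Buffer);
    wprintf(L"ImagePathName: %s\n", params->ImagePathName.Buffer);
    return 0;
}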