How can I get the 32 bit stack limits / the 32 bit TEB/TIB from an existing 32 bit process under windows in x64 mode?
https://stackoverflow.com/questions/9169683
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation to get the TebBaseAddress
but wow64 threads have two stacks, this will only get the 64 bit Teb.
Solution
the best way I've found is to get the 32 bit context ( not via GetThreadContext, but Wow64GetThreadContext) and use Wow64GetThreadSelectorEntry to get the address of FS[0] and then use ReadProcessMemory. But the biggest problem is that this requires Win7/Windows2008 Server R2 )
OTHER TIPS
Are you using the Windows debugging interface to attach to the process? If so, you should be able to use the lpThreadLocalBase field of the events CREATE_THREAD_DEBUG_INFO and CREATE_PROCESS_DEBUG_INFO to get the TEB base address when a new thread is created.
But I think this only works if your debugger has controlled the process from its creation. This wouldn't help for attaching to an existing process.
This is an easier, albeit undocumented, method: http://redplait.blogspot.ru/2012/12/teb32-of-wow64-process.html
