Getting the TEB of a 64bit process on WIndows

Question

I'm trying to get the TEB of a 64 remote thread in Windows 8.

Following the definition from here, I do this:

    sz = sizeof(NTSTATUS) + sizeof(PTEB) + sizeof(HANDLE) + sizeof(HANDLE) + sizeof(ULONG_PTR) + sizeof(LONG) + sizeof(LONG);
infoBuff = malloc(sz);
stat = NtQueryInformationThread(mainThread, (THREADINFOCLASS) 0, infoBuff, sz, NULL);
if (!NT_SUCCESS(stat)) {
    printf ("ERROR (code 0x%x): Cannot get information about about the main TEB. \n", stat);
    return 1;
}

If I compile for 32bit, sz is 0x1C and the call returns succesfully. If I compile for 64bit, sz is 0x2C but the call returns status 0xC0000004:STATUS_INFO_LENGTH_MISMATCH.

Any ideea what is the right size of _THREAD_BASIC_INFORMATION on 64 bit targets? Or maybe an alternate way of getting a remote TEB?

Thanks, Alex

Answer 1

There's padding in the struct which you are not allowing for that, hence the STATUS_INFO_LENGTH_MISMATCH error.

The easiest and most reliable way to find out the size of the struct is to get the compiler to work it out:

sizeof(THREAD_BASIC_INFORMATION)

Anyway, you can work it out by hand readily enough:

Type         Name              Offset   Size
----         ----              ------   ----
NTSTATUS     ExitStatus;        0        4
             Padding            4        4
PVOID        TebBaseAddress;    8        8
CLIENT_ID    ClientId;          16      16
KAFFINITY    AffinityMask;      32       8
KPRIORITY    Priority;          40       4
KPRIORITY    BasePriority;      44       4

So that would make the total size of the struct 48 bytes, or 0x30.

The padding is to ensure that TebBaseAddress is 8 byte aligned.