#include <windows.h>
#include <winternl.h>
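/* Reads gs:[60h] in hand-written assembly; defined outside this file.
 * Prototyped with (void) so a call with stray arguments is a compile error
 * rather than an unchecked old-style call. */
void* get_gs_60(void);
/* Handle used by printAddress() for all output; set by entryPoint(). */
HANDLE stdOut;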
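/*
 * Return the PEB base address of the current process, obtained through
 * NtQueryInformationProcess(ProcessBasicInformation).
 *
 * Returns NULL when ntdll.dll or the export cannot be resolved, or when the
 * query reports an error, instead of returning an uninitialised value.
 */
void* get_peb_address(void) {
    typedef NTSTATUS (NTAPI *ptrNtQueryInformationProcess)
    (
        HANDLE ProcessHandle,
        PROCESSINFOCLASS ProcessInformationClass,
        PVOID ProcessInformation,
        ULONG ProcessInformationLength,
        PULONG ReturnLength
    );
    /* NtQueryInformationProcess is not in the link-time import libraries, so
     * it is resolved at run time. Both lookups can return NULL; calling through
     * a NULL function pointer would crash the process. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        return NULL;
    }
    ptrNtQueryInformationProcess qry = (ptrNtQueryInformationProcess) GetProcAddress(
        ntdll,
        "NtQueryInformationProcess"
    );
    if (qry == NULL) {
        return NULL;
    }
    /* Zero-initialise so a failed query cannot hand back a stale stack value
     * as if it were the PEB address. */
    PROCESS_BASIC_INFORMATION pbi = {0};
    /* ProcessBasicInformation (value 0) is the class that fills
     * PROCESS_BASIC_INFORMATION; using the enumerator documents the intent. */
    NTSTATUS status = qry(GetCurrentProcess(), ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
    /* NTSTATUS success/informational codes are non-negative. */
    if (status < 0) {
        return NULL;
    }
    return pbi.PebBaseAddress;
}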
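/*
 * Write one line of the form "<text padded to 20 columns>: <addr>" to stdOut.
 *
 * text must be a NUL-terminated string; addr is printed with %p and is never
 * dereferenced. stdOut must already have been set by the caller.
 */
void printAddress(const char* text, void* addr) {
    /* wsprintfA takes no buffer size, but its documented output limit is
     * 1024 bytes; a buffer of that size therefore cannot be overrun by a long
     * text argument (the earlier 200-byte buffer could be). */
    char buf[1024];
    int len = wsprintfA(buf, "%-20s: %p\n", text, addr);
    if (len <= 0) {
        return;  /* formatting failed or produced nothing; do not write */
    }
    DWORD written = 0;
    /* WriteFile works both for a real console and for a redirected stdout
     * (file or pipe), whereas WriteConsoleA fails on non-console handles. */
    WriteFile(stdOut, buf, (DWORD) len, &written, NULL);
}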
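/*
 * Custom executable entry point (no CRT start-up code): print the PEB
 * address obtained three different ways, then exit with code 42.
 *
 * first_arg is whatever the loader places in the first argument register;
 * it is only printed here, never dereferenced.
 */
int __stdcall entryPoint(void* first_arg) {
    stdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    if (stdOut == INVALID_HANDLE_VALUE || stdOut == NULL) {
        /* No usable stdout (e.g. no console attached): nothing can be
         * printed, so just exit with the same code as the normal path. */
        return 42;
    }
    //
    // Use a compiler intrinsic to read gs:[60h], the slot in the x64 TEB
    // that holds the PEB pointer:
    //
    DWORD64 intr = __readgsqword(0x60);
    //
    // Get the same pointer with «ordinary» assembly (get_gs_60 is defined
    // outside this file):
    //
    void* gs_60 = get_gs_60();
    //
    // Alternatively, ask the OS via NtQueryInformationProcess:
    //
    void* PEB = get_peb_address();
    printAddress("First argument", first_arg);
    printAddress("gs:[60h]" , (void*) gs_60);
    printAddress("intrinsic" , (void*) intr);
    printAddress("PEB" , PEB);
    return 42;
}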