Access x64 TEB C++ & Assembly

Submitted by 狂风中的少年 on 2019-12-09 22:12:22

Question


In 32-bit assembly, I can access the ProcessEnvironmentBlock of the TEB structure. From there I access Ldr of the TEB structure.

This technique is described here: http://en.wikipedia.org/wiki/Win32_Thread_Information_Block

The code to do this in 32-bit assembly is:

void* ptr = NULL;

__asm
{
    mov eax, FS:[0x18]     //TEB self pointer
    mov eax, [eax + 0x30]  //Offset of PEB
    mov eax, [eax + 0x0C]  //Offset of LDR in PEB structure
    mov ptr, eax           //Store the result in the C++ variable
};

std::cout<<ptr<<"\n";

The TEB structure can be seen here: http://msdn.moonsols.com/win7rtm_x64/TEB.html and the PEB structure can be seen here: http://msdn.moonsols.com/win7rtm_x64/PEB.html

The above works for 32-bit code.

However, I want to also write code to work on x64 machines. I viewed the x64 version of the structures and wrote:

__asm
{
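    mov rax, GS:[0x30]     //TEB self pointer
    mov rax, [rax + 0x60]  //Offset of PEB
    mov rax, [rax + 0x18]  //Offset of LDR in PEB structure
    mov ptr, rax           //Store the result in the C++ variable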
};

This can be done using Winnt.h NtCurrentTeb() but I want to use assembly.

However, it fails to work at all. Any ideas why?


Answer 1:


If you are using Visual Studio, you can use intrinsics!

[x86] __readfsbyte __readfsdword __readfsqword __readfsword

[x64] __readgsbyte __readgsdword __readgsqword __readgsword

Good luck~




Answer 2:


Visual Studio doesn't allow inline assembler for x64 C++. The __asm keyword isn't supported. You can write your assembler in a separate file and link it in, or you can use intrinsics to do what you need to do.
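
An added example, not part of either answer: the intrinsics both answers point to, used to walk TEB -> PEB -> Ldr with the offsets from the question, so the same source builds for x86 and x64 under MSVC. The names Offsets, read_field, ldr_from_teb, current_teb, current_ldr and self_check are made up for this sketch, and self_check runs the walker over a constructed (fake) TEB/PEB pair so it can be checked off Windows.

```cpp
#include <cstdint>
#include <cstring>
#if defined(_MSC_VER)
#include <intrin.h>   // __readfsdword / __readgsqword
#endif

// Offsets quoted in the question: TEB self pointer in FS/GS, PEB in TEB, Ldr in PEB.
struct Offsets { unsigned teb_self, peb, ldr; };
constexpr Offsets kX86{0x18, 0x30, 0x0C};
constexpr Offsets kX64{0x30, 0x60, 0x18};
constexpr Offsets kNative = (sizeof(void*) == 8) ? kX64 : kX86;

// Read one pointer-sized field at base + off (memcpy avoids aliasing problems).
inline void* read_field(const void* base, unsigned off) {
    void* value = nullptr;
    std::memcpy(&value, static_cast<const unsigned char*>(base) + off, sizeof value);
    return value;
}

// TEB -> PEB -> Ldr: the same two dereferences as the asm in the question.
inline void* ldr_from_teb(const void* teb, Offsets o = kNative) {
    const void* peb = read_field(teb, o.peb);
    return peb ? read_field(peb, o.ldr) : nullptr;
}

#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
// Replaces "mov rax, GS:[0x30]" / "mov eax, FS:[0x18]" with the compiler intrinsic.
inline void* current_teb() {
#if defined(_M_X64)
    return reinterpret_cast<void*>(__readgsqword(kX64.teb_self));
#else
    return reinterpret_cast<void*>(
        static_cast<std::uintptr_t>(__readfsdword(kX86.teb_self)));
#endif
}
inline void* current_ldr() { return ldr_from_teb(current_teb()); }
#endif

// Self-check on a constructed (fake) TEB/PEB pair; no Windows structures involved.
inline bool self_check() {
    alignas(void*) unsigned char teb[0x100] = {};
    alignas(void*) unsigned char peb[0x100] = {};
    int ldr_marker = 0;
    void* p = &ldr_marker;
    std::memcpy(peb + kNative.ldr, &p, sizeof p);   // fake PEB.Ldr
    p = peb;
    std::memcpy(teb + kNative.peb, &p, sizeof p);   // fake TEB.ProcessEnvironmentBlock
    return ldr_from_teb(teb) == &ldr_marker;
}
```

On an MSVC x86 or x64 build, current_ldr() yields the value the question's asm was meant to leave in ptr.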



Source: https://stackoverflow.com/questions/21973330/access-x64-teb-c-assembly
