About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
Today just some fun stuff with ASM, probably not the most recommended way to do things but for sure the most geeky way 😛
Get the Current Session Id:
```delphi
function GetCurrentSessionId: DWORD;
asm
  mov eax,fs:[$00000018]; // Get TEB
  mov eax,[eax+$30];      // PPEB
  mov eax,[eax+$1d4];     // PEB.SessionId
end;
```
Get the Current Console Session Id:
```delphi
function GetConsoleSessionId: DWORD;
asm
  mov eax, [$7ffe02d8]; // KUSER_SHARED_DATA ($7ffe0000) + $2d8 = ActiveConsoleId
end;
```
And… if we can read it we can also write it?
```delphi
procedure SetCurrentSessionId(const SessionId: DWORD);
asm
  mov edx,fs:[$00000018];     // TEB
  mov edx,[edx+$30];          // PPEB
  mov [edx+$1d4], SessionId;  // PEB.SessionId (SessionId arrives in EAX)
end;
```
and
```delphi
procedure SetConsoleSessionId(const SessionId: DWORD);
var
  p: PDWORD;
  OldProtect: DWORD;
begin
  p := PDWORD($7ffe02d8); // KUSER_SHARED_DATA.ActiveConsoleId
  // Size of the DWORD being written, not of the pointer variable
  Win32Check(VirtualProtect(p, SizeOf(p^), PAGE_READWRITE, @OldProtect));
  p^ := SessionId;
  // Put the original page protection back
  Win32Check(VirtualProtect(p, SizeOf(p^), OldProtect, @OldProtect));
end;
```
You can safely try it since it of course affects the current process only, so don’t worry.
And perhaps more useful:

```delphi
procedure SetIsDebuggerPresent(const Value: Boolean);
asm
  mov edx,fs:[$00000018];      // TEB
  mov edx, [edx+$30];          // PPEB
  mov byte ptr[edx+2], Value;  // +0x002 BeingDebugged : UChar
end;
```
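Because these writes only touch the process's own PEB, the kernel's view of the process does not change. The following 32-bit Delphi console program is an added example, not code from the original post: it prints the PEB fields next to what the kernel reports through NtQueryInformationProcess, flips PEB.BeingDebugged and prints both again. The program name and the helpers GetPeb, KernelValue and Report are names chosen for this example.

```delphi
program PebVsKernel;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

const
  ProcessDebugPort = 7;            // PROCESSINFOCLASS values from the Windows headers
  ProcessSessionInformation = 24;

function NtQueryInformationProcess(Process: THandle; InfoClass: DWORD;
  Info: Pointer; InfoLen: DWORD; RetLen: Pointer): Integer; stdcall;
  external 'ntdll.dll';

// 32-bit only, same walk as the post: TEB at fs:[$18], PEB pointer at TEB+$30.
function GetPeb: PAnsiChar;
asm
  mov eax, fs:[$18]
  mov eax, [eax+$30]
end;

// Ask the kernel for one DWORD-sized attribute of the current process.
function KernelValue(InfoClass: DWORD): DWORD;
begin
  Result := 0;
  if NtQueryInformationProcess(GetCurrentProcess, InfoClass, @Result,
    SizeOf(Result), nil) < 0 then
    raise Exception.CreateFmt('NtQueryInformationProcess(%d) failed', [InfoClass]);
end;

procedure Report(const Stage: string);
var
  PebDebugged, KernelDebugged: Boolean;
begin
  PebDebugged := PByte(GetPeb + 2)^ <> 0;                 // PEB.BeingDebugged
  KernelDebugged := KernelValue(ProcessDebugPort) <> 0;   // non-zero when a debugger is attached
  Writeln(Stage);
  Writeln(Format('  SessionId: PEB=%u kernel=%u',
    [PDWORD(GetPeb + $1d4)^, KernelValue(ProcessSessionInformation)]));
  Writeln('  Debugged:  PEB=', PebDebugged, ' kernel=', KernelDebugged);
  if PebDebugged <> KernelDebugged then
    Writeln('  MISMATCH: PEB.BeingDebugged disagrees with the kernel');
end;

begin
  Report('Before');
  PByte(GetPeb + 2)^ := PByte(GetPeb + 2)^ xor 1;   // flip the flag in our own PEB
  Report('After flipping PEB.BeingDebugged');
  PByte(GetPeb + 2)^ := PByte(GetPeb + 2)^ xor 1;   // restore the original value
end.
```

A check that has to be reliable should use the kernel-reported values, since anything running in the process can rewrite the PEB fields.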
2 Responses for "Fun with asm"
Excellent article, Remko!
Little question: imagine you have ThreadA and ThreadB. Is it possible to get ThreadB’s TEB from within ThreadA?
Thanks!
It’s possible by using NtQueryInformationThread function with ThreadBasicInformation class.