Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2023-05-26 01:00:02 +0000

lakamha gravatar image

In order to parse PEB (Process Environment Block) using a job in Windows, the following steps can be taken:

  1. Create a new job object: This is done by calling the CreateJobObject API function.

  2. Set the job object's inheritability: This can be done using the SetHandleInformation function.

  3. Create the process to be analyzed: This can be done by calling the CreateProcess API function with the CREATE_SUSPENDED flag.

  4. Assign the process to the job object: This can be done by calling the AssignProcessToJobObject API function.

  5. Obtain a handle to the process's PEB: This can be done by calling the NtQueryInformationProcess function with the ProcessBasicInformation information class.

  6. Read the PEB: This can be done using the ReadProcessMemory API function with the handle to the process and the address of the PEB.

  7. Clean up: Close any open handles and terminate the job object if necessary.

By following these steps, a job can be used to parse the PEB of a process in Windows.


Copyright QStack.ai, 2010-2023. Content on this site is licensed under the Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service | contact