Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation to get the TebBaseAddress

Question

0

Editorial Team

Asked: May 27, 20262026-05-27T01:32:43+00:00 2026-05-27T01:32:43+00:00

Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation to get the TebBaseAddress

0

Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation
to get the TebBaseAddress

but wow64 threads have two stacks, this will only get the 64 bit Teb.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-27T01:32:43+00:00

Editorial Team

2026-05-27T01:32:43+00:00Added an answer on May 27, 2026 at 1:32 am

the best way I’ve found is to get the 32 bit context ( not via GetThreadContext, but Wow64GetThreadContext) and use Wow64GetThreadSelectorEntry to get the address of FS[0] and then use ReadProcessMemory. But the biggest problem is that this requires Win7/Windows2008 Server R2 )

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Normally I would just cheat and use NtQueryInformationThread for ThreadBasicInformation to get the TebBaseAddress

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply