Hello, I am trying to use PsGetProcessPeb in order to get the base address of a module. My base-address function takes a PEPROCESS and a module-name parameter. Whenever I try to get the process environment block, the returned PPEB is a null pointer.
I know that the PEPROCESS is valid because PsLookupProcessByProcessId returned STATUS_SUCCESS for it.
This is my function:
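`/*
 * GetModuleBasex64 - look up the load address of a module in another
 * process by walking that process's PEB loader list while attached to it.
 *
 * proc        - target process; the caller owns the reference (e.g. one
 *               obtained from PsLookupProcessByProcessId).
 * module_name - the module's BaseDllName, compared case-insensitively.
 *
 * Returns the entry's DllBase on success. Failure is signalled with small
 * in-band sentinels that share the return type with real addresses:
 *   0 - PsGetProcessPeb returned no PEB
 *   1 - PEB->Ldr is still NULL
 *   3 - no entry matched module_name
 * Callers must therefore treat every value below 4 as a failure code.
 *
 * NOTE(review): the PEB and its loader list are user-mode memory that the
 * target process itself can write, so the reads below should be treated as
 * untrusted input (probe the pointers and guard the accesses, and bound the
 * list walk so a corrupted list cannot loop forever). That hardening is not
 * part of this listing.
 */
DWORD64 GetModuleBasex64(PEPROCESS proc, UNICODE_STRING module_name)
{
    KAPC_STATE state;
    DWORD64 result = 0;

    /* From here on every exit must go through the detach label; an early
     * return would leave the current thread attached to the foreign
     * address space (the original had exactly that leak on the NULL-PEB
     * path). */
    KeStackAttachProcess(proc, &state);

    PPEB pPeb = (PPEB)PsGetProcessPeb(proc);
    if (!pPeb) {
        result = 0; /* no PEB available for this process */
        goto detach;
    }

    PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr;
    if (!pLdr) {
        /* presumably the loader has not initialised yet - confirm against
         * the target's start-up state */
        result = 1;
        goto detach;
    }

    result = 3; /* default: no matching module */
    for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->ModuleListLoadOrder.Flink;
         list != &pLdr->ModuleListLoadOrder;
         list = (PLIST_ENTRY)list->Flink) {
        PLDR_DATA_TABLE_ENTRY pEntry =
            CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
        /* TRUE -> case-insensitive comparison of the base file name. */
        if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == 0) {
            result = (ULONG64)pEntry->DllBase;
            break;
        }
    }

detach:
    KeUnstackDetachProcess(&state);
    return result;
}`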
I know that the PEPROCESS is valid because PsLookupProcessByProcessId returned STATUS_SUCCESS for it.
This is my function:
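`/*
 * GetModuleBasex64 - look up the load address of a module in another
 * process by walking that process's PEB loader list while attached to it.
 *
 * proc        - target process; the caller owns the reference (e.g. one
 *               obtained from PsLookupProcessByProcessId).
 * module_name - the module's BaseDllName, compared case-insensitively.
 *
 * Returns the entry's DllBase on success. Failure is signalled with small
 * in-band sentinels that share the return type with real addresses:
 *   0 - PsGetProcessPeb returned no PEB
 *   1 - PEB->Ldr is still NULL
 *   3 - no entry matched module_name
 * Callers must therefore treat every value below 4 as a failure code.
 *
 * NOTE(review): the PEB and its loader list are user-mode memory that the
 * target process itself can write, so the reads below should be treated as
 * untrusted input (probe the pointers and guard the accesses, and bound the
 * list walk so a corrupted list cannot loop forever). That hardening is not
 * part of this listing.
 */
DWORD64 GetModuleBasex64(PEPROCESS proc, UNICODE_STRING module_name)
{
    KAPC_STATE state;
    DWORD64 result = 0;

    /* From here on every exit must go through the detach label; an early
     * return would leave the current thread attached to the foreign
     * address space (the original had exactly that leak on the NULL-PEB
     * path). */
    KeStackAttachProcess(proc, &state);

    PPEB pPeb = (PPEB)PsGetProcessPeb(proc);
    if (!pPeb) {
        result = 0; /* no PEB available for this process */
        goto detach;
    }

    PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr;
    if (!pLdr) {
        /* presumably the loader has not initialised yet - confirm against
         * the target's start-up state */
        result = 1;
        goto detach;
    }

    result = 3; /* default: no matching module */
    for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->ModuleListLoadOrder.Flink;
         list != &pLdr->ModuleListLoadOrder;
         list = (PLIST_ENTRY)list->Flink) {
        PLDR_DATA_TABLE_ENTRY pEntry =
            CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
        /* TRUE -> case-insensitive comparison of the base file name. */
        if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == 0) {
            result = (ULONG64)pEntry->DllBase;
            break;
        }
    }

detach:
    KeUnstackDetachProcess(&state);
    return result;
}`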