hakril
Getting PEB on ARM64 fails with error code 0xc000001d
Hello,
Sorry if this package is not intended for ARM64, but I had to use it on that architecture and unfortunately I got some errors.
When trying to get the PEB for a process, I get the following error:
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_bitness'. Did you mean: 'bitness'?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_is_wow_64'. Did you mean: 'is_wow_64'?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
return getattr(self, cache_name)
AttributeError: 'CurrentProcess' object has no attribute '_peb'. Did you mean: 'peb'?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<pyshell#1>", line 1, in <module>
peb = windows.WinProcess(5148).peb
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 1155, in peb
if windows.current_process.bitness == 64 and self.bitness == 32:
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
setattr(self, cache_name, f(self))
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 84, in bitness
if self.is_wow_64:
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
setattr(self, cache_name, f(self))
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 74, in is_wow_64
return utils.is_wow_64(self.limited_handle)
File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 41, in is_wow_64
fnIsWow64Process = get_func_addr("kernel32.dll", "IsWow64Process")
File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 24, in get_func_addr
modules = windows.current_process.peb.modules
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
setattr(self, cache_name, f(self))
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 649, in peb
return PEB.from_address(self.get_peb_builtin()())
OSError: [WinError -1073741795] Windows Error 0xc000001d
From what I can see, the PEB is retrieved from FS:[0x30] on Win32 and from GS:[0x60] on x64. However, for ARM64, a __getReg(18) on 0x60 would be needed.
https://gist.github.com/ReneNyffenegger/74d1416242750e002ba4bb8fb1f4681e
https://vuls.cert.org/confluence/pages/viewpage.action?pageId=90210320#Creatingaarch64(ARM64)WindowsShellcode:Part2ASLRsupport-GettingtheTEBonARM64
Could you please add this code for getting the PEB on ARM64?
Thank you!
Hi,
Thank you for the issue, indeed I never took arm64 into account when developping PythonForWindows. I am quite curious and will try to adapt some of the code to make it work on arm64 as soon as I find a solution for testing. I do not have access to an arm64 windows computer right now, but will try to find one for these testing purpose. Fixing the PEB code will be a good introduction to arm64 I guess.
