commented PEB64 patches for WOW64 processes to prevent crashes of debuggee since Win10 Creators Update

TitanEngine/Global.Engine.Hider.cpp

@@ -189,10 +189,13 @@ static bool FixPebInProcess(HANDLE hProcess, bool Hide)
     void* heapForceFlagsAddress = 0;
     DWORD heapForceFlags = 0;
 
-#ifndef _WIN64
+// getting the PEB64 doesnt work anymore since WIN10 creators update as the PEB32+0x1000 offset doesnt seem to be correct anymore
-    PEB64 myPEB64 = {0};
+// maybe earlier as some comments suggested. at least this code causes crashes of debuggee as of that update only
-    void* AddressOfPEB64 = GetPEBLocation64(hProcess);
+// in theory, we could get the PEB64 via TEB64 (TitanEngine.Hider GetTEBLocation64) or via ntdll.Wow64QueryInformationProcess64
-#endif
+//#ifndef _WIN64
+//    PEB64 myPEB64 = {0};
+//    void* AddressOfPEB64 = GetPEBLocation64(hProcess);
+//#endif
 
     void* AddressOfPEB = GetPEBLocation(hProcess);
 
@@ -201,12 +204,12 @@ static bool FixPebInProcess(HANDLE hProcess, bool Hide)
 
     if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
     {
-#ifndef _WIN64
+//#ifndef _WIN64
-        if(AddressOfPEB64)
+//        if(AddressOfPEB64)
-        {
+//        {
-            ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
+//            ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
-        }
+//        }
-#endif
+//#endif
 
         if(Hide)
         {
@@ -214,19 +217,22 @@ static bool FixPebInProcess(HANDLE hProcess, bool Hide)
             myPEB.BeingDebugged = FALSE;
             myPEB.NtGlobalFlag &= ~0x70;
 
-#ifndef _WIN64
+//#ifndef _WIN64
-            myPEB64.BeingDebugged = FALSE;
+//            myPEB64.BeingDebugged = FALSE;
-            myPEB64.NtGlobalFlag &= ~0x70;
+//            myPEB64.NtGlobalFlag &= ~0x70;
-#endif
+//#endif
 
             //TODO: backup heap flags
-#ifdef _WIN64
+//#ifdef _WIN64
-            heapFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(true));
+//            heapFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(true));
-            heapForceFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(true));
+//            heapForceFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(true));
-#else
+//#else
+//            heapFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(false));
+//            heapForceFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(false));
+//#endif //_WIN64
             heapFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(false));
             heapForceFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(false));
-#endif //_WIN64
+
             ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
             ReadProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0);
 
@@ -239,19 +245,19 @@ static bool FixPebInProcess(HANDLE hProcess, bool Hide)
         else
         {
             myPEB.BeingDebugged = TRUE;
-#ifndef _WIN64
+//#ifndef _WIN64
-            myPEB64.BeingDebugged = TRUE;
+//            myPEB64.BeingDebugged = TRUE;
-#endif
+//#endif
         }
 
         if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
         {
-#ifndef _WIN64
+//#ifndef _WIN64
-            if(AddressOfPEB64)
+//            if(AddressOfPEB64)
-            {
+//            {
-                WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
+//                WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
-            }
+//            }
-#endif
+//#endif
             return true;
         }
     }