x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

better hidedebugger code, new exported function GetPEBLocation64

This commit is contained in:
G36KV 2014-03-04 18:58:59 +01:00
parent f65ee470fb
commit 8efc8a4b5b
4 changed files with 302 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
TitanEngine/Global.Engine.Hider.cpp
View File

@ -19,89 +19,119 @@ static bool isAtleastVista()
return isAtleastVista; return isAtleastVista;
} }
bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide)
{ {
static ULONG OldHeapFlags=0; const BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00};
static ULONG OldForceFlag=0; const BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3};
ULONG_PTR AddressOfPEB = NULL;
ULONG_PTR ueNumberOfBytesRead = NULL;
BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00};
BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3};
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR APIPatchAddress = NULL; ULONG_PTR APIPatchAddress = NULL;
DWORD OldProtect; DWORD OldProtect;
NTPEB myPEB = {}; SIZE_T ueNumberOfBytesRead = 0;
if(hProcess != NULL)
{
AddressOfPEB = (ULONG_PTR)GetPEBLocation(hProcess);
if(ReadProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead))
{
if(Hide) if(Hide)
{ {
myPEB.BeingDebugged = false; APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
myPEB.NtGlobalFlag = NULL;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
}
else
{
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
}
}
bool FixPebInProcess(HANDLE hProcess, bool Hide)
{
PEB_CURRENT myPEB = {0};
SIZE_T ueNumberOfBytesRead = 0;
#ifndef _WIN64
PEB64 myPEB64 = {0};
void * AddressOfPEB64 = GetPEBLocation64(hProcess);
#endif
void * AddressOfPEB = GetPEBLocation(hProcess);
if (!AddressOfPEB)
return false;
if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
{
#ifndef _WIN64
if (AddressOfPEB64)
{
ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
}
#endif
if(Hide)
{
myPEB.BeingDebugged = FALSE;
myPEB.NtGlobalFlag &= ~0x70;
#ifndef _WIN64
myPEB64.BeingDebugged = FALSE;
myPEB64.NtGlobalFlag &= ~0x70;
#endif
//Fix heap flags: https://github.com/eschweiler/ProReversing //Fix heap flags: https://github.com/eschweiler/ProReversing
BYTE* Heap=(BYTE*)myPEB.ProcessHeap; //BYTE* Heap = (BYTE*)myPEB.ProcessHeap;
}
else
{
myPEB.BeingDebugged = TRUE;
#ifndef _WIN64
myPEB64.BeingDebugged = TRUE;
#endif
}
if(WriteProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
{
#ifndef _WIN64
if (AddressOfPEB64)
{
WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
}
#endif
return true;
}
}
return false;
}
bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
{
if(hProcess)
{
if (FixPebInProcess(hProcess, Hide))
{ {
if(PatchAPILevel == UE_HIDE_BASIC) if(PatchAPILevel == UE_HIDE_BASIC)
{ {
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); FixAntidebugApiInProcess(hProcess, Hide);
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); }
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, 5, &ueNumberOfBytesRead);
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); return true;
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, 3, &ueNumberOfBytesRead);
}
return(true);
}
else
{
return(false);
} }
} }
else
{
myPEB.BeingDebugged = true;
if(WriteProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead))
{
if(PatchAPILevel == UE_HIDE_BASIC)
{
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), 5, &ueNumberOfBytesRead);
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); return false;
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), 3, &ueNumberOfBytesRead);
}
return(true);
}
else
{
return(false);
}
}
}
else
{
return(false);
}
}
else
{
return(false);
}
return(false);
} }

65
TitanEngine/TitanEngine.Hider.cpp
View File

@ -5,35 +5,70 @@
// TitanEngine.Hider.functions: // TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
{ {
ULONG RequiredLen = NULL; ULONG RequiredLen = 0;
PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); void * PebAddress = 0;
PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
if(!myProcessBasicInformation) if(!myProcessBasicInformation)
return 0; return 0;
#if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fZwQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#else
typedef NTSTATUS(__fastcall *fZwQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#endif
LPVOID ZwQueryInformationProcess = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryInformationProcess");
fZwQueryInformationProcess cZwQueryInformationProcess = (fZwQueryInformationProcess)(ZwQueryInformationProcess);
if(cZwQueryInformationProcess != NULL) #if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#else
typedef NTSTATUS(__fastcall *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#endif
fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");
if(cNtQueryInformationProcess != NULL)
{ {
if(cZwQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof PROCESS_BASIC_INFORMATION, &RequiredLen) == STATUS_SUCCESS) if(cNtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{ {
return (void*)myProcessBasicInformation->PebBaseAddress; PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
} }
else else
{ {
if(cZwQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) if(cNtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
{ {
return (void*)myProcessBasicInformation->PebBaseAddress; PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
} }
} }
} }
return NULL;
VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
return PebAddress;
} }
#ifndef _WIN64
typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
static bool IsThisProcessWow64()
{
BOOL bIsWow64 = FALSE;
tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
if (fnIsWow64Process)
{
fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
}
return (bIsWow64 != FALSE);
}
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
{
if (IsThisProcessWow64())
{
//Only WOW64 processes have 2 PEBs
DWORD peb32 = (DWORD)GetPEBLocation(hProcess);
peb32 += 0x1000; //PEB64 after PEB32
return (void *)peb32;
}
return 0;
}
#endif
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel)
{ {
return ChangeHideDebuggerState(hProcess, PatchAPILevel, true); return ChangeHideDebuggerState(hProcess, PatchAPILevel, true);

3
TitanEngine/definitions.h
View File

@ -89,6 +89,9 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
__declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
// TitanEngine.Hider.functions: // TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess); __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
#ifndef _WIN64
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
#endif
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
// TitanEngine.Relocater.functions: // TitanEngine.Relocater.functions:

180
TitanEngine/stdafx.h
View File

@ -869,60 +869,130 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS {
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;*/ } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;*/
typedef struct _NTPEB
///////////////////////////////////////////////////////////////////////////////////////
//Evolution of Process Environment Block (PEB) http://blog.rewolf.pl/blog/?p=573
//March 2, 2013 / ReWolf posted in programming, reverse engineering, source code, x64 /
#pragma pack(push)
#pragma pack(1)
template <class T>
struct LIST_ENTRY_T
{ {
BOOLEAN InheritedAddressSpace; T Flink;
BOOLEAN ReadImageFileExecOptions; T Blink;
BOOLEAN BeingDebugged; };
BOOLEAN Spare;
HANDLE Mutant; template <class T>
PVOID ImageBaseAddress; struct UNICODE_STRING_T
PPEB_LDR_DATA LoaderData; {
PRTL_USER_PROCESS_PARAMETERS ProcessParameters; union
PVOID SubSystemData; {
PVOID ProcessHeap; struct
PVOID FastPebLock; {
void* FastPebLockRoutine; WORD Length;
void* FastPebUnlockRoutine; WORD MaximumLength;
ULONG EnvironmentUpdateCount; };
PVOID* KernelCallbackTable; T dummy;
PVOID EventLogSection; };
PVOID EventLog; T _Buffer;
void* FreeList; };
ULONG TlsExpansionCounter;
PVOID TlsBitmap; template <class T, class NGF, int A>
ULONG TlsBitmapBits[0x2]; struct _PEB_T
PVOID ReadOnlySharedMemoryBase; {
PVOID ReadOnlySharedMemoryHeap; union
PVOID* ReadOnlyStaticServerData; {
PVOID AnsiCodePageData; struct
PVOID OemCodePageData; {
PVOID UnicodeCaseTableData; BYTE InheritedAddressSpace;
ULONG NumberOfProcessors; BYTE ReadImageFileExecOptions;
ULONG NtGlobalFlag; BYTE BeingDebugged;
BYTE Spare2[0x4]; BYTE _SYSTEM_DEPENDENT_01;
};
T dummy01;
};
T Mutant;
T ImageBaseAddress;
T Ldr;
T ProcessParameters;
T SubSystemData;
T ProcessHeap;
T FastPebLock;
T _SYSTEM_DEPENDENT_02;
T _SYSTEM_DEPENDENT_03;
T _SYSTEM_DEPENDENT_04;
union
{
T KernelCallbackTable;
T UserSharedInfoPtr;
};
DWORD SystemReserved;
DWORD _SYSTEM_DEPENDENT_05;
T _SYSTEM_DEPENDENT_06;
T TlsExpansionCounter;
T TlsBitmap;
DWORD TlsBitmapBits[2];
T ReadOnlySharedMemoryBase;
T _SYSTEM_DEPENDENT_07;
T ReadOnlyStaticServerData;
T AnsiCodePageData;
T OemCodePageData;
T UnicodeCaseTableData;
DWORD NumberOfProcessors;
union
{
DWORD NtGlobalFlag;
NGF dummy02;
};
LARGE_INTEGER CriticalSectionTimeout; LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve; T HeapSegmentReserve;
ULONG HeapSegmentCommit; T HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold; T HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold; T HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps; DWORD NumberOfHeaps;
ULONG MaximumNumberOfHeaps; DWORD MaximumNumberOfHeaps;
PVOID* *ProcessHeaps; T ProcessHeaps;
PVOID GdiSharedHandleTable; T GdiSharedHandleTable;
PVOID ProcessStarterHelper; T ProcessStarterHelper;
PVOID GdiDCAttributeList; T GdiDCAttributeList;
PVOID LoaderLock; T LoaderLock;
ULONG OSMajorVersion; DWORD OSMajorVersion;
ULONG OSMinorVersion; DWORD OSMinorVersion;
ULONG OSBuildNumber; WORD OSBuildNumber;
ULONG OSPlatformId; WORD OSCSDVersion;
ULONG ImageSubSystem; DWORD OSPlatformId;
ULONG ImageSubSystemMajorVersion; DWORD ImageSubsystem;
ULONG ImageSubSystemMinorVersion; DWORD ImageSubsystemMajorVersion;
ULONG GdiHandleBuffer[0x22]; T ImageSubsystemMinorVersion;
ULONG PostProcessInitRoutine; union
ULONG TlsExpansionBitmap; {
BYTE TlsExpansionBitmapBits[0x80]; T ImageProcessAffinityMask;
ULONG SessionId; T ActiveProcessAffinityMask;
} NTPEB, *PNTPEB; };
T GdiHandleBuffer[A];
T PostProcessInitRoutine;
T TlsExpansionBitmap;
DWORD TlsExpansionBitmapBits[32];
T SessionId;
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
T pShimData;
T AppCompatInfo;
UNICODE_STRING_T<T> CSDVersion;
T ActivationContextData;
T ProcessAssemblyStorageMap;
T SystemDefaultActivationContextData;
T SystemAssemblyStorageMap;
T MinimumStackCommit;
};
typedef _PEB_T<DWORD, DWORD64, 34> PEB32;
typedef _PEB_T<DWORD64, DWORD, 30> PEB64;
#ifdef _WIN64
typedef PEB64 PEB_CURRENT;
#else
typedef PEB32 PEB_CURRENT;
#endif