Getting PEB on ARM64 fails with error code 0xc000001d

[cpoenaru]

Hello,

Sorry if this package is not intended for ARM64, but I had to use it on that architecture and unfortunately I got some errors.

When trying to get the PEB for a process, I get the following error:

  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
    return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_bitness'. Did you mean: 'bitness'?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
    return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_is_wow_64'. Did you mean: 'is_wow_64'?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
    return getattr(self, cache_name)
AttributeError: 'CurrentProcess' object has no attribute '_peb'. Did you mean: 'peb'?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    peb = windows.WinProcess(5148).peb
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 1155, in peb
    if windows.current_process.bitness == 64 and self.bitness == 32:
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
    setattr(self, cache_name, f(self))
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 84, in bitness
    if self.is_wow_64:
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
    setattr(self, cache_name, f(self))
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 74, in is_wow_64
    return utils.is_wow_64(self.limited_handle)
  File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 41, in is_wow_64
    fnIsWow64Process = get_func_addr("kernel32.dll", "IsWow64Process")
  File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 24, in get_func_addr
    modules = windows.current_process.peb.modules
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
    setattr(self, cache_name, f(self))
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 649, in peb
    return PEB.from_address(self.get_peb_builtin()())
OSError: [WinError -1073741795] Windows Error 0xc000001d

From what I can see, the PEB is retrieved from FS:[0x30] on Win32 and from GS:[0x60] on x64. However, for ARM64, a __getReg(18) on 0x60 would be needed.

https://gist.github.com/ReneNyffenegger/74d1416242750e002ba4bb8fb1f4681e

https://vuls.cert.org/confluence/pages/viewpage.action?pageId=90210320#Creatingaarch64(ARM64)WindowsShellcode:Part2ASLRsupport-GettingtheTEBonARM64

Could you please add this code for getting the PEB on ARM64?

Thank you!

[hakril]

Hi,

Thank you for the issue, indeed I never took arm64 into account when developping PythonForWindows.
I am quite curious and will try to adapt some of the code to make it work on arm64 as soon as I find a solution for testing.
I do not have access to an arm64 windows computer right now, but will try to find one for these testing purpose.
Fixing the PEB code will be a good introduction to arm64 I guess.

[cpoenaru]

Got it, thank you for the fast reply and interest!

[hakril]

Should be fixed with #78