How can one process access foreign TIB?

Question

Is it possible (and how) to access Thread Information Block of a thread of some another process?

score 3 · Accepted Answer · answered Jan 05 '12 at 23:44

It is possible.

The first step is to get the adress of the Thread Information Block by using the NtQueryInformationThread function with ThreadInformationClass set to ThreadBasicInformation. The THREAD_BASIC_INFORMATION structure contains a pointer to the TEB of the thread. Then you can use ReadProcessMemory and WriteProcessMemory in order to read or modify the content of the TEB.

1 Answers1