getCurrentProcess function

Jan 7, 2013 at 9:57 PM

Hey guys,

Out of curiosity what is the pointer that this returns? To EPROCESS? KPCR? PEB?


Jan 9, 2013 at 6:23 AM

For kernel mode debugging it returns a pointer to EPROCESS/KPROCESS.
For user mode debugging it returns a pointer to the PEB. If you are debugging a wow64 process, getCurrentProcess returns a pointer to the native PEB; the x86 PEB must be found manually (well known trick: peb32 = peb64 - pageSize())