playing PEB (Process Environment Block) again 
. Now try Extract PEB information from 64bit process, use Wow64 api.
about WoW64 :
[url]http://en.wikipedia.org/wiki/WoW64[/url]
[url]http://msdn.microsoft.com/en-us/library/aa384274(v=vs.85).aspx[/url]
Instead of using the x86 system-service call sequence, 32-bit binaries that make system calls are rebuilt to use a custom calling sequence. This calling sequence is inexpensive for WOW64 to intercept because it remains entirely in user mode. When the custom calling sequence is detected, the WOW64 CPU transitions back to native 64-bit mode and calls into Wow64.dll. Thunking is done in user mode to reduce the impact on the 64-bit kernel and to reduce the risk of a bug in the thunk that might cause a kernel-mode crash, data corruption, or a security hole. The thunks extract arguments from the 32-bit stack, extend them to 64 bits, then make the native system call.
). Garis besar dari tutorialnya sih untuk meng’Unlock file maka perlu membebaskan penggunaan dari file itu seperti kill processnya, jika berupa dll unload it, and close handlenya di system handle information. 
