JIURL plays with Win2k, process and thread series: PEB (peb.htm)

From "Articles on Win2000 core programming" · HTM source · 286 lines · page 1 of 2

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0066)http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/PsPeb.htm -->
<HTML><HEAD><TITLE>JIURL Plays with Win2k, Processes and Threads: PEB</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<STYLE type=text/css>.title {
	FONT-FAMILY: "黑体", Arial, sans-serif; FONT-SIZE: 21px; FONT-WEIGHT: bold; LINE-HEIGHT: 48px; TEXT-DECORATION: none
}
.author {
	FONT-FAMILY: "宋体"; FONT-SIZE: 12px; LINE-HEIGHT: 16px
}
.content {
	FONT-SIZE: 14px; LINE-HEIGHT: 20px
}
</STYLE>

<META content="MSHTML 5.00.2614.3500" name=GENERATOR></HEAD>
<BODY bgColor=#f7f7f7 topMargin=5>
<DIV align=center>
<CENTER>
<TABLE border=0 cellPadding=0 cellSpacing=0 height=29 width="96%">
  <TBODY>
  <TR>
    <TD class=title height=41 width="100%">
      <P align=center><FONT face=宋体>JIURL Plays with Win2k, Processes and Threads: PEB 
  </FONT></P></TD></TR></CENTER>
  <TR>
    <TD class=author height=9 width="100%">
      <P align=center><FONT face=宋体>Author: <A 
      href="mailto:jiurl@mail.china.com">JIURL</A> </FONT></P></TD></TR>
  <TR>
    <TD class=author height=6 width="100%">
      <P align=center><FONT 
      face=宋体>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
      Home page: <A href="http://jiurl.yeah.net/">http://jiurl.yeah.net/</A> 
    </FONT></P></TD></TR>
  <TR>
    <TD class=author height=2 width="100%">
      <P align=center><FONT face=宋体>&nbsp;&nbsp;&nbsp; Date: 2003-7-30</FONT> 
    </P></TD></TR></TBODY></TABLE></DIV>
<DIV align=center>
<CENTER>
<TABLE border=0 cellPadding=0 cellSpacing=0 height=1 width="96%">
  <TBODY>
  <TR>
    <TD height=1 width="100%">
      <HR color=#396da5 SIZE=3>
    </TD></TR></TBODY></TABLE></CENTER></DIV>
<DIV align=center>
<TABLE border=0 cellPadding=0 cellSpacing=0 class=content height=4300 
width="96%">
  <TBODY>
  <TR>
    <TD height=2132 vAlign=top width="131%">
      <P>&nbsp;&nbsp;&nbsp; The PEB (Process Environment Block) lives in the user-mode address space; in Win2k it sits at address 0x7FFDF000, so a user process can read its own PEB directly, without any system call. In Win2k Build 2195 the process's EPROCESS structure also points to it: the Peb field at offset +0x1b0. The fixed address is a property of this build, so code that needs its own PEB should take the pointer from the TEB (fs:[0x30] on x86) rather than hard-code 0x7FFDF000. Definitions of the PEB and its related structures can be found at undocumented.ntinternals.net (note that this is an unofficial site: the definitions are reverse-engineered and do not necessarily match every build. The dump later in this article, for example, shows 0x77fcdcc0, an address in the same range as the TlsBitmap pointer at offset 0x40, at offset 0x150, where this definition places the start of TlsExpansionBitmapBits, so the tail of the definition should be checked against the actual build before it is relied on). The structure definitions are listed first, followed by notes on some of their contents.<BR><BR>
typedef struct _PEB {<BR>
BOOLEAN InheritedAddressSpace;<BR>
BOOLEAN ReadImageFileExecOptions;<BR>
BOOLEAN BeingDebugged;<BR>
BOOLEAN Spare;<BR>
HANDLE Mutant;<BR>
PVOID ImageBaseAddress;<BR>
PPEB_LDR_DATA LoaderData;<BR>
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;<BR>
PVOID SubSystemData;<BR>
PVOID ProcessHeap;<BR>
PVOID FastPebLock;<BR>
PPEBLOCKROUTINE FastPebLockRoutine;<BR>
PPEBLOCKROUTINE FastPebUnlockRoutine;<BR>
ULONG EnvironmentUpdateCount;<BR>
PPVOID KernelCallbackTable;<BR>
PVOID EventLogSection;<BR>
PVOID EventLog;<BR>
PPEB_FREE_BLOCK FreeList;<BR>
ULONG TlsExpansionCounter;<BR>
PVOID TlsBitmap;<BR>
ULONG TlsBitmapBits[0x2];<BR>
PVOID ReadOnlySharedMemoryBase;<BR>
PVOID ReadOnlySharedMemoryHeap;<BR>
PPVOID ReadOnlyStaticServerData;<BR>
PVOID AnsiCodePageData;<BR>
PVOID OemCodePageData;<BR>
PVOID UnicodeCaseTableData;<BR>
ULONG NumberOfProcessors;<BR>
ULONG NtGlobalFlag;<BR>
BYTE Spare2[0x4];<BR>
LARGE_INTEGER CriticalSectionTimeout;<BR>
ULONG HeapSegmentReserve;<BR>
ULONG HeapSegmentCommit;<BR>
ULONG HeapDeCommitTotalFreeThreshold;<BR>
ULONG HeapDeCommitFreeBlockThreshold;<BR>
ULONG NumberOfHeaps;<BR>
ULONG MaximumNumberOfHeaps;<BR>
PPVOID *ProcessHeaps;<BR>
PVOID GdiSharedHandleTable;<BR>
PVOID ProcessStarterHelper;<BR>
PVOID GdiDCAttributeList;<BR>
PVOID LoaderLock;<BR>
ULONG OSMajorVersion;<BR>
ULONG OSMinorVersion;<BR>
ULONG OSBuildNumber;<BR>
ULONG OSPlatformId;<BR>
ULONG ImageSubSystem;<BR>
ULONG ImageSubSystemMajorVersion;<BR>
ULONG ImageSubSystemMinorVersion;<BR>
ULONG GdiHandleBuffer[0x22];<BR>
ULONG PostProcessInitRoutine;<BR>
ULONG TlsExpansionBitmap;<BR>
BYTE TlsExpansionBitmapBits[0x80];<BR>
ULONG SessionId;<BR>
} PEB, *PPEB;<BR><BR>
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);&nbsp;<BR><BR>
typedef struct _PEB_LDR_DATA {<BR>
ULONG Length;<BR>
BOOLEAN Initialized;<BR>
PVOID SsHandle;<BR>
LIST_ENTRY InLoadOrderModuleList;<BR>
LIST_ENTRY InMemoryOrderModuleList;<BR>
LIST_ENTRY InInitializationOrderModuleList;<BR>
} PEB_LDR_DATA, *PPEB_LDR_DATA;<BR><BR>
typedef struct _LDR_MODULE {<BR>
LIST_ENTRY InLoadOrderModuleList;<BR>
LIST_ENTRY InMemoryOrderModuleList;<BR>
LIST_ENTRY InInitializationOrderModuleList;<BR>
PVOID BaseAddress;<BR>
PVOID EntryPoint;<BR>
ULONG SizeOfImage;<BR>
UNICODE_STRING FullDllName;<BR>
UNICODE_STRING BaseDllName;<BR>
ULONG Flags;<BR>
SHORT LoadCount;<BR>
SHORT TlsIndex;<BR>
LIST_ENTRY HashTableEntry;<BR>
ULONG TimeDateStamp;<BR>
} LDR_MODULE, *PLDR_MODULE;<BR><BR>
typedef struct _UNICODE_STRING {<BR>
USHORT Length;<BR>
USHORT MaximumLength;<BR>
PWSTR Buffer;<BR>
} UNICODE_STRING, *PUNICODE_STRING;<BR><BR>
typedef struct _RTL_USER_PROCESS_PARAMETERS {<BR>
ULONG MaximumLength;<BR>
ULONG Length;<BR>
ULONG Flags;<BR>
ULONG DebugFlags;<BR>
PVOID ConsoleHandle;<BR>
ULONG ConsoleFlags;<BR>
HANDLE StdInputHandle;<BR>
HANDLE StdOutputHandle;<BR>
HANDLE StdErrorHandle;<BR>
UNICODE_STRING CurrentDirectoryPath;<BR>
HANDLE CurrentDirectoryHandle;<BR>
UNICODE_STRING DllPath;<BR>
UNICODE_STRING ImagePathName;<BR>
UNICODE_STRING CommandLine;<BR>
PVOID Environment;<BR>
ULONG StartingPositionLeft;<BR>
ULONG StartingPositionTop;<BR>
ULONG Width;<BR>
ULONG Height;<BR>
ULONG CharWidth;<BR>
ULONG CharHeight;<BR>
ULONG ConsoleTextAttributes;<BR>
ULONG WindowFlags;<BR>
ULONG ShowWindowFlags;<BR>
UNICODE_STRING WindowTitle;<BR>
UNICODE_STRING DesktopName;<BR>
UNICODE_STRING ShellInfo;<BR>
UNICODE_STRING RuntimeData;<BR>
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];<BR>
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;<BR><BR>
typedef struct _RTL_DRIVE_LETTER_CURDIR {<BR>
USHORT Flags;<BR>
USHORT Length;<BR>
ULONG TimeStamp;<BR>
UNICODE_STRING DosPath;<BR>
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;<BR><BR>
typedef struct _PEB_FREE_BLOCK {<BR>
struct _PEB_FREE_BLOCK *Next;<BR>
ULONG Size;<BR>
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;<BR><BR>
I wrote a program called <A 
      href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlPebSee.zip">JiurlPebSee</A> 
      to analyze the PEB of a given process. Below I use the output of <A 
      href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlPebSee.zip">JiurlPebSee</A> 
      to explain some of the contents of the PEB and its related structures.<BR><BR>ProcessId(Decimal): 
516<BR>
Explorer.exe:<BR><BR>
PEB at 0x7ffdf000<BR><BR>
LoaderData: 0x00071e90<BR>
ProcessParameters: 0x00020000<BR>
ProcessHeap: 0x00070000<BR>
NumberOfHeaps: 11<BR>
MaximumNumberOfHeaps: 16<BR>
*ProcessHeaps: 0x77fce380<BR><BR>
7ffdf000: 00000000 ffffffff 00400000 00071e90<BR>
7ffdf010: 00020000 00000000 00070000 77fcd170<BR>
7ffdf020: 77f8aa4c 77f8aa7d 00000001 77e14380<BR>
7ffdf030: 00000000 00000000 00000000 00000000<BR>
7ffdf040: 77fcd1a8 03cfffff 00000000 7f6f0000<BR>
7ffdf050: 7f6f0000 7f6f0688 7ffa0000 7ffa0000<BR>
7ffdf060: 7ffd1000 00000001 00000000 00000000<BR>
7ffdf070: 079b8000 ffffe86d 00100000 00002000<BR>
7ffdf080: 00010000 00001000 0000000b 00000010<BR>
7ffdf090: 77fce380 00350000 00000000 00000014<BR>
7ffdf0a0: 77fcd348 00000005 00000000 00000893<BR>
7ffdf0b0: 00000002 00000002 00000004 00000000<BR>
7ffdf0c0: 00000000 00000000 00000002 00000000<BR>
7ffdf0d0: 00000004 00000000 b51003ba 391001e4<BR>
7ffdf0e0: 00000000 00000000 00000000 00000000<BR>
7ffdf0f0: 00000000 00000000 00000000 00000000<BR>
7ffdf100: 00000000 00000000 00000000 00000000<BR>
7ffdf110: 00000000 00000000 00000000 00000000<BR>
7ffdf120: 8204019c 7004019b cf04019e a104019d<BR>
7ffdf130: 00000000 00000000 00000000 00000000<BR>
7ffdf140: 00000000 00000000 00000000 00000000<BR>
7ffdf150: 77fcdcc0 00000000 00000000 
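<BR><BR>The following C is an added example, not part of this article or of JiurlPebSee. It models the first 0xC0 bytes of the 32-bit PEB from the definition listed above with fixed-width types, checks the field offsets at compile time (the check a practitioner makes before trusting an unofficial definition), and decodes the Explorer.exe dump printed above, embedded here as constructed data copied from the rows 7ffdf000 to 7ffdf0b0. It shows, for instance, that OSBuildNumber at offset 0xac decodes to 0x893 = 2195, the build this article refers to, and that NumberOfHeaps at 0x88 is 11, matching the JiurlPebSee summary. The little-endian host, the truncation at 0xC0 and the accessor names are assumptions of the example.<BR><BR>

```c
/*
 * Added example, not part of JIURL's article or of JiurlPebSee.
 * Models the first 0xC0 bytes of the 32-bit Win2k PEB from the definition
 * listed above with fixed-width types, verifies the field offsets at compile
 * time, and decodes the Explorer.exe dump printed by JiurlPebSee.
 * Assumptions (not from the article): a little-endian host, the prefix
 * truncated at 0xC0, and the accessor names below.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 4)   /* reproduce the 32-bit layout: no host-ABI padding */
typedef struct _PEB32 {
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, Spare; /* 0x00 */
    uint32_t Mutant, ImageBaseAddress, LoaderData, ProcessParameters;              /* 0x04 */
    uint32_t SubSystemData, ProcessHeap, FastPebLock;                               /* 0x14 */
    uint32_t FastPebLockRoutine, FastPebUnlockRoutine, EnvironmentUpdateCount;      /* 0x20 */
    uint32_t KernelCallbackTable, EventLogSection, EventLog, FreeList;              /* 0x2c */
    uint32_t TlsExpansionCounter, TlsBitmap, TlsBitmapBits[2];                      /* 0x3c */
    uint32_t ReadOnlySharedMemoryBase, ReadOnlySharedMemoryHeap;                    /* 0x4c */
    uint32_t ReadOnlyStaticServerData, AnsiCodePageData, OemCodePageData;           /* 0x54 */
    uint32_t UnicodeCaseTableData, NumberOfProcessors, NtGlobalFlag;                /* 0x60 */
    uint8_t  Spare2[4];                                                             /* 0x6c */
    uint64_t CriticalSectionTimeout;                                                /* 0x70 */
    uint32_t HeapSegmentReserve, HeapSegmentCommit;                                 /* 0x78 */
    uint32_t HeapDeCommitTotalFreeThreshold, HeapDeCommitFreeBlockThreshold;        /* 0x80 */
    uint32_t NumberOfHeaps, MaximumNumberOfHeaps, ProcessHeaps;                     /* 0x88 */
    uint32_t GdiSharedHandleTable, ProcessStarterHelper, GdiDCAttributeList;        /* 0x94 */
    uint32_t LoaderLock, OSMajorVersion, OSMinorVersion, OSBuildNumber;             /* 0xa0 */
    uint32_t OSPlatformId, ImageSubSystem;                                          /* 0xb0 */
    uint32_t ImageSubSystemMajorVersion, ImageSubSystemMinorVersion;                /* 0xb8 */
} PEB32;                                                                            /* 0xc0 */
#pragma pack(pop)

/* The offsets to verify before trusting an unofficial definition. */
_Static_assert(offsetof(PEB32, BeingDebugged)     == 0x02, "BeingDebugged");
_Static_assert(offsetof(PEB32, LoaderData)        == 0x0c, "LoaderData");
_Static_assert(offsetof(PEB32, ProcessParameters) == 0x10, "ProcessParameters");
_Static_assert(offsetof(PEB32, NumberOfHeaps)     == 0x88, "NumberOfHeaps");
_Static_assert(offsetof(PEB32, OSBuildNumber)     == 0xac, "OSBuildNumber");
_Static_assert(sizeof(PEB32)                      == 0xc0, "prefix size");

/* Explorer.exe's PEB as dumped by JiurlPebSee (rows 7ffdf000..7ffdf0b0 in the
 * article), copied here so the example runs offline. */
static const uint32_t g_explorer_peb_dump[0xc0 / 4] = {
    0x00000000, 0xffffffff, 0x00400000, 0x00071e90,   /* 7ffdf000 */
    0x00020000, 0x00000000, 0x00070000, 0x77fcd170,   /* 7ffdf010 */
    0x77f8aa4c, 0x77f8aa7d, 0x00000001, 0x77e14380,   /* 7ffdf020 */
    0x00000000, 0x00000000, 0x00000000, 0x00000000,   /* 7ffdf030 */
    0x77fcd1a8, 0x03cfffff, 0x00000000, 0x7f6f0000,   /* 7ffdf040 */
    0x7f6f0000, 0x7f6f0688, 0x7ffa0000, 0x7ffa0000,   /* 7ffdf050 */
    0x7ffd1000, 0x00000001, 0x00000000, 0x00000000,   /* 7ffdf060 */
    0x079b8000, 0xffffe86d, 0x00100000, 0x00002000,   /* 7ffdf070 */
    0x00010000, 0x00001000, 0x0000000b, 0x00000010,   /* 7ffdf080 */
    0x77fce380, 0x00350000, 0x00000000, 0x00000014,   /* 7ffdf090 */
    0x77fcd348, 0x00000005, 0x00000000, 0x00000893,   /* 7ffdf0a0 */
    0x00000002, 0x00000002, 0x00000004, 0x00000000,   /* 7ffdf0b0 */
};

/* Overlay the definition on the raw DWORDs (little-endian host assumed, as on x86). */
static PEB32 explorer_peb(void) {
    PEB32 peb;
    memcpy(&peb, g_explorer_peb_dump, sizeof peb);
    return peb;
}

/* The byte behind the classic IsDebuggerPresent check, read from the dump. */
static int explorer_being_debugged(void) { return explorer_peb().BeingDebugged != 0; }

/* OSBuildNumber at 0xac; 0x893 is 2195, the build the article discusses. */
static uint32_t explorer_os_build(void) { return explorer_peb().OSBuildNumber; }

/* OSMajorVersion.OSMinorVersion packed as 0xMMMMmmmm. */
static uint32_t explorer_os_version(void) {
    PEB32 p = explorer_peb();
    return (p.OSMajorVersion << 16) | (p.OSMinorVersion & 0xffff);
}

/* Cross-check: the JiurlPebSee summary lines must agree with the raw bytes. */
static int explorer_summary_consistent(void) {
    PEB32 p = explorer_peb();
    return p.LoaderData == 0x00071e90 && p.ProcessParameters == 0x00020000 &&
           p.ProcessHeap == 0x00070000 && p.NumberOfHeaps == 11 &&
           p.MaximumNumberOfHeaps == 16 && p.ProcessHeaps == 0x77fce380;
}

int main(void) {
    PEB32 p = explorer_peb();
    printf("ImageBase 0x%08x  Ldr 0x%08x  heaps %u/%u  NT %u.%u build %u  debugged=%d\n",
           p.ImageBaseAddress, p.LoaderData, p.NumberOfHeaps, p.MaximumNumberOfHeaps,
           p.OSMajorVersion, p.OSMinorVersion, p.OSBuildNumber, explorer_being_debugged());
    return explorer_summary_consistent() ? 0 : 1;
}
```

The compile-time offset checks are the useful part for anyone reusing such a definition: if a field is added or removed in the listing, the build fails at the exact member instead of silently reading the wrong DWORD from a live PEB.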
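<BR><BR>A second added example, again not from the article or from JiurlPebSee, for the PEB_LDR_DATA and LDR_MODULE definitions listed above: walking the three module lists that PEB.LoaderData points at. Each list head in PEB_LDR_DATA links into a different LIST_ENTRY member of LDR_MODULE, so the CONTAINING_RECORD member has to match the list being walked. The structures here use host pointers (a model of the structures, not the 32-bit Win2k layout), the module set (Explorer.exe, ntdll.dll, kernel32.dll) is constructed with illustrative base addresses, and the helper names are the example's own.<BR><BR>

```c
/*
 * Added example, not from the article or from JiurlPebSee.
 * Walks the three module lists that PEB.LoaderData (PEB_LDR_DATA) points at.
 * Assumptions: host-pointer structs (a model, not the 32-bit layout), a
 * constructed module set with illustrative base addresses, helper names below.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t Length; uint8_t Initialized; void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA;
typedef struct {
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
    void *BaseAddress, *EntryPoint; uint32_t SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
    uint32_t Flags; int16_t LoadCount, TlsIndex; LIST_ENTRY HashTableEntry; uint32_t TimeDateStamp;
} LDR_MODULE;

#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
enum ldr_list { LOAD_ORDER, MEMORY_ORDER, INIT_ORDER };

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {      /* InsertTailList */
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

/* The list head in PEB_LDR_DATA and the matching LIST_ENTRY member in LDR_MODULE:
 * mixing them up yields a pointer into the middle of the wrong structure. */
static LIST_ENTRY *ldr_head(PEB_LDR_DATA *ldr, enum ldr_list w) {
    return w == LOAD_ORDER   ? &ldr->InLoadOrderModuleList
         : w == MEMORY_ORDER ? &ldr->InMemoryOrderModuleList
                             : &ldr->InInitializationOrderModuleList;
}
static LDR_MODULE *ldr_entry(LIST_ENTRY *e, enum ldr_list w) {
    return w == LOAD_ORDER   ? CONTAINING_RECORD(e, LDR_MODULE, InLoadOrderModuleList)
         : w == MEMORY_ORDER ? CONTAINING_RECORD(e, LDR_MODULE, InMemoryOrderModuleList)
                             : CONTAINING_RECORD(e, LDR_MODULE, InInitializationOrderModuleList);
}

/* Case-insensitive compare of a UTF-16 UNICODE_STRING (Length in bytes, no terminator) with ASCII. */
static int ustr_ieq_ascii(const UNICODE_STRING *u, const char *s) {
    size_t n = u->Length / 2, i;
    if (strlen(s) != n) return 0;
    for (i = 0; i < n; i++) {
        unsigned c = u->Buffer[i], d = (unsigned char)s[i];
        if (c - 'A' < 26u) c += 'a' - 'A';
        if (d - 'A' < 26u) d += 'a' - 'A';
        if (c != d) return 0;
    }
    return 1;
}

/* BaseAddress of the module named `name` on the chosen list, NULL if absent.
 * The bound stops the walk if a corrupted list never returns to its head. */
static void *ldr_find_module(PEB_LDR_DATA *ldr, enum ldr_list w, const char *name) {
    LIST_ENTRY *head = ldr_head(ldr, w), *e;
    unsigned bound = 4096;
    for (e = head->Flink; e != head && bound--; e = e->Flink) {
        LDR_MODULE *m = ldr_entry(e, w);
        if (ustr_ieq_ascii(&m->BaseDllName, name)) return m->BaseAddress;
    }
    return NULL;
}

/* Constructed data: names as UTF-16 code units, base addresses illustrative. */
static uint16_t n_exe[]   = {'E','x','p','l','o','r','e','r','.','e','x','e'};
static uint16_t n_ntdll[] = {'n','t','d','l','l','.','d','l','l'};
static uint16_t n_k32[]   = {'K','E','R','N','E','L','3','2','.','D','L','L'};
static LDR_MODULE g_mods[3];
static PEB_LDR_DATA g_ldr;

static void set_module(LDR_MODULE *m, uintptr_t base, uint16_t *name, size_t nchars) {
    m->BaseAddress = (void *)base;
    m->BaseDllName.Buffer = name;
    m->BaseDllName.Length = m->BaseDllName.MaximumLength = (uint16_t)(nchars * 2);
}

/* Load and memory order start with the main image; ntdll never places the
 * main image on the initialization-order list, so it is left off there. */
static PEB_LDR_DATA *build_mock_ldr(void) {
    int i;
    memset(g_mods, 0, sizeof g_mods);
    memset(&g_ldr, 0, sizeof g_ldr);
    g_ldr.Length = (uint32_t)sizeof g_ldr; g_ldr.Initialized = 1;
    list_init(&g_ldr.InLoadOrderModuleList);
    list_init(&g_ldr.InMemoryOrderModuleList);
    list_init(&g_ldr.InInitializationOrderModuleList);
    set_module(&g_mods[0], 0x00400000, n_exe,   sizeof n_exe   / 2);
    set_module(&g_mods[1], 0x77f80000, n_ntdll, sizeof n_ntdll / 2);
    set_module(&g_mods[2], 0x77e80000, n_k32,   sizeof n_k32   / 2);
    for (i = 0; i < 3; i++) {
        list_append(&g_ldr.InLoadOrderModuleList,   &g_mods[i].InLoadOrderModuleList);
        list_append(&g_ldr.InMemoryOrderModuleList, &g_mods[i].InMemoryOrderModuleList);
    }
    list_append(&g_ldr.InInitializationOrderModuleList, &g_mods[1].InInitializationOrderModuleList);
    list_append(&g_ldr.InInitializationOrderModuleList, &g_mods[2].InInitializationOrderModuleList);
    return &g_ldr;
}

int main(void) {
    PEB_LDR_DATA *ldr = build_mock_ldr();
    printf("kernel32 via InMemoryOrder: %p\n", ldr_find_module(ldr, MEMORY_ORDER, "kernel32.dll"));
    printf("exe via InInitializationOrder: %p\n", ldr_find_module(ldr, INIT_ORDER, "explorer.exe"));
    return 0;
}
```

The same walk is what position-independent code does to locate kernel32 from the PEB; the two things that go wrong in practice are picking the wrong LIST_ENTRY member for CONTAINING_RECORD and assuming the main image appears on every list, which the example makes visible by returning NULL for the exe on the initialization-order list.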
