jiurl Plays with Win2k, Process and Thread Series: peb.htm
From "Articles on Win2000 kernel programming" · HTM source · 286 lines · page 1/2
00000000<BR>
7ffdf160: 00000000 00000000 00000000 00000000<BR>
7ffdf170: 00000000 00000000 00000000 00000000<BR>
7ffdf180: 00000000 00000000 00000000 00000000<BR>
7ffdf190: 00000000 00000000 00000000 00000000<BR>
7ffdf1a0: 00000000 00000000 00000000 00000000<BR>
7ffdf1b0: 00000000 00000000 00000000 00000000<BR>
7ffdf1c0: 00000000 00000000 00000000 00000000<BR>
7ffdf1d0: 00000000 00000000 00000000 00020000<BR>
7ffdf1e0: 7f6f06c2 00000000 00000000 00000000<BR>
7ffdf1f0: 00000000 00000000 00000000 00000000<BR>
7ffdf200: 00000000 00000000 00000000 00000000<BR>
...<BR><BR>
We use the process Explorer.exe for this analysis.<BR>
LoaderData is a pointer to PEB_LDR_DATA; through PEB_LDR_DATA we can find every module loaded into the process.<BR>
ProcessParameters is a pointer to RTL_USER_PROCESS_PARAMETERS, which holds a number of the process's parameters.<BR>
A process usually has several user-mode heaps. ProcessHeap is the base address of the process heap (the default one). NumberOfHeaps is the number of heaps the process currently has. MaximumNumberOfHeaps is the maximum number of heaps the process may have. *ProcessHeaps is the base address of an array of heap pointers; each element is 4 bytes long and is a pointer to one heap.<BR><BR><BR>
LoaderData at 0x00071e90<BR><BR>
Length: 36 Bytes<BR>
Initialized: 1<BR>
SsHandle: 0x00000000<BR>
InLoadOrderModuleList<BR>
Flink: 0x00071ec0 Blink: 0x000a0508<BR>
InMemoryOrderModuleList<BR>
Flink: 0x00071ec8 Blink: 0x000a0510<BR>
InInitializationOrderModuleList<BR>
Flink: 0x00071f48 Blink: 0x000a0518<BR><BR>
Module at 0x00071ec0<BR>
FullDllName: D:\WINNT\Explorer.exe<BR>
BaseDllName: Explorer.exe<BR>
BaseAddress: 0x00400000<BR>
SizeOfImage: 0x0003c000<BR><BR>
Module at 0x00071f38<BR>
FullDllName: D:\WINNT\System32\ntdll.dll<BR>
BaseDllName: ntdll.dll<BR>
BaseAddress: 0x77f80000<BR>
SizeOfImage: 0x00079000<BR><BR>
Module at 0x00072470<BR>
FullDllName: D:\WINNT\system32\ADVAPI32.DLL<BR>
BaseDllName: ADVAPI32.DLL<BR>
BaseAddress: 0x77d90000<BR>
SizeOfImage: 0x0005a000<BR><BR>
...<BR><BR>
From the PEB we can reach PEB_LDR_DATA, which holds the heads of three circular doubly-linked lists: InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList.<BR>
Every entry of these lists is an LDR_MODULE structure.<BR><BR>
ProcessParameters at 0x00020000<BR><BR>
MaximumLength: 0x00001000<BR>
Length: 0x00000838<BR>
...<BR><BR><BR>
Environment at 0x00010000<BR><BR>
00010000: 004c0041 0055004c 00450053 00530052 A.L.L.U.S.E.R.S.<BR>
00010010: 00520050 0046004f 004c0049 003d0045 P.R.O.F.I.L.E.=.<BR>
00010020: 003a0049 0044005c 0063006f 006d0075 I.:.\.D.o.c.u.m.<BR>
00010030: 006e0065 00730074 00610020 0064006e e.n.t.s. .a.n.d.<BR>
00010040: 00530020 00740065 00690074 0067006e .S.e.t.t.i.n.g.<BR>
...<BR>
00010340: 00640075 00000065 0069006c 003d0062 u.d.e...l.i.b.=.<BR>
00010350: 003a0047 004d005c 00630069 006f0072 G.:.\.M.i.c.r.o.<BR>
00010360: 006f0073 00740066 00560020 00730069 s.o.f.t. .V.i.s.<BR>
00010370: 00610075 0020006c 00740053 00640075 u.a.l. .S.t.u.d.<BR>
...<BR>
00010a70: 005c0031 00650054 0070006d 00540000 1.\.T.e.m.p...T.<BR>
...<BR>
00010b80: 003a0044 0057005c 004e0049 0054004e D.:.\.W.I.N.N.T.<BR>
00010b90: 00000000 00000000 00000000 00000000 ................<BR>
...<BR>
00010ff0: 00000000 00000000 00000000 00000000 ................<BR><BR>
The PVOID Environment; member of RTL_USER_PROCESS_PARAMETERS gives the address of the environment variables.<BR><BR><BR>
As the structure definition shows, the parameters are things such as StdInputHandle and ImagePathName.<BR><BR><BR>
ProcessHeaps at 0x77fce380<BR><BR>
ProcessHeaps[0]: 0x00070000<BR>
ProcessHeaps[1]: 0x00170000<BR>
ProcessHeaps[2]: 0x008c0000<BR>
ProcessHeaps[3]: 0x00cd0000<BR>
ProcessHeaps[4]: 0x00ed0000<BR>
ProcessHeaps[5]: 0x00f10000<BR>
ProcessHeaps[6]: 0x01290000<BR>
ProcessHeaps[7]: 0x013e0000<BR>
ProcessHeaps[8]: 0x01ce0000<BR>
ProcessHeaps[9]: 0x01f50000<BR>
ProcessHeaps[10]: 0x03bf0000<BR><BR>
77fce380: 00070000 00170000 008c0000 00cd0000<BR>
77fce390: 00ed0000 00f10000 01290000 013e0000<BR>
77fce3a0: 01ce0000 01f50000 03bf0000 00000000<BR>
77fce3b0: 00000000 00000000 00000000 00000000<BR><BR>
From the ProcessHeaps array we can find every heap of the process.
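<P>The module-list walk described above, as an added example (my own C code, not part of the original article or of JiurlPebSee): three LDR_MODULE records modelled on the Explorer.exe dump are threaded onto constructed InLoadOrderModuleList and InInitializationOrderModuleList heads, and each list is walked back to its containing LDR_MODULE using the offset of that list's LIST_ENTRY. The LDR_MODULE layout is trimmed to the fields the dump shows, and BaseDllName is a plain C string rather than a UNICODE_STRING.</P>

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;  /* NT list node */

/* Leading fields of the Win2k LDR_MODULE, trimmed to what the dump shows. On 32-bit
 * Win2k the three entries sit at +0x00, +0x08, +0x10, which the dump confirms
 * (InMemoryOrder Flink 0x00071ec8 = module 0x00071ec0 + 8; InInitializationOrder
 * Flink 0x00071f48 = ntdll's 0x00071f38 + 0x10). The walk uses offsetof(), so it
 * stays correct at 64-bit pointer width too. */
typedef struct {
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
    uint32_t   BaseAddress, SizeOfImage;
    const char *BaseDllName;                 /* plain C string here, not a UNICODE_STRING */
} LDR_MODULE;

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

/* Walk one list from its PEB_LDR_DATA head. `off` is where that list's LIST_ENTRY
 * lives inside LDR_MODULE (the CONTAINING_RECORD step), so the same module is reached
 * from each head. Stops at the head, or after `max` entries if a corrupted list never returns. */
static size_t walk_modules(LIST_ENTRY *head, size_t off, const char **names, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        names[n++] = ((LDR_MODULE *)((char *)e - off))->BaseDllName;
    return n;
}

/* Constructed data: the three modules of the Explorer.exe dump. The EXE is linked in
 * load order only; as in the dump, initialization order starts at ntdll.dll. */
static LDR_MODULE mods[3] = {
    { .BaseAddress = 0x00400000, .SizeOfImage = 0x0003c000, .BaseDllName = "Explorer.exe" },
    { .BaseAddress = 0x77f80000, .SizeOfImage = 0x00079000, .BaseDllName = "ntdll.dll" },
    { .BaseAddress = 0x77d90000, .SizeOfImage = 0x0005a000, .BaseDllName = "ADVAPI32.DLL" },
};
static LIST_ENTRY load_head, init_head;      /* stand-ins for the PEB_LDR_DATA heads */
static const char *load_order[4], *init_order[4];
static size_t n_load, n_init;

/* Builds both lists, walks them into load_order[] / init_order[], returns n_load. */
static size_t enumerate(void) {
    list_init(&load_head); list_init(&init_head);
    for (int i = 0; i < 3; i++) list_append(&load_head, &mods[i].InLoadOrderModuleList);
    for (int i = 1; i < 3; i++) list_append(&init_head, &mods[i].InInitializationOrderModuleList);
    n_load = walk_modules(&load_head, offsetof(LDR_MODULE, InLoadOrderModuleList), load_order, 4);
    n_init = walk_modules(&init_head, offsetof(LDR_MODULE, InInitializationOrderModuleList), init_order, 4);
    return n_load;
}
```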
<P>To make it convenient to inspect the contents of a process's address space, I wrote a program called <A
href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlProcessMemSee.zip">JiurlProcessMemSee</A>,
which retrieves the contents of a specified process's address space.<BR><BR>
Using KD (the kernel debugger) we can also obtain the definitions of the PEB and its related structures.<BR><BR>
kd> !strct PEB<BR>
!strct PEB<BR>
struct _PEB (sizeof=488)<BR>
+000 byte InheritedAddressSpace<BR>
+001 byte ReadImageFileExecOptions<BR>
+002 byte BeingDebugged<BR>
+003 byte SpareBool<BR>
+004 void *Mutant<BR>
+008 void *ImageBaseAddress<BR>
+00c struct _PEB_LDR_DATA *Ldr<BR>
+010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters<BR>
+014 void *SubSystemData<BR>
+018 void *ProcessHeap<BR>
+01c void *FastPebLock<BR>
+020 void *FastPebLockRoutine<BR>
+024 void *FastPebUnlockRoutine<BR>
+028 uint32 EnvironmentUpdateCount<BR>
+02c void *KernelCallbackTable<BR>
+030 uint32 SystemReserved[2]<BR>
+038 struct _PEB_FREE_BLOCK *FreeList<BR>
+03c uint32 TlsExpansionCounter<BR>
+040 void *TlsBitmap<BR>
+044 uint32 TlsBitmapBits[2]<BR>
+04c void *ReadOnlySharedMemoryBase<BR>
+050 void *ReadOnlySharedMemoryHeap<BR>
+054 void **ReadOnlyStaticServerData<BR>
+058 void *AnsiCodePageData<BR>
+05c void *OemCodePageData<BR>
+060 void *UnicodeCaseTableData<BR>
+064 uint32 NumberOfProcessors<BR>
+068 uint32 NtGlobalFlag<BR>
+070 union _LARGE_INTEGER CriticalSectionTimeout<BR>
+070 uint32 LowPart<BR>
+074 int32 HighPart<BR>
+070 struct __unnamed3 u<BR>
+070 uint32 LowPart<BR>
+074 int32 HighPart<BR>
+070 int64 QuadPart<BR>
+078 uint32 HeapSegmentReserve<BR>
+07c uint32 HeapSegmentCommit<BR>
+080 uint32 HeapDeCommitTotalFreeThreshold<BR>
+084 uint32 HeapDeCommitFreeBlockThreshold<BR>
+088 uint32 NumberOfHeaps<BR>
+08c uint32 MaximumNumberOfHeaps<BR>
+090 void **ProcessHeaps<BR>
+094 void *GdiSharedHandleTable<BR>
+098 void *ProcessStarterHelper<BR>
+09c uint32 GdiDCAttributeList<BR>
+0a0 void *LoaderLock<BR>
+0a4 uint32 OSMajorVersion<BR>
+0a8 uint32 OSMinorVersion<BR>
+0ac uint16 OSBuildNumber<BR>
+0ae uint16 OSCSDVersion<BR>
+0b0 uint32 OSPlatformId<BR>
+0b4 uint32 ImageSubsystem<BR>
+0b8 uint32 ImageSubsystemMajorVersion<BR>
+0bc uint32 ImageSubsystemMinorVersion<BR>
+0c0 uint32 ImageProcessAffinityMask<BR>
+0c4 uint32 GdiHandleBuffer[34]<BR>
+14c function *PostProcessInitRoutine<BR>
+150 void *TlsExpansionBitmap<BR>
+154 uint32 TlsExpansionBitmapBits[32]<BR>
+1d4 uint32 SessionId<BR>
+1d8 void *AppCompatInfo<BR>
+1dc struct _UNICODE_STRING CSDVersion<BR>
+1dc uint16 Length<BR>
+1de uint16 MaximumLength<BR>
+1e0 uint16 *Buffer<BR><BR>
kd> !strct PEB_LDR_DATA<BR>
!strct PEB_LDR_DATA<BR>
struct _PEB_LDR_DATA (sizeof=36)<BR>
+00 uint32 Length<BR>
+04 byte Initialized<BR>
+08 void *SsHandle<BR>
+0c struct _LIST_ENTRY InLoadOrderModuleList<BR>
+0c struct _LIST_ENTRY *Flink<BR>
+10 struct _LIST_ENTRY *Blink<BR>
+14 struct _LIST_ENTRY InMemoryOrderModuleList<BR>
+14 struct _LIST_ENTRY *Flink<BR>
+18 struct _LIST_ENTRY *Blink<BR>
+1c struct _LIST_ENTRY InInitializationOrderModuleList<BR>
+1c struct _LIST_ENTRY *Flink<BR>
+20 struct _LIST_ENTRY *Blink<BR><BR>
kd> !strct RTL_USER_PROCESS_PARAMETERS<BR>
!strct RTL_USER_PROCESS_PARAMETERS<BR>
struct _RTL_USER_PROCESS_PARAMETERS (sizeof=656)<BR>
+000 uint32 MaximumLength<BR>
+004 uint32 Length<BR>
+008 uint32 Flags<BR>
+00c uint32 DebugFlags<BR>
+010 void *ConsoleHandle<BR>
+014 uint32 ConsoleFlags<BR>
+018 void *StandardInput<BR>
+01c void *StandardOutput<BR>
+020 void *StandardError<BR>
+024 struct _CURDIR CurrentDirectory<BR>
+024 struct _UNICODE_STRING DosPath<BR>
+024 uint16 Length<BR>
+026 uint16 MaximumLength<BR>
+028 uint16 *Buffer<BR>
+02c void *Handle<BR>
+030 struct _UNICODE_STRING DllPath<BR>
+030 uint16 Length<BR>
+032 uint16 MaximumLength<BR>
+034 uint16 *Buffer<BR>
+038 struct _UNICODE_STRING ImagePathName<BR>
+038 uint16 Length<BR>
+03a uint16 MaximumLength<BR>
+03c uint16 *Buffer<BR>
+040 struct _UNICODE_STRING CommandLine<BR>
+040 uint16 Length<BR>
+042 uint16 MaximumLength<BR>
+044 uint16 *Buffer<BR>
+048 void *Environment<BR>
+04c uint32 StartingX<BR>
+050 uint32 StartingY<BR>
+054 uint32 CountX<BR>
+058 uint32 CountY<BR>
+05c uint32 CountCharsX<BR>
+060 uint32 CountCharsY<BR>
+064 uint32 FillAttribute<BR>
+068 uint32 WindowFlags<BR>
+06c uint32 ShowWindowFlags<BR>
+070 struct _UNICODE_STRING WindowTitle<BR>
+070 uint16 Length<BR>
+072 uint16 MaximumLength<BR>
+074 uint16 *Buffer<BR>
+078 struct _UNICODE_STRING DesktopInfo<BR>
+078 uint16 Length<BR>
+07a uint16 MaximumLength<BR>
+07c uint16 *Buffer<BR>
+080 struct _UNICODE_STRING ShellInfo<BR>
+080 uint16 Length<BR>
+082 uint16 MaximumLength<BR>
+084 uint16 *Buffer<BR>
+088 struct _UNICODE_STRING RuntimeData<BR>
+088 uint16 Length<BR>
+08a uint16 MaximumLength<BR>
+08c uint16 *Buffer<BR>
+090 struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]<BR>
uint16 Flags<BR>
uint16 Length<BR>
uint32 TimeStamp<BR>
struct _STRING DosPath<BR>
uint16 Length<BR>
uint16 MaximumLength<BR>
char *Buffer<BR><BR>
kd> !strct RTL_DRIVE_LETTER_CURDIR<BR>
!strct RTL_DRIVE_LETTER_CURDIR<BR>
struct _RTL_DRIVE_LETTER_CURDIR (sizeof=16)<BR>
+00 uint16 Flags<BR>
+02 uint16 Length<BR>
+04 uint32 TimeStamp<BR>
+08 struct _STRING DosPath<BR>
+08 uint16 Length<BR>
+0a uint16 MaximumLength<BR>
+0c char *Buffer<BR><BR>
kd> !strct PEB_FREE_BLOCK<BR>
!strct PEB_FREE_BLOCK<BR>
struct _PEB_FREE_BLOCK (sizeof=8)<BR>
+0 struct _PEB_FREE_BLOCK *Next<BR>
+4 uint32 Size
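<P>The block that Environment (+048 in RTL_USER_PROCESS_PARAMETERS above) points to, dumped earlier at 0x00010000, as an added example (my own C code, not part of the original article or its tools): a bounds-checked parser for the UTF-16LE "NAME=value" strings, each NUL-terminated and the whole block ended by an empty string, run over a constructed block whose values are modelled on the dump.</P>

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_VARS 16
#define MAX_LEN  128
typedef struct { char name[MAX_LEN], value[MAX_LEN]; } EnvVar;

/* Parse a Win32 environment block laid out as at 0x00010000 above: UTF-16LE "NAME=value"
 * strings, each ending in a NUL code unit, the block ending in an empty string (the zero
 * dwords at the end of the dump). Code units are read byte-wise little-endian, so the dword
 * 004c0041 yields 'A' then 'L' as the dump's ASCII column shows. Every read is bounded by
 * `len`, so a block cut off before its terminator ends the parse instead of overrunning. */
static size_t parse_env_block(const uint8_t *blk, size_t len, EnvVar *out, size_t max) {
    size_t n = 0, i = 0;
    while (n < max) {
        char s[MAX_LEN]; size_t sl = 0;
        for (;;) {                                      /* one NUL-terminated string */
            if (i + 1 >= len) return n;                 /* truncated: no terminator */
            uint16_t cu = (uint16_t)(blk[i] | (blk[i + 1] << 8));
            i += 2;
            if (cu == 0) break;
            if (sl < MAX_LEN - 1) s[sl++] = cu < 0x80 ? (char)cu : '?';   /* non-ASCII folded */
        }
        s[sl] = '\0';
        if (sl == 0) return n;                          /* empty string: end of block */
        const char *eq = strchr(s, '=');
        if (eq == NULL || eq == s) continue;            /* no '=' or empty name (=C:=C:\ entries) */
        size_t nl = (size_t)(eq - s);
        memcpy(out[n].name, s, nl); out[n].name[nl] = '\0';
        strcpy(out[n].value, eq + 1);
        n++;
    }
    return n;
}

/* Constructed sample block; values are modelled on the dump, not copied from it. */
static uint8_t block[512];
static EnvVar vars[MAX_VARS];
static size_t build_sample_block(void) {
    const char *src[] = { "ALLUSERSPROFILE=I:\\Documents and Settings\\All Users",
                          "lib=G:\\Microsoft Visual Studio\\lib", "TEMP=D:\\WINNT\\Temp", NULL };
    size_t p = 0;
    for (int v = 0; src[v]; v++)                        /* ASCII -> UTF-16LE, NUL included */
        for (const char *c = src[v]; ; c++) { block[p++] = (uint8_t)*c; block[p++] = 0; if (!*c) break; }
    block[p++] = 0; block[p++] = 0;                     /* terminating empty string */
    return p;
}
/* Builds the sample and parses it into vars[]; returns the variable count (3). */
static size_t parse_sample(void) { return parse_env_block(block, build_sample_block(), vars, MAX_VARS); }
```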
<P>Comments and friends are welcome,<BR>
please visit <A href="http://jiurl.yeah.net/">http://jiurl.yeah.net/</A> <A href="http://jiurl.cosoft.org.cn/forum">http://jiurl.cosoft.org.cn/forum</A><BR><BR><BR>
<A href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlPebSee.zip">Download the JiurlPebSee executable and source code</A><BR>
<A href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlProcessMemSee.zip">Download the JiurlProcessMemSee executable and source code</A>
<BR><BR><BR><BR></P></TD></TR></TBODY></TABLE></DIV></BODY></HTML>