PEB 和 TIB结构
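/*
 * Reference layout of the Win32 (x86, 32-bit) thread and process control
 * blocks: TEB/TIB -> PEB -> PEB_LDR_DATA -> LDR_MODULE, plus the SEH records
 * reachable from the TIB. The hex values in the trailing comments are byte
 * offsets from the start of each structure, as given in the original notes.
 *
 * Caveats before relying on any number below:
 *  - These are 32-bit layouts: pointers are 4 bytes and FS addresses the TEB.
 *    On x64 the TEB is reached through GS and field sizes/offsets differ.
 *  - Most of these structures are undocumented and change between Windows
 *    versions; check them against the symbols of the target build
 *    (e.g. `dt nt!_TEB` / `dt nt!_PEB` in WinDbg) before hard-coding an offset.
 *  - The base types (DWORD, PVOID, ULONG, UCHAR, USHORT, SHORT, BYTE, BOOLEAN,
 *    HANDLE, HINSTANCE, ULONG_PTR, KSPIN_LOCK, LARGE_INTEGER, UNICODE_STRING,
 *    FLOATING_SAVE_AREA) come from the Windows SDK headers; this listing does
 *    not define them, and several typedefs below clash with the SDK's own if
 *    both are included in one translation unit.
 */

/*
 * WinDbg view of the TEB (nt!_TEB). 0x7FFDF000 is the linear address the
 * original notes observed for a thread's TEB; it is an example, not a constant.
 *
 *   fs:7FFDF000  nt!_TEB
 *     +0x000 NtTib                      // _NT_TIB (the structure right below)
 *     +0x01c EnvironmentPointer         // Ptr32 Void
 *     +0x020 ClientId                   // _CLIENT_ID
 *     +0x028 ActiveRpcHandle            // Ptr32 Void
 *     +0x02c ThreadLocalStoragePointer  // Ptr32 Void
 *     +0x030 ProcessEnvironmentBlock    // Ptr32 _PEB  -> the PEB (fs:[30h])
 *     ...    LastErrorValue, LastStatusValue, Count Owned Locks, HardErrorsMode
 *            (listed in the notes without offsets)
 */

/* Thread Information Block: the first 0x1C bytes of the TEB, addressed via FS. */
typedef struct _NT_TIB {                              /* sizeof == 1Ch */
    struct _EXCEPTION_REGISTRATION *ExceptionList;    /* 00h: head of the SEH chain (fs:[0]) */
    PVOID StackBase;                                  /* 04h: stack base address */
    PVOID StackLimit;                                 /* 08h: stack limit address (the notes say
                                                         "stack size", but this is an address,
                                                         not a length) */
    PVOID SubSystemTib;                               /* 0Ch */
    union {
        PVOID FiberData;                              /* 10h */
        DWORD Version;                                /* 10h */
    };
    PVOID ArbitraryUserPointer;                       /* 14h */
    struct _NT_TIB *Self;                             /* 18h: linear address of this NT_TIB */
} NT_TIB;
typedef NT_TIB *PNT_TIB;

/*
 * SEH records reachable from NT_TIB.ExceptionList. They are listed in
 * dependency order (record -> context -> pointers -> registration) so that
 * every type is complete before it is used by value.
 */

#define EXCEPTION_MAXIMUM_PARAMETERS 15               /* slots in ExceptionInformation */

typedef struct _EXCEPTION_RECORD {
    DWORD ExceptionCode;                              /* 00h: exception code */
    DWORD ExceptionFlags;                             /* 04h: flags */
    struct _EXCEPTION_RECORD *ExceptionRecord;        /* 08h: address of the next EXCEPTION_RECORD */
    PVOID ExceptionAddress;                           /* 0Ch: address where the exception occurred */
    DWORD NumberParameters;                           /* 10h: number of DWORDs used in ExceptionInformation */
    ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; /* 14h */
} EXCEPTION_RECORD;                                   /* on x86: 14h + 15*4 = 50h bytes; the stray
                                                         "1ch" in the original notes does not fit */
typedef EXCEPTION_RECORD *PEXCEPTION_RECORD;

#define MAXIMUM_SUPPORTED_EXTENSION 512               /* size of CONTEXT.ExtendedRegisters */

typedef struct _CONTEXT {
    DWORD ContextFlags;                               /* +00h */
    DWORD Dr0;                                        /* +04h -| */
    DWORD Dr1;                                        /* +08h  | */
    DWORD Dr2;                                        /* +0Ch  | debug registers */
    DWORD Dr3;                                        /* +10h  | */
    DWORD Dr6;                                        /* +14h  | */
    DWORD Dr7;                                        /* +18h -| */
    FLOATING_SAVE_AREA FloatSave;                     /* +1Ch: floating-point register area
                                                         (runs to +88h in the notes; SegGs
                                                         follows at +8Ch) */
    DWORD SegGs;                                      /* +8Ch -| */
    DWORD SegFs;                                      /* +90h  | segment registers */
    DWORD SegEs;                                      /* +94h  | */
    DWORD SegDs;                                      /* +98h -| */
    DWORD Edi;                                        /* +9Ch -| */
    DWORD Esi;                                        /* +A0h  | */
    DWORD Ebx;                                        /* +A4h  | general-purpose registers */
    DWORD Edx;                                        /* +A8h  | */
    DWORD Ecx;                                        /* +ACh  | */
    DWORD Eax;                                        /* +B0h -| */
    DWORD Ebp;                                        /* +B4h -| */
    DWORD Eip;                                        /* +B8h  | */
    DWORD SegCs;                                      /* +BCh  | control registers */
    DWORD EFlags;                                     /* +C0h  | (spelled "EFlag" in the notes) */
    DWORD Esp;                                        /* +C4h  | */
    DWORD SegSs;                                      /* +C8h -| */
    BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]; /* +CCh */
} CONTEXT;
typedef CONTEXT *PCONTEXT;

typedef struct _EXCEPTION_POINTERS {
    PEXCEPTION_RECORD ExceptionRecord;                /* -> an EXCEPTION_RECORD */
    PCONTEXT ContextRecord;                           /* -> a CONTEXT */
} EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;

/*
 * One SEH chain link (fs:[0] -> ExceptionList -> Prev -> ...). Prev and
 * Handler are the OS-level record; the remaining members are the compiler's
 * extended frame as recorded in the original notes.
 */
typedef struct _EXCEPTION_REGISTRATION {
    struct _EXCEPTION_REGISTRATION *Prev;             /* previous _EXCEPTION_REGISTRATION record */
    DWORD Handler;                                    /* address of the exception handler routine
                                                         (a code address, stored as DWORD here) */
    struct scopetable_entry *scopetable;
    int trylevel;
    int _ebp;
    PEXCEPTION_POINTERS xpointers;
} EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;

/* Process Environment Block, reached via fs:[30h] (TEB.ProcessEnvironmentBlock). */
typedef struct _PEB {                                 /* Size: 0x1D8 */
    UCHAR InheritedAddressSpace;                      /* 000h */
    UCHAR ReadImageFileExecOptions;                   /* 001h */
    UCHAR BeingDebugged;                              /* 002h: non-zero while a debugger is attached */
    UCHAR SpareBool;                                  /* 003h */
    HANDLE Mutant;                                    /* 004h */
    HINSTANCE ImageBaseAddress;                       /* 008h: load address of the main image */
    struct _PEB_LDR_DATA *Ldr;                        /* 00Ch: Ptr32 _PEB_LDR_DATA (module lists) */
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; /* 010h */
    ULONG SubSystemData;                              /* 014h */
    HANDLE DefaultHeap;                               /* 018h */
    KSPIN_LOCK FastPebLock;                           /* 01Ch */
    ULONG FastPebLockRoutine;                         /* 020h */
    ULONG FastPebUnlockRoutine;                       /* 024h */
    ULONG EnvironmentUpdateCount;                     /* 028h */
    ULONG KernelCallbackTable;                        /* 02Ch */
    LARGE_INTEGER SystemReserved;                     /* 030h */
    struct _PEB_FREE_BLOCK *FreeList;                 /* 038h */
    ULONG TlsExpansionCounter;                        /* 03Ch */
    ULONG TlsBitmap;                                  /* 040h */
    LARGE_INTEGER TlsBitmapBits;                      /* 044h: an 8-byte-aligned build would pad
                                                         this to 048h; declare it as ULONG[2]
                                                         if the 044h offset must survive compilation */
    ULONG ReadOnlySharedMemoryBase;                   /* 04Ch */
    ULONG ReadOnlySharedMemoryHeap;                   /* 050h */
    ULONG ReadOnlyStaticServerData;                   /* 054h */
    ULONG AnsiCodePageData;                           /* 058h */
    ULONG OemCodePageData;                            /* 05Ch */
    ULONG UnicodeCaseTableData;                       /* 060h */
    ULONG NumberOfProcessors;                         /* 064h */
    LARGE_INTEGER NtGlobalFlag;                       /* 068h: address of a local copy (per the notes) */
    LARGE_INTEGER CriticalSectionTimeout;             /* 070h */
    ULONG HeapSegmentReserve;                         /* 078h */
    ULONG HeapSegmentCommit;                          /* 07Ch */
    ULONG HeapDeCommitTotalFreeThreshold;             /* 080h */
    ULONG HeapDeCommitFreeBlockThreshold;             /* 084h */
    ULONG NumberOfHeaps;                              /* 088h */
    ULONG MaximumNumberOfHeaps;                       /* 08Ch */
    ULONG ProcessHeaps;                               /* 090h */
    ULONG GdiSharedHandleTable;                       /* 094h */
    ULONG ProcessStarterHelper;                       /* 098h */
    ULONG GdiDCAttributeList;                         /* 09Ch */
    KSPIN_LOCK LoaderLock;                            /* 0A0h */
    ULONG OSMajorVersion;                             /* 0A4h */
    ULONG OSMinorVersion;                             /* 0A8h */
    USHORT OSBuildNumber;                             /* 0ACh */
    USHORT OSCSDVersion;                              /* 0AEh */
    ULONG OSPlatformId;                               /* 0B0h */
    ULONG ImageSubsystem;                             /* 0B4h */
    ULONG ImageSubsystemMajorVersion;                 /* 0B8h */
    ULONG ImageSubsystemMinorVersion;                 /* 0BCh */
    ULONG ImageProcessAffinityMask;                   /* 0C0h */
    ULONG GdiHandleBuffer[0x22];                      /* 0C4h (0x22 * 4 = 88h bytes) */
    ULONG PostProcessInitRoutine;                     /* 14Ch */
    ULONG TlsExpansionBitmap;                         /* 150h */
    UCHAR TlsExpansionBitmapBits[0x80];               /* 154h */
    ULONG SessionId;                                  /* 1D4h */
} PEB, *PPEB;

/*
 * Doubly-linked list node (nt!_LIST_ENTRY). Each list head in PEB_LDR_DATA
 * links the LIST_ENTRY member of the same name *inside* an LDR_MODULE, so a
 * module record is reached by subtracting that member's offset (00h, 08h or
 * 10h in LDR_MODULE below) from the entry address.
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;                        /* +000h: next entry (forward link) */
    struct _LIST_ENTRY *Blink;                        /* +004h: previous entry (backward link) */
} LIST_ENTRY, *PLIST_ENTRY;

/* Loader data, reached via PEB.Ldr (PEB+0Ch). */
typedef struct _PEB_LDR_DATA {                        /* sizeof == 24h */
    ULONG Length;                                     /* 00h */
    BOOLEAN Initialized;                              /* 04h */
    PVOID SsHandle;                                   /* 08h */
    LIST_ENTRY InLoadOrderModuleList;                 /* 0Ch */
    LIST_ENTRY InMemoryOrderModuleList;               /* 14h */
    LIST_ENTRY InInitializationOrderModuleList;       /* 1Ch */
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/*
 * One loaded module, linked into all three PEB_LDR_DATA lists. The original
 * notes scribble "ntdll" and "kernel32.dll" beside the third list entry and
 * BaseAddress, apparently marking what the author found at those list
 * positions; that is not part of the layout and is omitted here.
 */
typedef struct _LDR_MODULE {                          /* sizeof == 48h */
    LIST_ENTRY InLoadOrderModuleList;                 /* 00h */
    LIST_ENTRY InMemoryOrderModuleList;               /* 08h */
    LIST_ENTRY InInitializationOrderModuleList;       /* 10h */
    PVOID BaseAddress;                                /* 18h: image base of this module */
    PVOID EntryPoint;                                 /* 1Ch */
    ULONG SizeOfImage;                                /* 20h */
    UNICODE_STRING FullDllName;                       /* 24h */
    UNICODE_STRING BaseDllName;                       /* 2Ch */
    ULONG Flags;                                      /* 34h */
    SHORT LoadCount;                                  /* 38h */
    SHORT TlsIndex;                                   /* 3Ah */
    HANDLE SectionHandle;                             /* 3Ch */
    ULONG CheckSum;                                   /* 40h */
    ULONG TimeDateStamp;                              /* 44h */
} LDR_MODULE, *PLDR_MODULE;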