x64 PEB简介 && 有关PEB的一些函数

来源：互联网发布：自动打电话骚扰软件编辑：程序博客网时间：2024/06/10 10:46

尽管操作PEB BLOCK现在已经没什么价值了，但是PEB BLOCK作为内核的一个重要结构，这里还是提一下：

x64 EPROCESS结构

   +0x000 Pcb              : _KPROCESS   +0x160 ProcessLock      : _EX_PUSH_LOCK   +0x168 CreateTime       : _LARGE_INTEGER   +0x170 ExitTime         : _LARGE_INTEGER   +0x178 RundownProtect   : _EX_RUNDOWN_REF   +0x180 UniqueProcessId  : Ptr64 Void   +0x188 ActiveProcessLinks : _LIST_ENTRY   +0x198 ProcessQuotaUsage : [2] Uint8B   +0x1a8 ProcessQuotaPeak : [2] Uint8B   +0x1b8 CommitCharge     : Uint8B   +0x1c0 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK   +0x1c8 CpuQuotaBlock    : Ptr64 _PS_CPU_QUOTA_BLOCK   +0x1d0 PeakVirtualSize  : Uint8B   +0x1d8 VirtualSize      : Uint8B   +0x1e0 SessionProcessLinks : _LIST_ENTRY   +0x1f0 DebugPort        : Ptr64 Void   +0x1f8 ExceptionPortData : Ptr64 Void   +0x1f8 ExceptionPortValue : Uint8B   +0x1f8 ExceptionPortState : Pos 0, 3 Bits   +0x200 ObjectTable      : Ptr64 _HANDLE_TABLE   +0x208 Token            : _EX_FAST_REF   +0x210 WorkingSetPage   : Uint8B   +0x218 AddressCreationLock : _EX_PUSH_LOCK   +0x220 RotateInProgress : Ptr64 _ETHREAD   +0x228 ForkInProgress   : Ptr64 _ETHREAD   +0x230 HardwareTrigger  : Uint8B   +0x238 PhysicalVadRoot  : Ptr64 _MM_AVL_TABLE   +0x240 CloneRoot        : Ptr64 Void   +0x248 NumberOfPrivatePages : Uint8B   +0x250 NumberOfLockedPages : Uint8B   +0x258 Win32Process     : Ptr64 Void   +0x260 Job              : Ptr64 _EJOB   +0x268 SectionObject    : Ptr64 Void   +0x270 SectionBaseAddress : Ptr64 Void   +0x278 Cookie           : Uint4B   +0x27c UmsScheduledThreads : Uint4B   +0x280 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY   +0x288 Win32WindowStation : Ptr64 Void   +0x290 InheritedFromUniqueProcessId : Ptr64 Void   +0x298 LdtInformation   : Ptr64 Void   +0x2a0 Spare            : Ptr64 Void   +0x2a8 ConsoleHostProcess : Uint8B   +0x2b0 DeviceMap        : Ptr64 Void   +0x2b8 EtwDataSource    : Ptr64 Void   +0x2c0 FreeTebHint      : Ptr64 Void   +0x2c8 FreeUmsTebHint   : Ptr64 Void   +0x2d0 PageDirectoryPte : _HARDWARE_PTE   +0x2d0 Filler           : Uint8B   +0x2d8 Session          : Ptr64 Void   +0x2e0 ImageFileName    : [15] UChar   +0x2ef PriorityClass    : UChar   +0x2f0 JobLinks         : _LIST_ENTRY   +0x300 LockedPagesList  : Ptr64 Void   +0x308 ThreadListHead   : _LIST_ENTRY   +0x318 SecurityPort     : Ptr64 Void   +0x320 Wow64Process     : Ptr64 Void   +0x328 ActiveThreads    : Uint4B   +0x32c ImagePathHash    : Uint4B   +0x330 DefaultHardErrorProcessing : Uint4B   +0x334 LastThreadExitStatus : Int4B   +0x338 Peb              : Ptr64 _PEB   +0x340 PrefetchTrace    : _EX_FAST_REF   +0x348 ReadOperationCount : _LARGE_INTEGER   +0x350 WriteOperationCount : _LARGE_INTEGER   +0x358 OtherOperationCount : _LARGE_INTEGER   +0x360 ReadTransferCount : _LARGE_INTEGER   +0x368 WriteTransferCount : _LARGE_INTEGER   +0x370 OtherTransferCount : _LARGE_INTEGER   +0x378 CommitChargeLimit : Uint8B   +0x380 CommitChargePeak : Uint8B   +0x388 AweInfo          : Ptr64 Void   +0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO   +0x398 Vm               : _MMSUPPORT   +0x420 MmProcessLinks   : _LIST_ENTRY   +0x430 HighestUserAddress : Ptr64 Void   +0x438 ModifiedPageCount : Uint4B   +0x43c Flags2           : Uint4B   +0x43c JobNotReallyActive : Pos 0, 1 Bit   +0x43c AccountingFolded : Pos 1, 1 Bit   +0x43c NewProcessReported : Pos 2, 1 Bit   +0x43c ExitProcessReported : Pos 3, 1 Bit   +0x43c ReportCommitChanges : Pos 4, 1 Bit   +0x43c LastReportMemory : Pos 5, 1 Bit   +0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit   +0x43c HandleTableRundown : Pos 7, 1 Bit   +0x43c NeedsHandleRundown : Pos 8, 1 Bit   +0x43c RefTraceEnabled  : Pos 9, 1 Bit   +0x43c NumaAware        : Pos 10, 1 Bit   +0x43c ProtectedProcess : Pos 11, 1 Bit   +0x43c DefaultPagePriority : Pos 12, 3 Bits   +0x43c PrimaryTokenFrozen : Pos 15, 1 Bit   +0x43c ProcessVerifierTarget : Pos 16, 1 Bit   +0x43c StackRandomizationDisabled : Pos 17, 1 Bit   +0x43c AffinityPermanent : Pos 18, 1 Bit   +0x43c AffinityUpdateEnable : Pos 19, 1 Bit   +0x43c PropagateNode    : Pos 20, 1 Bit   +0x43c ExplicitAffinity : Pos 21, 1 Bit   +0x440 Flags            : Uint4B   +0x440 CreateReported   : Pos 0, 1 Bit   +0x440 NoDebugInherit   : Pos 1, 1 Bit   +0x440 ProcessExiting   : Pos 2, 1 Bit   +0x440 ProcessDelete    : Pos 3, 1 Bit   +0x440 Wow64SplitPages  : Pos 4, 1 Bit   +0x440 VmDeleted        : Pos 5, 1 Bit   +0x440 OutswapEnabled   : Pos 6, 1 Bit   +0x440 Outswapped       : Pos 7, 1 Bit   +0x440 ForkFailed       : Pos 8, 1 Bit   +0x440 Wow64VaSpace4Gb  : Pos 9, 1 Bit   +0x440 AddressSpaceInitialized : Pos 10, 2 Bits   +0x440 SetTimerResolution : Pos 12, 1 Bit   +0x440 BreakOnTermination : Pos 13, 1 Bit   +0x440 DeprioritizeViews : Pos 14, 1 Bit   +0x440 WriteWatch       : Pos 15, 1 Bit   +0x440 ProcessInSession : Pos 16, 1 Bit   +0x440 OverrideAddressSpace : Pos 17, 1 Bit   +0x440 HasAddressSpace  : Pos 18, 1 Bit   +0x440 LaunchPrefetched : Pos 19, 1 Bit   +0x440 InjectInpageErrors : Pos 20, 1 Bit   +0x440 VmTopDown        : Pos 21, 1 Bit   +0x440 ImageNotifyDone  : Pos 22, 1 Bit   +0x440 PdeUpdateNeeded  : Pos 23, 1 Bit   +0x440 VdmAllowed       : Pos 24, 1 Bit   +0x440 CrossSessionCreate : Pos 25, 1 Bit   +0x440 ProcessInserted  : Pos 26, 1 Bit   +0x440 DefaultIoPriority : Pos 27, 3 Bits   +0x440 ProcessSelfDelete : Pos 30, 1 Bit   +0x440 SetTimerResolutionLink : Pos 31, 1 Bit   +0x444 ExitStatus       : Int4B   +0x448 VadRoot          : _MM_AVL_TABLE   +0x488 AlpcContext      : _ALPC_PROCESS_CONTEXT   +0x4a8 TimerResolutionLink : _LIST_ENTRY   +0x4b8 RequestedTimerResolution : Uint4B   +0x4bc ActiveThreadsHighWatermark : Uint4B   +0x4c0 SmallestTimerResolution : Uint4B   +0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD

PEB BLOCK 位于EPROCESS块的0x338偏移位置，在应用层空间中。

x86中，寻找PEB的方法很简单

_asm{mov eax, fs:0x30mov peb, eax//mov eax, [eax+0x10] }

在64位系统中，PEB BLOCK位于gs:[60h]

.codeGetgs proc mov rax, gs:[60h]retGetgs endpend

在inc文件中输入：EXPORTSGetgs在def文件中输入：Getgs proto;

构建编译。

在.c文件中声明

#pragma comment(lib, "xxx.lib")typedef  unsigned _int64 QWORD;extern "C" QWORD __stdcall Getgs();

即可获得PEB地址

x64PEB的结构内容 windbg一试便知：

   +0x000 InheritedAddressSpace : UChar   +0x001 ReadImageFileExecOptions : UChar   +0x002 BeingDebugged    : UChar   +0x003 BitField         : UChar   +0x003 ImageUsesLargePages : Pos 0, 1 Bit   +0x003 IsProtectedProcess : Pos 1, 1 Bit   +0x003 IsLegacyProcess  : Pos 2, 1 Bit   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit   +0x003 SpareBits        : Pos 5, 3 Bits   +0x008 Mutant           : Ptr64 Void   +0x010 ImageBaseAddress : Ptr64 Void   +0x018 Ldr              : Ptr64 _PEB_LDR_DATA   +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS   +0x028 SubSystemData    : Ptr64 Void   +0x030 ProcessHeap      : Ptr64 Void   +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION   +0x040 AtlThunkSListPtr : Ptr64 Void   +0x048 IFEOKey          : Ptr64 Void   +0x050 CrossProcessFlags : Uint4B   +0x050 ProcessInJob     : Pos 0, 1 Bit   +0x050 ProcessInitializing : Pos 1, 1 Bit   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit   +0x050 ProcessUsingFTH  : Pos 4, 1 Bit   +0x050 ReservedBits0    : Pos 5, 27 Bits   +0x058 KernelCallbackTable : Ptr64 Void   +0x058 UserSharedInfoPtr : Ptr64 Void   +0x060 SystemReserved   : [1] Uint4B   +0x064 AtlThunkSListPtr32 : Uint4B   +0x068 ApiSetMap        : Ptr64 Void   +0x070 TlsExpansionCounter : Uint4B   +0x078 TlsBitmap        : Ptr64 Void   +0x080 TlsBitmapBits    : [2] Uint4B   +0x088 ReadOnlySharedMemoryBase : Ptr64 Void   +0x090 HotpatchInformation : Ptr64 Void   +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void   +0x0a0 AnsiCodePageData : Ptr64 Void   +0x0a8 OemCodePageData  : Ptr64 Void   +0x0b0 UnicodeCaseTableData : Ptr64 Void   +0x0b8 NumberOfProcessors : Uint4B   +0x0bc NtGlobalFlag     : Uint4B   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER   +0x0c8 HeapSegmentReserve : Uint8B   +0x0d0 HeapSegmentCommit : Uint8B   +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B   +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B   +0x0e8 NumberOfHeaps    : Uint4B   +0x0ec MaximumNumberOfHeaps : Uint4B   +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void   +0x0f8 GdiSharedHandleTable : Ptr64 Void   +0x100 ProcessStarterHelper : Ptr64 Void   +0x108 GdiDCAttributeList : Uint4B   +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION   +0x118 OSMajorVersion   : Uint4B   +0x11c OSMinorVersion   : Uint4B   +0x120 OSBuildNumber    : Uint2B   +0x122 OSCSDVersion     : Uint2B   +0x124 OSPlatformId     : Uint4B   +0x128 ImageSubsystem   : Uint4B   +0x12c ImageSubsystemMajorVersion : Uint4B   +0x130 ImageSubsystemMinorVersion : Uint4B   +0x138 ActiveProcessAffinityMask : Uint8B   +0x140 GdiHandleBuffer  : [60] Uint4B   +0x230 PostProcessInitRoutine : Ptr64     void    +0x238 TlsExpansionBitmap : Ptr64 Void   +0x240 TlsExpansionBitmapBits : [32] Uint4B   +0x2c0 SessionId        : Uint4B   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER   +0x2d8 pShimData        : Ptr64 Void   +0x2e0 AppCompatInfo    : Ptr64 Void   +0x2e8 CSDVersion       : _UNICODE_STRING   +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA   +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP   +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA   +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP   +0x318 MinimumStackCommit : Uint8B   +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO   +0x328 FlsListHead      : _LIST_ENTRY   +0x338 FlsBitmap        : Ptr64 Void   +0x340 FlsBitmapBits    : [4] Uint4B   +0x350 FlsHighIndex     : Uint4B   +0x358 WerRegistrationData : Ptr64 Void   +0x360 WerShipAssertPtr : Ptr64 Void   +0x368 pContextData     : Ptr64 Void   +0x370 pImageHeaderHash : Ptr64 Void   +0x378 TracingFlags     : Uint4B   +0x378 HeapTracingEnabled : Pos 0, 1 Bit   +0x378 CritSecTracingEnabled : Pos 1, 1 Bit   +0x378 SpareTracingBits : Pos 2, 30 Bits

获得下本机的当前PEB地址

kd> !pebPEB at 000007fffffd5000    InheritedAddressSpace:    No    ReadImageFileExecOptions: No    BeingDebugged:            No    ImageBaseAddress:         00000000ffec0000    Ldr                       0000000077572640    Ldr.Initialized:          Yes    Ldr.InInitializationOrderModuleList: 00000000001d2730 . 00000000001e8100    Ldr.InLoadOrderModuleList:           00000000001d2620 . 00000000001e81d0    Ldr.InMemoryOrderModuleList:         00000000001d2630 . 00000000001e81e0            Base TimeStamp                     Module        ffec0000 4ce79f61 Nov 20 18:13:53 2010 C:\Windows\system32\slui.exe        77440000 4ce7c8f9 Nov 20 21:11:21 2010 C:\Windows\SYSTEM32\ntdll.dll        77320000 4ce7c78b Nov 20 21:05:15 2010 C:\Windows\system32\kernel32.dll     7fefd440000 4ce7c78c Nov 20 21:05:16 2010 C:\Windows\system32\KERNELBASE.dll     7feff5f0000 4a5bde6b Jul 14 09:24:59 2009 C:\Windows\system32\ADVAPI32.dll     7feff190000 4a5bdfbe Jul 14 09:30:38 2009 C:\Windows\system32\msvcrt.dll     7feff3e0000 4a5be05e Jul 14 09:33:18 2009 C:\Windows\SYSTEM32\sechost.dll     7fefd770000 4ce7c96e Nov 20 21:13:18 2010 C:\Windows\system32\RPCRT4.dll        77220000 4ce7c9f1 Nov 20 21:15:29 2010 C:\Windows\system32\USER32.dll     7feff6d0000 4ce7c651 Nov 20 21:00:01 2010 C:\Windows\system32\GDI32.dll     7fefd760000 4a5bdf5f Jul 14 09:29:03 2009 C:\Windows\system32\LPK.dll     7fefdd80000 4ce7c9f5 Nov 20 21:15:33 2010 C:\Windows\system32\USP10.dll     7fefa5b0000 4a5be067 Jul 14 09:33:27 2009 C:\Windows\system32\sppcommdlg.dll     7fefc000000 4ce7c45b Nov 20 20:51:39 2010 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll     7feff360000 4ce7c9ab Nov 20 21:14:19 2010 C:\Windows\system32\SHLWAPI.dll     7feff460000 4a5bdf40 Jul 14 09:28:32 2009 C:\Windows\system32\IMM32.dll     7fefe150000 4a5bdfaa Jul 14 09:30:18 2009 C:\Windows\system32\MSCTF.dll     7fefd8f0000 4ce7c92c Nov 20 21:12:12 2010 C:\Windows\system32\ole32.dll     7feff510000 4ce7c930 Nov 20 21:12:16 2010 C:\Windows\system32\OLEAUT32.dll     7fefe260000 4ce7c9a6 Nov 20 21:14:14 2010 C:\Windows\system32\SHELL32.dll     7fefb870000 4a5be0a2 Jul 14 09:34:26 2009 C:\Windows\system32\WINBRAND.dll     7fefae10000 4a5be063 Jul 14 09:33:23 2009 C:\Windows\system32\slc.dll     7fefa560000 4ce7c946 Nov 20 21:12:38 2010 C:\Windows\system32\SPPC.DLL     7fefd280000 4a5bdf91 Jul 14 09:29:53 2009 C:\Windows\system32\CRYPTBASE.dll     7fefbe20000 4a5be093 Jul 14 09:34:11 2009 C:\Windows\system32\uxtheme.dll     7fefdce0000 4a5bdeba Jul 14 09:26:18 2009 C:\Windows\system32\CLBCatQ.DLL     7fefcc40000 4a5bdf96 Jul 14 09:29:58 2009 C:\Windows\system32\CRYPTSP.dll     7fefc940000 4a5be039 Jul 14 09:32:41 2009 C:\Windows\system32\rsaenh.dll     7fefd330000 4ce7c96f Nov 20 21:13:19 2010 C:\Windows\system32\RpcRtRemote.dll     7fefa500000 4ce7c9c0 Nov 20 21:14:40 2010 C:\Windows\system32\sppcomapi.dll    SubSystemData:     0000000000000000    ProcessHeap:       00000000001d0000    ProcessParameters: 00000000001d1d50    CurrentDirectory:  'C:\Windows\system32\'    WindowTitle:  'C:\Windows\system32\slui.exe'    ImageFile:    'C:\Windows\system32\slui.exe'    CommandLine:  '"C:\Windows\system32\slui.exe"'    DllPath:      'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'    Environment:  00000000001d1320        ALLUSERSPROFILE=C:\ProgramData        APPDATA=C:\Users\BillG\AppData\Roaming        CommonProgramFiles=C:\Program Files\Common Files        CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files        CommonProgramW6432=C:\Program Files\Common Files        COMPUTERNAME=WIN-TQVCU2J0T9S        ComSpec=C:\Windows\system32\cmd.exe        FP_NO_HOST_CHECK=NO        HOMEDRIVE=C:        HOMEPATH=\Users\BillG        LOCALAPPDATA=C:\Users\BillG\AppData\Local        LOGONSERVER=\\WIN-TQVCU2J0T9S        NUMBER_OF_PROCESSORS=1        OS=Windows_NT        Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC        PROCESSOR_ARCHITECTURE=AMD64        PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 58 Stepping 9, GenuineIntel        PROCESSOR_LEVEL=6        PROCESSOR_REVISION=3a09        ProgramData=C:\ProgramData        ProgramFiles=C:\Program Files        ProgramFiles(x86)=C:\Program Files (x86)        ProgramW6432=C:\Program Files        PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\        PUBLIC=C:\Users\Public        SESSIONNAME=Console        SystemDrive=C:        SystemRoot=C:\Windows        TEMP=C:\Users\BillG\AppData\Local\Temp        TMP=C:\Users\BillG\AppData\Local\Temp        USERDOMAIN=WIN-TQVCU2J0T9S        USERNAME=BillG        USERPROFILE=C:\Users\BillG        windir=C:\Windows        windows_tracing_flags=3        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

dt 000007fffffd5000 _PEB_LDR_DATA  nt!_PEB_LDR_DATA   +0x000 Length           : 0x8000000   +0x004 Initialized      : 0 ''   +0x008 SsHandle         : 0xffffffff`ffffffff Void   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`ffec0000 - 0x77572640 ]   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`001d1d50 - 0x0 ]   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`001d0000 - 0x7757a900 ]   +0x040 EntryInProgress  : (null)    +0x048 ShutdownInProgress : 0 ''   +0x050 ShutdownThreadId : 0x00000000`00000001 Void

InLoadOrderModuleList InMemoryOrderModuleList InInitializationOrderModuleList 这三条链是根据加载顺序、内存映像顺序、初始化顺序而建立的

其中的辅助成员Flink Blink指向_LDR_DATA_TABLE_ENTRY结构体

kd> dt _LDR_DATA_TABLE_ENTRYnt!_LDR_DATA_TABLE_ENTRY   +0x000 InLoadOrderLinks : _LIST_ENTRY   +0x010 InMemoryOrderLinks : _LIST_ENTRY   +0x020 InInitializationOrderLinks : _LIST_ENTRY   +0x030 DllBase          : Ptr64 Void   +0x038 EntryPoint       : Ptr64 Void   +0x040 SizeOfImage      : Uint4B   +0x048 FullDllName      : _UNICODE_STRING   +0x058 BaseDllName      : _UNICODE_STRING   +0x068 Flags            : Uint4B   +0x06c LoadCount        : Uint2B   +0x06e TlsIndex         : Uint2B   +0x070 HashLinks        : _LIST_ENTRY   +0x070 SectionPointer   : Ptr64 Void   +0x078 CheckSum         : Uint4B   +0x080 TimeDateStamp    : Uint4B   +0x080 LoadedImports    : Ptr64 Void   +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT   +0x090 PatchInformation : Ptr64 Void   +0x098 ForwarderLinks   : _LIST_ENTRY   +0x0a8 ServiceTagLinks  : _LIST_ENTRY   +0x0b8 StaticLinks      : _LIST_ENTRY   +0x0c8 ContextInformation : Ptr64 Void   +0x0d0 OriginalBase     : Uint8B   +0x0d8 LoadTime         : _LARGE_INTEGER

至此，PEB一些重要的结构已经一览无余了。

如果病毒/木马试图在PEB隐藏自己的进程模块时，应该把这三条链全抹掉。

尽管如此，一些强力工具会检测出PEB的断链行为。这往往是_LDR_DATA_TABLE_ENTRY结构体中的SizeOfImage出卖了你。所以，我们应该修改SizeOfImage的值让它看上去和实际更像一点。

有一些古老的程序，通过PEB BLOCK来获取EXE的ImagePathName。在以前，一些木马也通过修改RTL_USER_PROCESS_PARAMETERS结构体内的成员来迷惑防火墙。

这里再总结一些Ring3层上获取进程模块的函数。

CreateToolhelp32Snapshot函数

NtQueryInformationProcess

EnumProcessModules

这三种方法实现原理无一例外，底层都是通过遍历PEB块来实现的。

1、3如果大家不信，可以自己逆向一下。

第二个放出NtQueryInformaionProcess WRK的源码：

NTSTATUS00590 NtQueryInformationProcess(00591     __in HANDLE ProcessHandle,00592     __in PROCESSINFOCLASS ProcessInformationClass,00593     __out_bcount(ProcessInformationLength) PVOID ProcessInformation,00594     __in ULONG ProcessInformationLength,00595     __out_opt PULONG ReturnLength00596     )

case ProcessBasicInformation:00732 00733         if (ProcessInformationLength != (ULONG) sizeof(PROCESS_BASIC_INFORMATION)) {00734             return STATUS_INFO_LENGTH_MISMATCH;00735         }00736 00737         st = ObReferenceObjectByHandle (ProcessHandle,00738                                         PROCESS_QUERY_INFORMATION,00739                                         PsProcessType,00740                                         PreviousMode,00741                                         &Process,00742                                         NULL);00743         if (!NT_SUCCESS (st)) {00744             return st;00745         }00746 00747         BasicInfo.ExitStatus = Process->ExitStatus;00748         BasicInfo.PebBaseAddress = Process->Peb;00749         BasicInfo.AffinityMask = Process->Pcb.Affinity;00750         BasicInfo.BasePriority = Process->Pcb.BasePriority;00751         BasicInfo.UniqueProcessId = (ULONG_PTR)Process->UniqueProcessId;00752         BasicInfo.InheritedFromUniqueProcessId = (ULONG_PTR)Process->InheritedFromUniqueProcessId;00753 00754         ObDereferenceObject(Process);00755 00756         //00757         // Either of these may cause an access violation. The00758         // exception handler will return access violation as00759         // status code. No further cleanup needs to be done.00760         //00761 00762         try {00763             *(PPROCESS_BASIC_INFORMATION) ProcessInformation = BasicInfo;00764 00765             if (ARGUMENT_PRESENT (ReturnLength) ) {00766                 *ReturnLength = sizeof(PROCESS_BASIC_INFORMATION);00767             }00768         } except (EXCEPTION_EXECUTE_HANDLER) {00769             return GetExceptionCode ();00770         }00771 00772         return STATUS_SUCCESS;

所以，如果R3层上用上述函数搜索进程模块的话，实际上强度很弱。

但是，ZwQueryVirtualMemory这个函数遍历的是进程的虚拟地址空间，实际上是枚举VAD树。VAD树的根节点在EPROCESS块中，是一颗平衡树。断链无法避开这种检测。

0 0