!peb和PEB结构
来源:互联网 发布:顶级域名有几种类型 编辑:程序博客网 时间:2024/04/29 15:43
本文转自:http://blog.csdn.net/hgy413/article/details/8490918
调试器用户经常会需要查看在启动调试目标时使用了哪些命令行参数,这个信息是保存在PEB中的,可以通过!peb来获取,这个命令将解析PEB并给出完整的命令行,所有已加载DLL的位置,以及环境变量等.
0:000> !pebPEB at 7ffdf000 InheritedAddressSpace: No ReadImageFileExecOptions: No BeingDebugged: Yes ImageBaseAddress: 008f0000 Ldr 77847880 Ldr.Initialized: Yes Ldr.InInitializationOrderModuleList: 00312798 . 0036bd70 Ldr.InLoadOrderModuleList: 003126f8 . 0036bd60 Ldr.InMemoryOrderModuleList: 00312700 . 0036bd68 Base TimeStamp Module 8f0000 4ce7979d Nov 20 17:40:45 2010 C:\Windows\System32\calc.exe 77770000 4ec49b60 Nov 17 13:28:00 2011 C:\windows\SYSTEM32\ntdll.dll 77490000 506dbd3e Oct 05 00:45:50 2012 C:\windows\system32\kernel32.dll 75a30000 506dbd3f Oct 05 00:45:51 2012 C:\windows\system32\KERNELBASE.dll 76240000 4fd2d1d9 Jun 09 12:32:25 2012 C:\windows\system32\SHELL32.dll 75c30000 4eeaf722 Dec 16 15:45:38 2011 C:\windows\system32\msvcrt.dll 76e90000 4ce7b9e2 Nov 20 20:06:58 2010 C:\windows\system32\SHLWAPI.dll 75be0000 4ce7b80a Nov 20 19:59:06 2010 C:\windows\system32\GDI32.dll 76020000 4ce7ba26 Nov 20 20:08:06 2010 C:\windows\system32\USER32.dll 758e0000 4a5bda19 Jul 14 09:06:33 2009 C:\Windows\System32\LPK.dll 75f60000 4ce7ba29 Nov 20 20:08:09 2010 C:\windows\system32\USP10.dll 74090000 4f9235ab Apr 21 12:20:59 2012 C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll 77200000 4ce7b96f Nov 20 20:05:03 2010 C:\windows\system32\ole32.dll 773e0000 4ce7b9a2 Nov 20 20:05:54 2010 C:\windows\system32\RPCRT4.dll 75df0000 4ce7b706 Nov 20 19:54:46 2010 C:\windows\system32\ADVAPI32.dll 76000000 4a5bdb04 Jul 14 09:10:28 2009 C:\windows\SYSTEM32\sechost.dll 770f0000 4e58702a Aug 27 12:18:50 2011 C:\windows\system32\OLEAUT32.dll 745c0000 4a5bdb38 Jul 14 09:11:20 2009 C:\Windows\System32\UxTheme.dll 74220000 4ce7b71c Nov 20 19:55:08 2010 C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll 73710000 4ce7ba42 Nov 20 20:08:34 2010 C:\Windows\System32\WINMM.dll 74ea0000 4a5bdb2b Jul 14 09:11:07 2009 C:\Windows\System32\VERSION.dll 778b0000 4ce7b845 Nov 20 20:00:05 2010 C:\windows\system32\IMM32.DLL 75e90000 4a5bda69 Jul 14 09:07:53 2009 C:\windows\system32\MSCTF.dll 73d30000 4ce7ba3a Nov 20 20:08:26 2010 C:\Windows\System32\WindowsCodecs.dll 651e0000 50910787 Oct 31 19:12:07 2012 C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT 75de0000 4a5bdace Jul 14 09:09:34 2009 C:\windows\system32\PSAPI.DLL 75ce0000 508b7cf0 Oct 27 14:19:28 2012 C:\windows\system32\WININET.dll 76100000 508b7cdb Oct 27 14:19:07 2012 C:\windows\system32\urlmon.dll 75a80000 4fc99664 Jun 02 12:28:20 2012 C:\windows\system32\CRYPT32.dll 75940000 4ce7b8c9 Nov 20 20:02:17 2010 C:\windows\system32\MSASN1.dll 77570000 508b7ba3 Oct 27 14:13:55 2012 C:\windows\system32\iertutil.dll 757f0000 4ce7b73e Nov 20 19:55:42 2010 C:\Windows\System32\apphelp.dll 73900000 3b7d84df Aug 18 04:55:59 2001 C:\windows\system32\JPWB.IME 77180000 4ce7b82d Nov 20 19:59:41 2010 C:\windows\system32\comdlg32.dll 73e60000 4a5bda07 Jul 14 09:06:15 2009 C:\Windows\System32\dwmapi.dll 75840000 4a5bbf41 Jul 14 07:12:01 2009 C:\Windows\System32\CRYPTBASE.dll 778d0000 4a5bd9b1 Jul 14 09:04:49 2009 C:\windows\system32\CLBCatQ.DLL 10000000 4ffa45cd Jul 09 10:45:33 2012 C:\Users\guoyouhuang\AppData\Local\Youdao\Dict\Application\5.1.36.3166\WordStrokeHelper32.dll 73610000 4e587028 Aug 27 12:18:48 2011 C:\Windows\system32\oleacc.dll SubSystemData: 00000000 ProcessHeap: 00310000 ProcessParameters: 00311b48 WindowTitle: 'C:\Windows\System32\calc.exe' ImageFile: 'C:\Windows\System32\calc.exe' CommandLine: 'C:\Windows\System32\calc.exe' DllPath: 'C:\Windows\System32;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\' Environment: 00310810 =::=::\ ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\guoyouhuang\AppData\Roaming Basemake=D:\Program Files\Microsoft SDK\Include\BKOffice.Mak Bkoffice=D:\Program Files\Microsoft SDK\. CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=GUOYOUHUANG-PC0 ComSpec=C:\windows\system32\cmd.exe configsetroot=C:\windows\ConfigSetRoot DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (June 2010)\ FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Users\guoyouhuang INCLUDE=D:\Program Files\Microsoft SDK\Include\.;D:\Program Files\VC98\atl\include;D:\Program Files\VC98\mfc\include;D:\Program Files\VC98\include INETSDK=D:\Program Files\Microsoft SDK\. LIB=D:\Program Files\Microsoft SDK\Lib\.;D:\Program Files\VC98\mfc\lib;D:\Program Files\VC98\lib LOCALAPPDATA=C:\Users\guoyouhuang\AppData\Local LOGONSERVER=\\GM-CADILLAC MSDevDir=D:\Program Files\Vc6\MSDev98 MSSdk=D:\Program Files\Microsoft SDK\. Mstools=D:\Program Files\Microsoft SDK\. NUMBER_OF_PROCESSORS=4 OS=Windows_NT Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=2a07 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files PSModulePath=C:\windows\system32\WindowsPowerShell\v1.0\Modules\ PUBLIC=C:\Users\Public SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\windows TEMP=C:\Users\GUOYOU~1\AppData\Local\Temp TMP=C:\Users\GUOYOU~1\AppData\Local\Temp USERDNSDOMAIN=TENCENT.COM USERDOMAIN=TENCENT USERNAME=guoyouhuang USERPROFILE=C:\Users\guoyouhuang VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\ WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86) windir=C:\windows windows_tracing_flags=3 windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
手工自己分析下:
直接分析ldr:
+0x00c Ldr : 0x77847880 _PEB_LDR_DATA
0:000> dt 0x77847880 _PEB_LDR_DATAntdll!_PEB_LDR_DATA +0x000 Length : 0x30 +0x004 Initialized : 0x1 '' +0x008 SsHandle : (null) +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3126f8 - 0x36bd60 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x312700 - 0x36bd68 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x312798 - 0x36bd70 ] +0x024 EntryInProgress : (null) +0x028 ShutdownInProgress : 0 '' +0x02c ShutdownThreadId : (null)
对比!peb的内容:
Ldr 77847880 Ldr.Initialized: Yes Ldr.InInitializationOrderModuleList: 00312798 . 0036bd70 Ldr.InLoadOrderModuleList: 003126f8 . 0036bd60 Ldr.InMemoryOrderModuleList: 00312700 . 0036bd68
一样的~~~~,不一样就不正常了!
为什么有三个list:其实三个都一样,顺序不同而已.
_LIST_ENTRY的结构如下:
0:000> dt _LIST_ENTRYntdll!_LIST_ENTRY +0x000 Flink : Ptr32 _LIST_ENTRY +0x004 Blink : Ptr32 _LIST_ENTRY
按MSDN解释是:
Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure,双向循环链表吧,从一个方向开始,不停的循环,就回到初始位了,就相当于遍历了一次
0:000> dt _LDR_DATA_TABLE_ENTRY ole32!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY +0x008 InMemoryOrderLinks : _LIST_ENTRY +0x010 InInitializationOrderLinks : _LIST_ENTRY +0x018 DllBase : Ptr32 Void +0x01c EntryPoint : Ptr32 Void +0x020 SizeOfImage : Uint4B +0x024 FullDllName : _UNICODE_STRING +0x02c BaseDllName : _UNICODE_STRING +0x034 Flags : Uint4B +0x038 LoadCount : Uint2B +0x03a TlsIndex : Uint2B +0x03c HashLinks : _LIST_ENTRY +0x03c SectionPointer : Ptr32 Void +0x040 CheckSum : Uint4B +0x044 TimeDateStamp : Uint4B +0x044 LoadedImports : Ptr32 Void +0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT +0x04c PatchInformation : Ptr32 Void +0x050 ForwarderLinks : _LIST_ENTRY +0x058 ServiceTagLinks : _LIST_ENTRY +0x060 StaticLinks : _LIST_ENTRY +0x068 ContextInformation : Ptr32 Void +0x06c OriginalBase : Uint4B +0x070 LoadTime : _LARGE_INTEGER
可以看到头部开始就是个_LIST_ENTRY
我们来做次循环查询吧:
0:000> dt 0x77847880+0x00c _LIST_ENTRYole32!_LIST_ENTRY [ 0x3126f8 - 0x36bd60 ] +0x000 Flink : 0x003126f8 _LIST_ENTRY [ 0x312788 - 0x7784788c ] +0x004 Blink : 0x0036bd60 _LIST_ENTRY [ 0x7784788c - 0x354a80 ]
对比上面的显示:
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3126f8 - 0x36bd60 ]
可以看出,windbg这里是在后面括号里显示Flink和Blink,那么我们向着Flink循环吧:
0:000> dt _LDR_DATA_TABLE_ENTRY 0x003126f8 ole32!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312788 - 0x7784788c ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312790 - 0x77847894 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x018 DllBase : 0x008f0000 +0x01c EntryPoint : 0x00902d6c +0x020 SizeOfImage : 0xc0000 +0x024 FullDllName : _UNICODE_STRING "C:\Windows\System32\calc.exe" +0x02c BaseDllName : _UNICODE_STRING "calc.exe" +0x034 Flags : 0x4000 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x31382c - 0x7784a6a8 ] +0x03c SectionPointer : 0x0031382c +0x040 CheckSum : 0x7784a6a8 +0x044 TimeDateStamp : 0x4ce7979d +0x044 LoadedImports : 0x4ce7979d +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x312748 - 0x312748 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312750 - 0x312750 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x315768 - 0x313cf0 ] +0x068 ContextInformation : 0x777e0534 +0x06c OriginalBase : 0 +0x070 LoadTime : _LARGE_INTEGER 0x00:000> dt _LDR_DATA_TABLE_ENTRY 0x312788ole32!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312ab0 - 0x3126f8 ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312ab8 - 0x312700 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x312bd8 - 0x7784789c ] +0x018 DllBase : 0x77770000 +0x01c EntryPoint : (null) +0x020 SizeOfImage : 0x13c000 +0x024 FullDllName : _UNICODE_STRING "C:\windows\SYSTEM32\ntdll.dll" +0x02c BaseDllName : _UNICODE_STRING "ntdll.dll" +0x034 Flags : 0x4004 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x32384c - 0x7784a680 ] +0x03c SectionPointer : 0x0032384c +0x040 CheckSum : 0x7784a680 +0x044 TimeDateStamp : 0x4ec49b60 +0x044 LoadedImports : 0x4ec49b60 +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x3127d8 - 0x3127d8 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x3127e0 - 0x3127e0 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x3127e8 - 0x3127e8 ] +0x068 ContextInformation : (null) +0x06c OriginalBase : 0x77ec0000 +0x070 LoadTime : _LARGE_INTEGER 0x00:000> dt _LDR_DATA_TABLE_ENTRY 0x312ab0 ole32!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312bc8 - 0x312788 ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312bd0 - 0x312790 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x3134e0 - 0x312bd8 ] +0x018 DllBase : 0x77490000 +0x01c EntryPoint : 0x774dcd6f +0x020 SizeOfImage : 0xd4000 +0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\kernel32.dll" +0x02c BaseDllName : _UNICODE_STRING "kernel32.dll" +0x034 Flags : 0x84004 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x31558c - 0x7784a640 ] +0x03c SectionPointer : 0x0031558c +0x040 CheckSum : 0x7784a640 +0x044 TimeDateStamp : 0x506dbd3e +0x044 LoadedImports : 0x506dbd3e +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x3136b8 - 0x3136b8 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312b08 - 0x312b08 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x312c80 - 0x312b40 ] +0x068 ContextInformation : 0x777e0534 +0x06c OriginalBase : 0x77de0000 +0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea9021710:000> dt _LDR_DATA_TABLE_ENTRY 0x312bc8 ole32!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3133e8 - 0x312ab0 ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3133f0 - 0x312ab8 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x312ac0 - 0x312798 ] +0x018 DllBase : 0x75a30000 +0x01c EntryPoint : 0x75a37e90 +0x020 SizeOfImage : 0x4b000 +0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\KERNELBASE.dll" +0x02c BaseDllName : _UNICODE_STRING "KERNELBASE.dll" +0x034 Flags : 0x84004 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x31ba9c - 0x7784a690 ] +0x03c SectionPointer : 0x0031ba9c +0x040 CheckSum : 0x7784a690 +0x044 TimeDateStamp : 0x506dbd3f +0x044 LoadedImports : 0x506dbd3f +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x312c18 - 0x312c18 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312c20 - 0x312c20 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x312c58 - 0x312c58 ] +0x068 ContextInformation : 0x777e0534 +0x06c OriginalBase : 0xdce0000 +0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea9021710:000> dt _LDR_DATA_TABLE_ENTRY 0x3133e8 ole32!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3134d0 - 0x312bc8 ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3134d8 - 0x312bd0 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x314578 - 0x3136f0 ] +0x018 DllBase : 0x76240000 +0x01c EntryPoint : 0x762c1621 +0x020 SizeOfImage : 0xc4a000 +0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\SHELL32.dll" +0x02c BaseDllName : _UNICODE_STRING "SHELL32.dll" +0x034 Flags : 0xc4004 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x316554 - 0x7784a688 ] +0x03c SectionPointer : 0x00316554 +0x040 CheckSum : 0x7784a688 +0x044 TimeDateStamp : 0x4fd2d1d9 +0x044 LoadedImports : 0x4fd2d1d9 +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x313438 - 0x313438 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x313440 - 0x313440 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x313cc8 - 0x3135d8 ] +0x068 ContextInformation : 0x777e0534 +0x06c OriginalBase : 0x73800000 +0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea9282d2
对比!peb的输出:
8f0000 4ce7979d Nov 20 17:40:45 2010 C:\Windows\System32\calc.exe 77770000 4ec49b60 Nov 17 13:28:00 2011 C:\windows\SYSTEM32\ntdll.dll 77490000 506dbd3e Oct 05 00:45:50 2012 C:\windows\system32\kernel32.dll 75a30000 506dbd3f Oct 05 00:45:51 2012 C:\windows\system32\KERNELBASE.dll 76240000 4fd2d1d9 Jun 09 12:32:25 2012 C:\windows\system32\SHELL32.dll
当然是一样的~~~
下一步是怎么直接得到进程的cmdline:我们注意到PEB0x10处的偏移
+0x010 ProcessParameters : 0x00311b48 _RTL_USER_PROCESS_PARAMETERS
dt一下试试:
0:000> dt 0x00311b48 _RTL_USER_PROCESS_PARAMETERSole32!_RTL_USER_PROCESS_PARAMETERS +0x000 MaximumLength : 0xaf2 +0x004 Length : 0xaf2 +0x008 Flags : 0x2001 +0x00c DebugFlags : 0 +0x010 ConsoleHandle : (null) +0x014 ConsoleFlags : 0 +0x018 StandardInput : (null) +0x01c StandardOutput : (null) +0x020 StandardError : (null) +0x024 CurrentDirectory : _CURDIR +0x030 DllPath : _UNICODE_STRING "C:\Windows\System32;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\" +0x038 ImagePathName : _UNICODE_STRING "C:\Windows\System32\calc.exe" +0x040 CommandLine : _UNICODE_STRING "C:\Windows\System32\calc.exe" +0x048 Environment : 0x00310810 +0x04c StartingX : 0 +0x050 StartingY : 0 +0x054 CountX : 0 +0x058 CountY : 0 +0x05c CountCharsX : 0 +0x060 CountCharsY : 0 +0x064 FillAttribute : 0 +0x068 WindowFlags : 0 +0x06c ShowWindowFlags : 0 +0x070 WindowTitle : _UNICODE_STRING "C:\Windows\System32\calc.exe" +0x078 DesktopInfo : _UNICODE_STRING "Winsta0\Default" +0x080 ShellInfo : _UNICODE_STRING "" +0x088 RuntimeData : _UNICODE_STRING "" +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR +0x290 EnvironmentSize : 0x131e +0x294 EnvironmentVersion : 1
都出来了~~~~~~~~~
0 0
- !peb和PEB结构
- PEB 和 TIB结构
- PEB结构
- PEB结构
- PEB
- PEB
- 进程peb结构、获得peb的方法
- PEB及PEB_LDR_DATA结构
- peb的结构
- PEB结构的获取
- PEB及PEB_LDR_DATA结构
- PEB结构块解析
- PEB结构块解析
- 修改PEB结构绕防火墙
- PEB TEB结构体使用
- 32 64 peb结构体
- 线程的TEB和进程的PEB结构
- 36.windbg-!peb(手工分析PEB结构)
- 自适应屏幕分辨率的基类窗口
- 题目1166:迭代求立方根
- jQuery验证控件jquery.validate.js使用说明+中文API
- Android 8位颜色值和6位颜色值的区别
- 数据库开发(15)并行数据库
- !peb和PEB结构
- android开发: The import com.google cannot be resolved 的解决办法
- DSP 之(HPI) 编程
- Nginx安装配置
- hdu step5.3.3 Median Filter(树状数组求第k大的值)
- 色彩的数学规则(二)(转)
- 数组 数组反转,排序
- samba 共享权限设置的问题
- [深入浅出Cocoa]详解键值观察(KVO)及其实现机理
