PEB TIB TEB结构展示
从看雪看到这3个结构体的定义:fs: 的地址位置就是TEB,TIB是TEB的第一个成员,TEB的0x30处指向PEB。这里有个问题没想明白,如何从PEB枚举所有TEB呢?
代码如下:
// Minimal, self-contained subset of the Windows SDK basic types so the
// structures below compile without windows.h. Everything here targets the
// MSVC toolchain (__int64, __w64, and the _asm block in main()) and a 32-bit
// build: the hand-written offsets in later comments assume 4-byte pointers.
#define EXCEPTION_MAXIMUM_PARAMETERS 15 // maximum number of exception parameters
// NOTE(review): this macro is never used below. In the SDK it is the bound of
// EXCEPTION_RECORD.ExceptionInformation[]; the "[..]" appears to have been lost
// when the listing was pasted (several other array bounds are missing too), so
// sizes and offsets of the structs below should be checked before relying on them.
typedef unsigned int DWORD;
typedef unsigned long ULONG;
typedef short SHORT;
typedef unsigned short WORD;
typedef unsigned short USHORT;
typedef void* PVOID;
typedef PVOID* PPVOID;
typedef unsigned char UCHAR;
typedef unsigned char BYTE;
typedef long LONG;
// 16-bit code unit, not wchar_t: the printers in main() cast to wchar_t*
// before streaming, which is only right where wchar_t is 16-bit (MSVC).
typedef unsigned short WCHAR;
typedef char CHAR;
typedef __int64 LONGLONG;
typedef unsigned __int64 ULONGLONG;
typedef WCHAR *PWCHAR, *LPWCH, *PWCH;
typedef CHAR *PCHAR, *LPCH, *PCH;
typedef unsigned short UINT16;
typedef unsigned int UINT32;
typedef unsigned __int64 UINT64;
typedef short INT16;
typedef int INT32;
typedef __int64 INT64;
// _W64 is MSVC's 32-bit "this widens to pointer size" warning annotation;
// it expands to nothing on other compilers.
#if !defined(_W64)
#if !defined(__midl) && (defined(_X86_) || defined(_M_IX86)) && _MSC_VER >= 1300
#define _W64 __w64
#else
#define _W64
#endif
#endif
// __midl is undefined in a C++ build, so the MIDL branch is skipped and the
// pointer-sized integers come from the _WIN64 test below.
#if ( 501 < __midl )
typedef __int3264 INT_PTR, *PINT_PTR;
typedef unsigned __int3264 UINT_PTR, *PUINT_PTR;
typedef __int3264 LONG_PTR, *PLONG_PTR;
typedef unsigned __int3264 ULONG_PTR, *PULONG_PTR;
#else// midl64
// old midl and C++ compiler
#if defined(_WIN64)
typedef __int64 INT_PTR, *PINT_PTR;
typedef unsigned __int64 UINT_PTR, *PUINT_PTR;
typedef __int64 LONG_PTR, *PLONG_PTR;
typedef unsigned __int64 ULONG_PTR, *PULONG_PTR;
#define __int3264 __int64
#else
typedef _W64 int INT_PTR, *PINT_PTR;
typedef _W64 unsigned int UINT_PTR, *PUINT_PTR;
typedef _W64 long LONG_PTR, *PLONG_PTR;
typedef _W64 unsigned long ULONG_PTR, *PULONG_PTR;
#define __int3264 __int32
#endif
#endif // midl64
// HANDLE is an opaque pointer either way; STRICT only changes whether
// DECLARE_HANDLE produces distinct pointer types.
#ifdef STRICT
typedef void *HANDLE;
#if 0 && (_MSC_VER > 1000)
#define DECLARE_HANDLE(name) struct name##__; typedef struct name##__ *name
#else
#define DECLARE_HANDLE(name) struct name##__{int unused;}; typedef struct name##__ *name
#endif
#else
typedef PVOID HANDLE;
#define DECLARE_HANDLE(name) typedef HANDLE name
#endif
typedef HANDLE *PHANDLE;
// Signed 64-bit value addressable as a whole (QuadPart) or as two 32-bit halves.
// Used by PEB.CriticalSectionTimeout below. DUMMYSTRUCTNAME is not defined in
// this listing, so here it simply becomes the name of the first member (in the
// SDK it is a macro); the layout is unaffected.
#if defined(MIDL_PASS)
typedef struct _LARGE_INTEGER
{
#else // MIDL_PASS
typedef union _LARGE_INTEGER
{
struct
{
DWORD LowPart;
LONG HighPart;
} DUMMYSTRUCTNAME;
struct
{
DWORD LowPart;
LONG HighPart;
} u;
#endif //MIDL_PASS
LONGLONG QuadPart;
} LARGE_INTEGER;
// Unsigned counterpart of LARGE_INTEGER; used by PEB.AppCompatFlags and
// PEB.AppCompatFlagsUser below. Same note about DUMMYSTRUCTNAME applies.
#if defined(MIDL_PASS)
typedef struct _ULARGE_INTEGER
{
#else // MIDL_PASS
typedef union _ULARGE_INTEGER
{
struct
{
DWORD LowPart;
DWORD HighPart;
} DUMMYSTRUCTNAME;
struct
{
DWORD LowPart;
DWORD HighPart;
} u;
#endif //MIDL_PASS
ULONGLONG QuadPart;
} ULARGE_INTEGER;
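#ifndef GUID_DEFINED
#define GUID_DEFINED
/* 128-bit GUID: a 32-bit Data1, two 16-bit halves and an 8-byte Data4 tail
 * (the canonical guiddef.h layout). The pasted listing had lost the space in
 * "unsigned longData1" (not a valid declaration) and the [8] bound on Data4,
 * which left the struct 7 bytes short of a GUID; both are restored here.
 * TEB.ActivityId below is this type. */
#if defined(__midl)
typedef struct
{
    unsigned long Data1;
    unsigned short Data2;
    unsigned short Data3;
    byte Data4[8];
} GUID;
#else
typedef struct _GUID
{
    unsigned long Data1;
    unsigned short Data2;
    unsigned short Data3;
    unsigned char Data4[8];
} GUID;
#endif
#endif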
// Result an SEH handler (EXCEPTION_ROUTINE, declared below) returns to the
// exception dispatcher. The enumerator order is ABI and must not change.
typedef enum _EXCEPTION_DISPOSITION
{
ExceptionContinueExecution,
ExceptionContinueSearch,
ExceptionNestedException,
ExceptionCollidedUnwind
} EXCEPTION_DISPOSITION, *PEXCEPTION_DISPOSITION;
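/* Exception record handed to SEH handlers. ExceptionInformation is an array
 * of EXCEPTION_MAXIMUM_PARAMETERS (15, defined at the top of this listing)
 * machine words, of which NumberParameters are meaningful. The array bound
 * had been lost in the pasted listing, which shrank the struct to a single
 * word and left the macro unused; it is restored here. */
typedef struct _EXCEPTION_RECORD
{
    DWORD ExceptionCode;
    DWORD ExceptionFlags;
    struct _EXCEPTION_RECORD *ExceptionRecord;   // next record of a nested exception, if any
    PVOID ExceptionAddress;
    DWORD NumberParameters;                      // valid entries in ExceptionInformation
    ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD, *PEXCEPTION_RECORD;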
// Signature of an SEH handler. `struct _CONTEXT` is only named here and never
// defined in this listing, so ContextRecord is an opaque pointer; __stdcall is
// MSVC-specific.
typedef EXCEPTION_DISPOSITION __stdcall EXCEPTION_ROUTINE(struct _EXCEPTION_RECORD *ExceptionRecord,
PVOID EstablisherFrame, struct _CONTEXT *ContextRecord, PVOID DispatcherContext);
typedef EXCEPTION_ROUTINE *PEXCEPTION_ROUTINE;
// One frame of the per-thread SEH chain, linked through Next. main() walks
// the chain from NT_TIB.ExceptionList until it reaches the -1 sentinel.
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
struct _EXCEPTION_REGISTRATION_RECORD *Next;
PEXCEPTION_ROUTINE Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
// Thread Information Block: the first member of TEB, so it is also what fs
// addresses on 32-bit. Self is the seventh pointer-sized member, i.e. +0x18
// with 4-byte pointers, and points back at the enclosing TEB — that is how
// main() locates the TEB.
typedef struct _NT_TIB
{
struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
PVOID StackBase;
PVOID StackLimit;
PVOID SubSystemTib;
// The anonymous union needs MSVC extensions; a pointer and a DWORD overlay
// here, so the plain-PVOID fallback has the same size on 32-bit.
#if defined(_MSC_EXTENSIONS)
union
{
PVOID FiberData;
DWORD Version;
};
#else
PVOID FiberData;
#endif
PVOID ArbitraryUserPointer;
struct _NT_TIB *Self;
} NT_TIB, *PNT_TIB;
// Process id and thread id carried as HANDLE-sized values; main() prints
// both from TEB.ClientId (they stream as pointers, so `dec` has no effect).
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
// Circular doubly linked list node. A list's head is a LIST_ENTRY embedded in
// the owning structure (see PEB_LDR_DATA), not a payload entry, so a walk must
// stop when it returns to the head rather than treat it as an element.
typedef struct _LIST_ENTRY
{
struct _LIST_ENTRY *Flink;
struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *PRLIST_ENTRY;
// Counted UTF-16 string. Length and MaximumLength are byte counts, not
// character counts, and Buffer is not guaranteed to be NUL-terminated: print
// Length / sizeof(WCHAR) code units rather than treating Buffer as a C string.
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
USHORT * Buffer;
#else // MIDL_PASS
PWCH Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
// Debug side-record of a critical section; referenced only through
// RTL_CRITICAL_SECTION.DebugInfo below and never dereferenced in main().
typedef struct _RTL_CRITICAL_SECTION_DEBUG
{
WORD Type;
WORD CreatorBackTraceIndex;
struct _RTL_CRITICAL_SECTION *CriticalSection;
LIST_ENTRY ProcessLocksList;
DWORD EntryCount;
DWORD ContentionCount;
DWORD Flags;
WORD CreatorBackTraceIndexHigh;
WORD SpareWORD;
} RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG, RTL_RESOURCE_DEBUG, *PRTL_RESOURCE_DEBUG;
// User-mode critical section. PEB.FastPebLock and PEB.LoaderLock point at
// one of these; only the pointers are printed below. The pack(push, 8) /
// pack(pop) pair is correctly balanced here.
#pragma pack(push, 8)
typedef struct _RTL_CRITICAL_SECTION
{
PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
LONG LockCount;
LONG RecursionCount;
HANDLE OwningThread; // from the thread's ClientId->UniqueThread
HANDLE LockSemaphore;
ULONG_PTR SpinCount; // force size on 64-bit systems when packed
} RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION;
#pragma pack(pop)
// Loader bookkeeping reached via PEB.Ldr. The three module lists are circular
// and their heads are embedded here; the head is not an LDR_MODULE, so a walk
// over InLoadOrderModuleList has to stop when it comes back to
// &InLoadOrderModuleList (the list walk in main() should be read with this in mind).
typedef struct _PEB_LDR_DATA
{
UINT32 Length;
UCHAR Initialized;
PVOID SsHandle;
_LIST_ENTRY InLoadOrderModuleList;
_LIST_ENTRY InMemoryOrderModuleList;
_LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
UCHAR ShutdownInProgress;
PVOID ShutdownThreadId;
}PEB_LDR_DATA, *PPEB_LDR_DATA;
// One loaded module. The offsets in the trailing comments are for a 32-bit
// build. Because InLoadOrderModuleList is the first member (+0x000), a Flink
// taken from that list can be cast straight to PLDR_MODULE, which is what
// main() does; an entry reached through either of the other two lists would
// need the CONTAINING_RECORD adjustment instead.
typedef struct _LDR_MODULE
{
LIST_ENTRY InLoadOrderModuleList; // +0x000
LIST_ENTRY InMemoryOrderModuleList; // +0x008
LIST_ENTRY InInitializationOrderModuleList;// +0x010
PVOID BaseAddress; // +0x018
PVOID EntryPoint; // +0x01C
ULONG SizeOfImage; // +0x020
UNICODE_STRING FullDllName; // +0x024
UNICODE_STRING BaseDllName; // +0x02C
ULONG Flags; // +0x034
SHORT LoadCount; // +0x038
SHORT TlsIndex; // +0x03A
LIST_ENTRY HashTableEntry; // +0x03C
ULONG TimeDateStamp; // +0x044
// +0x048
} LDR_MODULE, *PLDR_MODULE;
// Current directory of the process: a counted path plus a handle. main()
// prints DosPath via RTL_USER_PROCESS_PARAMETERS.CurrentDirectory.
typedef struct _CURDIR
{
_UNICODE_STRING DosPath;
PVOID Handle;
}CURDIR, *PCURDIR;
// Counted 8-bit string (the ANSI counterpart of UNICODE_STRING): Length and
// MaximumLength are byte counts, Buffer is not guaranteed NUL-terminated.
// The empty MIDL_PASS block is a leftover from the SDK header.
typedef struct _STRING
{
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
#endif // MIDL_PASS
PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;
typedef STRING ANSI_STRING;
typedef PSTRING PANSI_STRING;
// Per-drive current directory record used by RTL_USER_PROCESS_PARAMETERS.
// The tag has no leading underscore here, unlike its neighbours; the typedef
// name and the tag coincide, which C++ allows.
typedef struct RTL_DRIVE_LETTER_CURDIR
{
UINT16 Flags;
UINT16 Length;
UINT32 TimeStamp;
_STRING DosPath;
}RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
// Startup parameters reached via PEB.ProcessParameters: standard handles,
// current directory, image path, command line and window/desktop strings.
// main() reads only members up to DesktopInfo.
// NOTE(review): CurrentDirectores is spelled as in the SDK symbols, but there
// it is an array (one record per drive letter); declared as a single element
// here — probably another bound lost in the paste — every member from
// EnvironmentSize on would be at the wrong offset. Verify before using them.
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
UINT32 MaximumLength;
UINT32 Length;
UINT32 Flags;
UINT32 DebugFlags;
PVOID ConsoleHandle;
UINT32 ConsoleFlags;
PVOID StandardInput;
PVOID StandardOutput;
PVOID StandardError;
_CURDIR CurrentDirectory;
_UNICODE_STRING DllPath;
_UNICODE_STRING ImagePathName;
_UNICODE_STRING CommandLine;
PVOID Environment;
UINT32 StartingX;
UINT32 StartingY;
UINT32 CountX;
UINT32 CountY;
UINT32 CountCharsX;
UINT32 CountCharsY;
UINT32 FillAttribute;
UINT32 WindowFlags;
UINT32 ShowWindowFlags;
_UNICODE_STRING WindowTitle;
_UNICODE_STRING DesktopInfo;
_UNICODE_STRING ShellInfo;
_UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectores;
UINT64 EnvironmentSize;
UINT64 EnvironmentVersion;
PVOID PackageDependencyData;
UINT32 ProcessGroupId;
}RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
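#pragma pack(push, 1)
/* Process Environment Block, reached from TEB.ProcessEnvironmentBlock.
 * main() prints the leading flags, the heap/version/session fields, then
 * follows Ldr and ProcessParameters.
 *
 * Layout caveats for anyone relying on offsets rather than member names:
 *  - The struct is packed at 1 while the real PEB is naturally aligned; the
 *    64-bit CriticalSectionTimeout/AppCompatFlags members can therefore land
 *    at different offsets than on a live process.
 *  - In the SDK layout CrossProcessFlags and the bit-fields that follow it
 *    overlay each other (a union), as do KernelCallbackTable and
 *    UserSharedInfoPtr; declared as separate members here they add bytes and
 *    shift everything after +0x28. Several members that are arrays in the SDK
 *    (TlsBitmapBits, GdiHandleBuffer, ...) appear as scalars, most likely
 *    because the bounds were lost when the listing was pasted.
 *  Treat printed values past BeingDebugged/ImageBaseAddress as unverified. */
typedef struct _PEB
{
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    //UCHAR BitField
    BYTE ImageUsesLargePages : 1;
    BYTE IsProtectedProcess : 1;
    BYTE IsImageDynamicallyRelocated : 1;
    BYTE SkipPatchingUser32Forwarders : 1;
    BYTE IsPackagedProcess : 1;
    BYTE IsAppContainer : 1;
    BYTE IsProtectedProcessLight : 1;
    BYTE SpareBits : 1;
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;                             // loader module lists (walked in main)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // command line, cwd, ... (printed in main)
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    UINT32 CrossProcessFlags;
    unsigned ProcessInJob : 1;
    unsigned ProcessInitializing : 1;
    unsigned ProcessUsingVEH : 1;
    unsigned ProcessUsingVCH : 1;
    unsigned ProcessUsingFTH : 1;
    unsigned ReservedBits0 : 27;
    PVOID KernelCallbackTable;
    PVOID UserSharedInfoPtr;
    UINT32 SystemReserved;
    UINT32 AtlThunkSListPtr32;
    UINT32 ApiSetMap;
    UINT32 TlsExpansionCounter;
    UINT32 TlsBitmap;
    UINT32 TlsBitmapBits;
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PVOID ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    UINT32 NumberOfProcessors;
    UINT32 NtGlobalFlag;
    _LARGE_INTEGER CriticalSectionTimeout;
    UINT32 HeapSegmentReserve;
    UINT32 HeapSegmentCommit;
    UINT32 HeapDeCommitTotalFreeThreshold;
    UINT32 HeapDeCommitFreeBlockThreshold;
    UINT32 NumberOfHeaps;
    UINT32 MaximumNumberOfHeaps;
    PPVOID ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    UINT32 GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    UINT32 OSMajorVersion;
    UINT32 OSMinorVersion;
    UINT16 OSBuildNumber;
    UINT16 OSCSDVersion;
    UINT32 OSPlatformId;
    UINT32 ImageSubsystem;
    UINT32 ImageSubsystemMajorVersion;
    UINT32 ImageSubsystemMinorVersion;
    UINT32 ActiveProcessAffinityMask;
    UINT32 GdiHandleBuffer;
    PVOID PostProcessInitRoutine;
    PVOID TlsExpansionBitmap;
    PVOID TlsExpansionBitmapBits;
    UINT32 SessionId;
    _ULARGE_INTEGER AppCompatFlags;
    _ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;
    _UNICODE_STRING CSDVersion;
    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;
    UINT32 MinimumStackCommit;
}PEB, *PPEB;
/* The original wrote `#pragma pop`, which is not a packing directive: MSVC
 * ignores it as an unknown pragma, so the 1-byte packing pushed above stayed
 * in force for GDI_TEB_BATCH, TEB and every struct that follows. pack(pop)
 * restores the previous alignment as intended. */
#pragma pack(pop)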
// GDI batching state embedded in the TEB (TEB.GdiTebBatch); not printed by main().
// Alignment here depends on whether the `#pragma pack(push, 1)` around PEB above
// has actually been popped with `#pragma pack(pop)`: a bare `#pragma pop` leaves
// 1-byte packing in effect and places the 64-bit HDC without its natural alignment.
// NOTE(review): Buffer is an array in the SDK definition; as a scalar here every
// later TEB member shifts — likely another bound lost in the paste.
typedef struct _GDI_TEB_BATCH
{
unsigned Offset : 31;
unsigned HasRenderingCommand : 1;
UINT64 HDC;
UINT32 Buffer;
}GDI_TEB_BATCH, *PGDI_TEB_BATCH;
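/* Processor identity as processor group plus index within the group; used by
 * TEB.CurrentIdealProcessor below. The pasted listing had lost the space
 * between the BYTE type and the Number/Reserved member names ("BYTENumber;"),
 * which does not compile; the two declarations are restored here. */
typedef struct _PROCESSOR_NUMBER
{
    WORD Group;
    BYTE Number;
    BYTE Reserved;
} PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;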
// Descriptor attached to an active-frame record: flags plus a frame name as a
// NUL-terminated narrow string. Referenced through TEB_ACTIVE_FRAME.Context.
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
UINT32 Flags;
PCHAR FrameName;
}TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
// Singly linked (via Previous) stack of active frames, reached through
// TEB.ActiveFrame. The tag `_TEB_ACTIVE_FRAME` is used as a type name inside
// its own definition, which is fine in C++ but would need `struct` in C.
typedef struct _TEB_ACTIVE_FRAME
{
UINT32 Flags;
_TEB_ACTIVE_FRAME* Previous;
PTEB_ACTIVE_FRAME_CONTEXT Context;
}TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
// Thread Environment Block: the per-thread block that fs addresses on 32-bit.
// NtTib comes first, so the TIB and TEB share an address. With 4-byte pointers
// and the members declared here, ProcessEnvironmentBlock sits at +0x30
// (NtTib 0x1C + EnvironmentPointer 4 + ClientId 8 + two pointers), matching the
// "TEB+0x30 -> PEB" observation in the post.
// NOTE(review): several members that are arrays in the SDK definition
// (SpareBytes, User32Reserved, SystemReserved1, the gl* fields, TlsSlots,
// DbgSsReserved, Instrumentation, StaticUnicodeBuffer, ...) appear here as
// scalars, most likely because their bounds were lost when the listing was
// pasted. Members printed by main() up to ActiveRpcHandle/LastErrorValue/
// CountOfOwnedCriticalSections are unaffected; CurrentLocale is also early
// enough, but LastStatusValue and everything after the gl* block should be
// treated as unverified until the bounds are restored.
typedef struct _TEB
{
_NT_TIB NtTib;
PVOID EnvironmentPointer;
_CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock; // +0x30 on 32-bit with this layout
UINT32 LastErrorValue;
UINT32 CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
UINT32 User32Reserved;
UINT32 UserReserved;
PVOID WOW32Reserved;
UINT32 CurrentLocale;
UINT32 FpSoftwareStatusRegister;
PVOID SystemReserved1;
INT32 ExceptionCode;
PVOID ActivationContextStackPointer;
UCHAR SpareBytes;
UINT32 TxFsContext;
_GDI_TEB_BATCH GdiTebBatch;
_CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
UINT32 GdiClientPID;
UINT32 GdiClientTID;
PVOID GdiThreadLocalInfo;
UINT32 Win32ClientInfo;
PVOID glDispatchTable;
UINT32 glReserved1;
PVOID glReserved2;
PVOID glSectionInfo;
PVOID glSection;
PVOID glTable;
PVOID glCurrentRC;
PVOID glContext;
UINT32 LastStatusValue; // offset depends on the gl* bounds above — see note
_UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer; // backing store of StaticUnicodeString; an array in the SDK
PVOID DeallocationStack;
PVOID TlsSlots;
_LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved;
UINT32 HardErrorMode;
PVOID Instrumentation;
_GUID ActivityId;
PVOID SubProcessTag;
PVOID EtwLocalData;
PVOID EtwTraceData;
PVOID WinSockData;
UINT32 GdiBatchCount;
_PROCESSOR_NUMBER CurrentIdealProcessor;
UINT32 IdealProcessorValue;
UCHAR ReservedPad0;
UCHAR ReservedPad1;
UCHAR ReservedPad2;
UCHAR IdealProcessor;
UINT32 GuaranteedStackBytes;
PVOID ReservedForPerf;
PVOID ReservedForOle;
UINT32 WaitingOnLoaderLock;
PVOID SavedPriorityState;
UINT32 SoftPatchPtr1;
PVOID ThreadPoolData;
PPVOID TlsExpansionSlots;
UINT32 MuiGeneration;
UINT32 IsImpersonating;
PVOID NlsCache;
PVOID pShimData;
UINT32 HeapVirtualAffinity;
PVOID CurrentTransactionHandle;
PTEB_ACTIVE_FRAME ActiveFrame;
}TEB, *PTEB;
#include <iostream>
using namespace std;
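// Labelled field printers: each writes "\t<expr>:<value>" and a newline.
// The original built the label as "\t"###x##":", i.e. token-pasting a string
// literal onto the stringized argument. That is not a valid preprocessing
// token (GCC/Clang reject it; MSVC's legacy preprocessor tolerates it and
// happens to produce adjacent literals). Plain adjacent-literal
// concatenation, "\t" #x ":", is the standard way to spell the same label.
#define printsegdec(x) cout << dec << "\t" #x ":" << (x) << endl
#define printseghex(x) cout << hex << "\t" #x ":" << (x) << endl
// Guarded wide print that skips null buffers. Wrapped in do/while(0) so the
// macro expands to a single statement and a following `else` cannot bind to
// the inner `if`. The cast assumes wchar_t is 16-bit (MSVC), like this file's
// WCHAR; note it still treats the buffer as NUL-terminated, which a
// UNICODE_STRING does not guarantee — prefer printing Length/sizeof(WCHAR)
// code units where the counted string is available.
#define printsegwstr(x) do { if (x) wcout << dec << "\t" #x ":" << (wchar_t*)(x) << endl; } while (0)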
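// Upper bound on SEH frames walked below (constructed value): a corrupted or
// cyclic chain would otherwise spin forever — the original loop trusted the
// chain completely.
enum { MAX_SEH_FRAMES = 256 };

// Print "\t<label>:<text>" for a counted UNICODE_STRING. Length is a byte
// count and Buffer is not guaranteed to be NUL-terminated, so the text is
// written by code-unit count instead of streaming the raw pointer as a C
// string (which is what the original did). The cast relies on wchar_t being
// 16-bit (MSVC), matching this file's WCHAR typedef.
static void print_ustr(const char *label, const UNICODE_STRING &s)
{
    wcout << L"\t" << label << L":";
    if (s.Buffer)
    {
        wcout.write((const wchar_t *)s.Buffer, s.Length / sizeof(WCHAR));
    }
    wcout << endl;
}

// Dump the current thread's TEB, its TIB and SEH chain, the process PEB, the
// load-order module list and the process parameters. 32-bit MSVC only: the
// TEB is located through the fs segment with inline assembly.
// Returns 0 on success, 1 if the TEB or PEB pointer turned out to be null.
int main()
{
    // NT_TIB.Self is the 7th pointer-sized member of NT_TIB (declared above),
    // i.e. fs:[0x18] on 32-bit, and it points back at the TEB. The original
    // listing had lost the bracketed displacement after "fs:".
    PTEB pteb = 0;
    _asm
    {
        mov eax, dword ptr fs:[0x18];
        mov pteb, eax;
    };
    cout << hex << "TEB address:" << pteb << endl;
    if (!pteb)
    {
        return 1; // nothing below is safe to dereference
    }
    printseghex(pteb->EnvironmentPointer);
    printsegdec(pteb->ClientId.UniqueProcess); // HANDLE: streams as a pointer, `dec` has no effect
    printsegdec(pteb->ClientId.UniqueThread);
    printsegdec(pteb->ThreadLocalStoragePointer);
    printseghex(pteb->ActiveRpcHandle);
    printsegdec(pteb->LastErrorValue);
    printsegdec(pteb->CountOfOwnedCriticalSections);
    printseghex(pteb->CurrentLocale);
    printsegdec(pteb->LastStatusValue);
    cout << endl;

    // TIB: walk the SEH registration chain. It ends at the -1 sentinel; a
    // NULL link or a cycle would have crashed or hung the original loop, so
    // both are guarded here.
    NT_TIB &ptib = pteb->NtTib;
    printseghex(ptib.StackBase);
    printseghex(ptib.StackLimit);
    EXCEPTION_REGISTRATION_RECORD *perr = ptib.ExceptionList;
    for (unsigned depth = 0;
         perr && perr != (EXCEPTION_REGISTRATION_RECORD *)-1 && depth < MAX_SEH_FRAMES;
         ++depth)
    {
        printseghex(perr->Next);
        printseghex(perr->Handler);
        perr = perr->Next;
    }
    cout << endl;

    // PEB
    PPEB ppeb = pteb->ProcessEnvironmentBlock;
    cout << hex << "PEB address:" << ppeb << endl;
    if (!ppeb)
    {
        return 1;
    }
    printsegdec((int)ppeb->InheritedAddressSpace);
    printsegdec((int)ppeb->ReadImageFileExecOptions);
    printsegdec((int)ppeb->BeingDebugged);
    printsegdec((int)ppeb->ImageUsesLargePages);
    printsegdec((int)ppeb->IsProtectedProcess);
    printsegdec((int)ppeb->IsImageDynamicallyRelocated);
    printsegdec((int)ppeb->SkipPatchingUser32Forwarders);
    printsegdec((int)ppeb->IsPackagedProcess);
    printsegdec((int)ppeb->IsAppContainer);
    printsegdec((int)ppeb->IsProtectedProcessLight);
    printsegdec((int)ppeb->SpareBits);
    printseghex(ppeb->ImageBaseAddress);
    printseghex(ppeb->ProcessHeap);
    printsegdec(ppeb->NumberOfProcessors);
    printseghex(ppeb->NtGlobalFlag);
    printseghex(ppeb->HeapSegmentReserve);
    printseghex(ppeb->HeapSegmentCommit);
    printseghex(ppeb->HeapDeCommitTotalFreeThreshold);
    printseghex(ppeb->HeapDeCommitFreeBlockThreshold);
    printsegdec(ppeb->NumberOfHeaps);
    printsegdec(ppeb->MaximumNumberOfHeaps);
    printseghex(ppeb->ProcessHeaps);
    printsegdec(ppeb->OSMajorVersion);
    printsegdec(ppeb->OSMinorVersion);
    printsegdec(ppeb->OSBuildNumber);
    printsegdec(ppeb->OSPlatformId);
    printsegdec(ppeb->ImageSubsystem);
    printsegdec(ppeb->ImageSubsystemMajorVersion);
    printsegdec(ppeb->ImageSubsystemMinorVersion);
    printsegdec(ppeb->SessionId);
    cout << endl;

    // Loader data. Casting a Flink taken from InLoadOrderModuleList to
    // PLDR_MODULE is valid only because that LIST_ENTRY is the first member
    // of LDR_MODULE (+0x000). The list head is embedded in PEB_LDR_DATA and is
    // not a module: the original stopped when it came back to the *first
    // entry*, which printed the head as if it were a module. Stop at the head.
    printseghex(ppeb->Ldr);
    if (ppeb->Ldr)
    {
        printsegdec(ppeb->Ldr->Length);
        const LIST_ENTRY *head = &ppeb->Ldr->InLoadOrderModuleList;
        cout << "LoadOrder:" << endl;
        for (PLDR_MODULE plm1 = (PLDR_MODULE)head->Flink;
             plm1 && (const LIST_ENTRY *)plm1 != head;
             plm1 = (PLDR_MODULE)plm1->InLoadOrderModuleList.Flink)
        {
            printseghex(plm1->BaseAddress);
            printseghex(plm1->EntryPoint);
            printsegdec(plm1->SizeOfImage);
            print_ustr("plm1->FullDllName.Buffer", plm1->FullDllName);
            print_ustr("plm1->BaseDllName.Buffer", plm1->BaseDllName);
            printseghex(plm1->Flags);
            printsegdec(plm1->LoadCount);
            printsegdec(plm1->TlsIndex);
        }
    }
    cout << endl;

    // Process parameters. The original printed MaximumLength three times
    // (copy-paste); once is enough. Strings go through print_ustr so an
    // unterminated buffer cannot be over-read.
    printseghex(ppeb->ProcessParameters);
    if (ppeb->ProcessParameters)
    {
        PRTL_USER_PROCESS_PARAMETERS params = ppeb->ProcessParameters;
        printsegdec(ppeb->ProcessParameters->MaximumLength);
        printsegdec(ppeb->ProcessParameters->Length);
        printseghex(ppeb->ProcessParameters->Flags);
        printseghex(ppeb->ProcessParameters->DebugFlags);
        print_ustr("CurrentDirectory", params->CurrentDirectory.DosPath);
        print_ustr("CommandLine", params->CommandLine);
        print_ustr("WindowTitle", params->WindowTitle);
        print_ustr("DesktopInfo", params->DesktopInfo);
    }
    cout << endl;
    return 0;
}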
欢迎某天尊加入驱动开发行列。 0xAA55 发表于 2015-5-2 14:19
欢迎某天尊加入驱动开发行列。
还没呢,其实,哈哈 看到PEB 和 TEB 包含了这么多的成员,我就醉了