zoukankan      html  css  js  c++  java
  • PEB和TEB资料整合

    一、概念

      TEB(Thread Environment Block,线程环境块)系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间,在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。一个进程的所有TEB都以堆栈的方式,存放在从0x7FFDE000开始的线性内存中,每 4KB为一个完整的TEB,不过该内存区域是向下扩展的。在用户模式下,当前线程的TEB位于独立的4KB段,可通过CPU的FS寄存器来访问该段,一般存储在[FS:0]。在用户态下WinDbg中可用命令$thread取得TEB地址。

       PEB(Process Environment Block,进程环境块)存放进程信息,每个进程都有自己的PEB信息。位于用户地址空间。在Win 2000下,进程环境块的地址对于每个进程来说是固定的,在0x7FFDF000处,这是用户地址空间,所以程序能够直接访问。准确的PEB地址应从系统 的EPROCESS结构的0x1b0偏移处获得,但由于EPROCESS在系统地址空间,访问这个结构需要有ring0的权限。还可以通过TEB结构的偏 移0x30处获得PEB的位置,FS段寄存器指向当前的TEB结构:

    mov eax,fs:[0x30]
    
    mov PEB,eax

    在用户态下WinDbg中可用命令$proc取得PEB地址。

    二、TEB偏移
    FS:[000]   指向SEH链指针
    FS:[004]  线程堆栈顶部
    FS:[008] 线程堆栈底部
    FS:[00C]  SubSystemTib
    FS:[010]  FiberData
    FS:[014] ArbitraryUserPointer
    FS:[018]  指向TEB自身
    FS:[020] 进程PID
    FS:[024] 线程ID
    FS:[02C] 指向线程局部存储指针
    FS:[030] PEB结构地址(进程结构)
    FS:[034] 上个错误号

    三、参考

      1.PEB结构----枚举用户模块列表http://bbs.pediy.com/showthread.php?t=52398

      2.FS TIB TEB PEB :http://bbs.pediy.com/showthread.php?p=704601

      3.http://bbs.pediy.com/showthread.php?t=175833

    四、结构

    // Thread Environment Block (TEB)
    typedef struct _TEB
    {
        NT_TIB Tib;                             /* 00h */
        PVOID EnvironmentPointer;               /* 1Ch */
        CLIENT_ID Cid;                          /* 20h */
        PVOID ActiveRpcHandle;                  /* 28h */
        PVOID ThreadLocalStoragePointer;        /* 2Ch */
        struct _PEB *ProcessEnvironmentBlock;   /* 30h */
        ULONG LastErrorValue;                   /* 34h */
        ULONG CountOfOwnedCriticalSections;     /* 38h */
        PVOID CsrClientThread;                  /* 3Ch */
        struct _W32THREAD* Win32ThreadInfo;     /* 40h */
        ULONG User32Reserved[0x1A];             /* 44h */
        ULONG UserReserved[5];                  /* ACh */
        PVOID WOW32Reserved;                    /* C0h */
        LCID CurrentLocale;                     /* C4h */
        ULONG FpSoftwareStatusRegister;         /* C8h */
        PVOID SystemReserved1[0x36];            /* CCh */
        LONG ExceptionCode;                     /* 1A4h */
        struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */
        UCHAR SpareBytes1[0x28];                /* 1ACh */
        GDI_TEB_BATCH GdiTebBatch;              /* 1D4h */
        CLIENT_ID RealClientId;                 /* 6B4h */
        PVOID GdiCachedProcessHandle;           /* 6BCh */
        ULONG GdiClientPID;                     /* 6C0h */
        ULONG GdiClientTID;                     /* 6C4h */
        PVOID GdiThreadLocalInfo;               /* 6C8h */
        ULONG Win32ClientInfo[62];              /* 6CCh */
        PVOID glDispatchTable[0xE9];            /* 7C4h */
        ULONG glReserved1[0x1D];                /* B68h */
        PVOID glReserved2;                      /* BDCh */
        PVOID glSectionInfo;                    /* BE0h */
        PVOID glSection;                        /* BE4h */
        PVOID glTable;                          /* BE8h */
        PVOID glCurrentRC;                      /* BECh */
        PVOID glContext;                        /* BF0h */
        NTSTATUS LastStatusValue;               /* BF4h */
        UNICODE_STRING StaticUnicodeString;     /* BF8h */
        WCHAR StaticUnicodeBuffer[0x105];       /* C00h */
        PVOID DeallocationStack;                /* E0Ch */
        PVOID TlsSlots[0x40];                   /* E10h */
        LIST_ENTRY TlsLinks;                    /* F10h */
        PVOID Vdm;                              /* F18h */
        PVOID ReservedForNtRpc;                 /* F1Ch */
        PVOID DbgSsReserved[0x2];               /* F20h */
        ULONG HardErrorDisabled;                /* F28h */
        PVOID Instrumentation[14];              /* F2Ch */
        PVOID SubProcessTag;                    /* F64h */
        PVOID EtwTraceData;                     /* F68h */
        PVOID WinSockData;                      /* F6Ch */
        ULONG GdiBatchCount;                    /* F70h */
        BOOLEAN InDbgPrint;                     /* F74h */
        BOOLEAN FreeStackOnTermination;         /* F75h */
        BOOLEAN HasFiberData;                   /* F76h */
        UCHAR IdealProcessor;                   /* F77h */
        ULONG GuaranteedStackBytes;             /* F78h */
        PVOID ReservedForPerf;                  /* F7Ch */
        PVOID ReservedForOle;                   /* F80h */
        ULONG WaitingOnLoaderLock;              /* F84h */
        ULONG SparePointer1;                    /* F88h */
        ULONG SoftPatchPtr1;                    /* F8Ch */
        ULONG SoftPatchPtr2;                    /* F90h */
        PVOID *TlsExpansionSlots;               /* F94h */
        ULONG ImpersionationLocale;             /* F98h */
        ULONG IsImpersonating;                  /* F9Ch */
        PVOID NlsCache;                         /* FA0h */
        PVOID pShimData;                        /* FA4h */
        ULONG HeapVirualAffinity;               /* FA8h */
        PVOID CurrentTransactionHandle;         /* FACh */
        PTEB_ACTIVE_FRAME ActiveFrame;          /* FB0h */
        PVOID FlsData;                          /* FB4h */
        UCHAR SafeThunkCall;                    /* FB8h */
        UCHAR BooleanSpare[3];                  /* FB9h */
    } TEB, *PTEB; 
    //Process Environment Block
    typedef struct _PEB
    {
        UCHAR InheritedAddressSpace; // 00h
        UCHAR ReadImageFileExecOptions; // 01h
        UCHAR BeingDebugged; // 02h
        UCHAR Spare; // 03h
        PVOID Mutant; // 04h
        PVOID ImageBaseAddress; // 08h
        PPEB_LDR_DATA Ldr; // 0Ch
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // 10h
        PVOID SubSystemData; // 14h
        PVOID ProcessHeap; // 18h
        PVOID FastPebLock; // 1Ch
        PPEBLOCKROUTINE FastPebLockRoutine; // 20h
        PPEBLOCKROUTINE FastPebUnlockRoutine; // 24h
        ULONG EnvironmentUpdateCount; // 28h
        PVOID* KernelCallbackTable; // 2Ch
        PVOID EventLogSection; // 30h
        PVOID EventLog; // 34h
        PPEB_FREE_BLOCK FreeList; // 38h
        ULONG TlsExpansionCounter; // 3Ch
        PVOID TlsBitmap; // 40h
        ULONG TlsBitmapBits[0x2]; // 44h
        PVOID ReadOnlySharedMemoryBase; // 4Ch
        PVOID ReadOnlySharedMemoryHeap; // 50h
        PVOID* ReadOnlyStaticServerData; // 54h
        PVOID AnsiCodePageData; // 58h
        PVOID OemCodePageData; // 5Ch
        PVOID UnicodeCaseTableData; // 60h
        ULONG NumberOfProcessors; // 64h
        ULONG NtGlobalFlag; // 68h
        UCHAR Spare2[0x4]; // 6Ch
        LARGE_INTEGER CriticalSectionTimeout; // 70h
        ULONG HeapSegmentReserve; // 78h
        ULONG HeapSegmentCommit; // 7Ch
        ULONG HeapDeCommitTotalFreeThreshold; // 80h
        ULONG HeapDeCommitFreeBlockThreshold; // 84h
        ULONG NumberOfHeaps; // 88h
        ULONG MaximumNumberOfHeaps; // 8Ch
        PVOID** ProcessHeaps; // 90h
        PVOID GdiSharedHandleTable; // 94h
        PVOID ProcessStarterHelper; // 98h
        PVOID GdiDCAttributeList; // 9Ch
        PVOID LoaderLock; // A0h
        ULONG OSMajorVersion; // A4h
        ULONG OSMinorVersion; // A8h
        ULONG OSBuildNumber; // ACh
        ULONG OSPlatformId; // B0h
        ULONG ImageSubSystem; // B4h
        ULONG ImageSubSystemMajorVersion; // B8h
        ULONG ImageSubSystemMinorVersion; // C0h
        ULONG GdiHandleBuffer[0x22]; // C4h
        PVOID ProcessWindowStation; // ???
    } PEB, *PPEB;
  • 相关阅读:
    Python3基础 keyword 查看所有的关键字
    Python3基础 print 格式化输出 %% 输出%
    Python3基础 print 格式化输出 %f %d 保留浮点数的位数 整数的位数不够零来凑
    Python3基础 for-else break、continue跳出循环示例
    Python3基础 global 在函数内部对全局变量进行修改
    Python3基础 continue while循环示例
    Python3基础 def 函数要先定义再调用
    Python3基础 输出逐行递增的小星星
    Python3基础 九九乘法表
    C#调用接口返回json数据中含有双引号 或其他非法字符的解决办法
  • 原文地址:https://www.cnblogs.com/Viwilla/p/5109966.html
Copyright © 2011-2022 走看看