  • FS寄存器

    FS寄存器指向当前活动线程的TEB结构(线程环境块)。注意: 下表及后文所有偏移仅适用于 32 位 x86 用户态; 在 x64 下 TEB 通过 gs 段访问, 各字段偏移不同(例如 PEB 指针位于 gs:[60h]), 不能直接套用。
    偏移  说明
    000  指向SEH链指针
    004  线程堆栈顶部
    008  线程堆栈底部
    00C  SubSystemTib
    010  FiberData
    014  ArbitraryUserPointer
    018  TEB 自身的线性地址(即 fs 段基址在平坦内存中的映射)
    020  进程PID
    024  线程ID
    02C  指向线程局部存储指针
    030  PEB结构地址(进程结构)
    034  上个错误号

    fs:[30h] -> PEB  (TEB 偏移 030h 处保存 PEB 地址; 注意是十六进制偏移)
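    typedef struct _PEB {               /* 32-bit PEB; total size 0x1D8 in this layout */
        /*
         * Process Environment Block as seen from user mode on 32-bit Windows,
         * reached through the TEB at fs:[30h]. Each field is prefixed with its
         * byte offset from the start of the structure.
         * NOTE(review): this matches an early 32-bit layout (Win2000/XP era);
         * later builds append and rearrange fields, so confirm offsets against
         * the target build before relying on them.
         * The listing is interrupted below by the exception-handling section
         * and resumes at offset 054h.
         */
        /* 000h */ UCHAR           InheritedAddressSpace;
        /* 001h */ UCHAR           ReadImageFileExecOptions;
        /* 002h */ UCHAR           BeingDebugged;              /* non-zero while being debugged; a common anti-debug probe */
        /* 003h */ UCHAR           SpareBool;
        /* 004h */ HANDLE          Mutant;
        /* 008h */ HINSTANCE       ImageBaseAddress;           /* base address the main image was loaded at */
        /* 00Ch */ struct _PEB_LDR_DATA *Ldr;                  /* Ptr32 _PEB_LDR_DATA: loaded-module lists;
                                                                  NOTE(review): position-independent shellcode
                                                                  typically walks these to find module bases */
        /* 010h */ struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
        /* 014h */ ULONG           SubSystemData;
        /* 018h */ HANDLE          DefaultHeap;
        /* 01Ch */ KSPIN_LOCK      FastPebLock;
        /* 020h */ ULONG           FastPebLockRoutine;
        /* 024h */ ULONG           FastPebUnlockRoutine;
        /* 028h */ ULONG           EnvironmentUpdateCount;
        /* 02Ch */ ULONG           KernelCallbackTable;
        /* 030h */ LARGE_INTEGER   SystemReserved;
        /* 038h */ struct _PEB_FREE_BLOCK *FreeList;
        /* 03Ch */ ULONG           TlsExpansionCounter;
        /* 040h */ ULONG           TlsBitmap;
        /* 044h */ LARGE_INTEGER   TlsBitmapBits;
        /* 04Ch */ ULONG           ReadOnlySharedMemoryBase;
        /* 050h */ ULONG           ReadOnlySharedMemoryHeap;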

     异常处理信息:

    fs:[0] -> ExceptionList  (指向链表头部的 _EXCEPTION_REGISTRATION; 通过 Prev 字段向后遍历整条 SEH 链)

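    typedef struct _EXCEPTION_REGISTRATION
    {
        /*
         * Per-frame SEH registration record, chained from fs:[0].
         * Only the first two fields (Prev, Handler) are the record the OS
         * dispatcher walks; the remaining fields are the compiler's extended
         * record used by __try/__except and follow it on the stack.
         * NOTE(review): Handler is a code pointer that normally lives on the
         * stack, so a stack overflow that reaches this record controls where
         * the dispatcher transfers control on the next exception; keep this in
         * mind when auditing stack buffers in frames that register a handler
         * (mitigations such as SafeSEH/SEHOP are not covered on this page).
         */
        struct _EXCEPTION_REGISTRATION  *Prev;      /* previous record in the chain */
        DWORD                           Handler;    /* address of the exception-handler routine */
        struct scopetable_entry         *scopetable; /* compiler scope table (presumably one entry per __try level) */
        int                             trylevel;   /* index of the active __try scope */
        int                             _ebp;       /* saved frame pointer of the registering function */
        PEXCEPTION_POINTERS             xpointers;  /* exception/context pair handed to the filter */
    }
        EXCEPTION_REGISTRATION,
        *PEXCEPTION_REGISTRATION;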
    ////////////////////////////////////////////////
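    typedef struct _EXCEPTION_POINTERS
    {
        /* Pair passed to exception filters/handlers: what happened and the register state at that moment. */
        PEXCEPTION_RECORD   ExceptionRecord;        /* points to an EXCEPTION_RECORD (code, flags, fault address) */
        PCONTEXT            ContextRecord;          /* points to a CONTEXT (register snapshot at the exception site) */
    }
        EXCEPTION_POINTERS,
        *PEXCEPTION_POINTERS;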
    /////////////////////////////////////////////////
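    /* Must be defined before the structure that sizes ExceptionInformation by it. */
    #define     EXCEPTION_MAXIMUM_PARAMETERS    15

    typedef struct _EXCEPTION_RECORD
    {
        /*
         * Describes one exception. Offsets are from the start of the record
         * (32-bit). With 15 parameters the record is 14h + 15*4 = 50h bytes;
         * the "1ch" size annotation in the original listing does not match.
         */
        /* 00h */ DWORD                     ExceptionCode;      /* exception code */
        /* 04h */ DWORD                     ExceptionFlags;     /* flags */
        /* 08h */ struct _EXCEPTION_RECORD  *ExceptionRecord;   /* next (nested) EXCEPTION_RECORD, or NULL */
        /* 0Ch */ PVOID                     ExceptionAddress;   /* address where the exception occurred */
        /* 10h */ DWORD                     NumberParameters;   /* number of valid entries in ExceptionInformation;
                                                                   a handler must not read beyond this count */
        /* 14h */ ULONG_PTR                 ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
    }
        EXCEPTION_RECORD;

        typedef     EXCEPTION_RECORD        *PEXCEPTION_RECORD;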
    /////////////////////////////////////////////////////////////////
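    /* Must be defined before the structure that sizes ExtendedRegisters by it. */
    #define     MAXIMUM_SUPPORTED_EXTENSION     512

    typedef struct _CONTEXT {
        /*
         * 32-bit x86 CONTEXT: the register state captured at the exception
         * site. Offsets are from the start of the structure.
         * NOTE(review): this record is handed to handlers by pointer; a
         * handler that writes Eip/Esp here changes where execution resumes,
         * so treat writes to it as control-flow decisions.
         */
        DWORD           ContextFlags;   /* +00h  selects which register groups below are valid */

        DWORD           Dr0;            /* +04h  -| */
        DWORD           Dr1;            /* +08h   | */
        DWORD           Dr2;            /* +0Ch   > debug registers */
        DWORD           Dr3;            /* +10h   | */
        DWORD           Dr6;            /* +14h   | */
        DWORD           Dr7;            /* +18h  -| */

        FLOATING_SAVE_AREA FloatSave;   /* +1Ch  floating-point save area, 112 bytes (up to +8Bh) */

        DWORD           SegGs;          /* +8Ch  -| */
        DWORD           SegFs;          /* +90h   > segment registers */
        DWORD           SegEs;          /* +94h   | */
        DWORD           SegDs;          /* +98h  -| */

        DWORD           Edi;            /* +9Ch  -| */
        DWORD           Esi;            /* +A0h   | */
        DWORD           Ebx;            /* +A4h   > general-purpose registers */
        DWORD           Edx;            /* +A8h   | */
        DWORD           Ecx;            /* +ACh   | */
        DWORD           Eax;            /* +B0h  -| */

        DWORD           Ebp;            /* +B4h  -| */
        DWORD           Eip;            /* +B8h   | */
        DWORD           SegCs;          /* +BCh   > control registers */
        DWORD           EFlags;         /* +C0h   |  (spelled "EFlag" in the original listing) */
        DWORD           Esp;            /* +C4h   | */
        DWORD           SegSs;          /* +C8h  -| */

        BYTE            ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];   /* +CCh  512 bytes */
    } CONTEXT;
        typedef     CONTEXT     *PCONTEXT;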

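        /* _PEB continued from offset 050h (the listing is interrupted above by the exception-handling section). */
        /* 054h */ ULONG           ReadOnlyStaticServerData;
        /* 058h */ ULONG           AnsiCodePageData;
        /* 05Ch */ ULONG           OemCodePageData;
        /* 060h */ ULONG           UnicodeCaseTableData;
        /* 064h */ ULONG           NumberOfProcessors;
        /* 068h */ LARGE_INTEGER   NtGlobalFlag;               /* address of a local copy (per original);
                                                                  NOTE(review): anti-debug checks commonly test the
                                                                  heap-debug bits set when a debugger creates the process */
        /* 070h */ LARGE_INTEGER   CriticalSectionTimeout;
        /* 078h */ ULONG           HeapSegmentReserve;
        /* 07Ch */ ULONG           HeapSegmentCommit;
        /* 080h */ ULONG           HeapDeCommitTotalFreeThreshold;
        /* 084h */ ULONG           HeapDeCommitFreeBlockThreshold;
        /* 088h */ ULONG           NumberOfHeaps;
        /* 08Ch */ ULONG           MaximumNumberOfHeaps;
        /* 090h */ ULONG           ProcessHeaps;
        /* 094h */ ULONG           GdiSharedHandleTable;
        /* 098h */ ULONG           ProcessStarterHelper;
        /* 09Ch */ ULONG           GdiDCAttributeList;
        /* 0A0h */ KSPIN_LOCK      LoaderLock;                 /* presumably the lock the loader holds around module-list updates */
        /* 0A4h */ ULONG           OSMajorVersion;
        /* 0A8h */ ULONG           OSMinorVersion;
        /* 0ACh */ USHORT          OSBuildNumber;
        /* 0AEh */ USHORT          OSCSDVersion;
        /* 0B0h */ ULONG           OSPlatformId;
        /* 0B4h */ ULONG           ImageSubsystem;
        /* 0B8h */ ULONG           ImageSubsystemMajorVersion;
        /* 0BCh */ ULONG           ImageSubsystemMinorVersion;
        /* 0C0h */ ULONG           ImageProcessAffinityMask;
        /* 0C4h */ ULONG           GdiHandleBuffer[0x22];      /* 0x22 * 4 = 0x88 bytes, ends at 14Ch */
        /* 14Ch */ ULONG           PostProcessInitRoutine;
        /* 150h */ ULONG           TlsExpansionBitmap;
        /* 154h */ UCHAR           TlsExpansionBitmapBits[0x80]; /* 0x80 bytes, ends at 1D4h */
        /* 1D4h */ ULONG           SessionId;
    } PEB, *PPEB;                                                 /* 1D8h total, matching the size noted at the top */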
