Debugger users often need to see which command-line arguments a debug target was started with. That information lives in the PEB and can be retrieved with !peb, which parses the PEB and prints the full command line, the locations of all loaded DLLs, the environment variables, and more.
0:000> !peb
PEB at 7ffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         008f0000
    Ldr                       77847880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00312798 . 0036bd70
    Ldr.InLoadOrderModuleList:           003126f8 . 0036bd60
    Ldr.InMemoryOrderModuleList:         00312700 . 0036bd68
            Base TimeStamp                     Module
          8f0000 4ce7979d Nov 20 17:40:45 2010 C:\Windows\System32\calc.exe
        77770000 4ec49b60 Nov 17 13:28:00 2011 C:\windows\SYSTEM32\ntdll.dll
        77490000 506dbd3e Oct 05 00:45:50 2012 C:\windows\system32\kernel32.dll
        75a30000 506dbd3f Oct 05 00:45:51 2012 C:\windows\system32\KERNELBASE.dll
        76240000 4fd2d1d9 Jun 09 12:32:25 2012 C:\windows\system32\SHELL32.dll
        75c30000 4eeaf722 Dec 16 15:45:38 2011 C:\windows\system32\msvcrt.dll
        76e90000 4ce7b9e2 Nov 20 20:06:58 2010 C:\windows\system32\SHLWAPI.dll
        75be0000 4ce7b80a Nov 20 19:59:06 2010 C:\windows\system32\GDI32.dll
        76020000 4ce7ba26 Nov 20 20:08:06 2010 C:\windows\system32\USER32.dll
        758e0000 4a5bda19 Jul 14 09:06:33 2009 C:\Windows\System32\LPK.dll
        75f60000 4ce7ba29 Nov 20 20:08:09 2010 C:\windows\system32\USP10.dll
        74090000 4f9235ab Apr 21 12:20:59 2012 C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
        77200000 4ce7b96f Nov 20 20:05:03 2010 C:\windows\system32\ole32.dll
        773e0000 4ce7b9a2 Nov 20 20:05:54 2010 C:\windows\system32\RPCRT4.dll
        75df0000 4ce7b706 Nov 20 19:54:46 2010 C:\windows\system32\ADVAPI32.dll
        76000000 4a5bdb04 Jul 14 09:10:28 2009 C:\windows\SYSTEM32\sechost.dll
        770f0000 4e58702a Aug 27 12:18:50 2011 C:\windows\system32\OLEAUT32.dll
        745c0000 4a5bdb38 Jul 14 09:11:20 2009 C:\Windows\System32\UxTheme.dll
        74220000 4ce7b71c Nov 20 19:55:08 2010 C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
        73710000 4ce7ba42 Nov 20 20:08:34 2010 C:\Windows\System32\WINMM.dll
        74ea0000 4a5bdb2b Jul 14 09:11:07 2009 C:\Windows\System32\VERSION.dll
        778b0000 4ce7b845 Nov 20 20:00:05 2010 C:\windows\system32\IMM32.DLL
        75e90000 4a5bda69 Jul 14 09:07:53 2009 C:\windows\system32\MSCTF.dll
        73d30000 4ce7ba3a Nov 20 20:08:26 2010 C:\Windows\System32\WindowsCodecs.dll
        651e0000 50910787 Oct 31 19:12:07 2012 C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT
        75de0000 4a5bdace Jul 14 09:09:34 2009 C:\windows\system32\PSAPI.DLL
        75ce0000 508b7cf0 Oct 27 14:19:28 2012 C:\windows\system32\WININET.dll
        76100000 508b7cdb Oct 27 14:19:07 2012 C:\windows\system32\urlmon.dll
        75a80000 4fc99664 Jun 02 12:28:20 2012 C:\windows\system32\CRYPT32.dll
        75940000 4ce7b8c9 Nov 20 20:02:17 2010 C:\windows\system32\MSASN1.dll
        77570000 508b7ba3 Oct 27 14:13:55 2012 C:\windows\system32\iertutil.dll
        757f0000 4ce7b73e Nov 20 19:55:42 2010 C:\Windows\System32\apphelp.dll
        73900000 3b7d84df Aug 18 04:55:59 2001 C:\windows\system32\JPWB.IME
        77180000 4ce7b82d Nov 20 19:59:41 2010 C:\windows\system32\comdlg32.dll
        73e60000 4a5bda07 Jul 14 09:06:15 2009 C:\Windows\System32\dwmapi.dll
        75840000 4a5bbf41 Jul 14 07:12:01 2009 C:\Windows\System32\CRYPTBASE.dll
        778d0000 4a5bd9b1 Jul 14 09:04:49 2009 C:\windows\system32\CLBCatQ.DLL
        10000000 4ffa45cd Jul 09 10:45:33 2012 C:\Users\guoyouhuang\AppData\Local\Youdao\Dict\Application\5.1.36.3166\WordStrokeHelper32.dll
        73610000 4e587028 Aug 27 12:18:48 2011 C:\Windows\system32\oleacc.dll
    SubSystemData:     00000000
    ProcessHeap:       00310000
    ProcessParameters: 00311b48
    WindowTitle:  'C:\Windows\System32\calc.exe'
    ImageFile:    'C:\Windows\System32\calc.exe'
    CommandLine:  'C:\Windows\System32\calc.exe'
    DllPath:      'C:\Windows\System32;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\'
    Environment:  00310810
        =::=::\
        ALLUSERSPROFILE=C:\ProgramData
        APPDATA=C:\Users\guoyouhuang\AppData\Roaming
        Basemake=D:\Program Files\Microsoft SDK\Include\BKOffice.Mak
        Bkoffice=D:\Program Files\Microsoft SDK\.
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=GUOYOUHUANG-PC0
        ComSpec=C:\windows\system32\cmd.exe
        configsetroot=C:\windows\ConfigSetRoot
        DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (June 2010)\
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Users\guoyouhuang
        INCLUDE=D:\Program Files\Microsoft SDK\Include\.;D:\Program Files\VC98\atl\include;D:\Program Files\VC98\mfc\include;D:\Program Files\VC98\include
        INETSDK=D:\Program Files\Microsoft SDK\.
        LIB=D:\Program Files\Microsoft SDK\Lib\.;D:\Program Files\VC98\mfc\lib;D:\Program Files\VC98\lib
        LOCALAPPDATA=C:\Users\guoyouhuang\AppData\Local
        LOGONSERVER=\\GM-CADILLAC
        MSDevDir=D:\Program Files\Vc6\MSDev98
        MSSdk=D:\Program Files\Microsoft SDK\.
        Mstools=D:\Program Files\Microsoft SDK\.
        NUMBER_OF_PROCESSORS=4
        OS=Windows_NT
        Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=2a07
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        PSModulePath=C:\windows\system32\WindowsPowerShell\v1.0\Modules\
        PUBLIC=C:\Users\Public
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\windows
        TEMP=C:\Users\GUOYOU~1\AppData\Local\Temp
        TMP=C:\Users\GUOYOU~1\AppData\Local\Temp
        USERDNSDOMAIN=TENCENT.COM
        USERDOMAIN=TENCENT
        USERNAME=guoyouhuang
        USERPROFILE=C:\Users\guoyouhuang
        VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
        WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
        windir=C:\windows
        windows_tracing_flags=3
        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
Now let's work through it by hand:
0:000> dt _PEB @$peb
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged : 0x1 ''
   +0x003 BitField : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsLegacyProcess : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 SpareBits : 0y000
   +0x004 Mutant : 0xffffffff
   +0x008 ImageBaseAddress : 0x008f0000
   +0x00c Ldr : 0x77847880 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00311b48 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData : (null)
   +0x018 ProcessHeap : 0x00310000
   +0x01c FastPebLock : 0x77847380 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null)
   +0x024 IFEOKey : (null)
   +0x028 CrossProcessFlags : 0
   +0x028 ProcessInJob : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH : 0y0
   +0x028 ProcessUsingVCH : 0y0
   +0x028 ProcessUsingFTH : 0y0
   +0x028 ReservedBits0 : 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x7603d568
   +0x02c UserSharedInfoPtr : 0x7603d568
   +0x030 SystemReserved : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 ApiSetMap : 0x779b0000
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap : 0x77847260
   +0x044 TlsBitmapBits : [2] 0xffffffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000
   +0x050 HotpatchInformation : (null)
   +0x054 ReadOnlyStaticServerData : 0x7f6f0590 -> (null)
   +0x058 AnsiCodePageData : 0x7ffa0000
   +0x05c OemCodePageData : 0x7ffa0000
   +0x060 UnicodeCaseTableData : 0x7ffd0024
   +0x064 NumberOfProcessors : 4
   +0x068 NtGlobalFlag : 0x70
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps : 8
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps : 0x77847500 -> 0x00310000
   +0x094 GdiSharedHandleTable : 0x00410000
   +0x098 ProcessStarterHelper : (null)
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock : 0x77847340 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion : 6
   +0x0a8 OSMinorVersion : 1
   +0x0ac OSBuildNumber : 0x1db1
   +0x0ae OSCSDVersion : 0x100
   +0x0b0 OSPlatformId : 2
   +0x0b4 ImageSubsystem : 2
   +0x0b8 ImageSubsystemMajorVersion : 6
   +0x0bc ImageSubsystemMinorVersion : 1
   +0x0c0 ActiveProcessAffinityMask : 0xf
   +0x0c4 GdiHandleBuffer : [34] 0
   +0x14c PostProcessInitRoutine : (null)
   +0x150 TlsExpansionBitmap : 0x77847268
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId : 1
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData : (null)
   +0x1ec AppCompatInfo : (null)
   +0x1f0 CSDVersion : _UNICODE_STRING "Service Pack 1"
   +0x1f8 ActivationContextData : 0x00040000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : 0x00314ee8 _ASSEMBLY_STORAGE_MAP
   +0x200 SystemDefaultActivationContextData : 0x00030000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : 0x00313fe8 _ASSEMBLY_STORAGE_MAP
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback : 0x00315a48 _FLS_CALLBACK_INFO
   +0x210 FlsListHead : _LIST_ENTRY [ 0x315828 - 0x353ee8 ]
   +0x218 FlsBitmap : 0x77847270
   +0x21c FlsBitmapBits : [4] 0x3f
   +0x22c FlsHighIndex : 5
   +0x230 WerRegistrationData : 0x00220000
   +0x234 WerShipAssertPtr : (null)
   +0x238 pContextData : 0x00050000
   +0x23c pImageHeaderHash : (null)
   +0x240 TracingFlags : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0
   +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)
Let's look at Ldr directly:
+0x00c Ldr : 0x77847880 _PEB_LDR_DATA
0:000> dt 0x77847880 _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
   +0x000 Length : 0x30
   +0x004 Initialized : 0x1 ''
   +0x008 SsHandle : (null)
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3126f8 - 0x36bd60 ]
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x312700 - 0x36bd68 ]
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x312798 - 0x36bd70 ]
   +0x024 EntryInProgress : (null)
   +0x028 ShutdownInProgress : 0 ''
   +0x02c ShutdownThreadId : (null)
Compare with what !peb printed:
    Ldr                       77847880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00312798 . 0036bd70
    Ldr.InLoadOrderModuleList:           003126f8 . 0036bd60
    Ldr.InMemoryOrderModuleList:         00312700 . 0036bd68
Identical, as expected; if they differed, something would be wrong!
Why are there three lists? They all link the same entries, just in a different order.
LIST_ENTRY InLoadOrderModuleList;            // in load order
LIST_ENTRY InMemoryOrderModuleList;          // in memory order
LIST_ENTRY InInitializationOrderModuleList;  // in initialization order
The _LIST_ENTRY structure looks like this:
0:000> dt _LIST_ENTRY
ntdll!_LIST_ENTRY
   +0x000 Flink : Ptr32 _LIST_ENTRY
   +0x004 Blink : Ptr32 _LIST_ENTRY
MSDN explains it as:
"Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure." So it is a circular doubly linked list: start at one end, keep following the links in one direction, and you come back to where you started, which is one complete traversal.
0:000> dt _LDR_DATA_TABLE_ENTRY
ole32!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase : Ptr32 Void
   +0x01c EntryPoint : Ptr32 Void
   +0x020 SizeOfImage : Uint4B
   +0x024 FullDllName : _UNICODE_STRING
   +0x02c BaseDllName : _UNICODE_STRING
   +0x034 Flags : Uint4B
   +0x038 LoadCount : Uint2B
   +0x03a TlsIndex : Uint2B
   +0x03c HashLinks : _LIST_ENTRY
   +0x03c SectionPointer : Ptr32 Void
   +0x040 CheckSum : Uint4B
   +0x044 TimeDateStamp : Uint4B
   +0x044 LoadedImports : Ptr32 Void
   +0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT
   +0x04c PatchInformation : Ptr32 Void
   +0x050 ForwarderLinks : _LIST_ENTRY
   +0x058 ServiceTagLinks : _LIST_ENTRY
   +0x060 StaticLinks : _LIST_ENTRY
   +0x068 ContextInformation : Ptr32 Void
   +0x06c OriginalBase : Uint4B
   +0x070 LoadTime : _LARGE_INTEGER
As you can see, the structure begins with a _LIST_ENTRY, so a link pointer is also a pointer to the entry itself.
Let's walk once around the list:
0:000> dt 0x77847880+0x00c _LIST_ENTRY
ole32!_LIST_ENTRY
 [ 0x3126f8 - 0x36bd60 ]
   +0x000 Flink : 0x003126f8 _LIST_ENTRY [ 0x312788 - 0x7784788c ]
   +0x004 Blink : 0x0036bd60 _LIST_ENTRY [ 0x7784788c - 0x354a80 ]
Compare with the line shown earlier:
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3126f8 - 0x36bd60 ]
WinDbg prints Flink and Blink in the trailing brackets, so let's follow Flink around the list:
0:000> dt _LDR_DATA_TABLE_ENTRY 0x003126f8
ole32!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312788 - 0x7784788c ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312790 - 0x77847894 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x018 DllBase : 0x008f0000
   +0x01c EntryPoint : 0x00902d6c
   +0x020 SizeOfImage : 0xc0000
   +0x024 FullDllName : _UNICODE_STRING "C:\Windows\System32\calc.exe"
   +0x02c BaseDllName : _UNICODE_STRING "calc.exe"
   +0x034 Flags : 0x4000
   +0x038 LoadCount : 0xffff
   +0x03a TlsIndex : 0
   +0x03c HashLinks : _LIST_ENTRY [ 0x31382c - 0x7784a6a8 ]
   +0x03c SectionPointer : 0x0031382c
   +0x040 CheckSum : 0x7784a6a8
   +0x044 TimeDateStamp : 0x4ce7979d
   +0x044 LoadedImports : 0x4ce7979d
   +0x048 EntryPointActivationContext : (null)
   +0x04c PatchInformation : (null)
   +0x050 ForwarderLinks : _LIST_ENTRY [ 0x312748 - 0x312748 ]
   +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312750 - 0x312750 ]
   +0x060 StaticLinks : _LIST_ENTRY [ 0x315768 - 0x313cf0 ]
   +0x068 ContextInformation : 0x777e0534
   +0x06c OriginalBase : 0
   +0x070 LoadTime : _LARGE_INTEGER 0x0
0:000> dt _LDR_DATA_TABLE_ENTRY 0x312788
ole32!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312ab0 - 0x3126f8 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312ab8 - 0x312700 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x312bd8 - 0x7784789c ]
   +0x018 DllBase : 0x77770000
   +0x01c EntryPoint : (null)
   +0x020 SizeOfImage : 0x13c000
   +0x024 FullDllName : _UNICODE_STRING "C:\windows\SYSTEM32\ntdll.dll"
   +0x02c BaseDllName : _UNICODE_STRING "ntdll.dll"
   +0x034 Flags : 0x4004
   +0x038 LoadCount : 0xffff
   +0x03a TlsIndex : 0
   +0x03c HashLinks : _LIST_ENTRY [ 0x32384c - 0x7784a680 ]
   +0x03c SectionPointer : 0x0032384c
   +0x040 CheckSum : 0x7784a680
   +0x044 TimeDateStamp : 0x4ec49b60
   +0x044 LoadedImports : 0x4ec49b60
   +0x048 EntryPointActivationContext : (null)
   +0x04c PatchInformation : (null)
   +0x050 ForwarderLinks : _LIST_ENTRY [ 0x3127d8 - 0x3127d8 ]
   +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x3127e0 - 0x3127e0 ]
   +0x060 StaticLinks : _LIST_ENTRY [ 0x3127e8 - 0x3127e8 ]
   +0x068 ContextInformation : (null)
   +0x06c OriginalBase : 0x77ec0000
   +0x070 LoadTime : _LARGE_INTEGER 0x0
0:000> dt _LDR_DATA_TABLE_ENTRY 0x312ab0
ole32!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312bc8 - 0x312788 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312bd0 - 0x312790 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x3134e0 - 0x312bd8 ]
   +0x018 DllBase : 0x77490000
   +0x01c EntryPoint : 0x774dcd6f
   +0x020 SizeOfImage : 0xd4000
   +0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\kernel32.dll"
   +0x02c BaseDllName : _UNICODE_STRING "kernel32.dll"
   +0x034 Flags : 0x84004
   +0x038 LoadCount : 0xffff
   +0x03a TlsIndex : 0
   +0x03c HashLinks : _LIST_ENTRY [ 0x31558c - 0x7784a640 ]
   +0x03c SectionPointer : 0x0031558c
   +0x040 CheckSum : 0x7784a640
   +0x044 TimeDateStamp : 0x506dbd3e
   +0x044 LoadedImports : 0x506dbd3e
   +0x048 EntryPointActivationContext : (null)
   +0x04c PatchInformation : (null)
   +0x050 ForwarderLinks : _LIST_ENTRY [ 0x3136b8 - 0x3136b8 ]
   +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312b08 - 0x312b08 ]
   +0x060 StaticLinks : _LIST_ENTRY [ 0x312c80 - 0x312b40 ]
   +0x068 ContextInformation : 0x777e0534
   +0x06c OriginalBase : 0x77de0000
   +0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea902171
0:000> dt _LDR_DATA_TABLE_ENTRY 0x312bc8
ole32!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3133e8 - 0x312ab0 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3133f0 - 0x312ab8 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x312ac0 - 0x312798 ]
   +0x018 DllBase : 0x75a30000
   +0x01c EntryPoint : 0x75a37e90
   +0x020 SizeOfImage : 0x4b000
   +0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\KERNELBASE.dll"
   +0x02c BaseDllName : _UNICODE_STRING "KERNELBASE.dll"
   +0x034 Flags : 0x84004
   +0x038 LoadCount : 0xffff
   +0x03a TlsIndex : 0
   +0x03c HashLinks : _LIST_ENTRY [ 0x31ba9c - 0x7784a690 ]
   +0x03c SectionPointer : 0x0031ba9c
   +0x040 CheckSum : 0x7784a690
   +0x044 TimeDateStamp : 0x506dbd3f
   +0x044 LoadedImports : 0x506dbd3f
   +0x048 EntryPointActivationContext : (null)
   +0x04c PatchInformation : (null)
   +0x050 ForwarderLinks : _LIST_ENTRY [ 0x312c18 - 0x312c18 ]
   +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312c20 - 0x312c20 ]
   +0x060 StaticLinks : _LIST_ENTRY [ 0x312c58 - 0x312c58 ]
   +0x068 ContextInformation : 0x777e0534
   +0x06c OriginalBase : 0xdce0000
   +0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea902171
0:000> dt _LDR_DATA_TABLE_ENTRY 0x3133e8
ole32!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3134d0 - 0x312bc8 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3134d8 - 0x312bd0 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x314578 - 0x3136f0 ]
   +0x018 DllBase : 0x76240000
   +0x01c EntryPoint : 0x762c1621
   +0x020 SizeOfImage : 0xc4a000
   +0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\SHELL32.dll"
   +0x02c BaseDllName : _UNICODE_STRING "SHELL32.dll"
   +0x034 Flags : 0xc4004
   +0x038 LoadCount : 0xffff
   +0x03a TlsIndex : 0
   +0x03c HashLinks : _LIST_ENTRY [ 0x316554 - 0x7784a688 ]
   +0x03c SectionPointer : 0x00316554
   +0x040 CheckSum : 0x7784a688
   +0x044 TimeDateStamp : 0x4fd2d1d9
   +0x044 LoadedImports : 0x4fd2d1d9
   +0x048 EntryPointActivationContext : (null)
   +0x04c PatchInformation : (null)
   +0x050 ForwarderLinks : _LIST_ENTRY [ 0x313438 - 0x313438 ]
   +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x313440 - 0x313440 ]
   +0x060 StaticLinks : _LIST_ENTRY [ 0x313cc8 - 0x3135d8 ]
   +0x068 ContextInformation : 0x777e0534
   +0x06c OriginalBase : 0x73800000
   +0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea9282d2
Compare with the !peb output:
          8f0000 4ce7979d Nov 20 17:40:45 2010 C:\Windows\System32\calc.exe
        77770000 4ec49b60 Nov 17 13:28:00 2011 C:\windows\SYSTEM32\ntdll.dll
        77490000 506dbd3e Oct 05 00:45:50 2012 C:\windows\system32\kernel32.dll
        75a30000 506dbd3f Oct 05 00:45:51 2012 C:\windows\system32\KERNELBASE.dll
        76240000 4fd2d1d9 Jun 09 12:32:25 2012 C:\windows\system32\SHELL32.dll
Naturally they match: DllBase, TimeDateStamp and FullDllName of each entry are exactly the Base, TimeStamp and Module columns.
The next step is getting the process's command line directly. Note the member at offset 0x10 of the PEB:
   +0x010 ProcessParameters : 0x00311b48 _RTL_USER_PROCESS_PARAMETERS
Let's dt it:
0:000> dt 0x00311b48 _RTL_USER_PROCESS_PARAMETERS
ole32!_RTL_USER_PROCESS_PARAMETERS
   +0x000 MaximumLength : 0xaf2
   +0x004 Length : 0xaf2
   +0x008 Flags : 0x2001
   +0x00c DebugFlags : 0
   +0x010 ConsoleHandle : (null)
   +0x014 ConsoleFlags : 0
   +0x018 StandardInput : (null)
   +0x01c StandardOutput : (null)
   +0x020 StandardError : (null)
   +0x024 CurrentDirectory : _CURDIR
   +0x030 DllPath : _UNICODE_STRING "C:\Windows\System32;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\"
   +0x038 ImagePathName : _UNICODE_STRING "C:\Windows\System32\calc.exe"
   +0x040 CommandLine : _UNICODE_STRING "C:\Windows\System32\calc.exe"
   +0x048 Environment : 0x00310810
   +0x04c StartingX : 0
   +0x050 StartingY : 0
   +0x054 CountX : 0
   +0x058 CountY : 0
   +0x05c CountCharsX : 0
   +0x060 CountCharsY : 0
   +0x064 FillAttribute : 0
   +0x068 WindowFlags : 0
   +0x06c ShowWindowFlags : 0
   +0x070 WindowTitle : _UNICODE_STRING "C:\Windows\System32\calc.exe"
   +0x078 DesktopInfo : _UNICODE_STRING "Winsta0\Default"
   +0x080 ShellInfo : _UNICODE_STRING ""
   +0x088 RuntimeData : _UNICODE_STRING ""
   +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
   +0x290 EnvironmentSize : 0x131e
   +0x294 EnvironmentVersion : 1
There it all is: ImagePathName, CommandLine, WindowTitle and the Environment pointer, the same values !peb printed.
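The same walk, written as an added Python example (not code from the article) that applies the offsets from the dt output above to a constructed 32-bit memory image, the way a memory-forensics tool would: it follows Flink around InLoadOrderModuleList until it returns to the list head and then reads ProcessParameters.CommandLine. The two-module image and its addresses are constructed to mirror the session; the cycle check handles a list that never closes at its head, and the offsets are those of this Windows 7 x86 session, which differ on x64.

```python
import struct

# Field offsets from the 32-bit (Windows 7 x86) dt output above; x64 layouts differ.
PEB_LDR, PEB_PROCESS_PARAMETERS = 0x0C, 0x10                  # _PEB
LDR_IN_LOAD_ORDER_LIST = 0x0C                                  # _PEB_LDR_DATA
ENTRY_DLL_BASE, ENTRY_FULL_DLL_NAME, ENTRY_TIMESTAMP = 0x18, 0x24, 0x44  # _LDR_DATA_TABLE_ENTRY
PARAMS_COMMAND_LINE = 0x40                                     # _RTL_USER_PROCESS_PARAMETERS

class Memory:  # sparse little-endian 32-bit address space built from {base: bytes} chunks
    def __init__(self, chunks):
        self.chunks = chunks
    def read(self, addr, size):
        for base, data in self.chunks.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x}")
    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]
    def ustr(self, addr):  # _UNICODE_STRING: USHORT Length, USHORT MaximumLength, PWSTR Buffer
        length, _max, buf = struct.unpack("<HHI", self.read(addr, 8))
        return self.read(buf, length).decode("utf-16-le")

def walk_in_load_order(mem, peb):  # follow Flink until it comes back to the list head
    head = mem.u32(peb + PEB_LDR) + LDR_IN_LOAD_ORDER_LIST
    cur, seen, modules = mem.u32(head), set(), []
    while cur != head:
        if cur in seen:  # a list that never returns to its head is corrupt or tampered with
            raise ValueError("InLoadOrderModuleList does not close at the head")
        seen.add(cur)
        modules.append((mem.u32(cur + ENTRY_DLL_BASE), mem.u32(cur + ENTRY_TIMESTAMP),
                        mem.ustr(cur + ENTRY_FULL_DLL_NAME)))
        cur = mem.u32(cur)  # InLoadOrderLinks is at offset 0, so Flink is the next entry itself
    return modules

def command_line(mem, peb):
    return mem.ustr(mem.u32(peb + PEB_PROCESS_PARAMETERS) + PARAMS_COMMAND_LINE)

# Constructed two-module sample image; the addresses mirror the article's session.
def make_entry(flink, blink, base, stamp, name_ptr, name):
    e = bytearray(0x74)
    struct.pack_into("<II", e, 0, flink, blink)
    struct.pack_into("<I", e, ENTRY_DLL_BASE, base)
    struct.pack_into("<I", e, ENTRY_TIMESTAMP, stamp)
    struct.pack_into("<HHI", e, ENTRY_FULL_DLL_NAME, len(name) * 2, len(name) * 2 + 2, name_ptr)
    return bytes(e)

PEB, LDR, PARAMS, E1, E2 = 0x7FFDF000, 0x77847880, 0x00311B48, 0x003126F8, 0x00312788
HEAD = LDR + LDR_IN_LOAD_ORDER_LIST
S1, S2 = "C:\\Windows\\System32\\calc.exe", "C:\\windows\\SYSTEM32\\ntdll.dll"
peb, ldr, params = bytearray(0x14), bytearray(0x30), bytearray(0x48)
struct.pack_into("<II", peb, PEB_LDR, LDR, PARAMS)
struct.pack_into("<II", ldr, LDR_IN_LOAD_ORDER_LIST, E1, E2)  # head: Flink=first, Blink=last
struct.pack_into("<HHI", params, PARAMS_COMMAND_LINE, len(S1) * 2, len(S1) * 2 + 2, 0x320000)
SAMPLE = Memory({PEB: bytes(peb), LDR: bytes(ldr), PARAMS: bytes(params),
                 E1: make_entry(E2, HEAD, 0x008F0000, 0x4CE7979D, 0x320000, S1),
                 E2: make_entry(HEAD, E1, 0x77770000, 0x4EC49B60, 0x320100, S2),
                 0x320000: S1.encode("utf-16-le"), 0x320100: S2.encode("utf-16-le")})

for base, stamp, name in walk_in_load_order(SAMPLE, PEB):
    print(f"{base:08x} {stamp:08x} {name}")  # same columns as the !peb module table
print("CommandLine:", command_line(SAMPLE, PEB))
```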