FS寄存器指向当前活动线程的TEB结构(线程结构)
偏移 说明
000 指向SEH链指针
004 线程堆栈顶部
008 线程堆栈底部
00C SubSystemTib
010 FiberData
014 ArbitraryUserPointer
018 TEB地址
020 进程PID
024 线程ID
02C 指向线程局部存储指针
030 PEB结构地址(进程结构)
034 上个错误号
注意:
1.fs:18h 地址指向线程环境块_TEB可以使用windbg证明如下(将windbg附加到QQ进程中):
0:016> dd fs:18h L1
0038:00000018
7ffda0000:016> !teb
TEB at
7ffda0002.fs:30h 地址指向进程环境块_PEB同样可以使用windbg证明如下(将windbg附加到QQ进程中):
Symbol ntdll!_TEB not found.
0:016> dd fs:30h L1
0038:00000030
7ffde0000:016> !peb
PEB at
7ffde0003.fs:00h获得SEH头指针ShellCode可以利用SEH来实现。
4.得到KTHREAD结构体的指针在内核模式下,FS指向的是KPCR结构,通过
mov reg, FS:[124h]
这样就能获得当前线程的指针。
得到kernel32.dll地址的方法:mov eax,fs:30h //得到PEB结构地址
mov eax,[eax+0ch] //得到PEB_LDR_DATA结构地址
mov esi,[eax+1ch] //
InMemoryOrderModuleListlodsd //得到KERNEL32.DLL所在LDR_MODULE结构的
InMemoryOrderModuleList地址
mov eax,[eax+08h] //得到BaseAddress,既Kernel32.dll基址
mov hRet,eax
得到的结果如下:
PEB结构如下:
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr; //指向PEB_LDR_DATA结构
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;
PEB_LDR_DATA结构如下:
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
InMemoryOrderModuleList:双向链表的头,包含进程的可加载模块。链表中的每一项包含指向LDR_DATA_TABLE_ENTRY结构的指针。
LDR_DATA_TABLE_ENTRY结构如下:
typedef struct _LDR_DATA_TABLE_ENTRY {
PVOID Reserved1[2];
LIST_ENTRY InMemoryOrderLinks;
PVOID Reserved2[2];
PVOID DllBase; //加载的DLL的基址
PVOID EntryPoint;
PVOID Reserved3;
UNICODE_STRING FullDllName;
BYTE Reserved4[8];
PVOID Reserved5[3];
union {
ULONG CheckSum;
PVOID Reserved6;
};
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
在windbg下通过直接查看某个进程的PEB也可以看到kernel32.dll的基址:
!peb 7ffdf000
PEB at 7ffdf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 01000000
Ldr 00191e90
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00191f28 . 00193990
Ldr.InLoadOrderModuleList: 00191ec0 . 00193980
Ldr.InMemoryOrderModuleList: 00191ec8 . 00193988
Base TimeStamp Module
1000000 49a5f6a7 Feb 26 09:55:51 2009 D:\Program Files\Debugging Tools for Windows\windbg.exe
7c920000 4c2b5b27 Jun 30 22:56:39 2010 C:\WINDOWS\system32\ntdll.dll
7c800000 49c4f481 Mar 21 22:06:57 2009 C:\WINDOWS\system32\kernel32.dll
77da0000 49900afa Feb 09 18:52:42 2009 C:\WINDOWS\system32\ADVAPI32.dll
77e50000 49e5f493 Apr 15 22:52:03 2009 C:\WINDOWS\system32\RPCRT4.dll
77fc0000 4a43384a Jun 25 16:41:46 2009 C:\WINDOWS\system32\Secur32.dll
77ef0000 49007030 Oct 23 20:38:08 2008 C:\WINDOWS\system32\GDI32.dll
77d10000 4802bdbd Apr 14 10:13:17 2008 C:\WINDOWS\system32\USER32.dll
77be0000 4802be3f Apr 14 10:15:27 2008 C:\WINDOWS\system32\msvcrt.dll
2000000 49a5f69f Feb 26 09:55:43 2009 D:\Program Files\Debugging Tools for Windows\dbgeng.dll
3000000 49a5f692 Feb 26 09:55:30 2009 D:\Program Files\Debugging Tools for Windows\dbghelp.dll
77bd0000 4802bdbf Apr 14 10:13:19 2008 C:\WINDOWS\system32\VERSION.dll
76990000 4802bdbc Apr 14 10:13:16 2008 C:\WINDOWS\system32\ole32.dll
7d590000 4c4e8159 Jul 27 14:48:57 2010 C:\WINDOWS\system32\SHELL32.dll
77f40000 4b1e1b15 Dec 08 17:23:33 2009 C:\WINDOWS\system32\SHLWAPI.dll
77180000 4802bd6c Apr 14 10:11:56 2008 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
71a90000 4802bdbc Apr 14 10:13:16 2008 C:\WINDOWS\system32\MPR.dll
76300000 4802bdb3 Apr 14 10:13:07 2008 C:\WINDOWS\system32\IMM32.DLL
62c20000 4802bd9f Apr 14 10:12:47 2008 C:\WINDOWS\system32\LPK.DLL
73fa0000 4802bdbf Apr 14 10:13:19 2008 C:\WINDOWS\system32\USP10.dll
5adc0000 4802bdc0 Apr 14 10:13:20 2008 C:\WINDOWS\system32\uxtheme.dll
8c0000 4c5316df Jul 31 02:15:59 2010 D:\Program Files\360\360Safe\safemon\safemon.dll
770f0000 4802bdbd Apr 14 10:13:17 2008 C:\WINDOWS\system32\OLEAUT32.dll
762f0000 4802be16 Apr 14 10:14:46 2008 C:\WINDOWS\system32\MSIMG32.dll
75ff0000 4802be3e Apr 14 10:15:26 2008 C:\WINDOWS\system32\MSVCP60.dll
3e410000 4c234cd6 Jun 24 20:17:26 2010 C:\WINDOWS\system32\WININET.dll
950000 44a3ec46 Jun 29 23:05:42 2006 C:\WINDOWS\system32\Normaliz.dll
3eab0000 4c234cdc Jun 24 20:17:32 2010 C:\WINDOWS\system32\iertutil.dll
76bc0000 4802bdab Apr 14 10:12:59 2008 C:\WINDOWS\system32\PSAPI.DLL
71a20000 4802be08 Apr 14 10:14:32 2008 C:\WINDOWS\system32\WS2_32.dll
71a10000 4802be09 Apr 14 10:14:33 2008 C:\WINDOWS\system32\WS2HELP.dll
74680000 4802bde3 Apr 14 10:13:55 2008 C:\WINDOWS\system32\MSCTF.dll
49010000 4802bdff Apr 14 10:14:23 2008 C:\WINDOWS\system32\MSFTEDIT.DLL
73640000 49a7726d Feb 27 12:56:13 2009 C:\WINDOWS\system32\msctfime.ime
1400000 49a5f692 Feb 26 09:55:30 2009 D:\Program Files\Debugging Tools for Windows\winext\ext.dll
1900000 49a5f68c Feb 26 09:55:24 2009 D:\Program Files\Debugging Tools for Windows\WINXP\exts.dll
1140000 49a5f68c Feb 26 09:55:24 2009 D:\Program Files\Debugging Tools for Windows\winext\kext.dll
10000000 49a5f670 Feb 26 09:54:56 2009 D:\Program Files\Debugging Tools for Windows\WINXP\kdexts.dll
1d00000 49a5f6a6 Feb 26 09:55:50 2009 D:\Program Files\Debugging Tools for Windows\symsrv.dll
2390000 4802454c Apr 14 01:39:24 2008 C:\WINDOWS\system32\xpsp2res.dll
SubSystemData: 00000000
ProcessHeap: 00090000
ProcessParameters: 00020000
WindowTitle: 'C:\Documents and Settings\All Users\「开始」菜单\程序\Debugging Tools for Windows (x86)\WinDbg.lnk'
ImageFile: 'D:\Program Files\Debugging Tools for Windows\windbg.exe'
CommandLine: '"D:\Program Files\Debugging Tools for Windows\windbg.exe" '
DllPath: 'D:\Program Files\Debugging Tools for Windows;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Thunder Network\KanKan\Codecs;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;d:\Program Files\MATLAB\R2008a\bin;d:\Program Files\MATLAB\R2008a\bin\win32;C:\Program Files\QuickTime\QTSystem\;d:\Program Files\StormII\Codec;d:\Program Files\StormII'
Environment: 00010000
=::=::\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=724-FC4FA9F2840
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\724-FC4FA9F2840
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\Program Files\Debugging Tools for Windows\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Thunder Network\KanKan\Codecs;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;d:\Program Files\MATLAB\R2008a\bin;d:\Program Files\MATLAB\R2008a\bin\win32;C:\Program Files\QuickTime\QTSystem\;d:\Program Files\StormII\Codec;d:\Program Files\StormII
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=170a
ProgramFiles=C:\Program Files
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=724-FC4FA9F2840
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
VS80COMNTOOLS=D:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
WINDBG_DIR=D:\Program Files\Debugging Tools for Windows
windir=C:\WINDOWS
由此也可以验证上面得到的地址是对的。