进程PEB-和线程TEB

1、线程TEB结构 在FS:0x18typedef struct _NT_TEB /TEB=Thread Environment Block000h NT_TIB Tib; FS段寄存器在内存中的镜像基质/指向TEB的指针01Ch PVOID EnvironmentPointer;进程ID020h CLIENT_ID Cid;028h PVOID ActiveRpcInfo; 02Ch PVOID ThreadLocalStoragePointer; /指向线程局部存储指针 030h PPEB Peb;/指向PEB结构 034h ULONG LastErrorValue;038h ULONG Co

2、untOfOwnedCriticalSections;03Ch PVOID CsrClientThread;040h PVOID Win32ThreadInfo;044h ULONG Win32ClientInfo0x1F;0C0h PVOID WOW32Reserved;0C4h ULONG CurrentLocale;0C8h ULONG FpSoftwareStatusRegister;0CCh PVOID SystemReserved10x36;1A4h PVOID Spare1;1A8h LONG ExceptionCode;1ACh ULONG SpareBytes10x28;1D

3、4h PVOID SystemReserved20xA;1FCh GDI_TEB_BATCH GdiTebBatch;6DCh ULONG gdiRgn;6E0h ULONG gdiPen;6E4h ULONG gdiBrush;6E8h CLIENT_ID RealClientId;6F0h PVOID GdiCachedProcessHandle;6F4h ULONG GdiClientPID;6F8h ULONG GdiClientTID;6FCh PVOID GdiThreadLocaleInfo;700h PVOID UserReserved5;714h PVOID glDispat

4、chTable0x118;B74h ULONG glReserved10x1A;BDCh PVOID glReserved2;BE0h PVOID glSectionInfo;BE4h PVOID glSection;BE8h PVOID glTable;BECh PVOID glCurrentRC;BF0h PVOID glContext;BF4h NTSTATUS LastStatusValue;BF8h UNICODE_STRING StaticUnicodeString;C00h WCHAR StaticUnicodeBuffer0x105;E0Ch PVOID Deallocatio

5、nStack;E10h PVOID TlsSlots0x40;/线程的TLS存储槽（0x40个四字节PVOID指针）F10h LIST_ENTRY TlsLinks; F18h PVOID Vdm;F1Ch PVOID ReservedForNtRpc;F20h PVOID DbgSsReserved0x2;F28h ULONG HardErrorDisabled; F2Ch PVOID Instrumentation0x10;F6Ch PVOID WinSockData;F70h ULONG GdiBatchCount;F74h ULONG Spare2;F78h ULONG Spare3;

6、F7Ch ULONG Spare4;F80h PVOID ReservedForOle;F84h ULONG WaitingOnLoaderLock;F88h PVOID StackCommit;F8Ch PVOID StackCommitMax;F90h PVOID StackReserve;?h PVOID MessageQueue;NT_TEB, *PNT_TEB;PS:文字说明：FS:0指向线程环境块TEB，同时也是FS段寄存器的基质。FS:0指向当前线程的结构化异常处理结构(SEH)；FS:0指向TEB的理解应该是: TEB结构存放于FS段从0开始的位置，整个TEB结构数据在FS段中

7、；FS:0指向当前线程的结构化异常处理结构的理解应该是: 在FS:0所指向的TEB结构中，第一个元素指向当前线程的结构化异常处理结构，而这个结构存在与DS段中；FS:18指向线程环境块TEB，同时也是FS段寄存器的基质。FS段寄存器的基质FS:0FS:0图片说明：FS:18 进程PEB结构 在FS:0x30 OR mov eax,FS:18 mov eax,eax+0x30/此时EAX是指向PEB的指针typedef struct _PEB UCHAR InheritedAddressSpace; / 00h指向一个RTL_BITMAP结构 UCHAR ReadImageFileExecOpt

8、ions; / 01h UCHAR BeingDebugged; / 02h 进程是否在被调试状态 UCHAR Spare; / 03h PVOID Mutant; / 04h PVOID ImageBaseAddress; / 08h 进程映像基地址 PPEB_LDR_DATA Ldr; / 0Ch 加载的其它模块信息 PRTL_USER_PROCESS_PARAMETERS ProcessParameters; / 10h PVOID SubSystemData; / 14h PVOID ProcessHeap; / 18h PVOID FastPebLock; / 1Ch PPEBLOC

9、KROUTINE FastPebLockRoutine; / 20h PPEBLOCKROUTINE FastPebUnlockRoutine; / 24h ULONG EnvironmentUpdateCount; / 28h PVOID* KernelCallbackTable; / 2Ch PVOID EventLogSection; / 30h PVOID EventLog; / 34h PPEB_FREE_BLOCK FreeList; / 38h ULONG TlsExpansionCounter; / 3Ch TLS索引计数 PVOID TlsBitmap; / 40h TLS位

10、图指针 ULONG TlsBitmapBits0x2; / 44h TLS进程标志位 PVOID ReadOnlySharedMemoryBase; / 4Ch PVOID ReadOnlySharedMemoryHeap; / 50h PVOID* ReadOnlyStaticServerData; / 54h PVOID AnsiCodePageData; / 58h PVOID OemCodePageData; / 5Ch PVOID UnicodeCaseTableData; / 60h ULONG NumberOfProcessors; / 64h ULONG NtGlobalFla

11、g; / 68h 全局标志 UCHAR Spare20x4; / 6Ch LARGE_INTEGER CriticalSectionTimeout; / 70h ULONG HeapSegmentReserve; / 78h ULONG HeapSegmentCommit; / 7Ch ULONG HeapDeCommitTotalFreeThreshold; / 80h ULONG HeapDeCommitFreeBlockThreshold; / 84h ULONG NumberOfHeaps; / 88h ULONG MaximumNumberOfHeaps; / 8Ch PVOID*

12、ProcessHeaps; / 90h PVOID GdiSharedHandleTable; / 94h PVOID ProcessStarterHelper; / 98h PVOID GdiDCAttributeList; / 9Ch PVOID LoaderLock; / A0h ULONG OSMajorVersion; / A4h ULONG OSMinorVersion; / A8h ULONG OSBuildNumber; / ACh ULONG OSPlatformId; / B0h ULONG ImageSubSystem; / B4h ULONG ImageSubSyste

13、mMajorVersion; / B8h ULONG ImageSubSystemMinorVersion; / C0h ULONG GdiHandleBuffer0x22; / C4h ULONG PostProcessInitRoutine;/ 14Ch ULONG TlsExpansionBitmap;/150h BYTE TlsExpansionBitmapBits0x80; /154h ULONG ?SessionId; /1D4h PEB, *PPEB;typedef struct _LDR_DATA_TABLE_ENTRY LIST_ENTRY InLoadOrderLinks;

14、 LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; WORD LoadCount; WORD TlsIndex; union LIST_ENTRY HashLinks; struct PVOID SectionPointer; ULONG CheckSum; ; ;

15、union ULONG TimeDateStamp; PVOID LoadedImports; ; _ACTIVATION_CONTEXT * EntryPointActivationContext; PVOID PatchInformation; LIST_ENTRY ForwarderLinks; LIST_ENTRY ServiceTagLinks; LIST_ENTRY StaticLinks; LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;模块链表结构图： PEB PEB_LDR_DATA LdrLengthInitializedSsHan

16、dleInLoadOrderModuleList.FlinkInLoadOrderModuleList.BlinkInMemoryOrderModuleList.FlinkInMemoryOrderModuleList.BlinkInInitializationOrderModuleList.FlinkInInitializationOrderModuleList.BlinkEntryInProgress LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRYInLoadOrderLinks.FlinkInLoadOrder

17、Links.BlinkInMemoryOrderLinks.FlinkInMemoryOrderLinks.BlinkInInitializationOrderLinks.FlinkInInitializationOrderLinks.BlinkDllBaseEntryPointSizeOfImageFullDllName.InLoadOrderLinks.FlinkInLoadOrderLinks.BlinkInMemoryOrderLinks.FlinkInMemoryOrderLinks.BlinkInInitializationOrderLinks.FlinkInInitializat

18、ionOrderLinks.BlinkDllBaseEntryPointSizeOfImageFullDllName.InLoadOrderLinks.FlinkInLoadOrderLinks.BlinkInMemoryOrderLinks.FlinkInMemoryOrderLinks.BlinkInInitializationOrderLinks.FlinkInInitializationOrderLinks.BlinkDllBaseEntryPointSizeOfImageFullDllName.代码：实现遍历当前进程中的所有模块路径及地址.h文件中： typedef struct _

19、UNICODE_STRING USHORT Length;USHORT MaximumLength;PWSTR Buffer; UNICODE_STRING, *PUNICODE_STRING;typedef struct _PEB_LDR_DATADWORD Length;DWORD Initialized; PVOID SsHandle;LIST_ENTRY InLoadOrderModuleList;LIST_ENTRY InMemoryOrderModuleList;LIST_ENTRY InInitializationOrderModuleList;PVOID EntryInProg

20、ress;PEB_LDR_DATA, *PPEB_LDR_DATA;typedef struct _LDR_DATA_TABLE_ENTRYLIST_ENTRY InLoadOrderLinks;LIST_ENTRY InMemoryOrderLinks;LIST_ENTRY InInitializationOrderLinks;PVOID DllBase;PVOID EntryPoint;DWORD SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;DWORD Flags;WORD LoadCount;WORD

21、 TlsIndex;LIST_ENTRY HashLinks;PVOID SectionPointer;DWORD CheckSum;DWORD TimeDateStamp;PVOID LoadedImports;PVOID EntryPointActivationContext;PVOID PatchInformation;LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef struct _PEBUCHAR InheritedAddressSpace;UCHAR ReadImageFileExecOptions;UCHAR BeingDebugged;UCHAR SpareBool;PVOID Mutant;PVOID ImageBaseAddress;PPEB_LDR_DATA Ldr;PEB, *PPEB;.cpp文件/获取LDTE的基质PLDR_DATA_TABLE_ENTRY GetLDTEPoint(PVOID Flink)PLDR_DATA_TABLE_ENTRY pReturn = (PLDR_DATA_TABLE_ENTRY)(DWORD)Flink - 8);return pReturn;int _tmain(int argc, _TCHAR* argv) /获取PEB;PPEB MyPeb = NULL;