本文共 12787 字,大约阅读时间需要 42 分钟。
JIURL玩玩Win2k进程线程篇 PEB |
作者: |
主页: |
日期: 2003-7-30 |
|
PEB,Process Environment Block ,进程环境块。位于用户地址空间。在地址 0x7FFDF000 处。所以用户进程可以直接访问自己的 PEB 结构。Win2k Build 2195 中进程的 EPROCESS 结构偏移+1b0 处的 *Peb 也指向 PEB 结构。在 undocumented.ntinternals.net (需要注意的是这是个非官方的站点)我们可以找到 PEB 及其相关结构的定义。我们首先列出结构的定义,然后对一些内容进行说明。 typedef struct _PEB { BOOLEAN InheritedAddressSpace;BOOLEAN ReadImageFileExecOptions;BOOLEAN BeingDebugged;BOOLEAN Spare;HANDLE Mutant;PVOID ImageBaseAddress;PPEB_LDR_DATA LoaderData;PRTL_USER_PROCESS_PARAMETERS ProcessParameters;PVOID SubSystemData;PVOID ProcessHeap;PVOID FastPebLock;PPEBLOCKROUTINE FastPebLockRoutine;PPEBLOCKROUTINE FastPebUnlockRoutine;ULONG EnvironmentUpdateCount;PPVOID KernelCallbackTable;PVOID EventLogSection;PVOID EventLog;PPEB_FREE_BLOCK FreeList;ULONG TlsExpansionCounter;PVOID TlsBitmap;ULONG TlsBitmapBits[0x2];PVOID ReadOnlySharedMemoryBase;PVOID ReadOnlySharedMemoryHeap;PPVOID ReadOnlyStaticServerData;PVOID AnsiCodePageData;PVOID OemCodePageData;PVOID UnicodeCaseTableData;ULONG NumberOfProcessors;ULONG NtGlobalFlag;BYTE Spare2[0x4];LARGE_INTEGER CriticalSectionTimeout;ULONG HeapSegmentReserve;ULONG HeapSegmentCommit;ULONG HeapDeCommitTotalFreeThreshold;ULONG HeapDeCommitFreeBlockThreshold;ULONG NumberOfHeaps;ULONG MaximumNumberOfHeaps;PPVOID *ProcessHeaps;PVOID GdiSharedHandleTable;PVOID ProcessStarterHelper;PVOID GdiDCAttributeList;PVOID LoaderLock;ULONG OSMajorVersion;ULONG OSMinorVersion;ULONG OSBuildNumber;ULONG OSPlatformId;ULONG ImageSubSystem;ULONG ImageSubSystemMajorVersion;ULONG ImageSubSystemMinorVersion;ULONG GdiHandleBuffer[0x22];ULONG PostProcessInitRoutine;ULONG TlsExpansionBitmap;BYTE TlsExpansionBitmapBits[0x80];ULONG SessionId;} PEB, *PPEB;typedef void (*PPEBLOCKROUTINE)(PVOID PebLock); typedef struct _PEB_LDR_DATA { ULONG Length;BOOLEAN Initialized;PVOID SsHandle;LIST_ENTRY InLoadOrderModuleList;LIST_ENTRY InMemoryOrderModuleList;LIST_ENTRY InInitializationOrderModuleList;} PEB_LDR_DATA, *PPEB_LDR_DATA;typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList;LIST_ENTRY InMemoryOrderModuleList;LIST_ENTRY InInitializationOrderModuleList;PVOID BaseAddress;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;SHORT LoadCount;SHORT TlsIndex;LIST_ENTRY HashTableEntry;ULONG TimeDateStamp;} LDR_MODULE, *PLDR_MODULE;typedef struct _UNICODE_STRING { USHORT Length;USHORT MaximumLength;PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING;typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength;ULONG Length;ULONG Flags;ULONG DebugFlags;PVOID ConsoleHandle;ULONG ConsoleFlags;HANDLE StdInputHandle;HANDLE StdOutputHandle;HANDLE StdErrorHandle;UNICODE_STRING CurrentDirectoryPath;HANDLE CurrentDirectoryHandle;UNICODE_STRING DllPath;UNICODE_STRING ImagePathName;UNICODE_STRING CommandLine;PVOID Environment;ULONG StartingPositionLeft;ULONG StartingPositionTop;ULONG Width;ULONG Height;ULONG CharWidth;ULONG CharHeight;ULONG ConsoleTextAttributes;ULONG WindowFlags;ULONG ShowWindowFlags;UNICODE_STRING WindowTitle;UNICODE_STRING DesktopName;UNICODE_STRING ShellInfo;UNICODE_STRING RuntimeData;RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags;USHORT Length;ULONG TimeStamp;UNICODE_STRING DosPath;} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;typedef struct _PEB_FREE_BLOCK { _PEB_FREE_BLOCK *Next;ULONG Size;} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;我写了一个叫 JiurlPebSee 的程序来分析指定进程的 PEB。下面我结合 JiurlPebSee 的输出来对 PEB 及其相关结构的一些内容进行说明。ProcessId(Decimal): 516Explorer.exe:PEB at 0x7ffdf000LoaderData: 0x00071e90ProcessParameters: 0x00020000ProcessHeap: 0x00070000NumberOfHeaps: 11MaximumNumberOfHeaps: 16*ProcessHeaps: 0x77fce3807ffdf000: 00000000 ffffffff 00400000 00071e907ffdf010: 00020000 00000000 00070000 77fcd1707ffdf020: 77f8aa4c 77f8aa7d 00000001 77e143807ffdf030: 00000000 00000000 00000000 000000007ffdf040: 77fcd1a8 03cfffff 00000000 7f6f00007ffdf050: 7f6f0000 7f6f0688 7ffa0000 7ffa00007ffdf060: 7ffd1000 00000001 00000000 000000007ffdf070: 079b8000 ffffe86d 00100000 000020007ffdf080: 00010000 00001000 0000000b 000000107ffdf090: 77fce380 00350000 00000000 000000147ffdf0a0: 77fcd348 00000005 00000000 000008937ffdf0b0: 00000002 00000002 00000004 000000007ffdf0c0: 00000000 00000000 00000002 000000007ffdf0d0: 00000004 00000000 b51003ba 391001e47ffdf0e0: 00000000 00000000 00000000 000000007ffdf0f0: 00000000 00000000 00000000 000000007ffdf100: 00000000 00000000 00000000 000000007ffdf110: 00000000 00000000 00000000 000000007ffdf120: 8204019c 7004019b cf04019e a104019d7ffdf130: 00000000 00000000 00000000 000000007ffdf140: 00000000 00000000 00000000 000000007ffdf150: 77fcdcc0 00000000 00000000 000000007ffdf160: 00000000 00000000 00000000 000000007ffdf170: 00000000 00000000 00000000 000000007ffdf180: 00000000 00000000 00000000 000000007ffdf190: 00000000 00000000 00000000 000000007ffdf1a0: 00000000 00000000 00000000 000000007ffdf1b0: 00000000 00000000 00000000 000000007ffdf1c0: 00000000 00000000 00000000 000000007ffdf1d0: 00000000 00000000 00000000 000200007ffdf1e0: 7f6f06c2 00000000 00000000 000000007ffdf1f0: 00000000 00000000 00000000 000000007ffdf200: 00000000 00000000 00000000 00000000...我们以进程 Explorer.exe 进行分析。LoaderData 是指向 PEB_LDR_DATA 的指针,通过 PEB_LDR_DATA ,我们可以找到进程载入的所有模组。ProcessParameters 是指向 RTL_USER_PROCESS_PARAMETERS 的指针,RTL_USER_PROCESS_PARAMETERS 中是一些进程的参数。进程通常有多个用户堆。ProcessHeap 是进程堆(默认的那个)的首地址。NumberOfHeaps 是当前进程的堆的个数。MaximumNumberOfHeaps 是进程的堆的最大个数。*ProcessHeaps 是一个堆指针数组的首地址,每个数组元素长4个字节,是一个堆的指针。LoaderData at 0x00071e90Length: 36 BytesInitialized: 1SsHandle: 0x00000000InLoadOrderModuleListFlink: 0x00071ec0 Blink: 0x000a0508InMemoryOrderModuleListFlink: 0x00071ec8 Blink: 0x000a0510InInitializationOrderModuleListFlink: 0x00071f48 Blink: 0x000a0518Module at 0x00071ec0FullDllName: D:/WINNT/Explorer.exeBaseDllName: Explorer.exeBaseAddress: 0x00400000SizeOfImage: 0x0003c000Module at 0x00071f38FullDllName: D:/WINNT/System32/ntdll.dllBaseDllName: ntdll.dllBaseAddress: 0x77f80000SizeOfImage: 0x00079000Module at 0x00072470FullDllName: D:/WINNT/system32/ADVAPI32.DLLBaseDllName: ADVAPI32.DLLBaseAddress: 0x77d90000SizeOfImage: 0x0005a000...从PEB可以找到 PEB_LDR_DATA ,PEB_LDR_DATA 中有三个双向循环链表的表头,分别是 InLoadOrderModuleList,InMemoryOrderModuleList,InInitializationOrderModuleList。每个链表项都是一个 LDR_MODULE 结构。ProcessParameters at 0x00020000MaximumLength: 0x00001000Length: 0x00000838...Environment at 0x0001000000010000: 004c0041 0055004c 00450053 00530052 A.L.L.U.S.E.R.S.00010010: 00520050 0046004f 004c0049 003d0045 P.R.O.F.I.L.E.=.00010020: 003a0049 0044005c 0063006f 006d0075 I.:./.D.o.c.u.m.00010030: 006e0065 00730074 00610020 0064006e e.n.t.s. .a.n.d.00010040: 00530020 00740065 00690074 0067006e .S.e.t.t.i.n.g....00010340: 00640075 00000065 0069006c 003d0062 u.d.e...l.i.b.=.00010350: 003a0047 004d005c 00630069 006f0072 G.:./.M.i.c.r.o.00010360: 006f0073 00740066 00560020 00730069 s.o.f.t. .V.i.s.00010370: 00610075 0020006c 00740053 00640075 u.a.l. .S.t.u.d....00010a70: 005c0031 00650054 0070006d 00540000 1./.T.e.m.p...T....00010b80: 003a0044 0057005c 004e0049 0054004e D.:./.W.I.N.N.T.00010b90: 00000000 00000000 00000000 00000000 ...................00010ff0: 00000000 00000000 00000000 00000000 ................RTL_USER_PROCESS_PARAMETERS 中的 PVOID Environment; 指明了环境变量的地址。从结构定义中就可以看出 是象 StdInputHandle,ImagePathName 这样的参数。ProcessHeaps at 0x77fce380ProcessHeaps[0]: 0x00070000ProcessHeaps[1]: 0x00170000ProcessHeaps[2]: 0x008c0000ProcessHeaps[3]: 0x00cd0000ProcessHeaps[4]: 0x00ed0000ProcessHeaps[5]: 0x00f10000ProcessHeaps[6]: 0x01290000ProcessHeaps[7]: 0x013e0000ProcessHeaps[8]: 0x01ce0000ProcessHeaps[9]: 0x01f50000ProcessHeaps[10]: 0x03bf000077fce380: 00070000 00170000 008c0000 00cd000077fce390: 00ed0000 00f10000 01290000 013e000077fce3a0: 01ce0000 01f50000 03bf0000 0000000077fce3b0: 00000000 00000000 00000000 00000000从 ProcessHeaps 数组,我们可以找到进程的每一个堆。为了方便观察某个进程地址空间中内容,我写了一个叫 JiurlProcessMemSee 的程序,可以获得指定进程地址空间中的内容。 使用 KD(内核调试器) 我们也可以找到 PEB 及其相关结构的定义。kd> !strct PEB!strct PEBstruct _PEB (sizeof=488)+000 byte InheritedAddressSpace+001 byte ReadImageFileExecOptions+002 byte BeingDebugged+003 byte SpareBool+004 void *Mutant+008 void *ImageBaseAddress+00c struct _PEB_LDR_DATA *Ldr+010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters+014 void *SubSystemData+018 void *ProcessHeap+01c void *FastPebLock+020 void *FastPebLockRoutine+024 void *FastPebUnlockRoutine+028 uint32 EnvironmentUpdateCount+02c void *KernelCallbackTable+030 uint32 SystemReserved[2]+038 struct _PEB_FREE_BLOCK *FreeList+03c uint32 TlsExpansionCounter+040 void *TlsBitmap+044 uint32 TlsBitmapBits[2]+04c void *ReadOnlySharedMemoryBase+050 void *ReadOnlySharedMemoryHeap+054 void **ReadOnlyStaticServerData+058 void *AnsiCodePageData+05c void *OemCodePageData+060 void *UnicodeCaseTableData+064 uint32 NumberOfProcessors+068 uint32 NtGlobalFlag+070 union _LARGE_INTEGER CriticalSectionTimeout+070 uint32 LowPart+074 int32 HighPart+070 struct __unnamed3 u+070 uint32 LowPart+074 int32 HighPart+070 int64 QuadPart+078 uint32 HeapSegmentReserve+07c uint32 HeapSegmentCommit+080 uint32 HeapDeCommitTotalFreeThreshold+084 uint32 HeapDeCommitFreeBlockThreshold+088 uint32 NumberOfHeaps+08c uint32 MaximumNumberOfHeaps+090 void **ProcessHeaps+094 void *GdiSharedHandleTable+098 void *ProcessStarterHelper+09c uint32 GdiDCAttributeList+0a0 void *LoaderLock+0a4 uint32 OSMajorVersion+0a8 uint32 OSMinorVersion+0ac uint16 OSBuildNumber+0ae uint16 OSCSDVersion+0b0 uint32 OSPlatformId+0b4 uint32 ImageSubsystem+0b8 uint32 ImageSubsystemMajorVersion+0bc uint32 ImageSubsystemMinorVersion+0c0 uint32 ImageProcessAffinityMask+0c4 uint32 GdiHandleBuffer[34]+14c function *PostProcessInitRoutine+150 void *TlsExpansionBitmap+154 uint32 TlsExpansionBitmapBits[32]+1d4 uint32 SessionId+1d8 void *AppCompatInfo+1dc struct _UNICODE_STRING CSDVersion+1dc uint16 Length+1de uint16 MaximumLength+1e0 uint16 *Bufferkd> !strct PEB_LDR_DATA!strct PEB_LDR_DATAstruct _PEB_LDR_DATA (sizeof=36)+00 uint32 Length+04 byte Initialized+08 void *SsHandle+0c struct _LIST_ENTRY InLoadOrderModuleList+0c struct _LIST_ENTRY *Flink+10 struct _LIST_ENTRY *Blink+14 struct _LIST_ENTRY InMemoryOrderModuleList+14 struct _LIST_ENTRY *Flink+18 struct _LIST_ENTRY *Blink+1c struct _LIST_ENTRY InInitializationOrderModuleList+1c struct _LIST_ENTRY *Flink+20 struct _LIST_ENTRY *Blinkkd> !strct RTL_USER_PROCESS_PARAMETERS!strct RTL_USER_PROCESS_PARAMETERSstruct _RTL_USER_PROCESS_PARAMETERS (sizeof=656)+000 uint32 MaximumLength+004 uint32 Length+008 uint32 Flags+00c uint32 DebugFlags+010 void *ConsoleHandle+014 uint32 ConsoleFlags+018 void *StandardInput+01c void *StandardOutput+020 void *StandardError+024 struct _CURDIR CurrentDirectory+024 struct _UNICODE_STRING DosPath+024 uint16 Length+026 uint16 MaximumLength+028 uint16 *Buffer+02c void *Handle+030 struct _UNICODE_STRING DllPath+030 uint16 Length+032 uint16 MaximumLength+034 uint16 *Buffer+038 struct _UNICODE_STRING ImagePathName+038 uint16 Length+03a uint16 MaximumLength+03c uint16 *Buffer+040 struct _UNICODE_STRING CommandLine+040 uint16 Length+042 uint16 MaximumLength+044 uint16 *Buffer+048 void *Environment+04c uint32 StartingX+050 uint32 StartingY+054 uint32 CountX+058 uint32 CountY+05c uint32 CountCharsX+060 uint32 CountCharsY+064 uint32 FillAttribute+068 uint32 WindowFlags+06c uint32 ShowWindowFlags+070 struct _UNICODE_STRING WindowTitle+070 uint16 Length+072 uint16 MaximumLength+074 uint16 *Buffer+078 struct _UNICODE_STRING DesktopInfo+078 uint16 Length+07a uint16 MaximumLength+07c uint16 *Buffer+080 struct _UNICODE_STRING ShellInfo+080 uint16 Length+082 uint16 MaximumLength+084 uint16 *Buffer+088 struct _UNICODE_STRING RuntimeData+088 uint16 Length+08a uint16 MaximumLength+08c uint16 *Buffer+090 struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]uint16 Flagsuint16 Lengthuint32 TimeStampstruct _STRING DosPathuint16 Lengthuint16 MaximumLengthchar *Bufferkd> !strct RTL_DRIVE_LETTER_CURDIR!strct RTL_DRIVE_LETTER_CURDIRstruct _RTL_DRIVE_LETTER_CURDIR (sizeof=16)+00 uint16 Flags+02 uint16 Length+04 uint32 TimeStamp+08 struct _STRING DosPath+08 uint16 Length+0a uint16 MaximumLength+0c char *Bufferkd> !strct PEB_FREE_BLOCK!strct PEB_FREE_BLOCKstruct _PEB_FREE_BLOCK (sizeof=8)+0 struct _PEB_FREE_BLOCK *Next+4 uint32 Size欢迎交流,欢迎交朋友, 欢迎访问 下载 JiurlPebSee 可执行文件及源程序下载 JiurlProcessMemSee 可执行文件及源程序 |
转载地址:http://bgnob.baihongyu.com/