TEB PEB
PEB
/*
 * Process Environment Block (PEB): per-process user-mode structure.
 *
 * The trailing offsets are the page's annotations. They are consistent with
 * a 32-bit x86 layout (4-byte pointers). The PEB is not a stable, documented
 * ABI: members and offsets differ between Windows releases and between x86
 * and x64. Analysis, forensic or detection tooling should therefore resolve
 * offsets from symbols for the target build rather than hard-code the values
 * below.
 *
 * NOTE(review): the last annotated offsets do not agree with the members as
 * declared here (see ImageSubSystemMinorVersion and GdiHandleBuffer). This
 * suggests a 4-byte member is missing from the listing just before
 * GdiHandleBuffer -- confirm against symbols before relying on any offset
 * past B8h.
 */
typedef struct _PEB
{
    UCHAR InheritedAddressSpace;                      // 00h
    UCHAR ReadImageFileExecOptions;                   // 01h
    UCHAR BeingDebugged;                              // 02h  debugger-attached flag (the value IsDebuggerPresent() reports)
    UCHAR Spare;                                      // 03h
    PVOID Mutant;                                     // 04h
    PVOID ImageBaseAddress;                           // 08h
    PPEB_LDR_DATA Ldr;                                // 0Ch
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;   // 10h
    PVOID SubSystemData;                              // 14h
    PVOID ProcessHeap;                                // 18h
    PVOID FastPebLock;                                // 1Ch
    PPEBLOCKROUTINE FastPebLockRoutine;               // 20h
    PPEBLOCKROUTINE FastPebUnlockRoutine;             // 24h
    ULONG EnvironmentUpdateCount;                     // 28h
    PVOID* KernelCallbackTable;                       // 2Ch
    PVOID EventLogSection;                            // 30h
    PVOID EventLog;                                   // 34h
    PPEB_FREE_BLOCK FreeList;                         // 38h
    ULONG TlsExpansionCounter;                        // 3Ch
    PVOID TlsBitmap;                                  // 40h
    ULONG TlsBitmapBits[0x2];                         // 44h
    PVOID ReadOnlySharedMemoryBase;                   // 4Ch
    PVOID ReadOnlySharedMemoryHeap;                   // 50h
    PVOID* ReadOnlyStaticServerData;                  // 54h
    PVOID AnsiCodePageData;                           // 58h
    PVOID OemCodePageData;                            // 5Ch
    PVOID UnicodeCaseTableData;                       // 60h
    ULONG NumberOfProcessors;                         // 64h
    ULONG NtGlobalFlag;                               // 68h
    UCHAR Spare2[0x4];                                // 6Ch
    LARGE_INTEGER CriticalSectionTimeout;             // 70h
    ULONG HeapSegmentReserve;                         // 78h
    ULONG HeapSegmentCommit;                          // 7Ch
    ULONG HeapDeCommitTotalFreeThreshold;             // 80h
    ULONG HeapDeCommitFreeBlockThreshold;             // 84h
    ULONG NumberOfHeaps;                              // 88h
    ULONG MaximumNumberOfHeaps;                       // 8Ch
    PVOID** ProcessHeaps;                             // 90h
    PVOID GdiSharedHandleTable;                       // 94h
    PVOID ProcessStarterHelper;                       // 98h
    PVOID GdiDCAttributeList;                         // 9Ch
    PVOID LoaderLock;                                 // A0h
    ULONG OSMajorVersion;                             // A4h
    ULONG OSMinorVersion;                             // A8h
    ULONG OSBuildNumber;                              // ACh
    ULONG OSPlatformId;                               // B0h
    ULONG ImageSubSystem;                             // B4h
    ULONG ImageSubSystemMajorVersion;                 // B8h
    ULONG ImageSubSystemMinorVersion;                 // BCh as declared (B8h + 4); the page printed C0h
    ULONG GdiHandleBuffer[0x22];                      // C0h as declared; the page printed C4h -- TODO confirm
    PVOID ProcessWindowStation;                       // ??? (offset not given on the page)
} PEB, *PPEB;
TEB
//
// Thread Environment Block (TEB)
//
// Per-thread user-mode structure. The trailing offsets are the page's
// annotations; they are consistent with a 32-bit x86 layout (4-byte
// pointers, NT_TIB occupying 00h-1Bh). The TEB is not a stable, documented
// ABI: offsets differ between Windows releases and between x86 and x64, so
// analysis or detection tooling should resolve them from symbols for the
// target build rather than hard-code the values below.
//
// Member names are reproduced exactly as printed on the page, including
// ImpersionationLocale and HeapVirualAffinity.
//
typedef struct _TEB
{
    NT_TIB Tib;                                 /* 00h */ /* first member, so it sits at TEB offset 0 */
    PVOID EnvironmentPointer;                   /* 1Ch */
    CLIENT_ID Cid;                              /* 20h */
    PVOID ActiveRpcHandle;                      /* 28h */
    PVOID ThreadLocalStoragePointer;            /* 2Ch */
    struct _PEB *ProcessEnvironmentBlock;       /* 30h */ /* pointer to the owning process's PEB */
    ULONG LastErrorValue;                       /* 34h */
    ULONG CountOfOwnedCriticalSections;         /* 38h */
    PVOID CsrClientThread;                      /* 3Ch */
    struct _W32THREAD* Win32ThreadInfo;         /* 40h */
    ULONG User32Reserved[0x1A];                 /* 44h */
    ULONG UserReserved[5];                      /* ACh */
    PVOID WOW32Reserved;                        /* C0h */
    LCID CurrentLocale;                         /* C4h */
    ULONG FpSoftwareStatusRegister;             /* C8h */
    PVOID SystemReserved1[0x36];                /* CCh */
    LONG ExceptionCode;                         /* 1A4h */
    struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */
    UCHAR SpareBytes1[0x28];                    /* 1ACh */
    GDI_TEB_BATCH GdiTebBatch;                  /* 1D4h */
    CLIENT_ID RealClientId;                     /* 6B4h */
    PVOID GdiCachedProcessHandle;               /* 6BCh */
    ULONG GdiClientPID;                         /* 6C0h */
    ULONG GdiClientTID;                         /* 6C4h */
    PVOID GdiThreadLocalInfo;                   /* 6C8h */
    ULONG Win32ClientInfo[62];                  /* 6CCh */
    PVOID glDispatchTable[0xE9];                /* 7C4h */
    ULONG glReserved1[0x1D];                    /* B68h */
    PVOID glReserved2;                          /* BDCh */
    PVOID glSectionInfo;                        /* BE0h */
    PVOID glSection;                            /* BE4h */
    PVOID glTable;                              /* BE8h */
    PVOID glCurrentRC;                          /* BECh */
    PVOID glContext;                            /* BF0h */
    NTSTATUS LastStatusValue;                   /* BF4h */
    UNICODE_STRING StaticUnicodeString;         /* BF8h */
    WCHAR StaticUnicodeBuffer[0x105];           /* C00h */
    PVOID DeallocationStack;                    /* E0Ch */
    PVOID TlsSlots[0x40];                       /* E10h */
    LIST_ENTRY TlsLinks;                        /* F10h */
    PVOID Vdm;                                  /* F18h */
    PVOID ReservedForNtRpc;                     /* F1Ch */
    PVOID DbgSsReserved[0x2];                   /* F20h */
    ULONG HardErrorDisabled;                    /* F28h */
    PVOID Instrumentation[14];                  /* F2Ch */
    PVOID SubProcessTag;                        /* F64h */
    PVOID EtwTraceData;                         /* F68h */
    PVOID WinSockData;                          /* F6Ch */
    ULONG GdiBatchCount;                        /* F70h */
    BOOLEAN InDbgPrint;                         /* F74h */
    BOOLEAN FreeStackOnTermination;             /* F75h */
    BOOLEAN HasFiberData;                       /* F76h */
    UCHAR IdealProcessor;                       /* F77h */
    ULONG GuaranteedStackBytes;                 /* F78h */
    PVOID ReservedForPerf;                      /* F7Ch */
    PVOID ReservedForOle;                       /* F80h */
    ULONG WaitingOnLoaderLock;                  /* F84h */
    ULONG SparePointer1;                        /* F88h */
    ULONG SoftPatchPtr1;                        /* F8Ch */
    ULONG SoftPatchPtr2;                        /* F90h */
    PVOID *TlsExpansionSlots;                   /* F94h */
    ULONG ImpersionationLocale;                 /* F98h */
    ULONG IsImpersonating;                      /* F9Ch */
    PVOID NlsCache;                             /* FA0h */
    PVOID pShimData;                            /* FA4h */
    ULONG HeapVirualAffinity;                   /* FA8h */
    PVOID CurrentTransactionHandle;             /* FACh */
    PTEB_ACTIVE_FRAME ActiveFrame;              /* FB0h */
    PVOID FlsData;                              /* FB4h */
    UCHAR SafeThunkCall;                        /* FB8h */
    UCHAR BooleanSpare[3];                      /* FB9h */
} TEB, *PTEB;
FS:0指向线程环境块TEB;
FS:[0]指向当前线程的结构化异常处理结构(SEH);
FS:0指向TEB的理解应该是:
TEB结构存放于FS段从0开始的位置,整个TEB结构数据在FS段中(这里指32位x86用户态;x64下TEB改由GS段寻址);
FS:[0]指向当前线程的结构化异常处理结构的理解应该是:
在FS:0所指向的TEB结构中,第一个元素(即结构起始处的 NT_TIB Tib 的首个字段)指向当前线程的结构化异常处理结构,而这个结构存在于DS段中;