PEB和TEB资料整合
一、概念
TEB(Thread Environment Block,线程环境块)系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间,在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。一个进程的所有TEB都以堆栈的方式,存放在从0x7FFDE000开始的线性内存中,每 4KB为一个完整的TEB,不过该内存区域是向下扩展的。在用户模式下,当前线程的TEB位于独立的4KB段,可通过CPU的FS寄存器来访问该段,一般存储在[FS:0]。在用户态下WinDbg中可用命令$thread取得TEB地址。
PEB(Process Environment Block,进程环境块)存放进程信息,每个进程都有自己的PEB信息。位于用户地址空间。在Win 2000下,进程环境块的地址对于每个进程来说是固定的,在0x7FFDF000处,这是用户地址空间,所以程序能够直接访问。准确的PEB地址应从系统 的EPROCESS结构的0x1b0偏移处获得,但由于EPROCESS在系统地址空间,访问这个结构需要有ring0的权限。还可以通过TEB结构的偏 移0x30处获得PEB的位置,FS段寄存器指向当前的TEB结构:
mov eax,fs:[0x30] mov PEB,eax
在用户态下WinDbg中可用命令$proc取得PEB地址。
二、TEB偏移
FS:[000] 指向SEH链指针
FS:[004] 线程堆栈顶部
FS:[008] 线程堆栈底部
FS:[00C] SubSystemTib
FS:[010] FiberData
FS:[014] ArbitraryUserPointer
FS:[018] 指向TEB自身
FS:[020] 进程PID
FS:[024] 线程ID
FS:[02C] 指向线程局部存储指针
FS:[030] PEB结构地址(进程结构)
FS:[034] 上个错误号
三、参考
1.PEB结构----枚举用户模块列表:http://bbs.pediy.com/showthread.php?t=52398
2.FS TIB TEB PEB :http://bbs.pediy.com/showthread.php?p=704601
3.http://bbs.pediy.com/showthread.php?t=175833
四、结构
// Thread Environment Block (TEB) typedef struct _TEB { NT_TIB Tib; /* 00h */ PVOID EnvironmentPointer; /* 1Ch */ CLIENT_ID Cid; /* 20h */ PVOID ActiveRpcHandle; /* 28h */ PVOID ThreadLocalStoragePointer; /* 2Ch */ struct _PEB *ProcessEnvironmentBlock; /* 30h */ ULONG LastErrorValue; /* 34h */ ULONG CountOfOwnedCriticalSections; /* 38h */ PVOID CsrClientThread; /* 3Ch */ struct _W32THREAD* Win32ThreadInfo; /* 40h */ ULONG User32Reserved[0x1A]; /* 44h */ ULONG UserReserved[5]; /* ACh */ PVOID WOW32Reserved; /* C0h */ LCID CurrentLocale; /* C4h */ ULONG FpSoftwareStatusRegister; /* C8h */ PVOID SystemReserved1[0x36]; /* CCh */ LONG ExceptionCode; /* 1A4h */ struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */ UCHAR SpareBytes1[0x28]; /* 1ACh */ GDI_TEB_BATCH GdiTebBatch; /* 1D4h */ CLIENT_ID RealClientId; /* 6B4h */ PVOID GdiCachedProcessHandle; /* 6BCh */ ULONG GdiClientPID; /* 6C0h */ ULONG GdiClientTID; /* 6C4h */ PVOID GdiThreadLocalInfo; /* 6C8h */ ULONG Win32ClientInfo[62]; /* 6CCh */ PVOID glDispatchTable[0xE9]; /* 7C4h */ ULONG glReserved1[0x1D]; /* B68h */ PVOID glReserved2; /* BDCh */ PVOID glSectionInfo; /* BE0h */ PVOID glSection; /* BE4h */ PVOID glTable; /* BE8h */ PVOID glCurrentRC; /* BECh */ PVOID glContext; /* BF0h */ NTSTATUS LastStatusValue; /* BF4h */ UNICODE_STRING StaticUnicodeString; /* BF8h */ WCHAR StaticUnicodeBuffer[0x105]; /* C00h */ PVOID DeallocationStack; /* E0Ch */ PVOID TlsSlots[0x40]; /* E10h */ LIST_ENTRY TlsLinks; /* F10h */ PVOID Vdm; /* F18h */ PVOID ReservedForNtRpc; /* F1Ch */ PVOID DbgSsReserved[0x2]; /* F20h */ ULONG HardErrorDisabled; /* F28h */ PVOID Instrumentation[14]; /* F2Ch */ PVOID SubProcessTag; /* F64h */ PVOID EtwTraceData; /* F68h */ PVOID WinSockData; /* F6Ch */ ULONG GdiBatchCount; /* F70h */ BOOLEAN InDbgPrint; /* F74h */ BOOLEAN FreeStackOnTermination; /* F75h */ BOOLEAN HasFiberData; /* F76h */ UCHAR IdealProcessor; /* F77h */ ULONG GuaranteedStackBytes; /* F78h */ PVOID ReservedForPerf; /* F7Ch */ PVOID ReservedForOle; /* F80h */ ULONG WaitingOnLoaderLock; /* F84h */ ULONG SparePointer1; /* F88h */ ULONG SoftPatchPtr1; /* F8Ch */ ULONG SoftPatchPtr2; /* F90h */ PVOID *TlsExpansionSlots; /* F94h */ ULONG ImpersionationLocale; /* F98h */ ULONG IsImpersonating; /* F9Ch */ PVOID NlsCache; /* FA0h */ PVOID pShimData; /* FA4h */ ULONG HeapVirualAffinity; /* FA8h */ PVOID CurrentTransactionHandle; /* FACh */ PTEB_ACTIVE_FRAME ActiveFrame; /* FB0h */ PVOID FlsData; /* FB4h */ UCHAR SafeThunkCall; /* FB8h */ UCHAR BooleanSpare[3]; /* FB9h */ } TEB, *PTEB;
//Process Environment Block typedef struct _PEB { UCHAR InheritedAddressSpace; // 00h UCHAR ReadImageFileExecOptions; // 01h UCHAR BeingDebugged; // 02h UCHAR Spare; // 03h PVOID Mutant; // 04h PVOID ImageBaseAddress; // 08h PPEB_LDR_DATA Ldr; // 0Ch PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // 10h PVOID SubSystemData; // 14h PVOID ProcessHeap; // 18h PVOID FastPebLock; // 1Ch PPEBLOCKROUTINE FastPebLockRoutine; // 20h PPEBLOCKROUTINE FastPebUnlockRoutine; // 24h ULONG EnvironmentUpdateCount; // 28h PVOID* KernelCallbackTable; // 2Ch PVOID EventLogSection; // 30h PVOID EventLog; // 34h PPEB_FREE_BLOCK FreeList; // 38h ULONG TlsExpansionCounter; // 3Ch PVOID TlsBitmap; // 40h ULONG TlsBitmapBits[0x2]; // 44h PVOID ReadOnlySharedMemoryBase; // 4Ch PVOID ReadOnlySharedMemoryHeap; // 50h PVOID* ReadOnlyStaticServerData; // 54h PVOID AnsiCodePageData; // 58h PVOID OemCodePageData; // 5Ch PVOID UnicodeCaseTableData; // 60h ULONG NumberOfProcessors; // 64h ULONG NtGlobalFlag; // 68h UCHAR Spare2[0x4]; // 6Ch LARGE_INTEGER CriticalSectionTimeout; // 70h ULONG HeapSegmentReserve; // 78h ULONG HeapSegmentCommit; // 7Ch ULONG HeapDeCommitTotalFreeThreshold; // 80h ULONG HeapDeCommitFreeBlockThreshold; // 84h ULONG NumberOfHeaps; // 88h ULONG MaximumNumberOfHeaps; // 8Ch PVOID** ProcessHeaps; // 90h PVOID GdiSharedHandleTable; // 94h PVOID ProcessStarterHelper; // 98h PVOID GdiDCAttributeList; // 9Ch PVOID LoaderLock; // A0h ULONG OSMajorVersion; // A4h ULONG OSMinorVersion; // A8h ULONG OSBuildNumber; // ACh ULONG OSPlatformId; // B0h ULONG ImageSubSystem; // B4h ULONG ImageSubSystemMajorVersion; // B8h ULONG ImageSubSystemMinorVersion; // C0h ULONG GdiHandleBuffer[0x22]; // C4h PVOID ProcessWindowStation; // ??? } PEB, *PPEB;