• PEB 和 TIB结构



    fs:7FFDF000
    nt!_TEB
    TEB at      fs:7FFDF000
    
       +0x000   NtTib                       // _NT_TIB
       +0x01c   EnvironmentPointer          // Ptr32 Void
       +0x020   ClientId                    // _CLIENT_ID
       +0x028   ActiveRpcHandle             // Ptr32 Void
       +0x02c   ThreadLocalStoragePointer   // Ptr32 Void
       +0x030   ProcessEnvironmentBlock     // Ptr32 _PEB  这里指向 PEB 表,即进程环境块
                LastErrorValue
                LastStatusValue
                Count Owned Locks
                HardErrorsMode
    *******************************************
    /*
     * _NT_TIB: the Thread Information Block that opens the TEB (fs:[0] on 32-bit
     * x86, matching the "Ptr32" fields in the TEB dump above).  The hex values in
     * the left column are the author's byte-offset annotations, not C syntax; the
     * whole structure is 0x1C bytes.
     *
     * ExceptionList, StackBase and StackLimit are the three fields the exception
     * dispatcher cross-checks: ntdll rejects SEH chain nodes that lie outside the
     * [StackLimit, StackBase) range, and SEHOP additionally requires the chain to
     * end at ntdll's final handler.  When triaging a suspect thread, a chain that
     * fails either check is a corruption indicator rather than something to walk.
     */
    typedef struct _NT_TIB          // sizeof == 1ch (0x1C)
    {
     00h   struct _EXCEPTION_REGISTRATION  *ExceptionList;          // head of the SEH handler chain; this is what fs:[0] reads
     04h   PVOID                            StackBase;              // stack base (high end of the thread's stack)
     08h   PVOID                            StackLimit;             // stack limit (low end); the original note reads "stack size"
     0ch   PVOID                            SubSystemTib;
           union {
               PVOID                FiberData;                      // overlaps Version: both occupy the 4 bytes at 10h
     10h       DWORD                Version;
           };
     14h   PVOID                            ArbitraryUserPointer;
     18h   struct _NT_TIB                   *Self;                  // linear address of this NT_TIB itself; since NtTib is at TEB+0, fs:[18h] yields the TEB base
    }NT_TIB;
    
    typedef     NT_TIB      *PNT_TIB;
    ********************************************************
    SEH链入口
    
    fs[0]->*ExceptionList
    
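    /*
     * _EXCEPTION_REGISTRATION: one node of the per-thread SEH chain rooted at
     * fs:[0] (NT_TIB.ExceptionList).  Only the first two members (previous node,
     * handler address) are the OS-level registration record; the remaining four
     * are what the MSVC compiler appends for its __try/__except frames, and their
     * layout is compiler-specific, so do not interpret them in frames that were
     * not generated by MSVC.  ntdll walks this chain on every exception, which is
     * why SafeSEH validates Handler against the module's registered handler table
     * and SEHOP validates the chain's termination before dispatching.
     *
     * Fix relative to the original listing: "struc" -> "struct" (twice), and
     * Prev now names the struct tag _EXCEPTION_REGISTRATION so the self-reference
     * resolves instead of introducing an unrelated incomplete type.
     */
    typedef struct _EXCEPTION_REGISTRATION
    {
        struct _EXCEPTION_REGISTRATION  *Prev;      // previous (outer) registration; conventionally an all-ones pointer marks the end of the chain
        DWORD                           Handler;    // address of the exception handler routine
        struct scopetable_entry         *scopetable; // MSVC frame extension: per-frame table of __try scopes
        int                             trylevel;    // MSVC frame extension: index of the active __try scope (presumably -1 when none)
        int                             _ebp;        // MSVC frame extension: saved frame pointer
        PEXCEPTION_POINTERS             xpointers;   // MSVC frame extension: exception info made available while a filter runs
    }
        EXCEPTION_REGISTRATION,
        *PEXCEPTION_REGISTRATION;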
    ////////////////////////////////////////////////
    /*
     * _EXCEPTION_POINTERS: the pair handed to an exception filter -- the record
     * describing what happened and the register state at the faulting point.
     * PEXCEPTION_RECORD and PCONTEXT are typedef'd further down this listing
     * (after EXCEPTION_RECORD and CONTEXT); a compilable header defines them first.
     */
    typedef struct _EXCEPTION_POINTERS
    {
        PEXCEPTION_RECORD   ExceptionRecord;        // -> EXCEPTION_RECORD (code, flags, faulting address, parameters)
        PCONTEXT            ContextRecord;          // -> CONTEXT (register snapshot at the exception; the dispatcher resumes from this context if the handler continues execution)
    }
        EXCEPTION_POINTERS,
        *PEXCEPTION_POINTERS;
    /////////////////////////////////////////////////
    /*
     * _EXCEPTION_RECORD: what happened.  Left column = the author's byte offsets
     * (32-bit layout).  A consumer must clamp NumberParameters to
     * EXCEPTION_MAXIMUM_PARAMETERS before indexing ExceptionInformation: records
     * reaching a handler or a debugger can originate from another process or
     * from a caller-supplied count, so the field is not trustworthy by itself.
     * The macro is used on the 14h line but only #defined after the typedef in
     * this listing; a real header defines it first.
     */
    typedef struct _EXCEPTION_RECORD
    {
      00h  DWORD                     ExceptionCode;      // exception code (which event occurred)
      04h  DWORD                     ExceptionFlags;     // flags (e.g. whether the exception is continuable)
      08h  struct _EXCEPTION_RECORD  *ExceptionRecord;   // address of the next (nested) EXCEPTION_RECORD, if any
      0ch  PVOID                     ExceptionAddress;   // address at which the exception occurred
      10h  DWORD                     NumberParameters;   // number of valid entries in ExceptionInformation (validate against the maximum below)
      14h  ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
    } 1ch    // NOTE(review): 14h + 15 * sizeof(ULONG_PTR) = 50h on x86, so "1ch" here is not the size of this structure
        EXCEPTION_RECORD;
    
        typedef     EXCEPTION_RECORD        *PEXCEPTION_RECORD;
        #define     EXCEPTION_MAXIMUM_PARAMETERS    15
    /////////////////////////////////////////////////////////////////
    /*
     * _CONTEXT, 32-bit x86 layout (the register names and offsets show this is
     * the x86 variant): the register snapshot carried with every exception
     * (EXCEPTION_POINTERS.ContextRecord) and exchanged through Get/SetThreadContext.
     * ContextFlags selects which of the groups below hold valid data.  Offsets in
     * the trailing comments are the author's.  Note that the field lines in this
     * listing carry no semicolons, and the flags register is spelled "EFlag"
     * here (winnt.h spells it EFlags).
     */
    typedef struct _CONTEXT {
        DWORD           ContextFlags    // which register groups below are valid   +00h
        DWORD           Dr0             // -|                                       +04h
        DWORD           Dr1             //  |                                       +08h
        DWORD           Dr2             //  > debug registers: Dr0-Dr3 hold         +0Ch
        DWORD           Dr3             //  | hardware-breakpoint addresses,        +10h
        DWORD           Dr6             //  | Dr6 status, Dr7 enable bits           +14h
        DWORD           Dr7             // -| (non-zero Dr0-Dr3 in a thread's own   +18h
                                        //    context is a well-known debugger-detection heuristic, so analysis tooling usually masks them)
    
        FLOATING_SAVE_AREA FloatSave;   // floating-point register area            +1Ch ~ 88h
    
        DWORD           SegGs           // -|                                       +8Ch
        DWORD           SegFs           //  | segment registers                     +90h
        DWORD           SegEs           //  |                                       +94h
        DWORD           SegDs           // -|                                       +98h
    
        DWORD           Edi             // ________                                 +9Ch
        DWORD           Esi             //  | general-purpose                       +A0h
        DWORD           Ebx             //  | registers                             +A4h
        DWORD           Edx             //  |                                       +A8h
        DWORD           Ecx             //  |                                       +ACh
        DWORD           Eax             // _|______                                 +B0h
    
        DWORD           Ebp             // ++++++                                   +B4h
        DWORD           Eip             //  | control registers                     +B8h
        DWORD           SegCs           //  | (Eip/Esp are what a handler           +BCh
        DWORD           EFlag           //  | changes to alter where execution      +C0h
        DWORD           Esp             //  | resumes)                              +C4h
        DWORD           SegSs           // ++++++                                   +C8h
    
        BYTE    ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];   // 512-byte extended state area (size #defined below)
    } CONTEXT;
        typedef     CONTEXT     *PCONTEXT;
        #define     MAXIMUM_SUPPORTED_EXTENSION     512
    ********************************************************
    fs:[30]->PEB
    /*
     * _PEB: the Process Environment Block, reached from the TEB at +030h
     * (ProcessEnvironmentBlock above, i.e. fs:[30h] on 32-bit x86).  Left column
     * = byte offsets as annotated by the author.  The 0x1D8 size and the field set
     * ending at SessionId describe one particular 32-bit Windows release; later
     * releases change the members past the first few, so only the early ones
     * (BeingDebugged 002h, ImageBaseAddress 008h, Ldr 00Ch, ProcessParameters 010h)
     * are the offsets that have in practice stayed put -- and even those should be
     * verified against the running build rather than assumed.  Two lines below
     * (Ldr at 00Ch and FreeList at 038h) lack a ';' in the original listing.
     */
    typedef struct _PEB {               // Size: 0x1D8 (for the release this listing was taken from)
        000h    UCHAR           InheritedAddressSpace;
        001h    UCHAR           ReadImageFileExecOptions;
        002h    UCHAR           BeingDebugged;              // non-zero while a user-mode debugger is attached; IsDebuggerPresent() returns this byte.  Anti-analysis code reads it directly through fs:[30h] rather than via the API, so debugger and sandbox tooling commonly clears it, and a direct read of this byte is itself a useful detection signal
        003h    UCHAR           SpareBool;
        004h    HANDLE          Mutant;
        008h    HINSTANCE       ImageBaseAddress;           // base address the main executable image was loaded at
        00Ch    struct _PEB_LDR_DATA    *Ldr                // Ptr32 _PEB_LDR_DATA: loaded-module lists (see PEB_LDR_DATA below); missing ';' in the original
        010h    struct _RTL_USER_PROCESS_PARAMETERS  *ProcessParameters;   // command line, image path, current directory, environment block
        014h    ULONG           SubSystemData;
        018h    HANDLE          DefaultHeap;
        01Ch    KSPIN_LOCK      FastPebLock;
        020h    ULONG           FastPebLockRoutine;
        024h    ULONG           FastPebUnlockRoutine;
        028h    ULONG           EnvironmentUpdateCount;
        02Ch    ULONG           KernelCallbackTable;
        030h    LARGE_INTEGER   SystemReserved;
        038h    struct _PEB_FREE_BLOCK  *FreeList           // missing ';' in the original
        03Ch    ULONG           TlsExpansionCounter;
        040h    ULONG           TlsBitmap;
        044h    LARGE_INTEGER   TlsBitmapBits;
        04Ch    ULONG           ReadOnlySharedMemoryBase;
        050h    ULONG           ReadOnlySharedMemoryHeap;
        054h    ULONG           ReadOnlyStaticServerData;
        058h    ULONG           AnsiCodePageData;
        05Ch    ULONG           OemCodePageData;
        060h    ULONG           UnicodeCaseTableData;
        064h    ULONG           NumberOfProcessors;
        068h    LARGE_INTEGER   NtGlobalFlag;               // Address of a local copy.  Global/heap debug flags; a process started under a debugger typically carries extra heap-validation bits here, which makes this field another common anti-debug read
        070h    LARGE_INTEGER   CriticalSectionTimeout;
        078h    ULONG           HeapSegmentReserve;
        07Ch    ULONG           HeapSegmentCommit;
        080h    ULONG           HeapDeCommitTotalFreeThreshold;
        084h    ULONG           HeapDeCommitFreeBlockThreshold;
        088h    ULONG           NumberOfHeaps;
        08Ch    ULONG           MaximumNumberOfHeaps;
        090h    ULONG           ProcessHeaps;
        094h    ULONG           GdiSharedHandleTable;
        098h    ULONG           ProcessStarterHelper;
        09Ch    ULONG           GdiDCAttributeList;
        0A0h    KSPIN_LOCK      LoaderLock;                 // the loader lock; DllMain callbacks run while it is held
        0A4h    ULONG           OSMajorVersion;             // -| version data that the version-query APIs report
        0A8h    ULONG           OSMinorVersion;             //  | (may be shimmed by compatibility layers)
        0ACh    USHORT          OSBuildNumber;              //  |
        0AEh    USHORT          OSCSDVersion;               //  |
        0B0h    ULONG           OSPlatformId;               // -|
        0B4h    ULONG           ImageSubsystem;
        0B8h    ULONG           ImageSubsystemMajorVersion;
        0BCh    ULONG           ImageSubsystemMinorVersion;
        0C0h    ULONG           ImageProcessAffinityMask;
        0C4h    ULONG           GdiHandleBuffer[0x22];      // 0x22 * 4 = 0x88 bytes, which is why the next offset is 14Ch
        14Ch    ULONG           PostProcessInitRoutine;
        150h    ULONG           TlsExpansionBitmap;
        154h    UCHAR           TlsExpansionBitmapBits[0x80];   // 0x80 bytes -> next field at 1D4h
        1D4h    ULONG           SessionId;
    } PEB, *PPEB;
    ***************************************************
    PEB[0C]->PEB_LDR_DATA
    
    /*
     * _PEB_LDR_DATA: loader bookkeeping reached via PEB.Ldr (+00Ch).  The three
     * LIST_ENTRY members are list *heads* of doubly linked circular lists whose
     * nodes are the correspondingly named LIST_ENTRY members embedded in each
     * LDR_MODULE (below).  Flink/Blink therefore point into the middle of an
     * LDR_MODULE -- at +08h for the memory-order list and +10h for the
     * initialization-order list -- not at its start.  The offsets sum to 0x24,
     * matching the trailing comment.
     *
     * Forensic tooling cross-checks the three lists against each other because
     * each is an independent chain: a module present in one list and absent from
     * another is a tampering indicator.
     */
    typedef struct _PEB_LDR_DATA
    {
     ULONG         Length;                             // 00h  presumably sizeof this structure
     BOOLEAN       Initialized;                        // 04h
     PVOID         SsHandle;                           // 08h
     LIST_ENTRY    InLoadOrderModuleList;              // 0ch  head; nodes live at LDR_MODULE+00h
     LIST_ENTRY    InMemoryOrderModuleList;            // 14h  head; nodes live at LDR_MODULE+08h
     LIST_ENTRY    InInitializationOrderModuleList;    // 1ch  head; nodes live at LDR_MODULE+10h
    }
        PEB_LDR_DATA,
        *PPEB_LDR_DATA;                                 // 24h  sizeof
    *********************************************************
    PEB_LDR_DATA[]->LIST_ENTRY
    
    nt!_LIST_ENTRY
       +0x000   Flink       : Ptr32 _LIST_ENTRY     //表示从前往后
       +0x004   Blink       : Ptr32 _LIST_ENTRY     //表示从后往前
    ********************************************************
    LIST_ENTRY[00].LDR_MODULE
    
    /*
     * _LDR_MODULE (newer SDKs name it LDR_DATA_TABLE_ENTRY): one loaded module,
     * 32-bit layout with the author's offsets in the trailing comments.  The
     * three LIST_ENTRY members at 00h/08h/10h are the nodes threaded through the
     * matching PEB_LDR_DATA heads, so a pointer taken from the memory-order list
     * must be rebased by -08h (and one from the initialization-order list by
     * -10h) to reach the start of the entry -- CONTAINING_RECORD style.  The
     * "ntdll" / "kernel32.dll" remarks on the 10h/18h lines are the author's;
     * presumably they note the first modules met when walking the init-order
     * list -- confirm before relying on that ordering.
     *
     * FullDllName/BaseDllName are UNICODE_STRINGs: Length is a byte count and
     * Buffer is not guaranteed to be NUL-terminated, so name comparisons must be
     * length-bounded (and case-insensitive); treating Buffer as a C string is a
     * classic bug in code that walks this list.
     */
    typedef struct _LDR_MODULE
    {
        LIST_ENTRY        InLoadOrderModuleList;            // 00h  node in PEB_LDR_DATA.InLoadOrderModuleList
        LIST_ENTRY        InMemoryOrderModuleList;          // 08h  node in PEB_LDR_DATA.InMemoryOrderModuleList
        LIST_ENTRY        InInitializationOrderModuleList;  // 10h  node in PEB_LDR_DATA.InInitializationOrderModuleList   (author's note: ntdll)
        PVOID             BaseAddress;                      // 18h  image base of the module                                (author's note: kernel32.dll)
        PVOID             EntryPoint;                       // 1ch  entry address (DllMain), if the module has one
        ULONG             SizeOfImage;                      // 20h  mapped size of the image
        UNICODE_STRING    FullDllName;                      // 24h  full path (see caveat above)
        UNICODE_STRING    BaseDllName;                      // 2ch  file name only (see caveat above)
        ULONG             Flags;                            // 34h
        SHORT             LoadCount;                        // 38h  load reference count
        SHORT             TlsIndex;                         // 3ah
        HANDLE            SectionHandle;                    // 3ch
        ULONG             CheckSum;                         // 40h  presumably the PE header checksum
        ULONG             TimeDateStamp;                    // 44h  presumably the PE header timestamp
                                                            // 48h  sizeof
    } LDR_MODULE, *PLDR_MODULE;
    ******************************************************* 


  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982539.html