The PEB and PEB_LDR_DATA Structures
2016-07-09 19:08
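The PEB structure is shown below (in far more detail than the MSDN version: http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx).
I won't ramble on about the process environment block; here is the code.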
```cpp
// 32-bit (x86) layout; the leading comment on each member is its offset.
typedef struct _PEB { // Size: 0x1D8
    /*000*/ UCHAR InheritedAddressSpace;
    /*001*/ UCHAR ReadImageFileExecOptions;
    /*002*/ UCHAR BeingDebugged;            // nonzero while a user-mode debugger is attached
    /*003*/ UCHAR SpareBool;                // Allocation size
    /*004*/ HANDLE Mutant;
    /*008*/ HINSTANCE ImageBaseAddress;     // Instance
    /*00C*/ VOID *DllList;                  // points to PEB_LDR_DATA (named Ldr on MSDN)
    /*010*/ PPROCESS_PARAMETERS *ProcessParameters;
    /*014*/ ULONG SubSystemData;
    /*018*/ HANDLE DefaultHeap;
    /*01C*/ KSPIN_LOCK FastPebLock;
    /*020*/ ULONG FastPebLockRoutine;
    /*024*/ ULONG FastPebUnlockRoutine;
    /*028*/ ULONG EnvironmentUpdateCount;
    /*02C*/ ULONG KernelCallbackTable;
    /*030*/ LARGE_INTEGER SystemReserved;
    /*038*/ ULONG FreeList;
    /*03C*/ ULONG TlsExpansionCounter;
    /*040*/ ULONG TlsBitmap;
    /*044*/ ULONG TlsBitmapBits[2];         // 2 x ULONG: 4-byte aligned, so it stays at 0x44
    /*04C*/ ULONG ReadOnlySharedMemoryBase;
    /*050*/ ULONG ReadOnlySharedMemoryHeap;
    /*054*/ ULONG ReadOnlyStaticServerData;
    /*058*/ ULONG AnsiCodePageData;
    /*05C*/ ULONG OemCodePageData;
    /*060*/ ULONG UnicodeCaseTableData;
    /*064*/ ULONG NumberOfProcessors;
    /*068*/ LARGE_INTEGER NtGlobalFlag;     // Address of a local copy
    /*070*/ LARGE_INTEGER CriticalSectionTimeout;
    /*078*/ ULONG HeapSegmentReserve;
    /*07C*/ ULONG HeapSegmentCommit;
    /*080*/ ULONG HeapDeCommitTotalFreeThreshold;
    /*084*/ ULONG HeapDeCommitFreeBlockThreshold;
    /*088*/ ULONG NumberOfHeaps;
    /*08C*/ ULONG MaximumNumberOfHeaps;
    /*090*/ ULONG ProcessHeaps;
    /*094*/ ULONG GdiSharedHandleTable;
    /*098*/ ULONG ProcessStarterHelper;
    /*09C*/ ULONG GdiDCAttributeList;
    /*0A0*/ KSPIN_LOCK LoaderLock;
    /*0A4*/ ULONG OSMajorVersion;
    /*0A8*/ ULONG OSMinorVersion;
    /*0AC*/ USHORT OSBuildNumber;
    /*0AE*/ USHORT OSCSDVersion;
    /*0B0*/ ULONG OSPlatformId;
    /*0B4*/ ULONG ImageSubsystem;
    /*0B8*/ ULONG ImageSubsystemMajorVersion;
    /*0BC*/ ULONG ImageSubsystemMinorVersion;
    /*0C0*/ ULONG ImageProcessAffinityMask;
    /*0C4*/ ULONG GdiHandleBuffer[0x22];
    /*14C*/ ULONG PostProcessInitRoutine;
    /*150*/ ULONG TlsExpansionBitmap;
    /*154*/ UCHAR TlsExpansionBitmapBits[0x80];
    /*1D4*/ ULONG SessionId;
} PEB, *PPEB;
```
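The PEB_LDR_DATA structure (MSDN again leaves it reserved: http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708(v=vs.85).aspx)
This structure records information about the modules the process has loaded. MSDN notes that it may change in future versions of Windows.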
```cpp
typedef struct _PEB_LDR_DATA
{
    ULONG Length;                               // +0x00
    BOOLEAN Initialized;                        // +0x04
    PVOID SsHandle;                             // +0x08
    LIST_ENTRY InLoadOrderModuleList;           // +0x0c
    LIST_ENTRY InMemoryOrderModuleList;         // +0x14
    LIST_ENTRY InInitializationOrderModuleList; // +0x1c
} PEB_LDR_DATA, *PPEB_LDR_DATA;                 // size: 0x24
```
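Because these list heads are the process's own record of its loaded modules, a memory-forensics check can walk them and verify that they agree. The following is an added example, not code from the original post: it walks the three lists in a constructed 32-bit dump using the offsets listed above (PEB+0x0C, then +0x0C/+0x14/+0x1C inside PEB_LDR_DATA), validates every Flink/Blink pair, and reports a load-order/memory-order count mismatch. `BASE`, the `dump` buffer, the helper names and the spacing of the list nodes are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>
#define BASE 0x00250000u                 /* constructed: dump[i] stands for VA BASE+i */
static uint8_t dump[0x400];
static uint32_t rd32(uint32_t va) {      /* bounds-checked 32-bit read, 0 if outside */
    uint32_t v = 0;
    if (va >= BASE && va - BASE <= sizeof dump - 4) memcpy(&v, dump + (va - BASE), 4);
    return v;
}
static void wr32(uint32_t va, uint32_t v) { memcpy(dump + (va - BASE), &v, 4); }

/* Entries on the ring headed at `head`, or -1 if a Flink/Blink pair disagrees,
   a pointer leaves the dump, or the ring does not close within 512 nodes. */
static int walk_list(uint32_t head) {
    int n = 0;
    uint32_t prev = head, cur = rd32(head);                  /* LIST_ENTRY.Flink at +0 */
    while (cur != head) {
        if (cur == 0 || rd32(cur + 4) != prev || ++n > 512) return -1;  /* Blink at +4 */
        prev = cur; cur = rd32(cur);
    }
    return rd32(head + 4) == prev ? n : -1;
}

/* 0 = consistent, 1 = no usable PEB_LDR_DATA, 2 = broken links, 3 = count mismatch */
static int check_ldr(uint32_t peb) {
    uint32_t ldr = rd32(peb + 0x0C);             /* PEB+0x0C (DllList) -> PEB_LDR_DATA */
    if (ldr == 0 || rd32(ldr) != 0x24) return 1; /* Length at +0x00 must be 0x24 */
    int lo = walk_list(ldr + 0x0C), mo = walk_list(ldr + 0x14), io = walk_list(ldr + 0x1C);
    if (lo < 0 || mo < 0 || io < 0) return 2;
    return lo == mo ? 0 : 3;   /* heuristic of this example: both lists hold every module */
}

static void link_ring(const uint32_t *va, int n) {           /* va[0] is the list head */
    for (int i = 0; i < n; i++) {
        wr32(va[i], va[(i + 1) % n]);                        /* Flink */
        wr32(va[i] + 4, va[(i + n - 1) % n]);                /* Blink */
    }
}
/* Constructed sample: three modules; `unlinked` drops the last one from memory order. */
static uint32_t build_sample(int unlinked) {
    uint32_t ldr = BASE + 0x200, e = BASE + 0x300;
    uint32_t lo[] = {ldr + 0x0C, e, e + 0x20, e + 0x40};
    uint32_t mo[] = {ldr + 0x14, e + 0x08, e + 0x28, e + 0x48};
    uint32_t io[] = {ldr + 0x1C, e + 0x30, e + 0x50};
    memset(dump, 0, sizeof dump);
    wr32(BASE + 0x0C, ldr); wr32(ldr, 0x24);
    link_ring(lo, 4); link_ring(mo, unlinked ? 3 : 4); link_ring(io, 3);
    return BASE;
}
int main(void) { return check_ldr(build_sample(0)); }        /* exits 0 on a clean dump */
```

A result of 3 means a module is missing from one list but present in the other, which is the pattern left behind when an entry is unlinked from a single list.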