PEB 结构如下(比 MSDN 上的定义详细得多:http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx)
进程环境块(PEB)这里就不多介绍了,直接贴代码。注意:下面是非公开的布局,指针类字段大多按 ULONG 声明,偏移会随 Windows 版本和位数变化,使用前应对照目标系统的符号核实。
- typedef struct _PEB {   /* Process Environment Block layout as posted by the author (more fields than the MSDN declaration). NOTE(review): pointer-like members are declared ULONG, so this presumably describes a 32-bit build only; confirm every offset against symbols for the target Windows version. */
- UCHAR InheritedAddressSpace;
- UCHAR ReadImageFileExecOptions;
- UCHAR BeingDebugged;   /* NOTE(review): presumably the byte that debugger-presence checks read; it sits in memory the process itself can write, so do not treat it as a trustworthy signal */
- UCHAR SpareBool;
- HANDLE Mutant;
- HINSTANCE ImageBaseAddress;
- VOID *DllList;   /* NOTE(review): occupies the position MSDN names Ldr (PPEB_LDR_DATA); confirm before casting */
- PPROCESS_PARAMETERS *ProcessParameters;   /* NOTE(review): pointer to PPROCESS_PARAMETERS; if that typedef is already a pointer this is one indirection too many; verify against its declaration */
- ULONG SubSystemData;
- HANDLE DefaultHeap;
- KSPIN_LOCK FastPebLock;
- ULONG FastPebLockRoutine;
- ULONG FastPebUnlockRoutine;
- ULONG EnvironmentUpdateCount;
- ULONG KernelCallbackTable;
- LARGE_INTEGER SystemReserved;
- ULONG FreeList;
- ULONG TlsExpansionCounter;
- ULONG TlsBitmap;
- LARGE_INTEGER TlsBitmapBits;   /* NOTE(review): LARGE_INTEGER normally has 8-byte alignment; unless the struct is packed, padding inserted before this member would shift every later offset; verify with offsetof */
- ULONG ReadOnlySharedMemoryBase;
- ULONG ReadOnlySharedMemoryHeap;
- ULONG ReadOnlyStaticServerData;
- ULONG AnsiCodePageData;
- ULONG OemCodePageData;
- ULONG UnicodeCaseTableData;
- ULONG NumberOfProcessors;
- LARGE_INTEGER NtGlobalFlag;   /* NOTE(review): declared 8 bytes wide here; presumably a 32-bit flag word followed by padding; confirm before reading it as a 64-bit value */
- LARGE_INTEGER CriticalSectionTimeout;
- ULONG HeapSegmentReserve;
- ULONG HeapSegmentCommit;
- ULONG HeapDeCommitTotalFreeThreshold;
- ULONG HeapDeCommitFreeBlockThreshold;
- ULONG NumberOfHeaps;
- ULONG MaximumNumberOfHeaps;
- ULONG ProcessHeaps;
- ULONG GdiSharedHandleTable;
- ULONG ProcessStarterHelper;
- ULONG GdiDCAttributeList;
- KSPIN_LOCK LoaderLock;
- ULONG OSMajorVersion;
- ULONG OSMinorVersion;
- USHORT OSBuildNumber;
- USHORT OSCSDVersion;
- ULONG OSPlatformId;
- ULONG ImageSubsystem;
- ULONG ImageSubsystemMajorVersion;
- ULONG ImageSubsystemMinorVersion;
- ULONG ImageProcessAffinityMask;
- ULONG GdiHandleBuffer[0x22];   /* 0x22 = 34 ULONG slots */
- ULONG PostProcessInitRoutine;
- ULONG TlsExpansionBitmap;
- UCHAR TlsExpansionBitmapBits[0x80];   /* 0x80 = 128 bytes */
- ULONG SessionId;
- } PEB, *PPEB;   /* PPEB is the pointer alias for the structure above */
PEB_LDR_DATA 结构(MSDN 同样把其中多数字段标为保留:http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708(v=vs.85).aspx)
这个结构记录了进程已加载模块的信息;MSDN 指出该结构在未来的 Windows 版本中可能更改,因此不要把下面的布局当作稳定接口。
- typedef struct _PEB_LDR_DATA   /* Loader data holding the heads of three module lists. NOTE(review): undocumented layout that MSDN says may change; confirm against symbols for the target build. */
- {
- ULONG Length;   /* NOTE(review): presumably the size of this structure in bytes; confirm */
- BOOLEAN Initialized;
- PVOID SsHandle;
- LIST_ENTRY InLoadOrderModuleList;   /* list head; by its name, modules linked in load order */
- LIST_ENTRY InMemoryOrderModuleList;   /* list head; by its name, modules linked in memory order (the one list MSDN declares by name) */
- LIST_ENTRY InInitializationOrderModuleList;   /* list head; by its name, modules linked in initialization order. NOTE(review): the element type is not shown here, and these lists presumably live in process-writable memory, so module inventories built from them should be cross-checked against another source */
- } PEB_LDR_DATA,*PPEB_LDR_DATA;