This attached figure is the most accurate one I have seen on using the PEB to view module information.
Get the TEB
lkd> !teb
TEB at 7ffdd000
ExceptionList: 00c2976c
StackBase: 00c30000
StackLimit: 00c23000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdd000
EnvironmentPointer: 00000000
ClientId: 00000238 . 000003b8
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7ffdf000 ***
LastErrorValue: 0
LastStatusValue: c0000139
Count Owned Locks: 0
HardErrorMode: 0
View the PEB
lkd> dt _peb 7ffdf000
nt!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 SpareBool : 0 ''
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x01000000 Void
+0x00c Ldr : 0x00191e90 _PEB_LDR_DATA ***
+0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00090000 Void
+0x01c FastPebLock : 0x7c99d600 _RTL_CRITICAL_SECTION
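The same TEB -> PEB -> Ldr walk, done offline against a captured memory snapshot, as an added example that is not part of the original post. The PEB offsets are the ones in the dt output above; the TEB offsets 0x18 (Self) and 0x30 (PEB pointer) are the standard 32-bit layout and do not appear on the page. The names region_t, read_va, walk_teb and demo are hypothetical, and the snapshot is constructed from the values in the session above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One captured region of a 32-bit process image (hypothetical snapshot format). */
typedef struct { uint32_t base, size; const uint8_t *data; } region_t;
typedef struct { uint32_t peb, image_base, ldr, heap; uint8_t being_debugged; } peb_info_t;

/* Bounds-checked little-endian read of len (1..4) bytes at virtual address va. */
static int read_va(const region_t *r, size_t n, uint32_t va, uint32_t len, uint32_t *out) {
    for (size_t i = 0; i < n; i++) {
        uint32_t off = va - r[i].base;
        if (va < r[i].base || off >= r[i].size || r[i].size - off < len) continue;
        *out = 0;
        for (uint32_t b = 0; b < len; b++) *out |= (uint32_t)r[i].data[off + b] << (8 * b);
        return 0;
    }
    return -1; /* address not covered by the snapshot */
}

/* TEB -> PEB -> fields. Rejects a candidate TEB whose Self pointer does not point back. */
int walk_teb(const region_t *r, size_t n, uint32_t teb, peb_info_t *o) {
    uint32_t self, dbg;
    if (read_va(r, n, teb + 0x18, 4, &self) || self != teb) return -1; /* assumed TEB.Self */
    if (read_va(r, n, teb + 0x30, 4, &o->peb)) return -1;              /* assumed TEB->PEB */
    if (read_va(r, n, o->peb + 0x002, 1, &dbg) ||            /* BeingDebugged    */
        read_va(r, n, o->peb + 0x008, 4, &o->image_base) ||  /* ImageBaseAddress */
        read_va(r, n, o->peb + 0x00c, 4, &o->ldr) ||         /* Ldr              */
        read_va(r, n, o->peb + 0x018, 4, &o->heap)) return -1; /* ProcessHeap    */
    o->being_debugged = (uint8_t)dbg;
    return 0;
}

static void put32(uint8_t *p, uint32_t v) { for (int b = 0; b < 4; b++) p[b] = (uint8_t)(v >> (8 * b)); }

/* Constructed snapshot holding the values from the debugger session above. */
int demo(uint32_t teb_va, peb_info_t *o) {
    static uint8_t teb[0x40], peb[0x20];
    memset(teb, 0, sizeof teb); memset(peb, 0, sizeof peb);
    put32(teb + 0x18, 0x7ffdd000); put32(teb + 0x30, 0x7ffdf000);
    put32(peb + 0x008, 0x01000000); put32(peb + 0x00c, 0x00191e90);
    put32(peb + 0x018, 0x00090000);
    region_t r[] = { {0x7ffdd000, sizeof teb, teb}, {0x7ffdf000, sizeof peb, peb} };
    return walk_teb(r, 2, teb_va, o);
}

int main(void) {
    peb_info_t p;
    if (demo(0x7ffdd000, &p) == 0) printf("PEB %08x Ldr %08x dbg %u\n", p.peb, p.ldr, p.being_debugged);
    return 0;
}
```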