x64 PEB简介 && 有关PEB的一些函数

尽管操作PEB BLOCK现在已经没什么价值了,但是PEB BLOCK作为内核的一个重要结构,这里还是提一下:

x64 EPROCESS结构

   +0x000 Pcb              : _KPROCESS
   +0x160 ProcessLock      : _EX_PUSH_LOCK
   +0x168 CreateTime       : _LARGE_INTEGER
   +0x170 ExitTime         : _LARGE_INTEGER
   +0x178 RundownProtect   : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId  : Ptr64 Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY
   +0x198 ProcessQuotaUsage : [2] Uint8B
   +0x1a8 ProcessQuotaPeak : [2] Uint8B
   +0x1b8 CommitCharge     : Uint8B
   +0x1c0 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x1c8 CpuQuotaBlock    : Ptr64 _PS_CPU_QUOTA_BLOCK
   +0x1d0 PeakVirtualSize  : Uint8B
   +0x1d8 VirtualSize      : Uint8B
   +0x1e0 SessionProcessLinks : _LIST_ENTRY
   +0x1f0 DebugPort        : Ptr64 Void
   +0x1f8 ExceptionPortData : Ptr64 Void
   +0x1f8 ExceptionPortValue : Uint8B
   +0x1f8 ExceptionPortState : Pos 0, 3 Bits
   +0x200 ObjectTable      : Ptr64 _HANDLE_TABLE
   +0x208 Token            : _EX_FAST_REF
   +0x210 WorkingSetPage   : Uint8B
   +0x218 AddressCreationLock : _EX_PUSH_LOCK
   +0x220 RotateInProgress : Ptr64 _ETHREAD
   +0x228 ForkInProgress   : Ptr64 _ETHREAD
   +0x230 HardwareTrigger  : Uint8B
   +0x238 PhysicalVadRoot  : Ptr64 _MM_AVL_TABLE
   +0x240 CloneRoot        : Ptr64 Void
   +0x248 NumberOfPrivatePages : Uint8B
   +0x250 NumberOfLockedPages : Uint8B
   +0x258 Win32Process     : Ptr64 Void
   +0x260 Job              : Ptr64 _EJOB
   +0x268 SectionObject    : Ptr64 Void
   +0x270 SectionBaseAddress : Ptr64 Void
   +0x278 Cookie           : Uint4B
   +0x27c UmsScheduledThreads : Uint4B
   +0x280 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
   +0x288 Win32WindowStation : Ptr64 Void
   +0x290 InheritedFromUniqueProcessId : Ptr64 Void
   +0x298 LdtInformation   : Ptr64 Void
   +0x2a0 Spare            : Ptr64 Void
   +0x2a8 ConsoleHostProcess : Uint8B
   +0x2b0 DeviceMap        : Ptr64 Void
   +0x2b8 EtwDataSource    : Ptr64 Void
   +0x2c0 FreeTebHint      : Ptr64 Void
   +0x2c8 FreeUmsTebHint   : Ptr64 Void
   +0x2d0 PageDirectoryPte : _HARDWARE_PTE
   +0x2d0 Filler           : Uint8B
   +0x2d8 Session          : Ptr64 Void
   +0x2e0 ImageFileName    : [15] UChar
   +0x2ef PriorityClass    : UChar
   +0x2f0 JobLinks         : _LIST_ENTRY
   +0x300 LockedPagesList  : Ptr64 Void
   +0x308 ThreadListHead   : _LIST_ENTRY
   +0x318 SecurityPort     : Ptr64 Void
   +0x320 Wow64Process     : Ptr64 Void
   +0x328 ActiveThreads    : Uint4B
   +0x32c ImagePathHash    : Uint4B
   +0x330 DefaultHardErrorProcessing : Uint4B
   +0x334 LastThreadExitStatus : Int4B
   +0x338 Peb              : Ptr64 _PEB
   +0x340 PrefetchTrace    : _EX_FAST_REF
   +0x348 ReadOperationCount : _LARGE_INTEGER
   +0x350 WriteOperationCount : _LARGE_INTEGER
   +0x358 OtherOperationCount : _LARGE_INTEGER
   +0x360 ReadTransferCount : _LARGE_INTEGER
   +0x368 WriteTransferCount : _LARGE_INTEGER
   +0x370 OtherTransferCount : _LARGE_INTEGER
   +0x378 CommitChargeLimit : Uint8B
   +0x380 CommitChargePeak : Uint8B
   +0x388 AweInfo          : Ptr64 Void
   +0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x398 Vm               : _MMSUPPORT
   +0x420 MmProcessLinks   : _LIST_ENTRY
   +0x430 HighestUserAddress : Ptr64 Void
   +0x438 ModifiedPageCount : Uint4B
   +0x43c Flags2           : Uint4B
   +0x43c JobNotReallyActive : Pos 0, 1 Bit
   +0x43c AccountingFolded : Pos 1, 1 Bit
   +0x43c NewProcessReported : Pos 2, 1 Bit
   +0x43c ExitProcessReported : Pos 3, 1 Bit
   +0x43c ReportCommitChanges : Pos 4, 1 Bit
   +0x43c LastReportMemory : Pos 5, 1 Bit
   +0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x43c HandleTableRundown : Pos 7, 1 Bit
   +0x43c NeedsHandleRundown : Pos 8, 1 Bit
   +0x43c RefTraceEnabled  : Pos 9, 1 Bit
   +0x43c NumaAware        : Pos 10, 1 Bit
   +0x43c ProtectedProcess : Pos 11, 1 Bit
   +0x43c DefaultPagePriority : Pos 12, 3 Bits
   +0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x43c ProcessVerifierTarget : Pos 16, 1 Bit
   +0x43c StackRandomizationDisabled : Pos 17, 1 Bit
   +0x43c AffinityPermanent : Pos 18, 1 Bit
   +0x43c AffinityUpdateEnable : Pos 19, 1 Bit
   +0x43c PropagateNode    : Pos 20, 1 Bit
   +0x43c ExplicitAffinity : Pos 21, 1 Bit
   +0x440 Flags            : Uint4B
   +0x440 CreateReported   : Pos 0, 1 Bit
   +0x440 NoDebugInherit   : Pos 1, 1 Bit
   +0x440 ProcessExiting   : Pos 2, 1 Bit
   +0x440 ProcessDelete    : Pos 3, 1 Bit
   +0x440 Wow64SplitPages  : Pos 4, 1 Bit
   +0x440 VmDeleted        : Pos 5, 1 Bit
   +0x440 OutswapEnabled   : Pos 6, 1 Bit
   +0x440 Outswapped       : Pos 7, 1 Bit
   +0x440 ForkFailed       : Pos 8, 1 Bit
   +0x440 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x440 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x440 SetTimerResolution : Pos 12, 1 Bit
   +0x440 BreakOnTermination : Pos 13, 1 Bit
   +0x440 DeprioritizeViews : Pos 14, 1 Bit
   +0x440 WriteWatch       : Pos 15, 1 Bit
   +0x440 ProcessInSession : Pos 16, 1 Bit
   +0x440 OverrideAddressSpace : Pos 17, 1 Bit
   +0x440 HasAddressSpace  : Pos 18, 1 Bit
   +0x440 LaunchPrefetched : Pos 19, 1 Bit
   +0x440 InjectInpageErrors : Pos 20, 1 Bit
   +0x440 VmTopDown        : Pos 21, 1 Bit
   +0x440 ImageNotifyDone  : Pos 22, 1 Bit
   +0x440 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x440 VdmAllowed       : Pos 24, 1 Bit
   +0x440 CrossSessionCreate : Pos 25, 1 Bit
   +0x440 ProcessInserted  : Pos 26, 1 Bit
   +0x440 DefaultIoPriority : Pos 27, 3 Bits
   +0x440 ProcessSelfDelete : Pos 30, 1 Bit
   +0x440 SetTimerResolutionLink : Pos 31, 1 Bit
   +0x444 ExitStatus       : Int4B
   +0x448 VadRoot          : _MM_AVL_TABLE
   +0x488 AlpcContext      : _ALPC_PROCESS_CONTEXT
   +0x4a8 TimerResolutionLink : _LIST_ENTRY
   +0x4b8 RequestedTimerResolution : Uint4B
   +0x4bc ActiveThreadsHighWatermark : Uint4B
   +0x4c0 SmallestTimerResolution : Uint4B
   +0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
PEB BLOCK 位于EPROCESS块的0x338偏移位置,在应用层空间中。


x86中,寻找PEB的方法很简单


	_asm
	{
		mov eax, fs:0x30
		mov peb, eax
		//mov eax, [eax+0x10] 
	}


在64位系统中,PEB BLOCK位于gs:[60h]

	.code
	Getgs proc 
	mov rax, gs:[60h]
	ret
	Getgs endp
	end

	在inc文件中输入:
	EXPORTS
	Getgs
	
	在def文件中输入:
	Getgs proto;

构建编译。


在.c文件中声明

#pragma comment(lib, "xxx.lib")

typedef  unsigned _int64 QWORD;
extern "C" QWORD __stdcall Getgs();

即可获得PEB地址 


x64PEB的结构内容 windbg一试便知:

   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsLegacyProcess  : Pos 2, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
   +0x003 SpareBits        : Pos 5, 3 Bits
   +0x008 Mutant           : Ptr64 Void
   +0x010 ImageBaseAddress : Ptr64 Void
   +0x018 Ldr              : Ptr64 _PEB_LDR_DATA
   +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
   +0x028 SubSystemData    : Ptr64 Void
   +0x030 ProcessHeap      : Ptr64 Void
   +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION
   +0x040 AtlThunkSListPtr : Ptr64 Void
   +0x048 IFEOKey          : Ptr64 Void
   +0x050 CrossProcessFlags : Uint4B
   +0x050 ProcessInJob     : Pos 0, 1 Bit
   +0x050 ProcessInitializing : Pos 1, 1 Bit
   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit
   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit
   +0x050 ProcessUsingFTH  : Pos 4, 1 Bit
   +0x050 ReservedBits0    : Pos 5, 27 Bits
   +0x058 KernelCallbackTable : Ptr64 Void
   +0x058 UserSharedInfoPtr : Ptr64 Void
   +0x060 SystemReserved   : [1] Uint4B
   +0x064 AtlThunkSListPtr32 : Uint4B
   +0x068 ApiSetMap        : Ptr64 Void
   +0x070 TlsExpansionCounter : Uint4B
   +0x078 TlsBitmap        : Ptr64 Void
   +0x080 TlsBitmapBits    : [2] Uint4B
   +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
   +0x090 HotpatchInformation : Ptr64 Void
   +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
   +0x0a0 AnsiCodePageData : Ptr64 Void
   +0x0a8 OemCodePageData  : Ptr64 Void
   +0x0b0 UnicodeCaseTableData : Ptr64 Void
   +0x0b8 NumberOfProcessors : Uint4B
   +0x0bc NtGlobalFlag     : Uint4B
   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
   +0x0c8 HeapSegmentReserve : Uint8B
   +0x0d0 HeapSegmentCommit : Uint8B
   +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
   +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
   +0x0e8 NumberOfHeaps    : Uint4B
   +0x0ec MaximumNumberOfHeaps : Uint4B
   +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void
   +0x0f8 GdiSharedHandleTable : Ptr64 Void
   +0x100 ProcessStarterHelper : Ptr64 Void
   +0x108 GdiDCAttributeList : Uint4B
   +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION
   +0x118 OSMajorVersion   : Uint4B
   +0x11c OSMinorVersion   : Uint4B
   +0x120 OSBuildNumber    : Uint2B
   +0x122 OSCSDVersion     : Uint2B
   +0x124 OSPlatformId     : Uint4B
   +0x128 ImageSubsystem   : Uint4B
   +0x12c ImageSubsystemMajorVersion : Uint4B
   +0x130 ImageSubsystemMinorVersion : Uint4B
   +0x138 ActiveProcessAffinityMask : Uint8B
   +0x140 GdiHandleBuffer  : [60] Uint4B
   +0x230 PostProcessInitRoutine : Ptr64     void 
   +0x238 TlsExpansionBitmap : Ptr64 Void
   +0x240 TlsExpansionBitmapBits : [32] Uint4B
   +0x2c0 SessionId        : Uint4B
   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER
   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x2d8 pShimData        : Ptr64 Void
   +0x2e0 AppCompatInfo    : Ptr64 Void
   +0x2e8 CSDVersion       : _UNICODE_STRING
   +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x318 MinimumStackCommit : Uint8B
   +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO
   +0x328 FlsListHead      : _LIST_ENTRY
   +0x338 FlsBitmap        : Ptr64 Void
   +0x340 FlsBitmapBits    : [4] Uint4B
   +0x350 FlsHighIndex     : Uint4B
   +0x358 WerRegistrationData : Ptr64 Void
   +0x360 WerShipAssertPtr : Ptr64 Void
   +0x368 pContextData     : Ptr64 Void
   +0x370 pImageHeaderHash : Ptr64 Void
   +0x378 TracingFlags     : Uint4B
   +0x378 HeapTracingEnabled : Pos 0, 1 Bit
   +0x378 CritSecTracingEnabled : Pos 1, 1 Bit
   +0x378 SpareTracingBits : Pos 2, 30 Bits

获得下本机的当前PEB地址
kd> !peb
PEB at 000007fffffd5000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00000000ffec0000
    Ldr                       0000000077572640
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00000000001d2730 . 00000000001e8100
    Ldr.InLoadOrderModuleList:           00000000001d2620 . 00000000001e81d0
    Ldr.InMemoryOrderModuleList:         00000000001d2630 . 00000000001e81e0
            Base TimeStamp                     Module
        ffec0000 4ce79f61 Nov 20 18:13:53 2010 C:\Windows\system32\slui.exe
        77440000 4ce7c8f9 Nov 20 21:11:21 2010 C:\Windows\SYSTEM32\ntdll.dll
        77320000 4ce7c78b Nov 20 21:05:15 2010 C:\Windows\system32\kernel32.dll
     7fefd440000 4ce7c78c Nov 20 21:05:16 2010 C:\Windows\system32\KERNELBASE.dll
     7feff5f0000 4a5bde6b Jul 14 09:24:59 2009 C:\Windows\system32\ADVAPI32.dll
     7feff190000 4a5bdfbe Jul 14 09:30:38 2009 C:\Windows\system32\msvcrt.dll
     7feff3e0000 4a5be05e Jul 14 09:33:18 2009 C:\Windows\SYSTEM32\sechost.dll
     7fefd770000 4ce7c96e Nov 20 21:13:18 2010 C:\Windows\system32\RPCRT4.dll
        77220000 4ce7c9f1 Nov 20 21:15:29 2010 C:\Windows\system32\USER32.dll
     7feff6d0000 4ce7c651 Nov 20 21:00:01 2010 C:\Windows\system32\GDI32.dll
     7fefd760000 4a5bdf5f Jul 14 09:29:03 2009 C:\Windows\system32\LPK.dll
     7fefdd80000 4ce7c9f5 Nov 20 21:15:33 2010 C:\Windows\system32\USP10.dll
     7fefa5b0000 4a5be067 Jul 14 09:33:27 2009 C:\Windows\system32\sppcommdlg.dll
     7fefc000000 4ce7c45b Nov 20 20:51:39 2010 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll
     7feff360000 4ce7c9ab Nov 20 21:14:19 2010 C:\Windows\system32\SHLWAPI.dll
     7feff460000 4a5bdf40 Jul 14 09:28:32 2009 C:\Windows\system32\IMM32.dll
     7fefe150000 4a5bdfaa Jul 14 09:30:18 2009 C:\Windows\system32\MSCTF.dll
     7fefd8f0000 4ce7c92c Nov 20 21:12:12 2010 C:\Windows\system32\ole32.dll
     7feff510000 4ce7c930 Nov 20 21:12:16 2010 C:\Windows\system32\OLEAUT32.dll
     7fefe260000 4ce7c9a6 Nov 20 21:14:14 2010 C:\Windows\system32\SHELL32.dll
     7fefb870000 4a5be0a2 Jul 14 09:34:26 2009 C:\Windows\system32\WINBRAND.dll
     7fefae10000 4a5be063 Jul 14 09:33:23 2009 C:\Windows\system32\slc.dll
     7fefa560000 4ce7c946 Nov 20 21:12:38 2010 C:\Windows\system32\SPPC.DLL
     7fefd280000 4a5bdf91 Jul 14 09:29:53 2009 C:\Windows\system32\CRYPTBASE.dll
     7fefbe20000 4a5be093 Jul 14 09:34:11 2009 C:\Windows\system32\uxtheme.dll
     7fefdce0000 4a5bdeba Jul 14 09:26:18 2009 C:\Windows\system32\CLBCatQ.DLL
     7fefcc40000 4a5bdf96 Jul 14 09:29:58 2009 C:\Windows\system32\CRYPTSP.dll
     7fefc940000 4a5be039 Jul 14 09:32:41 2009 C:\Windows\system32\rsaenh.dll
     7fefd330000 4ce7c96f Nov 20 21:13:19 2010 C:\Windows\system32\RpcRtRemote.dll
     7fefa500000 4ce7c9c0 Nov 20 21:14:40 2010 C:\Windows\system32\sppcomapi.dll
    SubSystemData:     0000000000000000
    ProcessHeap:       00000000001d0000
    ProcessParameters: 00000000001d1d50
    CurrentDirectory:  'C:\Windows\system32\'
    WindowTitle:  'C:\Windows\system32\slui.exe'
    ImageFile:    'C:\Windows\system32\slui.exe'
    CommandLine:  '"C:\Windows\system32\slui.exe"'
    DllPath:      'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
    Environment:  00000000001d1320
        ALLUSERSPROFILE=C:\ProgramData
        APPDATA=C:\Users\BillG\AppData\Roaming
        CommonProgramFiles=C:\Program Files\Common Files
        CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
        CommonProgramW6432=C:\Program Files\Common Files
        COMPUTERNAME=WIN-TQVCU2J0T9S
        ComSpec=C:\Windows\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Users\BillG
        LOCALAPPDATA=C:\Users\BillG\AppData\Local
        LOGONSERVER=\\WIN-TQVCU2J0T9S
        NUMBER_OF_PROCESSORS=1
        OS=Windows_NT
        Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=AMD64
        PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 58 Stepping 9, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=3a09
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        ProgramFiles(x86)=C:\Program Files (x86)
        ProgramW6432=C:\Program Files
        PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
        PUBLIC=C:\Users\Public
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\Users\BillG\AppData\Local\Temp
        TMP=C:\Users\BillG\AppData\Local\Temp
        USERDOMAIN=WIN-TQVCU2J0T9S
        USERNAME=BillG
        USERPROFILE=C:\Users\BillG
        windir=C:\Windows
        windows_tracing_flags=3
        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

dt 000007fffffd5000 _PEB_LDR_DATA  
nt!_PEB_LDR_DATA
   +0x000 Length           : 0x8000000
   +0x004 Initialized      : 0 ''
   +0x008 SsHandle         : 0xffffffff`ffffffff Void
   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`ffec0000 - 0x77572640 ]
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`001d1d50 - 0x0 ]
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`001d0000 - 0x7757a900 ]
   +0x040 EntryInProgress  : (null) 
   +0x048 ShutdownInProgress : 0 ''
   +0x050 ShutdownThreadId : 0x00000000`00000001 Void

InLoadOrderModuleList InMemoryOrderModuleList InInitializationOrderModuleList 这三条链是根据加载顺序、内存映像顺序、初始化顺序而建立的

其中的辅助成员Flink Blink指向_LDR_DATA_TABLE_ENTRY结构体

kd> dt _LDR_DATA_TABLE_ENTRY
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x010 InMemoryOrderLinks : _LIST_ENTRY
   +0x020 InInitializationOrderLinks : _LIST_ENTRY
   +0x030 DllBase          : Ptr64 Void
   +0x038 EntryPoint       : Ptr64 Void
   +0x040 SizeOfImage      : Uint4B
   +0x048 FullDllName      : _UNICODE_STRING
   +0x058 BaseDllName      : _UNICODE_STRING
   +0x068 Flags            : Uint4B
   +0x06c LoadCount        : Uint2B
   +0x06e TlsIndex         : Uint2B
   +0x070 HashLinks        : _LIST_ENTRY
   +0x070 SectionPointer   : Ptr64 Void
   +0x078 CheckSum         : Uint4B
   +0x080 TimeDateStamp    : Uint4B
   +0x080 LoadedImports    : Ptr64 Void
   +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
   +0x090 PatchInformation : Ptr64 Void
   +0x098 ForwarderLinks   : _LIST_ENTRY
   +0x0a8 ServiceTagLinks  : _LIST_ENTRY
   +0x0b8 StaticLinks      : _LIST_ENTRY
   +0x0c8 ContextInformation : Ptr64 Void
   +0x0d0 OriginalBase     : Uint8B
   +0x0d8 LoadTime         : _LARGE_INTEGER
至此,PEB一些重要的结构已经一览无余了。

如果病毒/木马试图在PEB隐藏自己的进程模块时,应该把这三条链全抹掉。

尽管如此,一些强力工具会检测出PEB的断链行为。这往往是_LDR_DATA_TABLE_ENTRY结构体中的SizeOfImage出卖了你。所以,我们应该修改SizeOfImage的值让它看上去和实际更像一点。


有一些古老的程序,通过PEB BLOCK来获取EXE的ImagePathName。在以前,一些木马也通过修改RTL_USER_PROCESS_PARAMETERS结构体内的成员来迷惑防火墙。


这里再总结一些Ring3层上获取进程模块的函数。

CreateToolhelp32Snapshot函数

NtQueryInformationProcess

EnumProcessModules

这三种方法实现原理无一例外,底层都是通过遍历PEB块来实现的。

1、3如果大家不信,可以自己逆向一下。

第二个放出NtQueryInformaionProcess WRK的源码:

NTSTATUS
00590 NtQueryInformationProcess(
00591     __in HANDLE ProcessHandle,
00592     __in PROCESSINFOCLASS ProcessInformationClass,
00593     __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
00594     __in ULONG ProcessInformationLength,
00595     __out_opt PULONG ReturnLength
00596     )
case ProcessBasicInformation:
00732 
00733         if (ProcessInformationLength != (ULONG) sizeof(PROCESS_BASIC_INFORMATION)) {
00734             return STATUS_INFO_LENGTH_MISMATCH;
00735         }
00736 
00737         st = ObReferenceObjectByHandle (ProcessHandle,
00738                                         PROCESS_QUERY_INFORMATION,
00739                                         PsProcessType,
00740                                         PreviousMode,
00741                                         &Process,
00742                                         NULL);
00743         if (!NT_SUCCESS (st)) {
00744             return st;
00745         }
00746 
00747         BasicInfo.ExitStatus = Process->ExitStatus;
00748         BasicInfo.PebBaseAddress = Process->Peb;
00749         BasicInfo.AffinityMask = Process->Pcb.Affinity;
00750         BasicInfo.BasePriority = Process->Pcb.BasePriority;
00751         BasicInfo.UniqueProcessId = (ULONG_PTR)Process->UniqueProcessId;
00752         BasicInfo.InheritedFromUniqueProcessId = (ULONG_PTR)Process->InheritedFromUniqueProcessId;
00753 
00754         ObDereferenceObject(Process);
00755 
00756         //
00757         // Either of these may cause an access violation. The
00758         // exception handler will return access violation as
00759         // status code. No further cleanup needs to be done.
00760         //
00761 
00762         try {
00763             *(PPROCESS_BASIC_INFORMATION) ProcessInformation = BasicInfo;
00764 
00765             if (ARGUMENT_PRESENT (ReturnLength) ) {
00766                 *ReturnLength = sizeof(PROCESS_BASIC_INFORMATION);
00767             }
00768         } except (EXCEPTION_EXECUTE_HANDLER) {
00769             return GetExceptionCode ();
00770         }
00771 
00772         return STATUS_SUCCESS;

所以,如果R3层上用上述函数搜索进程模块的话,实际上强度很弱。

但是,ZwQueryVirtualMemory这个函数遍历的是进程的虚拟地址空间,实际上是枚举VAD树。VAD树的根节点在EPROCESS块中,是一颗平衡树。断链无法避开这种检测。

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值