在网搜到的定义:
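/*
 * TEB (Thread Environment Block) as quoted from a web source.
 *
 * The original listing put the 32-bit offset in front of every member
 * ("000h NT_TIB Tib;"), which is not valid C; the offsets are kept here as
 * leading comments so the declaration parses while preserving every
 * member, type and offset exactly as the source gave them.
 *
 * NOTE: these offsets and several member names differ from what
 * `dt _TEB` prints in windbg (see the listing that follows), so the
 * numbers are the source's claim, not the layout of any particular
 * Windows build.  Code that hard-codes TEB offsets is tied to one build.
 * Member types (NT_TIB, PVOID, CLIENT_ID, PPEB, GDI_TEB_BATCH, ...) come
 * from the Windows headers and are not defined here.
 */
typedef struct _NT_TEB { /* TEB => Thread Environment Block */
    /* 000h */ NT_TIB Tib;
    /* 01Ch */ PVOID EnvironmentPointer;
    /* 020h */ CLIENT_ID Cid;
    /* 028h */ PVOID ActiveRpcInfo;
    /* 02Ch */ PVOID ThreadLocalStoragePointer;
    /* 030h */ PPEB Peb;
    /* 034h */ ULONG LastErrorValue;
    /* 038h */ ULONG CountOfOwnedCriticalSections;
    /* 03Ch */ PVOID CsrClientThread;
    /* 040h */ PVOID Win32ThreadInfo;
    /* 044h */ ULONG Win32ClientInfo[0x1F];
    /* 0C0h */ PVOID WOW32Reserved;
    /* 0C4h */ ULONG CurrentLocale;
    /* 0C8h */ ULONG FpSoftwareStatusRegister;
    /* 0CCh */ PVOID SystemReserved1[0x36];
    /* 1A4h */ PVOID Spare1;
    /* 1A8h */ LONG ExceptionCode;
    /* 1ACh */ ULONG SpareBytes1[0x28];
    /* 1D4h */ PVOID SystemReserved2[0xA];
    /* 1FCh */ GDI_TEB_BATCH GdiTebBatch;
    /* 6DCh */ ULONG gdiRgn;
    /* 6E0h */ ULONG gdiPen;
    /* 6E4h */ ULONG gdiBrush;
    /* 6E8h */ CLIENT_ID RealClientId;
    /* 6F0h */ PVOID GdiCachedProcessHandle;
    /* 6F4h */ ULONG GdiClientPID;
    /* 6F8h */ ULONG GdiClientTID;
    /* 6FCh */ PVOID GdiThreadLocaleInfo;
    /* 700h */ PVOID UserReserved[5];
    /* 714h */ PVOID glDispatchTable[0x118];
    /* B74h */ ULONG glReserved1[0x1A];
    /* BDCh */ PVOID glReserved2;
    /* BE0h */ PVOID glSectionInfo;
    /* BE4h */ PVOID glSection;
    /* BE8h */ PVOID glTable;
    /* BECh */ PVOID glCurrentRC;
    /* BF0h */ PVOID glContext;
    /* BF4h */ NTSTATUS LastStatusValue;
    /* BF8h */ UNICODE_STRING StaticUnicodeString;
    /* C00h */ WCHAR StaticUnicodeBuffer[0x105];
    /* E0Ch */ PVOID DeallocationStack;
    /* E10h */ PVOID TlsSlots[0x40];
    /* F10h */ LIST_ENTRY TlsLinks;
    /* F18h */ PVOID Vdm;
    /* F1Ch */ PVOID ReservedForNtRpc;
    /* F20h */ PVOID DbgSsReserved[0x2];
    /* F28h */ ULONG HardErrorDisabled;
    /* F2Ch */ PVOID Instrumentation[0x10];
    /* F6Ch */ PVOID WinSockData;
    /* F70h */ ULONG GdiBatchCount;
    /* F74h */ ULONG Spare2;
    /* F78h */ ULONG Spare3;
    /* F7Ch */ ULONG Spare4;
    /* F80h */ PVOID ReservedForOle;
    /* F84h */ ULONG WaitingOnLoaderLock;
    /* F88h */ PVOID StackCommit;
    /* F8Ch */ PVOID StackCommitMax;
    /* F90h */ PVOID StackReserve;
    /* ???h */ PVOID MessageQueue; /* offset not given by the original source */
} NT_TEB, *PNT_TEB;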
但是用windbg查看是下面的:
kd> dt _TEB
nt!_TEB
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : Ptr32 Void
+0x02c ThreadLocalStoragePointer : Ptr32 Void
+0x030 ProcessEnvironmentBlock : Ptr32 _PEB
+0x034 LastErrorValue : Uint4B
+0x038 CountOfOwnedCriticalSections : Uint4B
+0x03c CsrClientThread : Ptr32 Void
+0x040 Win32ThreadInfo : Ptr32 Void
+0x044 User32Reserved : [26] Uint4B
+0x0ac UserReserved : [5] Uint4B
+0x0c0 WOW32Reserved : Ptr32 Void
+0x0c4 CurrentLocale : Uint4B
+0x0c8 FpSoftwareStatusRegister : Uint4B
+0x0cc SystemReserved1 : [54] Ptr32 Void
+0x1a4 ExceptionCode : Int4B
+0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK
+0x1bc SpareBytes1 : [24] UChar
+0x1d4 GdiTebBatch : _GDI_TEB_BATCH
+0x6b4 RealClientId : _CLIENT_ID
+0x6bc GdiCachedProcessHandle : Ptr32 Void
+0x6c0 GdiClientPID : Uint4B
+0x6c4 GdiClientTID : Uint4B
+0x6c8 GdiThreadLocalInfo : Ptr32 Void
+0x6cc Win32ClientInfo : [62] Uint4B
+0x7c4 glDispatchTable : [233] Ptr32 Void
+0xb68 glReserved1 : [29] Uint4B
+0xbdc glReserved2 : Ptr32 Void
+0xbe0 glSectionInfo : Ptr32 Void
+0xbe4 glSection : Ptr32 Void
+0xbe8 glTable : Ptr32 Void
+0xbec glCurrentRC : Ptr32 Void
+0xbf0 glContext : Ptr32 Void
+0xbf4 LastStatusValue : Uint4B
+0xbf8 StaticUnicodeString : _UNICODE_STRING
+0xc00 StaticUnicodeBuffer : [261] Uint2B
+0xe0c DeallocationStack : Ptr32 Void
+0xe10 TlsSlots : [64] Ptr32 Void
+0xf10 TlsLinks : _LIST_ENTRY
+0xf18 Vdm : Ptr32 Void
+0xf1c ReservedForNtRpc : Ptr32 Void
+0xf20 DbgSsReserved : [2] Ptr32 Void
+0xf28 HardErrorsAreDisabled : Uint4B
+0xf2c Instrumentation : [16] Ptr32 Void
+0xf6c WinSockData : Ptr32 Void
+0xf70 GdiBatchCount : Uint4B
+0xf74 InDbgPrint : UChar
+0xf75 FreeStackOnTermination : UChar
+0xf76 HasFiberData : UChar
+0xf77 IdealProcessor : UChar
+0xf78 Spare3 : Uint4B
+0xf7c ReservedForPerf : Ptr32 Void
+0xf80 ReservedForOle : Ptr32 Void
+0xf84 WaitingOnLoaderLock : Uint4B
+0xf88 Wx86Thread : _Wx86ThreadState
+0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
+0xf98 ImpersonationLocale : Uint4B
+0xf9c IsImpersonating : Uint4B
+0xfa0 NlsCache : Ptr32 Void
+0xfa4 pShimData : Ptr32 Void
+0xfa8 HeapVirtualAffinity : Uint4B
+0xfac CurrentTransactionHandle : Ptr32 Void
+0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
应该以哪一个为准呢?两者的定义明显不同。不仅仅是TEB,PEB等结构也不完全相同,这是为何?
还有TIB:
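/*
 * TIB (Thread Information Block) as quoted from a web source.
 *
 * The original listing put the 32-bit offset in front of every member and
 * ran two members together on one line, which is not valid C; the offsets
 * are kept as leading comments and every member, type and offset is
 * preserved as the source gave them.
 *
 * NOTE: the source names the first member's type _EXCEPTION_REGISTRATION,
 * whereas `dt _NT_TIB` in windbg (see the listing that follows) shows it
 * as Ptr32 _EXCEPTION_REGISTRATION_RECORD; the name is left as the source
 * wrote it.  PVOID and DWORD come from the Windows headers and are not
 * defined here.
 */
typedef struct _NT_TIB { /* TIB => Thread Information Block */
    /* 00h */ _EXCEPTION_REGISTRATION *ExceptionList;
    /* 04h */ PVOID StackBase;
    /* 08h */ PVOID StackLimit;
    /* 0Ch */ PVOID SubSystemTib;
    /* 10h */ union { /* both members overlap at 10h */
        PVOID FiberData;
        DWORD Version;
    };
    /* 14h */ PVOID ArbitraryUserPointer;
    /* 18h */ struct _NT_TIB *Self;
} NT_TIB, *PNT_TIB;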
第一个元素据说是_EXCEPTION_REGISTRATION结构,而在windbg中执行dt _EXCEPTION_REGISTRATION会提示:
Symbol _EXCEPTION_REGISTRATION not found.
而在windbg中的TIB结构是:
nt!_NT_TIB
+0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 StackBase : Ptr32 Void
+0x008 StackLimit : Ptr32 Void
+0x00c SubSystemTib : Ptr32 Void
+0x010 FiberData : Ptr32 Void
+0x010 Version : Uint4B
+0x014 ArbitraryUserPointer : Ptr32 Void
+0x018 Self : Ptr32 _NT_TIB
第一个元素是_EXCEPTION_REGISTRATION_RECORD而非_EXCEPTION_REGISTRATION。真是头大了。到底哪个才对啊?