Reply #2 (LV9, RANK:610)
Once the symbols are loaded, the dt command is all you need.
Here is the PEB on Win7 x86:
0:000> dt _PEB 7efde000
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x8 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsLegacyProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 SpareBits : 0y000
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00940000 Void
+0x00c Ldr : 0x77230200 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x00271de0 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00270000 Void
+0x01c FastPebLock : 0x77232100 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 2
+0x028 ProcessInJob : 0y0
+0x028 ProcessInitializing : 0y1
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ReservedBits0 : 0y000000000000000000000000000 (0)
+0x02c KernelCallbackTable : (null)
+0x02c UserSharedInfoPtr : (null)
+0x030 SystemReserved : [1] 0
+0x034 AtlThunkSListPtr32 : 0
+0x038 ApiSetMap : 0x00040000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x77234250 Void
+0x044 TlsBitmapBits : [2] 1
+0x04c ReadOnlySharedMemoryBase : 0x7efe0000 Void
+0x050 HotpatchInformation : (null)
+0x054 ReadOnlyStaticServerData : 0x7efe0a90 -> (null)
+0x058 AnsiCodePageData : 0x7efa0000 Void
+0x05c OemCodePageData : 0x7efa0000 Void
+0x060 UnicodeCaseTableData : 0x7efd0028 Void
+0x064 NumberOfProcessors : 4
+0x068 NtGlobalFlag : 0x70
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 1
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x77234760 -> 0x00270000 Void
+0x094 GdiSharedHandleTable : (null)
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0
+0x0a0 LoaderLock : 0x772320c0 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : 6
+0x0a8 OSMinorVersion : 1
+0x0ac OSBuildNumber : 0x1db1
+0x0ae OSCSDVersion : 0x100
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 5
+0x0bc ImageSubsystemMinorVersion : 1
+0x0c0 ActiveProcessAffinityMask : 0xf
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x77234248 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : (null)
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING "Service Pack 1"
+0x1f8 ActivationContextData : (null)
+0x1fc ProcessAssemblyStorageMap : (null)
+0x200 SystemDefaultActivationContextData : 0x00090000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : 0x00275f58 _ASSEMBLY_STORAGE_MAP
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : (null)
+0x210 FlsListHead : _LIST_ENTRY [ 0x7efde210 - 0x7efde210 ]
+0x218 FlsBitmap : 0x77234240 Void
+0x21c FlsBitmapBits : [4] 1
+0x22c FlsHighIndex : 0
+0x230 WerRegistrationData : (null)
+0x234 WerShipAssertPtr : (null)
+0x238 pContextData : 0x000e0000 Void
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)
But there doesn't seem to be an offset as large as 464h...
It depends on which system you are on. The PEB structure hasn't changed much, but the stuff at the end still differs a bit.
Reply #3 (LV2, RANK:10)
Thanks.
I'm on Win10, and I've also been wondering why the offset is this large.
Also, which DLL's symbol file is the _PEB symbol in? I'm also not quite clear about the modules loaded here:
0:000:x86> lm
start end module name
00aa0000 00abf000 CPP_LookUpCallKernell C (private pdb symbols) E:\VS_project\CPP_LookUpCallKernell\Debug\CPP_LookUpCallKernell.pdb
0f8c0000 0fa33000 ucrtbased (pdb symbols) e:\cc\ucrtbased.pdb\C3C357E16477406983DE76EB3EB41A312\ucrtbased.pdb
550e0000 550fc000 VCRUNTIME140D (private pdb symbols) e:\cc\vcruntime140d.i386.pdb\E4A012F66E4A4FC4BA4A2387FD6793DB1\vcruntime140d.i386.pdb
56d00000 56d08000 wow64cpu (pdb symbols) e:\cc\wow64cpu.pdb\666EBAE52A22494A8A142D6E8EE333791\wow64cpu.pdb
56d10000 56d60000 wow64 (pdb symbols) e:\cc\wow64.pdb\54C5F671CAD041FD90DE8A1E330886CC1\wow64.pdb
56d60000 56dda000 wow64win (pdb symbols) e:\cc\wow64win.pdb\EE103FD05A844EDF820E5EA220B798C41\wow64win.pdb
741c0000 74252000 apphelp (pdb symbols) e:\cc\apphelp.pdb\611DD7511DC74EB385827C209C704E4B1\apphelp.pdb
74780000 74860000 KERNEL32 (private pdb symbols) e:\cc\wkernel32.pdb\3886D90B46544A42B146E6AB1BF7A3781\wkernel32.pdb
756a0000 7581e000 KERNELBASE (pdb symbols) e:\cc\wkernelbase.pdb\5487284F31FA4704ACA66F46B1F0390A1\wkernelbase.pdb
77a40000 77bbb000 ntdll_77a40000 (private pdb symbols) e:\cc\wntdll.pdb\94FD57A20B2B4917A44938FAF1F214811\wntdll.pdb
f3c90000 f3e51000 ntdll (private pdb symbols) e:\cc\ntdll.pdb\BDAB16703FB64772AA5FE54FEBDE6F3F1\ntdll.pdb
I don't know why the module ntdll_77a40000 is shown like that.
Reply #4 (LV9, RANK:610)
The PEB structure is in ntdll. Your system is 64-bit, so a 32-bit process has two ntdll.dll modules, one 32-bit and one 64-bit. The ntdll_77a40000 you see is the 32-bit one, i.e. the one in the syswow64 directory.
Here is what I see on Win10; still no such offset as the one you mention.
0:000> dt _PEB 7fbb4000
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x4 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 IsPackagedProcess : 0y0
+0x003 IsAppContainer : 0y0
+0x003 IsProtectedProcessLight : 0y0
+0x003 SpareBits : 0y0
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00160000 Void
+0x00c Ldr : 0x774e9aa0 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x03930f68 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x03930000 Void
+0x01c FastPebLock : 0x774e98a0 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 3
+0x028 ProcessInJob : 0y1
+0x028 ProcessInitializing : 0y1
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ReservedBits0 : 0y000000000000000000000000000 (0)
+0x02c KernelCallbackTable : (null)
+0x02c UserSharedInfoPtr : (null)
+0x030 SystemReserved : [1] 0
+0x034 AtlThunkSListPtr32 : 0
+0x038 ApiSetMap : 0x03740000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x774e9a58 Void
+0x044 TlsBitmapBits : [2] 0x10001
+0x04c ReadOnlySharedMemoryBase : 0x7fa80000 Void
+0x050 SparePvoid0 : (null)
+0x054 ReadOnlyStaticServerData : 0x7fa804a0 -> (null)
+0x058 AnsiCodePageData : 0x7fb80000 Void
+0x05c OemCodePageData : 0x7fb80000 Void
+0x060 UnicodeCaseTableData : 0x7fbb0024 Void
+0x064 NumberOfProcessors : 1
+0x068 NtGlobalFlag : 0x70
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 2
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x774e85e0 -> 0x03930000 Void
+0x094 GdiSharedHandleTable : (null)
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0
+0x0a0 LoaderLock : 0x774e7410 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : 0xa
+0x0a8 OSMinorVersion : 0
+0x0ac OSBuildNumber : 0x2800
+0x0ae OSCSDVersion : 0
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 0xa
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ActiveProcessAffinityMask : 1
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x774e9a68 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : 0x037c0000 Void
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING ""
+0x1f8 ActivationContextData : 0x037b0000 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : 0x03933fa0 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : 0x037a0000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : (null)
+0x210 FlsListHead : _LIST_ENTRY [ 0x7fbb4210 - 0x7fbb4210 ]
+0x218 FlsBitmap : 0x774e9a80 Void
+0x21c FlsBitmapBits : [4] 1
+0x22c FlsHighIndex : 0
+0x230 WerRegistrationData : (null)
+0x234 WerShipAssertPtr : (null)
+0x238 pUnused : (null)
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 LibLoaderTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y00000000000000000000000000000 (0)
+0x248 CsrServerReadOnlySharedMemoryBase : 0x7f700000
Reply #5 (LV3, RANK:20)
See here.
On Win10 10586, WaitOnAddressHashTable also only reaches 0x45C.
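To make the lookup the replies above do by eye mechanical, here is an added example (not code posted by anyone in this thread): a small Python script that parses `dt` output lines of the form `+0xNNN Name : value` and reports which field, bitfield overlay or array element a raw offset such as 0x464 falls in, and whether it lies past the last field that dt listed. The embedded Win7 text is an excerpt of the dump in reply #2; the Win10 10586 tail is constructed from the 0x240/0x248 lines of reply #4's dump and reply #5's statement that WaitOnAddressHashTable starts at 0x45C, plus the assumption (not shown in this thread) that it is a 128-entry pointer array.

```python
"""Map a raw byte offset to a field in WinDbg `dt` output.

Added example for this thread, not code posted by any participant.
It parses lines exactly as `dt _PEB` prints them and answers the
question asked here: which field (or bitfield overlay, or array
element) does offset 0x464 fall in, and is it inside the structure?
"""
import re

# `+0x003 IsProtectedProcess : 0y0`  ->  offset, name, rest-of-line
_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")
_ARRAY = re.compile(r"^\[(\d+)\]")   # `[34] 0`  -> array of 34 elements
_BITS = re.compile(r"^0y[01]+")      # `0y1`     -> bitfield overlay

# Excerpt of the Win7 x86 dump from reply #2 (NOT the whole dump: lines
# between 0x00c and 0x068 and between 0x14c and 0x240 are omitted, so
# only query offsets whose neighbours are present, or feed a full dump).
WIN7_X86 = """\
0:000> dt _PEB 7efde000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged : 0x1 ''
   +0x003 BitField : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsLegacyProcess : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 SpareBits : 0y000
   +0x004 Mutant : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x00940000 Void
   +0x00c Ldr : 0x77230200 _PEB_LDR_DATA
   +0x068 NtGlobalFlag : 0x70
   +0x0c4 GdiHandleBuffer : [34] 0
   +0x14c PostProcessInitRoutine : (null)
   +0x240 TracingFlags : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0
   +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)
"""

# Constructed tail of a Win10 10586 x86 PEB: the 0x240/0x248 lines come
# from the Win10 dump in reply #4, the 0x45c line from reply #5; the
# element count of 128 is an ASSUMPTION taken from the known ntdll
# definition and is not shown anywhere in this thread.
WIN10_10586_TAIL = """\
   +0x240 TracingFlags : 0
   +0x248 CsrServerReadOnlySharedMemoryBase : 0x7f700000
   +0x45c WaitOnAddressHashTable : [128] (null)
"""


def parse_dt(text):
    """Return [(offset, name, is_bitfield, array_count)] in dump order."""
    fields = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:            # command echo, `ntdll!_PEB` header, blank lines
            continue
        off, name, rest = int(m.group(1), 16), m.group(2), m.group(3)
        arr = _ARRAY.match(rest)
        fields.append((off, name, bool(_BITS.match(rest)),
                       int(arr.group(1)) if arr else None))
    return fields


def field_at(fields, target, ptr_size=4):
    """Describe the field containing byte offset `target`.

    A field's size is the distance to the next distinct offset. dt prints
    no size for the last field, so there an array is assumed to hold
    pointer-sized elements and a scalar to be pointer-sized; size_known
    is False in that case and `dt -v` should be used to confirm.
    """
    offsets = sorted({f[0] for f in fields})
    if not offsets or target < offsets[0]:
        return None
    start = max(o for o in offsets if o <= target)
    later = [o for o in offsets if o > start]
    at_start = [f for f in fields if f[0] == start]
    _, name, _, count = at_start[0]          # first entry is the container
    overlays = [f[1] for f in at_start[1:]]  # bitfields / union members
    size_known = True
    if later:
        end = later[0]
    else:
        end = start + (count or 1) * ptr_size  # assumption, see docstring
        size_known = False
    delta = target - start
    index = delta // ((end - start) // count) if count else None
    return {"field": name, "start": start, "delta": delta, "index": index,
            "overlays": overlays, "past_end": target >= end,
            "size_known": size_known}


if __name__ == "__main__":
    for label, dump in (("Win7 x86", WIN7_X86),
                        ("Win10 10586 tail", WIN10_10586_TAIL)):
        print(label, hex(0x464), field_at(parse_dt(dump), 0x464))
```

Fed the full Win7 dump above it reports 0x464 as lying past TracingFlags, i.e. outside the structure, which is what replies #2 and #4 observed; fed the 10586 tail it lands on WaitOnAddressHashTable[2]. On a WOW64 target capture the dump against the 32-bit module's symbols, as reply #4 explains (dt ntdll_77a40000!_PEB <peb address>), and use dt -v on the type to get the structure's total size, which settles whether an offset is inside the PEB on your build.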
Reply #6 (LV2, RANK:10)
Thanks.
I was tracing an x86 program on a 64-bit machine and followed it into NTDll.dll. I was originally there to look at the system call, but this is what I ran into; the function I was tracing was CreateFile. I wasn't sure what this offset meant, and curiosity got the better of me.