[求助]谁知道fs:[18]+0xFB4是什么(已解决)-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]谁知道fs:[18]+0xFB4是什么(已解决)

发表于: 2006-12-27 11:56 10470

[求助]谁知道fs:[18]+0xFB4是什么(已解决)

skylly

2006-12-27 11:56

10470

最近在调一个程序，当它走完OnInitDialog后回来到user32.dll中，看到这样的代码，请问  byte ptr [ecx+FB4]处是什么？

77D18734       64:8B0D 1800000>mov    ecx, dword ptr fs:[18]
77D1873B       80A1 B40F0000 0>and    byte ptr [ecx+FB4], 0
77D18742       817C24 04 CDABB>cmp    dword ptr [esp+4], DCBAABCD
77D1874A       0F85 387C0200 jnz    77D40388
77D18750       83C4 08       add    esp, 8
77D18753       5B             pop    ebx
77D18754       5F             pop    edi
77D18755       5E             pop    esi
77D18756       5D             pop    ebp
77D18757       C2 1400       retn 14

[课程]Linux pwn 探索篇！

收藏・1

免费・0

支持

最新回复 (16)
RegKiller 雪币： 191 活跃值： (335) 能力值： ( LV9，RANK：450 ) 在线值：发帖 132 回帖 762 粉丝 2 关注私信	RegKiller 10 2 楼 byte ptr [ecx+FB4], 0 就是ecx+f4b地址中的内容相当与 p p代表指针，p就是指针指向的内容。 byte ptr 就是1个字节 2006-12-27 12:32 0
testttt 雪币： 209 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 118 粉丝 0 关注私信	testttt 3 楼最初由 RegKiller* 发布* byte ptr [ecx+FB4], 0 就是ecx+f4b地址中的内容相当与 p p代表指针，p就是指针指向的内容。 byte ptr 就是1个字节又来了一个搞笑高手 2006-12-27 12:39 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 4 楼最初由 RegKiller* 发布* byte ptr [ecx+FB4], 0 就是ecx+f4b地址中的内容相当与 p p代表指针，p就是指针指向的内容。 byte ptr 就是1个字节 2006-12-27 12:41 0
kanxue 雪币： 44229 活跃值： (19960) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 5 楼不懂 mov ecx, dword ptr fs:[18] //获得当前线程的TEB地址 TEB最大F88 typedef struct _TEB { // Size: 0xF88 /000/ NT_TIB NtTib; /01C/ VOID EnvironmentPointer; /020/ CLIENT_ID ClientId; // PROCESS id, THREAD id /028/ HANDLE ActiveRpcHandle; /02C/ VOID ThreadLocalStoragePointer; /030/ PEB ProcessEnvironmentBlock; // PEB …… /F7C/ ULONG Spare4; /F80/ ULONG ReservedForOle; /F84/ ULONG WaitingOnLoaderLock; } TEB, PTEB; 2006-12-27 13:01 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 6 楼很有可能我们拿到的文档不全。我手上的是这样子: PVOID ReservedForOle; ULONG WaitingOnLoaderLock; PVOID StackCommit; PVOID StackCommitMax; PVOID StackReserved; } TEB, *PTEB; 2006-12-27 13:09 0
堀北真希雪币： 207 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 8 回帖 403 粉丝 0 关注私信	堀北真希 1 7 楼从字面意思看仅仅是个标记当TRUE的时候,表示正在用户代码的消息循环中当FALSE的时候,表示用户代码处理完,回到user32的消息循环中 2006-12-27 13:14 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 8 楼 // // Thread Environment Block (TEB) // typedef struct _TEB { NT_TIB Tib; /* 00h / PVOID EnvironmentPointer; / 1Ch / CLIENT_ID Cid; / 20h / PVOID ActiveRpcHandle; / 28h / PVOID ThreadLocalStoragePointer; / 2Ch / struct _PEB ProcessEnvironmentBlock; /* 30h / ULONG LastErrorValue; / 34h / ULONG CountOfOwnedCriticalSections; / 38h / PVOID CsrClientThread; / 3Ch / struct _W32THREAD Win32ThreadInfo; /* 40h / ULONG User32Reserved[0x1A]; / 44h / ULONG UserReserved[5]; / ACh / PVOID WOW32Reserved; / C0h / LCID CurrentLocale; / C4h / ULONG FpSoftwareStatusRegister; / C8h / PVOID SystemReserved1[0x36]; / CCh / LONG ExceptionCode; / 1A4h / struct _ACTIVATION_CONTEXT_STACK ActivationContextStackPointer; /* 1A8h / UCHAR SpareBytes1[0x28]; / 1ACh / GDI_TEB_BATCH GdiTebBatch; / 1D4h / CLIENT_ID RealClientId; / 6B4h / PVOID GdiCachedProcessHandle; / 6BCh / ULONG GdiClientPID; / 6C0h / ULONG GdiClientTID; / 6C4h / PVOID GdiThreadLocalInfo; / 6C8h / ULONG Win32ClientInfo[62]; / 6CCh / PVOID glDispatchTable[0xE9]; / 7C4h / ULONG glReserved1[0x1D]; / B68h / PVOID glReserved2; / BDCh / PVOID glSectionInfo; / BE0h / PVOID glSection; / BE4h / PVOID glTable; / BE8h / PVOID glCurrentRC; / BECh / PVOID glContext; / BF0h / NTSTATUS LastStatusValue; / BF4h / UNICODE_STRING StaticUnicodeString; / BF8h / WCHAR StaticUnicodeBuffer[0x105]; / C00h / PVOID DeallocationStack; / E0Ch / PVOID TlsSlots[0x40]; / E10h / LIST_ENTRY TlsLinks; / F10h / PVOID Vdm; / F18h / PVOID ReservedForNtRpc; / F1Ch / PVOID DbgSsReserved[0x2]; / F20h / ULONG HardErrorDisabled; / F28h / PVOID Instrumentation[14]; / F2Ch / PVOID SubProcessTag; / F64h / PVOID EtwTraceData; / F68h / PVOID WinSockData; / F6Ch / ULONG GdiBatchCount; / F70h / BOOLEAN InDbgPrint; / F74h / BOOLEAN FreeStackOnTermination; / F75h / BOOLEAN HasFiberData; / F76h / UCHAR IdealProcessor; / F77h / ULONG GuaranteedStackBytes; / F78h / PVOID ReservedForPerf; / F7Ch / PVOID ReservedForOle; / F80h / ULONG WaitingOnLoaderLock; / F84h / ULONG SparePointer1; / F88h / ULONG SoftPatchPtr1; / F8Ch / ULONG SoftPatchPtr2; / F90h / PVOID TlsExpansionSlots; /* F94h / ULONG ImpersionationLocale; / F98h / ULONG IsImpersonating; / F9Ch / PVOID NlsCache; / FA0h / PVOID pShimData; / FA4h / ULONG HeapVirualAffinity; / FA8h / PVOID CurrentTransactionHandle; / FACh / PTEB_ACTIVE_FRAME ActiveFrame; / FB0h / PVOID FlsData; / FB4h / UCHAR SafeThunkCall; / FB8h / UCHAR BooleanSpare[3]; / FB9h / } TEB, PTEB; 2006-12-27 13:55 0
ViperDodge 雪币： 257 活跃值： (11) 能力值： ( LV4，RANK：50 ) 在线值：发帖 8 回帖 168 粉丝 0 关注私信	ViperDodge 1 9 楼真全，MSDN上写的只是这样的 typedef struct _TEB { BYTE Reserved1[1952]; PVOID Reserved2[412]; PVOID TlsSlots[64]; BYTE Reserved3[8]; PVOID Reserved4[26]; PVOID ReservedForOle; PVOID Reserved5[4]; PVOID TlsExpansionSlots; } TEB, *PTEB; 长度只有0F98 2006-12-27 14:03 0
xIkUg 雪币： 116 活跃值： (220) 能力值： ( LV12，RANK：370 ) 在线值：发帖 27 回帖 675 粉丝 4 关注私信	xIkUg 9 10 楼 heXer的结构是什么版本的操作系统上的？我的xp sp2在teb偏移0xfb4的地方是SafeThunkCall，有点出入 2006-12-27 14:21 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 21 关注私信	笨笨雄 14 11 楼全都是用WINDBG提取的结构信息？ 2006-12-27 14:56 0
xzchina 雪币： 615 活跃值： (1132) 能力值： ( LV4，RANK：50 ) 在线值：发帖 42 回帖 843 粉丝 0 关注私信	xzchina 1 12 楼 kd> dt nt!_teb nt!_TEB +0x000 NtTib : _NT_TIB +0x01c EnvironmentPointer : Ptr32 Void +0x020 ClientId : _CLIENT_ID +0x028 ActiveRpcHandle : Ptr32 Void +0x02c ThreadLocalStoragePointer : Ptr32 Void +0x030 ProcessEnvironmentBlock : Ptr32 _PEB +0x034 LastErrorValue : Uint4B +0x038 CountOfOwnedCriticalSections : Uint4B +0x03c CsrClientThread : Ptr32 Void +0x040 Win32ThreadInfo : Ptr32 Void +0x044 User32Reserved : [26] Uint4B +0x0ac UserReserved : [5] Uint4B +0x0c0 WOW32Reserved : Ptr32 Void +0x0c4 CurrentLocale : Uint4B +0x0c8 FpSoftwareStatusRegister : Uint4B +0x0cc SystemReserved1 : [54] Ptr32 Void +0x1a4 ExceptionCode : Int4B +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK +0x1bc SpareBytes1 : [24] UChar +0x1d4 GdiTebBatch : _GDI_TEB_BATCH +0x6b4 RealClientId : _CLIENT_ID +0x6bc GdiCachedProcessHandle : Ptr32 Void +0x6c0 GdiClientPID : Uint4B +0x6c4 GdiClientTID : Uint4B +0x6c8 GdiThreadLocalInfo : Ptr32 Void +0x6cc Win32ClientInfo : [62] Uint4B +0x7c4 glDispatchTable : [233] Ptr32 Void +0xb68 glReserved1 : [29] Uint4B +0xbdc glReserved2 : Ptr32 Void +0xbe0 glSectionInfo : Ptr32 Void +0xbe4 glSection : Ptr32 Void +0xbe8 glTable : Ptr32 Void +0xbec glCurrentRC : Ptr32 Void +0xbf0 glContext : Ptr32 Void +0xbf4 LastStatusValue : Uint4B +0xbf8 StaticUnicodeString : _UNICODE_STRING +0xc00 StaticUnicodeBuffer : [261] Uint2B +0xe0c DeallocationStack : Ptr32 Void +0xe10 TlsSlots : [64] Ptr32 Void +0xf10 TlsLinks : _LIST_ENTRY +0xf18 Vdm : Ptr32 Void +0xf1c ReservedForNtRpc : Ptr32 Void +0xf20 DbgSsReserved : [2] Ptr32 Void +0xf28 HardErrorsAreDisabled : Uint4B +0xf2c Instrumentation : [16] Ptr32 Void +0xf6c WinSockData : Ptr32 Void +0xf70 GdiBatchCount : Uint4B +0xf74 InDbgPrint : UChar +0xf75 FreeStackOnTermination : UChar +0xf76 HasFiberData : UChar +0xf77 IdealProcessor : UChar +0xf78 Spare3 : Uint4B +0xf7c ReservedForPerf : Ptr32 Void +0xf80 ReservedForOle : Ptr32 Void +0xf84 WaitingOnLoaderLock : Uint4B +0xf88 Wx86Thread : _Wx86ThreadState +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void +0xf98 ImpersonationLocale : Uint4B +0xf9c IsImpersonating : Uint4B +0xfa0 NlsCache : Ptr32 Void +0xfa4 pShimData : Ptr32 Void +0xfa8 HeapVirtualAffinity : Uint4B +0xfac CurrentTransactionHandle : Ptr32 Void +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME +0xfb4 SafeThunkCall : UChar +0xfb5 BooleanSpare : [3] UChar 0xfb4 SafeThunkCall : UChar 2006-12-27 17:22 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 13 楼我也不知道我贴的什么版本的，抄来的，看来有些偏差 2006-12-27 19:25 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 14 楼谢谢各位的回答，我在微软的lib库文件中找到了TEB的全部定义,和xzChina贴的基本一致。 2006-12-28 12:22 0
qiweixue 雪币： 258 活跃值： (230) 能力值： ( LV12，RANK：770 ) 在线值：发帖 47 回帖 1136 粉丝 3 关注私信	qiweixue 19 15 楼 Undocumented functions of NTDLL2OO1, 2 March TEB TEB typedef struct _TEB { NT_TIB Tib; PVOID EnvironmentPointer; CLIENT_ID Cid; PVOID ActiveRpcInfo; PVOID ThreadLocalStoragePointer; PPEB Peb; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; PVOID CsrClientThread; PVOID Win32ThreadInfo; ULONG Win32ClientInfo[0x1F]; PVOID WOW32Reserved; ULONG CurrentLocale; ULONG FpSoftwareStatusRegister; PVOID SystemReserved1[0x36]; PVOID Spare1; ULONG ExceptionCode; ULONG SpareBytes1[0x28]; PVOID SystemReserved2[0xA]; ULONG GdiRgn; ULONG GdiPen; ULONG GdiBrush; CLIENT_ID RealClientId; PVOID GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocaleInfo; PVOID UserReserved[5]; PVOID GlDispatchTable[0x118]; ULONG GlReserved1[0x1A]; PVOID GlReserved2; PVOID GlSectionInfo; PVOID GlSection; PVOID GlTable; PVOID GlCurrentRC; PVOID GlContext; NTSTATUS LastStatusValue; UNICODE_STRING StaticUnicodeString; WCHAR StaticUnicodeBuffer[0x105]; PVOID DeallocationStack; PVOID TlsSlots[0x40]; LIST_ENTRY TlsLinks; PVOID Vdm; PVOID ReservedForNtRpc; PVOID DbgSsReserved[0x2]; ULONG HardErrorDisabled; PVOID Instrumentation[0x10]; PVOID WinSockData; ULONG GdiBatchCount; ULONG Spare2; ULONG Spare3; ULONG Spare4; PVOID ReservedForOle; ULONG WaitingOnLoaderLock; PVOID StackCommit; PVOID StackCommitMax; PVOID StackReserved; } TEB, *PTEB; Structure TEB (Thread Environment Block) is memory block containing system variables placed in User-Mode memory. Every created thread have own TEB block. User can get address of TEB by call NtCurrentTeb function. -------------------------------------------------------------------------------- Tib Structure NT_TIB is avaiable in <WinNT.h> header file. EnvironmentPointer Cid ActiveRpcInfo ThreadLocalStoragePointer Peb Pointer to PEB structure contains Process Environment Block. LastErrorValue CountOfOwnedCriticalSections CsrClientThread Win32ThreadInfo Win32ClientInfo[0x1F] WOW32Reserved CurrentLocale FpSoftwareStatusRegister SystemReserved1[0x36] Spare1 ExceptionCode SpareBytes1[0x28] SystemReserved2[0xA] GdiRgn GdiPen GdiBrush RealClientId GdiCachedProcessHandle GdiClientPID GdiClientTID GdiThreadLocaleInfo UserReserved[5] GlDispatchTable[0x118] GlReserved1[0x1A] GlReserved2 GlSectionInfo GlSection GlTable GlCurrentRC GlContext LastStatusValue StaticUnicodeString StaticUnicodeBuffer[0x105] DeallocationStack TlsSlots[0x40] TlsLinks Vdm ReservedForNtRpc DbgSsReserved[0x2] HardErrorDisabled Instrumentation[0x10] WinSockData GdiBatchCount Spare2 Spare3 Spare4 ReservedForOle WaitingOnLoaderLock StackCommit StackCommitMax StackReserved Documented by: Reactos Tomasz Nowak Requirements: Library: ntdll.lib See also: NtCurrentTeb PEB THREAD_BASIC_INFORMATION 在nt.lib中找到的 .text:00000026 public __stdcall NtCurrentTeb() .text:00000026 __stdcall NtCurrentTeb() proc near .text:00000026 mov eax, large fs:18h .text:0000002C retn .text:0000002C .text:0000002C __stdcall NtCurrentTeb() endp .text:0000002C .text:0000002C _text ends TEB 全部结构我没有在ntdll.lib中各个的obj找到.是否在其他lib, ntdll.lib版本：xp,sp2 存放路径：WINDDK\3790.1830\lib\wxp\i386 skylly能否解释一下. 2006-12-28 13:52 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 16 楼 AUX_ULIB.lib 附安装文件。上传的附件： auxlib32.rar （133.06kb，12次下载） 2006-12-28 14:16 0
qiweixue 雪币： 258 活跃值： (230) 能力值： ( LV12，RANK：770 ) 在线值：发帖 47 回帖 1136 粉丝 3 关注私信	qiweixue 19 17 楼速度好块,多谢skylly兄. 签名暂时禁用_____________________________@ 2006-12-28 14:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

skylly

发帖

1087

回帖

170

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (16)
RegKiller 雪币： 191 活跃值： (335) 能力值： ( LV9，RANK：450 ) 在线值：发帖 132 回帖 762 粉丝 2 关注私信	RegKiller 10 2 楼 byte ptr [ecx+FB4], 0 就是ecx+f4b地址中的内容相当与 p p代表指针，p就是指针指向的内容。 byte ptr 就是1个字节 2006-12-27 12:32 0
testttt 雪币： 209 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 118 粉丝 0 关注私信	testttt 3 楼最初由 RegKiller* 发布* byte ptr [ecx+FB4], 0 就是ecx+f4b地址中的内容相当与 p p代表指针，p就是指针指向的内容。 byte ptr 就是1个字节又来了一个搞笑高手 2006-12-27 12:39 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 4 楼最初由 RegKiller* 发布* byte ptr [ecx+FB4], 0 就是ecx+f4b地址中的内容相当与 p p代表指针，p就是指针指向的内容。 byte ptr 就是1个字节 2006-12-27 12:41 0
kanxue 雪币： 44229 活跃值： (19960) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 5 楼不懂 mov ecx, dword ptr fs:[18] //获得当前线程的TEB地址 TEB最大F88 typedef struct _TEB { // Size: 0xF88 /000/ NT_TIB NtTib; /01C/ VOID EnvironmentPointer; /020/ CLIENT_ID ClientId; // PROCESS id, THREAD id /028/ HANDLE ActiveRpcHandle; /02C/ VOID ThreadLocalStoragePointer; /030/ PEB ProcessEnvironmentBlock; // PEB …… /F7C/ ULONG Spare4; /F80/ ULONG ReservedForOle; /F84/ ULONG WaitingOnLoaderLock; } TEB, PTEB; 2006-12-27 13:01 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 6 楼很有可能我们拿到的文档不全。我手上的是这样子: PVOID ReservedForOle; ULONG WaitingOnLoaderLock; PVOID StackCommit; PVOID StackCommitMax; PVOID StackReserved; } TEB, *PTEB; 2006-12-27 13:09 0
堀北真希雪币： 207 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 8 回帖 403 粉丝 0 关注私信	堀北真希 1 7 楼从字面意思看仅仅是个标记当TRUE的时候,表示正在用户代码的消息循环中当FALSE的时候,表示用户代码处理完,回到user32的消息循环中 2006-12-27 13:14 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 8 楼 // // Thread Environment Block (TEB) // typedef struct _TEB { NT_TIB Tib; /* 00h / PVOID EnvironmentPointer; / 1Ch / CLIENT_ID Cid; / 20h / PVOID ActiveRpcHandle; / 28h / PVOID ThreadLocalStoragePointer; / 2Ch / struct _PEB ProcessEnvironmentBlock; /* 30h / ULONG LastErrorValue; / 34h / ULONG CountOfOwnedCriticalSections; / 38h / PVOID CsrClientThread; / 3Ch / struct _W32THREAD Win32ThreadInfo; /* 40h / ULONG User32Reserved[0x1A]; / 44h / ULONG UserReserved[5]; / ACh / PVOID WOW32Reserved; / C0h / LCID CurrentLocale; / C4h / ULONG FpSoftwareStatusRegister; / C8h / PVOID SystemReserved1[0x36]; / CCh / LONG ExceptionCode; / 1A4h / struct _ACTIVATION_CONTEXT_STACK ActivationContextStackPointer; /* 1A8h / UCHAR SpareBytes1[0x28]; / 1ACh / GDI_TEB_BATCH GdiTebBatch; / 1D4h / CLIENT_ID RealClientId; / 6B4h / PVOID GdiCachedProcessHandle; / 6BCh / ULONG GdiClientPID; / 6C0h / ULONG GdiClientTID; / 6C4h / PVOID GdiThreadLocalInfo; / 6C8h / ULONG Win32ClientInfo[62]; / 6CCh / PVOID glDispatchTable[0xE9]; / 7C4h / ULONG glReserved1[0x1D]; / B68h / PVOID glReserved2; / BDCh / PVOID glSectionInfo; / BE0h / PVOID glSection; / BE4h / PVOID glTable; / BE8h / PVOID glCurrentRC; / BECh / PVOID glContext; / BF0h / NTSTATUS LastStatusValue; / BF4h / UNICODE_STRING StaticUnicodeString; / BF8h / WCHAR StaticUnicodeBuffer[0x105]; / C00h / PVOID DeallocationStack; / E0Ch / PVOID TlsSlots[0x40]; / E10h / LIST_ENTRY TlsLinks; / F10h / PVOID Vdm; / F18h / PVOID ReservedForNtRpc; / F1Ch / PVOID DbgSsReserved[0x2]; / F20h / ULONG HardErrorDisabled; / F28h / PVOID Instrumentation[14]; / F2Ch / PVOID SubProcessTag; / F64h / PVOID EtwTraceData; / F68h / PVOID WinSockData; / F6Ch / ULONG GdiBatchCount; / F70h / BOOLEAN InDbgPrint; / F74h / BOOLEAN FreeStackOnTermination; / F75h / BOOLEAN HasFiberData; / F76h / UCHAR IdealProcessor; / F77h / ULONG GuaranteedStackBytes; / F78h / PVOID ReservedForPerf; / F7Ch / PVOID ReservedForOle; / F80h / ULONG WaitingOnLoaderLock; / F84h / ULONG SparePointer1; / F88h / ULONG SoftPatchPtr1; / F8Ch / ULONG SoftPatchPtr2; / F90h / PVOID TlsExpansionSlots; /* F94h / ULONG ImpersionationLocale; / F98h / ULONG IsImpersonating; / F9Ch / PVOID NlsCache; / FA0h / PVOID pShimData; / FA4h / ULONG HeapVirualAffinity; / FA8h / PVOID CurrentTransactionHandle; / FACh / PTEB_ACTIVE_FRAME ActiveFrame; / FB0h / PVOID FlsData; / FB4h / UCHAR SafeThunkCall; / FB8h / UCHAR BooleanSpare[3]; / FB9h / } TEB, PTEB; 2006-12-27 13:55 0
ViperDodge 雪币： 257 活跃值： (11) 能力值： ( LV4，RANK：50 ) 在线值：发帖 8 回帖 168 粉丝 0 关注私信	ViperDodge 1 9 楼真全，MSDN上写的只是这样的 typedef struct _TEB { BYTE Reserved1[1952]; PVOID Reserved2[412]; PVOID TlsSlots[64]; BYTE Reserved3[8]; PVOID Reserved4[26]; PVOID ReservedForOle; PVOID Reserved5[4]; PVOID TlsExpansionSlots; } TEB, *PTEB; 长度只有0F98 2006-12-27 14:03 0
xIkUg 雪币： 116 活跃值： (220) 能力值： ( LV12，RANK：370 ) 在线值：发帖 27 回帖 675 粉丝 4 关注私信	xIkUg 9 10 楼 heXer的结构是什么版本的操作系统上的？我的xp sp2在teb偏移0xfb4的地方是SafeThunkCall，有点出入 2006-12-27 14:21 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 21 关注私信	笨笨雄 14 11 楼全都是用WINDBG提取的结构信息？ 2006-12-27 14:56 0
xzchina 雪币： 615 活跃值： (1132) 能力值： ( LV4，RANK：50 ) 在线值：发帖 42 回帖 843 粉丝 0 关注私信	xzchina 1 12 楼 kd> dt nt!_teb nt!_TEB +0x000 NtTib : _NT_TIB +0x01c EnvironmentPointer : Ptr32 Void +0x020 ClientId : _CLIENT_ID +0x028 ActiveRpcHandle : Ptr32 Void +0x02c ThreadLocalStoragePointer : Ptr32 Void +0x030 ProcessEnvironmentBlock : Ptr32 _PEB +0x034 LastErrorValue : Uint4B +0x038 CountOfOwnedCriticalSections : Uint4B +0x03c CsrClientThread : Ptr32 Void +0x040 Win32ThreadInfo : Ptr32 Void +0x044 User32Reserved : [26] Uint4B +0x0ac UserReserved : [5] Uint4B +0x0c0 WOW32Reserved : Ptr32 Void +0x0c4 CurrentLocale : Uint4B +0x0c8 FpSoftwareStatusRegister : Uint4B +0x0cc SystemReserved1 : [54] Ptr32 Void +0x1a4 ExceptionCode : Int4B +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK +0x1bc SpareBytes1 : [24] UChar +0x1d4 GdiTebBatch : _GDI_TEB_BATCH +0x6b4 RealClientId : _CLIENT_ID +0x6bc GdiCachedProcessHandle : Ptr32 Void +0x6c0 GdiClientPID : Uint4B +0x6c4 GdiClientTID : Uint4B +0x6c8 GdiThreadLocalInfo : Ptr32 Void +0x6cc Win32ClientInfo : [62] Uint4B +0x7c4 glDispatchTable : [233] Ptr32 Void +0xb68 glReserved1 : [29] Uint4B +0xbdc glReserved2 : Ptr32 Void +0xbe0 glSectionInfo : Ptr32 Void +0xbe4 glSection : Ptr32 Void +0xbe8 glTable : Ptr32 Void +0xbec glCurrentRC : Ptr32 Void +0xbf0 glContext : Ptr32 Void +0xbf4 LastStatusValue : Uint4B +0xbf8 StaticUnicodeString : _UNICODE_STRING +0xc00 StaticUnicodeBuffer : [261] Uint2B +0xe0c DeallocationStack : Ptr32 Void +0xe10 TlsSlots : [64] Ptr32 Void +0xf10 TlsLinks : _LIST_ENTRY +0xf18 Vdm : Ptr32 Void +0xf1c ReservedForNtRpc : Ptr32 Void +0xf20 DbgSsReserved : [2] Ptr32 Void +0xf28 HardErrorsAreDisabled : Uint4B +0xf2c Instrumentation : [16] Ptr32 Void +0xf6c WinSockData : Ptr32 Void +0xf70 GdiBatchCount : Uint4B +0xf74 InDbgPrint : UChar +0xf75 FreeStackOnTermination : UChar +0xf76 HasFiberData : UChar +0xf77 IdealProcessor : UChar +0xf78 Spare3 : Uint4B +0xf7c ReservedForPerf : Ptr32 Void +0xf80 ReservedForOle : Ptr32 Void +0xf84 WaitingOnLoaderLock : Uint4B +0xf88 Wx86Thread : _Wx86ThreadState +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void +0xf98 ImpersonationLocale : Uint4B +0xf9c IsImpersonating : Uint4B +0xfa0 NlsCache : Ptr32 Void +0xfa4 pShimData : Ptr32 Void +0xfa8 HeapVirtualAffinity : Uint4B +0xfac CurrentTransactionHandle : Ptr32 Void +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME +0xfb4 SafeThunkCall : UChar +0xfb5 BooleanSpare : [3] UChar 0xfb4 SafeThunkCall : UChar 2006-12-27 17:22 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 13 楼我也不知道我贴的什么版本的，抄来的，看来有些偏差 2006-12-27 19:25 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 14 楼谢谢各位的回答，我在微软的lib库文件中找到了TEB的全部定义,和xzChina贴的基本一致。 2006-12-28 12:22 0
qiweixue 雪币： 258 活跃值： (230) 能力值： ( LV12，RANK：770 ) 在线值：发帖 47 回帖 1136 粉丝 3 关注私信	qiweixue 19 15 楼 Undocumented functions of NTDLL2OO1, 2 March TEB TEB typedef struct _TEB { NT_TIB Tib; PVOID EnvironmentPointer; CLIENT_ID Cid; PVOID ActiveRpcInfo; PVOID ThreadLocalStoragePointer; PPEB Peb; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; PVOID CsrClientThread; PVOID Win32ThreadInfo; ULONG Win32ClientInfo[0x1F]; PVOID WOW32Reserved; ULONG CurrentLocale; ULONG FpSoftwareStatusRegister; PVOID SystemReserved1[0x36]; PVOID Spare1; ULONG ExceptionCode; ULONG SpareBytes1[0x28]; PVOID SystemReserved2[0xA]; ULONG GdiRgn; ULONG GdiPen; ULONG GdiBrush; CLIENT_ID RealClientId; PVOID GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocaleInfo; PVOID UserReserved[5]; PVOID GlDispatchTable[0x118]; ULONG GlReserved1[0x1A]; PVOID GlReserved2; PVOID GlSectionInfo; PVOID GlSection; PVOID GlTable; PVOID GlCurrentRC; PVOID GlContext; NTSTATUS LastStatusValue; UNICODE_STRING StaticUnicodeString; WCHAR StaticUnicodeBuffer[0x105]; PVOID DeallocationStack; PVOID TlsSlots[0x40]; LIST_ENTRY TlsLinks; PVOID Vdm; PVOID ReservedForNtRpc; PVOID DbgSsReserved[0x2]; ULONG HardErrorDisabled; PVOID Instrumentation[0x10]; PVOID WinSockData; ULONG GdiBatchCount; ULONG Spare2; ULONG Spare3; ULONG Spare4; PVOID ReservedForOle; ULONG WaitingOnLoaderLock; PVOID StackCommit; PVOID StackCommitMax; PVOID StackReserved; } TEB, *PTEB; Structure TEB (Thread Environment Block) is memory block containing system variables placed in User-Mode memory. Every created thread have own TEB block. User can get address of TEB by call NtCurrentTeb function. -------------------------------------------------------------------------------- Tib Structure NT_TIB is avaiable in <WinNT.h> header file. EnvironmentPointer Cid ActiveRpcInfo ThreadLocalStoragePointer Peb Pointer to PEB structure contains Process Environment Block. LastErrorValue CountOfOwnedCriticalSections CsrClientThread Win32ThreadInfo Win32ClientInfo[0x1F] WOW32Reserved CurrentLocale FpSoftwareStatusRegister SystemReserved1[0x36] Spare1 ExceptionCode SpareBytes1[0x28] SystemReserved2[0xA] GdiRgn GdiPen GdiBrush RealClientId GdiCachedProcessHandle GdiClientPID GdiClientTID GdiThreadLocaleInfo UserReserved[5] GlDispatchTable[0x118] GlReserved1[0x1A] GlReserved2 GlSectionInfo GlSection GlTable GlCurrentRC GlContext LastStatusValue StaticUnicodeString StaticUnicodeBuffer[0x105] DeallocationStack TlsSlots[0x40] TlsLinks Vdm ReservedForNtRpc DbgSsReserved[0x2] HardErrorDisabled Instrumentation[0x10] WinSockData GdiBatchCount Spare2 Spare3 Spare4 ReservedForOle WaitingOnLoaderLock StackCommit StackCommitMax StackReserved Documented by: Reactos Tomasz Nowak Requirements: Library: ntdll.lib See also: NtCurrentTeb PEB THREAD_BASIC_INFORMATION 在nt.lib中找到的 .text:00000026 public __stdcall NtCurrentTeb() .text:00000026 __stdcall NtCurrentTeb() proc near .text:00000026 mov eax, large fs:18h .text:0000002C retn .text:0000002C .text:0000002C __stdcall NtCurrentTeb() endp .text:0000002C .text:0000002C _text ends TEB 全部结构我没有在ntdll.lib中各个的obj找到.是否在其他lib, ntdll.lib版本：xp,sp2 存放路径：WINDDK\3790.1830\lib\wxp\i386 skylly能否解释一下. 2006-12-28 13:52 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 16 楼 AUX_ULIB.lib 附安装文件。上传的附件： auxlib32.rar （133.06kb，12次下载） 2006-12-28 14:16 0
qiweixue 雪币： 258 活跃值： (230) 能力值： ( LV12，RANK：770 ) 在线值：发帖 47 回帖 1136 粉丝 3 关注私信	qiweixue 19 17 楼速度好块,多谢skylly兄. 签名暂时禁用_____________________________@ 2006-12-28 14:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复