PEB / TEB の覚書

TEB(Thread Environment Block)

TEB アドレスの取得

          mov    eax,fs:[00000018h]        ; eax = TEB: fs:[18h] is NT_TIB.Self, the TEB's own linear address (see the TEB listing below)

テーブルの内容

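//
// Thread Environment Block (TEB) -- 32-bit (x86) layout.
//
// fs:[18h] (NT_TIB.Self) yields the address of this structure; the offsets in
// the trailing comments are bytes from that address, with 4-byte pointers.
//
// NT_TIB occupies 00h-1Bh and is declared once, as `Tib`. Its members are
// spelled out below as a comment only: declaring them a second time next to
// `Tib` would push every later member down by 1Ch and break the listed
// offsets (EnvironmentPointer really is at 1Ch).
//
//     EXCEPTION_REGISTRATION *ExceptionList;   /* 00h */
//     void *StackBase;                         /* 04h */
//     void *StackLimit;                        /* 08h */
//     void *SubSystemTib;                      /* 0Ch */
//     void *FiberData;                         /* 10h */  // also listed as DWORD Version
//     void *ArbitraryUserPointer;              /* 14h */
//     struct _TEB *Self;                       /* 18h */
//
// The "ends here" markers between the blocks appear to record where the TEB
// ended on each OS generation; the kernel listings further down push sizes
// that line up with them (0FA4h, 0FB8h, 0FE4h).
//
typedef struct _TEB
{
    NT_TIB Tib;                                                      /* 00h */  // through 1Bh, see above
    PVOID EnvironmentPointer;                                        /* 1Ch */
    CLIENT_ID Cid;                                                   /* 20h */
    PVOID ActiveRpcHandle;                                           /* 28h */
    PVOID ThreadLocalStoragePointer;                                 /* 2Ch */
    struct _PEB *ProcessEnvironmentBlock;                            /* 30h */  // what fs:[30h] reads
    ULONG LastErrorValue;                                            /* 34h */
    ULONG CountOfOwnedCriticalSections;                              /* 38h */
    PVOID CsrClientThread;                                           /* 3Ch */
    PVOID Win32ThreadInfo;                                           /* 40h */
    ULONG User32Reserved[0x1A];                                      /* 44h */
    ULONG UserReserved[5];                                           /* ACh */
    PVOID WOW32Reserved;                                             /* C0h */
    LCID CurrentLocale;                                              /* C4h */
    ULONG FpSoftwareStatusRegister;                                  /* C8h */
    PVOID SystemReserved1[0x36];                                     /* CCh */
    LONG ExceptionCode;                                              /* 1A4h */
    struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */
    UCHAR SpareBytes1[0x28];                                         /* 1ACh */
    GDI_TEB_BATCH GdiTebBatch;                                       /* 1D4h */  // 4E0h bytes, by the next offset
    CLIENT_ID RealClientId;                                          /* 6B4h */
    PVOID GdiCachedProcessHandle;                                    /* 6BCh */
    ULONG GdiClientPID;                                              /* 6C0h */
    ULONG GdiClientTID;                                              /* 6C4h */
    PVOID GdiThreadLocalInfo;                                        /* 6C8h */
    ULONG Win32ClientInfo[62];                                       /* 6CCh */
    PVOID glDispatchTable[0xE9];                                     /* 7C4h */
    ULONG glReserved1[0x1D];                                         /* B68h */
    PVOID glReserved2;                                               /* BDCh */
    PVOID glSectionInfo;                                             /* BE0h */
    PVOID glSection;                                                 /* BE4h */
    PVOID glTable;                                                   /* BE8h */
    PVOID glCurrentRC;                                               /* BECh */
    PVOID glContext;                                                 /* BF0h */
    NTSTATUS LastStatusValue;                                        /* BF4h */
    UNICODE_STRING StaticUnicodeString;                              /* BF8h */
    WCHAR StaticUnicodeBuffer[0x105];                                /* C00h */  // 20Ah bytes + 2 bytes padding
    PVOID DeallocationStack;                                         /* E0Ch */
    PVOID TlsSlots[0x40];                                            /* E10h */
    LIST_ENTRY TlsLinks;                                             /* F10h */
    PVOID Vdm;                                                       /* F18h */
    PVOID ReservedForNtRpc;                                          /* F1Ch */
    PVOID DbgSsReserved[0x2];                                        /* F20h */
    ULONG HardErrorDisabled;                                         /* F28h */
    PVOID Instrumentation[14];                                       /* F2Ch */
    PVOID SubProcessTag;                                             /* F64h */
    PVOID EtwTraceData;                                              /* F68h */
    PVOID WinSockData;                                               /* F6Ch */
    ULONG GdiBatchCount;                                             /* F70h */
    BOOLEAN InDbgPrint;                                              /* F74h */
    BOOLEAN FreeStackOnTermination;                                  /* F75h */
    BOOLEAN HasFiberData;                                            /* F76h */
    UCHAR IdealProcessor;                                            /* F77h */
    ULONG GuaranteedStackBytes;                                      /* F78h */
    PVOID ReservedForPerf;                                           /* F7Ch */
    PVOID ReservedForOle;                                            /* F80h */
    ULONG WaitingOnLoaderLock;                                       /* F84h */
    /* Wx86ThreadState Wx86Thread;                                      F88h -- commented out in the original; typedef given below */
    ULONG SparePointer1;                                             /* F88h */
    ULONG SoftPatchPtr1;                                             /* F8Ch */
    ULONG SoftPatchPtr2;                                             /* F90h */
    PVOID *TlsExpansionSlots;                                        /* F94h */
    ULONG ImpersionationLocale;                                      /* F98h */  // sic -- usually spelled ImpersonationLocale
    ULONG IsImpersonating;                                           /* F9Ch */
    PVOID NlsCache;                                                  /* FA0h */
    /* ---- Windows 2000 appears to end here: NlsCache ends at FA4h, and the
       Win2000 SP4 listing below pushes 0FA4h ---- */
    PVOID pShimData;                                                 /* FA4h */
    ULONG HeapVirualAffinity;                                        /* FA8h */  // sic -- usually spelled HeapVirtualAffinity
    PVOID CurrentTransactionHandle;                                  /* FACh */
    PTEB_ACTIVE_FRAME ActiveFrame;                                   /* FB0h */
    PVOID FlsData;                                                   /* FB4h */
    UCHAR SafeThunkCall;                                             /* FB8h */
    UCHAR BooleanSpare[3];                                           /* FB9h */
    /* ---- Windows XP appears to end here (BooleanSpare ends at FBCh; the
       XP SP3 listing below pushes 0FB8h, the end of FlsData) ---- */
    /*
     * Later versions continue with the members below (offsets only where the
     * original gave them):
     *
     *     PVOID FlsData;
     *     PVOID PreferredLanguages;
     *     PVOID UserPrefLanguages;
     *     PVOID MergedPrefLanguages;
     *     ULONG MuiImpersonation;
     *     WORD CrossTebFlags;
     *     ULONG SpareCrossTebBits: 16;
     *     WORD SameTebFlags;
     *     ULONG DbgSafeThunkCall: 1;
     *     ULONG DbgInDebugPrint: 1;
     *     ULONG DbgHasFiberData: 1;
     *     ULONG DbgSkipThreadAttach: 1;
     *     ULONG DbgWerInShipAssertCode: 1;
     *     ULONG DbgRanProcessInit: 1;
     *     ULONG DbgClonedThread: 1;
     *     ULONG DbgSuppressDebugMsg: 1;
     *     ULONG SpareSameTebBits: 8;
     *     PVOID TxnScopeEnterCallback;
     *     PVOID TxnScopeExitCallback;
     *     DWORD LockCount;               // 0FD8h
     *     DWORD SpareUlong0;             // 0FDCh (Win7-Win8)
     *     void* ResourceRetValue;        // 0FE0h (Win7+) -- ends at 0FE4h, the size the Win7 SP1 listing below pushes
     */
} TEB, *PTEB;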

// Wx86ThreadState -- the member the TEB listing above shows commented out at
// F88h. 32-bit layout: 0x8 and 0x9 are from the original; 0x0 and 0x4 follow
// from the two 4-byte pointers that precede them.
typedef struct _Wx86ThreadState {
PULONG CallBx86Eip; // 0x0
PVOID DeallocationCpu; // 0x4
UCHAR UseKnownWx86Dll; // 0x8
UCHAR OleStubInvoked; // 0x9
} Wx86ThreadState, *PWx86ThreadState;

// W32THREAD -- per-thread record as listed; its first member is a PETHREAD, so
// this is presumably a kernel-side (win32k) structure rather than user-mode TEB
// data. The original gives no offsets for it and none are added here.
// NOTE(review): TEB.Win32ThreadInfo (40h) looks like the pointer to one of these
// -- confirm before relying on it.
typedef struct _W32THREAD
{
PETHREAD pEThread;
ULONG RefCount;
PTL ptlW32;
PVOID pgdiDcattr;
PVOID pgdiBrushAttr;
PVOID pUMPDObjs;
PVOID pUMPDHeap;
DWORD dwEngAcquireCount;
PVOID pSemTable;
PVOID pUMPDObj;
} W32THREAD, *PW32THREAD;

参考: BYTE* / Undocumented 32-bit PEB and TEB Structures

PEB(Process Environment Block)

PEB アドレスの取得

          mov    eax,fs:[00000018h] // TEB取得
          mov    eax,[eax+30]

または

          mov    eax,fs:[00000030h]        ; eax = PEB: TEB.ProcessEnvironmentBlock (30h) read straight through fs, no TEB load needed

テーブルの内容

//
// Process Environment Block (PEB) -- 32-bit (x86) layout as listed.
//
// Reached from the TEB: TEB+30h (ProcessEnvironmentBlock) holds its address,
// which is why `mov eax,fs:[00000030h]` above works without loading the TEB
// first. Offsets are bytes from the start of the PEB with 4-byte pointers and
// handles (Ldr at 0Ch directly follows the PVOID at 08h), so they apply to
// 32-bit processes of the OS generation this table was taken from only.
//
typedef struct _PEB
{
UCHAR InheritedAddressSpace;                     /* 00h */
UCHAR ReadImageFileExecOptions;                  /* 01h */
// BeingDebugged: the name suggests a debugger-attached flag; its exact
// semantics are not shown on this page -- confirm against the OS build.
UCHAR BeingDebugged;                             /* 02h */
BOOLEAN SpareBool;                               /* 03h */
HANDLE Mutant;                                   /* 04h */
PVOID ImageBaseAddress;                          /* 08h */
PPEB_LDR_DATA Ldr;                               /* 0Ch */
struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;  /* 10h */
PVOID SubSystemData;                             /* 14h */
PVOID ProcessHeap;                               /* 18h */
PVOID FastPebLock;                               /* 1Ch */
PPEBLOCKROUTINE FastPebLockRoutine;              /* 20h */
PPEBLOCKROUTINE FastPebUnlockRoutine;            /* 24h */
ULONG EnvironmentUpdateCount;                    /* 28h */
PVOID* KernelCallbackTable;                      /* 2Ch */
PVOID EventLogSection;                           /* 30h */
PVOID EventLog;                                  /* 34h */
PPEB_FREE_BLOCK FreeList;                        /* 38h */
ULONG TlsExpansionCounter;                       /* 3Ch */
PVOID TlsBitmap;                                 /* 40h */
// TlsBitmapBits[2]: 8 bytes, 44h..4Bh.
ULONG TlsBitmapBits[0x2];                        /* 44h */
PVOID ReadOnlySharedMemoryBase;                  /* 4Ch */
PVOID ReadOnlySharedMemoryHeap;                  /* 50h */
PVOID* ReadOnlyStaticServerData;                 /* 54h */
PVOID AnsiCodePageData;                          /* 58h */
PVOID OemCodePageData;                           /* 5Ch */
PVOID UnicodeCaseTableData;                      /* 60h */
ULONG NumberOfProcessors;                        /* 64h */
ULONG NtGlobalFlag;                              /* 68h */
// 6Ch-6Fh is padding: LARGE_INTEGER is 8-byte aligned, so the next member
// lands on 70h rather than 6Ch.
LARGE_INTEGER CriticalSectionTimeout;            /* 70h */
ULONG HeapSegmentReserve;                        /* 78h */
ULONG HeapSegmentCommit;                         /* 7Ch */
ULONG HeapDeCommitTotalFreeThreshold;            /* 80h */
ULONG HeapDeCommitFreeBlockThreshold;            /* 84h */
ULONG NumberOfHeaps;                             /* 88h */
ULONG MaximumNumberOfHeaps;                      /* 8Ch */
PVOID* ProcessHeaps;                             /* 90h */
PVOID GdiSharedHandleTable;                      /* 94h */
PVOID ProcessStarterHelper;                      /* 98h */
PVOID GdiDCAttributeList;                        /* 9Ch */
PVOID LoaderLock;                                /* A0h */
ULONG OSMajorVersion;                            /* A4h */
ULONG OSMinorVersion;                            /* A8h */
// Two USHORTs share the dword at ACh.
USHORT OSBuildNumber;                            /* ACh */
USHORT OSCSDVersion;                             /* AEh */
ULONG OSPlatformId;                              /* B0h */
ULONG ImageSubSystem;                            /* B4h */
ULONG ImageSubSystemMajorVersion;                /* B8h */
ULONG ImageSubSystemMinorVersion;                /* BCh */
ULONG ImageProcessAffinityMask;                  /* C0h */
// GdiHandleBuffer[0x22]: 0x22 * 4 = 88h bytes, C4h..14Bh, hence the jump to 14Ch.
ULONG GdiHandleBuffer[0x22];                     /* C4h */
PVOID PostProcessInitRoutine;                    /* 14Ch */
struct _RTL_BITMAP *TlsExpansionBitmap;          /* 150h */
// TlsExpansionBitmapBits[0x20]: 80h bytes, 154h..1D3h.
ULONG TlsExpansionBitmapBits[0x20];              /* 154h */
ULONG SessionId;                                 /* 1D4h */
PVOID AppCompatInfo;                             /* 1D8h */
UNICODE_STRING CSDVersion;                       /* 1DCh */
} PEB, *PPEB;

利用可能な TEBのサイズ

 SUB_L004D7F4C:                               ; captioned "Win2000 SP4" below; the author truncates the listing before the epilogue
          push    esi                         ; callee-saved; esi will hold the new TEB
          push    edi                         ; callee-saved; edi will hold the target process
          mov    edi,[esp+0Ch]                ; first stack argument (2 pushes + return address = 0Ch)
          push    edi
          call    KeAttachProcess             ; KeAttachProcess(process): switch to the target's address space
          push    00000FA4h                   ; 0FA4h = end of NlsCache (FA0h + 4) in the TEB listing above
          push    edi
          call    SUB_L004D7D9A               ; presumably allocates 0FA4h bytes in that process and returns the address -- confirm
          mov    esi,eax                      ; esi = new TEB
          xor    edx,edx
          or    dword ptr [esi],FFFFFFFFh     ; TEB+00h ExceptionList = -1 (presumably the end-of-chain sentinel)
          mov    [esi+0Ch],edx                ; TEB+0Ch SubSystemTib = 0
          mov    dword ptr [esi+10h],00001E00h ; TEB+10h FiberData / Version = 1E00h

上記: Win2000 SP4

 SUB_L004AE0F5:                               ; captioned "XP SP3" below; ebp-framed, truncated by the author before the epilogue
          push    00000014h
          push    L00423B50
          call    SUB_L0040BDF3               ; presumably an SEH frame-setup helper (frame size 14h, scope table L00423B50) -- confirm
          mov    esi,[ebp+08h]                ; first argument = target process
          push    esi
          call    KeAttachProcess             ; switch to the target's address space
          lea    eax,[ebp-1Ch]                ; &local; the callee writes the allocated address here
          push    eax
          push    00000FB8h                   ; 0FB8h = end of FlsData (FB4h + 4) in the TEB listing above
          push    esi
          call    SUB_L004AE20F               ; presumably allocates 0FB8h bytes in the process, address -> [ebp-1Ch] -- confirm
          mov    edi,eax                      ; edi = status
          test    edi,edi
          jl     L005256DA                    ; negative status = failure, leave without touching the TEB
          and    dword ptr [ebp-04h],00000000h ; presumably try-level = 0 for the frame set up above
          mov    eax,[ebp-1Ch]                ; eax = new TEB
          or    dword ptr [eax],FFFFFFFFh     ; TEB+00h ExceptionList = -1 (presumably the end-of-chain sentinel)
          mov    eax,[ebp-1Ch]
          mov    dword ptr [eax+10h],00001E00h ; TEB+10h FiberData / Version = 1E00h

上記: XP SP3

 SUB_L006600D7:                               ; captioned "Win7SP1" below; ebp-framed, truncated by the author after the success path
          push    0000002Ch
          push    L0044D160
          call    SUB_L00454C60               ; presumably an SEH frame-setup helper (frame size 2Ch, scope table L0044D160) -- confirm
          mov    edi,ecx                      ; ecx arrives live -- presumably a register argument; confirm
          mov    ebx,[ebp+0Ch]                ; second stack argument
          lea    eax,[ebp-3Ch]                ; &apc_state, shared by the attach below and the detach on the failure path
          push    eax
          push    [ebp+08h]                   ; first argument = target process
          call    KeStackAttachProcess        ; KeStackAttachProcess(process, &apc_state)
          lea    eax,[ebp-20h]                ; &local; the callee writes the allocated address here
          push    eax
          push    00000FE4h                   ; 0FE4h = end of ResourceRetValue (0FE0h + 4) in the Win7+ fields above
          push    00000000h
          push    [ebp+08h]
          call    SUB_L00618BDF               ; presumably allocates 0FE4h bytes in the process, address -> [ebp-20h] -- confirm
          mov    [ebp+0Ch],eax                ; status parked in the second-argument slot (value already copied to ebx)
          test    eax,eax
          jge    L0066011F                    ; success: fall into the TEB initialisation
          lea    eax,[ebp-3Ch]
          push    eax
          call    KeUnstackDetachProcess      ; failure: detach with the same apc_state ...
          mov    eax,[ebp+0Ch]
          jmp    L006601ED                    ; ... and return the failure status (target presumably the common epilogue)
 L0066011F:
          and    dword ptr [ebp-04h],00000000h ; presumably try-level = 0 for the frame set up above
          mov    esi,[ebp-20h]                ; esi = new TEB
          or    dword ptr [esi],FFFFFFFFh     ; TEB+00h ExceptionList = -1 (presumably the end-of-chain sentinel)
          mov    dword ptr [esi+10h],00001E00h ; TEB+10h FiberData / Version = 1E00h

上記: Win7 SP1
