PEB / TEB の覚書

2017年7月21日

TEB アドレスの取得

mov eax,fs:[00000018h]

テーブルの内容

//
// Thread Environment Block (TEB)
//
typedef struct _TEB
{
NT_TIB Tib;                             /* 00h */ 
    EXCEPTION_REGISTRATION *ExceptionList;      //0x0000
void *StackBase;          //0x0004
void *StackLimit;         //0x0008
void *SubSystemTib;       //0x000C
void *FiberData;          //0x0010
//DWORD Version;          //0x0010
void* ArbitraryUserPointer; //0x0014
TEB* Self;                              //0x0018
    PVOID EnvironmentPointer;               /* 1Ch */
CLIENT_ID Cid;                          /* 20h */
PVOID ActiveRpcHandle;                  /* 28h */
PVOID ThreadLocalStoragePointer;        /* 2Ch */
struct _PEB *ProcessEnvironmentBlock;   /* 30h */
ULONG LastErrorValue;                   /* 34h */
ULONG CountOfOwnedCriticalSections;     /* 38h */
PVOID CsrClientThread;                  /* 3Ch */
PVOID Win32ThreadInfo;                  /* 40h */
ULONG User32Reserved[0x1A];             /* 44h */
ULONG UserReserved[5];                  /* ACh */
PVOID WOW32Reserved;                    /* C0h */
LCID CurrentLocale;                     /* C4h */
ULONG FpSoftwareStatusRegister;         /* C8h */
PVOID SystemReserved1[0x36];            /* CCh */
LONG ExceptionCode;                     /* 1A4h */
struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */
UCHAR SpareBytes1[0x28];                /* 1ACh */
GDI_TEB_BATCH GdiTebBatch;              /* 1D4h */
CLIENT_ID RealClientId;                 /* 6B4h */
PVOID GdiCachedProcessHandle;           /* 6BCh */
ULONG GdiClientPID;                     /* 6C0h */
ULONG GdiClientTID;                     /* 6C4h */
PVOID GdiThreadLocalInfo;               /* 6C8h */
ULONG Win32ClientInfo[62];              /* 6CCh */
PVOID glDispatchTable[0xE9];            /* 7C4h */
ULONG glReserved1[0x1D];                /* B68h */
PVOID glReserved2;                      /* BDCh */
PVOID glSectionInfo;                    /* BE0h */
PVOID glSection;                        /* BE4h */
PVOID glTable;                          /* BE8h */
PVOID glCurrentRC;                      /* BECh */
PVOID glContext;                        /* BF0h */
NTSTATUS LastStatusValue;               /* BF4h */
UNICODE_STRING StaticUnicodeString;     /* BF8h */
WCHAR StaticUnicodeBuffer[0x105];       /* C00h */
PVOID DeallocationStack;                /* E0Ch */
PVOID TlsSlots[0x40];                   /* E10h */
LIST_ENTRY TlsLinks;                    /* F10h */
PVOID Vdm;                              /* F18h */
PVOID ReservedForNtRpc;                 /* F1Ch */
PVOID DbgSsReserved[0x2];               /* F20h */
ULONG HardErrorDisabled;                /* F28h */
PVOID Instrumentation[14];              /* F2Ch */
PVOID SubProcessTag;                    /* F64h */
PVOID EtwTraceData;                     /* F68h */
PVOID WinSockData;                      /* F6Ch */
ULONG GdiBatchCount;                    /* F70h */
BOOLEAN InDbgPrint;                     /* F74h */
BOOLEAN FreeStackOnTermination;         /* F75h */
BOOLEAN HasFiberData;                   /* F76h */
UCHAR IdealProcessor;                   /* F77h */
ULONG GuaranteedStackBytes;             /* F78h */
PVOID ReservedForPerf;                  /* F7Ch */
PVOID ReservedForOle;                   /* F80h */
ULONG WaitingOnLoaderLock;              /* F84h */
//    Wx86ThreadState Wx86Thread;         /* F88h */
    ULONG SparePointer1;                    /* F88h */
ULONG SoftPatchPtr1;                    /* F8Ch */
ULONG SoftPatchPtr2;                    /* F90h */
PVOID *TlsExpansionSlots;               /* F94h */
ULONG ImpersionationLocale;             /* F98h */
ULONG IsImpersonating;                  /* F9Ch */
PVOID NlsCache;                         /* FA0h */
//W2k

    PVOID pShimData;                        /* FA4h */
ULONG HeapVirualAffinity;               /* FA8h */
PVOID CurrentTransactionHandle;         /* FACh */
PTEB_ACTIVE_FRAME ActiveFrame;          /* FB0h */
PVOID FlsData;                          /* FB4h */
UCHAR SafeThunkCall;                    /* FB8h */
UCHAR BooleanSpare[3];                  /* FB9h */ 
//XP
/*
     PVOID FlsData;
PVOID PreferredLanguages;
PVOID UserPrefLanguages;
PVOID MergedPrefLanguages;
ULONG MuiImpersonation;
WORD CrossTebFlags;
ULONG SpareCrossTebBits: 16;
WORD SameTebFlags;
ULONG DbgSafeThunkCall: 1;
ULONG DbgInDebugPrint: 1;
ULONG DbgHasFiberData: 1;
ULONG DbgSkipThreadAttach: 1;
ULONG DbgWerInShipAssertCode: 1;
ULONG DbgRanProcessInit: 1;
ULONG DbgClonedThread: 1;
ULONG DbgSuppressDebugMsg: 1;
ULONG SpareSameTebBits: 8;
PVOID TxnScopeEnterCallback;
PVOID TxnScopeExitCallback;
     DWORD LockCount;                                  //0x0FD8
DWORD SpareUlong0;                                //0x0FDC (Win7-Win8)
void* ResourceRetValue;                           //0x0FE0 (Win7+)
*/
 } TEB, *PTEB;

typedef struct _Wx86ThreadState {
    PULONG  CallBx86Eip;
    PVOID   DeallocationCpu;
    UCHAR   UseKnownWx86Dll; // 0x8
    UCHAR   OleStubInvoked; // 0x9
} Wx86ThreadState, *PWx86ThreadState;

typedef struct _W32THREAD
{
    PETHREAD pEThread;
    ULONG RefCount;
    PTL ptlW32;
    PVOID pgdiDcattr;
    PVOID pgdiBrushAttr;
    PVOID pUMPDObjs;
    PVOID pUMPDHeap;
    DWORD dwEngAcquireCount;
    PVOID pSemTable;
    PVOID pUMPDObj;
} W32THREAD, *PW32THREAD;

BYTE* / Undocumented 32-bit PEB and TEB Structures

PEB(Process Environment Block)

PEB アドレスの取得

mov eax,fs:[00000018h] // TEB取得
mov eax,[eax+30]

または

mov eax,fs:[00000030h]

テーブルの内容

typedef struct _PEB
{
UCHAR InheritedAddressSpace;                     /* 00h */
UCHAR ReadImageFileExecOptions;                  /* 01h */
UCHAR BeingDebugged;                             /* 02h */
BOOLEAN SpareBool;                               /* 03h */
HANDLE Mutant;                                   /* 04h */
PVOID ImageBaseAddress;                          /* 08h */
PPEB_LDR_DATA Ldr;                               /* 0Ch */
struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;  /* 10h */
PVOID SubSystemData;                             /* 14h */
PVOID ProcessHeap;                               /* 18h */
PVOID FastPebLock;                               /* 1Ch */
PPEBLOCKROUTINE FastPebLockRoutine;              /* 20h */
PPEBLOCKROUTINE FastPebUnlockRoutine;            /* 24h */
ULONG EnvironmentUpdateCount;                    /* 28h */
PVOID* KernelCallbackTable;                      /* 2Ch */
PVOID EventLogSection;                           /* 30h */
PVOID EventLog;                                  /* 34h */
PPEB_FREE_BLOCK FreeList;                        /* 38h */
ULONG TlsExpansionCounter;                       /* 3Ch */
PVOID TlsBitmap;                                 /* 40h */
ULONG TlsBitmapBits[0x2];                        /* 44h */
PVOID ReadOnlySharedMemoryBase;                  /* 4Ch */
PVOID ReadOnlySharedMemoryHeap;                  /* 50h */
PVOID* ReadOnlyStaticServerData;                 /* 54h */
PVOID AnsiCodePageData;                          /* 58h */
PVOID OemCodePageData;                           /* 5Ch */
PVOID UnicodeCaseTableData;                      /* 60h */
ULONG NumberOfProcessors;                        /* 64h */
ULONG NtGlobalFlag;                              /* 68h */
LARGE_INTEGER CriticalSectionTimeout;            /* 70h */
ULONG HeapSegmentReserve;                        /* 78h */
ULONG HeapSegmentCommit;                         /* 7Ch */
ULONG HeapDeCommitTotalFreeThreshold;            /* 80h */
ULONG HeapDeCommitFreeBlockThreshold;            /* 84h */
ULONG NumberOfHeaps;                             /* 88h */
ULONG MaximumNumberOfHeaps;                      /* 8Ch */
PVOID* ProcessHeaps;                             /* 90h */
PVOID GdiSharedHandleTable;                      /* 94h */
PVOID ProcessStarterHelper;                      /* 98h */
PVOID GdiDCAttributeList;                        /* 9Ch */
PVOID LoaderLock;                                /* A0h */
ULONG OSMajorVersion;                            /* A4h */
ULONG OSMinorVersion;                            /* A8h */
USHORT OSBuildNumber;                            /* ACh */
USHORT OSCSDVersion;                             /* AEh */
ULONG OSPlatformId;                              /* B0h */
ULONG ImageSubSystem;                            /* B4h */
ULONG ImageSubSystemMajorVersion;                /* B8h */
ULONG ImageSubSystemMinorVersion;                /* BCh */
ULONG ImageProcessAffinityMask;                  /* C0h */
ULONG GdiHandleBuffer[0x22];                     /* C4h */
PVOID PostProcessInitRoutine;                    /* 14Ch */
struct _RTL_BITMAP *TlsExpansionBitmap;          /* 150h */
ULONG TlsExpansionBitmapBits[0x20];              /* 154h */
ULONG SessionId;                                 /* 1D4h */
PVOID AppCompatInfo;                             /* 1D8h */
UNICODE_STRING CSDVersion;                       /* 1DCh */
} PEB, *PPEB;

利用可能な TEBのサイズ

SUB_L004D7F4C:
        push   esi
       push   edi
       mov   edi,[esp+0Ch]
       push   edi
       call   KeAttachProcess
       push   00000FA4h
       push   edi
       call   SUB_L004D7D9A
       mov   esi,eax
       xor   edx,edx
       or   dword ptr [esi],FFFFFFFFh
       mov   [esi+0Ch],edx
       mov   dword ptr [esi+10h],00001E00h

Win2000 SP4

SUB_L004AE0F5:
       push   00000014h
       push   L00423B50
       call   SUB_L0040BDF3
       mov   esi,[ebp+08h]
       push   esi
       call   KeAttachProcess
       lea   eax,[ebp-1Ch]
       push   eax
       push   00000FB8h
       push   esi
       call   SUB_L004AE20F
       mov   edi,eax
       test   edi,edi
       jl    L005256DA
       and   dword ptr [ebp-04h],00000000h
       mov   eax,[ebp-1Ch]
       or   dword ptr [eax],FFFFFFFFh
       mov   eax,[ebp-1Ch]
       mov   dword ptr [eax+10h],00001E00h

XP SP3

SUB_L006600D7:
       push   0000002Ch
       push   L0044D160
       call   SUB_L00454C60
       mov   edi,ecx
       mov   ebx,[ebp+0Ch]
       lea   eax,[ebp-3Ch]
       push   eax
       push   [ebp+08h]
       call   KeStackAttachProcess
       lea   eax,[ebp-20h]
       push   eax
       push   00000FE4h
       push   00000000h
       push   [ebp+08h]
       call   SUB_L00618BDF
       mov   [ebp+0Ch],eax
       test   eax,eax
       jge   L0066011F
       lea   eax,[ebp-3Ch]
       push   eax
       call   KeUnstackDetachProcess
       mov   eax,[ebp+0Ch]
       jmp   L006601ED
L0066011F:
       and   dword ptr [ebp-04h],00000000h
       mov   esi,[ebp-20h]
       or   dword ptr [esi],FFFFFFFFh
       mov   dword ptr [esi+10h],00001E00h

Win7SP1

コメントを残すコメントをキャンセル

Word Press の Search Regexと言うPluginで記事及びコメントがロストしました。
記事はおおよそ復旧できましたが、2023年7月に書き込まれたコメントのうち消えてしまったものの復旧が不可能です
2023年5月のルート証明書の更新プログラムのインストールチェックに不具合があり、インストールに成功してもエラーが表示される問題がありましたのでファイルを差し替えました

PEB / TEB の覚書

おすすめ

コメントを残すコメントをキャンセル

重要なお知らせ

Article Search

Recent Articles

Article Archives

Comments

Google Search

category

Calendar

お知らせ

おすすめリンク

Information

Windows 2000 おすすめ記事

2017年7月
月	火	水	木	金	土	日
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

PEB / TEB の覚書

おすすめ

【Win2000/XP/2003用】アプリを特定しないOSバージョン偽装ツール

woff2をttf に変換してみた

BLUE PROTOCOL の負荷テスト参加。アプリがスタックオーバーフローで起動できなかった件

コメントを残す コメントをキャンセル

重要なお知らせ

Article Search

Recent Articles

Article Archives

Comments

Google Search

category

Calendar

お知らせ

おすすめリンク

Information

Windows 2000 おすすめ記事

コメントを残すコメントをキャンセル