This article is reposted from: http://blog.csdn.net/hgy413/article/details/8490918
Debugger users often need to see which command-line arguments were used to start the debug target. That information is stored in the PEB and can be obtained with !peb; this command parses the PEB and prints the complete command line, the locations of all loaded DLLs, the environment variables, and so on.
0:000> !peb
PEB at 7ffdf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 008f0000
Ldr 77847880
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00312798 . 0036bd70
Ldr.InLoadOrderModuleList: 003126f8 . 0036bd60
Ldr.InMemoryOrderModuleList: 00312700 . 0036bd68
Base TimeStamp Module
8f0000 4ce7979d Nov 20 17:40:45 2010 C:\Windows\System32\calc.exe
77770000 4ec49b60 Nov 17 13:28:00 2011 C:\windows\SYSTEM32\ntdll.dll
77490000 506dbd3e Oct 05 00:45:50 2012 C:\windows\system32\kernel32.dll
75a30000 506dbd3f Oct 05 00:45:51 2012 C:\windows\system32\KERNELBASE.dll
76240000 4fd2d1d9 Jun 09 12:32:25 2012 C:\windows\system32\SHELL32.dll
75c30000 4eeaf722 Dec 16 15:45:38 2011 C:\windows\system32\msvcrt.dll
76e90000 4ce7b9e2 Nov 20 20:06:58 2010 C:\windows\system32\SHLWAPI.dll
75be0000 4ce7b80a Nov 20 19:59:06 2010 C:\windows\system32\GDI32.dll
76020000 4ce7ba26 Nov 20 20:08:06 2010 C:\windows\system32\USER32.dll
758e0000 4a5bda19 Jul 14 09:06:33 2009 C:\Windows\System32\LPK.dll
75f60000 4ce7ba29 Nov 20 20:08:09 2010 C:\windows\system32\USP10.dll
74090000 4f9235ab Apr 21 12:20:59 2012 C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
77200000 4ce7b96f Nov 20 20:05:03 2010 C:\windows\system32\ole32.dll
773e0000 4ce7b9a2 Nov 20 20:05:54 2010 C:\windows\system32\RPCRT4.dll
75df0000 4ce7b706 Nov 20 19:54:46 2010 C:\windows\system32\ADVAPI32.dll
76000000 4a5bdb04 Jul 14 09:10:28 2009 C:\windows\SYSTEM32\sechost.dll
770f0000 4e58702a Aug 27 12:18:50 2011 C:\windows\system32\OLEAUT32.dll
745c0000 4a5bdb38 Jul 14 09:11:20 2009 C:\Windows\System32\UxTheme.dll
74220000 4ce7b71c Nov 20 19:55:08 2010 C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
73710000 4ce7ba42 Nov 20 20:08:34 2010 C:\Windows\System32\WINMM.dll
74ea0000 4a5bdb2b Jul 14 09:11:07 2009 C:\Windows\System32\VERSION.dll
778b0000 4ce7b845 Nov 20 20:00:05 2010 C:\windows\system32\IMM32.DLL
75e90000 4a5bda69 Jul 14 09:07:53 2009 C:\windows\system32\MSCTF.dll
73d30000 4ce7ba3a Nov 20 20:08:26 2010 C:\Windows\System32\WindowsCodecs.dll
651e0000 50910787 Oct 31 19:12:07 2012 C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT
75de0000 4a5bdace Jul 14 09:09:34 2009 C:\windows\system32\PSAPI.DLL
75ce0000 508b7cf0 Oct 27 14:19:28 2012 C:\windows\system32\WININET.dll
76100000 508b7cdb Oct 27 14:19:07 2012 C:\windows\system32\urlmon.dll
75a80000 4fc99664 Jun 02 12:28:20 2012 C:\windows\system32\CRYPT32.dll
75940000 4ce7b8c9 Nov 20 20:02:17 2010 C:\windows\system32\MSASN1.dll
77570000 508b7ba3 Oct 27 14:13:55 2012 C:\windows\system32\iertutil.dll
757f0000 4ce7b73e Nov 20 19:55:42 2010 C:\Windows\System32\apphelp.dll
73900000 3b7d84df Aug 18 04:55:59 2001 C:\windows\system32\JPWB.IME
77180000 4ce7b82d Nov 20 19:59:41 2010 C:\windows\system32\comdlg32.dll
73e60000 4a5bda07 Jul 14 09:06:15 2009 C:\Windows\System32\dwmapi.dll
75840000 4a5bbf41 Jul 14 07:12:01 2009 C:\Windows\System32\CRYPTBASE.dll
778d0000 4a5bd9b1 Jul 14 09:04:49 2009 C:\windows\system32\CLBCatQ.DLL
10000000 4ffa45cd Jul 09 10:45:33 2012 C:\Users\guoyouhuang\AppData\Local\Youdao\Dict\Application\5.1.36.3166\WordStrokeHelper32.dll
73610000 4e587028 Aug 27 12:18:48 2011 C:\Windows\system32\oleacc.dll
SubSystemData: 00000000
ProcessHeap: 00310000
ProcessParameters: 00311b48
WindowTitle: 'C:\Windows\System32\calc.exe'
ImageFile: 'C:\Windows\System32\calc.exe'
CommandLine: 'C:\Windows\System32\calc.exe'
DllPath: 'C:\Windows\System32;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\'
Environment: 00310810
=::=::\
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\guoyouhuang\AppData\Roaming
Basemake=D:\Program Files\Microsoft SDK\Include\BKOffice.Mak
Bkoffice=D:\Program Files\Microsoft SDK\.
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GUOYOUHUANG-PC0
ComSpec=C:\windows\system32\cmd.exe
configsetroot=C:\windows\ConfigSetRoot
DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (June 2010)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\guoyouhuang
INCLUDE=D:\Program Files\Microsoft SDK\Include\.;D:\Program Files\VC98\atl\include;D:\Program Files\VC98\mfc\include;D:\Program Files\VC98\include
INETSDK=D:\Program Files\Microsoft SDK\.
LIB=D:\Program Files\Microsoft SDK\Lib\.;D:\Program Files\VC98\mfc\lib;D:\Program Files\VC98\lib
LOCALAPPDATA=C:\Users\guoyouhuang\AppData\Local
LOGONSERVER=\\GM-CADILLAC
MSDevDir=D:\Program Files\Vc6\MSDev98
MSSdk=D:\Program Files\Microsoft SDK\.
Mstools=D:\Program Files\Microsoft SDK\.
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PSModulePath=C:\windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\windows
TEMP=C:\Users\GUOYOU~1\AppData\Local\Temp
TMP=C:\Users\GUOYOU~1\AppData\Local\Temp
USERDNSDOMAIN=TENCENT.COM
USERDOMAIN=TENCENT
USERNAME=guoyouhuang
USERPROFILE=C:\Users\guoyouhuang
VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
windir=C:\windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
Now let's analyze it by hand:
Start directly with Ldr:
+0x00c Ldr : 0x77847880 _PEB_LDR_DATA
0:000> dt 0x77847880 _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
+0x000 Length : 0x30
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3126f8 - 0x36bd60 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x312700 - 0x36bd68 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x312798 - 0x36bd70 ]
+0x024 EntryInProgress : (null)
+0x028 ShutdownInProgress : 0 ''
+0x02c ShutdownThreadId : (null)
Compare with the !peb output:
Ldr 77847880
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00312798 . 0036bd70
Ldr.InLoadOrderModuleList: 003126f8 . 0036bd60
Ldr.InMemoryOrderModuleList: 00312700 . 0036bd68
Identical~~~~ (if they were not, something would be wrong!)
Why are there three lists? They link the same entries, only in a different order.
The _LIST_ENTRY structure looks like this:
0:000> dt _LIST_ENTRY
ntdll!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
MSDN explains it as:
"Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure", so it is a doubly linked circular list: start in one direction, keep following the links, and you come back to where you started, which amounts to one complete traversal.
0:000> dt _LDR_DATA_TABLE_ENTRY
ole32!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void
+0x01c EntryPoint : Ptr32 Void
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING
+0x02c BaseDllName : _UNICODE_STRING
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT
+0x04c PatchInformation : Ptr32 Void
+0x050 ForwarderLinks : _LIST_ENTRY
+0x058 ServiceTagLinks : _LIST_ENTRY
+0x060 StaticLinks : _LIST_ENTRY
+0x068 ContextInformation : Ptr32 Void
+0x06c OriginalBase : Uint4B
+0x070 LoadTime : _LARGE_INTEGER
You can see that the structure begins with a _LIST_ENTRY.
Let's walk the list once:
0:000> dt 0x77847880+0x00c _LIST_ENTRY
ole32!_LIST_ENTRY
[ 0x3126f8 - 0x36bd60 ]
+0x000 Flink : 0x003126f8 _LIST_ENTRY [ 0x312788 - 0x7784788c ]
+0x004 Blink : 0x0036bd60 _LIST_ENTRY [ 0x7784788c - 0x354a80 ]
Compare with what was shown above:
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3126f8 - 0x36bd60 ]
You can see that windbg shows Flink and Blink in the brackets after the type, so let's follow Flink around the loop:
0:000> dt _LDR_DATA_TABLE_ENTRY 0x003126f8
ole32!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312788 - 0x7784788c ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312790 - 0x77847894 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0x008f0000
+0x01c EntryPoint : 0x00902d6c
+0x020 SizeOfImage : 0xc0000
+0x024 FullDllName : _UNICODE_STRING "C:\Windows\System32\calc.exe"
+0x02c BaseDllName : _UNICODE_STRING "calc.exe"
+0x034 Flags : 0x4000
+0x038 LoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x31382c - 0x7784a6a8 ]
+0x03c SectionPointer : 0x0031382c
+0x040 CheckSum : 0x7784a6a8
+0x044 TimeDateStamp : 0x4ce7979d
+0x044 LoadedImports : 0x4ce7979d
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x312748 - 0x312748 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312750 - 0x312750 ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x315768 - 0x313cf0 ]
+0x068 ContextInformation : 0x777e0534
+0x06c OriginalBase : 0
+0x070 LoadTime : _LARGE_INTEGER 0x0
0:000> dt _LDR_DATA_TABLE_ENTRY 0x312788
ole32!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312ab0 - 0x3126f8 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312ab8 - 0x312700 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x312bd8 - 0x7784789c ]
+0x018 DllBase : 0x77770000
+0x01c EntryPoint : (null)
+0x020 SizeOfImage : 0x13c000
+0x024 FullDllName : _UNICODE_STRING "C:\windows\SYSTEM32\ntdll.dll"
+0x02c BaseDllName : _UNICODE_STRING "ntdll.dll"
+0x034 Flags : 0x4004
+0x038 LoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x32384c - 0x7784a680 ]
+0x03c SectionPointer : 0x0032384c
+0x040 CheckSum : 0x7784a680
+0x044 TimeDateStamp : 0x4ec49b60
+0x044 LoadedImports : 0x4ec49b60
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x3127d8 - 0x3127d8 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x3127e0 - 0x3127e0 ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x3127e8 - 0x3127e8 ]
+0x068 ContextInformation : (null)
+0x06c OriginalBase : 0x77ec0000
+0x070 LoadTime : _LARGE_INTEGER 0x0
0:000> dt _LDR_DATA_TABLE_ENTRY 0x312ab0
ole32!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x312bc8 - 0x312788 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x312bd0 - 0x312790 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x3134e0 - 0x312bd8 ]
+0x018 DllBase : 0x77490000
+0x01c EntryPoint : 0x774dcd6f
+0x020 SizeOfImage : 0xd4000
+0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\kernel32.dll"
+0x02c BaseDllName : _UNICODE_STRING "kernel32.dll"
+0x034 Flags : 0x84004
+0x038 LoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x31558c - 0x7784a640 ]
+0x03c SectionPointer : 0x0031558c
+0x040 CheckSum : 0x7784a640
+0x044 TimeDateStamp : 0x506dbd3e
+0x044 LoadedImports : 0x506dbd3e
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x3136b8 - 0x3136b8 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312b08 - 0x312b08 ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x312c80 - 0x312b40 ]
+0x068 ContextInformation : 0x777e0534
+0x06c OriginalBase : 0x77de0000
+0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea902171
0:000> dt _LDR_DATA_TABLE_ENTRY 0x312bc8
ole32!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3133e8 - 0x312ab0 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3133f0 - 0x312ab8 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x312ac0 - 0x312798 ]
+0x018 DllBase : 0x75a30000
+0x01c EntryPoint : 0x75a37e90
+0x020 SizeOfImage : 0x4b000
+0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\KERNELBASE.dll"
+0x02c BaseDllName : _UNICODE_STRING "KERNELBASE.dll"
+0x034 Flags : 0x84004
+0x038 LoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x31ba9c - 0x7784a690 ]
+0x03c SectionPointer : 0x0031ba9c
+0x040 CheckSum : 0x7784a690
+0x044 TimeDateStamp : 0x506dbd3f
+0x044 LoadedImports : 0x506dbd3f
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x312c18 - 0x312c18 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x312c20 - 0x312c20 ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x312c58 - 0x312c58 ]
+0x068 ContextInformation : 0x777e0534
+0x06c OriginalBase : 0xdce0000
+0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea902171
0:000> dt _LDR_DATA_TABLE_ENTRY 0x3133e8
ole32!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3134d0 - 0x312bc8 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3134d8 - 0x312bd0 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x314578 - 0x3136f0 ]
+0x018 DllBase : 0x76240000
+0x01c EntryPoint : 0x762c1621
+0x020 SizeOfImage : 0xc4a000
+0x024 FullDllName : _UNICODE_STRING "C:\windows\system32\SHELL32.dll"
+0x02c BaseDllName : _UNICODE_STRING "SHELL32.dll"
+0x034 Flags : 0xc4004
+0x038 LoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x316554 - 0x7784a688 ]
+0x03c SectionPointer : 0x00316554
+0x040 CheckSum : 0x7784a688
+0x044 TimeDateStamp : 0x4fd2d1d9
+0x044 LoadedImports : 0x4fd2d1d9
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x313438 - 0x313438 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x313440 - 0x313440 ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x313cc8 - 0x3135d8 ]
+0x068 ContextInformation : 0x777e0534
+0x06c OriginalBase : 0x73800000
+0x070 LoadTime : _LARGE_INTEGER 0x1cdef13`ea9282d2
Compare with the !peb output:
8f0000 4ce7979d Nov 20 17:40:45 2010 C:\Windows\System32\calc.exe
77770000 4ec49b60 Nov 17 13:28:00 2011 C:\windows\SYSTEM32\ntdll.dll
77490000 506dbd3e Oct 05 00:45:50 2012 C:\windows\system32\kernel32.dll
75a30000 506dbd3f Oct 05 00:45:51 2012 C:\windows\system32\KERNELBASE.dll
76240000 4fd2d1d9 Jun 09 12:32:25 2012 C:\windows\system32\SHELL32.dll
Of course they are the same~~~
The next step is how to get the process command line directly: note the offset at PEB+0x10:
+0x010 ProcessParameters : 0x00311b48 _RTL_USER_PROCESS_PARAMETERS
Try dt on it:
0:000> dt 0x00311b48 _RTL_USER_PROCESS_PARAMETERS
ole32!_RTL_USER_PROCESS_PARAMETERS
+0x000 MaximumLength : 0xaf2
+0x004 Length : 0xaf2
+0x008 Flags : 0x2001
+0x00c DebugFlags : 0
+0x010 ConsoleHandle : (null)
+0x014 ConsoleFlags : 0
+0x018 StandardInput : (null)
+0x01c StandardOutput : (null)
+0x020 StandardError : (null)
+0x024 CurrentDirectory : _CURDIR
+0x030 DllPath : _UNICODE_STRING "C:\Windows\System32;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\TortoiseSVN\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;D:\Program Files\Vc6\Tools\WinNT;D:\Program Files\Vc6\MSDev98\Bin;D:\Program Files\Vc6\Tools;D:\Program Files\VC98\bin;D:\Program Files\Microsoft SDK\Bin\.;D:\Program Files\Microsoft SDK\Bin\WinNT\.;C:\Program Files\IDM Computer Solutions\UltraCompare\"
+0x038 ImagePathName : _UNICODE_STRING "C:\Windows\System32\calc.exe"
+0x040 CommandLine : _UNICODE_STRING "C:\Windows\System32\calc.exe"
+0x048 Environment : 0x00310810
+0x04c StartingX : 0
+0x050 StartingY : 0
+0x054 CountX : 0
+0x058 CountY : 0
+0x05c CountCharsX : 0
+0x060 CountCharsY : 0
+0x064 FillAttribute : 0
+0x068 WindowFlags : 0
+0x06c ShowWindowFlags : 0
+0x070 WindowTitle : _UNICODE_STRING "C:\Windows\System32\calc.exe"
+0x078 DesktopInfo : _UNICODE_STRING "Winsta0\Default"
+0x080 ShellInfo : _UNICODE_STRING ""
+0x088 RuntimeData : _UNICODE_STRING ""
+0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
+0x290 EnvironmentSize : 0x131e
+0x294 EnvironmentVersion : 1
It's all there~~~~~~~~~
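The hand walk of InLoadOrderModuleList above (follow Flink from the head in _PEB_LDR_DATA until it comes back to the head) and the ProcessParameters lookup just shown are easy to script against a memory snapshot using exactly the field offsets in the dt output. The Python below is an added example, not code from the original post: the offsets (_PEB.Ldr at 0x00c, _PEB.ProcessParameters at 0x010, InLoadOrderModuleList at 0x00c of _PEB_LDR_DATA, DllBase/FullDllName/TimeDateStamp at 0x018/0x024/0x044 of _LDR_DATA_TABLE_ENTRY, ImagePathName/CommandLine at 0x038/0x040 of _RTL_USER_PROCESS_PARAMETERS) and the addresses, timestamps and names are taken from the page, while the Memory class, its region sizes and the constructed snapshot (only the first three modules, with kernel32's Flink pointing back at the head) are the example's own assumptions. Unlike the hand walk, it also checks that the list really returns to its head instead of looping forever on a corrupted list. Note that the page's own dt of the calc.exe entry shows InInitializationOrderLinks as [0x0 - 0x0], so the executable itself is not on the initialization-order list; this example walks only the load-order list.

```python
import struct

# Field offsets, all taken from the dt output above (x86 layout)
PEB_LDR = 0x00C                  # _PEB.Ldr
PEB_PROCESS_PARAMETERS = 0x010   # _PEB.ProcessParameters
LDR_IN_LOAD_ORDER_LIST = 0x00C   # _PEB_LDR_DATA.InLoadOrderModuleList
ENTRY_DLL_BASE = 0x018           # _LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_FULL_DLL_NAME = 0x024      # _LDR_DATA_TABLE_ENTRY.FullDllName (_UNICODE_STRING)
ENTRY_TIME_DATE_STAMP = 0x044    # _LDR_DATA_TABLE_ENTRY.TimeDateStamp
PARAMS_IMAGE_PATH_NAME = 0x038   # _RTL_USER_PROCESS_PARAMETERS.ImagePathName
PARAMS_COMMAND_LINE = 0x040      # _RTL_USER_PROCESS_PARAMETERS.CommandLine

# Addresses and values from the !peb / dt output above; the snapshot layout itself is constructed
PEB, LDR, PARAMS = 0x7FFDF000, 0x77847880, 0x00311B48
ENTRIES = [  # (entry address, DllBase, TimeDateStamp, FullDllName)
    (0x003126F8, 0x008F0000, 0x4CE7979D, r"C:\Windows\System32\calc.exe"),
    (0x00312788, 0x77770000, 0x4EC49B60, r"C:\windows\SYSTEM32\ntdll.dll"),
    (0x00312AB0, 0x77490000, 0x506DBD3E, r"C:\windows\system32\kernel32.dll"),
]

class Memory:
    """Sparse snapshot: (start, bytearray) regions, like pages read from a dump (assumed helper)."""
    def __init__(self, regions):
        self.regions = [(start, bytearray(size)) for start, size in regions]
    def _locate(self, addr, n):
        for start, buf in self.regions:
            if start <= addr and addr + n <= start + len(buf):
                return buf, addr - start
        raise ValueError(f"address {addr:#x} is not in the snapshot")
    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data
    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])
    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]
    def unicode_string(self, addr):
        # _UNICODE_STRING: USHORT Length (in bytes), USHORT MaximumLength, PWSTR Buffer
        length, _maximum, buffer = struct.unpack("<HHI", self.read(addr, 8))
        return self.read(buffer, length).decode("utf-16-le")

def walk_in_load_order(mem, peb):
    """Follow Flink from the InLoadOrderModuleList head until it returns, as the hand walk does.
    Flink points at InLoadOrderLinks, which is offset 0 of _LDR_DATA_TABLE_ENTRY, so link == entry."""
    head = mem.u32(peb + PEB_LDR) + LDR_IN_LOAD_ORDER_LIST
    modules, seen = [], set()
    link = mem.u32(head)                       # head.Flink -> first module
    while link != head:
        if link in seen:                       # the list never comes back to its head
            raise ValueError("InLoadOrderModuleList is corrupted: cycle that skips the head")
        seen.add(link)
        modules.append((mem.u32(link + ENTRY_DLL_BASE), mem.u32(link + ENTRY_TIME_DATE_STAMP),
                        mem.unicode_string(link + ENTRY_FULL_DLL_NAME)))
        link = mem.u32(link)                   # entry.InLoadOrderLinks.Flink
    return modules

def process_command_line(mem, peb):
    """(ImagePathName, CommandLine) from PEB.ProcessParameters, the two values !peb prints."""
    params = mem.u32(peb + PEB_PROCESS_PARAMETERS)
    return (mem.unicode_string(params + PARAMS_IMAGE_PATH_NAME),
            mem.unicode_string(params + PARAMS_COMMAND_LINE))

def build_snapshot():
    """Constructed snapshot: the page's first three modules, last Flink pointing back at the head."""
    mem = Memory([(PEB, 0x100), (LDR, 0x40),
                  (0x00310000, 0x10000)])      # process heap: parameters, entries, string buffers
    mem.write(PEB + PEB_LDR, struct.pack("<I", LDR))
    mem.write(PEB + PEB_PROCESS_PARAMETERS, struct.pack("<I", PARAMS))
    cursor = 0x00318000                        # bump allocator for the UTF-16 buffers

    def put_unicode_string(addr, text):
        nonlocal cursor
        data = text.encode("utf-16-le")
        mem.write(cursor, data)
        mem.write(addr, struct.pack("<HHI", len(data), len(data) + 2, cursor))
        cursor += len(data) + 2

    head = LDR + LDR_IN_LOAD_ORDER_LIST
    addrs = [e[0] for e in ENTRIES]
    for i, (addr, base, stamp, name) in enumerate(ENTRIES):
        flink = addrs[i + 1] if i + 1 < len(addrs) else head
        blink = addrs[i - 1] if i > 0 else head
        mem.write(addr, struct.pack("<II", flink, blink))   # InLoadOrderLinks
        mem.write(addr + ENTRY_DLL_BASE, struct.pack("<I", base))
        mem.write(addr + ENTRY_TIME_DATE_STAMP, struct.pack("<I", stamp))
        put_unicode_string(addr + ENTRY_FULL_DLL_NAME, name)
    mem.write(head, struct.pack("<II", addrs[0], addrs[-1]))   # head.Flink / head.Blink
    put_unicode_string(PARAMS + PARAMS_IMAGE_PATH_NAME, r"C:\Windows\System32\calc.exe")
    put_unicode_string(PARAMS + PARAMS_COMMAND_LINE, r"C:\Windows\System32\calc.exe")
    return mem

if __name__ == "__main__":
    snap = build_snapshot()
    for base, stamp, name in walk_in_load_order(snap, PEB):
        print(f"{base:08x} {stamp:08x} {name}")
    print("ImageFile: '%s'\nCommandLine: '%s'" % process_command_line(snap, PEB))
```

Running it prints the same "Base TimeStamp Module" rows as !peb for calc.exe, ntdll.dll and kernel32.dll, followed by ImageFile and CommandLine. The `seen` set is the one thing the interactive walk lacks: when following Flink by hand, a list whose links have been tampered with can send you round in circles without ever reaching the head, and a script that only tests `link != head` would spin forever, so the walker stops and reports that instead.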