[Reversing] PEB Structure
kd> dt _PEB
nt!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 FastPebLockRoutine : Ptr32 Void
+0x024 FastPebUnlockRoutine : Ptr32 Void
+0x028 EnvironmentUpdateCount : Uint4B
+0x02c KernelCallbackTable : Ptr32 Void
+0x030 SystemReserved : [1] Uint4B
+0x034 AtlThunkSListPtr32 : Uint4B
+0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [2] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 Void
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ImageProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [34] Uint4B
+0x14c PostProcessInitRoutine : Ptr32 void
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [32] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 Void
+0x1fc ProcessAssemblyStorageMap : Ptr32 Void
+0x200 SystemDefaultActivationContextData : Ptr32 Void
+0x204 SystemAssemblyStorageMap : Ptr32 Void
+0x208 MinimumStackCommit : Uint4B
The dump above is the 32-bit PEB of an XP-era ntdll. The fields reversers lean on most (BeingDebugged at +0x002, Ldr at +0x00c, ProcessParameters at +0x010, ProcessHeap at +0x018, NtGlobalFlag at +0x068) keep these offsets for 32-bit processes on later Windows versions, and this structure is what shellcode, an API-resolving loader or an anti-debugging check is reading when it goes through fs:[0x30].

Chain from the TEB to the loaded-module lists (32-bit, offsets relative to the start of each structure):

TEB
0x30 : PEB

PEB
0x0C : Ldr -> PEB_LDR_DATA

PEB_LDR_DATA
0x0C : InLoadOrderModuleList (LIST_ENTRY)
0x14 : InMemoryOrderModuleList (LIST_ENTRY)
0x1C : InInitializationOrderModuleList (LIST_ENTRY)

Each list head is a LIST_ENTRY {Flink, Blink} and the list is circular: it starts and ends at the head inside PEB_LDR_DATA, and every other node is one of the three LIST_ENTRY fields embedded in a module's LDR_MODULE (LDR_DATA_TABLE_ENTRY in ntdll symbols) at 0x00, 0x08 and 0x10. The offsets below are therefore measured from the LIST_ENTRY you are holding, not from the start of the entry, which is why the same field (the image base) shows up at 0x18, 0x10 or 0x08 depending on the list.

InLoadOrderModuleList
( executable -> ntdll.dll -> kernel32.dll -> kernelbase.dll )
0x00 : Flink (next module)
0x04 : Blink (previous module)
0x18 : DllBase (image base)
0x1C : EntryPoint
0x20 : SizeOfImage
0x30 : BaseDllName.Buffer (module name, e.g. kernel32.dll)

InMemoryOrderModuleList
( executable -> ntdll.dll -> kernel32.dll -> kernelbase.dll )
0x00 : Flink (next module)
0x04 : Blink (previous module)
0x10 : DllBase (image base)
0x14 : EntryPoint
0x18 : SizeOfImage
0x20 : FullDllName.Buffer (full path)

InInitializationOrderModuleList
( ntdll.dll -> kernelbase.dll -> kernel32.dll )
0x00 : Flink (next module)
0x04 : Blink (previous module)
0x08 : DllBase (image base)
0x0C : EntryPoint
0x10 : SizeOfImage
0x20 : BaseDllName.Buffer (module name)

Two things to keep in mind when relying on these lists. The module order is not guaranteed: the executable never appears in the initialization-order list (it has no DllMain to run), and kernelbase.dll exists only from Windows 7 onward and is initialized before kernel32.dll because kernel32 imports from it, so code that assumes "the third entry of the initialization list is kernel32" breaks across versions. Match on BaseDllName instead, and compare case-insensitively, because its case differs between versions. And every offset here is for a 32-bit process: on x64 the PEB is at gs:[0x60], Ldr is at PEB+0x18, the three list heads are at PEB_LDR_DATA+0x10/+0x20/+0x30, the three LIST_ENTRYs inside LDR_DATA_TABLE_ENTRY are at 0x00/0x10/0x20, and DllBase, EntryPoint, SizeOfImage, FullDllName and BaseDllName are at 0x30, 0x38, 0x40, 0x48 and 0x58.
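The chain above carried out in code. This is an added example, not code from the original post: it walks the three PEB_LDR_DATA lists and resolves a module base by name using only the 32-bit offsets listed above, but it runs over a constructed byte image of a 32-bit address space rather than a live process (the way a memory-dump parser or an emulator would), so it builds on any host. The module names, image bases and the placement of the structures inside the image are made up for the example; the walk itself is the one shellcode and API-resolution loaders perform after reading the PEB from fs:[0x30].

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define PEB_LDR        0x0C  /* PEB.Ldr -> PEB_LDR_DATA (all offsets: the post's 32-bit layouts) */
#define LDR_LIST_LOAD  0x0C  /* PEB_LDR_DATA.InLoadOrderModuleList */
#define LDR_LIST_MEM   0x14  /* PEB_LDR_DATA.InMemoryOrderModuleList */
#define LDR_LIST_INIT  0x1C  /* PEB_LDR_DATA.InInitializationOrderModuleList */
#define ENT_LINK_LOAD  0x00  /* LDR_DATA_TABLE_ENTRY.InLoadOrderLinks */
#define ENT_LINK_MEM   0x08  /* LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks */
#define ENT_LINK_INIT  0x10  /* LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks */
#define ENT_DLLBASE    0x18  /* LDR_DATA_TABLE_ENTRY.DllBase ("ImgBase" above) */
#define ENT_BASENAME   0x2C  /* .BaseDllName: UNICODE_STRING {Length, MaximumLength, Buffer} */

static uint8_t mem[0x2000];  /* constructed 32-bit address space: address == index (made up) */
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

static void read_ustr(uint32_t us, char *out, size_t cap) /* UNICODE_STRING -> ASCII */
{
    uint32_t n = (rd32(us) & 0xFFFF) / 2, buf = rd32(us + 4), i; /* Length is in bytes */
    for (i = 0; i < n && i + 1 < cap; i++) out[i] = (char)mem[buf + 2 * i]; /* UTF-16LE low byte */
    out[i] = '\0';
}

/* Walk one PEB_LDR_DATA list; return its BaseDllNames joined by spaces. link_off is where
 * that list's LIST_ENTRY sits inside the table entry, so Flink - link_off is the entry
 * base: this is why the post's per-list "relative" offsets (ImgBase at 0x18/0x10/0x08) differ. */
static const char *module_order(uint32_t peb, uint32_t list_off, uint32_t link_off)
{
    static char line[256];
    uint32_t head = rd32(peb + PEB_LDR) + list_off;
    char name[32];
    line[0] = '\0';
    for (uint32_t link = rd32(head); link != head; link = rd32(link)) {
        read_ustr(link - link_off + ENT_BASENAME, name, sizeof name);
        if (line[0]) strcat(line, " ");
        strcat(line, name);
    }
    return line;
}

static int ieq(const char *a, const char *b) /* case-insensitive string equality */
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* Shellcode-style DllBase lookup through InMemoryOrderModuleList. BaseDllName is
 * "KERNEL32.DLL" on some Windows versions, so never compare it case-sensitively. */
static uint32_t find_module_base(uint32_t peb, const char *want)
{
    uint32_t head = rd32(peb + PEB_LDR) + LDR_LIST_MEM;
    char name[32];
    for (uint32_t link = rd32(head); link != head; link = rd32(link)) {
        uint32_t entry = link - ENT_LINK_MEM;      /* post: ImgBase at link + 0x10 */
        read_ustr(entry + ENT_BASENAME, name, sizeof name);
        if (ieq(name, want)) return rd32(entry + ENT_DLLBASE);
    }
    return 0;
}

/* Thread e[order[0..n-1]] into a circular list at head via the LIST_ENTRY at link_off. */
static void link_ring(uint32_t head, const uint32_t *e, const int *order, int n, uint32_t link_off)
{
    uint32_t prev = head, link = 0;
    for (int i = 0; i < n; i++, prev = link) {
        link = e[order[i]] + link_off;
        wr32(prev, link); wr32(link + 4, prev);    /* prev.Flink, link.Blink */
    }
    wr32(prev, head); wr32(head + 4, prev);
}

/* Synthetic image (made-up names/bases): PEB @0x100, PEB_LDR_DATA @0x200, entries @0x300.. */
static uint32_t build_image(void)
{
    const char *names[4] = { "test.exe", "ntdll.dll", "kernel32.dll", "kernelbase.dll" };
    const uint32_t bases[4] = { 0x00400000, 0x7c900000, 0x7c800000, 0x75b00000 };
    const int load[4] = { 0, 1, 2, 3 }, init[3] = { 1, 3, 2 }; /* init: no exe, kernelbase first */
    uint32_t e[4], pool = 0x800;                                 /* UTF-16LE name buffers */
    memset(mem, 0, sizeof mem);
    for (int i = 0; i < 4; i++) {
        uint32_t len = (uint32_t)strlen(names[i]);
        e[i] = 0x300 + 0x100 * i;
        wr32(e[i] + ENT_DLLBASE, bases[i]);
        for (uint32_t k = 0; k < len; k++) mem[pool + 2 * k] = (uint8_t)names[i][k];
        wr32(e[i] + ENT_BASENAME, (2 * len) | ((2 * len + 2) << 16)); /* Length | MaximumLength */
        wr32(e[i] + ENT_BASENAME + 4, pool);                          /* Buffer */
        pool += 2 * len + 2;
    }
    wr32(0x100 + PEB_LDR, 0x200);
    link_ring(0x200 + LDR_LIST_LOAD, e, load, 4, ENT_LINK_LOAD);
    link_ring(0x200 + LDR_LIST_MEM,  e, load, 4, ENT_LINK_MEM);
    link_ring(0x200 + LDR_LIST_INIT, e, init, 3, ENT_LINK_INIT);
    return 0x100;
}
```

build_image() lays out a PEB whose Ldr lists hold test.exe, ntdll.dll, kernel32.dll and kernelbase.dll in load and memory order and ntdll.dll, kernelbase.dll, kernel32.dll in initialization order, so module_order(build_image(), LDR_LIST_INIT, ENT_LINK_INIT) returns "ntdll.dll kernelbase.dll kernel32.dll" and find_module_base(build_image(), "KERNEL32.DLL") returns 0x7c800000; a main that prints those three results is all that is needed to run it stand-alone. Against a live 32-bit process the only change is the memory access: rd32 becomes a plain dereference and the PEB address comes from fs:[0x30] instead of build_image().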