Viewing a Process's PEB with WinDbg

April 13, 2022

0:014> .process
Implicit process is now 7fe5f000
0:014> dt _PEB 7fe5f000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 BitField         : 0x4 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 IsPackagedProcess : 0y0
   +0x003 IsAppContainer   : 0y0
   +0x003 IsProtectedProcessLight : 0y0
   +0x003 SpareBits        : 0y0
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x011c0000 Void
   +0x00c Ldr              : 0x77ab8440 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x005f0da8 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x005f0000 Void
   +0x01c FastPebLock      : 0x77ab83a0 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null) 
   +0x024 IFEOKey          : (null) 
   +0x028 CrossProcessFlags : 0
   +0x028 ProcessInJob     : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH  : 0y0
   +0x028 ProcessUsingVCH  : 0y0
   +0x028 ProcessUsingFTH  : 0y0
   +0x028 ReservedBits0    : 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x77896428 Void
   +0x02c UserSharedInfoPtr : 0x77896428 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 ApiSetMap        : 0x00530000 Void
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x77ab83e0 Void
   +0x044 TlsBitmapBits    : [2] 0x1ffffff
   +0x04c ReadOnlySharedMemoryBase : 0x7fd20000 Void
   +0x050 SparePvoid0      : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7fd204a0  -> (null) 
   +0x058 AnsiCodePageData : 0x7fe20000 Void
   +0x05c OemCodePageData  : 0x7fe20000 Void
   +0x060 UnicodeCaseTableData : 0x7fe50024 Void
   +0x064 NumberOfProcessors : 4
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 5
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77ab7520  -> 0x005f0000 Void
   +0x094 GdiSharedHandleTable : 0x00c10000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x77ab43c8 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion   : 6
   +0x0a8 OSMinorVersion   : 3
   +0x0ac OSBuildNumber    : 0x2580
   +0x0ae OSCSDVersion     : 0
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 6
   +0x0bc ImageSubsystemMinorVersion : 3
   +0x0c0 ActiveProcessAffinityMask : 0xf
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x77ab83f8 Void
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId        : 0
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : 0x005a0000 Void
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING ""
   +0x1f8 ActivationContextData : 0x00590000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : (null) 
   +0x200 SystemDefaultActivationContextData : 0x00580000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : 0x006786e8 _ASSEMBLY_STORAGE_MAP
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback      : 0x005fc068 _FLS_CALLBACK_INFO
   +0x210 FlsListHead      : _LIST_ENTRY [ 0x5fbe58 - 0x6285b8 ]
   +0x218 FlsBitmap        : 0x77ab8420 Void
   +0x21c FlsBitmapBits    : [4] 7
   +0x22c FlsHighIndex     : 2
   +0x230 WerRegistrationData : (null) 
   +0x234 WerShipAssertPtr : (null) 
   +0x238 pUnused          : (null) 
   +0x23c pImageHeaderHash : (null) 
   +0x240 TracingFlags     : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0
   +0x240 LibLoaderTracingEnabled : 0y0
   +0x240 SpareTracingBits : 0y00000000000000000000000000000 (0)
   +0x248 CsrServerReadOnlySharedMemoryBase : 0x7f800000

0x18: address of the default process heap

0x78: default size of the default heap

0x7c: initial commit size of the default heap

0x80: threshold related to heap decommit (free) behaviour

0x84: threshold related to heap decommit (free) behaviour

0x88: number of heaps in the process

0x8c: maximum number of heaps in the process

0x90: array holding the addresses of all heaps
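As an added example that is not part of the original post, here is a small Python parser for the `dt _PEB` output shown above. It pulls out the heap fields the notes describe and cross-checks them: NumberOfHeaps must not exceed MaximumNumberOfHeaps, and the first entry of the ProcessHeaps array should be the same address as ProcessHeap (both 0x005f0000 in this dump). The offsets are those of the 32-bit PEB dumped here; a 64-bit process lays the fields out at different offsets. The sample lines are copied from the dump above.

```python
import re
# Sample input: lines copied from the `dt _PEB` dump above (32-bit PEB layout; x64 offsets differ).
SAMPLE_DT_OUTPUT = """\
   +0x018 ProcessHeap      : 0x005f0000 Void
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 5
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77ab7520  -> 0x005f0000 Void
"""
LINE_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")  # "+0x088 Name : value"

def parse_number(text):
    """First number in a dt value: hex if present, else decimal; '(null)' reads as 0."""
    if text.startswith("(null)"):
        return 0
    m = re.search(r"0x[0-9a-fA-F]+", text) or re.match(r"\d+", text)
    return None if m is None else int(m.group(0), 16 if m.group(0).startswith("0x") else 10)

def parse_dt_output(text):
    """Return {field: (offset, value, pointee)}; pointee is the '-> target' dt prints for pointers."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest, pointee = m.group(3), None
        if "->" in rest:
            rest, target = rest.split("->", 1)
            pointee = parse_number(target.strip())
        fields[m.group(2)] = (int(m.group(1), 16), parse_number(rest.strip()), pointee)
    return fields

def heap_summary(fields):
    """Collect the heap fields at PEB+0x18 and +0x78..+0x90 and cross-check them."""
    s = {
        "process_heap": fields["ProcessHeap"][1],
        "segment_reserve": fields["HeapSegmentReserve"][1],
        "segment_commit": fields["HeapSegmentCommit"][1],
        "decommit_total_free": fields["HeapDeCommitTotalFreeThreshold"][1],
        "decommit_free_block": fields["HeapDeCommitFreeBlockThreshold"][1],
        "number_of_heaps": fields["NumberOfHeaps"][1],
        "max_heaps": fields["MaximumNumberOfHeaps"][1],
        "first_heap": fields["ProcessHeaps"][2],  # ProcessHeaps[0] should be the default heap
    }
    s["consistent"] = (s["number_of_heaps"] <= s["max_heaps"] and s["first_heap"] == s["process_heap"]
                       and s["segment_commit"] <= s["segment_reserve"])
    return s
```

Paste a full `dt _PEB` dump into `parse_dt_output` to get every field; only the heap-related ones are summarised here.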

https://www.freebuf.com/articles/system/156174.html

Stupid

One who ferries others to the far shore in his own boat arrives there himself.
