{"id":187226,"date":"2013-07-20T15:58:04","date_gmt":"2013-07-20T11:58:04","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=187226"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=187226","title":{"rendered":"\u0420\u0430\u0431\u043e\u0442\u0430 \u0441 PEB \u0438 TEB<\/span>"},"content":{"rendered":"
\tPEB \u2014 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 \u0432 windows, \u0437\u0430\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u0437\u0430\u0433\u0440\u0443\u0437\u0447\u0438\u043a\u043e\u043c \u043d\u0430 \u044d\u0442\u0430\u043f\u0435 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0438, \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d\u043d\u044b\u0445 \u043c\u043e\u0434\u0443\u043b\u044f\u0445 (LDR_DATA), \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043f\u043e \u0442\u0435\u043a\u0443\u0449\u0435\u043c\u0443 \u043c\u043e\u0434\u0443\u043b\u044e \u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u044b\u0435 \u0434\u043b\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430. \u041c\u043d\u043e\u0433\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0435 api windows, \u043f\u043e\u043b\u0443\u0447\u0430\u044e\u0449\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043c\u043e\u0434\u0443\u043b\u044f\u0445 (\u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0430\u0445) \u0432 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435, \u0432\u044b\u0437\u044b\u0432\u0430\u044e\u0442 ReadProcessMemory \u0434\u043b\u044f \u0441\u0447\u0438\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0438\u0437 PEB \u043d\u0443\u0436\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430.
<\/a>
TEB \u2014 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430 \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0434\u043b\u044f \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u043f\u043e\u0442\u043e\u043a\u0430\u0445 \u0432 \u0442\u0435\u043a\u0443\u0449\u0435\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435, \u043a\u0430\u0436\u0434\u044b\u0439 \u043f\u043e\u0442\u043e\u043a \u0438\u043c\u0435\u0435\u0442 \u0441\u0432\u043e\u0439 TEB. Wow64 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u044b \u0432 Windows \u0438\u043c\u0435\u044e\u0442 \u0434\u0432\u0430 Process Environment Blocks \u0438 \u0434\u0432\u0430 Thread Environment Blocks. TEB \u0441\u043e\u0437\u0434\u0430\u0435\u0442\u0441\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u0435\u0439 MmCreateTeb, PEB \u0441\u043e\u0437\u0434\u0430\u0435\u0442\u0441\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u0435\u0439 MmCreatePeb, \u0435\u0441\u043b\u0438 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u0435\u043d \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f, \u0442\u043e \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0438\u0441\u0445\u043e\u0434\u043d\u0438\u043a\u0438 ReactOS, \u0438\u043b\u0438 \u0432\u0437\u044f\u0442\u044c WinDBG \u0438 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u044c \u0441\u0430\u043c\u043e\u0441\u0442\u043e\u044f\u0442\u0435\u043b\u044c\u043d\u043e.<\/p>\n

TEB \u0438\u043c\u0435\u0435\u0442 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0432\u0438\u0434:<\/p>\n

typedef struct _CLIENT_ID {     DWORD UniqueProcess;     DWORD UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef struct _THREAD_BASIC_INFORMATION { typedef PVOID KPRIORITY; NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; KAFFINITY AffinityMask; KPRIORITY Priority; KPRIORITY BasePriority;  } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; <\/code><\/pre>\n
[TEB+0] \u0423\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u043d\u0430 \u043f\u0435\u0440\u0432\u044b\u0439 SEH \u043d\u0430 \u0441\u0442\u044d\u043a\u0435. [TEB+4] \u0423\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u043d\u0430 \u043a\u043e\u043d\u0435\u0446 \u043e\u0431\u043b\u0430\u0441\u0442\u0438 \u043f\u0430\u043c\u044f\u0442\u0438, \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u0445 \u043d\u0430 \u0441\u0442\u0435\u043a\u0435. [TEB+8] \u0423\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u043d\u0430 \u043d\u0430\u0447\u0430\u043b\u043e \u043e\u0431\u043b\u0430\u0441\u0442\u0438 \u043f\u0430\u043c\u044f\u0442\u0438 \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u0445 \u043d\u0430 \u0441\u0442\u0435\u043a\u0435, \u0434\u043b\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0439 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0441\u0442\u0435\u043a\u0430. [TEB+18] \u0410\u0434\u0440\u0435\u0441 \u0442\u0435\u043a\u0443\u0449\u0435\u0439 TEB. [TEB+30] \u0410\u0434\u0440\u0435\u0441 PEB. <\/code><\/pre>\n
  \u0414\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f TEB \u043a\u043e\u043d\u043a\u0440\u0435\u0442\u043d\u043e\u0433\u043e \u043f\u043e\u0442\u043e\u043a\u0430 \u043c\u043e\u0436\u043d\u043e \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f NtQueryInformationThread.<\/p>\n
#include <Windows.h> #include <stdio.h> #pragma comment(lib,"ntdll.lib") typedef struct _CLIENT_ID {     DWORD UniqueProcess;     DWORD UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef struct _THREAD_BASIC_INFORMATION { typedef PVOID KPRIORITY; NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; KAFFINITY AffinityMask; KPRIORITY Priority; KPRIORITY BasePriority;  } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; typedef   enum   _THREADINFOCLASS {     ThreadBasicInformation,     ThreadTimes,     ThreadPriority,     ThreadBasePriority,     ThreadAffinityMask,     ThreadImpersonationToken,     ThreadDescriptorTableEntry,     ThreadEnableAlignmentFaultFixup,     ThreadEventPair_Reusable,     ThreadQuerySetWin32StartAddress,     ThreadZeroTlsCell,     ThreadPerformanceCount,     ThreadAmILastThread,     ThreadIdealProcessor,     ThreadPriorityBoost,     ThreadSetTlsArrayAddress,     ThreadIsIoPending,     ThreadHideFromDebugger,     ThreadBreakOnTermination,     MaxThreadInfoClass }   THREADINFOCLASS; THREADINFOCLASS   ThreadInformationClass;   extern "C"   {   NTSTATUS WINAPI NtQueryInformationThread(   _In_       HANDLE ThreadHandle,   _In_       THREADINFOCLASS ThreadInformationClass,   _Inout_    PVOID ThreadInformation,   _In_       ULONG ThreadInformationLength,   _Out_opt_  PULONG ReturnLength ); } THREAD_BASIC_INFORMATION ThreadInfo; DWORD ntstatus = NtQueryInformationThread( \t        GetCurrentThread(), \/\/ \u0445\u044d\u043d\u0434\u043b \u043d\u0430 \u043f\u043e\u0442\u043e\u043a \t\t\tThreadBasicInformation, \t\t\t&ThreadInfo, \/\/ThreadInfo.TebBaseAddress \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0430\u0434\u0440\u0435\u0441 \u0442\u0435\u0431\u0430 \u0434\u043b\u044f \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u0442\u043e\u043a\u0430. \t\t\tsizeof(THREAD_BASIC_INFORMATION), \t\t\t0 \t\t\t); \/\/ \u0415\u0441\u043b\u0438 \u043d\u0443\u0436\u0435\u043d teb \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u0432\u043e\u0435\u0433\u043e \u043f\u043e\u0442\u043e\u043a\u0430, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c  __readfsdword(0x18)  \u0432 32 \u0431\u0438\u0442 \u0438\u043b\u0438 __readgsqword(0x30) \u0432 \u044564. <\/code><\/pre>\n
  \u043d\u0430 MSDN PEB \u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u0434\u043b\u044f 32 \u0431\u0438\u0442\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430:<\/p>\n
typedef struct _PEB {   BYTE                          Reserved1[2];   BYTE                          BeingDebugged;   BYTE                          Reserved2[1];   PVOID                         Reserved3[2];   PPEB_LDR_DATA                 Ldr;   PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;   BYTE                          Reserved4[104];   PVOID                         Reserved5[52];   PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;   BYTE                          Reserved6[128];   PVOID                         Reserved7[1];   ULONG                         SessionId; } PEB, *PPEB; <\/code><\/pre>\n
  \u0438 \u0434\u043b\u044f 64 \u0431\u0438\u0442\u043d\u043e\u0433\u043e:<\/p>\n
typedef struct _PEB {     BYTE Reserved1[2];     BYTE BeingDebugged;     BYTE Reserved2[21];     PPEB_LDR_DATA LoaderData;     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;     BYTE Reserved3[520];     PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;     BYTE Reserved4[136];     ULONG SessionId; } PEB; <\/code><\/pre>\n
  <\/p>\n
\u0432 \u043c\u043e\u0435\u043c \u043f\u0440\u043e\u0435\u043a\u0442\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0430\u044f \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430 \u0434\u043b\u044f 32 \u0438 64 \u0431\u0438\u0442<\/b><\/p>\n
\n
\/\/\u0430\u0432\u0442\u043e\u0440 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b - http:\/\/blog.rewolf.pl\/blog\/?p=573 #pragma pack(push) #pragma pack(1) template <class T> struct LIST_ENTRY_T { \tT Flink; \tT Blink; };   template <class T> struct UNICODE_STRING_T { \tunion \t{ \t\tstruct \t\t{ \t\t\tWORD Length; \t\t\tWORD MaximumLength; \t\t}; \t\tT dummy; \t}; \tT _Buffer; };   template <class T, class NGF, int A> struct _PEB_T { \tunion \t{ \t\tstruct \t\t{ \t\t\tBYTE InheritedAddressSpace; \t\t\tBYTE ReadImageFileExecOptions; \t\t\tBYTE BeingDebugged; \t\t\tBYTE _SYSTEM_DEPENDENT_01; \t\t}; \t\tT dummy01; \t}; \tT Mutant; \tT ImageBaseAddress; \tT Ldr; \tT ProcessParameters; \tT SubSystemData; \tT ProcessHeap; \tT FastPebLock; \tT _SYSTEM_DEPENDENT_02; \tT _SYSTEM_DEPENDENT_03; \tT _SYSTEM_DEPENDENT_04; \tunion \t{ \t\tT KernelCallbackTable; \t\tT UserSharedInfoPtr; \t}; \tDWORD SystemReserved; \tDWORD _SYSTEM_DEPENDENT_05; \tT _SYSTEM_DEPENDENT_06; \tT TlsExpansionCounter; \tT TlsBitmap; \tDWORD TlsBitmapBits[2]; \tT ReadOnlySharedMemoryBase; \tT _SYSTEM_DEPENDENT_07; \tT ReadOnlyStaticServerData; \tT AnsiCodePageData; \tT OemCodePageData; \tT UnicodeCaseTableData; \tDWORD NumberOfProcessors; \tunion \t{ \t\tDWORD NtGlobalFlag; \t\tNGF dummy02; \t}; \tLARGE_INTEGER CriticalSectionTimeout; \tT HeapSegmentReserve; \tT HeapSegmentCommit; \tT HeapDeCommitTotalFreeThreshold; \tT HeapDeCommitFreeBlockThreshold; \tDWORD NumberOfHeaps; \tDWORD MaximumNumberOfHeaps; \tT ProcessHeaps; \tT GdiSharedHandleTable; \tT ProcessStarterHelper; \tT GdiDCAttributeList; \tT LoaderLock; \tDWORD OSMajorVersion; \tDWORD OSMinorVersion; \tWORD OSBuildNumber; \tWORD OSCSDVersion; \tDWORD OSPlatformId; \tDWORD ImageSubsystem; \tDWORD ImageSubsystemMajorVersion; \tT ImageSubsystemMinorVersion; \tunion \t{ \t\tT ImageProcessAffinityMask; \t\tT ActiveProcessAffinityMask; \t}; \tT GdiHandleBuffer[A]; \tT PostProcessInitRoutine; \tT TlsExpansionBitmap; \tDWORD TlsExpansionBitmapBits[32]; \tT SessionId; \tULARGE_INTEGER AppCompatFlags; \tULARGE_INTEGER AppCompatFlagsUser; \tT pShimData; \tT AppCompatInfo; \tUNICODE_STRING_T<T> CSDVersion; \tT ActivationContextData; \tT ProcessAssemblyStorageMap; \tT SystemDefaultActivationContextData; \tT SystemAssemblyStorageMap; \tT MinimumStackCommit; };   typedef _PEB_T<DWORD, DWORD64, 34> PEB32; typedef _PEB_T<DWORD64, DWORD, 30> PEB64;  #pragma pack(pop) <\/code><\/pre>\n
  <\/div>\n<\/div>\n
  PEB \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c:<\/p>\n
\/\/ \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0441\u044f  intrinsics \u0444\u0443\u043d\u043a\u0446\u0438\u044f\u043c\u0438, \u0442\u0430\u043a \u043a\u0430\u043a \u0432 12 \u0441\u0442\u0443\u0434\u0438\u0438 \u0438\u043d\u043b\u0430\u0439\u043d \u0430\u0441\u043c \u0434\u043b\u044f \u044564 \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0446\u0438\u0438 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442. \/\/ \u0430\u0434\u0440\u0435\u0441 PEB - \u043a\u043e\u043d\u0441\u0442\u0430\u043d\u0442\u0430 \u0434\u043b\u044f \u0432\u0441\u0435\u0445 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0432 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0435. #if defined _M_IX86 int offset = 0x30; DWORD peb __readfsdword(PEB) \/\/mov eax, fs:[0x30] #elif defined _M_X64 \/\/\u041d\u0430 64 \u0431\u0438\u0442\u043d\u044b\u0445 windows \u0441\u0435\u0433\u043c\u0435\u043d\u0442\u043d\u044b\u0439 \u0440\u0435\u0433\u0438\u0441\u0442\u0440 GS \u0445\u0440\u0430\u043d\u0438\u0442 \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u043d\u0430 PEB \u0432 GS:[0x60] int offset = 0x60; DWORD64 peb =__readgsqword(PEB); \/\/mov rax, gs:[0x60] <\/code><\/pre>\n
  \u041f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 \u0431\u0430\u0437\u044b \u0434\u043b\u044f kernel32 \u0438 \u0430\u0434\u0440\u0435\u0441 GetProcAddress:<\/p>\n
\/\/\u044564, \u043f\u0440\u043e\u0432\u0435\u0440\u0435\u043d\u043e, \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0431\u0443\u0434\u0435\u0442 \u043d\u0430\u0447\u0438\u043d\u0430\u044f \u0441 xp x64 sp2 \u0434\u043e \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0439 win 8. typedef FARPROC (WINAPI * GetProcAddress_t) (HMODULE, const char *); struct LDR_MODULE   {    LIST_ENTRY e[3];    HMODULE    base;    void      *entry;    UINT       size;    UNICODE_STRING dllPath;    UNICODE_STRING dllname;   };    int offset = 0x60;    int ModuleList = 0x18;    int ModuleListFlink = 0x18;    int KernelBaseAddr = 0x10;     INT_PTR peb    =__readgsqword(offset);    INT_PTR mdllist=*(INT_PTR*)(peb+ ModuleList);    INT_PTR mlink  =*(INT_PTR*)(mdllist+ ModuleListFlink);    INT_PTR krnbase=*(INT_PTR*)(mlink+ KernelBaseAddr);     LDR_MODULE *mdl=(LDR_MODULE*)mlink;    do     {       mdl=(LDR_MODULE*)mdl->e[0].Flink;        if(mdl->base!=NULL)         {          if(!lstrcmpiW(mdl->dllname.Buffer,L"kernel32.dll")) \/\/\u0441\u0440\u0430\u0432\u043d\u0438\u0432\u0430\u0435\u043c \u0438\u043c\u044f \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0432 \u0431\u0443\u0444\u0435\u0440\u0435 \u0441 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u044b\u043c            {             break;            }         }    } while (mlink!=(INT_PTR)mdl);  \tkernel32base = (HMODULE)mdl->base; \tULONG_PTR base = (ULONG_PTR) kernel32base; \tIMAGE_NT_HEADERS * pe = PIMAGE_NT_HEADERS(base + PIMAGE_DOS_HEADER(base)->e_lfanew); \tIMAGE_EXPORT_DIRECTORY * exportDir = PIMAGE_EXPORT_DIRECTORY(base + pe->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); \tDWORD * namePtr = (DWORD *) (base + exportDir->AddressOfNames); \/\/ \u0410\u0434\u0440\u0435\u0441 \u0438\u043c\u0435\u043d \u0444\u0443\u043d\u043a\u0446\u0438\u0439. \tWORD * ordPtr = (WORD *) (base + exportDir->AddressOfNameOrdinals); \/\/\u0410\u0434\u0440\u0435\u0441 \u0438\u043c\u0435\u043d\u0438 \u0434\u043b\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u0438. \tfor(;_stricmp((const char *) (base +*namePtr), "GetProcAddress"); ++namePtr, ++ordPtr); \tDWORD funcRVA = *(DWORD *) (base + exportDir->AddressOfFunctions + *ordPtr * 4);  \tauto myGetProcAddress = (GetProcAddress_t) (base + funcRVA); \/\/\u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0430\u0434\u0440\u0435\u0441 GetProcAddress. <\/code><\/pre>\n
  \u0411\u0430\u0437\u043e\u0432\u044b\u0439 \u0430\u0434\u0440\u0435\u0441 PEB \u0434\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0442\u0430\u043a:<\/p>\n
typedef enum _PROCESSINFOCLASS { \tProcessBasicInformation = 0 } PROCESSINFOCLASS;     status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), &dwLength);          if(status != 0x0)     {         printf("NtQueryInformationProcess Error  0x%x\\n", status); \t\texit(EXIT_FAILURE);     }          printf("PEB address : 0x%x\\n", pbi.PebBaseAddress); <\/code><\/pre>\n
  \u0418\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0435 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u0435, \u0447\u0442\u043e \u0435\u0441\u043b\u0438 \u043d\u0435\u043c\u043d\u043e\u0433\u043e \u00ab\u0438\u0441\u043f\u043e\u0440\u0442\u0438\u0442\u044c\u00bb LDR_DATA, \u0442\u0430\u043a\u0438\u0435 api \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u043a\u0430\u043a GetModuleHandleEx \u0438 EnumProcessModules, QueryFullProcessImageName \u043d\u0435 \u0431\u0443\u0434\u0443\u0442 \u0432\u044b\u0434\u0430\u0432\u0430\u0442\u044c \u043d\u0443\u0436\u043d\u044b\u0439 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442, \u0442\u0430\u043a \u043a\u0430\u043a \u043e\u043d\u0438 \u0432\u044b\u0437\u044b\u0432\u0430\u044e\u0442 ReadProcessMemory \u0434\u043b\u044f \u0447\u0442\u0435\u043d\u0438\u044f PEB. \u041a\u043e\u0434\u0430 \u043c\u043d\u043e\u0433\u043e, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u044f\u0446\u0438\u0438 \u0441 PEB \u043e\u0444\u043e\u0440\u043c\u043b\u0435\u043d\u044b \u0432 \u0432\u0438\u0434\u0435 \u043f\u0440\u043e\u0441\u0442\u043e\u0433\u043e \u0442\u0435\u0441\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0430\u0441\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438 \u0442\u0443\u0442<\/a>.    \t<\/p>\n
<\/div>\n<\/p><\/div>\n
 \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438  http:\/\/habrahabr.ru\/post\/187226\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
   \tPEB \u2014 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 \u0432 windows, \u0437\u0430\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u0437\u0430\u0433\u0440\u0443\u0437\u0447\u0438\u043a\u043e\u043c \u043d\u0430 \u044d\u0442\u0430\u043f\u0435 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0438, \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d\u043d\u044b\u0445 \u043c\u043e\u0434\u0443\u043b\u044f\u0445 (LDR_DATA), \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043f\u043e \u0442\u0435\u043a\u0443\u0449\u0435\u043c\u0443 \u043c\u043e\u0434\u0443\u043b\u044e \u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u044b\u0435 \u0434\u043b\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430. \u041c\u043d\u043e\u0433\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0435 api windows, \u043f\u043e\u043b\u0443\u0447\u0430\u044e\u0449\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043c\u043e\u0434\u0443\u043b\u044f\u0445 (\u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0430\u0445) \u0432 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435, \u0432\u044b\u0437\u044b\u0432\u0430\u044e\u0442 ReadProcessMemory \u0434\u043b\u044f \u0441\u0447\u0438\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0438\u0437 PEB \u043d\u0443\u0436\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430.  <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-187226","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/187226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=187226"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/187226\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=187226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=187226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=187226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}