在 64 位 Windows 用户态下，gs:[0x30] 保存 TEB 自身指针（NtTib.Self），gs:[0x60] 保存 PEB 指针（对应下文 TEB64 结构中偏移 0x60 的 ProcessEnvironmentBlock 字段）。注意：PEB/TEB 属于未文档化结构，下面两张偏移表来自某一特定 Windows 版本的符号，字段偏移随版本可能变化，硬编码偏移前应对照目标系统的符号（如 WinDbg 的 `dt ntdll!_PEB`）核实。 ## PEB64 ``` //0x7c8 bytes (sizeof) struct _PEB64 { UCHAR InheritedAddressSpace; //0x0 UCHAR ReadImageFileExecOptions; //0x1 UCHAR BeingDebugged; //0x2 union { UCHAR BitField; //0x3 struct { UCHAR ImageUsesLargePages:1; //0x3 UCHAR IsProtectedProcess:1; //0x3 UCHAR IsImageDynamicallyRelocated:1; //0x3 UCHAR SkipPatchingUser32Forwarders:1; //0x3 UCHAR IsPackagedProcess:1; //0x3 UCHAR IsAppContainer:1; //0x3 UCHAR IsProtectedProcessLight:1; //0x3 UCHAR IsLongPathAwareProcess:1; //0x3 }; }; UCHAR Padding0[4]; //0x4 ULONGLONG Mutant; //0x8 ULONGLONG ImageBaseAddress; //0x10 ULONGLONG Ldr; //0x18 ULONGLONG ProcessParameters; //0x20 ULONGLONG SubSystemData; //0x28 ULONGLONG ProcessHeap; //0x30 ULONGLONG FastPebLock; //0x38 ULONGLONG AtlThunkSListPtr; //0x40 ULONGLONG IFEOKey; //0x48 union { ULONG CrossProcessFlags; //0x50 struct { ULONG ProcessInJob:1; //0x50 ULONG ProcessInitializing:1; //0x50 ULONG ProcessUsingVEH:1; //0x50 ULONG ProcessUsingVCH:1; //0x50 ULONG ProcessUsingFTH:1; //0x50 ULONG ProcessPreviouslyThrottled:1; //0x50 ULONG ProcessCurrentlyThrottled:1; //0x50 ULONG ProcessImagesHotPatched:1; //0x50 ULONG ReservedBits0:24; //0x50 }; }; UCHAR Padding1[4]; //0x54 union { ULONGLONG KernelCallbackTable; //0x58 ULONGLONG UserSharedInfoPtr; //0x58 }; ULONG SystemReserved; //0x60 ULONG AtlThunkSListPtr32; //0x64 ULONGLONG ApiSetMap; //0x68 ULONG TlsExpansionCounter; //0x70 UCHAR Padding2[4]; //0x74 ULONGLONG TlsBitmap; //0x78 ULONG TlsBitmapBits[2]; //0x80 ULONGLONG ReadOnlySharedMemoryBase; //0x88 ULONGLONG SharedData; //0x90 ULONGLONG ReadOnlyStaticServerData; //0x98 ULONGLONG AnsiCodePageData; //0xa0 ULONGLONG OemCodePageData; //0xa8 ULONGLONG UnicodeCaseTableData; //0xb0 ULONG NumberOfProcessors; //0xb8 ULONG NtGlobalFlag; //0xbc union _LARGE_INTEGER CriticalSectionTimeout; //0xc0 ULONGLONG HeapSegmentReserve; //0xc8 ULONGLONG HeapSegmentCommit; //0xd0 ULONGLONG HeapDeCommitTotalFreeThreshold; //0xd8 ULONGLONG 
HeapDeCommitFreeBlockThreshold; //0xe0 ULONG NumberOfHeaps; //0xe8 ULONG MaximumNumberOfHeaps; //0xec ULONGLONG ProcessHeaps; //0xf0 ULONGLONG GdiSharedHandleTable; //0xf8 ULONGLONG ProcessStarterHelper; //0x100 ULONG GdiDCAttributeList; //0x108 UCHAR Padding3[4]; //0x10c ULONGLONG LoaderLock; //0x110 ULONG OSMajorVersion; //0x118 ULONG OSMinorVersion; //0x11c USHORT OSBuildNumber; //0x120 USHORT OSCSDVersion; //0x122 ULONG OSPlatformId; //0x124 ULONG ImageSubsystem; //0x128 ULONG ImageSubsystemMajorVersion; //0x12c ULONG ImageSubsystemMinorVersion; //0x130 UCHAR Padding4[4]; //0x134 ULONGLONG ActiveProcessAffinityMask; //0x138 ULONG GdiHandleBuffer[60]; //0x140 ULONGLONG PostProcessInitRoutine; //0x230 ULONGLONG TlsExpansionBitmap; //0x238 ULONG TlsExpansionBitmapBits[32]; //0x240 ULONG SessionId; //0x2c0 UCHAR Padding5[4]; //0x2c4 union _ULARGE_INTEGER AppCompatFlags; //0x2c8 union _ULARGE_INTEGER AppCompatFlagsUser; //0x2d0 ULONGLONG pShimData; //0x2d8 ULONGLONG AppCompatInfo; //0x2e0 struct _STRING64 CSDVersion; //0x2e8 ULONGLONG ActivationContextData; //0x2f8 ULONGLONG ProcessAssemblyStorageMap; //0x300 ULONGLONG SystemDefaultActivationContextData; //0x308 ULONGLONG SystemAssemblyStorageMap; //0x310 ULONGLONG MinimumStackCommit; //0x318 ULONGLONG SparePointers[4]; //0x320 ULONG SpareUlongs[5]; //0x340 ULONGLONG WerRegistrationData; //0x358 ULONGLONG WerShipAssertPtr; //0x360 ULONGLONG pUnused; //0x368 ULONGLONG pImageHeaderHash; //0x370 union { ULONG TracingFlags; //0x378 struct { ULONG HeapTracingEnabled:1; //0x378 ULONG CritSecTracingEnabled:1; //0x378 ULONG LibLoaderTracingEnabled:1; //0x378 ULONG SpareTracingBits:29; //0x378 }; }; UCHAR Padding6[4]; //0x37c ULONGLONG CsrServerReadOnlySharedMemoryBase; //0x380 ULONGLONG TppWorkerpListLock; //0x388 struct LIST_ENTRY64 TppWorkerpList; //0x390 ULONGLONG WaitOnAddressHashTable[128]; //0x3a0 ULONGLONG TelemetryCoverageHeader; //0x7a0 ULONG CloudFileFlags; //0x7a8 ULONG CloudFileDiagFlags; //0x7ac CHAR 
PlaceholderCompatibilityMode; //0x7b0 CHAR PlaceholderCompatibilityModeReserved[7]; //0x7b1 ULONGLONG LeapSecondData; //0x7b8 union { ULONG LeapSecondFlags; //0x7c0 struct { ULONG SixtySecondEnabled:1; //0x7c0 ULONG Reserved:31; //0x7c0 }; }; ULONG NtGlobalFlag2; //0x7c4 }; ``` ## TEB64 ``` //0x1838 bytes (sizeof) struct _TEB64 { struct _NT_TIB64 NtTib; //0x0 ULONGLONG EnvironmentPointer; //0x38 struct _CLIENT_ID64 ClientId; //0x40 ULONGLONG ActiveRpcHandle; //0x50 ULONGLONG ThreadLocalStoragePointer; //0x58 ULONGLONG ProcessEnvironmentBlock; //0x60 ULONG LastErrorValue; //0x68 ULONG CountOfOwnedCriticalSections; //0x6c ULONGLONG CsrClientThread; //0x70 ULONGLONG Win32ThreadInfo; //0x78 ULONG User32Reserved[26]; //0x80 ULONG UserReserved[5]; //0xe8 ULONGLONG WOW32Reserved; //0x100 ULONG CurrentLocale; //0x108 ULONG FpSoftwareStatusRegister; //0x10c ULONGLONG ReservedForDebuggerInstrumentation[16]; //0x110 ULONGLONG SystemReserved1[30]; //0x190 CHAR PlaceholderCompatibilityMode; //0x280 UCHAR PlaceholderHydrationAlwaysExplicit; //0x281 CHAR PlaceholderReserved[10]; //0x282 ULONG ProxiedProcessId; //0x28c struct _ACTIVATION_CONTEXT_STACK64 _ActivationStack; //0x290 UCHAR WorkingOnBehalfTicket[8]; //0x2b8 LONG ExceptionCode; //0x2c0 UCHAR Padding0[4]; //0x2c4 ULONGLONG ActivationContextStackPointer; //0x2c8 ULONGLONG InstrumentationCallbackSp; //0x2d0 ULONGLONG InstrumentationCallbackPreviousPc; //0x2d8 ULONGLONG InstrumentationCallbackPreviousSp; //0x2e0 ULONG TxFsContext; //0x2e8 UCHAR InstrumentationCallbackDisabled; //0x2ec UCHAR UnalignedLoadStoreExceptions; //0x2ed UCHAR Padding1[2]; //0x2ee struct _GDI_TEB_BATCH64 GdiTebBatch; //0x2f0 struct _CLIENT_ID64 RealClientId; //0x7d8 ULONGLONG GdiCachedProcessHandle; //0x7e8 ULONG GdiClientPID; //0x7f0 ULONG GdiClientTID; //0x7f4 ULONGLONG GdiThreadLocalInfo; //0x7f8 ULONGLONG Win32ClientInfo[62]; //0x800 ULONGLONG glDispatchTable[233]; //0x9f0 ULONGLONG glReserved1[29]; //0x1138 ULONGLONG glReserved2; //0x1220 
ULONGLONG glSectionInfo; //0x1228 ULONGLONG glSection; //0x1230 ULONGLONG glTable; //0x1238 ULONGLONG glCurrentRC; //0x1240 ULONGLONG glContext; //0x1248 ULONG LastStatusValue; //0x1250 UCHAR Padding2[4]; //0x1254 struct _STRING64 StaticUnicodeString; //0x1258 WCHAR StaticUnicodeBuffer[261]; //0x1268 UCHAR Padding3[6]; //0x1472 ULONGLONG DeallocationStack; //0x1478 ULONGLONG TlsSlots[64]; //0x1480 struct LIST_ENTRY64 TlsLinks; //0x1680 ULONGLONG Vdm; //0x1690 ULONGLONG ReservedForNtRpc; //0x1698 ULONGLONG DbgSsReserved[2]; //0x16a0 ULONG HardErrorMode; //0x16b0 UCHAR Padding4[4]; //0x16b4 ULONGLONG Instrumentation[11]; //0x16b8 struct _GUID ActivityId; //0x1710 ULONGLONG SubProcessTag; //0x1720 ULONGLONG PerflibData; //0x1728 ULONGLONG EtwTraceData; //0x1730 ULONGLONG WinSockData; //0x1738 ULONG GdiBatchCount; //0x1740 union { struct _PROCESSOR_NUMBER CurrentIdealProcessor; //0x1744 ULONG IdealProcessorValue; //0x1744 struct { UCHAR ReservedPad0; //0x1744 UCHAR ReservedPad1; //0x1745 UCHAR ReservedPad2; //0x1746 UCHAR IdealProcessor; //0x1747 }; }; ULONG GuaranteedStackBytes; //0x1748 UCHAR Padding5[4]; //0x174c ULONGLONG ReservedForPerf; //0x1750 ULONGLONG ReservedForOle; //0x1758 ULONG WaitingOnLoaderLock; //0x1760 UCHAR Padding6[4]; //0x1764 ULONGLONG SavedPriorityState; //0x1768 ULONGLONG ReservedForCodeCoverage; //0x1770 ULONGLONG ThreadPoolData; //0x1778 ULONGLONG TlsExpansionSlots; //0x1780 ULONGLONG DeallocationBStore; //0x1788 ULONGLONG BStoreLimit; //0x1790 ULONG MuiGeneration; //0x1798 ULONG IsImpersonating; //0x179c ULONGLONG NlsCache; //0x17a0 ULONGLONG pShimData; //0x17a8 ULONG HeapData; //0x17b0 UCHAR Padding7[4]; //0x17b4 ULONGLONG CurrentTransactionHandle; //0x17b8 ULONGLONG ActiveFrame; //0x17c0 ULONGLONG FlsData; //0x17c8 ULONGLONG PreferredLanguages; //0x17d0 ULONGLONG UserPrefLanguages; //0x17d8 ULONGLONG MergedPrefLanguages; //0x17e0 ULONG MuiImpersonation; //0x17e8 union { volatile USHORT CrossTebFlags; //0x17ec USHORT SpareCrossTebBits:16; 
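//0x17ec
};
union
{
    USHORT SameTebFlags;                                                    //0x17ee
    struct
    {
        USHORT SafeThunkCall:1;                                             //0x17ee
        USHORT InDebugPrint:1;                                              //0x17ee
        USHORT HasFiberData:1;                                              //0x17ee
        USHORT SkipThreadAttach:1;                                          //0x17ee
        USHORT WerInShipAssertCode:1;                                       //0x17ee
        USHORT RanProcessInit:1;                                            //0x17ee
        USHORT ClonedThread:1;                                              //0x17ee
        USHORT SuppressDebugMsg:1;                                          //0x17ee
        USHORT DisableUserStackWalk:1;                                      //0x17ee
        USHORT RtlExceptionAttached:1;                                      //0x17ee
        USHORT InitialThread:1;                                             //0x17ee
        USHORT SessionAware:1;                                              //0x17ee
        USHORT LoadOwner:1;                                                 //0x17ee
        USHORT LoaderWorker:1;                                              //0x17ee
        USHORT SkipLoaderInit:1;                                            //0x17ee
        USHORT SpareSameTebBits:1;                                          //0x17ee
    };
};
ULONGLONG TxnScopeEnterCallback;                                            //0x17f0
ULONGLONG TxnScopeExitCallback;                                             //0x17f8
ULONGLONG TxnScopeContext;                                                  //0x1800
ULONG LockCount;                                                            //0x1808
LONG WowTebOffset;                                                          //0x180c
ULONGLONG ResourceRetValue;                                                 //0x1810
ULONGLONG ReservedForWdf;                                                   //0x1818
ULONGLONG ReservedForCrt;                                                   //0x1820
struct _GUID EffectiveContainerId;                                          //0x1828
};
```

## 汇编 ASM

```
.CODE

; GetPc64: return the caller's return address rounded down to a 4 KiB page
; boundary (low 12 bits cleared).
; NOTE: this yields only the page that contains the CALL site, NOT the image
; base. Use the PEB walk below (or the module's own PE headers) for a real
; module base.
GetPc64 proc
    mov rax, [rsp]                  ; return address pushed by the caller's CALL
    mov rcx, 0FFFFFFFFFFFFF000h     ; rcx is volatile in the x64 calling convention;
                                    ; the original used rbx, which is callee-saved
                                    ; and was clobbered without being preserved
    and rax, rcx
    ret
GetPc64 endp

; GetPeb: in 64-bit user mode gs: addresses the TEB, and
; TEB.ProcessEnvironmentBlock lives at offset 0x60 (see the TEB64 listing above).
GetPeb PROC
    mov rax, gs:[60h]
    ret
GetPeb ENDP

END
```

## C++

```
#include <windows.h>
#include <stdio.h>      // printf
#include <tchar.h>      // _tmain
#include <wchar.h>      // _wcsnicmp

extern "C" PVOID64 _cdecl GetPeb();

typedef struct _UNICODE_STRING {
    USHORT Length;          // length in BYTES, not characters
    USHORT MaximumLength;
    PWSTR  Buffer;          // NOT guaranteed to be NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;

/*
 * Locate kernel32.dll by walking PEB -> Ldr -> InInitializationOrderModuleList
 * with hard-coded x64 offsets (the classic position-independent-code technique).
 *
 * Offsets used:
 *   PEB.Ldr                                   = 0x18   (see the PEB64 listing above)
 *   PEB_LDR_DATA.InInitializationOrderModuleList = 0x30
 *   LDR_DATA_TABLE_ENTRY.DllBase              = 0x30  -> node + 0x10
 *   LDR_DATA_TABLE_ENTRY.BaseDllName          = 0x58  -> node + 0x38
 * The last three are not shown in the listings on this page; they are taken
 * from the x64 ntdll layout (InInitializationOrderLinks is at entry + 0x20,
 * so entry offsets are reduced by 0x20 when addressed from the list node).
 * These are undocumented structures - confirm against the target build with
 * `dt ntdll!_PEB_LDR_DATA` / `dt ntdll!_LDR_DATA_TABLE_ENTRY` before relying on them.
 *
 * Fixes versus the original version of this walker:
 *   - It tested `Buffer[12] == L'\0'`, i.e. "any module whose base name is
 *     exactly 12 characters", which also matches e.g. ucrtbase.dll or
 *     msvcp140.dll and reads past Length on shorter names. The name is now
 *     compared by Length and content, case-insensitively (the loader reports
 *     it as "KERNEL32.DLL").
 *   - The loop never terminated: the list is circular and its head lives
 *     inside PEB_LDR_DATA, not inside an LDR_DATA_TABLE_ENTRY, so once the
 *     walk wrapped around it dereferenced garbage. The head is now the
 *     terminator and is never treated as an entry.
 *
 * Prints the module base with "%p" (NULL if kernel32.dll is not found) and
 * returns 0. Interface is unchanged.
 */
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    BYTE* peb = (BYTE*)GetPeb();
    BYTE* ldr = *(BYTE**)(peb + 0x18);                  // PEB.Ldr

    // List head sits inside PEB_LDR_DATA; it is the loop terminator, never an entry.
    LIST_ENTRY* head = (LIST_ENTRY*)(ldr + 0x30);       // InInitializationOrderModuleList
    HMODULE hKernel32 = NULL;

    static const WCHAR target[] = L"kernel32.dll";
    const USHORT targetBytes = (USHORT)(sizeof(target) - sizeof(WCHAR));

    for (LIST_ENTRY* node = head->Flink; node != head && node != NULL; node = node->Flink) {
        UNICODE_STRING* name = (UNICODE_STRING*)((BYTE*)node + 0x38);   // BaseDllName

        // Bound the comparison by Length (bytes): Buffer is not NUL-terminated.
        if (name->Buffer != NULL && name->Length == targetBytes &&
            _wcsnicmp(name->Buffer, target, targetBytes / sizeof(WCHAR)) == 0) {
            hKernel32 = (HMODULE)(*(ULONG64*)((BYTE*)node + 0x10));     // DllBase
            break;
        }
    }

    printf("%p", hKernel32);
    return 0;
}
```

最后修改:2021 年 05 月 27 日 © 允许规范转载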