нет. Там двусвязный список с информацией о загруженных модулях. Точки входа непосредственно exe-шника там нет
Первый модуль в списке и есть инфа о экзешнике. Код (Text): assume fs:nothing mov eax,fs:[TEB.Peb] mov eax,PEB.Ldr[eax] mov eax,PEB_LDR_DATA.InLoadOrderModuleList.Flink[eax] mov eax,LDR_DATA_TABLE_ENTRY.EntryPoint[eax]
Код (Text):
/*
 * Process Environment Block, 32-bit layout: the trailing offset comments advance
 * by 4 bytes per PVOID/ULONG (Mutant 04h, ImageBaseAddress 08h, ...), so this is
 * the x86 PEB, not the x64 one.
 * NOTE(review): this is an undocumented structure; the offsets describe one build
 * and should be checked against the target OS version before code relies on them.
 * The loader walk shown elsewhere in this thread reads only Ldr (0Ch).
 */
typedef struct _PEB {
    UCHAR InheritedAddressSpace;                     // 00h
    UCHAR ReadImageFileExecOptions;                  // 01h
    UCHAR BeingDebugged;                             // 02h  the flag IsDebuggerPresent() reports
    UCHAR Spare;                                     // 03h
    PVOID Mutant;                                    // 04h
    PVOID ImageBaseAddress;                          // 08h  image base only; the entry point lives in the loader entry (LDR_MODULE.EntryPoint)
    PPEB_LDR_DATA Ldr;                               // 0Ch  head of the loaded-module lists (PEB_LDR_DATA below)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;  // 10h  CommandLine etc.
    PVOID SubSystemData;                             // 14h
    PVOID ProcessHeap;                               // 18h
    PVOID FastPebLock;                               // 1Ch
    PPEBLOCKROUTINE FastPebLockRoutine;              // 20h
    PPEBLOCKROUTINE FastPebUnlockRoutine;            // 24h
    ULONG EnvironmentUpdateCount;                    // 28h
    PVOID* KernelCallbackTable;                      // 2Ch
    PVOID EventLogSection;                           // 30h
    PVOID EventLog;                                  // 34h
    PPEB_FREE_BLOCK FreeList;                        // 38h
    ULONG TlsExpansionCounter;                       // 3Ch
    PVOID TlsBitmap;                                 // 40h
    ULONG TlsBitmapBits[0x2];                        // 44h
    PVOID ReadOnlySharedMemoryBase;                  // 4Ch
    PVOID ReadOnlySharedMemoryHeap;                  // 50h
    PVOID* ReadOnlyStaticServerData;                 // 54h
    PVOID AnsiCodePageData;                          // 58h
    PVOID OemCodePageData;                           // 5Ch
    PVOID UnicodeCaseTableData;                      // 60h
    ULONG NumberOfProcessors;                        // 64h
    ULONG NtGlobalFlag;                              // 68h
    UCHAR Spare2[0x4];                               // 6Ch
    LARGE_INTEGER CriticalSectionTimeout;            // 70h
    ULONG HeapSegmentReserve;                        // 78h
    ULONG HeapSegmentCommit;                         // 7Ch
    ULONG HeapDeCommitTotalFreeThreshold;            // 80h
    ULONG HeapDeCommitFreeBlockThreshold;            // 84h
    ULONG NumberOfHeaps;                             // 88h
    ULONG MaximumNumberOfHeaps;                      // 8Ch
    PVOID** ProcessHeaps;                            // 90h
    PVOID GdiSharedHandleTable;                      // 94h
    PVOID ProcessStarterHelper;                      // 98h
    PVOID GdiDCAttributeList;                        // 9Ch
    PVOID LoaderLock;                                // A0h
    ULONG OSMajorVersion;                            // A4h
    ULONG OSMinorVersion;                            // A8h
    ULONG OSBuildNumber;                             // ACh
    ULONG OSPlatformId;                              // B0h
    ULONG ImageSubSystem;                            // B4h
    ULONG ImageSubSystemMajorVersion;                // B8h
    // NOTE(review): the offsets jump from B8h to C0h across a single ULONG, and
    // GdiHandleBuffer follows at C4h, so 4 bytes are unaccounted for here: either
    // a field is missing from this listing or the comment below should read BCh.
    ULONG ImageSubSystemMinorVersion;                // C0h
    ULONG GdiHandleBuffer[0x22];                     // C4h
} PEB, *PPEB;
--- Собственно и TEB до кучи:
// +++
// User-Mode Thread Environment Block (UTEB)
// Selector 0x3B: DPL=3, Base=0x7FFDE00 (1st thread), Lim=0x00000FFF
// Base is updated at every thread switch.
// Loaded into FS in User Mode
// ---
/*
 * Thread Environment Block, 32-bit layout (same 4-byte pointer stride as the PEB).
 * The code in this thread reads two fields through FS: Tib.Self (NT_TIB offset
 * 18h, the TEB's own linear address) and Peb (30h).
 * NOTE(review): undocumented structure; verify the offsets against the target
 * OS version before depending on anything beyond Tib and Peb.
 */
typedef struct _TEB {
    NT_TIB Tib;                                      // 00h  NT_TIB is defined further down in this thread
    PVOID EnvironmentPointer;                        // 1Ch
    CLIENT_ID Cid;                                   // 20h
    PVOID ActiveRpcInfo;                             // 28h
    PVOID ThreadLocalStoragePointer;                 // 2Ch
    PPEB Peb;                                        // 30h  what "mov eax,fs:[TEB.Peb]" and NtGetCurrentTeb()->Peb read
    ULONG LastErrorValue;                            // 34h
    ULONG CountOfOwnedCriticalSections;              // 38h
    PVOID CsrClientThread;                           // 3Ch
    struct _W32THREAD* Win32ThreadInfo;              // 40h
    ULONG Win32ClientInfo[0x1F];                     // 44h
    PVOID WOW32Reserved;                             // C0h
    ULONG CurrentLocale;                             // C4h
    ULONG FpSoftwareStatusRegister;                  // C8h
    PVOID SystemReserved1[0x36];                     // CCh
    PVOID Spare1;                                    // 1A4h
    LONG ExceptionCode;                              // 1A8h
    // NOTE(review): ULONG[0x28] occupies 0xA0 bytes, but the next offset (1D4h) is
    // only 0x28 bytes further on; the element type was probably meant to be UCHAR.
    // Confirm before using any field below this point.
    ULONG SpareBytes1[0x28];                         // 1ACh
    PVOID SystemReserved2[0xA];                      // 1D4h
    // NOTE(review): the field below is commented out, yet the offsets that follow
    // still account for it: 1FCh + sizeof(GDI_TEB_BATCH) (8 + 0x136*4 = 0x4E0)
    // = 6DCh. As written, gdiRgn and everything after it sit 0x4E0 bytes earlier
    // than the comments say, and sizeof(TEB) is short by the same amount. None
    // of the code in this thread reads those fields.
    // GDI_TEB_BATCH GdiTebBatch; // 1FCh
    ULONG gdiRgn;                                    // 6DCh
    ULONG gdiPen;                                    // 6E0h
    ULONG gdiBrush;                                  // 6E4h
    CLIENT_ID RealClientId;                          // 6E8h
    PVOID GdiCachedProcessHandle;                    // 6F0h
    ULONG GdiClientPID;                              // 6F4h
    ULONG GdiClientTID;                              // 6F8h
    PVOID GdiThreadLocaleInfo;                       // 6FCh
    PVOID UserReserved[5];                           // 700h
    PVOID glDispatchTable[0x118];                    // 714h
    ULONG glReserved1[0x1A];                         // B74h
    PVOID glReserved2;                               // BDCh
    PVOID glSectionInfo;                             // BE0h
    PVOID glSection;                                 // BE4h
    PVOID glTable;                                   // BE8h
    PVOID glCurrentRC;                               // BECh
    PVOID glContext;                                 // BF0h
    NTSTATUS LastStatusValue;                        // BF4h
    UNICODE_STRING StaticUnicodeString;              // BF8h
    WCHAR StaticUnicodeBuffer[0x105];                // C00h
    PVOID DeallocationStack;                         // E0Ch
    PVOID TlsSlots[0x40];                            // E10h
    LIST_ENTRY TlsLinks;                             // F10h
    PVOID Vdm;                                       // F18h
    PVOID ReservedForNtRpc;                          // F1Ch
    PVOID DbgSsReserved[0x2];                        // F20h
    ULONG HardErrorDisabled;                         // F28h
    PVOID Instrumentation[0x10];                     // F2Ch
    PVOID WinSockData;                               // F6Ch
    ULONG GdiBatchCount;                             // F70h
    ULONG Spare2;                                    // F74h
    ULONG Spare3;                                    // F78h
    ULONG Spare4;                                    // F7Ch
    PVOID ReservedForOle;                            // F80h
    ULONG WaitingOnLoaderLock;                       // F84h
    PVOID WineDebugInfo;                             // Needed for WINE DLL's
} TEB, *PTEB;
--- Для полноты картины еще и это:
/* Thread Information Block: the first 1Ch bytes of the TEB. */
typedef struct _NT_TIB {
    struct _EXCEPTION_REGISTRATION_RECORD* ExceptionList; // 00h
    PVOID StackBase;                                 // 04h
    PVOID StackLimit;                                // 08h
    PVOID SubSystemTib;                              // 0Ch
    union {
        PVOID FiberData;                             // 10h
        ULONG Version;                               // 10h
    } Fib;
    PVOID ArbitraryUserPointer;                      // 14h
    struct _NT_TIB *Self;                            // 18h  linear address of this TEB; "mov eax, fs:[0x18]" reads it
} NT_TIB, *PNT_TIB;
/* 0x4E0 bytes: 2 ULONGs plus 0x136 ULONGs (see the GdiTebBatch note in TEB). */
typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    ULONG HDC;
    ULONG Buffer[0x136];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
/* Pointed to by PEB.Ldr. Each LIST_ENTRY is the head of a circular list of
 * loader entries (LDR_MODULE below); the first InLoadOrderModuleList entry is
 * the process image itself. */
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
/* One loaded module. The assembly reply and the function listing in this thread
 * call the same record LDR_DATA_TABLE_ENTRY and name the first link
 * InLoadOrderLinks; only the names differ for the members used there
 * (the load-order link, EntryPoint, FullDllName). Because the link is the first
 * member, CONTAINING_RECORD on a Flink is the entry's own address. */
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;              // not used
    LIST_ENTRY InInitializationOrderModuleList;      // not used
    PVOID BaseAddress;
    ULONG EntryPoint;                                // the per-module entry point asked about at the top of the thread
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;                      // length-counted (UNICODE_STRING.Length, bytes), not necessarily NUL-terminated
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    HANDLE SectionHandle;
    ULONG CheckSum;
    ULONG TimeDateStamp;
#ifdef KDBG
    IMAGE_SYMBOL_INFO SymbolInfo;
#endif /* KDBG */
} LDR_MODULE, *PLDR_MODULE;
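LdrSelfDataTable Код (Text):
/*
 * Helpers that locate the current process's loader data by walking TEB -> PEB
 * -> PEB_LDR_DATA directly instead of through documented APIs.
 *
 * 32-bit MSVC only: the inline __asm reads the TEB through FS (FS holds the TEB
 * in user mode, see the TEB comment header in this thread). Every __try/__except
 * deliberately swallows access violations and reports failure as NULL, so every
 * caller must check for NULL.
 *
 * Fixes relative to the original listing: NtGetCurrentTeb() stored into an
 * undeclared "Teb" instead of pTeb, LdrProcess() assigned to an undeclared
 * "Ldrdata" instead of pLdrdata, CurrentModuleName() called LdrSelfDataTable()
 * before its definition (implicit declaration) and dereferenced its result
 * without a NULL check. Prototypes are declared up front so definition order
 * no longer matters.
 */
PTEB NtGetCurrentTeb(void);
PPEB_LDR_DATA LdrProcess(void);
PLDR_DATA_TABLE_ENTRY LdrDataTables(void);
PLDR_DATA_TABLE_ENTRY LdrSelfDataTable(void);
PLDR_DATA_TABLE_ENTRY LdrNtdllDataTable(void);
PWCHAR CurrentModuleName(void);
PWCHAR LdrCommandLine(void);

/*
 * Current thread's TEB. FS:[0x18] is NT_TIB.Self (offset 18h), which holds the
 * linear address of the TEB itself, so no further fixups are needed.
 * Returns the TEB pointer (never NULL on a normally initialised thread).
 */
PTEB NtGetCurrentTeb(void)
{
    PTEB pTeb = NULL;
    __asm {
        mov eax, fs:[0x18]
        mov [pTeb], eax
    }
    return pTeb;
}

/*
 * Loader data of the process (PEB.Ldr at offset 0Ch).
 * Returns NULL if any pointer on the TEB -> PEB -> Ldr chain faults.
 */
PPEB_LDR_DATA LdrProcess(void)
{
    PPEB_LDR_DATA pLdrdata = NULL;
    __try {
        pLdrdata = (PPEB_LDR_DATA)(NtGetCurrentTeb()->Peb->Ldr);
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        /* access violation: report failure as NULL */
    }
    return pLdrdata;
}

/*
 * First entry of the in-load-order module list, i.e. the loader entry of the
 * process image (the loader lists the executable first). The link is the first
 * member of the entry, so CONTAINING_RECORD is the entry address itself.
 * Returns NULL on failure.
 */
PLDR_DATA_TABLE_ENTRY LdrDataTables(void)
{
    PLDR_DATA_TABLE_ENTRY pModule = NULL;
    PPEB_LDR_DATA pLdrdata = LdrProcess();
    /* explicit NULL check rather than relying on the fault being caught below */
    if (pLdrdata == NULL) {
        return NULL;
    }
    __try {
        pModule = CONTAINING_RECORD(pLdrdata->InLoadOrderModuleList.Flink,
                                    LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        /* access violation: report failure as NULL */
    }
    return pModule;
}

/*
 * Loader entry describing the executable itself (alias of LdrDataTables()).
 * Returns NULL on failure.
 */
PLDR_DATA_TABLE_ENTRY LdrSelfDataTable(void)
{
    PLDR_DATA_TABLE_ENTRY pSelf = NULL;
    __try {
        pSelf = LdrDataTables();
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        /* access violation: report failure as NULL */
    }
    return pSelf;
}

/*
 * Full path of the executable (FullDllName.Buffer of its loader entry).
 * The buffer is owned by the loader and is a UNICODE_STRING: it is
 * length-counted and need not be NUL-terminated, so prefer FullDllName.Length
 * over treating the result as a C string. Returns NULL on failure.
 */
PWCHAR CurrentModuleName(void)
{
    PLDR_DATA_TABLE_ENTRY pSelf = LdrSelfDataTable();
    /* the original dereferenced pSelf unconditionally; every sibling returns NULL on failure */
    if (pSelf == NULL) {
        return NULL;
    }
    return pSelf->FullDllName.Buffer;
}

/*
 * Second entry of the in-load-order list. The function name assumes the loader
 * places ntdll.dll directly after the executable; nothing here checks
 * BaseDllName, so callers that need a guarantee should compare it — TODO.
 * Returns NULL on failure.
 */
PLDR_DATA_TABLE_ENTRY LdrNtdllDataTable(void)
{
    PLDR_DATA_TABLE_ENTRY pNtdll = NULL;
    PLDR_DATA_TABLE_ENTRY pFirst = LdrDataTables();
    if (pFirst == NULL) {
        return NULL;
    }
    __try {
        pNtdll = CONTAINING_RECORD(pFirst->InLoadOrderLinks.Flink,
                                   LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        /* access violation: report failure as NULL */
    }
    return pNtdll;
}

/*
 * Command line from PEB.ProcessParameters (offset 10h). The pointer aliases
 * memory owned by the process parameters block: do not free it, and remember
 * that CommandLine is a UNICODE_STRING (use CommandLine.Length; the buffer is
 * not guaranteed to be NUL-terminated). Its contents come from whoever started
 * the process and are untrusted input. Returns NULL on failure.
 */
PWCHAR LdrCommandLine(void)
{
    PWCHAR pCmdLine = NULL;
    PPEB pPeb = NULL;
    __try {
        pPeb = NtGetCurrentTeb()->Peb;
        pCmdLine = pPeb->ProcessParameters->CommandLine.Buffer;
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        /* access violation: report failure as NULL */
    }
    return pCmdLine;
}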