First, the two structures involved, the PEB and the TEB:
PEB (Process Environment Block): holds per-process information. Each process has its own PEB, and it lives in the user-mode address space.
TEB (Thread Environment Block): the system keeps frequently used thread-related data here. It also lives in the user-mode address space, at a lower address than the PEB.
Every thread in a process has its own TEB.
Write a Windows program that calls the IsDebuggerPresent function. Open it in OllyDbg (OD) and set a breakpoint on IsDebuggerPresent.
Step into IsDebuggerPresent in OD; the whole function is three instructions plus the return:

    74E23789 >  64:A1 18000000   mov   eax, dword ptr fs:[18]    ; fs:[18] = linear address of the TEB
    74E2378F    8B40 30          mov   eax, dword ptr [eax+30]   ; TEB+0x30 = pointer to the PEB
    74E23792    0FB640 02        movzx eax, byte ptr [eax+2]     ; PEB+0x02 = BeingDebugged
    74E23796    C3               retn
Trace to the third instruction:

    74E23792    0FB640 02        movzx eax, byte ptr [eax+2]
The register pane at this point shows:

    ds:[7efde002]=01
    eax=7efde000

Following ds:[7efde002] in the data dump window shows:

    7efde002  01
Because we opened the program in OD, it is in the debugged state, so the byte at address 7efde002 is 01; when the process is not being debugged it is 00. (If you change this byte, IsDebuggerPresent's check is fooled.)
The 01 at address 7efde002 is therefore the flag that IsDebuggerPresent reads from memory to decide whether a debugger is present.
The layout of struct _PEB below is taken from this CSDN blog post: http://blog.csdn.net/waveradio/article/details/2681346

    typedef struct _PEB {                        // size: 0x1d8
    /*000*/ UCHAR  InheritedAddressSpace;
    /*001*/ UCHAR  ReadImageFileExecOptions;
    /*002*/ UCHAR  BeingDebugged;
    /*003*/ UCHAR  SpareBool;                    // allocation size
    /*004*/ HANDLE Mutant;
    /*008*/ HINSTANCE ImageBaseAddress;          // instance
    /*00c*/ VOID  *DllList;
    /*010*/ PPROCESS_PARAMETERS *ProcessParameters;
    /*014*/ ULONG  SubSystemData;
    /*018*/ HANDLE DefaultHeap;
    /*01c*/ KSPIN_LOCK FastPebLock;
    /*020*/ ULONG  FastPebLockRoutine;
    /*024*/ ULONG  FastPebUnlockRoutine;
    /*028*/ ULONG  EnvironmentUpdateCount;
    /*02c*/ ULONG  KernelCallbackTable;
    /*030*/ LARGE_INTEGER SystemReserved;
    /*038*/ ULONG  FreeList;
    /*03c*/ ULONG  TlsExpansionCounter;
    /*040*/ ULONG  TlsBitmap;
    /*044*/ LARGE_INTEGER TlsBitmapBits;
    /*04c*/ ULONG  ReadOnlySharedMemoryBase;
    /*050*/ ULONG  ReadOnlySharedMemoryHeap;
    /*054*/ ULONG  ReadOnlyStaticServerData;
    /*058*/ ULONG  AnsiCodePageData;
    /*05c*/ ULONG  OemCodePageData;
    /*060*/ ULONG  UnicodeCaseTableData;
    /*064*/ ULONG  NumberOfProcessors;
    /*068*/ LARGE_INTEGER NtGlobalFlag;          // address of a local copy
    /*070*/ LARGE_INTEGER CriticalSectionTimeout;
    /*078*/ ULONG  HeapSegmentReserve;
    /*07c*/ ULONG  HeapSegmentCommit;
    /*080*/ ULONG  HeapDeCommitTotalFreeThreshold;
    /*084*/ ULONG  HeapDeCommitFreeBlockThreshold;
    /*088*/ ULONG  NumberOfHeaps;
    /*08c*/ ULONG  MaximumNumberOfHeaps;
    /*090*/ ULONG  ProcessHeaps;
    /*094*/ ULONG  GdiSharedHandleTable;
    /*098*/ ULONG  ProcessStarterHelper;
    /*09c*/ ULONG  GdiDCAttributeList;
    /*0a0*/ KSPIN_LOCK LoaderLock;
    /*0a4*/ ULONG  OSMajorVersion;
    /*0a8*/ ULONG  OSMinorVersion;
    /*0ac*/ USHORT OSBuildNumber;
    /*0ae*/ USHORT OSCSDVersion;
    /*0b0*/ ULONG  OSPlatformId;
    /*0b4*/ ULONG  ImageSubsystem;
    /*0b8*/ ULONG  ImageSubsystemMajorVersion;
    /*0bc*/ ULONG  ImageSubsystemMinorVersion;
    /*0c0*/ ULONG  ImageProcessAffinityMask;
    /*0c4*/ ULONG  GdiHandleBuffer[0x22];
    /*14c*/ ULONG  PostProcessInitRoutine;
    /*150*/ ULONG  TlsExpansionBitmap;
    /*154*/ UCHAR  TlsExpansionBitmapBits[0x80];
    /*1d4*/ ULONG  SessionId;
    } PEB, *PPEB;
Address 7efde002 corresponds to this field of the PEB:

    /*002*/ UCHAR BeingDebugged;

So the base address of the PEB is 7efde002 minus 2, i.e. 7efde000, which is exactly the value eax held before the movzx.
From the same layout you can also work out the address of NtGlobalFlag:

    /*068*/ LARGE_INTEGER NtGlobalFlag;          // address of a local copy

PEB base 7efde000 plus offset 0x68 gives 7efde068 as the address of NtGlobalFlag.
Following that address in the data dump window shows:

    7efde068  70

Because we are running under OD, the value at address 7efde068 is 70; this is a second value a program can check to detect a debugger.
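The following is an added example, written for this article rather than taken from it or from any library, that ties the two observations together in C. It reproduces the three-instruction logic of IsDebuggerPresent (PEB+0x02) and the NtGlobalFlag check (PEB+0x68) over a PEB image. Assumptions: the 32-bit offsets from the _PEB layout quoted above; the observed 0x70 is read as a 32-bit value, which is the sum of the three heap-checking flags FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK (0x20) and FLG_HEAP_VALIDATE_PARAMETERS (0x40) that the loader sets when a process is started under a debugger; the sample PEB buffer is constructed to mirror the dump above; and the live-PEB helper uses the MSVC-only intrinsic `__readfsdword`, so it is compiled only for a 32-bit MSVC build and the rest runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the 32-bit _PEB layout quoted in the article. */
#define PEB_OFF_BEINGDEBUGGED 0x002
#define PEB_OFF_NTGLOBALFLAG  0x068
#define PEB_SIZE              0x1d8

/* Heap-check flags gflags/the loader set in NtGlobalFlag for a debugged process;
   0x10 + 0x20 + 0x40 = 0x70, the value seen at 7efde068. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)

/* Little-endian 32-bit read, so the check does not depend on host alignment rules. */
static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same test as the movzx in IsDebuggerPresent: the byte at PEB+0x02. */
int peb_being_debugged(const uint8_t *peb) {
    return peb[PEB_OFF_BEINGDEBUGGED] != 0;
}

/* NtGlobalFlag at PEB+0x68 (assumption: treated as a 32-bit value). */
uint32_t peb_ntglobalflag(const uint8_t *peb) {
    return read_u32_le(peb + PEB_OFF_NTGLOBALFLAG);
}

/* Second indicator: all three heap-check flags set at once. */
int peb_ntglobalflag_looks_debugged(const uint8_t *peb) {
    return (peb_ntglobalflag(peb) & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

/* Constructed PEB image mirroring the article's dump: 01 at +0x02, 70 at +0x68. */
void build_sample_peb(uint8_t *peb, int debugged) {
    memset(peb, 0, PEB_SIZE);
    if (debugged) {
        peb[PEB_OFF_BEINGDEBUGGED] = 0x01;
        peb[PEB_OFF_NTGLOBALFLAG]  = 0x70;   /* low byte of the little-endian value */
    }
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>
/* Live PEB on 32-bit Windows, the same walk as the disassembly: fs:[0x18] is the TEB
   and TEB+0x30 holds the PEB pointer, so fs:[0x30] reads the PEB pointer directly. */
static const uint8_t *live_peb(void) {
    return (const uint8_t *)__readfsdword(0x30);
}
#endif

static void report(const char *label, const uint8_t *peb) {
    printf("%s: BeingDebugged=%d NtGlobalFlag=0x%08x heap-check-flags=%s\n",
           label, peb_being_debugged(peb), peb_ntglobalflag(peb),
           peb_ntglobalflag_looks_debugged(peb) ? "all set" : "not all set");
}

int main(void) {
    uint8_t peb[PEB_SIZE];
    build_sample_peb(peb, 1);
    report("constructed PEB (debugged)", peb);
    build_sample_peb(peb, 0);
    report("constructed PEB (not debugged)", peb);
#if defined(_MSC_VER) && defined(_M_IX86)
    report("live PEB", live_peb());
#endif
    return 0;
}
```

Both indicators are read from memory the process itself owns, which is why the article can flip them in OD: a defender analysing a sample should expect either byte to be checked directly rather than through the IsDebuggerPresent import.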
Explaining the Windows PEB (process environment block) structure through IsDebuggerPresent