Author: winwang
Time: 2009-10-27, 17:19
Link: http://bbs.pediy.com/showthread.php?t=100190
I have read the posts of many experts on this forum and have sorted out some of the structures (still a little incomplete)....
All of these are user-mode structures, and every offset below is for 32-bit x86 (XP-era layouts; pointer == 4 bytes).
Thank you for providing such a good learning environment.
Disclaimer: all of the following content was collected from Pediy (看雪) forum posts.
Attachment: A small program for you to read...
FS base = 0x7ffdf000 (the linear address of this thread's TEB in the example; it differs per thread)
nt!_TEB
TEB at FS:0 == 0x7ffdf000
   +0x000 NtTib                     : _NT_TIB        // head of the TEB; NtTib.Self (+0x018) holds the TEB's own linear address, which is why FS:[0x18] yields it
   +0x01c EnvironmentPointer        : Ptr32 Void
   +0x020 ClientId                  : _CLIENT_ID     // UniqueProcess / UniqueThread
   +0x028 ActiveRpcHandle           : Ptr32 Void
   +0x02c ThreadLocalStoragePointer : Ptr32 Void
   +0x030 ProcessEnvironmentBlock   : Ptr32 _PEB     // FS:[0x30] -> PEB, the process environment block (the usual route to PEB.BeingDebugged and PEB.Ldr)
   +0x034 LastErrorValue            : Uint4B         // directly follows the PEB pointer; what GetLastError() reads
   LastStatusValue
   CountOfOwnedCriticalSections
   HardErrorMode
   (the last three lie further into the TEB; their offsets were not listed in the original post)
**************************************** ***
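/*
 * _NT_TIB: the Thread Information Block that starts the TEB.
 * On 32-bit x86 the FS segment base is the TEB, so FS:[0] addresses this
 * structure directly. Offsets are for 32-bit x86 (sizeof == 0x1c);
 * fixed-width types stand in for the SDK's PVOID/DWORD.
 */
typedef struct _NT_TIB {
    /* +0x00 head of the SEH handler chain (FS:[0]); the exception dispatcher
     * walks it from here, which is what makes a stack overwrite of a record
     * so valuable to an attacker (see SafeSEH/SEHOP). */
    struct _EXCEPTION_REGISTRATION *ExceptionList;
    void *StackBase;            /* +0x04 highest address of the thread stack */
    void *StackLimit;           /* +0x08 lowest committed address of the stack -- a limit, not a size */
    void *SubSystemTib;         /* +0x0c */
    union {
        void *FiberData;
        uint32_t Version;       /* +0x10 */
    };
    void *ArbitraryUserPointer; /* +0x14 */
    struct _NT_TIB *Self;       /* +0x18 linear address of this TIB (== the TEB); read via FS:[0x18] */
} NT_TIB;
typedef NT_TIB *PNT_TIB;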
**************************************** ****************
SEH chain head
FS:[0] -> NT_TIB.ExceptionList -> first _EXCEPTION_REGISTRATION record (the dispatcher follows Prev links and calls each Handler in turn)
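/*
 * _EXCEPTION_REGISTRATION: one node of the SEH chain headed by FS:[0]
 * (NT_TIB.ExceptionList). Only the first two members are the record the
 * OS dispatcher requires (winnt.h calls that pair _EXCEPTION_REGISTRATION_RECORD:
 * Next, Handler); the remaining members are what the Visual C++ runtime
 * pushes for a __try/__except frame. Offsets are for 32-bit x86
 * (sizeof == 0x18).
 */
typedef struct _EXCEPTION_REGISTRATION {
    struct _EXCEPTION_REGISTRATION *Prev;   /* +0x00 previous (outer) record; 0xFFFFFFFF marks the end of the chain */
    uint32_t Handler;                       /* +0x04 address of the handler routine -- the value an SEH overwrite replaces */
    struct scopetable_entry *ScopeTable;    /* +0x08 VC++ table describing the function's __try scopes */
    int TryLevel;                           /* +0x0c index of the active __try scope in ScopeTable; -1 when none */
    int _ebp;                               /* +0x10 saved frame pointer of the function that pushed this record */
    struct _EXCEPTION_POINTERS *XPointers;  /* +0x14 filled in by the runtime before a filter runs (GetExceptionInformation) */
} EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;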
//////////////////////////////////////// ////////
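/*
 * _EXCEPTION_POINTERS: the pair handed to an exception filter/handler.
 * Offsets are for 32-bit x86 (sizeof == 0x08).
 */
typedef struct _EXCEPTION_POINTERS {
    struct _EXCEPTION_RECORD *ExceptionRecord; /* +0x00 what happened (code, flags, faulting address) */
    struct _CONTEXT *ContextRecord;            /* +0x04 register state at the fault; a handler that changes it changes where execution resumes */
} EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;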
//////////////////////////////////////// /////////
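/* Must be defined before the structure that uses it (the original listed it afterwards). */
#define EXCEPTION_MAXIMUM_PARAMETERS 15

/*
 * _EXCEPTION_RECORD: description of one exception. Offsets are for
 * 32-bit x86; sizeof == 0x14 + 15 * 4 == 0x50 (the "1ch" in the original
 * listing is not the structure size).
 */
typedef struct _EXCEPTION_RECORD {
    uint32_t ExceptionCode;                     /* +0x00 NTSTATUS-style code, e.g. STATUS_ACCESS_VIOLATION */
    uint32_t ExceptionFlags;                    /* +0x04 e.g. EXCEPTION_NONCONTINUABLE */
    struct _EXCEPTION_RECORD *ExceptionRecord;  /* +0x08 associated (nested) record or NULL -- not a "next" pointer of a list */
    void *ExceptionAddress;                     /* +0x0c address of the faulting instruction */
    uint32_t NumberParameters;                  /* +0x10 number of valid entries in ExceptionInformation */
    uintptr_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; /* +0x14 exception-specific data (for an access violation: [0] read/write flag, [1] faulting address) */
} EXCEPTION_RECORD, *PEXCEPTION_RECORD;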
//////////////////////////////////////// /////////////////////////
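/* Must be defined before the structure that uses it (the original listed it afterwards). */
#define MAXIMUM_SUPPORTED_EXTENSION 512

/*
 * _CONTEXT for 32-bit x86: the register state delivered to an exception
 * handler through EXCEPTION_POINTERS.ContextRecord (and used by
 * Get/SetThreadContext). sizeof == 0x2cc. ContextFlags is a mask saying
 * which register groups below are valid. The x87 area is kept as raw
 * bytes here; winnt.h declares it as FLOATING_SAVE_AREA (0x70 bytes).
 */
typedef struct _CONTEXT {
    uint32_t ContextFlags;      /* +0x00 CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_DEBUG_REGISTERS ... */
    /* debug registers: hardware breakpoints (Dr0-Dr3 addresses, Dr6 status, Dr7 control) */
    uint32_t Dr0;               /* +0x04 */
    uint32_t Dr1;               /* +0x08 */
    uint32_t Dr2;               /* +0x0c */
    uint32_t Dr3;               /* +0x10 */
    uint32_t Dr6;               /* +0x14 */
    uint32_t Dr7;               /* +0x18 */
    /* floating-point register area (FLOATING_SAVE_AREA), +0x1c .. +0x8b */
    uint8_t FloatSave[0x70];
    /* segment registers */
    uint32_t SegGs;             /* +0x8c */
    uint32_t SegFs;             /* +0x90 */
    uint32_t SegEs;             /* +0x94 */
    uint32_t SegDs;             /* +0x98 */
    /* general-purpose registers */
    uint32_t Edi;               /* +0x9c */
    uint32_t Esi;               /* +0xa0 */
    uint32_t Ebx;               /* +0xa4 */
    uint32_t Edx;               /* +0xa8 */
    uint32_t Ecx;               /* +0xac */
    uint32_t Eax;               /* +0xb0 */
    /* control registers: a handler that rewrites Eip/Esp here decides where the thread resumes */
    uint32_t Ebp;               /* +0xb4 */
    uint32_t Eip;               /* +0xb8 */
    uint32_t SegCs;             /* +0xbc */
    uint32_t EFlags;            /* +0xc0 */
    uint32_t Esp;               /* +0xc4 */
    uint32_t SegSs;             /* +0xc8 */
    /* FXSAVE image (SSE state) */
    uint8_t ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]; /* +0xcc */
} CONTEXT, *PCONTEXT;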
**************************************** ****************
FS:[0x30] (TEB.ProcessEnvironmentBlock) -> PEB
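/*
 * _PEB as laid out on 32-bit Windows XP (sizeof == 0x1d8). Reached via
 * FS:[0x30]. The fields near the top -- BeingDebugged (+0x02),
 * ImageBaseAddress (+0x08), Ldr (+0x0c), ProcessHeap (+0x18) and
 * NtGlobalFlag (+0x68) -- are the ones anti-debug checks and
 * position-independent shellcode read, and they are stable across x86
 * versions; many later fields move between OS versions, so do not treat
 * the rest of this table as portable.
 * Fixed-width types stand in for the SDK's UCHAR/ULONG/HANDLE. Two
 * members the original typed as LARGE_INTEGER are declared as ULONG
 * pairs so that the listed offsets hold without 8-byte alignment padding.
 */
typedef struct _PEB {
    uint8_t InheritedAddressSpace;                          /* +0x000 */
    uint8_t ReadImageFileExecOptions;                       /* +0x001 */
    uint8_t BeingDebugged;                                  /* +0x002 set while a debugger is attached; IsDebuggerPresent() returns this byte */
    uint8_t SpareBool;                                      /* +0x003 */
    void *Mutant;                                           /* +0x004 HANDLE */
    void *ImageBaseAddress;                                 /* +0x008 load address of the main executable */
    struct _PEB_LDR_DATA *Ldr;                              /* +0x00c loaded-module lists */
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; /* +0x010 command line, environment, cwd ... */
    uint32_t SubSystemData;                                 /* +0x014 */
    void *ProcessHeap;                                      /* +0x018 default process heap (called DefaultHeap in the original post) */
    void *FastPebLock;                                      /* +0x01c pointer to an RTL_CRITICAL_SECTION (listed as KSPIN_LOCK in the original) */
    uint32_t FastPebLockRoutine;                            /* +0x020 */
    uint32_t FastPebUnlockRoutine;                          /* +0x024 */
    uint32_t EnvironmentUpdateCount;                        /* +0x028 */
    uint32_t KernelCallbackTable;                           /* +0x02c */
    uint32_t SystemReserved[2];                             /* +0x030 (8 bytes) */
    struct _PEB_FREE_BLOCK *FreeList;                       /* +0x038 */
    uint32_t TlsExpansionCounter;                           /* +0x03c */
    uint32_t TlsBitmap;                                     /* +0x040 */
    uint32_t TlsBitmapBits[2];                              /* +0x044 (8 bytes, 4-byte aligned) */
    uint32_t ReadOnlySharedMemoryBase;                      /* +0x04c */
    uint32_t ReadOnlySharedMemoryHeap;                      /* +0x050 */
    uint32_t ReadOnlyStaticServerData;                      /* +0x054 */
    uint32_t AnsiCodePageData;                              /* +0x058 */
    uint32_t OemCodePageData;                               /* +0x05c */
    uint32_t UnicodeCaseTableData;                          /* +0x060 */
    uint32_t NumberOfProcessors;                            /* +0x064 */
    uint32_t NtGlobalFlag;                                  /* +0x068 process copy of the NtGlobalFlag; heap-debug bits get set when created under a debugger */
    uint32_t NtGlobalFlagPad;                               /* +0x06c the original covered 0x68-0x6f with one 8-byte field */
    int64_t CriticalSectionTimeout;                         /* +0x070 */
    uint32_t HeapSegmentReserve;                            /* +0x078 */
    uint32_t HeapSegmentCommit;                             /* +0x07c */
    uint32_t HeapDeCommitTotalFreeThreshold;                /* +0x080 */
    uint32_t HeapDeCommitFreeBlockThreshold;                /* +0x084 */
    uint32_t NumberOfHeaps;                                 /* +0x088 */
    uint32_t MaximumNumberOfHeaps;                          /* +0x08c */
    uint32_t ProcessHeaps;                                  /* +0x090 */
    uint32_t GdiSharedHandleTable;                          /* +0x094 */
    uint32_t ProcessStarterHelper;                          /* +0x098 */
    uint32_t GdiDCAttributeList;                            /* +0x09c */
    void *LoaderLock;                                       /* +0x0a0 pointer to the loader critical section (listed as KSPIN_LOCK in the original) */
    uint32_t OSMajorVersion;                                /* +0x0a4 */
    uint32_t OSMinorVersion;                                /* +0x0a8 */
    uint16_t OSBuildNumber;                                 /* +0x0ac */
    uint16_t OSCSDVersion;                                  /* +0x0ae */
    uint32_t OSPlatformId;                                  /* +0x0b0 */
    uint32_t ImageSubsystem;                                /* +0x0b4 */
    uint32_t ImageSubsystemMajorVersion;                    /* +0x0b8 */
    uint32_t ImageSubsystemMinorVersion;                    /* +0x0bc */
    uint32_t ImageProcessAffinityMask;                      /* +0x0c0 */
    uint32_t GdiHandleBuffer[0x22];                         /* +0x0c4 (0x88 bytes) */
    uint32_t PostProcessInitRoutine;                        /* +0x14c */
    uint32_t TlsExpansionBitmap;                            /* +0x150 */
    uint8_t TlsExpansionBitmapBits[0x80];                   /* +0x154 */
    uint32_t SessionId;                                     /* +0x1d4 */
} PEB, *PPEB;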
**************************************** ***********
PEB+0x0c (PEB.Ldr) -> PEB_LDR_DATA
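/*
 * _PEB_LDR_DATA (PEB+0x0c): the loader's bookkeeping for the modules
 * mapped in the process. The three list heads thread through the same
 * LDR_MODULE entries in different orders; walking any of them enumerates
 * every loaded DLL without calling an API. Offsets are for 32-bit x86
 * (sizeof == 0x24). LIST_ENTRY is the ntdef.h two-pointer list node.
 */
typedef struct _PEB_LDR_DATA {
    uint32_t Length;                            /* +0x00 size of this structure */
    uint8_t Initialized;                        /* +0x04 BOOLEAN */
    void *SsHandle;                             /* +0x08 */
    LIST_ENTRY InLoadOrderModuleList;           /* +0x0c head; links LDR_MODULE+0x00 */
    LIST_ENTRY InMemoryOrderModuleList;         /* +0x14 head; links LDR_MODULE+0x08 */
    LIST_ENTRY InInitializationOrderModuleList; /* +0x1c head; links LDR_MODULE+0x10 */
} PEB_LDR_DATA, *PPEB_LDR_DATA;                 /* +0x24 end */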
**************************************** *****************
PEB_LDR_DATA.In*OrderModuleList -> LIST_ENTRY
nt!_LIST_ENTRY
   +0x000 Flink : Ptr32 _LIST_ENTRY // forward link: the next entry in the list
   +0x004 Blink : Ptr32 _LIST_ENTRY // backward link: the previous entry in the list
Each list is circular and links to the matching LIST_ENTRY embedded inside an LDR_MODULE, not to the start of the LDR_MODULE; subtract that member's offset (CONTAINING_RECORD) to reach the entry.
**************************************** ****************
LIST_ENTRY at LDR_MODULE+0x00 (InLoadOrderModuleList) -> LDR_MODULE
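/*
 * LDR_MODULE (the ntdll symbol is _LDR_DATA_TABLE_ENTRY): one loaded
 * module, threaded onto the three PEB_LDR_DATA lists by the LIST_ENTRY
 * members at its head. Offsets are for 32-bit x86 (sizeof == 0x48).
 * A link taken from the InMemoryOrder / InInitializationOrder list points
 * at +0x08 / +0x10 of the entry, so subtract that offset to get the
 * LDR_MODULE. LIST_ENTRY and UNICODE_STRING (Length, MaximumLength,
 * Buffer) are the ntdef.h types.
 *
 * The original annotated +0x10 with "NTDLL" and +0x18 with "kernel32.dll".
 * Presumably this refers to the XP-era shellcode trick of taking the
 * second entry of the initialization-order list (ntdll first, kernel32
 * second) and reading BaseAddress 8 bytes past its links. On Vista and
 * later the order differs, so code that needs kernel32 should match
 * BaseDllName rather than rely on list position.
 */
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;           /* +0x00 */
    LIST_ENTRY InMemoryOrderModuleList;         /* +0x08 */
    LIST_ENTRY InInitializationOrderModuleList; /* +0x10 */
    void *BaseAddress;                          /* +0x18 image base (what GetModuleHandle returns) */
    void *EntryPoint;                           /* +0x1c */
    uint32_t SizeOfImage;                       /* +0x20 */
    UNICODE_STRING FullDllName;                 /* +0x24 full path of the module */
    UNICODE_STRING BaseDllName;                 /* +0x2c file name only; the string to compare when looking a module up */
    uint32_t Flags;                             /* +0x34 */
    int16_t LoadCount;                          /* +0x38 */
    int16_t TlsIndex;                           /* +0x3a */
    void *SectionHandle;                        /* +0x3c */
    uint32_t CheckSum;                          /* +0x40 */
    uint32_t TimeDateStamp;                     /* +0x44 */
} LDR_MODULE, *PLDR_MODULE;                     /* +0x48 end */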
**************************************** ***************