Some special commands encountered in Disassembly

Source: Internet
Author: User

1. CDQ sign-extends EAX into EDX:EAX (preserving positive and negative values). The instruction copies bit 31 of EAX into every bit of EDX. For example, assume EAX is FFFFFFFB (-5); its bit 31 (the leftmost bit) is 1. After CDQ executes, bit 31 has been copied into every bit of EDX, so EDX is FFFFFFFF and EDX:EAX becomes FFFFFFFF FFFFFFFB. That is a 64-bit number, and its value is still -5.

2. FS: if the program is running under a debugger, the BeingDebugged flag in the PEB structure is set, and you can read it directly to determine whether a debugger is attached. In fact, this is exactly what IsDebuggerPresent does.

Description:

TEB (Thread Environment Block) stores frequently used thread-related data. It is located in the user address space, at a lower address than the PEB. Each thread in the process has its own TEB. All TEBs of a process are stored in linear memory starting from 0x7FFDE000, stack-like: each 4 KB is one complete TEB, and the region grows downward. In user mode the TEB of the current thread sits in its own 4 KB segment and is accessed through the CPU's FS register; it is generally reached as [FS:0]. In user mode the $thread command in WinDbg gives the TEB address.

PEB (Process Environment Block) stores process information; each process has its own PEB. It is located in the user address space. In Windows 2000 the address of the process environment block is fixed for every process at 0x7FFDF000; because this is user address space, the program can access it directly. The exact PEB address should be obtained from offset 0x1B0 of the system's EPROCESS structure, but EPROCESS lives in the system address space, so ring 0 is required to access it. The PEB can also be obtained through offset 0x30 of the TEB structure.
The FS segment register points to the current TEB structure:

    mov eax, fs:[0x30]   ; eax = PEB address
    mov PEB, eax

The FS register points to the TEB (thread structure) of the currently active thread. Its layout, by offset:

    000  pointer to the SEH chain
    004  top of the thread stack
    008  bottom of the thread stack
    00C  SubSystemTib
    010  FiberData
    014  ArbitraryUserPointer
    018  linear address of the FS segment mirror in memory (Self)
    020  process ID
    024  thread ID
    02C  pointer to Thread Local Storage
    030  PEB structure address (process structure)
    034  last error code

So fs:[0] is the start of this thread's TEB. What about fs:[18h]? Let WinDbg tell us:

    0:000> dt -b ntdll!_TEB
       +0x000 NtTib            : _NT_TIB
          +0x000 ExceptionList    : Ptr32
          +0x004 StackBase        : Ptr32
          +0x008 StackLimit       : Ptr32
          +0x00c SubSystemTib     : Ptr32
          +0x010 FiberData        : Ptr32
          +0x010 Version          : Uint4B
          +0x014 ArbitraryUserPointer : Ptr32
          +0x018 Self             : Ptr32
       +0x01c EnvironmentPointer : Ptr32
       +0x020 ClientId         : _CLIENT_ID
          +0x000 UniqueProcess    : Ptr32
          +0x004 UniqueThread     : Ptr32
       +0x028 ActiveRpcHandle  : Ptr32
       +0x02c ThreadLocalStoragePointer : Ptr32
       +0x030 ProcessEnvironmentBlock : Ptr32
       +0x034 LastErrorValue   : Uint4B
       (remaining fields omitted)

Obviously fs:[18h] is a pointer to the TEB itself, and [eax+30h] then yields the PEB address. Now look at the PEB structure:

    0:000> dt -b ntdll!_PEB
       +0x000 InheritedAddressSpace : UChar
       +0x001 ReadImageFileExecOptions : UChar
       +0x002 BeingDebugged    : UChar
       +0x003 SpareBool        : UChar
       +0x004 Mutant           : Ptr32
       +0x008 ImageBaseAddress : Ptr32
       +0x00c Ldr              : Ptr32
       +0x010 ProcessParameters : Ptr32

For ring 3 applications, fs:[0] points to the TEB structure, which begins with an NT_TIB structure. Offset 0x18 of NT_TIB is the Self pointer, which points to the structure itself, i.e. to the beginning of the TEB. Offset 0x30 of the TEB is a pointer to the PEB. Offset 0x2 of the PEB is a UChar named BeingDebugged.
This value is 1 while the process is being debugged and 0 when it is not. So the following code, read line by line:

    mov   eax, dword ptr fs:[18h]    ; eax = TEB pointer
    mov   eax, dword ptr [eax+30h]   ; eax = PEB pointer
    movzx eax, byte ptr [eax+2h]     ; eax = PEB.BeingDebugged (byte zero-extended to dword)

For details of the TEB and PEB structures, run the dt _TEB and dt _PEB commands in WinDbg while kernel debugging.

3. setne cl: if ZF = 1 then cl = 0; if ZF = 0 then cl = 1.
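The three-instruction walk from item 2, replayed in C against a constructed model of the two 4 KB pages so it runs on any host. This is an added example, not code from the original article. The structure layouts follow the WinDbg dt output quoted above (every Ptr32 modelled as uint32_t so offsetof() matches x86), and the page addresses 0x7FFDE000 (TEB) and 0x7FFDF000 (PEB) are the ones the article gives; the AddressSpace type, translate/read helpers and function names are assumptions made for the example.

```c
/* Added example (not from the original article): the fs:[18h] -> [eax+30h] -> byte [eax+2]
 * walk from item 2, replayed against a constructed 32-bit address-space model. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit layouts: every Ptr32 is modelled as uint32_t so offsetof() matches the x86 TEB/PEB. */
typedef struct {
    uint32_t ExceptionList;        /* +0x000  SEH chain */
    uint32_t StackBase;            /* +0x004 */
    uint32_t StackLimit;           /* +0x008 */
    uint32_t SubSystemTib;         /* +0x00c */
    uint32_t FiberData;            /* +0x010  (union with Version) */
    uint32_t ArbitraryUserPointer; /* +0x014 */
    uint32_t Self;                 /* +0x018  linear address of this TEB */
} NT_TIB32;

typedef struct {
    NT_TIB32 NtTib;                     /* +0x000 */
    uint32_t EnvironmentPointer;        /* +0x01c */
    uint32_t UniqueProcess;             /* +0x020  CLIENT_ID.UniqueProcess (PID) */
    uint32_t UniqueThread;              /* +0x024  CLIENT_ID.UniqueThread (TID) */
    uint32_t ActiveRpcHandle;           /* +0x028 */
    uint32_t ThreadLocalStoragePointer; /* +0x02c */
    uint32_t ProcessEnvironmentBlock;   /* +0x030 */
    uint32_t LastErrorValue;            /* +0x034 */
} TEB32;

typedef struct {
    uint8_t  InheritedAddressSpace;    /* +0x000 */
    uint8_t  ReadImageFileExecOptions; /* +0x001 */
    uint8_t  BeingDebugged;            /* +0x002 */
    uint8_t  SpareBool;                /* +0x003 */
    uint32_t Mutant;                   /* +0x004 */
    uint32_t ImageBaseAddress;         /* +0x008 */
    uint32_t Ldr;                      /* +0x00c */
    uint32_t ProcessParameters;        /* +0x010 */
} PEB32;

#define TEB_VA 0x7FFDE000u   /* addresses from the article */
#define PEB_VA 0x7FFDF000u

/* Constructed stand-in for the two 4 KB pages; the FS base is TEB_VA, as on a real x86 thread. */
typedef struct {
    uint8_t teb_page[0x1000];
    uint8_t peb_page[0x1000];
} AddressSpace;

/* Translate a 32-bit linear address to host memory; NULL for anything outside the two pages. */
static const uint8_t *translate(const AddressSpace *as, uint32_t va) {
    if (va >= TEB_VA && va < TEB_VA + 0x1000) return as->teb_page + (va - TEB_VA);
    if (va >= PEB_VA && va < PEB_VA + 0x1000) return as->peb_page + (va - PEB_VA);
    return NULL;
}

static uint32_t read32(const AddressSpace *as, uint32_t va) {
    uint32_t v;
    const uint8_t *p = translate(as, va);
    assert(p != NULL);
    memcpy(&v, p, sizeof v);
    return v;
}

static uint8_t read8(const AddressSpace *as, uint32_t va) {
    const uint8_t *p = translate(as, va);
    assert(p != NULL);
    return *p;
}

/* Build a space where the current thread's TEB points at the PEB, with the given flag value. */
void init_space(AddressSpace *as, uint8_t being_debugged_flag) {
    TEB32 teb = {0};
    PEB32 peb = {0};
    memset(as, 0, sizeof *as);
    teb.NtTib.Self = TEB_VA;               /* fs:[18h] points back at the TEB itself */
    teb.ProcessEnvironmentBlock = PEB_VA;  /* fs:[30h] */
    peb.BeingDebugged = being_debugged_flag;
    memcpy(as->teb_page, &teb, sizeof teb);
    memcpy(as->peb_page, &peb, sizeof peb);
}

/* The three-instruction sequence from the article, one memory read per instruction. */
uint32_t being_debugged(const AddressSpace *as, uint32_t fs_base) {
    uint32_t eax = read32(as, fs_base + 0x18); /* mov eax, dword ptr fs:[18h]  ; TEB */
    eax = read32(as, eax + 0x30);              /* mov eax, dword ptr [eax+30h] ; PEB */
    return read8(as, eax + 0x2);               /* movzx eax, byte ptr [eax+2h] ; BeingDebugged */
}

/* Convenience: build a space with the flag set to v and run the walk over it. */
uint32_t flag_for(uint8_t v) {
    AddressSpace as;
    init_space(&as, v);
    return being_debugged(&as, TEB_VA);
}

/* Sanity check that the modelled layouts reproduce the offsets in the article's table. */
int offsets_match_article(void) {
    return offsetof(NT_TIB32, Self) == 0x18 &&
           offsetof(TEB32, ProcessEnvironmentBlock) == 0x30 &&
           offsetof(TEB32, ThreadLocalStoragePointer) == 0x2c &&
           offsetof(TEB32, LastErrorValue) == 0x34 &&
           offsetof(PEB32, BeingDebugged) == 0x2;
}

int main(void) {
    printf("offsets ok: %d, BeingDebugged (debugger attached): %u, (not attached): %u\n",
           offsets_match_article(), flag_for(1), flag_for(0));
    return 0;
}
```

The walk reads exactly the three cells the disassembly touches, so any protector or sample that inlines this sequence instead of calling IsDebuggerPresent is recognisable by the same fs:[18h] / [eax+30h] / [eax+2] pattern, which is what a reverse engineer or a detection rule looks for.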
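A model of what CDQ does to EDX:EAX in item 1, and of why it matters: IDIV r/m32 divides the 64-bit EDX:EAX, so if EDX is merely zeroed instead of sign-extended the dividend is read as a large positive number. This is an added example, not code from the original article; the RegPair type and the function names are assumptions made for the example, and the register behaviour is modelled in plain C rather than inline assembly.

```c
/* Added example (not from the original article): CDQ sign extension from item 1, modelled in C. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t edx, eax; } RegPair;

/* CDQ: replicate bit 31 of EAX into every bit of EDX. */
RegPair cdq(uint32_t eax) {
    RegPair r;
    r.eax = eax;
    r.edx = (eax & 0x80000000u) ? 0xFFFFFFFFu : 0x00000000u;
    return r;
}

/* The 64-bit dividend IDIV sees: EDX is the high dword, EAX the low dword. */
int64_t dividend(RegPair r) {
    return (int64_t)(((uint64_t)r.edx << 32) | r.eax);
}

/* IDIV r/m32: signed EDX:EAX / divisor; quotient truncates toward zero, as C's / does.
 * Returns 0 and leaves the outputs untouched where hardware would raise #DE
 * (divide by zero, or a quotient that does not fit in EAX). */
int idiv32(RegPair r, int32_t divisor, int32_t *quot, int32_t *rem) {
    int64_t d = dividend(r);
    int64_t q;
    if (divisor == 0) return 0;
    q = d / divisor;
    if (q < INT32_MIN || q > INT32_MAX) return 0;
    *quot = (int32_t)q;
    *rem = (int32_t)(d % divisor);
    return 1;
}

/* Quotient of EAX / divisor, either after CDQ (sign-extended) or with EDX simply zeroed. */
int32_t quotient(uint32_t eax, int32_t divisor, int use_cdq) {
    RegPair r = use_cdq ? cdq(eax) : (RegPair){ 0, eax };
    int32_t q = 0, rm = 0;
    idiv32(r, divisor, &q, &rm);
    return q;
}

int main(void) {
    RegPair ok = cdq(0xFFFFFFFBu);          /* -5, sign-extended as in the article */
    printf("after CDQ: EDX:EAX = %08X %08X = %lld\n",
           ok.edx, ok.eax, (long long)dividend(ok));
    printf("cdq; idiv 2      -> %d\n", quotient(0xFFFFFFFBu, 2, 1));
    printf("xor edx; idiv 2  -> %d\n", quotient(0xFFFFFFFBu, 2, 0));
    return 0;
}
```

When reading a disassembly, the presence or absence of CDQ (or of XOR EDX,EDX) directly before IDIV tells you whether the compiler treated the operand as signed or unsigned, which is often the only hint of the source type.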
