flat assembler
Message board for the users of flat assembler.

Index > Windows > Process Environment Block

Goto page Previous  1, 2
Author
Thread Post new topic Reply to topic
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 03 Dec 2010, 14:56
Overflowz,

2+1+1+2*4==12 (i.e. 0xC). Don't guess, use tools provided:
Code:
#include <stddef.h>
#include <stdio.h>
#include <windows.h>

typedef void *PPEB_LDR_DATA, *PRTL_USER_PROCESS_PARAMETERS, *PPS_POST_PROCESS_INIT_ROUTINE;
typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  BYTE                          Reserved4[104];
  PVOID                         Reserved5[52];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved6[128];
  PVOID                         Reserved7[1];
  ULONG                         SessionId;
} PEB, *PPEB;

int main() {
    PEB p;
    printf("offsetof(PEB, Ldr) == %i (%#x)\n", offsetof(PEB, Ldr), offsetof(PEB, Ldr));
    printf("sizeof(PEB.Ldr) == %i (%#x)\n", sizeof(p.Ldr), sizeof(p.Ldr));
}    
Structures in C are subjects for alignment and/or size issues. You may read standard or just compile & run test sample.
Post 03 Dec 2010, 14:56
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 03 Dec 2010, 18:21
baldr
I'm not using C Sad
Post 03 Dec 2010, 18:21
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 03 Dec 2010, 21:48
Hmm.. I'll explain better now. I know sizes are BIT, BYTE, WORD, DWORD, QWORD etc etc.. I don't know what size is "PVOID" for example. Where I can get size of that things ? (Ex. PVOID, LPVOID, ULONG) Thank you.
Post 03 Dec 2010, 21:48
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 03 Dec 2010, 22:40
Overflowz,

Those structures are defined in C, why should anyone expect anything different?

Windows-esque style is to prepend «P» to anything that is pointer.
Post 03 Dec 2010, 22:40
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 03 Dec 2010, 22:53
baldr
I know its defined in C but where I can get that ?
Post 03 Dec 2010, 22:53
View user's profile Send private message Reply with quote
Fyyre



Joined: 07 Jan 2009
Posts: 1
Fyyre 12 Jan 2011, 19:41
That is _PEB structure from MSDN, or something...

Here is real one:

Code:
struct _PEB {

  /*<thisrel this+0x0>*/ /*|0x1|*/ UCHAR InheritedAddressSpace;
  /*<thisrel this+0x1>*/ /*|0x1|*/ UCHAR ReadImageFileExecOptions;
  /*<thisrel this+0x2>*/ /*|0x1|*/ UCHAR BeingDebugged;
  /*<thisrel this+0x3>*/ /*|0x1|*/ UCHAR BitField;
  /*<bitfield this+0x3>*/ /*|0x1|*/ UCHAR ImageUsesLargePages:0:1;
  /*<bitfield this+0x3>*/ /*|0x1|*/ UCHAR IsProtectedProcess:1:1;
  /*<bitfield this+0x3>*/ /*|0x1|*/ UCHAR IsLegacyProcess:2:1;
  /*<bitfield this+0x3>*/ /*|0x1|*/ UCHAR IsImageDynamicallyRelocated:3:1;
  /*<bitfield this+0x3>*/ /*|0x1|*/ UCHAR SkipPatchingUser32Forwarders:4:1;
  /*<bitfield this+0x3>*/ /*|0x1|*/ UCHAR SpareBits:5:3;
  /*<thisrel this+0x8>*/ /*|0x8|*/ void* Mutant;
  /*<thisrel this+0x10>*/ /*|0x8|*/ void* ImageBaseAddress;
  /*<thisrel this+0x18>*/ /*|0x8|*/ struct _PEB_LDR_DATA* Ldr;
  /*<thisrel this+0x20>*/ /*|0x8|*/ struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
  /*<thisrel this+0x28>*/ /*|0x8|*/ void* SubSystemData;
  /*<thisrel this+0x30>*/ /*|0x8|*/ void* ProcessHeap;
  /*<thisrel this+0x38>*/ /*|0x8|*/ struct _RTL_CRITICAL_SECTION* FastPebLock;
  /*<thisrel this+0x40>*/ /*|0x8|*/ void* AtlThunkSListPtr;
  /*<thisrel this+0x48>*/ /*|0x8|*/ void* IFEOKey;
  /*<thisrel this+0x50>*/ /*|0x4|*/ unsigned long CrossProcessFlags;
  /*<bitfield this+0x50>*/ /*|0x4|*/ unsigned long ProcessInJob:0:1;
  /*<bitfield this+0x50>*/ /*|0x4|*/ unsigned long ProcessInitializing:1:1;
  /*<bitfield this+0x50>*/ /*|0x4|*/ unsigned long ProcessUsingVEH:2:1;
  /*<bitfield this+0x50>*/ /*|0x4|*/ unsigned long ProcessUsingVCH:3:1;
  /*<bitfield this+0x50>*/ /*|0x4|*/ unsigned long ProcessUsingFTH:4:1;
  /*<bitfield this+0x50>*/ /*|0x4|*/ unsigned long ReservedBits0:5:1b;
  /*<thisrel this+0x58>*/ /*|0x8|*/ void* KernelCallbackTable;
  /*<thisrel this+0x58>*/ /*|0x8|*/ void* UserSharedInfoPtr;
  /*<thisrel this+0x60>*/ /*|0x4|*/ unsigned long SystemReserved[1];
  /*<thisrel this+0x64>*/ /*|0x4|*/ unsigned long AtlThunkSListPtr32;
  /*<thisrel this+0x68>*/ /*|0x8|*/ void* ApiSetMap;
  /*<thisrel this+0x70>*/ /*|0x4|*/ unsigned long TlsExpansionCounter;
  /*<thisrel this+0x78>*/ /*|0x8|*/ void* TlsBitmap;
  /*<thisrel this+0x80>*/ /*|0x8|*/ unsigned long TlsBitmapBits[2];
  /*<thisrel this+0x88>*/ /*|0x8|*/ void* ReadOnlySharedMemoryBase;
  /*<thisrel this+0x90>*/ /*|0x8|*/ void* HotpatchInformation;
  /*<thisrel this+0x98>*/ /*|0x8|*/ void** ReadOnlyStaticServerData;
  /*<thisrel this+0xa0>*/ /*|0x8|*/ void* AnsiCodePageData;
  /*<thisrel this+0xa8>*/ /*|0x8|*/ void* OemCodePageData;
  /*<thisrel this+0xb0>*/ /*|0x8|*/ void* UnicodeCaseTableData;
  /*<thisrel this+0xb8>*/ /*|0x4|*/ unsigned long NumberOfProcessors;
  /*<thisrel this+0xbc>*/ /*|0x4|*/ unsigned long NtGlobalFlag;
  /*<thisrel this+0xc0>*/ /*|0x8|*/ union _LARGE_INTEGER CriticalSectionTimeout;
  /*<thisrel this+0xc8>*/ /*|0x8|*/ unsigned __int64 HeapSegmentReserve;
  /*<thisrel this+0xd0>*/ /*|0x8|*/ unsigned __int64 HeapSegmentCommit;
  /*<thisrel this+0xd8>*/ /*|0x8|*/ unsigned __int64 HeapDeCommitTotalFreeThreshold;
  /*<thisrel this+0xe0>*/ /*|0x8|*/ unsigned __int64 HeapDeCommitFreeBlockThreshold;
  /*<thisrel this+0xe8>*/ /*|0x4|*/ unsigned long NumberOfHeaps;
  /*<thisrel this+0xec>*/ /*|0x4|*/ unsigned long MaximumNumberOfHeaps;
  /*<thisrel this+0xf0>*/ /*|0x8|*/ void** ProcessHeaps;
  /*<thisrel this+0xf8>*/ /*|0x8|*/ void* GdiSharedHandleTable;
  /*<thisrel this+0x100>*/ /*|0x8|*/ void* ProcessStarterHelper;
  /*<thisrel this+0x108>*/ /*|0x4|*/ unsigned long GdiDCAttributeList;
  /*<thisrel this+0x110>*/ /*|0x8|*/ struct _RTL_CRITICAL_SECTION* LoaderLock;
  /*<thisrel this+0x118>*/ /*|0x4|*/ unsigned long OSMajorVersion;
  /*<thisrel this+0x11c>*/ /*|0x4|*/ unsigned long OSMinorVersion;
  /*<thisrel this+0x120>*/ /*|0x2|*/ unsigned short OSBuildNumber;
  /*<thisrel this+0x122>*/ /*|0x2|*/ unsigned short OSCSDVersion;
  /*<thisrel this+0x124>*/ /*|0x4|*/ unsigned long OSPlatformId;
  /*<thisrel this+0x128>*/ /*|0x4|*/ unsigned long ImageSubsystem;
  /*<thisrel this+0x12c>*/ /*|0x4|*/ unsigned long ImageSubsystemMajorVersion;
  /*<thisrel this+0x130>*/ /*|0x4|*/ unsigned long ImageSubsystemMinorVersion;
  /*<thisrel this+0x138>*/ /*|0x8|*/ unsigned __int64 ActiveProcessAffinityMask;
  /*<thisrel this+0x140>*/ /*|0xf0|*/ unsigned long GdiHandleBuffer[60];
  /*<thisrel this+0x230>*/ /*|0x8|*/ void  (PostProcessInitRoutine*)();
  /*<thisrel this+0x238>*/ /*|0x8|*/ void* TlsExpansionBitmap;
  /*<thisrel this+0x240>*/ /*|0x80|*/ unsigned long TlsExpansionBitmapBits[32];
  /*<thisrel this+0x2c0>*/ /*|0x4|*/ unsigned long SessionId;
  /*<thisrel this+0x2c8>*/ /*|0x8|*/ union _ULARGE_INTEGER AppCompatFlags;
  /*<thisrel this+0x2d0>*/ /*|0x8|*/ union _ULARGE_INTEGER AppCompatFlagsUser;
  /*<thisrel this+0x2d8>*/ /*|0x8|*/ void* pShimData;
  /*<thisrel this+0x2e0>*/ /*|0x8|*/ void* AppCompatInfo;
  /*<thisrel this+0x2e8>*/ /*|0x10|*/ struct _UNICODE_STRING CSDVersion;
  /*<thisrel this+0x2f8>*/ /*|0x8|*/ struct _ACTIVATION_CONTEXT_DATA* ActivationContextData;
  /*<thisrel this+0x300>*/ /*|0x8|*/ struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap;
  /*<thisrel this+0x308>*/ /*|0x8|*/ struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData;
  /*<thisrel this+0x310>*/ /*|0x8|*/ struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap;
  /*<thisrel this+0x318>*/ /*|0x8|*/ unsigned __int64 MinimumStackCommit;
  /*<thisrel this+0x320>*/ /*|0x8|*/ struct _FLS_CALLBACK_INFO* FlsCallback;
  /*<thisrel this+0x328>*/ /*|0x10|*/ struct _LIST_ENTRY FlsListHead;
  /*<thisrel this+0x338>*/ /*|0x8|*/ void* FlsBitmap;
  /*<thisrel this+0x340>*/ /*|0x10|*/ unsigned long FlsBitmapBits[4];
  /*<thisrel this+0x350>*/ /*|0x4|*/ unsigned long FlsHighIndex;
  /*<thisrel this+0x358>*/ /*|0x8|*/ void* WerRegistrationData;
  /*<thisrel this+0x360>*/ /*|0x8|*/ void* WerShipAssertPtr;
  /*<thisrel this+0x368>*/ /*|0x8|*/ void* pContextData;
  /*<thisrel this+0x370>*/ /*|0x8|*/ void* pImageHeaderHash;
  /*<thisrel this+0x378>*/ /*|0x4|*/ unsigned long TracingFlags;
  /*<bitfield this+0x378>*/ /*|0x4|*/ unsigned long HeapTracingEnabled:0:1;
  /*<bitfield this+0x378>*/ /*|0x4|*/ unsigned long CritSecTracingEnabled:1:1;
  /*<bitfield this+0x378>*/ /*|0x4|*/ unsigned long SpareTracingBits:2:1e;
};
// <size 0x380>
    


via pdbdump

-Fyyre

Overflowz wrote:
baldr
I think you don't understand me. I know everything but I don't know how people are counting where PPEB_LDR_DATA is. I'll write what I'm thinking.
this is PEB struct:
Code:
typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  BYTE                          Reserved4[104];
  PVOID                         Reserved5[52];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved6[128];
  PVOID                         Reserved7[1];
  ULONG                         SessionId;
} PEB, *PPEB;    

PPEB_LDR_DATA located at fs:0x30+0x0c.. WHY ? I'm counting like this:
BYTE Reserved[2] = 2 BYTE
BYTE BeingDebugged = 1 BYTE
BYTE Reserved2[1] = 1 BYTE
PVOID Reserved3[2] = 2 BYTE
PPEB_LDR_DATA = 2+1+1+2 = fs:0x30+6. How should I count I'm asking that. and when I am at PPEB_LDR_DATA, when adding like fs:0x30+0x0c+0x1c(InitOrderModuleList) why I'm not going next from PEB structure ? and how shoild I go in ProcessParameters ? I don't know how to write I'm speaking like idiot on English.. If someone will understand what I mean then reply.. Thank you.
Code:
    

_________________
Be well,

-Fyyre
http://fyyre.l2-fashion.de/
Post 12 Jan 2011, 19:41
View user's profile Send private message Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung 13 Jan 2011, 04:35
Overflowz
Quote:

I've wrote simple program without using user32.dll and shows messagebox

what is this :
Quote:

mov dword [ebp-16],0x72657375 ;user
mov dword [ebp-12],0x642e3233 ;32.d
mov word [ebp-8],0x6c6c ;ll
mov byte [ebp-6],0 ;null

Quote:

mov dword [ebp-16],0x7373654d ;Mess
mov dword [ebp-12],0x42656761 ;ageB
mov dword [ebp-8],0x0041786f ;oxA+null
mov byte [ebp-4],0 ;null

why you said 'without using user32.dll'

_________________
sorry for my english
Post 13 Jan 2011, 04:35
View user's profile Send private message Yahoo Messenger Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 13 Jan 2011, 11:31
MinhHung
Good question. I'm trying to load user32.dll from code not from main program. like, I'm trying to write shellcode things Smile
Post 13 Jan 2011, 11:31
View user's profile Send private message Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung 14 Jan 2011, 05:56
Quote:

Hmm.. I'll explain better now. I know sizes are BIT, BYTE, WORD, DWORD, QWORD etc etc.. I don't know what size is "PVOID" for example. Where I can get size of that things ? (Ex. PVOID, LPVOID, ULONG) Thank you.


All pointer it have 4 byte or 8 byte in size(4 byte for os32 bit, 8byte for os64 bit)
It only store address of memory it point to
ex:
if you have this struct
Code:
struct abc
{
     int a,b;
     char c,*d;
};
abc xxx;
    

xxx in your memory is(os 32bit):
Code:
[4byte int a][4byte int b][1byte char c]    

Code:
#include "stdio.h"
#include "conio.h"
struct abc 
{ 
     int a,b; 
     char c;
}; 
abc xxx;
int main()
{
       char *p=(char*)&xxx;
    *p=(int)1;       //xxx.a
    *(p+4)=(int)3; //xxx.b
      *(p+8)='A';     //xxx.c
   printf("%i %i %c",xxx.a,xxx.b,xxx.c);
     getch();
}    
Post 14 Jan 2011, 05:56
View user's profile Send private message Yahoo Messenger Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 18 Jan 2011, 11:03
MinhHung
I got it, thank you. =)
Post 18 Jan 2011, 11:03
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.