📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Needed updated PEB Information, please

Topic created on: December 27, 2007 23:19 CST by VLaaD.

I have two different versions of the PEB structure definition (Microsoft's version is useless), one from the French Reverse Engineering Team and the second from ntinternals; however, something is fishy - regardless of the OS - after NtGlobalFlag (offset 0x68; I drew this conclusion by examining some should-be-obvious values, like ProcessHeaps and PostProcessInitRoutine, where I'm getting 100% non-pointer values). Is there some good soul who would share the info?

  Kasperle   December 28, 2007 09:54.05 CST
I found WinDbg to be pretty helpful for this kind of stuff. This is Windows XP SP2, English:

lkd> dt _PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 SpareBool        : UChar
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : Ptr32 Void
   +0x018 ProcessHeap      : Ptr32 Void
   +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : Ptr32 Void
   +0x024 FastPebUnlockRoutine : Ptr32 Void
   +0x028 EnvironmentUpdateCount : Uint4B
   +0x02c KernelCallbackTable : Ptr32 Void
   +0x030 SystemReserved   : [1] Uint4B
   +0x034 AtlThunkSListPtr32 : Uint4B
   +0x038 FreeList         : Ptr32 _PEB_FREE_BLOCK
   +0x03c TlsExpansionCounter : Uint4B
   +0x040 TlsBitmap        : Ptr32 Void
   +0x044 TlsBitmapBits    : [2] Uint4B
   +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
   +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
   +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
   +0x058 AnsiCodePageData : Ptr32 Void
   +0x05c OemCodePageData  : Ptr32 Void
   +0x060 UnicodeCaseTableData : Ptr32 Void
   +0x064 NumberOfProcessors : Uint4B
   +0x068 NtGlobalFlag     : Uint4B
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
   +0x078 HeapSegmentReserve : Uint4B
   +0x07c HeapSegmentCommit : Uint4B
   +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
   +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
   +0x088 NumberOfHeaps    : Uint4B
   +0x08c MaximumNumberOfHeaps : Uint4B
   +0x090 ProcessHeaps     : Ptr32 Ptr32 Void
   +0x094 GdiSharedHandleTable : Ptr32 Void
   +0x098 ProcessStarterHelper : Ptr32 Void
   +0x09c GdiDCAttributeList : Uint4B
   +0x0a0 LoaderLock       : Ptr32 Void
   +0x0a4 OSMajorVersion   : Uint4B
   +0x0a8 OSMinorVersion   : Uint4B
   +0x0ac OSBuildNumber    : Uint2B
   +0x0ae OSCSDVersion     : Uint2B
   +0x0b0 OSPlatformId     : Uint4B
   +0x0b4 ImageSubsystem   : Uint4B
   +0x0b8 ImageSubsystemMajorVersion : Uint4B
   +0x0bc ImageSubsystemMinorVersion : Uint4B
   +0x0c0 ImageProcessAffinityMask : Uint4B
   +0x0c4 GdiHandleBuffer  : [34] Uint4B
   +0x14c PostProcessInitRoutine : Ptr32    
   +0x150 TlsExpansionBitmap : Ptr32 Void
   +0x154 TlsExpansionBitmapBits : [32] Uint4B
   +0x1d4 SessionId        : Uint4B
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x1e8 pShimData        : Ptr32 Void
   +0x1ec AppCompatInfo    : Ptr32 Void
   +0x1f0 CSDVersion       : _UNICODE_STRING
   +0x1f8 ActivationContextData : Ptr32 Void
   +0x1fc ProcessAssemblyStorageMap : Ptr32 Void
   +0x200 SystemDefaultActivationContextData : Ptr32 Void
   +0x204 SystemAssemblyStorageMap : Ptr32 Void
   +0x208 MinimumStackCommit : Uint4B
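
An added example, not from either poster: it re-types Kasperle's XP SP2 listing as a C struct (Ptr32 and Uint4B collapsed to uint32_t, the typedef and function names being hypothetical) and checks the offsets against the listing. It also shows one plausible cause of VLaaD's non-pointer readings, assumed here rather than established by the thread: a definition that drops the 4 bytes of alignment padding between NtGlobalFlag (0x68) and CriticalSectionTimeout (0x70).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical re-typing of the 32-bit XP SP2 _PEB from the WinDbg listing above
 * (Ptr32/Uint4B -> uint32_t) so the layout can be checked on any host. */
typedef struct {
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, SpareBool;     /* 0x000 */
    uint32_t Mutant, ImageBaseAddress, Ldr, ProcessParameters, SubSystemData, ProcessHeap,  /* 0x004 */
             FastPebLock, FastPebLockRoutine, FastPebUnlockRoutine, EnvironmentUpdateCount, /* 0x01c */
             KernelCallbackTable, SystemReserved[1], AtlThunkSListPtr32, FreeList,          /* 0x02c */
             TlsExpansionCounter, TlsBitmap, TlsBitmapBits[2],                              /* 0x03c */
             ReadOnlySharedMemoryBase, ReadOnlySharedMemoryHeap, ReadOnlyStaticServerData,  /* 0x04c */
             AnsiCodePageData, OemCodePageData, UnicodeCaseTableData, NumberOfProcessors,   /* 0x058 */
             NtGlobalFlag;                                                                  /* 0x068 */
    /* 4 bytes of padding land at 0x06c because _LARGE_INTEGER is 8-byte aligned; a packed
     * definition loses them and every later field is read 4 bytes too early. */
    _Alignas(8) int64_t CriticalSectionTimeout;                                             /* 0x070 */
    uint32_t HeapSegmentReserve, HeapSegmentCommit, HeapDeCommitTotalFreeThreshold,         /* 0x078 */
             HeapDeCommitFreeBlockThreshold, NumberOfHeaps, MaximumNumberOfHeaps,           /* 0x084 */
             ProcessHeaps, GdiSharedHandleTable, ProcessStarterHelper, GdiDCAttributeList,  /* 0x090 */
             LoaderLock, OSMajorVersion, OSMinorVersion;                                    /* 0x0a0 */
    uint16_t OSBuildNumber, OSCSDVersion;                                                   /* 0x0ac */
    uint32_t OSPlatformId, ImageSubsystem, ImageSubsystemMajorVersion,                      /* 0x0b0 */
             ImageSubsystemMinorVersion, ImageProcessAffinityMask, GdiHandleBuffer[34],     /* 0x0bc */
             PostProcessInitRoutine, TlsExpansionBitmap, TlsExpansionBitmapBits[32],        /* 0x14c */
             SessionId;                                                                     /* 0x1d4 */
    _Alignas(8) uint64_t AppCompatFlags, AppCompatFlagsUser;                                /* 0x1d8 */
    uint32_t pShimData, AppCompatInfo;                                                      /* 0x1e8 */
    struct { uint16_t Length, MaximumLength; uint32_t Buffer; } CSDVersion;                 /* 0x1f0 */
    uint32_t ActivationContextData, ProcessAssemblyStorageMap,                              /* 0x1f8 */
             SystemDefaultActivationContextData, SystemAssemblyStorageMap, MinimumStackCommit;
} PEB32_XPSP2;

/* Do the key offsets (and the 0x210 total size) agree with the WinDbg listing? */
int xp_sp2_layout_matches(void) {
    return offsetof(PEB32_XPSP2, NtGlobalFlag) == 0x068 && offsetof(PEB32_XPSP2, CriticalSectionTimeout) == 0x070
        && offsetof(PEB32_XPSP2, ProcessHeaps) == 0x090 && offsetof(PEB32_XPSP2, PostProcessInitRoutine) == 0x14c
        && offsetof(PEB32_XPSP2, CSDVersion) == 0x1f0 && sizeof(PEB32_XPSP2) == 0x210;
}

/* What a definition lacking the 0x06c padding reads where it believes ProcessHeaps is:
 * 4 bytes early, i.e. MaximumNumberOfHeaps (0x10 in the dump), a count rather than a pointer. */
uint32_t process_heaps_seen_by_unpadded_def(void) {
    PEB32_XPSP2 peb = {0}; uint32_t v;
    peb.MaximumNumberOfHeaps = 0x10; peb.ProcessHeaps = 0x7c97de80;   /* constructed from the dump values */
    memcpy(&v, (uint8_t *)&peb + offsetof(PEB32_XPSP2, ProcessHeaps) - 4, sizeof v);
    return v;   /* 0x10 */
}
```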

  anonymouse     December 28, 2007 10:13.11 CST
Kasperle won the race :)
Well, you can't beat WinDbg for documented MS structures,
and sometimes undocumented ones as well.


0:000> dt -r3 ntdll!_peb 7ffde000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff
   +0x008 ImageBaseAddress : 0x01000000
   +0x00c Ldr              : 0x00191ea0 _PEB_LDR_DATA
      +0x000 Length           : 0x28
      +0x004 Initialized      : 0x1 ''
      +0x008 SsHandle         : (null)
      +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x191ee0 - 0x192a58 ]
         +0x000 Flink            : 0x00191ee0 _LIST_ENTRY [ 0x191f48 - 0x191eac ]
            +0x000 Flink            : 0x00191f48 _LIST_ENTRY [ 0x192010 - 0x191ee0 ]
            +0x004 Blink            : 0x00191eac _LIST_ENTRY [ 0x191ee0 - 0x192a58 ]
         +0x004 Blink            : 0x00192a58 _LIST_ENTRY [ 0x191eac - 0x1929a0 ]
            +0x000 Flink            : 0x00191eac _LIST_ENTRY [ 0x191ee0 - 0x192a58 ]
            +0x004 Blink            : 0x001929a0 _LIST_ENTRY [ 0x192a58 - 0x192838 ]
      +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x191ee8 - 0x192a60 ]
         +0x000 Flink            : 0x00191ee8 _LIST_ENTRY [ 0x191f50 - 0x191eb4 ]
            +0x000 Flink            : 0x00191f50 _LIST_ENTRY [ 0x192018 - 0x191ee8 ]
            +0x004 Blink            : 0x00191eb4 _LIST_ENTRY [ 0x191ee8 - 0x192a60 ]
         +0x004 Blink            : 0x00192a60 _LIST_ENTRY [ 0x191eb4 - 0x1929a8 ]
            +0x000 Flink            : 0x00191eb4 _LIST_ENTRY [ 0x191ee8 - 0x192a60 ]
            +0x004 Blink            : 0x001929a8 _LIST_ENTRY [ 0x192a60 - 0x192840 ]
      +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x191f58 - 0x192a68 ]
         +0x000 Flink            : 0x00191f58 _LIST_ENTRY [ 0x192020 - 0x191ebc ]
            +0x000 Flink            : 0x00192020 _LIST_ENTRY [ 0x1921a8 - 0x191f58 ]
            +0x004 Blink            : 0x00191ebc _LIST_ENTRY [ 0x191f58 - 0x192a68 ]
         +0x004 Blink            : 0x00192a68 _LIST_ENTRY [ 0x191ebc - 0x1929b0 ]
            +0x000 Flink            : 0x00191ebc _LIST_ENTRY [ 0x191f58 - 0x192a68 ]
            +0x004 Blink            : 0x001929b0 _LIST_ENTRY [ 0x192a68 - 0x192788 ]
      +0x024 EntryInProgress  : (null)
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
      +0x000 MaximumLength    : 0x1000
      +0x004 Length           : 0x65c
      +0x008 Flags            : 0x2001
      +0x00c DebugFlags       : 0
      +0x010 ConsoleHandle    : (null)
      +0x014 ConsoleFlags     : 0
      +0x018 StandardInput    : 0x00000003
      +0x01c StandardOutput   : 0x00000007
      +0x020 StandardError    : 0x0000000b
      +0x024 CurrentDirectory : _CURDIR
         +0x000 DosPath          : _UNICODE_STRING "E:\windbg\"
            +0x000 Length           : 0x14
            +0x002 MaximumLength    : 0x208
            +0x004 Buffer           : 0x00020290  "E:\windbg\"
         +0x008 Handle           : 0x0000000d
      +0x030 DllPath          : _UNICODE_STRING "E:\windbg;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;E:\windbg\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
         +0x000 Length           : 0x118
         +0x002 MaximumLength    : 0x11a
         +0x004 Buffer           : 0x00020498  "E:\windbg;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;E:\windbg\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
      +0x038 ImagePathName    : _UNICODE_STRING "E:\windbg\windbg.exe"
         +0x000 Length           : 0x28
         +0x002 MaximumLength    : 0x2a
         +0x004 Buffer           : 0x000205b4  "E:\windbg\windbg.exe"
      +0x040 CommandLine      : _UNICODE_STRING "E:\windbg\windbg.exe"
         +0x000 Length           : 0x28
         +0x002 MaximumLength    : 0x2a
         +0x004 Buffer           : 0x000205e0  "E:\windbg\windbg.exe"
      +0x048 Environment      : 0x00010000
      +0x04c StartingX        : 0
      +0x050 StartingY        : 0
      +0x054 CountX           : 0
      +0x058 CountY           : 0
      +0x05c CountCharsX      : 0
      +0x060 CountCharsY      : 0
      +0x064 FillAttribute    : 0
      +0x068 WindowFlags      : 0
      +0x06c ShowWindowFlags  : 0
      +0x070 WindowTitle      : _UNICODE_STRING "E:\windbg\windbg.exe"
         +0x000 Length           : 0x28
         +0x002 MaximumLength    : 0x2a
         +0x004 Buffer           : 0x0002060c  "E:\windbg\windbg.exe"
      +0x078 DesktopInfo      : _UNICODE_STRING "WinSta0\Default"
         +0x000 Length           : 0x1e
         +0x002 MaximumLength    : 0x20
         +0x004 Buffer           : 0x00020638  "WinSta0\Default"
      +0x080 ShellInfo        : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 2
         +0x004 Buffer           : 0x00020658  ""
      +0x088 RuntimeData      : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 0
         +0x004 Buffer           : (null)
      +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
         +0x000 Flags            : 0
         +0x002 Length           : 0
         +0x004 TimeStamp        : 0
         +0x008 DosPath          : _STRING ""
            +0x000 Length           : 0
            +0x002 MaximumLength    : 0
            +0x004 Buffer           : (null)
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x00090000
   +0x01c FastPebLock      : 0x7c97e4c0 _RTL_CRITICAL_SECTION
      +0x000 DebugInfo        : 0x7c97c460 _RTL_CRITICAL_SECTION_DEBUG
         +0x000 Type             : 0
         +0x002 CreatorBackTraceIndex : 0
         +0x004 CriticalSection  : 0x7c97e4c0 _RTL_CRITICAL_SECTION
            +0x000 DebugInfo        : 0x7c97c460 _RTL_CRITICAL_SECTION_DEBUG
            +0x004 LockCount        : -1
            +0x008 RecursionCount   : 0
            +0x00c OwningThread     : (null)
            +0x010 LockSemaphore    : (null)
            +0x014 SpinCount        : 0
         +0x008 ProcessLocksList : _LIST_ENTRY [ 0x7c97c488 - 0x7c97c108 ]
            +0x000 Flink            : 0x7c97c488 _LIST_ENTRY [ 0x7c97c4a8 - 0x7c97c468 ]
            +0x004 Blink            : 0x7c97c108 _LIST_ENTRY [ 0x7c97c468 - 0x7c97c448 ]
         +0x010 EntryCount       : 0
         +0x014 ContentionCount  : 0
         +0x018 Spare            : [2] 0
      +0x004 LockCount        : -1
      +0x008 RecursionCount   : 0
      +0x00c OwningThread     : (null)
      +0x010 LockSemaphore    : (null)
      +0x014 SpinCount        : 0
   +0x020 FastPebLockRoutine : 0x7c901005
   +0x024 FastPebUnlockRoutine : 0x7c9010ed
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : (null)
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 FreeList         : (null)
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x7c97e480
   +0x044 TlsBitmapBits    : [2] 1
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000
   +0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000
   +0x054 ReadOnlyStaticServerData : 0x7f6f0688  -> (null)
   +0x058 AnsiCodePageData : 0x7ffb0000
   +0x05c OemCodePageData  : 0x7ffc1000
   +0x060 UnicodeCaseTableData : 0x7ffd2000
   +0x064 NumberOfProcessors : 2
   +0x068 NtGlobalFlag     : 0x70
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
      +0x000 LowPart          : 0x79b8000
      +0x004 HighPart         : -6035
      +0x000 u                : __unnamed
         +0x000 LowPart          : 0x79b8000
         +0x004 HighPart         : -6035
      +0x000 QuadPart         : -25920000000000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 3
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x7c97de80  -> 0x00090000
   +0x094 GdiSharedHandleTable : (null)
   +0x098 ProcessStarterHelper : (null)
   +0x09c GdiDCAttributeList : 0
   +0x0a0 LoaderLock       : 0x7c97c0d8
   +0x0a4 OSMajorVersion   : 5
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0xa28
   +0x0ae OSCSDVersion     : 0x200
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 4
   +0x0bc ImageSubsystemMinorVersion : 0
   +0x0c0 ImageProcessAffinityMask : 0
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null)
   +0x150 TlsExpansionBitmap : 0x7c97e478
   +0x154 TlsExpansionBitmapBits : [32] 0
   +0x1d4 SessionId        : 0
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
      +0x000 LowPart          : 0
      +0x004 HighPart         : 0
      +0x000 u                : __unnamed
         +0x000 LowPart          : 0
         +0x004 HighPart         : 0
      +0x000 QuadPart         : 0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
      +0x000 LowPart          : 0
      +0x004 HighPart         : 0
      +0x000 u                : __unnamed
         +0x000 LowPart          : 0
         +0x004 HighPart         : 0
      +0x000 QuadPart         : 0
   +0x1e8 pShimData        : (null)
   +0x1ec AppCompatInfo    : (null)
   +0x1f0 CSDVersion       : _UNICODE_STRING "Service Pack 2"
      +0x000 Length           : 0x1c
      +0x002 MaximumLength    : 0x1e
      +0x004 Buffer           : 0x7f6f06c2  "Service Pack 2"
   +0x1f8 ActivationContextData : 0x00080000
   +0x1fc ProcessAssemblyStorageMap : 0x000929b8
   +0x200 SystemDefaultActivationContextData : 0x00070000
   +0x204 SystemAssemblyStorageMap : (null)
   +0x208 MinimumStackCommit : 0

  VLaaD     December 28, 2007 10:29.06 CST
Thanks guys :)

I'm trying to force myself to actually use it, but I'm a pretty heavy SoftICE addict (regarding the AMD "EcoSystem", we'll soon be blessed by an x64 version of it :)

Thanks again!

  MohammadHosein     December 28, 2007 10:42.20 CST
Excuse me for the OT, but an x64 version of what? SoftICE is dead.

  VLaaD     December 30, 2007 07:54.44 CST
> MohammadHosein: Excuse me for the OT, but an x64 version of what? SoftICE is dead.

Hey, don't shoot the MSN :)
I didn't know that DevPartner64 even existed :( It seems that they'll just update the existing suite. I've read the news on developer.amd.com.

  smidgeonsoft     December 30, 2007 10:42.23 CST
The structure descriptions (and many other important ones) are also buried in the debug symbols for NTDLL, NTOSKRNL, and WIN32K.SYS, presumably to facilitate kernel debugging.

  Sirmabus     January 1, 2008 09:56.02 CST
Check out "LiveKd v3.0":
http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx

  YoLeJedi     January 17, 2008 07:40.40 CST
Hello,

I developed a tool which allows you to obtain the structures defined in the symbols.
This should help you obtain the exact structures for your version of the OS.
http://www.openrce.org/blog/view/1007/Symbol_Type_Viewer_32Bit/64Bit_v1.0.0.2_beta

Moreover, you will be able to take part in the beta test ;)

Thanks,
Lionel
