PEB (Process Environment Block) invalid DllBase address
Question
I am trying to get my own PEB and get my own module address. I wrote a simple piece of code like this:
PLIST_ENTRY myModule = (PLIST_ENTRY)pebLdr->InMemoryOrderModuleList.Flink;
PLDR_DATA_TABLE_ENTRY myImageBase = (PLDR_DATA_TABLE_ENTRY)myModule;
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)myImageBase->DllBase;
But I don't see a proper PE header in dosHeader. This is what I see in the MSVC debugger in the dosHeader variable: e_magic=???, e_cblp=???. Why can't I get my own header? I checked everything, I'm doing everything as documented, and I can see my exe name in pData->FullDllName, everything seems to be correct, and the DllBase makes sense, it's not null or anything like ffffff. Is there any specific thing that needs to be done, maybe an address calculation?
Recommended answer
You cannot do
PLDR_DATA_TABLE_ENTRY myImageBase = (PLDR_DATA_TABLE_ENTRY)myModule;
since InMemoryOrderLinks is not the first field in LDR_DATA_TABLE_ENTRY. Instead you should use the CONTAINING_RECORD() macro:
PLIST_ENTRY le = (PLIST_ENTRY)pebLdr->InMemoryOrderModuleList.Flink;
PLDR_DATA_TABLE_ENTRY mainModule = CONTAINING_RECORD(le, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)mainModule->DllBase;
To top it off: you can freely iterate through the doubly-linked circular list of LIST_ENTRY's, and to obtain the actual node data you should use CONTAINING_RECORD(). Note that the node which resides in PEB_LDR_DATA is dedicated and has no associated data. You should use it only as a sign that you have walked through the whole list.
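As an added example (not code from the question or the answer): a portable C mock-up of the loader list that shows why the plain cast misses the record, and how a CONTAINING_RECORD walk that checks DllBase for the "MZ" signature and stops at the list head behaves. LIST_ENTRY and the macro are defined as on Windows; LDR_ENTRY, LDR_DATA, the helper functions and the sample entries are constructed stand-ins, not the real winternl.h layouts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same definition as the Windows CONTAINING_RECORD macro, written portably. */
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Constructed, trimmed stand-in for LDR_DATA_TABLE_ENTRY; as in the real one,
 * InMemoryOrderLinks is not the first field. */
typedef struct {
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks;
    void *DllBase;
    const char *BaseDllName;
} LDR_ENTRY;
/* Constructed stand-in for PEB_LDR_DATA: a bare list head with no record around it. */
typedef struct { LIST_ENTRY InMemoryOrderModuleList; } LDR_DATA;

static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}

/* Bytes by which the plain cast from the question misses the record start. */
size_t cast_error_bytes(void) { return offsetof(LDR_ENTRY, InMemoryOrderLinks); }

/* Walk the circular list as the answer describes: recover each record with
 * CONTAINING_RECORD, check DllBase for the "MZ" DOS signature, stop at the head. */
int count_valid_modules(LDR_DATA *ldr) {
    LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    int valid = 0;
    for (LIST_ENTRY *le = head->Flink; le != head; le = le->Flink) {
        LDR_ENTRY *mod = CONTAINING_RECORD(le, LDR_ENTRY, InMemoryOrderLinks);
        if (mod->DllBase && memcmp(mod->DllBase, "MZ", 2) == 0) valid++;
    }
    return valid;
}

/* Constructed sample list: three entries, the third pointing at a non-PE buffer. */
int demo(void) {
    static unsigned char img1[64] = "MZ", img2[64] = "MZ", junk[64] = "XX";
    static LDR_ENTRY mods[3] = { {{0}, {0}, img1, "main.exe"},
                                 {{0}, {0}, img2, "ntdll.dll"}, {{0}, {0}, junk, "bogus"} };
    static LDR_DATA ldr;
    ldr.InMemoryOrderModuleList.Flink = ldr.InMemoryOrderModuleList.Blink = &ldr.InMemoryOrderModuleList;
    for (int i = 0; i < 3; i++)
        list_append(&ldr.InMemoryOrderModuleList, &mods[i].InMemoryOrderLinks);
    return count_valid_modules(&ldr);   /* 2: the "XX" buffer is not a PE image */
}
```

On a 64-bit build cast_error_bytes() is 16, which is exactly why the question's cast lands in the middle of the record instead of at its start.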