PEB(进程环境块)无效的 DllBase 地址 [英] PEB (Process Environment Block) invalid DllBase address

问题描述

我试图获得我自己的 PEB 并获得我自己的模块地址.我写了一个这样的简单代码:

I trying to get my own PEB and get my own module address. i wrote a simple code like this:

PLIST_ENTRY myModule = (PLIST_ENTRY)pebLdr->InMemoryOrderModuleList.Flink;

PLDR_DATA_TABLE_ENTRY myImageBase = (PLDR_DATA_TABLE_ENTRY)myModule;

PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)myImageBase->DllBase;

但是我在 dosHeader 中没有看到正确的 PE 标头.这是我在 dosHeader 变量中的 MSVC 调试器中看到的: e_magic=???,e_cblp=??? .为什么我不能得到我自己的标题?我检查了所有内容，我按照文档进行了所有操作，并且可以在 pData->FullDllName 中看到我的 exe 名称，一切似乎都是正确的，并且 DllBase 有意义它不是 null 或类似 ffffff 的东西.有什么具体需要做的事情吗，也许是地址计算?

But i dont see a proper PE header in dosHeader. This is what i see in the MSVC debugger in dosHeader variable : e_magic=???,e_cblp=??? . Why cant i get my own header? I checked everything, im doing everything as documented, and i can see my exe name in a pData->FullDllName, everything seem to be correct, and the DllBase makes sense its not null or anything like ffffff. Is there any specific thing need to bee done, maybe address calculation?

推荐答案

你做不到

PLDR_DATA_TABLE_ENTRY myImageBase = (PLDR_DATA_TABLE_ENTRY)myModule;

因为 InMemoryOrderLinks 不是 LDR_DATA_TABLE_ENTRY 中的第一个字段.相反，您应该使用 CONTAINING_RECORD() 宏:

since InMemoryOrderLinks is not the first field in LDR_DATA_TABLE_ENTRY. Instead you should involve CONTAINING_RECORD() macro:

PLIST_ENTRY le = (PLIST_ENTRY)pebLdr->InMemoryOrderModuleList.Flink;
PLDR_DATA_TABLE_ENTRY mainModule = CONTAINING_RECORD(le, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)mainModule->DllBase;

最重要的是:您可以自由地遍历 LIST_ENTRY 的双向链接循环列表并获取实际节点数据，您应该使用 CONTAINING_RECORD().请注意，驻留在 PEB_LDR_DATA 中的节点是专用的，没有关联数据.您应该仅将其用作您已经浏览过整个列表的标志.

To top it off: you can freely iterate through doubly-linked circular list of LIST_ENTRY'es and to obtain actual node data you should use CONTAINING_RECORD(). Note, that node which resides in PEB_LDR_DATA is dedicated and has no associated data. You should use it only as sign that you have walked through whole list.

这篇关于PEB(进程环境块)无效的 DllBase 地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！