Search This Blog

Friday, 29 August 2014

WinDbg : the !peb Command

WinDbg : !peb

The process environment block (PEB) is one of the most critical data structures used by Windows to track processes. The PEB is the user mode portion of MS Windows process control structures. 

Note: For a kernel dump PEB wont be available this is because PEB is in NTDLL and we need a full dump to view it.

Since PEB is a user mode context, using this command while debugging user mode processes by attaching through them would mean that PEB would point to the current process. However in kernel mode PEB would be pointing to the current execution context. Kernel mode threads do not always run in the context of any process, in such cases the !peb command would error out. We would then need to explicitly set the PEB to the right context by supplying the command with the address of the PEB.

My blog post here would help you understand how to set a process context.

The below output is for lsass.exe.

kd> !peb
PEB at 7ffda000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00d90000
    Ldr                       77c77880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00331718 . 003b81a8
    Ldr.InLoadOrderModuleList:           00331688 . 003b8198
    Ldr.InMemoryOrderModuleList:         00331690 . 003b81a0
            Base TimeStamp                     Module
          d90000 4a5bbf3e Jul 14 04:41:58 2009 C:\Windows\system32\lsass.exe
        77ba0000 4ce7b96e Nov 20 17:35:02 2010 C:\Windows\SYSTEM32\ntdll.dll
        76700000 4ce7b8ef Nov 20 17:32:55 2010 C:\Windows\system32\kernel32.dll
        75d70000 4ce7b8f0 Nov 20 17:32:56 2010 C:\Windows\system32\KERNELBASE.dll
        76a80000 4a5bda6f Jul 14 06:37:59 2009 C:\Windows\system32\msvcrt.dll
        76970000 4ce7b9a2 Nov 20 17:35:54 2010 C:\Windows\system32\RPCRT4.dll
        75b30000 4ce7891f Nov 20 14:08:55 2010 C:\Windows\system32\SspiSrv.dll
        75a30000 4ce7b86a Nov 20 17:30:42 2010 C:\Windows\system32\lsasrv.dll
        76950000 4a5bdb04 Jul 14 06:40:28 2009 C:\Windows\SYSTEM32\sechost.dll
        75bd0000 4ce7ba24 Nov 20 17:38:04 2010 C:\Windows\system32\SspiCli.dll
        77850000 4ce7b706 Nov 20 17:24:46 2010 C:\Windows\system32\ADVAPI32.dll
        778f0000 4ce7ba26 Nov 20 17:38:06 2010 C:\Windows\system32\USER32.dll
        76510000 4ce7b80a Nov 20 17:29:06 2010 C:\Windows\system32\GDI32.dll
        77ce0000 4a5bda19 Jul 14 06:36:33 2009 C:\Windows\system32\LPK.dll
        76b30000 4ce7ba29 Nov 20 17:38:09 2010 C:\Windows\system32\USP10.dll
        759a0000 4ce7b9a2 Nov 20 17:35:54 2010 C:\Windows\system32\SAMSRV.dll
        75980000 4a5bda3a Jul 14 06:37:06 2009 C:\Windows\system32\cryptdll.dll
        75d60000 4ce7b8c9 Nov 20 17:32:17 2010 C:\Windows\system32\MSASN1.dll
        75930000 4a5bdb2d Jul 14 06:41:09 2009 C:\Windows\system32\wevtapi.dll
        76000000 4ce7b845 Nov 20 17:30:05 2010 C:\Windows\system32\IMM32.DLL
        76880000 4a5bda69 Jul 14 06:37:53 2009 C:\Windows\system32\MSCTF.dll
        75920000 4a5bc425 Jul 14 05:02:53 2009 C:\Windows\system32\cngaudit.dll
        75900000 4a5bd98c Jul 14 06:34:12 2009 C:\Windows\system32\AUTHZ.dll
        758c0000 4a5bda79 Jul 14 06:38:09 2009 C:\Windows\system32\ncrypt.dll
        758a0000 4a5bd986 Jul 14 06:34:06 2009 C:\Windows\system32\bcrypt.dll
        75870000 4a5bda4d Jul 14 06:37:25 2009 C:\Windows\system32\msprivs.DLL
        75840000 4ce7b902 Nov 20 17:33:14 2010 C:\Windows\system32\netjoin.dll
        75820000 4a5bda82 Jul 14 06:38:18 2009 C:\Windows\system32\negoexts.DLL
        75bb0000 4ce7b9d1 Nov 20 17:36:41 2010 C:\Windows\system32\Secur32.dll
        75c40000 4a5bbf41 Jul 14 04:42:01 2009 C:\Windows\system32\cryptbase.dll
        75790000 4ce7b8ee Nov 20 17:32:54 2010 C:\Windows\system32\kerberos.DLL
        75770000 4a5bda3d Jul 14 06:37:09 2009 C:\Windows\system32\CRYPTSP.dll
        779c0000 4ce7ba68 Nov 20 17:39:12 2010 C:\Windows\system32\WS2_32.dll
        77dc0000 4a5bdad9 Jul 14 06:39:45 2009 C:\Windows\system32\NSI.dll
        75730000 4ce7b8e8 Nov 20 17:32:48 2010 C:\Windows\system32\mswsock.dll
        75720000 4a5bdb56 Jul 14 06:41:50 2009 C:\Windows\System32\wship6.dll
        756d0000 4ce7b8dc Nov 20 17:32:36 2010 C:\Windows\system32\msv1_0.DLL
        75640000 4ce7b903 Nov 20 17:33:15 2010 C:\Windows\system32\netlogon.DLL
        755f0000 4ce7b7e6 Nov 20 17:28:30 2010 C:\Windows\system32\DNSAPI.dll
        755c0000 4ce7b865 Nov 20 17:30:37 2010 C:\Windows\system32\logoncli.dll
        75580000 4ce7b9b0 Nov 20 17:36:08 2010 C:\Windows\system32\schannel.DLL
        75e10000 4ce7b841 Nov 20 17:30:01 2010 C:\Windows\system32\CRYPT32.dll
        75550000 4a5bdb29 Jul 14 06:41:05 2009 C:\Windows\system32\wdigest.DLL
        75510000 4a5bdae0 Jul 14 06:39:52 2009 C:\Windows\system32\rsaenh.dll
        754f0000 4ce7ba1e Nov 20 17:37:58 2010 C:\Windows\system32\tspkg.DLL
        754b0000 4a5bdaea Jul 14 06:40:02 2009 C:\Windows\system32\pku2u.DLL
        75470000 4a5bd987 Jul 14 06:34:07 2009 C:\Windows\system32\bcryptprimitives.dll
        75ce0000 4ce7992f Nov 20 15:17:27 2010 C:\Windows\system32\RpcRtRemote.dll
        75460000 4a5bc461 Jul 14 05:03:53 2009 C:\Windows\system32\efslsaext.dll
        753e0000 4ce7b9ad Nov 20 17:36:05 2010 C:\Windows\system32\scecli.DLL
        75440000 4ce7b83d Nov 20 17:29:57 2010 C:\Windows\system32\credssp.dll
        75cb0000 4ce7ba4e Nov 20 17:38:46 2010 C:\Windows\system32\WINSTA.dll
        73fb0000 4ce7b859 Nov 20 17:30:25 2010 C:\Windows\system32\IPHLPAPI.DLL
        73fa0000 4a5bdb43 Jul 14 06:41:31 2009 C:\Windows\system32\WINNSI.DLL
        74570000 4ce795a6 Nov 20 15:02:22 2010 C:\Windows\system32\netutils.dll
        75280000 4a5bdb5a Jul 14 06:41:54 2009 C:\Windows\System32\wshtcpip.dll
        75350000 4ce7ba28 Nov 20 17:38:08 2010 C:\Windows\system32\USERENV.dll
        75cf0000 4a5bbf41 Jul 14 04:42:01 2009 C:\Windows\system32\profapi.dll
        6fa60000 4ce7b781 Nov 20 17:26:49 2010 C:\Windows\system32\certpoleng.dll
        74560000 4ce795a7 Nov 20 15:02:23 2010 C:\Windows\system32\wkscli.dll
    SubSystemData:     00000000
    ProcessHeap:       00330000
    ProcessParameters: 00330f18
    CurrentDirectory:  'C:\Windows\system32\'
    WindowTitle:  'C:\Windows\system32\lsass.exe'
    ImageFile:    'C:\Windows\system32\lsass.exe'
    CommandLine:  'C:\Windows\system32\lsass.exe'
    DllPath:      'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
    Environment:  003307f0
        ALLUSERSPROFILE=C:\ProgramData
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=VM-OG3S62HCORJH
        ComSpec=C:\Windows\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        NUMBER_OF_PROCESSORS=1
        OS=Windows_NT
        Path=C:\Windows\System32
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 26 Stepping 5, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=1a05
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
        PUBLIC=C:\Users\Public
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\Windows\TEMP
        TMP=C:\Windows\TEMP
        USERNAME=SYSTEM
        USERPROFILE=C:\Windows\system32\config\systemprofile
        windir=C:\Windows
        windows_tracing_flags=3
        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

Now, lets try to get the PEB and type case it to the structure it represents. For he sake of example I have used the process explorer.exe here.

kd> !process 0 0 explorer.exe
PROCESS 8513fd40  SessionId: 1  Cid: 0138    Peb: 7ffda000  ParentCid: 07e0
    DirBase: 1eed3380  ObjectTable: 90d3d0d8  HandleCount: 845.
    Image: explorer.exe

kd> .process /p /r 8513fd40  
Implicit process is now 8513fd40
Loading User Symbols
................................................................
................................................................
...........


************* Symbol Loading Error Summary **************
Module name            Error
myfault                The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.

The address of the PEB is also available to us in a pseudo-register called $peb. We are going to use this for the following examples. We are also going to use the dt command, which is described in detail here.

kd> dt nt!_PEB @$peb
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 BitField         : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsLegacyProcess  : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 SpareBits        : 0y000
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x000e0000 Void
   +0x00c Ldr              : 0x77c77880 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00441128 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x00440000 Void
   +0x01c FastPebLock      : 0x77c77380 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null) 
   +0x024 IFEOKey          : (null) 
   +0x028 CrossProcessFlags : 0
   +0x028 ProcessInJob     : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH  : 0y0
   +0x028 ProcessUsingVCH  : 0y0
   +0x028 ProcessUsingFTH  : 0y0
   +0x028 ReservedBits0    : 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x7790d568 Void
   +0x02c UserSharedInfoPtr : 0x7790d568 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0x3245aa0
   +0x038 ApiSetMap        : 0x77de0000 Void
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x77c77260 Void
   +0x044 TlsBitmapBits    : [2] 0xffffffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
   +0x050 HotpatchInformation : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null) 
   +0x058 AnsiCodePageData : 0x7ffb0000 Void
   +0x05c OemCodePageData  : 0x7ffc0224 Void
   +0x060 UnicodeCaseTableData : 0x7ffd0648 Void
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 0xd
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77c77500  -> 0x00440000 Void
   +0x094 GdiSharedHandleTable : 0x00630000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x77c77340 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion   : 6
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0x1db1
   +0x0ae OSCSDVersion     : 0x100
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 6
   +0x0bc ImageSubsystemMinorVersion : 1
   +0x0c0 ActiveProcessAffinityMask : 1
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x77c77268 Void
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId        : 1
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING "Service Pack 1"
   +0x1f8 ActivationContextData : 0x00040000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : 0x004723b8 _ASSEMBLY_STORAGE_MAP
   +0x200 SystemDefaultActivationContextData : 0x00030000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : 0x004510b0 _ASSEMBLY_STORAGE_MAP
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback      : 0x00452af8 _FLS_CALLBACK_INFO
   +0x210 FlsListHead      : _LIST_ENTRY [ 0x4527e0 - 0x469d1c8 ]
   +0x218 FlsBitmap        : 0x77c77270 Void
   +0x21c FlsBitmapBits    : [4] 0xf
   +0x22c FlsHighIndex     : 3
   +0x230 WerRegistrationData : 0x018e0000 Void
   +0x234 WerShipAssertPtr : (null) 
   +0x238 pContextData     : 0x00050000 Void
   +0x23c pImageHeaderHash : (null) 
   +0x240 TracingFlags     : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0

   +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)


The output of dt command a lot more information that the !peb extension. Lets see if we can extract the actual environment variables from it. We have previously learnt how to use the dt command to expand substructures inside structures, in case you have missed that post, it can be found here.

kd> dt nt!_PEB @$peb -y Proc*
   +0x010 ProcessParameters : 0x00441128 _RTL_USER_PROCESS_PARAMETERS
   +0x018 ProcessHeap : 0x00440000 Void
   +0x028 ProcessInJob : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH : 0y0
   +0x028 ProcessUsingVCH : 0y0
   +0x028 ProcessUsingFTH : 0y0
   +0x090 ProcessHeaps : 0x77c77500  -> 0x00440000 Void
   +0x098 ProcessStarterHelper : (null) 

   +0x1fc ProcessAssemblyStorageMap : 0x004723b8 _ASSEMBLY_STORAGE_MAP

The ProcessParameters is the structure that is of interest to us. So lets dereference it to see that is contains.

kd> dt nt!_PEB @$peb ProcessParameters->*
   +0x010 ProcessParameters   : 
      +0x000 MaximumLength       : 0x6c4
      +0x004 Length              : 0x6c4
      +0x008 Flags               : 0x6001
      +0x00c DebugFlags          : 0
      +0x010 ConsoleHandle       : (null) 
      +0x014 ConsoleFlags        : 0
      +0x018 StandardInput       : (null) 
      +0x01c StandardOutput      : (null) 
      +0x020 StandardError       : (null) 
      +0x024 CurrentDirectory    : _CURDIR
      +0x030 DllPath             : _UNICODE_STRING "C:\Windows;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\"
      +0x038 ImagePathName       : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x040 CommandLine         : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x048 Environment         : 0x00500c18 Void
      +0x04c StartingX           : 0
      +0x050 StartingY           : 0
      +0x054 CountX              : 0
      +0x058 CountY              : 0
      +0x05c CountCharsX         : 0
      +0x060 CountCharsY         : 0x409
      +0x064 FillAttribute       : 0x440000
      +0x068 WindowFlags         : 1
      +0x06c ShowWindowFlags     : 1
      +0x070 WindowTitle         : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x078 DesktopInfo         : _UNICODE_STRING "Winsta0\Default"
      +0x080 ShellInfo           : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x088 RuntimeData         : _UNICODE_STRING ""
      +0x090 CurrentDirectores   : [32] _RTL_DRIVE_LETTER_CURDIR
      +0x290 EnvironmentSize     : 0x93c

      +0x294 EnvironmentVersion  : 0x13

Other fields are also of interest. For example the Processheap and ProcessHeaps fields. These are discussed in detail in the post about process heaps.


No comments:

Post a comment