WinDbg : !peb
The process environment block (PEB) is one of the most critical data structures used by Windows to track processes. The PEB is the user mode portion of MS Windows process control structures.
Note: For a kernel dump the PEB won't be available; this is because the PEB lives in NTDLL (user-mode memory) and a full dump is needed to view it.
Since the PEB is a user-mode context, using this command while debugging a user-mode process you have attached to means the PEB will point to the current process. In kernel mode, however, the PEB points to the current execution context. Kernel-mode threads do not always run in the context of a process, and in such cases the !peb command will error out. We then need to explicitly point the command at the right context by supplying it with the address of the PEB.
My blog post here explains how to set a process context.
The below output is for lsass.exe.
kd> !peb
PEB at 7ffda000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00d90000
Ldr 77c77880
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00331718 . 003b81a8
Ldr.InLoadOrderModuleList: 00331688 . 003b8198
Ldr.InMemoryOrderModuleList: 00331690 . 003b81a0
Base TimeStamp Module
d90000 4a5bbf3e Jul 14 04:41:58 2009 C:\Windows\system32\lsass.exe
77ba0000 4ce7b96e Nov 20 17:35:02 2010 C:\Windows\SYSTEM32\ntdll.dll
76700000 4ce7b8ef Nov 20 17:32:55 2010 C:\Windows\system32\kernel32.dll
75d70000 4ce7b8f0 Nov 20 17:32:56 2010 C:\Windows\system32\KERNELBASE.dll
76a80000 4a5bda6f Jul 14 06:37:59 2009 C:\Windows\system32\msvcrt.dll
76970000 4ce7b9a2 Nov 20 17:35:54 2010 C:\Windows\system32\RPCRT4.dll
75b30000 4ce7891f Nov 20 14:08:55 2010 C:\Windows\system32\SspiSrv.dll
75a30000 4ce7b86a Nov 20 17:30:42 2010 C:\Windows\system32\lsasrv.dll
76950000 4a5bdb04 Jul 14 06:40:28 2009 C:\Windows\SYSTEM32\sechost.dll
75bd0000 4ce7ba24 Nov 20 17:38:04 2010 C:\Windows\system32\SspiCli.dll
77850000 4ce7b706 Nov 20 17:24:46 2010 C:\Windows\system32\ADVAPI32.dll
778f0000 4ce7ba26 Nov 20 17:38:06 2010 C:\Windows\system32\USER32.dll
76510000 4ce7b80a Nov 20 17:29:06 2010 C:\Windows\system32\GDI32.dll
77ce0000 4a5bda19 Jul 14 06:36:33 2009 C:\Windows\system32\LPK.dll
76b30000 4ce7ba29 Nov 20 17:38:09 2010 C:\Windows\system32\USP10.dll
759a0000 4ce7b9a2 Nov 20 17:35:54 2010 C:\Windows\system32\SAMSRV.dll
75980000 4a5bda3a Jul 14 06:37:06 2009 C:\Windows\system32\cryptdll.dll
75d60000 4ce7b8c9 Nov 20 17:32:17 2010 C:\Windows\system32\MSASN1.dll
75930000 4a5bdb2d Jul 14 06:41:09 2009 C:\Windows\system32\wevtapi.dll
76000000 4ce7b845 Nov 20 17:30:05 2010 C:\Windows\system32\IMM32.DLL
76880000 4a5bda69 Jul 14 06:37:53 2009 C:\Windows\system32\MSCTF.dll
75920000 4a5bc425 Jul 14 05:02:53 2009 C:\Windows\system32\cngaudit.dll
75900000 4a5bd98c Jul 14 06:34:12 2009 C:\Windows\system32\AUTHZ.dll
758c0000 4a5bda79 Jul 14 06:38:09 2009 C:\Windows\system32\ncrypt.dll
758a0000 4a5bd986 Jul 14 06:34:06 2009 C:\Windows\system32\bcrypt.dll
75870000 4a5bda4d Jul 14 06:37:25 2009 C:\Windows\system32\msprivs.DLL
75840000 4ce7b902 Nov 20 17:33:14 2010 C:\Windows\system32\netjoin.dll
75820000 4a5bda82 Jul 14 06:38:18 2009 C:\Windows\system32\negoexts.DLL
75bb0000 4ce7b9d1 Nov 20 17:36:41 2010 C:\Windows\system32\Secur32.dll
75c40000 4a5bbf41 Jul 14 04:42:01 2009 C:\Windows\system32\cryptbase.dll
75790000 4ce7b8ee Nov 20 17:32:54 2010 C:\Windows\system32\kerberos.DLL
75770000 4a5bda3d Jul 14 06:37:09 2009 C:\Windows\system32\CRYPTSP.dll
779c0000 4ce7ba68 Nov 20 17:39:12 2010 C:\Windows\system32\WS2_32.dll
77dc0000 4a5bdad9 Jul 14 06:39:45 2009 C:\Windows\system32\NSI.dll
75730000 4ce7b8e8 Nov 20 17:32:48 2010 C:\Windows\system32\mswsock.dll
75720000 4a5bdb56 Jul 14 06:41:50 2009 C:\Windows\System32\wship6.dll
756d0000 4ce7b8dc Nov 20 17:32:36 2010 C:\Windows\system32\msv1_0.DLL
75640000 4ce7b903 Nov 20 17:33:15 2010 C:\Windows\system32\netlogon.DLL
755f0000 4ce7b7e6 Nov 20 17:28:30 2010 C:\Windows\system32\DNSAPI.dll
755c0000 4ce7b865 Nov 20 17:30:37 2010 C:\Windows\system32\logoncli.dll
75580000 4ce7b9b0 Nov 20 17:36:08 2010 C:\Windows\system32\schannel.DLL
75e10000 4ce7b841 Nov 20 17:30:01 2010 C:\Windows\system32\CRYPT32.dll
75550000 4a5bdb29 Jul 14 06:41:05 2009 C:\Windows\system32\wdigest.DLL
75510000 4a5bdae0 Jul 14 06:39:52 2009 C:\Windows\system32\rsaenh.dll
754f0000 4ce7ba1e Nov 20 17:37:58 2010 C:\Windows\system32\tspkg.DLL
754b0000 4a5bdaea Jul 14 06:40:02 2009 C:\Windows\system32\pku2u.DLL
75470000 4a5bd987 Jul 14 06:34:07 2009 C:\Windows\system32\bcryptprimitives.dll
75ce0000 4ce7992f Nov 20 15:17:27 2010 C:\Windows\system32\RpcRtRemote.dll
75460000 4a5bc461 Jul 14 05:03:53 2009 C:\Windows\system32\efslsaext.dll
753e0000 4ce7b9ad Nov 20 17:36:05 2010 C:\Windows\system32\scecli.DLL
75440000 4ce7b83d Nov 20 17:29:57 2010 C:\Windows\system32\credssp.dll
75cb0000 4ce7ba4e Nov 20 17:38:46 2010 C:\Windows\system32\WINSTA.dll
73fb0000 4ce7b859 Nov 20 17:30:25 2010 C:\Windows\system32\IPHLPAPI.DLL
73fa0000 4a5bdb43 Jul 14 06:41:31 2009 C:\Windows\system32\WINNSI.DLL
74570000 4ce795a6 Nov 20 15:02:22 2010 C:\Windows\system32\netutils.dll
75280000 4a5bdb5a Jul 14 06:41:54 2009 C:\Windows\System32\wshtcpip.dll
75350000 4ce7ba28 Nov 20 17:38:08 2010 C:\Windows\system32\USERENV.dll
75cf0000 4a5bbf41 Jul 14 04:42:01 2009 C:\Windows\system32\profapi.dll
6fa60000 4ce7b781 Nov 20 17:26:49 2010 C:\Windows\system32\certpoleng.dll
74560000 4ce795a7 Nov 20 15:02:23 2010 C:\Windows\system32\wkscli.dll
SubSystemData: 00000000
ProcessHeap: 00330000
ProcessParameters: 00330f18
CurrentDirectory: 'C:\Windows\system32\'
WindowTitle: 'C:\Windows\system32\lsass.exe'
ImageFile: 'C:\Windows\system32\lsass.exe'
CommandLine: 'C:\Windows\system32\lsass.exe'
DllPath: 'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
Environment: 003307f0
ALLUSERSPROFILE=C:\ProgramData
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VM-OG3S62HCORJH
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\System32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 26 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1a05
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
USERNAME=SYSTEM
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
Now, let's get the PEB and type-cast it to the structure it represents. For the sake of example I have used the process explorer.exe here.
kd> !process 0 0 explorer.exe
PROCESS 8513fd40 SessionId: 1 Cid: 0138 Peb: 7ffda000 ParentCid: 07e0
DirBase: 1eed3380 ObjectTable: 90d3d0d8 HandleCount: 845.
Image: explorer.exe
kd> .process /p /r 8513fd40
Implicit process is now 8513fd40
Loading User Symbols
................................................................
................................................................
...........
************* Symbol Loading Error Summary **************
Module name Error
myfault The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
The address of the PEB is also available to us in a pseudo-register called $peb, which we will use for the following examples. We will also use the dt command, which is described in detail here.
kd> dt nt!_PEB @$peb
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 BitField : 0x8 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsLegacyProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 SpareBits : 0y000
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x000e0000 Void
+0x00c Ldr : 0x77c77880 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x00441128 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00440000 Void
+0x01c FastPebLock : 0x77c77380 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 0
+0x028 ProcessInJob : 0y0
+0x028 ProcessInitializing : 0y0
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ReservedBits0 : 0y000000000000000000000000000 (0)
+0x02c KernelCallbackTable : 0x7790d568 Void
+0x02c UserSharedInfoPtr : 0x7790d568 Void
+0x030 SystemReserved : [1] 0
+0x034 AtlThunkSListPtr32 : 0x3245aa0
+0x038 ApiSetMap : 0x77de0000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x77c77260 Void
+0x044 TlsBitmapBits : [2] 0xffffffff
+0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
+0x050 HotpatchInformation : (null)
+0x054 ReadOnlyStaticServerData : 0x7f6f0590 -> (null)
+0x058 AnsiCodePageData : 0x7ffb0000 Void
+0x05c OemCodePageData : 0x7ffc0224 Void
+0x060 UnicodeCaseTableData : 0x7ffd0648 Void
+0x064 NumberOfProcessors : 1
+0x068 NtGlobalFlag : 0
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 0xd
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x77c77500 -> 0x00440000 Void
+0x094 GdiSharedHandleTable : 0x00630000 Void
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0x14
+0x0a0 LoaderLock : 0x77c77340 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : 6
+0x0a8 OSMinorVersion : 1
+0x0ac OSBuildNumber : 0x1db1
+0x0ae OSCSDVersion : 0x100
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 6
+0x0bc ImageSubsystemMinorVersion : 1
+0x0c0 ActiveProcessAffinityMask : 1
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x77c77268 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : (null)
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING "Service Pack 1"
+0x1f8 ActivationContextData : 0x00040000 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : 0x004723b8 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : 0x00030000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : 0x004510b0 _ASSEMBLY_STORAGE_MAP
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : 0x00452af8 _FLS_CALLBACK_INFO
+0x210 FlsListHead : _LIST_ENTRY [ 0x4527e0 - 0x469d1c8 ]
+0x218 FlsBitmap : 0x77c77270 Void
+0x21c FlsBitmapBits : [4] 0xf
+0x22c FlsHighIndex : 3
+0x230 WerRegistrationData : 0x018e0000 Void
+0x234 WerShipAssertPtr : (null)
+0x238 pContextData : 0x00050000 Void
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)
The output of the dt command shows a lot more information than the !peb extension. Let's see if we can extract the actual environment variables from it. We have previously learnt how to use the dt command to expand substructures inside structures; in case you missed that post, it can be found here.
kd> dt nt!_PEB @$peb -y Proc*
+0x010 ProcessParameters : 0x00441128 _RTL_USER_PROCESS_PARAMETERS
+0x018 ProcessHeap : 0x00440000 Void
+0x028 ProcessInJob : 0y0
+0x028 ProcessInitializing : 0y0
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x090 ProcessHeaps : 0x77c77500 -> 0x00440000 Void
+0x098 ProcessStarterHelper : (null)
+0x1fc ProcessAssemblyStorageMap : 0x004723b8 _ASSEMBLY_STORAGE_MAP
ProcessParameters is the structure of interest to us, so let's dereference it to see what it contains.
kd> dt nt!_PEB @$peb ProcessParameters->*
+0x010 ProcessParameters :
+0x000 MaximumLength : 0x6c4
+0x004 Length : 0x6c4
+0x008 Flags : 0x6001
+0x00c DebugFlags : 0
+0x010 ConsoleHandle : (null)
+0x014 ConsoleFlags : 0
+0x018 StandardInput : (null)
+0x01c StandardOutput : (null)
+0x020 StandardError : (null)
+0x024 CurrentDirectory : _CURDIR
+0x030 DllPath : _UNICODE_STRING "C:\Windows;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\"
+0x038 ImagePathName : _UNICODE_STRING "C:\Windows\Explorer.EXE"
+0x040 CommandLine : _UNICODE_STRING "C:\Windows\Explorer.EXE"
+0x048 Environment : 0x00500c18 Void
+0x04c StartingX : 0
+0x050 StartingY : 0
+0x054 CountX : 0
+0x058 CountY : 0
+0x05c CountCharsX : 0
+0x060 CountCharsY : 0x409
+0x064 FillAttribute : 0x440000
+0x068 WindowFlags : 1
+0x06c ShowWindowFlags : 1
+0x070 WindowTitle : _UNICODE_STRING "C:\Windows\Explorer.EXE"
+0x078 DesktopInfo : _UNICODE_STRING "Winsta0\Default"
+0x080 ShellInfo : _UNICODE_STRING "C:\Windows\Explorer.EXE"
+0x088 RuntimeData : _UNICODE_STRING ""
+0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
+0x290 EnvironmentSize : 0x93c
+0x294 EnvironmentVersion : 0x13
Other fields are also of interest, for example the ProcessHeap and ProcessHeaps fields; these are discussed in detail in the post about process heaps.
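The same extraction done programmatically, as an added example that is not part of the original post: a small Python parser that walks PEB -> ProcessParameters -> Environment in a 32-bit memory image using the x86 Windows 7 SP1 offsets shown by dt above, and splits the environment block into NAME=value pairs. The memory image, its addresses and the environment strings are constructed here from values in this page's output; the dict-based memory reader is a stand-in for a real dump reader.

```python
import struct

# Field offsets as shown by "dt nt!_PEB" and "ProcessParameters->*" on this page
# (x86, Windows 7 SP1); they are OS-version specific, so re-check with dt before reuse.
PEB_BEING_DEBUGGED, PEB_IMAGE_BASE = 0x002, 0x008
PEB_PROCESS_PARAMETERS, PEB_SESSION_ID = 0x010, 0x1d4
RUPP_IMAGE_PATH_NAME, RUPP_COMMAND_LINE = 0x038, 0x040
RUPP_ENVIRONMENT, RUPP_ENVIRONMENT_SIZE = 0x048, 0x290
MAX_ENV_BYTES = 1 << 20  # sanity cap against a corrupted EnvironmentSize

def read(mem, addr, size):
    """mem is a sparse 32-bit address space {base: bytes}, a stand-in for a dump reader."""
    for base, data in mem.items():
        if base <= addr and addr + size <= base + len(data):
            return bytes(data[addr - base:addr - base + size])
    raise ValueError(f"unmapped read of {size} bytes at {addr:#010x}")

def u32(mem, addr):
    return struct.unpack("<I", read(mem, addr, 4))[0]

def read_unicode_string(mem, addr):
    """_UNICODE_STRING (x86): USHORT Length, USHORT MaximumLength, PWSTR Buffer."""
    length, _maximum, buf = struct.unpack("<HHI", read(mem, addr, 8))
    if buf == 0 or length == 0:
        return ""
    return read(mem, buf, length & ~1).decode("utf-16-le", errors="replace")

def parse_environment(mem, addr, size):
    """Environment block: NUL-separated UTF-16 'NAME=value' entries, double NUL at the end."""
    if addr == 0 or size == 0 or size > MAX_ENV_BYTES:
        return {}
    env = {}
    for entry in read(mem, addr, size & ~1).decode("utf-16-le", errors="replace").split("\0"):
        if entry == "":  # the first empty string is the block terminator
            break
        # A leading '=' is legal (hidden per-drive entries such as '=C:=C:\...'),
        # so the separator is searched from position 1.
        name, sep, value = entry[1:].partition("=")
        env[entry[0] + name] = value if sep else ""
    return env

def parse_peb(mem, peb_addr):
    """Recover the fields the page's !peb output reports, straight from raw memory."""
    params = u32(mem, peb_addr + PEB_PROCESS_PARAMETERS)
    info = {"being_debugged": bool(read(mem, peb_addr + PEB_BEING_DEBUGGED, 1)[0]),
            "image_base": u32(mem, peb_addr + PEB_IMAGE_BASE),
            "session_id": u32(mem, peb_addr + PEB_SESSION_ID),
            "process_parameters": params}
    if params:  # a process still initialising may not have its parameters yet
        info["image_path"] = read_unicode_string(mem, params + RUPP_IMAGE_PATH_NAME)
        info["command_line"] = read_unicode_string(mem, params + RUPP_COMMAND_LINE)
        info["environment"] = parse_environment(mem, u32(mem, params + RUPP_ENVIRONMENT),
                                                u32(mem, params + RUPP_ENVIRONMENT_SIZE))
    return info

def build_sample_image():
    """Constructed image at the PEB/ProcessParameters/Environment addresses seen above."""
    peb_addr, params_addr, env_addr = 0x7ffda000, 0x00441128, 0x00500c18
    peb = bytearray(0x248)
    struct.pack_into("<I", peb, PEB_IMAGE_BASE, 0x000e0000)
    struct.pack_into("<I", peb, PEB_PROCESS_PARAMETERS, params_addr)
    struct.pack_into("<I", peb, PEB_SESSION_ID, 1)
    params, strings = bytearray(0x298), bytearray()  # string buffers follow the struct

    def put_ustr(field_off, text):
        raw = text.encode("utf-16-le")
        struct.pack_into("<HHI", params, field_off, len(raw), len(raw) + 2,
                         params_addr + 0x298 + len(strings))
        strings.extend(raw + b"\0\0")

    put_ustr(RUPP_IMAGE_PATH_NAME, r"C:\Windows\Explorer.EXE")
    put_ustr(RUPP_COMMAND_LINE, r"C:\Windows\Explorer.EXE")
    env = "".join(s + "\0" for s in (r"=C:=C:\Windows", r"ALLUSERSPROFILE=C:\ProgramData",
                                     "USERNAME=SYSTEM", r"SystemRoot=C:\Windows")) + "\0"
    env_bytes = env.encode("utf-16-le")
    struct.pack_into("<I", params, RUPP_ENVIRONMENT, env_addr)
    struct.pack_into("<I", params, RUPP_ENVIRONMENT_SIZE, len(env_bytes))
    return {peb_addr: peb, params_addr: params + strings, env_addr: env_bytes}, peb_addr
```

Calling parse_peb(*build_sample_image()) returns the image base, command line and environment dictionary; against a real dump, replace the dict with a reader for that dump's format and re-check the offsets with dt for the target OS build.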