/* 0x2C */ULONGFlags;/* 0x34 */union{UCHARFlagGroup[4];ULONGFlags;struct{/* bit fields, see below */};};WORDLoadCount;/* 0x38 */WORDTlsIndex;/* 0x3A */union/* 0x3C */{LIST_ENTRYHashLinks;struct{PVOIDSectionPointer;ULONGCheckSum;};};union{ULONGTimeDateStamp;PVOIDLoadedImports;...
typedefstruct_LDR_DATA_TABLE_ENTRY {//Start from Windows XPLIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount;...
//0x68 ULONG InExceptionTable:1; //0x68 ULONG ReservedFlags1:2; //0x68 ULONG LoadInProgress:1; //0x68 ULONG LoadConfigProcessed:1; //0x68 ULONG EntryProcessed:1; //0x68 ULONG ProtectDelayLoad:1; //0x68 ULONG ReservedFlags3:2; //0x68 ULONG DontCallForThreads:1; //0x68 ULONG Pro...
思路便是:通过双向链表来遍历_LDR_DATA_TABLE_ENTRY结构体,匹配模块名称,获取模块基址。 如果你不幸...,根据上面讲解的思路,接下来的故事就顺理成章了,忘记思路的同学,看这里: 思路便是:通过双向链表来遍历_LDR_DATA_TABLE_ENTRY结构体,匹配模块名称,获取模块基址。 MOV EAX ...
经过研究,其实Ldr链表得第一项为头结点,为PEB_LDR_DATA结构,而其他所有项均为LDR_DATA_TABLE_ENTRY结构 Ldr的创建:ldrinit.c -> LdrpInitializeProcess PEB_LDR_DATA PebLdr LdrpInitializeProcess 初始化进程时用空项PebLdr创建Ldr Peb->Ldr = &PebLdr; ...
ULONG Flags; USHORT LoadCount; USHORT TlsIndex; union { LIST_ENTRY HashLinks; PVOID SectionPointer; }; ULONG CheckSum; union { ULONG TimeDateStamp; PVOID LoadedImports; }; PVOID EntryPointActivationContext; PVOID PatchInformation; } LDR_DATA_TABLE_ENTRY * PLDR_DATA_TABLE_ENTRY; ...
在NT内核系统中fs寄存器指向TEB结构,TEB+0x30处指向PEB结构,PEB+0x0c处指向PEB_LDR_DATA结构,PEB_LDR_DATA+0x1c处存放一些指向动态链接库信息的链表地址,win7下第一个指向ntdl.dll,第三个就是kernel32.dll的。 typedef struct _TEB { NT_TIB Tib; /* 00h */ ...
LDR_DATA_TABLE_ENTRY结构定义如下: syntax typedef struct _LDR_DATA_TABLE_ENTRY { PVOID Reserved1[2]; LIST_ENTRY InMemoryOrderLinks; PVOID Reserved2[2]; PVOID DllBase; PVOID EntryPoint; PVOID Reserved3; UNICODE_STRING FullDllName; BYTE Reserved4[8]; PVOID Reserved5[3]; union { ULONG ...
经过研究,其实Ldr链表得第一项为头结点,为PEB_LDR_DATA结构,而其他所有项均为LDR_DATA_TABLE_ENTRY...
ULONG Flags; SHORT LoadCount; SHORT TlsIndex; LIST_ENTRY HashTableEntry; ULONG TimeDateStamp; } LDR_MODULE, *PLDR_MODULE; VOID HideModule(HMODULE hLibrary) { PPEB_LDR_DATA pLdr = NULL; PLDR_MODULE FirstModule = NULL; PLDR_MODULE GurrentModule = NULL; ...