Wednesday, October 22, 2014

How to get PEB base address

Process Environment Block (PEB)

The PEB is located within the virtual address space of the process it belongs to. Its address is most often 7ffda000, but not always. There are several ways to get the PEB base address in the process VA space.

Method 1: WinDbg provides pseudo-registers such as $peb, which holds the base address of the PEB data structure within the process VA space.

0:000> dt @$peb
Symbol not found at address 7ffd9000.

Method 2: display the complete PEB data structure with values.

0:000> !peb
PEB at 7ffd9000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00680000
    Ldr                       77657880
    Ldr.Initialized:          Yes

Method 3: in kernel debugging mode.

lkd> !process -0 0
**** NT ACTIVE PROCESS DUMP ****
....................
PROCESS 8290b020 SessionId: 0 Cid: 081c Peb: 7ffd9000 ParentCid: 058c
DirBase: 0e6c0240 ObjectTable: e23f1388 HandleCount: 41.
Image: notepad.exe
....................

This displays information about every process running on the local system right now. Along with other useful fields such as DirBase, it shows the location of each process's PEB.

Method 4: The PEB is a user-mode data structure, specific to one application process. In kernel mode, the process's _EPROCESS structure holds a pointer to its PEB, so dumping the _EPROCESS found in the process list above also gives the PEB address.

lkd> dt nt!_EPROCESS 8290b020

Method 5: When writing shellcode, the base address of the PEB has to be found from assembly language code alone. This relies on the fact that, on any 32-bit Windows NT OS, the fs segment register points at the TEB and the PEB pointer sits at offset 0x30 in it. So, after

mov eax, fs:[0x30]

we have a pointer to the PEB in the eax register.

Method 6: !teb lists the PEB address as one field of the current thread's TEB.

0:000> !teb
TEB at 7ffdf000
    ExceptionList:        0019fb24
    StackBase:            001a0000
    StackLimit:           0018f000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             00000e2c . 0000085c
    RpcHandle:            00000000
    Tls Storage:          7ffdf02c
    PEB Address:          7ffd9000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0

Method 7: dump the TEB as a typed structure; the PEB pointer is the ProcessEnvironmentBlock field at offset 0x30.

0:000> dt @$teb
Symbol not found at address 7ffdf000.
0:000> dt nt!_TEB @$teb
ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : (null) 
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : (null) 
   +0x02c ThreadLocalStoragePointer : 0x7ffdf02c Void
   +0x030 ProcessEnvironmentBlock : 0x7ffd9000 _PEB
   +0x034 LastErrorValue   : 0
   +0x038 CountOfOwnedCriticalSections : 0
This also means that the fs segment register points at the base of the TEB (fs:[0] is its first field, NtTib), and since the PEB pointer sits at offset 0x30 in the TEB, the PEB can be located using fs:[0x30].
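As an added cross-check that is not part of the original post: the script below parses the WinDbg transcripts shown above, pulls the PEB address out of each method's output, and confirms that they all agree and that the ProcessEnvironmentBlock offset reported by `dt nt!_TEB` is the 0x30 that the fs:[0x30] idiom depends on. The transcripts are copied from this post; the parsing functions are my own.

```python
import re

# WinDbg transcripts copied from the post above (32-bit notepad.exe, PEB at 7ffd9000).
BANG_PEB = """PEB at 7ffd9000
    InheritedAddressSpace:    No
"""
BANG_TEB = """TEB at 7ffdf000
    PEB Address:          7ffd9000
"""
DT_TEB = """ntdll!_TEB
   +0x02c ThreadLocalStoragePointer : 0x7ffdf02c Void
   +0x030 ProcessEnvironmentBlock : 0x7ffd9000 _PEB
"""
BANG_PROCESS = """PROCESS 8290b020 SessionId: 0 Cid: 081c Peb: 7ffd9000 ParentCid: 058c
DirBase: 0e6c0240 ObjectTable: e23f1388 HandleCount: 41.
Image: notepad.exe
"""
FS_PEB_OFFSET = 0x30  # TEB offset behind the x86 idiom mov eax, fs:[0x30]
HEX = r"([0-9a-fA-F]+)"

def peb_from_bang_peb(text):
    m = re.search(r"^PEB at " + HEX, text, re.M)
    return int(m.group(1), 16) if m else None

def peb_from_bang_teb(text):
    m = re.search(r"PEB Address:\s+" + HEX, text)
    return int(m.group(1), 16) if m else None

def teb_field(text, name):
    """(offset, value) of one pointer field in a `dt nt!_TEB` dump, or None."""
    m = re.search(r"\+0x" + HEX + r"\s+" + re.escape(name) + r"\s*:\s*0x" + HEX, text)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def peb_from_process_dump(text, image):
    """Peb field of the PROCESS block whose Image line names `image`, or None."""
    peb = None
    for line in text.splitlines():
        m = re.match(r"PROCESS \S+ .*Peb: " + HEX, line)
        if m:
            peb = int(m.group(1), 16)
        elif line.strip() == "Image: " + image:
            return peb
    return None

def cross_check(image="notepad.exe"):
    """PEB address per method; all must agree and the TEB offset must be 0x30."""
    off, via_dt = teb_field(DT_TEB, "ProcessEnvironmentBlock")
    found = {"!peb": peb_from_bang_peb(BANG_PEB), "!teb": peb_from_bang_teb(BANG_TEB),
             "dt nt!_TEB": via_dt, "!process 0 0": peb_from_process_dump(BANG_PROCESS, image)}
    return found, len(set(found.values())) == 1 and off == FS_PEB_OFFSET
```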