peb获取进程加载模块

重要结构体 typedef struct _PEB { // Size: 0x1D8/*000*/ UCHAR InheritedAddressSpace;/*001*/ UCHAR ReadImageFileExecOptions;/*002*/ UCHAR BeingDebugged;/*003*/ UCHAR SpareBool; // Allocation size/*004*/ HANDLE Mutant;/*008*/ HINSTANCE ImageBaseAddress; // Instance/*00C*/ VOID *DllList; //_PEB_LDR_DATA ;进程加载的模块链表/*010*/ PPROCESS_PARAMETERS *ProcessParameters;/*014*/ ULONG SubSystemData;/*018*/ HANDLE DefaultHeap;/*01C*/ KSPIN_LOCK FastPebLock;/*020*/ ULONG FastPebLockRoutine;/*024*/ ULONG FastPebUnlockRoutine;/*028*/ ULONG EnvironmentUpdateCount;/*02C*/ ULONG KernelCallbackTable;/*030*/ LARGE_INTEGER SystemReserved;/*038*/ ULONG FreeList;/*03C*/ ULONG TlsExpansionCounter;/*040*/ ULONG TlsBitmap;/*044*/ LARGE_INTEGER TlsBitmapBits;/*04C*/ ULONG ReadOnlySharedMemoryBase;/*050*/ ULONG ReadOnlySharedMemoryHeap;/*054*/ ULONG ReadOnlyStaticServerData;/*058*/ ULONG AnsiCodePageData;/*05C*/ ULONG OemCodePageData;/*060*/ ULONG UnicodeCaseTableData;/*064*/ ULONG NumberOfProcessors;/*068*/ LARGE_INTEGER NtGlobalFlag; // Address of a local copy/*070*/ LARGE_INTEGER CriticalSectionTimeout;/*078*/ ULONG HeapSegmentReserve;/*07C*/ ULONG HeapSegmentCommit;/*080*/ ULONG HeapDeCommitTotalFreeThreshold;/*084*/ ULONG HeapDeCommitFreeBlockThreshold;/*088*/ ULONG NumberOfHeaps;/*08C*/ ULONG MaximumNumberOfHeaps;/*090*/ ULONG ProcessHeaps;/*094*/ ULONG GdiSharedHandleTable;/*098*/ ULONG ProcessStarterHelper;/*09C*/ ULONG GdiDCAttributeList;/*0A0*/ KSPIN_LOCK LoaderLock;/*0A4*/ ULONG OSMajorVersion;/*0A8*/ ULONG OSMinorVersion;/*0AC*/ USHORT OSBuildNumber;/*0AE*/ USHORT OSCSDVersion;/*0B0*/ ULONG OSPlatformId;/*0B4*/ ULONG ImageSubsystem;/*0B8*/ ULONG ImageSubsystemMajorVersion;/*0BC*/ ULONG ImageSubsystemMinorVersion;/*0C0*/ ULONG ImageProcessAffinityMask;/*0C4*/ ULONG GdiHandleBuffer[0x22];/*14C*/ ULONG PostProcessInitRoutine;/*150*/ ULONG TlsExpansionBitmap;/*154*/ UCHAR TlsExpansionBitmapBits[0x80];/*1D4*/ ULONG SessionId;} PEB, *PPEB;typedef struct _PEB_LDR_DATA{　ULONG Length; // +0x00　BOOLEAN Initialized; // +0x04　PVOID SsHandle; // +0x08　LIST_ENTRY InLoadOrderModuleList; // +0x0c　LIST_ENTRY InMemoryOrderModuleList; // +0x14　LIST_ENTRY InInitializationOrderModuleList;// +0x1c} PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; // +0x00 LIST_ENTRY InMemoryOrderLinks; //+0x08 LIST_ENTRY InInitializationOrderLinks; //+0x10 PVOID DllBase; // +0x18 PVOID EntryPoint; //+0x1c DWORD SizeOfImage; //+0x20 UNICODE_STRING FullDllName;// +0x24 UNICODE_STRING BaseDllName; // +0x2c DWORD Flags; WORD LoadCount; WORD TlsIndex; LIST_ENTRY HashLinks; PVOID SectionPointer; DWORD CheckSum; 典雅的天空; PVOID LoadedImports; PVOID EntryPointActivationContext; PVOID PatchInformation; }LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY; typedef struct _LSA_UNICODE_STRING{USHORT Length;USHORT MaximumLength;PWSTR Buffer;} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;USHORT:2 Bytestypedef struct _LIST_ENTRY{struct _LIST_ENTRY *Flink;struct _LIST_ENTRY *Blink;} LIST_ENTRY, *PLIST_ENTRY; ShellCode //find base addr of kernel32.dll//fs:[0]--> TEB//fs:[30]--> PEB//[PEB+0c]--> Ldr(ptr32 _PEB_LDR_DATA)//[Ldr+1c]--> InInitializationOrderModuleList(LIST_ENTRY)//[LIST_ENTRY] = second_LIST_ENTRY//[second_LIST_ENTRY] = third_LIST_ENTRY//[third_LIST_ENTRY+0x8]-->kernel32 module base addressxor edx, edxmov ebx, fs:[edx + 0x30]//PEBmov ecx, [ebx + 0x0c]//ldrmov ecx, [ecx + 0x1c]//IninitializationOrderModuleListmov ecx, [ecx]//ntdllmov ecx, [ecx]//kernel basemov ebp, [ecx + 0x08]//kernel32