Exetools  

General > General Discussion
  #1  
Old 05-14-2004, 23:34
volodya
PEB is present starting from NT+.
The exact implementation of the structure is different. You can extract it from PDB-files using pdb-dump by de Quency.
  #2  
Old 05-15-2004, 01:04
JMI
Here's a little searching project for you all. The de Quincy article is available on "Searchlore" and his utility is available on "Sourceforge."

Regards,
JMI
  #3  
Old 05-15-2004, 01:17
phax
PEB detection

As posted in a concurrent thread (initial register values), the PEB can easily be retrieved with the following (VC) C++ code:

    void *PEB = NULL;
    __asm
    {
        mov eax, fs:[0x30]   ; TEB->ProcessEnvironmentBlock (32-bit process)
        mov PEB, eax         ; store the pointer in the C variable
    }

On Windows 2000 it is constantly 0x7ffdf000.
regards, PHaX
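The read above only works in a 32-bit process (in a 64-bit process the TEB lives in gs and the PEB pointer is at gs:[0x60]), and the fixed 0x7ffdf000 address holds only on systems without ASLR; from Vista on the PEB moves between runs. The following is an added example, not code from phax or from anyone else in this thread: it does the same fs:[0x30] / gs:[0x60] read for MSVC and MinGW on both bitnesses, and pairs it with a small decoder for a few PEB fields whose offsets have stayed stable across Windows versions (BeingDebugged, ImageBaseAddress, Ldr, NtGlobalFlag), the kind of thing you would run over a PEB pulled out of a memory dump as much as over the live one. The 32-bit PEB image it decodes is constructed for the example (the Ldr value is an invented address), and outside Windows only that offline part runs.

```c
/* Added example, not code from the thread: the fs:[0x30] / gs:[0x60] PEB read
 * from phax's post done portably, plus a decoder for PEB fields whose offsets
 * are stable across Windows versions.  Off Windows only the decoder runs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_WIN32) && defined(_MSC_VER)
#  include <intrin.h>
#endif

/* Live PEB of the current process (TEB->ProcessEnvironmentBlock); NULL off Windows. */
static void *peb_live(void)
{
#if defined(_WIN64) && defined(_MSC_VER)
    return (void *)__readgsqword(0x60);
#elif defined(_WIN32) && defined(_MSC_VER)
    return (void *)__readfsdword(0x30);
#elif defined(_WIN64)
    void *p; __asm__ volatile("movq %%gs:0x60, %0" : "=r"(p)); return p;
#elif defined(_WIN32)
    void *p; __asm__ volatile("movl %%fs:0x30, %0" : "=r"(p)); return p;
#else
    return NULL;
#endif
}

static uint64_t read_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

static void write_le(uint8_t *p, size_t n, uint64_t v)
{
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

enum peb_field_id { PEB_BEING_DEBUGGED, PEB_IMAGE_BASE, PEB_LDR, PEB_NT_GLOBAL_FLAG };
#define PEB_BAD ((uint64_t)-1)

/* Decode one field from a raw PEB image of the given bitness (32 or 64).  Returns
 * PEB_BAD for a bad field/bitness or an image too short to hold the field, so a
 * truncated dump never decodes as a silent zero. */
static uint64_t peb_field(const uint8_t *peb, size_t len, int bits, enum peb_field_id id)
{
    size_t ptr, off, size;
    if (bits == 32) ptr = 4; else if (bits == 64) ptr = 8; else return PEB_BAD;
    switch (id) {
    case PEB_BEING_DEBUGGED: off = 0x02;                     size = 1;   break;
    case PEB_IMAGE_BASE:     off = bits == 64 ? 0x10 : 0x08; size = ptr; break;
    case PEB_LDR:            off = bits == 64 ? 0x18 : 0x0C; size = ptr; break;
    case PEB_NT_GLOBAL_FLAG: off = bits == 64 ? 0xBC : 0x68; size = 4;   break;
    default:                 return PEB_BAD;
    }
    if (len < off + size) return PEB_BAD;
    return read_le(peb + off, size);
}

/* FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK|FLG_HEAP_VALIDATE_PARAMETERS:
 * set in NtGlobalFlag when the process was created under a debugger.  With
 * BeingDebugged this is the classic PEB-based debugger check.  -1 = undecodable. */
#define NTGF_HEAP_DEBUG 0x70u
static int peb_looks_debugged(const uint8_t *peb, size_t len, int bits)
{
    uint64_t bd = peb_field(peb, len, bits, PEB_BEING_DEBUGGED);
    uint64_t gf = peb_field(peb, len, bits, PEB_NT_GLOBAL_FLAG);
    if (bd == PEB_BAD || gf == PEB_BAD) return -1;
    return bd != 0 || (gf & NTGF_HEAP_DEBUG) == NTGF_HEAP_DEBUG;
}

/* Constructed 32-bit PEB image (values invented for the example, not captured
 * from a real process): a debugged process whose image is at 0x00400000. */
#define SAMPLE32_LEN 0x6C
static const uint8_t *sample_peb32(void)
{
    static uint8_t buf[SAMPLE32_LEN];
    memset(buf, 0, sizeof buf);
    buf[0x02] = 1;                            /* BeingDebugged */
    write_le(buf + 0x08, 4, 0x00400000);      /* ImageBaseAddress */
    write_le(buf + 0x0C, 4, 0x77F5C000);      /* Ldr (hypothetical address) */
    write_le(buf + 0x68, 4, NTGF_HEAP_DEBUG); /* NtGlobalFlag */
    return buf;
}

int main(void)
{
    const uint8_t *s = sample_peb32(), *live = (const uint8_t *)peb_live();
    printf("sample: ImageBase=0x%llx debugged=%d\n",
           (unsigned long long)peb_field(s, SAMPLE32_LEN, 32, PEB_IMAGE_BASE),
           peb_looks_debugged(s, SAMPLE32_LEN, 32));
    if (live) { /* the PEB spans at least a page, so 0x100 bytes are readable */
        int bits = (int)(sizeof(void *) * 8);
        printf("live PEB %p: ImageBase=0x%llx debugged=%d\n", (void *)live,
               (unsigned long long)peb_field(live, 0x100, bits, PEB_IMAGE_BASE),
               peb_looks_debugged(live, 0x100, bits));
    }
    return 0;
}
```

Built on Windows, the live branch prints the same ImageBaseAddress that GetModuleHandle(NULL) returns, which is a quick way to confirm the segment read landed on the real PEB; the decoder deliberately refuses (PEB_BAD) rather than reading past the end of a short snapshot, since a 32-bit dump decoded with 64-bit offsets would otherwise return garbage for NtGlobalFlag.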
  #4  
Old 05-15-2004, 02:53
volodya
My dear JMI, no need to go to Sourceforge:
http://wasm.ru/tools/21/pdbdump.zip
+ DIA SDK:
http://wasm.ru/tools/4/dia.zip
  #5  
Old 05-15-2004, 03:10
JMI
volodya:

I already knew that these utilities were available in many places. I was merely intending to encourage people to learn better how to search. I also thought some might like to actually read de Quincy's article.

Regards,
JMI

  #6  
Old 05-15-2004, 10:53
TQN
Hi volodya !
I have tried to use pdbdump with ntdll.dbg and ntdll.pdb, but the output is only the names of public, import and export symbols... We don't get the layout or struct definition of the PEB.
Regards
  #7  
Old 05-15-2004, 22:40
volodya
Try ntoskrnl.pdb.
All times are GMT +8.