WinDbg Process Environment Block: !peb
2021-07-01
!peb displays the Process Environment Block (PEB) of the current process.
Note: on a 64-bit operating system, the addresses shown when debugging a 32-bit process differ depending on whether you use the 64-bit or the 32-bit WinDbg.
For example, the output for a 64-bit notepad looks like this:
0:001> !peb
PEB at 000007fffffd3000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00000000ff800000
Ldr 0000000077762e40
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00000000000a2f00 . 00000000000e1220
Ldr.InLoadOrderModuleList: 00000000000a2df0 . 00000000000e1200
Ldr.InMemoryOrderModuleList: 00000000000a2e00 . 00000000000e1210
Base TimeStamp Module
ff800000 559ea8be Jul 10 01:00:46 2015 C:\Windows\system32\notepad.exe
77630000 5cb9356e Apr 19 10:41:50 2019 C:\Windows\SYSTEM32\ntdll.dll
77510000 5cb935a6 Apr 19 10:42:46 2019 C:\Windows\system32\kernel32.dll
7fefd8c0000 5cb935a7 Apr 19 10:42:47 2019 C:\Windows\system32\KERNELBASE.dll
7feff840000 5cb934db Apr 19 10:39:23 2019 C:\Windows\system32\ADVAPI32.dll
7feff390000 4eeb033f Dec 16 16:37:19 2011 C:\Windows\system32\msvcrt.dll
7fefdb30000 4a5be05e Jul 14 09:33:18 2009 C:\Windows\SYSTEM32\sechost.dll
7feff4a0000 5cb93517 Apr 19 10:40:23 2019 C:\Windows\system32\RPCRT4.dll
7feff430000 5cb5ef3c Apr 16 23:05:32 2019 C:\Windows\system32\GDI32.dll
77410000 5824a140 Nov 11 00:33:04 2016 C:\Windows\system32\USER32.dll
7feff830000 5cb2c4a7 Apr 14 13:27:03 2019 C:\Windows\system32\LPK.dll
7feff5d0000 5cb5ef6b Apr 16 23:06:19 2019 C:\Windows\system32\USP10.dll
7feff2f0000 4ce7c635 Nov 20 20:59:33 2010 C:\Windows\system32\COMDLG32.dll
7feff7b0000 4ce7c9ab Nov 20 21:14:19 2010 C:\Windows\system32\SHLWAPI.dll
7fefba50000 5cb5ef1c Apr 16 23:05:00 2019 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24440_none_e36f1bbf30ff0606\COMCTL32.dll
7fefe030000 5cb5ef51 Apr 16 23:05:53 2019 C:\Windows\system32\SHELL32.dll
7fef7ee0000 5c67a7b0 Feb 16 14:03:28 2019 C:\Windows\system32\WINSPOOL.DRV
7fefd930000 5cb5ef5e Apr 16 23:06:06 2019 C:\Windows\system32\ole32.dll
7fefde20000 5cb5ef62 Apr 16 23:06:10 2019 C:\Windows\system32\OLEAUT32.dll
7fefc670000 4a5be082 Jul 14 09:33:54 2009 C:\Windows\system32\VERSION.dll
7fefdf00000 4a5bdf40 Jul 14 09:28:32 2009 C:\Windows\system32\IMM32.DLL
7feff6a0000 59b94ec5 Sep 13 23:29:09 2017 C:\Windows\system32\MSCTF.dll
7fefd450000 5cb935c1 Apr 19 10:43:13 2019 C:\Windows\system32\CRYPTBASE.dll
7fefab30000 4a5be093 Jul 14 09:34:11 2009 C:\Windows\system32\uxtheme.dll
7fefa5d0000 4a5bdf27 Jul 14 09:28:07 2009 C:\Windows\system32\dwmapi.dll
SubSystemData: 0000000000000000
ProcessHeap: 00000000000a0000
ProcessParameters: 00000000000a22f0
CurrentDirectory: 'C:\Users\Administrator\'
WindowTitle: 'C:\Windows\system32\notepad.exe'
ImageFile: 'C:\Windows\system32\notepad.exe'
CommandLine: '"C:\Windows\system32\notepad.exe" '
DllPath: 'C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\CMake\bin;D:\code\depot_tools;C:\Program Files\dotnet\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files (x86)\IncrediBuild'
Environment: 00000000000a1320
=::=::\
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Administrator\AppData\Roaming
CEF_ARCHIVE_FORMAT=tar.bz2
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=AS-PC
ComSpec=C:\Windows\system32\cmd.exe
DEPOT_TOOLS_WIN_TOOLCHAIN=0
DXSDK_DIR=C:\Program Files (x86)\Microsoft DirectX SDK (February 2010)\
FP_NO_HOST_CHECK=NO
GYP_DEFINES=buildtype=Official
GYP_MSVS_VERSION=2017
HOMEDRIVE=C:
HOMEPATH=\Users\Administrator
LOCALAPPDATA=C:\Users\Administrator\AppData\Local
LOGONSERVER=\\AS-PC
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\CMake\bin;D:\code\depot_tools;C:\Program Files\dotnet\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files (x86)\IncrediBuild
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 60 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=3c03
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\ADMINI~1\AppData\Local\Temp
TMP=C:\Users\ADMINI~1\AppData\Local\Temp
USERDOMAIN=as-PC
USERNAME=Administrator
USERPROFILE=C:\Users\Administrator
VS110COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\Tools\
VS120COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Tools\
VS140COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools\
windir=C:\Windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
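As an added example (not part of the original post), a small Python parser for the !peb output format shown above: it pulls out the PEB address, the BeingDebugged flag, the image base and the loaded-module table, then flags any module loaded from outside C:\Windows, a quick triage check when reviewing a dump for injected or side-loaded DLLs. The sample input is a constructed excerpt of the dump above; the helper.dll entry is invented so the check has something to fire on.

```python
import re

# Constructed excerpt in the layout !peb prints (module table shortened,
# last module invented to show the check firing); not a real dump.
SAMPLE = """PEB at 000007fffffd3000
    InheritedAddressSpace:    No
    BeingDebugged:            Yes
    ImageBaseAddress:         00000000ff800000
    Ldr                       0000000077762e40
    Ldr.Initialized:          Yes
            Base TimeStamp                     Module
        ff800000 559ea8be Jul 10 01:00:46 2015 C:\\Windows\\system32\\notepad.exe
        77630000 5cb9356e Apr 19 10:41:50 2019 C:\\Windows\\SYSTEM32\\ntdll.dll
     7fefd450000 5cb935c1 Apr 19 10:43:13 2019 C:\\Windows\\system32\\CRYPTBASE.dll
     7fef1230000 60ddc0a1 Jul 01 12:00:01 2021 C:\\Users\\Public\\helper.dll
    SubSystemData:     0000000000000000
    ProcessHeap:       00000000000a0000
"""

# "Name: value" lines of the PEB summary.
FIELD_RE = re.compile(r"^\s*([A-Za-z.]+):\s+(.+?)\s*$")
# "<base> <timestamp> <Mon DD HH:MM:SS YYYY> <path>" rows of the module table.
MODULE_RE = re.compile(
    r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]{8})\s+"
    r"([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+(\S.*?)\s*$")

def parse_peb(text):
    """Return PEB address, debug flag, image base and the module table."""
    info = {"peb": None, "being_debugged": None,
            "image_base": None, "modules": []}
    for line in text.splitlines():
        m = re.match(r"^\s*PEB at ([0-9a-fA-F]+)", line)
        if m:
            info["peb"] = int(m.group(1), 16)
            continue
        m = MODULE_RE.match(line)
        if m:
            info["modules"].append({
                "base": int(m.group(1), 16),
                "timestamp": int(m.group(2), 16),  # PE header TimeDateStamp
                "built": m.group(3),               # as printed (local time)
                "path": m.group(4)})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "BeingDebugged":
                info["being_debugged"] = value == "Yes"
            elif key == "ImageBaseAddress":
                info["image_base"] = int(value, 16)
    return info

def suspicious_modules(modules, trusted_prefixes=("c:\\windows\\",)):
    """Paths of modules loaded from outside the trusted directories."""
    return [m["path"] for m in modules
            if not m["path"].lower().startswith(trusted_prefixes)]
```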