Thread: Modules loaded by a exe
View Single Post
  #14  
Old 05-17-2004, 22:24
volodya
 
Posts: n/a
This is strange, my friend.
Dump from ntoskrnl.exe (Windows 2003):

struct _PEB {

// static data ------------------------------------

// non-static data --------------------------------
/*<thisrel this+0x0>*/ /*|0x1|*/ unsigned char InheritedAddressSpace;
/*<thisrel this+0x1>*/ /*|0x1|*/ unsigned char ReadImageFileExecOptions;
/*<thisrel this+0x2>*/ /*|0x1|*/ unsigned char BeingDebugged;
/*<thisrel this+0x3>*/ /*|0x1|*/ unsigned char SpareBool;
/*<thisrel this+0x4>*/ /*|0x4|*/ void* Mutant;
/*<thisrel this+0x8>*/ /*|0x4|*/ void* ImageBaseAddress;
/*<thisrel this+0xc>*/ /*|0x4|*/ struct _PEB_LDR_DATA* Ldr;
/*<thisrel this+0x10>*/ /*|0x4|*/ struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
/*<thisrel this+0x14>*/ /*|0x4|*/ void* SubSystemData;
/*<thisrel this+0x18>*/ /*|0x4|*/ void* ProcessHeap;
/*<thisrel this+0x1c>*/ /*|0x4|*/ struct _RTL_CRITICAL_SECTION* FastPebLock;
/*<thisrel this+0x20>*/ /*|0x4|*/ void* SparePtr1;
/*<thisrel this+0x24>*/ /*|0x4|*/ void* SparePtr2;
/*<thisrel this+0x28>*/ /*|0x4|*/ unsigned long EnvironmentUpdateCount;
/*<thisrel this+0x2c>*/ /*|0x4|*/ void* KernelCallbackTable;
/*<thisrel this+0x30>*/ /*|0x4|*/ unsigned long SystemReserved[1];
/*<bitfield this+0x34>*/ /*|0x4|*/ unsigned long ExecuteOptions:0:2;
/*<bitfield this+0x34>*/ /*|0x4|*/ unsigned long SpareBits:2:1e;
/*<thisrel this+0x38>*/ /*|0x4|*/ struct _PEB_FREE_BLOCK* FreeList;
/*<thisrel this+0x3c>*/ /*|0x4|*/ unsigned long TlsExpansionCounter;
/*<thisrel this+0x40>*/ /*|0x4|*/ void* TlsBitmap;
/*<thisrel this+0x44>*/ /*|0x8|*/ unsigned long TlsBitmapBits[2];
/*<thisrel this+0x4c>*/ /*|0x4|*/ void* ReadOnlySharedMemoryBase;
/*<thisrel this+0x50>*/ /*|0x4|*/ void* ReadOnlySharedMemoryHeap;
/*<thisrel this+0x54>*/ /*|0x4|*/ void** ReadOnlyStaticServerData;
/*<thisrel this+0x58>*/ /*|0x4|*/ void* AnsiCodePageData;
/*<thisrel this+0x5c>*/ /*|0x4|*/ void* OemCodePageData;
/*<thisrel this+0x60>*/ /*|0x4|*/ void* UnicodeCaseTableData;
/*<thisrel this+0x64>*/ /*|0x4|*/ unsigned long NumberOfProcessors;
/*<thisrel this+0x68>*/ /*|0x4|*/ unsigned long NtGlobalFlag;
/*<thisrel this+0x70>*/ /*|0x8|*/ union _LARGE_INTEGER CriticalSectionTimeout;
/*<thisrel this+0x78>*/ /*|0x4|*/ unsigned long HeapSegmentReserve;
/*<thisrel this+0x7c>*/ /*|0x4|*/ unsigned long HeapSegmentCommit;
/*<thisrel this+0x80>*/ /*|0x4|*/ unsigned long HeapDeCommitTotalFreeThreshold;
/*<thisrel this+0x84>*/ /*|0x4|*/ unsigned long HeapDeCommitFreeBlockThreshold;
/*<thisrel this+0x88>*/ /*|0x4|*/ unsigned long NumberOfHeaps;
/*<thisrel this+0x8c>*/ /*|0x4|*/ unsigned long MaximumNumberOfHeaps;
/*<thisrel this+0x90>*/ /*|0x4|*/ void** ProcessHeaps;
/*<thisrel this+0x94>*/ /*|0x4|*/ void* GdiSharedHandleTable;
/*<thisrel this+0x98>*/ /*|0x4|*/ void* ProcessStarterHelper;
/*<thisrel this+0x9c>*/ /*|0x4|*/ unsigned long GdiDCAttributeList;
/*<thisrel this+0xa0>*/ /*|0x4|*/ struct _RTL_CRITICAL_SECTION* LoaderLock;
/*<thisrel this+0xa4>*/ /*|0x4|*/ unsigned long OSMajorVersion;
/*<thisrel this+0xa8>*/ /*|0x4|*/ unsigned long OSMinorVersion;
/*<thisrel this+0xac>*/ /*|0x2|*/ unsigned short OSBuildNumber;
/*<thisrel this+0xae>*/ /*|0x2|*/ unsigned short OSCSDVersion;
/*<thisrel this+0xb0>*/ /*|0x4|*/ unsigned long OSPlatformId;
/*<thisrel this+0xb4>*/ /*|0x4|*/ unsigned long ImageSubsystem;
/*<thisrel this+0xb8>*/ /*|0x4|*/ unsigned long ImageSubsystemMajorVersion;
/*<thisrel this+0xbc>*/ /*|0x4|*/ unsigned long ImageSubsystemMinorVersion;
/*<thisrel this+0xc0>*/ /*|0x4|*/ unsigned long ImageProcessAffinityMask;
/*<thisrel this+0xc4>*/ /*|0x88|*/ unsigned long GdiHandleBuffer[34];
/*<thisrel this+0x14c>*/ /*|0x4|*/ void (PostProcessInitRoutine*)();
/*<thisrel this+0x150>*/ /*|0x4|*/ void* TlsExpansionBitmap;
/*<thisrel this+0x154>*/ /*|0x80|*/ unsigned long TlsExpansionBitmapBits[32];
/*<thisrel this+0x1d4>*/ /*|0x4|*/ unsigned long SessionId;
/*<thisrel this+0x1d8>*/ /*|0x8|*/ union _ULARGE_INTEGER AppCompatFlags;
/*<thisrel this+0x1e0>*/ /*|0x8|*/ union _ULARGE_INTEGER AppCompatFlagsUser;
/*<thisrel this+0x1e8>*/ /*|0x4|*/ void* pShimData;
/*<thisrel this+0x1ec>*/ /*|0x4|*/ void* AppCompatInfo;
/*<thisrel this+0x1f0>*/ /*|0x8|*/ struct _UNICODE_STRING CSDVersion;
/*<thisrel this+0x1f8>*/ /*|0x4|*/ struct _ACTIVATION_CONTEXT_DATA* ActivationContextData;
/*<thisrel this+0x1fc>*/ /*|0x4|*/ struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap;
/*<thisrel this+0x200>*/ /*|0x4|*/ struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData;
/*<thisrel this+0x204>*/ /*|0x4|*/ struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap;
/*<thisrel this+0x208>*/ /*|0x4|*/ unsigned long MinimumStackCommit;
/*<thisrel this+0x20c>*/ /*|0x4|*/ void** FlsCallback;
/*<thisrel this+0x210>*/ /*|0x8|*/ struct _LIST_ENTRY FlsListHead;
/*<thisrel this+0x218>*/ /*|0x4|*/ void* FlsBitmap;
/*<thisrel this+0x21c>*/ /*|0x10|*/ unsigned long FlsBitmapBits[4];
/*<thisrel this+0x22c>*/ /*|0x4|*/ unsigned long FlsHighIndex;

// base classes -----------------------------------

// friends ----------------------------------------

// static functions -------------------------------

// non-virtual functions --------------------------

// virtual functions ------------------------------
};
// <size 0x230>
Reply With Quote