Peb Module Lists

Author: David Zimmer
Date: 04.16.11 - 2:45pm
Article link: Understanding the PEB Loader Data Lists

So for the last couple of days I have been fighting with creating some code which will generate a complete PEB module list data structure for scdbg. The PEB routines which were there worked well, but every once in a while I would get a sample which did something weird and would grab the wrong module from the list.

I ended up making a separate pebBuilder project to dynamically create the PEB_LDR_DATA and LDR_MODULE linked list structures, and let me test them with asm shellcode extracts. It turned out pretty well. I build a mock PEB in a VirtualAlloc section, and link all the lists for that VA. I then modify the shellcode extracts so that they get their PEB_LDR_DATA base address from my VirtualAlloc'd memory section. This way I could build the PEB at an arbitrary offset and still test it with known examples. To run it live in scdbg, I then generated a patch file and loaded it with the -patch option. Worked out pretty slick!

Anyway, on to the point of this post. I didn't really understand the PEB module lists until I had to replicate them...which was not a very fun task with all of those forward and back links, and specific load orders. Since the task kinda sucked, and I couldn't find any docs other than struct listings, I figured I would write a short article on how to navigate the lists and some of the nuances I found along the way.

The pebBuilder project is now a part of the vs_libemu git repository.
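To make the forward/back links and load-order nuance concrete, here is an added example (not the pebBuilder code from this post or the vs_libemu repository) that links a constructed set of modules into the three loader lists in a caller-supplied block and walks them with the field-offset arithmetic a CONTAINING_RECORD-style lookup needs. The struct layouts are simplified stand-ins for the Windows ones, and the module names and base addresses are made up.

```c
#include <stddef.h>
#include <string.h>

/* Assumed, simplified stand-ins for the Windows LIST_ENTRY, PEB_LDR_DATA and
 * LDR_DATA_TABLE_ENTRY layouts: only the fields a list walker touches are kept. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY InLoadOrder, InMemoryOrder, InInitOrder; } PEB_LDR_DATA;
typedef struct {
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks, InInitOrderLinks;
    void *DllBase;
    const char *BaseDllName; /* real struct: UNICODE_STRING; narrow string here */
} LDR_MODULE;

/* Insert e at the tail of the circular list headed by h, fixing both Flink and Blink. */
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) { e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }

/* Link n modules into a caller-supplied block (stand-in for a VirtualAlloc region).
 * Load and memory order follow the array; init order skips the main exe (index 0),
 * as the real loader never puts the executable on that list, so ntdll comes first. */
void build_mock_ldr(PEB_LDR_DATA *ldr, LDR_MODULE *m, size_t n) {
    LIST_ENTRY *heads[] = { &ldr->InLoadOrder, &ldr->InMemoryOrder, &ldr->InInitOrder };
    for (int k = 0; k < 3; k++) heads[k]->Flink = heads[k]->Blink = heads[k];
    for (size_t i = 0; i < n; i++) {
        list_append(&ldr->InLoadOrder, &m[i].InLoadOrderLinks);
        list_append(&ldr->InMemoryOrder, &m[i].InMemoryOrderLinks);
        if (i > 0) list_append(&ldr->InInitOrder, &m[i].InInitOrderLinks);
    }
}

/* Walk a list forward and return the idx-th module. Each list threads a different
 * LIST_ENTRY field, so the caller passes that field's offset to recover the entry.
 * Returns NULL if the list is shorter or a node's Blink does not point back. */
LDR_MODULE *nth_module(LIST_ENTRY *head, size_t link_off, int idx) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink, idx--) {
        if (e->Flink->Blink != e) return NULL;   /* half-linked list */
        if (idx == 0) return (LDR_MODULE *)((char *)e - link_off);
    }
    return NULL;
}

/* Constructed sample: three modules with made-up bases, linked into a static block. */
static LDR_MODULE mods[3] = { { .DllBase = (void *)0x400000, .BaseDllName = "sample.exe" },
    { .DllBase = (void *)0x7c900000, .BaseDllName = "ntdll.dll" },
    { .DllBase = (void *)0x7c800000, .BaseDllName = "kernel32.dll" } };
static PEB_LDR_DATA ldr;
const char *demo_name(int which, int idx) {   /* which: 0 load, 1 memory, 2 init order */
    build_mock_ldr(&ldr, mods, 3);
    LIST_ENTRY *heads[] = { &ldr.InLoadOrder, &ldr.InMemoryOrder, &ldr.InInitOrder };
    size_t offs[] = { offsetof(LDR_MODULE, InLoadOrderLinks),
        offsetof(LDR_MODULE, InMemoryOrderLinks), offsetof(LDR_MODULE, InInitOrderLinks) };
    LDR_MODULE *m = nth_module(heads[which], offs[which], idx);
    return m ? m->BaseDllName : "";
}
```

Because the block is caller-supplied, the same routine can populate a region at any base, which is what lets a mock PEB be tested at an arbitrary offset.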