Peb Module Lists


Author: David Zimmer
Date: 04.16.11 - 2:45pm



Article link:
Understanding the PEB Loader Data Lists

So for the last couple of days I have been fighting with creating some code which will generate a complete PEB module list data structure for scdbg.

The PEB routines which were there worked well, but every once in a while I would get a sample which did something weird and would grab the wrong module from the list.

I ended up making a separate pebBuilder project to dynamically create the PEB_LDR_DATA and LDR_MODULE linked list structures, and let me test them with asm shellcode extracts.

It turned out pretty well. I build a mock PEB in a VirtualAlloc section, and link all the lists for that VA. I then modify the shellcode extracts so that they get their PEB_LDR_DATA base address from my VirtualAlloc'd memory section.

This way I could build the PEB at an arbitrary offset and still test it with known examples. To run it live in scdbg, I then generated a patch file and loaded it with the -patch option. Worked out pretty slick!

Anyway, on to the point of this post. I didn't really understand the PEB module lists until I had to replicate them... which was not a very fun task with all of those forward and back links, and specific load orders.

Since the task kinda sucked, and I couldn't find any docs other than struct listings, I figured I would write a short article on how to navigate the lists and some of the nuances I found along the way.

The pebBuilder project is now a part of the vs_libemu git repository.
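To make the forward/back links and the three load orders concrete, here is an added example (my own code, not the pebBuilder project or scdbg code) that builds a mock PEB_LDR_DATA the way the post describes, only in a static buffer instead of a VirtualAlloc'd block, and then walks each list. The structures are cut down to the fields the example touches, so their offsets are an assumption and do not match a real ntdll build; the module bases are constructed sample values. The last function shows the mistake that yields the wrong module: reading a node from InMemoryOrderModuleList as if it were the start of the LDR_MODULE instead of subtracting the offset of the InMemoryOrderLinks field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cut-down mirrors of the Windows structures (assumption: only the fields
 * this example touches are present, so field offsets do not match a real
 * ntdll build; the link arithmetic is the point, not the layout). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link */
    struct _LIST_ENTRY *Blink;   /* backward link */
} LIST_ENTRY;

typedef struct _PEB_LDR_DATA {
    uint32_t   Length;
    uint8_t    Initialized;
    void      *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

typedef struct _LDR_MODULE {
    LIST_ENTRY  InLoadOrderLinks;
    LIST_ENTRY  InMemoryOrderLinks;
    LIST_ENTRY  InInitializationOrderLinks;
    void       *DllBase;
    const char *BaseDllName;     /* real struct: UNICODE_STRING; narrow here */
} LDR_MODULE;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

/* Insert at the tail so iterating from head->Flink yields insertion order. */
static void list_append(LIST_ENTRY *head, LIST_ENTRY *node) {
    node->Flink = head;
    node->Blink = head->Blink;
    head->Blink->Flink = node;
    head->Blink = node;
}

/* Mock process: the exe plus two DLLs, in load order. Bases are constructed
 * sample values, not real module addresses. */
static LDR_MODULE g_mods[] = {
    { .DllBase = (void *)(uintptr_t)0x00400000, .BaseDllName = "sample.exe"   },
    { .DllBase = (void *)(uintptr_t)0x7c900000, .BaseDllName = "ntdll.dll"    },
    { .DllBase = (void *)(uintptr_t)0x7c800000, .BaseDllName = "kernel32.dll" },
};
#define NMODS (sizeof g_mods / sizeof g_mods[0])
static PEB_LDR_DATA g_ldr;

/* Thread all three circular lists through the same set of entries. */
PEB_LDR_DATA *build_mock_ldr(void) {
    memset(&g_ldr, 0, sizeof g_ldr);
    g_ldr.Length = sizeof g_ldr;
    g_ldr.Initialized = 1;
    list_init(&g_ldr.InLoadOrderModuleList);
    list_init(&g_ldr.InMemoryOrderModuleList);
    list_init(&g_ldr.InInitializationOrderModuleList);
    for (size_t i = 0; i < NMODS; i++) {
        list_append(&g_ldr.InLoadOrderModuleList,   &g_mods[i].InLoadOrderLinks);
        list_append(&g_ldr.InMemoryOrderModuleList, &g_mods[i].InMemoryOrderLinks);
        /* The exe has no entry in the initialization-order list; ntdll is
         * the first module initialised, so that list starts there. */
        if (i > 0)
            list_append(&g_ldr.InInitializationOrderModuleList,
                        &g_mods[i].InInitializationOrderLinks);
    }
    return &g_ldr;
}

/* Advance n nodes from the head along Flink; NULL once we wrap to the head. */
static LIST_ENTRY *nth_node(LIST_ENTRY *head, size_t n) {
    LIST_ENTRY *e = head->Flink;
    for (size_t i = 0; i < n && e != head; i++) e = e->Flink;
    return e == head ? NULL : e;
}

size_t list_count(LIST_ENTRY *head) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

/* Correct resolution: subtract the offset of the LIST_ENTRY that this
 * particular list threads through before reading any module field. */
void *load_nth_base(size_t n) {
    LIST_ENTRY *e = nth_node(&g_ldr.InLoadOrderModuleList, n);
    return e ? CONTAINING_RECORD(e, LDR_MODULE, InLoadOrderLinks)->DllBase : NULL;
}
void *mem_nth_base(size_t n) {
    LIST_ENTRY *e = nth_node(&g_ldr.InMemoryOrderModuleList, n);
    return e ? CONTAINING_RECORD(e, LDR_MODULE, InMemoryOrderLinks)->DllBase : NULL;
}
void *init_nth_base(size_t n) {
    LIST_ENTRY *e = nth_node(&g_ldr.InInitializationOrderModuleList, n);
    return e ? CONTAINING_RECORD(e, LDR_MODULE, InInitializationOrderLinks)->DllBase : NULL;
}
/* Following Blink from the head lands on the last module loaded. */
void *load_last_base(void) {
    LIST_ENTRY *e = g_ldr.InLoadOrderModuleList.Blink;
    return CONTAINING_RECORD(e, LDR_MODULE, InLoadOrderLinks)->DllBase;
}

/* The classic mistake: treating a memory-order node as the start of the
 * LDR_MODULE. Returns how many bytes that pointer is off from the real
 * entry (0 would mean no skew). */
ptrdiff_t mem_order_skew(size_t n) {
    LIST_ENTRY *e = nth_node(&g_ldr.InMemoryOrderModuleList, n);
    if (!e) return 0;
    LDR_MODULE *naive   = (LDR_MODULE *)e;
    LDR_MODULE *correct = CONTAINING_RECORD(e, LDR_MODULE, InMemoryOrderLinks);
    return (char *)naive - (char *)correct;
}

int main(void) {
    build_mock_ldr();
    LIST_ENTRY *head = &g_ldr.InInitializationOrderModuleList;
    printf("init order (%zu entries):\n", list_count(head));
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        LDR_MODULE *m = CONTAINING_RECORD(e, LDR_MODULE, InInitializationOrderLinks);
        printf("  %-14s base=%p\n", m->BaseDllName, m->DllBase);
    }
    printf("memory-order node skew if not adjusted: %td bytes\n", mem_order_skew(0));
    return 0;
}
```

The skew reported is exactly sizeof(LIST_ENTRY) here, because InMemoryOrderLinks is the second field; on a real ntdll layout the same principle holds with that build's offsets, which is why an emulator's mock PEB has to reproduce the field positions shellcode expects rather than just the link order.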



