Peb Module Lists
Author: David Zimmer
Date: 04.16.11 - 2:45pm
Understanding the PEB Loader Data Lists
So for the last couple of days I have been fighting with some code to generate a complete PEB module list data structure for scdbg.
The PEB routines that were already there worked well, but every once in a while I would get a sample which did something weird and grabbed the wrong module from the list.
I ended up making a separate pebBuilder project to dynamically create the PEB_LDR_DATA and LDR_MODULE linked list structures, and let me test them against asm shellcode extracts.
It turned out pretty well. I build a mock PEB in a VirtualAlloc'd section and link all the lists for that VA. I then modify the shellcode extracts so that they get their PEB_LDR_DATA base address from my VirtualAlloc'd memory section.
This way I could build the PEB at an arbitrary offset and still test it with known examples. To run it live in scdbg, I then generated a patch file and loaded it with the -patch option. Worked out pretty slick!
Anyway, on to the point of this post. I didn't really understand the PEB module lists until I had to replicate them... which was not a very fun task with all of those forward and back links and specific load orders.
Since the task kinda sucked, and I couldn't find any docs other than struct listings, I figured I would write a short article on how to navigate the lists and some of the nuances I found along the way.
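To make the mock-PEB idea concrete, here is an added example in portable C (not code from the post or from the pebBuilder/scdbg projects). It builds simplified mirrors of PEB_LDR_DATA and the LDR module entry in one heap block, the way the post builds them in a VirtualAlloc'd section, links the three lists with their forward and back links, and then walks each list the way an emulator's PEB routine has to. Module names, base addresses and the struct layouts are constructed for the example; the real ntdll structures carry more fields and a UNICODE_STRING for the name.

```c
/* Added example: a mock PEB_LDR_DATA with its three module lists, plus
   walkers that recover the module entry from a list link. Layouts are
   simplified mirrors of the Windows structures, not the real definitions. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {                      /* mock PEB_LDR_DATA: the three list heads */
    unsigned long Length;
    unsigned char Initialized;
    void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

typedef struct {                      /* mock LDR module entry */
    LIST_ENTRY InLoadOrderLinks;      /* each list links a DIFFERENT field, so the */
    LIST_ENTRY InMemoryOrderLinks;    /* offset back to the entry depends on which */
    LIST_ENTRY InInitializationOrderLinks; /* list you are walking */
    void *DllBase;
    void *EntryPoint;
    unsigned long SizeOfImage;
    const wchar_t *BaseDllName;       /* constructed: real struct uses UNICODE_STRING */
} LDR_DATA_TABLE_ENTRY;

typedef enum { LIST_LOAD, LIST_MEMORY, LIST_INIT } ldr_list_t;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

/* Append at the tail, fixing both the forward and the back link. */
static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

static LIST_ENTRY *list_head(PEB_LDR_DATA *ldr, ldr_list_t which) {
    switch (which) {
    case LIST_LOAD:   return &ldr->InLoadOrderModuleList;
    case LIST_MEMORY: return &ldr->InMemoryOrderModuleList;
    default:          return &ldr->InInitializationOrderModuleList;
    }
}

static size_t link_offset(ldr_list_t which) {
    switch (which) {
    case LIST_LOAD:   return offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
    case LIST_MEMORY: return offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
    default:          return offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
    }
}

/* CONTAINING_RECORD for the list actually being walked. */
static LDR_DATA_TABLE_ENTRY *entry_of(LIST_ENTRY *link, ldr_list_t which) {
    return (LDR_DATA_TABLE_ENTRY *)((char *)link - link_offset(which));
}

static void add_module(PEB_LDR_DATA *ldr, LDR_DATA_TABLE_ENTRY *m, int in_init_list) {
    list_append(&ldr->InLoadOrderModuleList, &m->InLoadOrderLinks);
    list_append(&ldr->InMemoryOrderModuleList, &m->InMemoryOrderLinks);
    if (in_init_list)
        list_append(&ldr->InInitializationOrderModuleList, &m->InInitializationOrderLinks);
    else
        list_init(&m->InInitializationOrderLinks);   /* unlinked entry points at itself */
}

/* One block, like the VirtualAlloc'd region in the post, so every pointer lands inside it.
   Load/memory order: exe, ntdll, kernel32. Init order: ntdll, kernel32 (no exe). */
PEB_LDR_DATA *build_mock_ldr(void) {
    char *block = calloc(1, sizeof(PEB_LDR_DATA) + 3 * sizeof(LDR_DATA_TABLE_ENTRY));
    if (!block) return NULL;
    PEB_LDR_DATA *ldr = (PEB_LDR_DATA *)block;
    LDR_DATA_TABLE_ENTRY *mods = (LDR_DATA_TABLE_ENTRY *)(block + sizeof(PEB_LDR_DATA));
    ldr->Length = sizeof *ldr;
    ldr->Initialized = 1;
    list_init(&ldr->InLoadOrderModuleList);
    list_init(&ldr->InMemoryOrderModuleList);
    list_init(&ldr->InInitializationOrderModuleList);
    /* constructed sample bases and names */
    mods[0].DllBase = (void *)0x00400000; mods[0].BaseDllName = L"sample.exe";
    mods[1].DllBase = (void *)0x7c900000; mods[1].BaseDllName = L"ntdll.dll";
    mods[2].DllBase = (void *)0x7c800000; mods[2].BaseDllName = L"kernel32.dll";
    add_module(ldr, &mods[0], 0);
    add_module(ldr, &mods[1], 1);
    add_module(ldr, &mods[2], 1);
    return ldr;
}

PEB_LDR_DATA *mock_ldr(void) {        /* shared instance for callers that just want to look */
    static PEB_LDR_DATA *l;
    if (!l) l = build_mock_ldr();
    return l;
}

int ldr_count(PEB_LDR_DATA *ldr, ldr_list_t which) {
    LIST_ENTRY *head = list_head(ldr, which);
    int n = 0;
    for (LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

LDR_DATA_TABLE_ENTRY *ldr_entry_at(PEB_LDR_DATA *ldr, ldr_list_t which, int index) {
    LIST_ENTRY *head = list_head(ldr, which);
    int i = 0;
    for (LIST_ENTRY *p = head->Flink; p != head; p = p->Flink, i++)
        if (i == index) return entry_of(p, which);
    return NULL;
}

LDR_DATA_TABLE_ENTRY *ldr_find(PEB_LDR_DATA *ldr, ldr_list_t which, const wchar_t *name) {
    LIST_ENTRY *head = list_head(ldr, which);
    for (LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        LDR_DATA_TABLE_ENTRY *m = entry_of(p, which);
        if (wcscmp(m->BaseDllName, name) == 0) return m;
    }
    return NULL;
}

/* The check a builder wants: every Flink/Blink pair must agree, head included. */
int ldr_links_consistent(PEB_LDR_DATA *ldr, ldr_list_t which) {
    LIST_ENTRY *head = list_head(ldr, which), *p = head;
    do {
        if (p->Flink->Blink != p || p->Blink->Flink != p) return 0;
        p = p->Flink;
    } while (p != head);
    return 1;
}

int main(void) {
    const char *names[] = { "load", "memory", "init" };
    for (int w = LIST_LOAD; w <= LIST_INIT; w++) {
        printf("%s order:", names[w]);
        for (int i = 0; i < ldr_count(mock_ldr(), (ldr_list_t)w); i++) {
            LDR_DATA_TABLE_ENTRY *m = ldr_entry_at(mock_ldr(), (ldr_list_t)w, i);
            printf(" %ls@%p", m->BaseDllName, m->DllBase);
        }
        printf("\n");
    }
    return 0;
}
```

The point to take from the walkers is that the list you traverse decides the subtraction back to the entry: an InMemoryOrder link sits one LIST_ENTRY past the start of the module entry, so treating it as an InLoadOrder link hands back a pointer into the middle of the previous structure, which is exactly the "wrong module" symptom. ldr_links_consistent is the cheap sanity pass to run after constructing a mock list and before handing it to an emulated sample.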
The pebBuilder project is now a part of the vs_libemu git repository.