Process Environment Block
Process Environment Block
PEB는 프로세스에 대한 정보를 포함하고 있는 구조체입니다.
프로세스 가상 메모리 영역에 존재하며, 다음과 같이 EPROCESS를 통해 PEB 주소 확인이 가능합니다.
1
2
3
19: kd> dt_eprocess
nt!_EPROCESS
+0x550 Peb : Ptr64 _PEB
유저 레벨에서는 Segment Register를 통해 PEB 주소 확인이 가능합니다.
1
2
// x64 architecture
mov rax,gs:[00000060]
1
2
// x86 architecture
mov eax,fs:[00000030]
Windbg에서는 !peb 명령을 통해서도 확인 가능합니다. (프로세스 컨텍스트 전환 필요)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
19: kd> !peb
PEB at 0000004622668000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00007ff71b340000
NtGlobalFlag: 0
NtGlobalFlag2: 0
Ldr 00007ff944436440
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00000176ad004000 . 00000176ad01d960
Ldr.InLoadOrderModuleList: 00000176ad004190 . 00000176ad01d940
Ldr.InMemoryOrderModuleList: 00000176ad0041a0 . 00000176ad01d950
Base TimeStamp Module
7ff71b340000 4cbea0d9 Oct 20 16:57:13 2010 C:\Windows\system32\csrss.exe
7ff9442b0000 518e67bb May 12 00:46:03 2013 C:\Windows\SYSTEM32\ntdll.dll
7ff9415b0000 ebac08d2 Apr 18 08:10:10 2095 C:\Windows\SYSTEM32\CSRSRV.dll
7ff941590000 62e3f734 Jul 30 00:05:24 2022 C:\Windows\system32\basesrv.DLL
7ff941570000 ae377355 Aug 15 21:13:09 2062 C:\Windows\system32\winsrv.DLL
7ff9424f0000 a9f358b9 May 09 12:04:25 2060 C:\Windows\SYSTEM32\kernel32.dll
7ff941790000 03c619d0 Jan 04 04:19:44 1972 C:\Windows\SYSTEM32\kernelbase.dll
7ff941540000 5d8ed6cf Sep 28 12:43:11 2019 C:\Windows\SYSTEM32\winsrvext.dll
7ff941e50000 95cdfd12 Aug 23 13:14:10 2049 C:\Windows\system32\win32u.dll
7ff9429d0000 533dc7aa Apr 04 05:42:18 2014 C:\Windows\system32\GDI32.dll
7ff941bc0000 3544f6a9 Apr 28 06:20:41 1998 C:\Windows\SYSTEM32\gdi32full.dll
7ff9416f0000 8e0806c9 Jul 06 03:04:57 2045 C:\Windows\system32\msvcp_win.dll
7ff9415d0000 10c46e71 Dec 01 06:19:45 1978 C:\Windows\SYSTEM32\ucrtbase.dll
7ff942750000 39c9fa6f Sep 21 21:09:19 2000 C:\Windows\system32\USER32.dll
7ff941530000 7102277e Jan 30 10:23:10 2030 C:\Windows\system32\sxssrv.DLL
7ff941440000 7afbeca6 May 21 12:21:10 2035 C:\Windows\system32\sxs.dll
7ff942130000 dcab4278 Apr 27 00:59:52 2087 C:\Windows\system32\ADVAPI32.dll
7ff9426a0000 657b2709 Dec 15 01:02:17 2023 C:\Windows\system32\msvcrt.dll
7ff941fe0000 9e92f56b Apr 22 09:40:11 2054 C:\Windows\SYSTEM32\sechost.dll
7ff943970000 045b6c12 Apr 26 10:38:26 1972 C:\Windows\system32\RPCRT4.dll
7ff941f40000 5a31de46 Dec 14 11:13:26 2017 C:\Windows\SYSTEM32\bcrypt.dll
7ff941340000 3c0c4b88 Dec 04 13:05:28 2001 C:\Windows\system32\ServicingCommon.dll
7ff941b40000 ee775c51 Oct 11 22:17:05 2096 C:\Windows\SYSTEM32\bcryptPrimitives.dll
SubSystemData: 0000000000000000
ProcessHeap: 00000176aceb0000
ProcessParameters: 00000176ad003670
CurrentDirectory: 'C:\Windows\system32\'
WindowTitle: '< Name not readable >'
ImageFile: 'C:\Windows\system32\csrss.exe'
CommandLine: '%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16'
DllPath: '< Name not readable >'
Environment: 00000176ad002b10
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
NUMBER_OF_PROCESSORS=22
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 170 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=aa04
PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
USERNAME=SYSTEM
windir=C:\Windows
ZES_ENABLE_SYSMAN=1
dt_PEB
Windbg를 통해 확인한 PEB 구조체는 다음과 같습니다.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
19: kd> dt_PEB
nt!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
+0x003 IsPackagedProcess : Pos 4, 1 Bit
+0x003 IsAppContainer : Pos 5, 1 Bit
+0x003 IsProtectedProcessLight : Pos 6, 1 Bit
+0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
+0x004 Padding0 : [4] UChar
+0x008 Mutant : Ptr64 Void
+0x010 ImageBaseAddress : Ptr64 Void
+0x018 Ldr : Ptr64 _PEB_LDR_DATA
+0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData : Ptr64 Void
+0x030 ProcessHeap : Ptr64 Void
+0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
+0x040 AtlThunkSListPtr : Ptr64 _SLIST_HEADER
+0x048 IFEOKey : Ptr64 Void
+0x050 CrossProcessFlags : Uint4B
+0x050 ProcessInJob : Pos 0, 1 Bit
+0x050 ProcessInitializing : Pos 1, 1 Bit
+0x050 ProcessUsingVEH : Pos 2, 1 Bit
+0x050 ProcessUsingVCH : Pos 3, 1 Bit
+0x050 ProcessUsingFTH : Pos 4, 1 Bit
+0x050 ProcessPreviouslyThrottled : Pos 5, 1 Bit
+0x050 ProcessCurrentlyThrottled : Pos 6, 1 Bit
+0x050 ProcessImagesHotPatched : Pos 7, 1 Bit
+0x050 ReservedBits0 : Pos 8, 24 Bits
+0x054 Padding1 : [4] UChar
+0x058 KernelCallbackTable : Ptr64 Void
+0x058 UserSharedInfoPtr : Ptr64 Void
+0x060 SystemReserved : Uint4B
+0x064 AtlThunkSListPtr32 : Uint4B
+0x068 ApiSetMap : Ptr64 Void
+0x070 TlsExpansionCounter : Uint4B
+0x074 Padding2 : [4] UChar
+0x078 TlsBitmap : Ptr64 _RTL_BITMAP
+0x080 TlsBitmapBits : [2] Uint4B
+0x088 ReadOnlySharedMemoryBase : Ptr64 Void
+0x090 SharedData : Ptr64 Void
+0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
+0x0a0 AnsiCodePageData : Ptr64 Void
+0x0a8 OemCodePageData : Ptr64 Void
+0x0b0 UnicodeCaseTableData : Ptr64 Void
+0x0b8 NumberOfProcessors : Uint4B
+0x0bc NtGlobalFlag : Uint4B
+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
+0x0c8 HeapSegmentReserve : Uint8B
+0x0d0 HeapSegmentCommit : Uint8B
+0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
+0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
+0x0e8 NumberOfHeaps : Uint4B
+0x0ec MaximumNumberOfHeaps : Uint4B
+0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
+0x0f8 GdiSharedHandleTable : Ptr64 Void
+0x100 ProcessStarterHelper : Ptr64 Void
+0x108 GdiDCAttributeList : Uint4B
+0x10c Padding3 : [4] UChar
+0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
+0x118 OSMajorVersion : Uint4B
+0x11c OSMinorVersion : Uint4B
+0x120 OSBuildNumber : Uint2B
+0x122 OSCSDVersion : Uint2B
+0x124 OSPlatformId : Uint4B
+0x128 ImageSubsystem : Uint4B
+0x12c ImageSubsystemMajorVersion : Uint4B
+0x130 ImageSubsystemMinorVersion : Uint4B
+0x134 Padding4 : [4] UChar
+0x138 ActiveProcessAffinityMask : Uint8B
+0x140 GdiHandleBuffer : [60] Uint4B
+0x230 PostProcessInitRoutine : Ptr64 void
+0x238 TlsExpansionBitmap : Ptr64 _RTL_BITMAP
+0x240 TlsExpansionBitmapBits : [32] Uint4B
+0x2c0 SessionId : Uint4B
+0x2c4 Padding5 : [4] UChar
+0x2c8 AppCompatFlags : _ULARGE_INTEGER
+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x2d8 pShimData : Ptr64 Void
+0x2e0 AppCompatInfo : Ptr64 Void
+0x2e8 CSDVersion : _UNICODE_STRING
+0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x318 MinimumStackCommit : Uint8B
+0x320 SparePointers : [2] Ptr64 Void
+0x330 PatchLoaderData : Ptr64 Void
+0x338 ChpeV2ProcessInfo : Ptr64 _CHPEV2_PROCESS_INFO
+0x340 AppModelFeatureState : Uint4B
+0x344 SpareUlongs : [2] Uint4B
+0x34c ActiveCodePage : Uint2B
+0x34e OemCodePage : Uint2B
+0x350 UseCaseMapping : Uint2B
+0x352 UnusedNlsField : Uint2B
+0x358 WerRegistrationData : Ptr64 Void
+0x360 WerShipAssertPtr : Ptr64 Void
+0x368 EcCodeBitMap : Ptr64 Void
+0x370 pImageHeaderHash : Ptr64 Void
+0x378 TracingFlags : Uint4B
+0x378 HeapTracingEnabled : Pos 0, 1 Bit
+0x378 CritSecTracingEnabled : Pos 1, 1 Bit
+0x378 LibLoaderTracingEnabled : Pos 2, 1 Bit
+0x378 SpareTracingBits : Pos 3, 29 Bits
+0x37c Padding6 : [4] UChar
+0x380 CsrServerReadOnlySharedMemoryBase : Uint8B
+0x388 TppWorkerpListLock : Uint8B
+0x390 TppWorkerpList : _LIST_ENTRY
+0x3a0 WaitOnAddressHashTable : [128] Ptr64 Void
+0x7a0 TelemetryCoverageHeader : Ptr64 Void
+0x7a8 CloudFileFlags : Uint4B
+0x7ac CloudFileDiagFlags : Uint4B
+0x7b0 PlaceholderCompatibilityMode : Char
+0x7b1 PlaceholderCompatibilityModeReserved : [7] Char
+0x7b8 LeapSecondData : Ptr64 _LEAP_SECOND_DATA
+0x7c0 LeapSecondFlags : Uint4B
+0x7c0 SixtySecondEnabled : Pos 0, 1 Bit
+0x7c0 Reserved : Pos 1, 31 Bits
+0x7c4 NtGlobalFlag2 : Uint4B
+0x7c8 ExtendedFeatureDisableMask : Uint8B
BeingDebugged
디버깅 여부를 나타내는 값입니다. 현재 프로세스가 디버깅 중이라면 true, 아닌 경우 false로 세팅됩니다.
IsDebuggerPresent 함수에서는 해당 값을 참조하여 디버깅 여부를 반환합니다.
1
2
3
4
5
0:019> u KERNELBASE!IsDebuggerPresent
KERNELBASE!IsDebuggerPresent:
00007ffb`cf726800 65488b042560000000 mov rax,qword ptr gs:[60h]
00007ffb`cf726809 0fb64002 movzx eax,byte ptr [rax+2] // PEB.IsDebuggerPresent
00007ffb`cf72680d c3 ret
BitField
IsProtectedProcess
PP(Protected Process)으로 보호 중인 프로세스인 경우 true, 아닌 경우 false로 세팅됩니다.
일부 운영체제 프로세스는 해당 값이 true로 세팅되어 있습니다.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
19: kd> !process 0 0 csrss.exe
PROCESS ffff950546e96140
SessionId: 1 Cid: 055c Peb: 4622668000 ParentCid: 054c
DirBase: 10e0ef000 ObjectTable: ffffc78eca851600 HandleCount: 181.
Image: csrss.exe
19: kd> dt_eprocess ffff950546e96140
ntdll!_EPROCESS
+0x550 Peb : 0x00000046`22668000 _PEB
19: kd> dx -id 0,0,ffff950546e96140 -r1 ((ntdll!_PEB *)0x4622668000)
((ntdll!_PEB *)0x4622668000) : 0x4622668000 [Type: _PEB *]
[+0x003] BitField : 0x46 [Type: unsigned char]
[+0x003 ( 1: 1)] IsProtectedProcess : 0x1 [Type: unsigned char]
[+0x003 ( 6: 6)] IsProtectedProcessLight : 0x1 [Type: unsigned char]
IsProtectedProcessLight
PPL(Protected Process Light)으로 보호 중인 프로세스인 경우 true, 아닌 경우 false로 세팅됩니다.
일부 운영체제 프로세스는 해당 값이 true로 세팅되어 있습니다.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
19: kd> !process 0 0 csrss.exe
PROCESS ffff950546e96140
SessionId: 1 Cid: 055c Peb: 4622668000 ParentCid: 054c
DirBase: 10e0ef000 ObjectTable: ffffc78eca851600 HandleCount: 181.
Image: csrss.exe
19: kd> dt_eprocess ffff950546e96140
ntdll!_EPROCESS
+0x550 Peb : 0x00000046`22668000 _PEB
19: kd> dx -id 0,0,ffff950546e96140 -r1 ((ntdll!_PEB *)0x4622668000)
((ntdll!_PEB *)0x4622668000) : 0x4622668000 [Type: _PEB *]
[+0x003] BitField : 0x46 [Type: unsigned char]
[+0x003 ( 1: 1)] IsProtectedProcess : 0x1 [Type: unsigned char]
[+0x003 ( 6: 6)] IsProtectedProcessLight : 0x1 [Type: unsigned char]
ImageBaseAddress
해당 프로세스의 ImageBase 주소입니다.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
19: kd> !peb
PEB at 0000004622668000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00007ff71b340000
NtGlobalFlag: 0
NtGlobalFlag2: 0
Ldr 00007ff944436440
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00000176ad004000 . 00000176ad01d960
Ldr.InLoadOrderModuleList: 00000176ad004190 . 00000176ad01d940
Ldr.InMemoryOrderModuleList: 00000176ad0041a0 . 00000176ad01d950
Base TimeStamp Module
7ff71b340000 4cbea0d9 Oct 20 16:57:13 2010 C:\Windows\system32\csrss.exe
Ldr
모듈 리스트 정보를 포함하고 있는 LDR에 대한 주소입니다.
1
2
3
4
5
6
7
8
9
10
11
19: kd> dx -id 0,0,ffff950546e96140 -r1 ((ntdll!_PEB_LDR_DATA *)0x7ff944436440)
((ntdll!_PEB_LDR_DATA *)0x7ff944436440) : 0x7ff944436440 [Type: _PEB_LDR_DATA *]
[+0x000] Length : 0x58 [Type: unsigned long]
[+0x004] Initialized : 0x1 [Type: unsigned char]
[+0x008] SsHandle : 0x0 [Type: void *]
[+0x010] InLoadOrderModuleList [Type: _LIST_ENTRY]
[+0x020] InMemoryOrderModuleList [Type: _LIST_ENTRY]
[+0x030] InInitializationOrderModuleList [Type: _LIST_ENTRY]
[+0x040] EntryInProgress : 0x0 [Type: void *]
[+0x048] ShutdownInProgress : 0x0 [Type: unsigned char]
[+0x050] ShutdownThreadId : 0x0 [Type: void *]
ProcessParameters
실행 이미지 경로 및 파라미터를 포함하고 있는 구조체입니다.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
19: kd> dx -id 0,0,ffff950546e96140 -r1 ((ntdll!_RTL_USER_PROCESS_PARAMETERS *)0x176ad003670)
((ntdll!_RTL_USER_PROCESS_PARAMETERS *)0x176ad003670) : 0x176ad003670 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[+0x000] MaximumLength : 0x884 [Type: unsigned long]
[+0x004] Length : 0x884 [Type: unsigned long]
[+0x008] Flags : 0x424001 [Type: unsigned long]
[+0x00c] DebugFlags : 0x0 [Type: unsigned long]
[+0x010] ConsoleHandle : 0x0 [Type: void *]
[+0x018] ConsoleFlags : 0x0 [Type: unsigned long]
[+0x020] StandardInput : 0x0 [Type: void *]
[+0x028] StandardOutput : 0x0 [Type: void *]
[+0x030] StandardError : 0x0 [Type: void *]
[+0x038] CurrentDirectory [Type: _CURDIR]
[+0x050] DllPath : "" [Type: _UNICODE_STRING]
[+0x060] ImagePathName : "C:\Windows\system32\csrss.exe" [Type: _UNICODE_STRING]
[+0x070] CommandLine : "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" [Type: _UNICODE_STRING]
[+0x080] Environment : 0x176ad002b10 [Type: void *]
[+0x088] StartingX : 0x0 [Type: unsigned long]
[+0x08c] StartingY : 0x0 [Type: unsigned long]
[+0x090] CountX : 0x0 [Type: unsigned long]
[+0x094] CountY : 0x0 [Type: unsigned long]
[+0x098] CountCharsX : 0x0 [Type: unsigned long]
[+0x09c] CountCharsY : 0x0 [Type: unsigned long]
[+0x0a0] FillAttribute : 0x0 [Type: unsigned long]
[+0x0a4] WindowFlags : 0x0 [Type: unsigned long]
[+0x0a8] ShowWindowFlags : 0x0 [Type: unsigned long]
[+0x0b0] WindowTitle : "" [Type: _UNICODE_STRING]
[+0x0c0] DesktopInfo : "" [Type: _UNICODE_STRING]
[+0x0d0] ShellInfo : "" [Type: _UNICODE_STRING]
[+0x0e0] RuntimeData : "" [Type: _UNICODE_STRING]
[+0x0f0] CurrentDirectores [Type: _RTL_DRIVE_LETTER_CURDIR [32]]
[+0x3f0] EnvironmentSize : 0x636 [Type: unsigned __int64]
[+0x3f8] EnvironmentVersion : 0x1 [Type: unsigned __int64]
[+0x400] PackageDependencyData : 0x0 [Type: void *]
[+0x408] ProcessGroupId : 0x55c [Type: unsigned long]
[+0x40c] LoaderThreads : 0x0 [Type: unsigned long]
[+0x410] RedirectionDllName : "" [Type: _UNICODE_STRING]
[+0x420] HeapPartitionName : "" [Type: _UNICODE_STRING]
[+0x430] DefaultThreadpoolCpuSetMasks : 0x0 [Type: unsigned __int64 *]
[+0x438] DefaultThreadpoolCpuSetMaskCount : 0x0 [Type: unsigned long]
[+0x43c] DefaultThreadpoolThreadMaximum : 0x0 [Type: unsigned long]
[+0x440] HeapMemoryTypeMask : 0x0 [Type: unsigned long]
ProcessHeap
Default Heap에 대한 주소 값입니다. GetProcessHeap 함수에서는 해당 값을 참조하여 힙 주소를 반환합니다.
1
2
3
4
5
0:019> u KERNELBASE!GetProcessHeap
KERNELBASE!GetProcessHeap:
00007ffb`cf7535e0 65488b042560000000 mov rax,qword ptr gs:[60h]
00007ffb`cf7535e9 488b4030 mov rax,qword ptr [rax+30h] // PEB.ProcessHeap
00007ffb`cf7535ed c3 ret
힙 데이터에서 Flags, ForceFlags라는 멤버는 디버깅 중인 경우에 0x40000060이 추가로 세팅됩니다.
이를 활용하여 디버깅 행위를 탐지할 수 있습니다.
(디버거로 실행된 케이스만 탐지 가능하며, 실행 중인 프로세스를 Attach한 경우 해당되지 않음)
1
2
3
4
5
6
7
8
9
10
11
// 디버거를 통해 실행된 경우
0:000> dt_heap 0x720000
ntdll!_HEAP
+0x040 Flags : 0x40000062
+0x044 ForceFlags : 0x40000060
// 실행 중인 프로세스를 Attach한 경우
0:009> dt_heap 0x005d0000
ntdll!_HEAP
+0x040 Flags : 2
+0x044 ForceFlags : 0
추가로 세팅되는 값은 다음과 같이 정의됩니다.
| Symbolic Name | Hexadecimal Value |
|---|---|
| HEAP_TAIL_CHECKING_ENABLED | 0x20 |
| HEAP_FREE_CHECKING_ENABLED | 0x40 |
| HEAP_VALIDATE_PARAMETERS_ENABLED | 0x40000000 |
CrossProcessFlags
ProcessUsingVEH
VEH(Vectored Exception Handler)가 사용 중이면 true, 아닌 경우 false로 세팅됩니다.
해당 값은 VEH 관련 함수 내부에서 참조되는 것으로 보입니다.
ProcessUsingVCH
VCH(Vectored Continue Handler)가 사용 중이면 true, 아닌 경우 false로 세팅됩니다.
해당 값은 VCH 관련 함수 내부에서 참조되는 것으로 보입니다.
KernelCallbackTable
USER32.dll를 참조하는 콜백 함수 테이블입니다. 해당 테이블을 하이재킹하여 Code Injection하는 기법이 존재합니다.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
19: kd> dqs 0x7ff9427e6000
00007ff9`427e6000 00007ff9`4275dff0 USER32!_fnCOPYDATA
00007ff9`427e6008 00007ff9`427dd4f0 USER32!_fnCOPYGLOBALDATA
00007ff9`427e6010 00007ff9`42773090 USER32!_fnDWORD
00007ff9`427e6018 00007ff9`42776b70 USER32!_fnNCDESTROY
00007ff9`427e6020 00007ff9`42753830 USER32!_fnDWORDOPTINLPMSG
00007ff9`427e6028 00007ff9`427de230 USER32!_fnINOUTDRAG
00007ff9`427e6030 00007ff9`42752630 USER32!_fnGETTEXTLENGTHS
00007ff9`427e6038 00007ff9`427ddb50 USER32!_fnINCNTOUTSTRING
00007ff9`427e6040 00007ff9`427ddc20 USER32!_fnINCNTOUTSTRINGNULL
00007ff9`427e6048 00007ff9`427ddd50 USER32!_fnINLPCOMPAREITEMSTRUCT
00007ff9`427e6050 00007ff9`42775220 USER32!__fnINLPCREATESTRUCT
00007ff9`427e6058 00007ff9`427dddc0 USER32!_fnINLPDELETEITEMSTRUCT
00007ff9`427e6060 00007ff9`42784c00 USER32!_fnINLPDRAWITEMSTRUCT
00007ff9`427e6068 00007ff9`427dde30 USER32!_fnINLPHELPINFOSTRUCT
00007ff9`427e6070 00007ff9`427ddeb0 USER32!_fnINLPHLPSTRUCT
00007ff9`427e6078 00007ff9`427ddfd0 USER32!_fnINLPMDICREATESTRUCT
NtGlobalFlag
GFlags는 고급 디버깅, 진단 및 문제 해결 기능을 관리하는 플래그 값 입니다.
1
GFlags, the Global Flags Editor, enables and disables advanced debugging, diagnostic, and troubleshooting features. It's most often used to turn on indicators that other tools track, count, and log.
프로세스가 디버거를 통해 실행된 상태면 해당 값은 0x70으로 세팅됩니다. 해당 값을 비교하면 디버깅을 탐지할 수 있습니다.
(실행 중인 프로세스를 Attach한 케이스는 0x00으로 세팅됨)
| Symbolic Name | Hexadecimal Value | Description |
|---|---|---|
| FLG_HEAP_ENABLE_TAIL_CHECK | 0x10 | Enable heap tail checking |
| FLG_HEAP_ENABLE_FREE_CHECK | 0x20 | Enable heap free checking |
| FLG_HEAP_VALIDATE_PARAMETERS | 0x40 | Enable heap parameter checking |
ProcessHeaps
Default Heap를 포함한 프로세스 내 모든 힙 주소를 나타냅니다.
배열 구조로 이루어져 있으며, NumberOfHeaps는 할당된 힙의 개수입니다.
1
2
3
4
5
6
7
8
9
10
19: kd> dx -id 0,0,ffff950546e96140 -r1 ((ntdll!_PEB *)0x4622668000)
((ntdll!_PEB *)0x4622668000) : 0x4622668000 [Type: _PEB *]
[+0x0e8] NumberOfHeaps : 0x3 [Type: unsigned long]
[+0x0ec] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[+0x0f0] ProcessHeaps : 0x7ff9444350c0 [Type: void * *]
19: kd> dqs 0x7ff9444350c0
00007ff9`444350c0 00000176`aceb0000 // default heap (PEB.ProcessHeap)
00007ff9`444350c8 00007df4`8cf60000
00007ff9`444350d0 00000176`aeab0000
References
This post is licensed under CC BY 4.0 by the author.