Skip to main content

Deep Dive to Windows, Part 3 (Extension)



This is the extension of part 3. I'd like to explain few things in details. 
In part 3 we started discussion on PEB_LDR_DATA structure. The more details 
on it can be referenced in following MSDN article:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708%28v=vs.85%29.aspx

As per MSDN, the structure looks like below: 
typedef struct _PEB_LDR_DATA {
  BYTE       Reserved1[8];
  PVOID      Reserved2[3];
  LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
 
The highlighted part according to MSDN, "The head of a doubly-linked list that 
contains the loaded modules for the process. Each item in the list is a pointer 
to an LDR_DATA_TABLE_ENTRY structure."
 
The data type is LIST_ENTRY. According to MSDN, the structure is like below:

typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;
   struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
 
Let's see what WinDbg says about it.
Executed following command in WinDbg:
 
0:000> dt nt!_LIST_ENTRY
ntdll!_LIST_ENTRY
   +0x000 Flink            : Ptr32 _LIST_ENTRY
   +0x004 Blink            : Ptr32 _LIST_ENTRY
 
So, it's a doubly link list. Let's see what items they are pointing to. 
To know that, executed following commands: 

a) 0:000> !peb
    PEB at 7efde000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr                       77c80200
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00883288 . 00884308
    Ldr.InLoadOrderModuleList:           008831e8 . 00884018
    Ldr.InMemoryOrderModuleList:         008831f0 . 00884020

b) 0:000> dt nt!_PEB_LDR_DATA 77c80200
   ntdll!_PEB_LDR_DATA
   +0x000 Length           : 0x30
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null) 
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x8831e8 - 0x884018 ]
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x8831f0 - 0x884020 ]
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x883288 - 0x884308 ]
   +0x024 EntryInProgress  : (null) 
   +0x028 ShutdownInProgress : 0 ''
   +0x02c ShutdownThreadId : (null) 

c) 0:000> dt nt!_PEB_LDR_DATA 77c80200 InInitializationOrderModuleList.Flink /r1
   ntdll!_PEB_LDR_DATA
   +0x01c InInitializationOrderModuleList    :  [ 0x883288 - 0x884308 ]
   +0x000 Flink                              : 0x00883288 _LIST_ENTRY [ 0x883720 - 0x77c8021c ]






d) 0:000> lm
start    end        module name
00400000 0041c000   Sample_Hello   (deferred)             
65140000 65261000   MSVCR80D   (deferred)             
65270000 6536e000   MSVCP80D   (deferred)             
75a10000 75b20000   kernel32   (deferred)             
75bf0000 75c37000   KERNELBASE   (deferred)             
76b10000 76bbc000   msvcrt     (deferred)             
77b80000 77d00000   ntdll      (pdb symbols)

Now Expanding Flink gives following results (matches with start 
address of respective module displayed by lm):
0:000> dd 00883288
00883288  00883720 77c8021c 77b80000 00000000 77b80000 ==> ntdll
00883298  00180000 003c003a 00883308 00140012
008832a8  77bc5b74 00004004 0000ffff 77c848c0
008832b8  77c848c0 4ec49b8f 00000000 00000000
008832c8  008832c8 008832c8 008832d0 008832d0
008832d8  008832d8 008832d8 00000000 7de70000
008832e8  00000000 00000000 abababab abababab
008832f8  00000000 00000000 7fbbcb78 1c00fea9

0:000> dd 00883720 
00883720  00883608 00883288 75bf0000 75bf74b1 75bf0000 ==> KERNELBASE
00883730  00047000 00460044 008836b0 001e001c
00883740  008836d8 00084004 0000ffff 77c848d0
00883750  77c848d0 506dbe50 00000000 00000000
00883760  00883760 00883760 00883768 00883768
00883770  008837a0 008837a0 77bbc960 7d850000
00883780  2f96faba 01cde9d0 abababab abababab
00883790  00000000 00000000 71bbcb76 1800fea9

0:000> dd 00883608 
00883608  00884028 00883720 75a10000 75a232b3 75a10000 ==> kernel32
00883618  00110000 00420040 00883598 001a0018
00883628  008835c0 00084004 0000ffff 77c84880
00883638  77c84880 506dbe4f 00000000 00000000
00883648  00883648 00883648 00883650 00883650
00883658  008837c8 00883688 77bbc960 7dd60000
00883668  2f8b13d9 01cde9d0 abababab abababab
00883678  00000000 00000000 71bbcb76 1800fea9

0:000> dd 00884028
00884028  00884498 00883608 76b10000 76b1a472 76b10000 ==> msvcrt
00884038  000ac000 003e003c 00883fc0 00160014
00884048  00883fe8 00000004 0000ffff 77c848b8
00884058  77c848b8 4eeaf722 00000000 00000000
00884068  00884068 00884068 00884070 00884070
00884078  008840f8 008840a8 77bbc960 6ff50000
00884088  300b9e28 01cde9d0 abababab abababab
00884098  00000000 00000000 71bbcb76 1800fea9

0:000> dd 00884498
00884498  00884308 00884028 65140000 65142f90 65140000 ==> MSVCR80D
008844a8  00121000 00e200e0 00884388 001a0018
008844b8  00884450 10000004 0000ffff 77c848f8
008844c8  77c848f8 4dcddbed 00000000 00000000
008844d8  008844d8 008844d8 008844e0 008844e0
008844e8  00884148 00884120 77bbc944 10200000
008844f8  300b9e28 01cde9d0 abababab abababab
00884508  00000000 00000000 71bbcb76 1800fea9

0:000> dd 00884308 
00884308  77c8021c 00884498 65270000 652f1450 65270000 ==> MSVCP80D
00884318  000fe000 00e200e0 008841f8 001a0018
00884328  008842c0 10000004 0000ffff 77c84808
00884338  77c84808 4dcddc5b 00000000 00000000
00884348  00884348 00884348 00884350 00884350
00884358  00884198 00884170 77bbc944 10480000
00884368  2fd73fe2 01cde9d0 abababab abababab
00884378  00000000 00000000 54bbcb53 1e00fea9

0:000> dd 77c8021c 
77c8021c  00883288 00884308 00000000 00000000 00000000 ==> No module
77c8022c  00000000 00000000 00000000 00000000
77c8023c  00000000 00000000 00000000 00000000
77c8024c  00000000 00000000 00000000 00000000
77c8025c  00000000 00000000 00000000 00000000
77c8026c  00000000 00000000 00000000 00000000
77c8027c  00000000 00000000 00000000 00000000
77c8028c  00000000 00000000 00000000 00000000

More to follow

Happy debugging

Comments

Popular posts from this blog

Reversing char array without splitting the array to tokens

 I was reading about strdup, a C++ function and suddenly an idea came to my mind if this can be leveraged to aid in reversing a character array without splitting the array into words and reconstructing it again by placing spaces and removing trailing spaces. Again, I wanted an array to be passed as a function argument and an array size to be passed implicitly with the array to the function. Assumed, a well-formed char array has been passed into the function. No malformed array checking is done inside the function. So, the function signature and definition are like below: Below is the call from the client code to reverse the array without splitting tokens and reconstructing it. Finally, copy the reversed array to the destination.  For GNU C++, we should use strdup instead _strdup . On run, we get the following output: Demo code

A simple approach to generate Fibonacci series via multi-threading

T his is a very simple approach taken to generate the Fibonacci series through multithreading. Here instead of a function, used a function object. The code is very simple and self-explanatory.  #include <iostream> #include <mutex> #include <thread> class Fib { public:     Fib() : _num0(1), _num1(1) {}     unsigned long operator()(); private:     unsigned long _num0, _num1;     std::mutex mu; }; unsigned long Fib::operator()() {     mu.lock(); // critical section, exclusive access to the below code by locking the mutex     unsigned long  temp = _num0;     _num0 = _num1;     _num1 = temp + _num0;     mu.unlock();     return temp; } int main() {     Fib f;          int i = 0;     unsigned long res = 0, res2= 0, res3 = 0;     std::cout << "Fibonacci series: ";     while (i <= 15) {         std::thread t1([&] { res = f(); }); // Capturing result to respective variable via lambda         std::thread t2([&] { res2 = f(); });         std::thread t3(

Close a Window Application from another application.

 This is just a demo application code to show how the WM_CLOSE message can be sent to the target process which has a titled window to close the application. To achieve this, either we can use SendMessage or PostMessage APIs to send required Windows messages to the target application. Though both the APIs are dispatching WM_XXXXX message to target application two APIs has some differences, these are as below: 1. SendMessage () call is a blocking call but PostMessage is a non-blocking call(Asynchronous) 2. SendMessage() APIs return type is LRESULT (LONG_PTR) but PostMessage() APIs return type is BOOL(typedef int). In Short, SendMessage () APIs return type depends on what message has been sent to the Windowed target process. For the other one, it's always a non-zero value, which indicates the message has been successfully placed on the target process message queue. Now let's see how can I close a target windowed application "Solitaire & Casual Games" from my custom-