从PEB遍历进程所有模块 (Enumerating every module of a process by walking the PEB loader lists)

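/*
 * Walk the current process's loaded-module list directly from the PEB
 * (Process Environment Block) without calling any Win32 enumeration API.
 *
 * Build assumptions (not checked by the compiler):
 *   - 32-bit MSVC build. `fs:[0x30]` is the PEB pointer in the x86 TEB and
 *     `_asm { }` is MSVC-only. On x64 the PEB is at gs:[0x60] and every
 *     offset below changes; prefer the __readfsdword / __readgsqword
 *     intrinsics over inline asm there.
 *   - <windows.h> and <stdio.h> are included earlier in the file. The
 *     PEB / PEB_LDR_DATA / LDR_MODULE / UNICODE_STRING definitions below are
 *     local; if <winternl.h> is included as well, its own typedefs of the
 *     same names collide with these -- use one set or the other.
 *
 * Security notes for readers of this technique:
 *   - These structures are undocumented and their layouts have changed
 *     between Windows versions. The offsets in the comments are the ones
 *     this listing was written against; confirm them with
 *     `dt nt!_PEB` / `dt nt!_LDR_DATA_TABLE_ENTRY` in WinDbg before relying
 *     on them in anything that matters.
 *   - This is the same walk position-independent shellcode uses to find
 *     kernel32/ntdll without an import table. Conversely, a module that has
 *     been unlinked from these lists (a common hiding trick) will simply not
 *     appear here, so defensive code must not treat the lists as
 *     authoritative.
 *
 * Fixes relative to the original listing:
 *   - every format string used "/n" (a literal slash and n) instead of "\n",
 *     so nothing was ever line-broken; pointers were printed with %x.
 *   - loop termination now compares against the list head (the sentinel
 *     embedded in PEB_LDR_DATA) instead of the first entry's address.
 *   - UNICODE_STRING buffers are printed bounded by Length rather than
 *     assumed NUL-terminated.
 *   - system("pause") (spawns cmd.exe) replaced by getchar().
 */

/* fs:[0x30] -> _PEB on x86.  Size: 0x1D8. */
typedef struct _PEB {
    UCHAR InheritedAddressSpace;                            /* 000h */
    UCHAR ReadImageFileExecOptions;                         /* 001h */
    UCHAR BeingDebugged;                                    /* 002h  set while a debugger is attached */
    UCHAR SpareBool;                                        /* 003h */
    HANDLE Mutant;                                          /* 004h */
    HINSTANCE ImageBaseAddress;                             /* 008h  base address of the main image */
    struct _PEB_LDR_DATA *Ldr;                              /* 00Ch  Ptr32 _PEB_LDR_DATA */
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; /* 010h */
    ULONG SubSystemData;                                    /* 014h */
    HANDLE DefaultHeap;                                     /* 018h */
    PVOID FastPebLock;                                      /* 01Ch  KSPIN_LOCK in the original (4 bytes on x86; not a user-mode type) */
    ULONG FastPebLockRoutine;                               /* 020h */
    ULONG FastPebUnlockRoutine;                             /* 024h */
    ULONG EnvironmentUpdateCount;                           /* 028h */
    ULONG KernelCallbackTable;                              /* 02Ch */
    LARGE_INTEGER SystemReserved;                           /* 030h */
    struct _PEB_FREE_BLOCK *FreeList;                       /* 038h */
    ULONG TlsExpansionCounter;                              /* 03Ch */
    ULONG TlsBitmap;                                        /* 040h */
    ULONG TlsBitmapBits[2];                                 /* 044h  8 bytes; declared as ULONG[2], not LARGE_INTEGER,
                                                                      because LARGE_INTEGER's 8-byte alignment would
                                                                      pad this field to 048h and shift everything after it */
    ULONG ReadOnlySharedMemoryBase;                         /* 04Ch */
    ULONG ReadOnlySharedMemoryHeap;                         /* 050h */
    ULONG ReadOnlyStaticServerData;                         /* 054h */
    ULONG AnsiCodePageData;                                 /* 058h */
    ULONG OemCodePageData;                                  /* 05Ch */
    ULONG UnicodeCaseTableData;                             /* 060h */
    ULONG NumberOfProcessors;                               /* 064h */
    LARGE_INTEGER NtGlobalFlag;                             /* 068h  address of a local copy */
    LARGE_INTEGER CriticalSectionTimeout;                   /* 070h */
    ULONG HeapSegmentReserve;                               /* 078h */
    ULONG HeapSegmentCommit;                                /* 07Ch */
    ULONG HeapDeCommitTotalFreeThreshold;                   /* 080h */
    ULONG HeapDeCommitFreeBlockThreshold;                   /* 084h */
    ULONG NumberOfHeaps;                                    /* 088h */
    ULONG MaximumNumberOfHeaps;                             /* 08Ch */
    ULONG ProcessHeaps;                                     /* 090h */
    ULONG GdiSharedHandleTable;                             /* 094h */
    ULONG ProcessStarterHelper;                             /* 098h */
    ULONG GdiDCAttributeList;                               /* 09Ch */
    PVOID LoaderLock;                                       /* 0A0h  KSPIN_LOCK in the original (see FastPebLock) */
    ULONG OSMajorVersion;                                   /* 0A4h */
    ULONG OSMinorVersion;                                   /* 0A8h */
    USHORT OSBuildNumber;                                   /* 0ACh */
    USHORT OSCSDVersion;                                    /* 0AEh */
    ULONG OSPlatformId;                                     /* 0B0h */
    ULONG ImageSubsystem;                                   /* 0B4h */
    ULONG ImageSubsystemMajorVersion;                       /* 0B8h */
    ULONG ImageSubsystemMinorVersion;                       /* 0BCh */
    ULONG ImageProcessAffinityMask;                         /* 0C0h */
    ULONG GdiHandleBuffer[0x22];                            /* 0C4h */
    ULONG PostProcessInitRoutine;                           /* 14Ch */
    ULONG TlsExpansionBitmap;                               /* 150h */
    UCHAR TlsExpansionBitmapBits[0x80];                     /* 154h */
    ULONG SessionId;                                        /* 1D4h */
} PEB, *PPEB;

/*
 * LIST_ENTRY comes from <winnt.h>: Flink (next) at +0, Blink (previous) at +4.
 * The original listing declared the members as { pPre, pNext }, which is the
 * wrong order -- the walking code reads Flink at +0 and Blink at +4.  Each
 * link points at the LIST_ENTRY embedded in the neighbouring LDR_MODULE, or
 * at the list head embedded in PEB_LDR_DATA (the sentinel).
 */

/* PEB->Ldr (PEB+0Ch) -> _PEB_LDR_DATA */
typedef struct _PEB_LDR_DATA {
    ULONG Length;                                 /* 00h */
    BOOLEAN Initialized;                          /* 04h */
    PVOID SsHandle;                               /* 08h */
    LIST_ENTRY InLoadOrderModuleList;             /* 0Ch  Flink 0Ch, Blink 10h */
    LIST_ENTRY InMemoryOrderModuleList;           /* 14h  Flink 14h, Blink 18h */
    LIST_ENTRY InInitializationOrderModuleList;   /* 1Ch  Flink 1Ch, Blink 20h */
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/* Counted UTF-16 string; Length is in BYTES and Buffer need not be NUL-terminated. */
typedef struct _UNICODE_STRING {
    USHORT Length;                                /* 00h */
    USHORT MaximumLength;                         /* 02h */
    PWSTR Buffer;                                 /* 04h */
} UNICODE_STRING, *PUNICODE_STRING;

/* One loader entry per module. Size 48h. */
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;             /* 00h  offset 0: link pointer == module pointer */
    LIST_ENTRY InMemoryOrderModuleList;           /* 08h */
    LIST_ENTRY InInitializationOrderModuleList;   /* 10h */
    PVOID BaseAddress;                            /* 18h */
    PVOID EntryPoint;                             /* 1Ch */
    ULONG SizeOfImage;                            /* 20h */
    UNICODE_STRING FullDllName;                   /* 24h  (the original listing's "28h" is the Buffer member) */
    UNICODE_STRING BaseDllName;                   /* 2Ch  (the original listing's "30h" is the Buffer member) */
    ULONG Flags;                                  /* 34h */
    SHORT LoadCount;                              /* 38h */
    SHORT TlsIndex;                               /* 3Ah */
    HANDLE SectionHandle;                         /* 3Ch */
    ULONG CheckSum;                               /* 40h */
    ULONG TimeDateStamp;                          /* 44h */
} LDR_MODULE, *PLDR_MODULE;

/* Print a UNICODE_STRING bounded by its Length; tolerates a NULL Buffer. */
static void print_unicode_string(const char *label, const UNICODE_STRING *s)
{
    const wchar_t *buf = (s->Buffer != NULL) ? s->Buffer : L"";
    int chars = (s->Buffer != NULL) ? (int)(s->Length / sizeof(wchar_t)) : 0;
    printf("%s: %.*ls\n", label, chars, buf);
}

/*
 * Entry point: dump every module on the PEB's InLoadOrderModuleList.
 * Returns 0 on success, 1 if PEB->Ldr is NULL.  Output goes to stdout; the
 * trailing getchar() only keeps a console window open when launched from an
 * IDE.
 */
int main(int argc, char *argv[])
{
    PPEB peb = NULL;
    PPEB_LDR_DATA ldr;
    LIST_ENTRY *head;
    LIST_ENTRY *entry;

    (void)argc;
    (void)argv;

    /* x86 TEB: fs:[0x30] is the PEB pointer.  MSVC inline asm, 32-bit only. */
    _asm {
        mov eax, dword ptr fs:[0x30]
        mov peb, eax
    }
    printf("PEB Addr: %p\n", (void *)peb);

    ldr = peb->Ldr;                                 /* PEB+0Ch */
    if (ldr == NULL) {
        /* Not expected once main() is running, but the PEB is undocumented:
           fail loudly rather than dereference NULL. */
        fprintf(stderr, "PEB->Ldr is NULL\n");
        return 1;
    }
    printf("PEB_LDR_DATA Addr: %p\n", (void *)ldr);

    /*
     * Walk InLoadOrderModuleList (PEB_LDR_DATA+0Ch).  It is the only one of
     * the three lists whose LIST_ENTRY sits at offset 0 of LDR_MODULE, so a
     * link pointer can be cast straight to PLDR_MODULE.  To walk
     * InMemoryOrderModuleList or InInitializationOrderModuleList instead,
     * the link pointer must first be rebased by the link's offset inside
     * LDR_MODULE (08h / 10h) -- use CONTAINING_RECORD -- before any field is
     * read.  The original "just change the offset here" advice skipped that
     * step and would silently misread every field on those two lists.
     */
    head = &ldr->InLoadOrderModuleList;
    printf("Flink: %p\n", (void *)head->Flink);
    printf("Blink: %p\n\n", (void *)head->Blink);

    /* The list is circular; the sentinel is the head inside PEB_LDR_DATA,
       which is NOT an LDR_MODULE and must never be read as one. */
    for (entry = head->Flink; entry != NULL && entry != head; entry = entry->Flink) {
        PLDR_MODULE mod = (PLDR_MODULE)entry;       /* valid only because the link is at offset 0 */

        printf("LDR_MODULE Addr: %p\n", (void *)mod);
        printf("Flink: %p\n", (void *)mod->InLoadOrderModuleList.Flink);
        printf("Blink: %p\n", (void *)mod->InLoadOrderModuleList.Blink);
        printf("BaseAddress: %p\n", mod->BaseAddress);
        printf("EntryPoint: %p\n", mod->EntryPoint);
        printf("SizeOfImage: %lx\n", mod->SizeOfImage);
        print_unicode_string("FullDllName", &mod->FullDllName);
        print_unicode_string("BaseDllName", &mod->BaseDllName);
        printf("Flink Addr %p\n\n", (void *)mod->InLoadOrderModuleList.Flink);
    }

    /* getchar() instead of system("pause"): no cmd.exe spawn just to wait. */
    puts("Press Enter to exit.");
    (void)getchar();
    return 0;
}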
