PEB及PEB_LDR_DATA结构

PEB结构如下：（比MSDN上详细多了http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx）

这个进程环境块就不罗嗦了，直接贴代码。

 typedef struct _PEB { // Size: 0x1D8
 /*000*/ UCHAR InheritedAddressSpace;
 /*001*/ UCHAR ReadImageFileExecOptions;
 /*002*/ UCHAR BeingDebugged;
 /*003*/ UCHAR SpareBool; // Allocation size
 /*004*/ HANDLE Mutant;
 /*008*/ HINSTANCE ImageBaseAddress; // Instance
 /*00C*/ VOID *DllList;
 /*010*/ PPROCESS_PARAMETERS *ProcessParameters;
 /*014*/ ULONG SubSystemData;
 /*018*/ HANDLE DefaultHeap;
 /*01C*/ KSPIN_LOCK FastPebLock;
 /*020*/ ULONG FastPebLockRoutine;
 /*024*/ ULONG FastPebUnlockRoutine;
 /*028*/ ULONG EnvironmentUpdateCount;
 /*02C*/ ULONG KernelCallbackTable;
 /*030*/ LARGE_INTEGER SystemReserved;
 /*038*/ ULONG FreeList;
 /*03C*/ ULONG TlsExpansionCounter;
 /*040*/ ULONG TlsBitmap;
 /*044*/ LARGE_INTEGER TlsBitmapBits;
 /*04C*/ ULONG ReadOnlySharedMemoryBase;
 /*050*/ ULONG ReadOnlySharedMemoryHeap;
 /*054*/ ULONG ReadOnlyStaticServerData;
 /*058*/ ULONG AnsiCodePageData;
 /*05C*/ ULONG OemCodePageData;
 /*060*/ ULONG UnicodeCaseTableData;
 /*064*/ ULONG NumberOfProcessors;
 /*068*/ LARGE_INTEGER NtGlobalFlag; // Address of a local copy
 /*070*/ LARGE_INTEGER CriticalSectionTimeout;
 /*078*/ ULONG HeapSegmentReserve;
 /*07C*/ ULONG HeapSegmentCommit;
 /*080*/ ULONG HeapDeCommitTotalFreeThreshold;
 /*084*/ ULONG HeapDeCommitFreeBlockThreshold;
 /*088*/ ULONG NumberOfHeaps;
 /*08C*/ ULONG MaximumNumberOfHeaps;
 /*090*/ ULONG ProcessHeaps;
 /*094*/ ULONG GdiSharedHandleTable;
 /*098*/ ULONG ProcessStarterHelper;
 /*09C*/ ULONG GdiDCAttributeList;
 /*0A0*/ KSPIN_LOCK LoaderLock;
 /*0A4*/ ULONG OSMajorVersion;
 /*0A8*/ ULONG OSMinorVersion;
 /*0AC*/ USHORT OSBuildNumber;
 /*0AE*/ USHORT OSCSDVersion;
 /*0B0*/ ULONG OSPlatformId;
 /*0B4*/ ULONG ImageSubsystem;
 /*0B8*/ ULONG ImageSubsystemMajorVersion;
 /*0BC*/ ULONG ImageSubsystemMinorVersion;
 /*0C0*/ ULONG ImageProcessAffinityMask;
 /*0C4*/ ULONG GdiHandleBuffer[0x22];
 /*14C*/ ULONG PostProcessInitRoutine;
 /*150*/ ULONG TlsExpansionBitmap;
 /*154*/ UCHAR TlsExpansionBitmapBits[0x80];
 /*1D4*/ ULONG SessionId;
 } PEB, *PPEB;

PEB_LDR_DATA结构：（MSDN再次保留了，http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708(v=vs.85).aspx）

这个结构记录着进程加载的模块的信息，MSDN上指出该结构在未来的Windows版本可能更改。

 typedef struct _PEB_LDR_DATA
 {
 　ULONG Length; // +0x00
 　BOOLEAN Initialized; // +0x04
 　PVOID SsHandle; // +0x08
 　LIST_ENTRY InLoadOrderModuleList; // +0x0c
 　LIST_ENTRY InMemoryOrderModuleList; // +0x14
 　LIST_ENTRY InInitializationOrderModuleList;// +0x1c
 } PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24