An Inquiry into the Internal Data Structures of Windows NT/2000
Webcrazy
(tsu00@263.net)
Note: this article was first published at
www.nsfocus.com
The Windows system contains many hidden internal data structures that record all the important information about the system: threads, processes, kernel calls and so on. For example, among the symbols exported by the kernel (which you can list with Dependency Walker, the tool that ships with Visual Studio) are NtBuildNumber and KeServiceDescriptorTable. The former holds the current Windows build number (in SoftICE the DW command shows 0893h on my machine); the latter is a pointer to the following data structure:
typedef struct _ServiceDescriptorEntry {
    unsigned int  *ServiceTableBase;
    unsigned int  *ServiceCounterTableBase;
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry;
A typical application of this structure is Regmon by Mark Russinovich and Bryce Cogswell; see
www.sysinternals.com.
This article only covers the TEB (Thread Environment Block) of Windows 2000 Server (Build 2195) on Intel i386.
In the Windows 9x series the TEB is called the TIB (Thread Information Block). It records the important information about a thread, and each thread has its own TEB. Its layout is as follows (from Matt Pietrek's Under the Hood column, MSJ 1996):
typedef struct _TIB
{
    PEXCEPTION_REGISTRATION_RECORD pvExcept;  // 00h Head of exception record list
    PVOID   pvStackUserTop;                   // 04h Top of user stack
    PVOID   pvStackUserBase;                  // 08h Base of user stack
    union                                     // 0Ch (NT/Win95 differences)
    {
        struct  // Win95 fields
        {
            WORD    pvTDB;                    // 0Ch TDB
            WORD    pvThunkSS;                // 0Eh SS selector used for thunking to 16 bits
            DWORD   unknown1;                 // 10h
        } WIN95;
        struct  // WinNT fields
        {
            PVOID   SubSystemTib;             // 0Ch
            ULONG   FiberData;                // 10h
        } WINNT;
    } TIB_UNION1;
    PVOID   pvArbitrary;                      // 14h Available for application use
    struct _TIB *ptibSelf;                    // 18h Linear address of TIB structure
    union                                     // 1Ch (NT/Win95 differences)
    {
        struct  // Win95 fields
        {
            WORD    TIBFlags;                 // 1Ch
            WORD    Win16MutexCount;          // 1Eh
            DWORD   DebugContext;             // 20h
            DWORD   pCurrentPriority;         // 24h
            DWORD   pvQueue;                  // 28h Message queue selector
        } WIN95;
        struct  // WinNT fields
        {
            DWORD   unknown1;                 // 1Ch
            DWORD   processID;                // 20h
            DWORD   threadID;                 // 24h
            DWORD   unknown2;                 // 28h
        } WINNT;
    } TIB_UNION2;
    PVOID  *pvTLSArray;                       // 2Ch Thread Local Storage array
    union                                     // 30h (NT/Win95 differences)
    {
        struct  // Win95 fields
        {
            PVOID  *pProcess;                 // 30h Pointer to owning process database
        } WIN95;
    } TIB_UNION3;
} TIB, *PTIB;
In the Windows 2000 DDK it is defined as:
typedef struct _NT_TIB
{
    struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID SubSystemTib;
    union {
        PVOID FiberData;
        ULONG Version;
    };
    PVOID ArbitraryUserPointer;
    struct _NT_TIB *Self;
} NT_TIB;
Fortunately, Windows makes this structure available to the process. When a thread is created, the operating system allocates a TEB for it, and the FS segment selector (on i386) always points to the TEB of the currently running thread (on a single-CPU machine only one thread is executing at any moment), which gives us a way to reach the TEB data. In fact, Windows itself uses this method to provide information to your application; let us look at an example. Everyone knows that the GetCurrentThreadId API returns the current thread ID; kernel32.dll implements it as follows:
GetCurrentThreadId:
    mov eax, fs:[00000018h]   ; 18h  linear address of the TIB structure (the TIB self pointer)
    mov eax, [eax+24h]        ; 24h  threadID
    ret                       ; return the value in EAX to the caller
Because the TEB structure is large, I will only discuss the field at offset 0, struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList, and explain it in combination with the CIH 1.3 source code. ExceptionList is used for SEH (Structured Exception Handling). If you are new to __try, __except and __finally in C, I recommend reading Advanced Windows NT by Jeffrey Richter or a similar book.
Let us look at the _EXCEPTION_REGISTRATION structure first; in the CRT (C Runtime Library) source code it is defined as follows:
; exsup.inc --- Microsoft Visual C CRT source file
_EXCEPTION_REGISTRATION STRUC
    prev    dd ?
    handler dd ?
_EXCEPTION_REGISTRATION ENDS
Here prev points to the previous _EXCEPTION_REGISTRATION record, so the records form a chain, and handler points to the handler routine; its return values, such as ExceptionContinueSearch, are defined in excpt.h.
CIH uses exactly this mechanism and points handler at its own code. The following appears at its entry point:
        ...
; *********************************************************************
; * Ring3 Virus Game Initial Program                                  *
; *********************************************************************
MyVirusStart:                           ; Ring3 code entry point
        push    ebp
; *******************************************
; * Let's modify structured exception       *
; * handling, prevent exception error       *
; * occurrence, especially in NT.           *
; *******************************************
        lea     eax, [esp-04h*2]        ; reserve 8 bytes on the stack for an _EXCEPTION_REGISTRATION
                                        ; structure; this is the same as a stack-based local variable
                                        ; in C (the C compiler does it for you). EAX now points to the
                                        ; _EXCEPTION_REGISTRATION, but the structure is not yet
                                        ; initialised. For the details of this mechanism see a
                                        ; compilers textbook or Matt Pietrek's articles.
        xor     ebx, ebx                ; 0 -> EBX
        xchg    eax, fs:[ebx]           ; fs:[0] <-> EAX. FS points to the TEB and ExceptionList is at
                                        ; offset 0, so fs:[0] is TEB.ExceptionList; EAX now holds the
                                        ; original exception handler record and fs:[0] points to the
                                        ; new structure
        call    @0
@0:
        pop     ebx                     ; these three lines compute the code's own address: EBX is now
                                        ; the address of @0
        lea     ecx, StopToRunVirusCode-@0[ebx]   ; point ECX at the handler code inside the virus
        push    ecx                     ; handler: fill in the _EXCEPTION_REGISTRATION structure. When
                                        ; an exception occurs the operating system calls it
                                        ; automatically, and this time that is CIH's code
        push    eax                     ; prev: EAX is the original exception handler record;
                                        ; the _EXCEPTION_REGISTRATION structure is now filled in
        ...
CIH then executes INT 3, which makes the system raise an exception, and control still enters its own code; this can be confirmed from the following comment in the CIH source code:
; *******************************************
; * Generate Exception to Get Ring0         *
; *******************************************
        int     HookExceptionNumber     ; GenerateException
HookExceptionNumber is defined as 3, so this instruction raises an exception; please refer to the CIH source code for the details.
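To make the chain walk concrete, here is an added C model of the mechanism described above (my own illustration, not code from the article or from the CIH source): it builds _EXCEPTION_REGISTRATION records, links a new one at fs:[0] the way the fragment above does with xchg and two pushes, and walks the chain the way the system dispatcher does, so you can see why the record installed last is the first one consulted when int 3 fires and why it no longer is once it is unlinked. TEB_MODEL, install_frame, remove_frame, dispatch and scenario are names I made up; STATUS_BREAKPOINT (0x80000003) is the real NT status code for int 3 but is not mentioned in the article.

```c
#include <stdint.h>
#include <stdio.h>
/* Handler return values, as in the EXCEPTION_DISPOSITION enum of excpt.h. */
typedef enum { ExceptionContinueExecution = 0, ExceptionContinueSearch = 1 } EXCEPTION_DISPOSITION;
typedef struct _EXCEPTION_REGISTRATION {
    struct _EXCEPTION_REGISTRATION *prev;
    EXCEPTION_DISPOSITION (*handler)(struct _EXCEPTION_REGISTRATION *self, uint32_t code);
} EXCEPTION_REGISTRATION;   /* the CRT's _EXCEPTION_REGISTRATION: prev at offset 0, handler at 4 (i386) */
/* TEB_MODEL is a hypothetical stand-in for the TEB: only ExceptionList (offset 0 = fs:[0]) is modelled. */
typedef struct { EXCEPTION_REGISTRATION *ExceptionList; } TEB_MODEL;
#define STATUS_BREAKPOINT       0x80000003u   /* NT status code raised by int 3 */
#define STATUS_ACCESS_VIOLATION 0xC0000005u
/* Same effect as CIH's "xchg eax,fs:[ebx] / push ecx / push eax": link a record at the chain head. */
static void install_frame(TEB_MODEL *teb, EXCEPTION_REGISTRATION *rec,
                          EXCEPTION_DISPOSITION (*handler)(EXCEPTION_REGISTRATION *, uint32_t)) {
    rec->prev = teb->ExceptionList;   /* the old fs:[0] value becomes prev */
    rec->handler = handler;
    teb->ExceptionList = rec;         /* fs:[0] now points at this record */
}
static void remove_frame(TEB_MODEL *teb, EXCEPTION_REGISTRATION *rec) { /* leaving a __try block: mov fs:[0], prev */
    if (teb->ExceptionList == rec) teb->ExceptionList = rec->prev;
}
/* Stand-in for the system dispatcher: walk from fs:[0] along prev until a handler returns
 * ExceptionContinueExecution; returns that record, or NULL when the chain is exhausted. */
static EXCEPTION_REGISTRATION *dispatch(TEB_MODEL *teb, uint32_t code, int *visited) {
    *visited = 0;
    for (EXCEPTION_REGISTRATION *r = teb->ExceptionList; r != NULL; r = r->prev) {
        ++*visited;
        if (r->handler(r, code) == ExceptionContinueExecution) return r;
    }
    return NULL;   /* unhandled: the real system would terminate the process */
}
static EXCEPTION_DISPOSITION decline_all(EXCEPTION_REGISTRATION *s, uint32_t c)   /* outer frame: never claims */
{ (void)s; (void)c; return ExceptionContinueSearch; }
static EXCEPTION_DISPOSITION on_breakpoint(EXCEPTION_REGISTRATION *s, uint32_t c) /* inner frame: claims int 3 */
{ (void)s; return c == STATUS_BREAKPOINT ? ExceptionContinueExecution : ExceptionContinueSearch; }
/* Chain outer -> inner, raise int 3 and an access violation, unlink inner, raise int 3 again. Bitmask:
 * 1 = inner claimed the breakpoint first, 2 = the access violation walked both frames unhandled,
 * 4 = after unlinking inner the breakpoint is unhandled. All three together give 7. */
static int scenario(void) {
    TEB_MODEL teb = { NULL }; int n, result = 0;
    EXCEPTION_REGISTRATION outer, inner;
    install_frame(&teb, &outer, decline_all);
    install_frame(&teb, &inner, on_breakpoint);
    if (dispatch(&teb, STATUS_BREAKPOINT, &n) == &inner && n == 1) result |= 1;
    if (dispatch(&teb, STATUS_ACCESS_VIOLATION, &n) == NULL && n == 2) result |= 2;
    remove_frame(&teb, &inner);
    if (dispatch(&teb, STATUS_BREAKPOINT, &n) == NULL && n == 1) result |= 4;
    return result;
}
int main(void) { printf("scenario bitmask: %d\n", scenario()); return 0; }
```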
Because the assembly code above is rather abstract, I deliberately rewrote it in a form that is easier to understand (it builds into a PE executable that can run directly under Windows):
// testcih.c --- if you have any questions, contact tsu00@263.net
#include
#include