WinDBG 技巧：显示进程/线程环境参数(!peb 和 !teb 命令)

首先介绍PEB和TEB概念：

PEB（Process Environment Block，进程环境块）存放进程信息，每个进程都有自己的PEB信息。位于用户地址空间。

TEB（Thread Environment Block，线程环境块）系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间，在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。

调试的程序的时候，了解PEB和TEB往往对分析很有帮助。 WinDBG中 !peb 和 !teb 命令可以用来显示PEB和TEB：

0:000> !peb
PEB at 7ffd6000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         01000000
    Ldr                       001a1ea0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2850
    Ldr.InLoadOrderModuleList:           001a1ee0 . 001a2840
    Ldr.InMemoryOrderModuleList:         001a1ee8 . 001a2848
            Base TimeStamp                     Module
         1000000 3b7d8475 Aug 17 13:54:13 2001 C:\WINDOWS\system32\winmine.exe
        7c900000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\ntdll.dll
        7c800000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\kernel32.dll
        77c10000 4802a188 Apr 13 17:12:56 2008 C:\WINDOWS\system32\msvcrt.dll
        77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:\WINDOWS\system32\ADVAPI32.dll
        77e70000 4802a106 Apr 13 17:10:46 2008 C:\WINDOWS\system32\RPCRT4.dll
        77fe0000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\Secur32.dll
        77f10000 49006fbe Oct 23 05:36:14 2008 C:\WINDOWS\system32\GDI32.dll
        7e410000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\USER32.dll
        7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:\WINDOWS\system32\SHELL32.dll
        77f60000 4802a116 Apr 13 17:11:02 2008 C:\WINDOWS\system32\SHLWAPI.dll
        76b40000 4802a13c Apr 13 17:11:40 2008 C:\WINDOWS\system32\WINMM.dll
        773d0000 4802a094 Apr 13 17:08:52 2008 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
    SubSystemData:     00000000
    ProcessHeap:       000a0000
    ProcessParameters: 00020000
    WindowTitle:  'C:\WINDOWS\system32\winmine.exe'
    ImageFile:    'C:\WINDOWS\system32\winmine.exe'
    CommandLine:  'winmine'
    DllPath:      'C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Program Files\WinDbg\winext\arcade;C:\Tools\Perl\site\bin;C:\Tools\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\CA\eTrust Antivirus;C:\Program Files\Java\jdk1.5.0_14\bin;C:\Program Files\Apache-ant\bin;C:\Program Files\WinDbg;C:\Tools;C:\Program Files\TortoiseSVN\bin'
    Environment:  00010000
        =::=::\
        ALLUSERSPROFILE=C:\Documents and Settings\All Users
        ANT_HOME=C:\Program Files\Apache-ant
        APPDATA=C:\Documents and Settings\WinGeek\Application Data
        AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=QI
        ComSpec=C:\WINDOWS\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Documents and Settings\WinGeek
        INOCULAN=C:\Program Files\CA\eTrust Antivirus
        JAVA_HOME=C:\Program Files\Java\jdk1.5.0_14
        LOGONSERVER=\\QI
        NUMBER_OF_PROCESSORS=2
        OS=Windows_NT
        Path=C:\Program Files\WinDbg\winext\arcade;C:\Tools\Perl\site\bin;C:\Tools\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\CA\eTrust Antivirus;C:\Program Files\Java\jdk1.5.0_14\bin;C:\Program Files\Apache-ant\bin;C:\Program Files\WinDbg;C:\Tools;C:\Program Files\TortoiseSVN\bin
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=0f02
        ProgramFiles=C:\Program Files
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\WINDOWS
        TEMP=C:\DOCUME~1\WinGeek\LOCALS~1\Temp
        TMP=C:\DOCUME~1\WinGeek\LOCALS~1\Temp
        USERDOMAIN=QI
        USERNAME=WinGeek
        USERPROFILE=C:\Documents and Settings\WinGeek
        VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
        VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
        WINDBG_DIR=C:\Program Files\WinDbg
        windir=C:\WINDOWS

从以上!PEB输出结果，我们可以了解到进程的ImageBaseAddress，进程的堆（Heap）起始地址， 装载了那些DLL，命令行参数，系统的环境变量等等 。。。

 

0:000> !teb
TEB at 7ffdf000
    ExceptionList:        0007fd0c
    StackBase:            00080000
    StackLimit:           0007c000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             000014a8 . 000014ac
    RpcHandle:            00000000
    Tls Storage:          00000000
    PEB Address:          7ffd6000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0

从以上!TEB输出结果，我们可以了解到栈（stack)的起始地址，Tls Storage 的地址， 异常处理的地址，LastError的值等等。。。