waliedassar

KERNEL: Creation of Thread Environment Block (TEB)

Dec 31st, 2012

//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar

The following demonstrates the allocation and creation of Thread Environment Blocks (TEB) in
64-bit versions of Windows, e.g. Windows 7.

This takes place in the "MmCreateTeb" function, which is responsible for most of the TEB
set-up, as follows:

A) It determines whether the process is native (64-bit) or Wow64 (32-bit) by querying the
"Wow64Process" field of the "_EPROCESS" structure. For Wow64 processes, this field holds the
address of the process's 32-bit Process Environment Block (PEB); for native 64-bit processes
it is zero.

N.B. A Wow64 process has two Process Environment Blocks (PEB), a 64-bit PEB and a 32-bit PEB,
and each of its threads has two Thread Environment Blocks (TEB), a 64-bit TEB and a 32-bit TEB.

fffff800`035cf2d2 4c8bb920030000 mov r15,qword ptr [rcx+320h]

B) It attaches to the address space of the target process by calling the
"KeStackAttachProcess" function.

fffff800`035cf2e4 488d542428 lea rdx,[rsp+28h]
fffff800`035cf2e9 e8c23cd4ff call nt!KeStackAttachProcess (fffff800`03312fb0)

C) It calls the "MiCreatePebOrTeb" function to allocate space: either 0x2000 bytes (2 pages,
for a native 64-bit thread) or 0x3000 bytes (3 pages, for a Wow64 thread).

The characteristics of the new pages are:
Allocation Type : MEM_COMMIT
Memory Type : MEM_PRIVATE
Protection : PAGE_READWRITE
Protection Changeable: FALSE

fffff800`035cf2ee 4c8d8c2490000000 lea r9,[rsp+90h]
fffff800`035cf2f6 448bc3 mov r8d,ebx
fffff800`035cf2f9 488bd7 mov rdx,rdi
fffff800`035cf2fc 498bce mov rcx,r14
fffff800`035cf2ff e8fc0e0000 call nt!MiCreatePebOrTeb (fffff800`035d0200)

D) It stores the following information in fields of the 64-bit TEB:
1) 0x1E00 in the "Version" field of the "_NT_TIB" structure.
2) Self pointer in the "Self" field of the "_NT_TIB" structure.
3) Pointer to the corresponding 64-bit PEB in the "ProcessEnvironmentBlock" field.
4) Client ID (Process Id + Thread Id) in the "ClientId" field.
5) Client ID (Process Id + Thread Id) in the "RealClientId" field.
6) Value of the stack base in the "StackBase" field of the "_NT_TIB" structure.
7) Value of the stack limit in the "StackLimit" field of the "_NT_TIB" structure.
8) Address at which the stack has been allocated in the "DeallocationStack" field.
9) Initializes the "StaticUnicodeString" UNICODE_STRING with 0x020A as maximum length.
10) The value of nt!BBTBuffer in the "ReservedForPerf" field.
11) TXF_MINIVERSION_DEFAULT_VIEW in the "TxFsContext" field.
12) If it is a native 64-bit process, zero is written to the "ExceptionList" field of "NT_TIB".
If it is a Wow64 process, the address of the 32-bit TEB is written to the "ExceptionList"
field instead, and the following information is then copied/written to the 32-bit TEB:
1') 0xFFFFFFFF in the "ExceptionList" field of NT_TIB, since no handlers have been set.
2') Copy the "Version" field from the 64-bit TEB.
3') Self pointer in the "Self" field of the "_NT_TIB" structure.
4') Pointer to the corresponding 32-bit PEB in the "ProcessEnvironmentBlock" field.
5') Copy the Client ID (Process Id + Thread Id) from the 64-bit TEB.
6') Copy the Client ID (Process Id + Thread Id) from the 64-bit TEB.
7') Initializes the "StaticUnicodeString" UNICODE_STRING with 0x020A as maximum length.
8') Store the address of the corresponding 64-bit TEB at offset 0xF70.
9') Copy the "Vdm" field from the 64-bit TEB.
10') TXF_MINIVERSION_DEFAULT_VIEW in the "TxFsContext" field.
11') Value of the stack base in the "StackBase" field of the "_NT_TIB" structure.
12') Value of the stack limit in the "StackLimit" field of the "_NT_TIB" structure.
13') Address at which the 32-bit stack has been allocated in the "DeallocationStack" field.

E) It detaches from the address space of the target process by calling the
"KeUnstackDetachProcess" function.
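As an added example that is not part of the original post, the Python below checks a 64-bit TEB image (and its 32-bit twin for a Wow64 thread) captured from a memory dump against the values and cross-links listed above (Version, Self, ExceptionList, ClientId, the stack fields, and the 64-bit TEB pointer at offset 0xF70), the kind of consistency check a memory-forensics tool applies to spot a tampered or forged TEB. The field offsets in OFF64/OFF32 are assumed from the public _NT_TIB/_TEB layouts rather than taken from the post, and the sample TEB pair is constructed.

```python
import struct

# Values stated in the post for Windows 7 x64:
TEB_VERSION = 0x1E00       # MmCreateTeb writes this to NT_TIB.Version
TEB32_TEB64_PTR = 0xF70    # offset in the 32-bit TEB that receives the 64-bit TEB address
# Field offsets of the public _NT_TIB/_TEB layouts (assumed standard Win7 offsets, not from the post).
OFF64 = {"ExceptionList": 0x00, "StackBase": 0x08, "StackLimit": 0x10, "Version": 0x20,
         "Self": 0x30, "UniqueProcess": 0x40, "UniqueThread": 0x48, "DeallocationStack": 0x1478}
OFF32 = {"ExceptionList": 0x00, "StackBase": 0x04, "StackLimit": 0x08, "Version": 0x10,
         "Self": 0x18, "UniqueProcess": 0x20, "UniqueThread": 0x24, "DeallocationStack": 0xE0C}

def _reader(buf, offsets, width):
    # Closure reading a little-endian field of the given width (8 or 4 bytes) by name.
    return lambda n: struct.unpack_from("<Q" if width == 8 else "<I", buf, offsets[n])[0]

def _check_common(f, va, pid, tid, bad, tag):
    # Invariants both TEBs share: Version tag, self pointer, stack ordering, ClientId.
    if f("Version") != TEB_VERSION: bad.append(tag + ".Version")
    if f("Self") != va: bad.append(tag + ".Self")
    if not f("DeallocationStack") <= f("StackLimit") < f("StackBase"): bad.append(tag + ".Stack")
    if (f("UniqueProcess"), f("UniqueThread")) != (pid, tid): bad.append(tag + ".ClientId")

def check_teb(teb64, teb64_va, pid, tid, teb32=None, teb32_va=None):
    """Validate TEB image(s) against what MmCreateTeb writes; returns violated invariants."""
    bad, f64 = [], _reader(teb64, OFF64, 8)
    _check_common(f64, teb64_va, pid, tid, bad, "TEB64")
    if teb32 is None:  # native 64-bit thread: ExceptionList is simply zero
        if f64("ExceptionList") != 0: bad.append("TEB64.ExceptionList")
        return bad
    f32 = _reader(teb32, OFF32, 4)
    _check_common(f32, teb32_va, pid, tid, bad, "TEB32")
    if f64("ExceptionList") != teb32_va: bad.append("TEB64.ExceptionList->TEB32")
    if f32("ExceptionList") != 0xFFFFFFFF: bad.append("TEB32.ExceptionList")  # empty SEH chain
    if struct.unpack_from("<I", teb32, TEB32_TEB64_PTR)[0] != teb64_va: bad.append("TEB32->TEB64")
    return bad

def sample_wow64_pair(teb64_va=0x7EF95000, teb32_va=0x7EF97000, pid=0x4D8, tid=0x4DC):
    """Constructed Wow64 TEB pair laid out as the post describes (not a real memory dump)."""
    teb64, teb32 = bytearray(0x2000), bytearray(0x1000)
    def put(buf, offsets, width, **vals):
        for n, v in vals.items():
            struct.pack_into("<Q" if width == 8 else "<I", buf, offsets[n], v)
    put(teb64, OFF64, 8, ExceptionList=teb32_va, StackBase=0x7F0000, StackLimit=0x7EC000,
        Version=TEB_VERSION, Self=teb64_va, UniqueProcess=pid, UniqueThread=tid,
        DeallocationStack=0x6F0000)
    put(teb32, OFF32, 4, ExceptionList=0xFFFFFFFF, StackBase=0x190000, StackLimit=0x18C000,
        Version=TEB_VERSION, Self=teb32_va, UniqueProcess=pid, UniqueThread=tid,
        DeallocationStack=0x90000)
    struct.pack_into("<I", teb32, TEB32_TEB64_PTR, teb64_va)
    return teb64, teb32
```

Feeding the same Wow64 pair to check_teb without the 32-bit image flags the non-zero 64-bit ExceptionList, which is how the checker tells a native TEB from a Wow64 one.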