WinDBG 技巧：显示进程/线程环境参数(!peb 和 !teb 命令)

调试的程序的时候，了解PEB和TEB往往对分析很有帮助。 WinDBG中 !peb 和 !teb 命令可以用来显示PEB和TEB：

0:000> !peb
PEB at 7ffd6000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 001a1ea0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2850
Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2840
Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2848
Base TimeStamp Module
1000000 3b7d8475 Aug 17 13:54:13 2001 C:\WINDOWS\system32\winmine.exe
7c900000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\ntdll.dll
7c800000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\kernel32.dll
77c10000 4802a188 Apr 13 17:12:56 2008 C:\WINDOWS\system32\msvcrt.dll
77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 4802a106 Apr 13 17:10:46 2008 C:\WINDOWS\system32\RPCRT4.dll
77fe0000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\Secur32.dll
77f10000 49006fbe Oct 23 05:36:14 2008 C:\WINDOWS\system32\GDI32.dll
7e410000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\USER32.dll
7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:\WINDOWS\system32\SHELL32.dll
77f60000 4802a116 Apr 13 17:11:02 2008 C:\WINDOWS\system32\SHLWAPI.dll
76b40000 4802a13c Apr 13 17:11:40 2008 C:\WINDOWS\system32\WINMM.dll
773d0000 4802a094 Apr 13 17:08:52 2008 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
SubSystemData: 00000000
ProcessHeap: 000a0000
ProcessParameters: 00020000
WindowTitle: 'C:\WINDOWS\system32\winmine.exe'
ImageFile: 'C:\WINDOWS\system32\winmine.exe'
CommandLine: 'winmine'
DllPath: 'C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Program Files\WinDbg\winext\arcade;C:\Tools\Perl\site\bin;C:\Tools\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\CA\eTrust Antivirus;C:\Program Files\Java\jdk1.5.0_14\bin;C:\Program Files\Apache-ant\bin;C:\Program Files\WinDbg;C:\Tools;C:\Program Files\TortoiseSVN\bin'
Environment: 00010000
=::=::\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=C:\Program Files\Apache-ant
APPDATA=C:\Documents and Settings\WinGeek\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=QI
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\WinGeek
INOCULAN=C:\Program Files\CA\eTrust Antivirus
JAVA_HOME=C:\Program Files\Java\jdk1.5.0_14
LOGONSERVER=\\QI
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\WinDbg\winext\arcade;C:\Tools\Perl\site\bin;C:\Tools\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\CA\eTrust Antivirus;C:\Program Files\Java\jdk1.5.0_14\bin;C:\Program Files\Apache-ant\bin;C:\Program Files\WinDbg;C:\Tools;C:\Program Files\TortoiseSVN\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\WinGeek\LOCALS~1\Temp
TMP=C:\DOCUME~1\WinGeek\LOCALS~1\Temp
USERDOMAIN=QI
USERNAME=WinGeek
USERPROFILE=C:\Documents and Settings\WinGeek
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
WINDBG_DIR=C:\Program Files\WinDbg
windir=C:\WINDOWS

从以上!PEB输出结果，我们可以了解到进程的ImageBaseAddress，进程的堆（Heap）起始地址， 装载了那些DLL，命令行参数，系统的环境变量等等 。。。

0:000> !teb
TEB at 7ffdf000
ExceptionList: 0007fd0c
StackBase: 00080000
StackLimit: 0007c000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdf000
EnvironmentPointer: 00000000
ClientId: 000014a8 . 000014ac
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7ffd6000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0

从以上!TEB输出结果，我们可以了解到栈（stack)的起始地址，Tls Storage 的地址， 异常处理的地址，LastError的值等等。。。