Nytro

KERNEL: Creation of Thread Environment Block (TEB)

http://waleedassar.blogspot.com
http://www.twitter.com/waleedassar

The following demonstrates the allocation and initialization of Thread Environment Blocks (TEBs)
in 64-bit versions of Windows; Windows 7 x64 is used for the disassembly below.

The work is done by the "MmCreateTeb" function, which is responsible for most of the
TEB setup. It proceeds as follows:

A) It determines whether the process is native (64-bit) or Wow64 (32-bit) by querying the
"Wow64Process" field of the "_EPROCESS" structure. For Wow64 processes this field holds the
address of the process's 32-bit Process Environment Block (PEB); for native 64-bit processes
it is zero. In the instruction below rcx holds the "_EPROCESS" pointer, so 0x320 is the
offset of "Wow64Process" in this build.

N.B. A Wow64 process has two Process Environment Blocks (PEBs), a 64-bit PEB and a 32-bit PEB,
and each of its threads has two Thread Environment Blocks (TEBs), a 64-bit TEB and a 32-bit TEB.

fffff800`035cf2d2 4c8bb920030000 mov r15,qword ptr [rcx+320h]

B) It attaches to the address space of the target process by calling the
"KeStackAttachProcess" function, since the TEB lives in user-mode memory of that process.

fffff800`035cf2e4 488d542428 lea rdx,[rsp+28h]
fffff800`035cf2e9 e8c23cd4ff call nt!KeStackAttachProcess (fffff800`03312fb0)

C) It calls the "MiCreatePebOrTeb" function to allocate space: either 0x2000 (2 pages, for a
native 64-bit thread, since the 64-bit TEB is larger than one page) or 0x3000 (3 pages, for a
Wow64 thread, which also needs room for the 32-bit TEB).

The characteristics of new pages are:
Allocation Type : MEM_COMMIT
Memory Type : MEM_PRIVATE
Protection : PAGE_READWRITE
Protection Changeable: FALSE

fffff800`035cf2ee 4c8d8c2490000000 lea r9,[rsp+90h]
fffff800`035cf2f6 448bc3 mov r8d,ebx
fffff800`035cf2f9 488bd7 mov rdx,rdi
fffff800`035cf2fc 498bce mov rcx,r14
fffff800`035cf2ff e8fc0e0000 call nt!MiCreatePebOrTeb (fffff800`035d0200)

D) It stores the following information in fields of the 64-bit TEB:
1) 0x1E00 in the "Version" field of the "_NT_TIB" structure.

2) Self pointer in the "Self" field of the "_NT_TIB" structure.
3) Pointer to corresponding 64-bit PEB in the "ProcessEnvironmentBlock" field.

4) Client ID (Process Id + Thread Id) in the "ClientId" field.
5) Client ID (Process Id + Thread Id) in the "RealClientId" field.

6) Value of stack base in the "StackBase" field of the "_NT_TIB" structure.
7) Value Of stack limit in the "StackLimit" field of the "_NT_TIB" structure.
8) Address at which stack has been allocated in the "DeallocationStack" field.

9) Initializes the "StaticUnicodeString" UNICODE_STRING with 0x020A as maximum length.

10) The value of nt!BBTBuffer in the "ReservedForPerf" field.

11) TXF_MINIVERSION_DEFAULT_VIEW in the "TxFsContext" field.

12) If it is a native 64-bit process, zero is written to the "ExceptionList" field of the "_NT_TIB".
If it is a Wow64 process, the address of the 32-bit TEB is written to the "ExceptionList" field
instead, and the following is then written to the 32-bit TEB:
1') 0xFFFFFFFF in the "ExceptionList" field of NT_TIB since no handlers have been set.
2') Copy the "Version" field from the 64-bit TEB.
3') Self pointer in the "Self" field of the "_NT_TIB" structure.
4') Pointer to corresponding 32-bit PEB in the "ProcessEnvironmentBlock" field.
5') Client ID (Process Id + Thread Id), copied from the 64-bit TEB, in the "ClientId" field.
6') Client ID (Process Id + Thread Id), copied from the 64-bit TEB, in the "RealClientId" field.
7') Initializes the "StaticUnicodeString" UNICODE_STRING with 0x020A as maximum length.
8') Store the address of the corresponding 64-bit TEB at offset 0xF70 of the 32-bit TEB (this is the slot
32-bit code running under Wow64 uses to reach its 64-bit TEB).
9') Copy the "Vdm" field from the 64-bit TEB.
10') TXF_MINIVERSION_DEFAULT_VIEW in the "TxFsContext" field.
11') Value of stack base in the "StackBase" field of the "_NT_TIB" structure.
12') Value Of stack limit in the "StackLimit" field of the "_NT_TIB" structure.
13') Address at which the 32-bit stack has been allocated in the "DeallocationStack" field.


E) It detaches from the address space of the target process by calling the "KeUnstackDetachProcess"
function.
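As an added illustration (this is not code from the post, from Waleed Assar, or from the Windows kernel), the C program below models the allocation and field writes of steps C and D above and then validates the result the way a parser for a raw TEB dump would: it follows the 64-bit TEB's "ExceptionList" link to the 32-bit TEB and the 0xF70 back-link from there. Everything not stated in the post is an assumption: the field offsets are the Windows 7 x64 "_TEB" and x86 "_TEB" layouts as published in the public symbols, the 32-bit TEB is placed in the third page (TEB64 + 0x2000), TXF_MINIVERSION_DEFAULT_VIEW is taken as 0xFFFE, the Wow64 TEB pair is assumed to lie below 4 GB, and all addresses and IDs in the sample are constructed. It runs on any host and never touches a real TEB.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE        0x1000u
#define TEB32_OFFSET     0x2000u   /* assumed: the 32-bit TEB occupies the third page */
#define TIB_VERSION      0x1E00u   /* NtTib.Version value named in the post */
#define STATIC_USTR_MAX  0x020Au   /* StaticUnicodeString.MaximumLength (261 WCHARs) */
#define TXF_MINIVERSION_DEFAULT_VIEW 0xFFFEu   /* assumed value of the named constant */
#define EXCEPTION_CHAIN_END 0xFFFFFFFFu        /* empty SEH chain in the 32-bit NT_TIB */

/* Windows 7 x64 _TEB field offsets (assumed from the public symbols). */
enum { T64_EXC = 0x000, T64_SBASE = 0x008, T64_SLIMIT = 0x010, T64_VER = 0x020,
       T64_SELF = 0x030, T64_CID = 0x040, T64_PEB = 0x060, T64_TXF = 0x2E8,
       T64_RCID = 0x7D8, T64_USTR = 0x1258, T64_DEALLOC = 0x1478, T64_VDM = 0x1690,
       T64_PERF = 0x1750 };
/* Windows 7 x86 _TEB offsets, i.e. the 32-bit TEB of a Wow64 thread (assumed likewise). */
enum { T32_EXC = 0x000, T32_SBASE = 0x004, T32_SLIMIT = 0x008, T32_VER = 0x010,
       T32_SELF = 0x018, T32_CID = 0x020, T32_PEB = 0x030, T32_TXF = 0x1D0,
       T32_RCID = 0x6B4, T32_USTR = 0xBF8, T32_DEALLOC = 0xE0C, T32_VDM = 0xF18,
       T32_TEB64 = 0xF70 };   /* offset 0xF70: where the 64-bit TEB address is stored */

typedef struct { uint8_t *buf; size_t len; uint64_t va; } teb_alloc; /* raw pages + their VA in the target */
typedef struct {              /* what MmCreateTeb receives from its caller (constructed sample inputs) */
    uint32_t pid, tid;
    uint64_t peb64, stack_base, stack_limit, dealloc_stack, bbt_buffer;
    uint32_t peb32, stack32_base, stack32_limit, dealloc32_stack;   /* Wow64 threads only */
} teb_params;

/* Little-endian accessors, so the model depends on neither host endianness nor struct packing. */
static void put(uint8_t *b, size_t off, uint64_t v, int n) { for (int i = 0; i < n; i++) b[off + i] = (uint8_t)(v >> (8 * i)); }
static uint64_t get(const uint8_t *b, size_t off, int n) { uint64_t v = 0; for (int i = n; i-- > 0;) v = (v << 8) | b[off + i]; return v; }

/* Steps C and D of the post: 2 zeroed pages for a native thread, 3 for a Wow64 thread, then the field writes. */
teb_alloc model_create_teb(uint64_t va, int wow64, const teb_params *p)
{
    teb_alloc a = { .len = (wow64 ? 3 : 2) * PAGE_SIZE, .va = va };
    uint8_t *t = a.buf = calloc(1, a.len);
    put(t, T64_VER, TIB_VERSION, 4);            put(t, T64_SELF, va, 8);
    put(t, T64_PEB, p->peb64, 8);
    put(t, T64_CID, p->pid, 8);                 put(t, T64_CID + 8, p->tid, 8);
    put(t, T64_RCID, p->pid, 8);                put(t, T64_RCID + 8, p->tid, 8);
    put(t, T64_SBASE, p->stack_base, 8);        put(t, T64_SLIMIT, p->stack_limit, 8);
    put(t, T64_DEALLOC, p->dealloc_stack, 8);   put(t, T64_USTR + 2, STATIC_USTR_MAX, 2);
    put(t, T64_PERF, p->bbt_buffer, 8);         put(t, T64_TXF, TXF_MINIVERSION_DEFAULT_VIEW, 4);
    if (!wow64) { put(t, T64_EXC, 0, 8); return a; }         /* native: ExceptionList stays zero */
    uint64_t va32 = va + TEB32_OFFSET;                        /* assumes the TEB pair lies below 4 GB */
    uint8_t *s = t + TEB32_OFFSET;
    put(t, T64_EXC, va32, 8);                   /* 64-bit TEB -> 32-bit TEB link */
    put(s, T32_EXC, EXCEPTION_CHAIN_END, 4);    /* no SEH handlers registered yet */
    put(s, T32_VER, get(t, T64_VER, 4), 4);     put(s, T32_SELF, va32, 4);
    put(s, T32_PEB, p->peb32, 4);
    put(s, T32_CID, p->pid, 4);                 put(s, T32_CID + 4, p->tid, 4);
    put(s, T32_RCID, p->pid, 4);                put(s, T32_RCID + 4, p->tid, 4);
    put(s, T32_USTR + 2, STATIC_USTR_MAX, 2);   put(s, T32_TEB64, va, 4);   /* 32-bit TEB -> 64-bit TEB link */
    put(s, T32_VDM, get(t, T64_VDM, 8), 4);     put(s, T32_TXF, TXF_MINIVERSION_DEFAULT_VIEW, 4);
    put(s, T32_SBASE, p->stack32_base, 4);      put(s, T32_SLIMIT, p->stack32_limit, 4);
    put(s, T32_DEALLOC, p->dealloc32_stack, 4); /* the 32-bit thread has its own stack */
    return a;
}

/* Validate an allocation as a dump parser would. Returns 0 when every invariant from the post holds,
 * otherwise the number of the first failed check; the 64->32 link is followed, not assumed. */
int model_check_teb(const teb_alloc *a, int wow64)
{
    const uint8_t *t = a->buf;
    if (a->len < (wow64 ? 3 : 2) * PAGE_SIZE) return 1;
    if (get(t, T64_SELF, 8) != a->va) return 2;
    if (get(t, T64_VER, 4) != TIB_VERSION) return 3;
    if (get(t, T64_USTR + 2, 2) != STATIC_USTR_MAX) return 4;
    if (get(t, T64_TXF, 4) != TXF_MINIVERSION_DEFAULT_VIEW) return 5;
    if (memcmp(t + T64_CID, t + T64_RCID, 16) != 0) return 6;
    if (get(t, T64_SLIMIT, 8) >= get(t, T64_SBASE, 8)) return 7;
    if (get(t, T64_DEALLOC, 8) > get(t, T64_SLIMIT, 8)) return 8;
    if (!wow64) return get(t, T64_EXC, 8) == 0 ? 0 : 9;
    uint64_t va32 = get(t, T64_EXC, 8);
    if (va32 <= a->va || va32 + PAGE_SIZE > a->va + a->len) return 10;   /* link must stay inside the pages */
    const uint8_t *s = t + (va32 - a->va);
    if (get(s, T32_EXC, 4) != EXCEPTION_CHAIN_END) return 11;
    if (get(s, T32_SELF, 4) != (uint32_t)va32) return 12;
    if (get(s, T32_TEB64, 4) != (uint32_t)a->va) return 13;                /* back-link must point home */
    if (get(s, T32_VER, 4) != get(t, T64_VER, 4)) return 14;
    if (get(s, T32_CID, 4) != (uint32_t)get(t, T64_CID, 8) ||
        get(s, T32_CID + 4, 4) != (uint32_t)get(t, T64_CID + 8, 8)) return 15;
    if (get(s, T32_SLIMIT, 4) >= get(s, T32_SBASE, 4)) return 16;
    return 0;
}

int main(void)
{
    /* Constructed sample: a Wow64 thread whose TEB pair lives at 0x7EFDB000 (not a real dump). */
    teb_params p = { .pid = 0x1234, .tid = 0x1238, .peb64 = 0x7EFDF000, .peb32 = 0x7EFDE000,
                     .stack_base = 0x00A50000, .stack_limit = 0x00A4D000, .dealloc_stack = 0x00950000,
                     .stack32_base = 0x00230000, .stack32_limit = 0x0022D000, .dealloc32_stack = 0x00130000 };
    teb_alloc w = model_create_teb(0x7EFDB000, 1, &p);
    printf("check=%d  TEB64.ExceptionList=%#llx  TEB32[0xF70]=%#llx\n", model_check_teb(&w, 1),
           (unsigned long long)get(w.buf, T64_EXC, 8), (unsigned long long)get(w.buf + TEB32_OFFSET, T32_TEB64, 4));
    free(w.buf);
    return 0;
}
```

Build with any C99 compiler. The checker returns the number of the first invariant that fails rather than a bare yes/no, which is what you want when a TEB lifted from a memory dump does not look the way this post says it should, for example a 32-bit TEB whose 0xF70 slot no longer points back at its 64-bit TEB.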

Source: KERNEL: Creation of Thread Environment Block (TEB) - Pastebin.com
