8

When reversing shellcode, we see the PEB walk fairly often at various stages. I am curious, however, whether there is any pre-defined standard structure for this in IDA? If so, what is it called? After looking and googling around I haven't been able to find anything. I would also be very interested in definitions for PEB_LDR_DATA and RTL_USER_PROCESS_PARAMETERS.

I could create them myself and export them somehow (would have to figure out how). But before doing that I am really curious if there is just something I am missing amongst the standard structure definitions in IDA.

2 Answers

9

The structures for the PEB are _PEB and PEB_LDR_DATA. You need to have the ntapi type library loaded; you can add it by going to the Type Libraries view (Shift+F11) and then pressing Ins.

6

If you are using IDA Free, then this and several other type libraries are not available.

And if you intend to

"create them yourself and export them somehow (would have to figure out how)."

this walkthrough provides a few hints on how to accomplish it.

OS: WinXP SP3 VM

(All opaque structures like EPROCESS can vary from OS to OS, hotfix to hotfix, Patch Tuesday to Patch Tuesday.)

Supposing you are reversing PsGetProcessId() in ntkrnlpa.exe:

    ; Exported entry 872. PsGetProcessId
    ; Attributes: bp-based frame
    ; __stdcall PsGetProcessId(x)
    public _PsGetProcessId@4
    _PsGetProcessId@4 proc near
    8B FF                mov     edi, edi
    55                   push    ebp
    8B EC                mov     ebp, esp
    8B 45 08             mov     eax, [ebp+8]
    8B 80 84 00 00 00    mov     eax, [eax+84h]   <-----
    5D                   pop     ebp
    C2 04 00             retn    4
    _PsGetProcessId@4 endp

and you find out 84 is EPROCESS->Pid and want to impart this information to the disassembly.

Make a text file named EPROCESS.h.

Type the following into the text file and save it for later:

    /* partial EPROCESS: only the Pid offset is known so far, everything before it is opaque padding */
    typedef struct EPROCESS {
        BYTE  unknown[0x84];
        DWORD Pid;
    } EPROCESS, *PEPROCESS;   /* pointer typedef must be a distinct name (PEPROCESS), not EPROCESS again */

Go to IDA Free -> File -> Load File -> Parse Header File (or shortcut Ctrl+F9) and browse to EPROCESS.h.

On success you should see this in the IDA information window:

    The initial autoanalysis has been finished.
    C:\Documents and Settings\Admin\Desktop\EPROCESS.h: `successfully compiled`

View -> Open subviews -> Structures (or shortcut Shift+F9), press the Insert key, click "Add standard structure", start typing peb and you should see the window scroll and show you the structure you just added:

    00000000 EPROCESS        struc ; (sizeof=0x88, standard type)
    00000000 unknown         db 132 dup(?)
    00000084 Pid             dd ?
    00000088 EPROCESS        ends

Go to IDA View, select 84h, right click -> Structure offset,

and apply EPROCESS.Pid.

The disassembly will become a bit more readable:

    8B 80 84 00 00 00    mov     eax, [eax+EPROCESS.Pid]

Start adding other discovered offsets to this EPROCESS.h and load it again for updated structure definitions.

Many of the structure definitions can be viewed via WinDbg;

for example, PEB and PEB_LDR_DATA can be viewed like this:

    dt nt!_PEB
    dt nt!_PEB_LDR_DATA

Additional Details

If you modify the .h file to add other structure members like this:

    typedef struct EPROCESS {
        BYTE  unknown[0x84];
        DWORD Pid;
        BYTE  unk2[0xbc-0x88];        /* padding from end of Pid up to DebugPort */
        DWORD DebugPort;
        BYTE  unknown1[0x174-0xc0];   /* padding from end of DebugPort up to ImageFileName */
        BYTE  ImageFileName[16];
    } EPROCESS, *PEPROCESS;

Be aware that you would need to delete the earlier definitions before parsing the header file again; this implies all your earlier work will be lost on reloading, so save your work.

1
  • Thanks for this! I was using IDA Pro, but this information is helpful in situations where the definition I am looking for is indeed absent. Commented Aug 10, 2013 at 23:02
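The padding arithmetic in the answer above (unknown[0x84], unk2[0xbc-0x88], unknown1[0x174-0xc0]) is easy to get wrong by hand once more offsets are discovered. The following added example (not code from the answer or from IDA) generates such a partial header for IDA's Parse Header File from a list of (offset, type, name, count) members, fills the gaps with BYTE padding and rejects overlapping members. It assumes 32-bit type sizes, matching the ntkrnlpa.exe / WinXP SP3 case discussed above.

```python
# Generate a partial C struct header (opaque gaps as BYTE padding) for
# IDA's File -> Load File -> Parse Header File. Added example; the
# type sizes assume a 32-bit target like the WinXP ntkrnlpa.exe case.
TYPE_SIZES = {"BYTE": 1, "WORD": 2, "DWORD": 4, "PVOID": 4}

# Members discovered so far, as in the answer: (offset, ctype, name, count).
EPROCESS_MEMBERS = [
    (0x84, "DWORD", "Pid", 1),
    (0xBC, "DWORD", "DebugPort", 1),
    (0x174, "BYTE", "ImageFileName", 16),
]


def build_struct(name, members):
    """Return (header_text, known_size) for a partial struct.

    Gaps between known members become BYTE unknownN[end-start] arrays,
    written with the same offset arithmetic the hand-written header uses,
    so a later reader can audit each padding span against the offsets.
    """
    lines = [f"typedef struct {name} {{"]
    cursor = 0   # first byte not yet covered by a member
    pad = 0      # number of padding arrays emitted so far
    for off, ctype, field, count in sorted(members, key=lambda m: m[0]):
        if off < cursor:
            raise ValueError(
                f"{field} at {off:#x} overlaps previous member ending at {cursor:#x}")
        if off > cursor:
            pad_name = "unknown" if pad == 0 else f"unknown{pad}"
            span = f"[{off:#x}]" if cursor == 0 else f"[{off:#x}-{cursor:#x}]"
            lines.append(f"    BYTE {pad_name}{span};")
            pad += 1
        suffix = f"[{count}]" if count > 1 else ""
        lines.append(f"    {ctype} {field}{suffix};")
        cursor = off + TYPE_SIZES[ctype] * count
    # Pointer typedef gets its own name (P<name>), as in the corrected header.
    lines.append(f"}} {name}, *P{name};")
    return "\n".join(lines), cursor


if __name__ == "__main__":
    text, size = build_struct("EPROCESS", EPROCESS_MEMBERS)
    print(text)
    print(f"// known size: {size:#x}")
```

Write the printed text to EPROCESS.h and load it with Ctrl+F9 as described above; extend EPROCESS_MEMBERS as further offsets are confirmed in WinDbg or the disassembly.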
