Notebook

In this post, I'd like to explore Loader Data which is part of Process Environment Block ( PEB ). This structure tells us what are the dlls are loaded by the process. To start with, I've loaded my sample program through WinDbg and all symbol paths are set. Then I've executed following command: !peb and received following output. (I've trimmed the output) for readability purpose. If we look at the PEB structure below, the highlighted one is important to us. This is basically a NT structure known as _PEB_LDR_DATA . PEB at 7efde000     InheritedAddressSpace:    No     ReadImageFileExecOptions: No     BeingDebugged:            Yes     ImageBaseAddress:         00400000     Ldr                       775f0200      <=========_PEB_LDR _DATA at 775f0200     Ldr.Initialized:          Yes     Ldr.InInitializationOrderModuleList: 00593288 . 00594308     Ldr.InLoadOrderModuleList:           005931e8 . 00594018     Ldr.InMemoryOrderModuleList:         005931f0 . 0

Microsoft has given ability to its development tool to suit the requirement as per developer wish. I had a requirement which needs to play multiple instances of media player on a single monitor. As a feature we know Media player can have only one instance running at a time. So I was scratching my head and finally a solution struck me, which is embedding multiple Media player instances on a single Win Form. I've used C#.net and Windows Media Player library to solve the problem. Let's a have a look in the below sample program, the code is quite self explanatory. This sample code created an array of 2 Windows Media player instances and playing two audio (mp3) files simultaneously. The Recreate button destroys the previous instances and creates two more new one. This is a very basic code and it can be modified as per more complex requirement. However, running large number of multiple instances of Windows Media Player isn't advisable. using System; using System.Collections

In this section, I’d like to disassemble our main function which we’ve written in series 1 and would like to see how it looks like. Also would like to see if we can see the string “Hello World”. I’ve launched my sample executable using WinDbg. Then Issued following command: x sample_hello!*main* *** WARNING: Unable to verify checksum for Sample_Hello.exe 00419048           Sample_Hello!__native_dllmain_reason = 0xffffffff 0041917c           Sample_Hello!mainret = 0n0 004114b0           Sample_Hello!wmain (int, wchar_t **) 004122b0           Sample_Hello!__tmainCRTStartup (void) 00412290           Sample_Hello!wmainCRTStartup (void) 00413592           Sample_Hello!__wgetmainargs ( ) 0041a3d8           Sample_Hello!_imp____wgetmainargs = Since we know my intended function is ‘main’ so I searched for it. The highlighted one is our main function. Then unassembled the function using following command: 0:000> uf Sample_Hello!wmain Sample_Hello!wmain

This part of the discussion will revolve more towards inside of Windows OS. I bet you’ll love the way it has been designed and evolved. Issues might be there while using the OS but it’s a matter of debate whether application has been designed the way windows expect etc. This is not the space for that debate. Also, it’s is a not aim to teach anyone about windows but some facts and figure and little bit stack analysis and more. This is the first attempt from my side to do little bit debugging (I’m not an experienced debugger without source code) for user mode. Note: Mark’s (Mark Russionovich, widely popular for his work in Windows Internals) work always been inspiring for me. Let’s start the journey : In this series target environment is x86. In this series, I’d like to cover: 1.        Thread Environment Block: It’s a data structure that stores info about the currently running thread of a process. 2.        How it looks and what’s the significance of it? Le