2009年2月16日星期一

peb中的事

CreateProcess->NtCreateProcess->NtCreateThread->NotifyRoutine
父进程先把子进程的 ProcessParameters 设置好，子进程随后会自己再处理一遍这些数据。在这个时间点（NotifyRoutine 被调用时），ImagePathName、CommandLine 等 UNICODE_STRING 的 Buffer 还是相对于 ProcessParameters 的偏移（例如下面的 0x5fc），而不是绝对指针，所以 !peb 能按偏移解析出路径，而 dt 直接按指针读取时会报 memory read error。

kd> ba r4 nt!PspCreateProcessNotifyRoutineCount

kd> .process /i 81477020
You need to continue execution (press 'g' ) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

kd> !peb
PEB at 7ffdf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00400000
Ldr 00000000
*** unable to read Ldr table at 00000000
SubSystemData: 00000000
ProcessHeap: 00000000
ProcessParameters: 00020000
WindowTitle: 'C:\Program Files\Internet Explorer\iexplore.exe'
ImageFile: 'C:\Program Files\Internet Explorer\iexplore.exe'
CommandLine: '"C:\Program Files\Internet Explorer\iexplore.exe"'
DllPath: 'C:\Program Files\Internet Explorer;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Internet Explorer;'
Environment: 00010000
=::=::\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DEBUG
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\DEBUG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Internet Explorer;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f08
ProgramFiles=C:\Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=DEBUG
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
kd> dt -r -v nt!_PEB 7ffdf000
struct _PEB, 66 elements, 0x210 bytes
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 SpareBool : 0 ''
+0x004 Mutant : 0xffffffff
+0x008 ImageBaseAddress : 0x00400000
+0x00c Ldr : (null)
+0x010 ProcessParameters : 0x00020000 struct _RTL_USER_PROCESS_PARAMETERS, 28 elements, 0x290 bytes
+0x000 MaximumLength : 0x1000
+0x004 Length : 0x744
+0x008 Flags : 0
+0x00c DebugFlags : 0
+0x010 ConsoleHandle : 0xfffffffe
+0x014 ConsoleFlags : 0
+0x018 StandardInput : (null)
+0x01c StandardOutput : 0x00010001
+0x020 StandardError : (null)
+0x024 CurrentDirectory : struct _CURDIR, 2 elements, 0xc bytes
+0x000 DosPath : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x00000290 ---"
+0x008 Handle : (null)
+0x030 DllPath : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x00000498 ---"
+0x000 Length : 0x162
+0x002 MaximumLength : 0x164
+0x004 Buffer : 0x00000498 "--- memory read error at address 0x00000498 ---"
+0x038 ImagePathName : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x000005fc ---"
+0x000 Length : 0x5e
+0x002 MaximumLength : 0x60
+0x004 Buffer : 0x000005fc "--- memory read error at address 0x000005fc ---"
+0x040 CommandLine : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x0000065c ---"
+0x000 Length : 0x62
+0x002 MaximumLength : 0x64
+0x004 Buffer : 0x0000065c "--- memory read error at address 0x0000065c ---"
+0x048 Environment : 0x00010000
+0x04c StartingX : 0
+0x050 StartingY : 0
+0x054 CountX : 0
+0x058 CountY : 0
+0x05c CountCharsX : 0
+0x060 CountCharsY : 0
+0x064 FillAttribute : 0
+0x068 WindowFlags : 0x401
+0x06c ShowWindowFlags : 1
+0x070 WindowTitle : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x000006c0 ---"
+0x000 Length : 0x5e
+0x002 MaximumLength : 0x60
+0x004 Buffer : 0x000006c0 "--- memory read error at address 0x000006c0 ---"
+0x078 DesktopInfo : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x00000720 ---"
+0x000 Length : 0x1e
+0x002 MaximumLength : 0x20
+0x004 Buffer : 0x00000720 "--- memory read error at address 0x00000720 ---"
+0x080 ShellInfo : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"--- memory read error at address 0x00000740 ---" +0x000 Length : 0
+0x002 MaximumLength : 2
+0x004 Buffer : 0x00000740 "--- memory read error at address 0x00000740 ---"
+0x088 RuntimeData : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"" +0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x090 CurrentDirectores : [32] struct _RTL_DRIVE_LETTER_CURDIR, 4 elements, 0x10 bytes
+0x000 Flags : 0
+0x002 Length : 0
+0x004 TimeStamp : 0
+0x008 DosPath : struct _STRING, 3 elements, 0x8 bytes
"" +0x014 SubSystemData : (null)
+0x018 ProcessHeap : (null)
+0x01c FastPebLock : (null)
+0x020 FastPebLockRoutine : (null)
+0x024 FastPebUnlockRoutine : (null)
+0x028 EnvironmentUpdateCount : 0
+0x02c KernelCallbackTable : (null)
