Author Topic: FastPebLock

guga

FastPebLock
« on: July 02, 2014, 05:10:23 AM »
FastPebLock is a lock used by Windows to synchronize access to the PEB (Process Environment Block). This lock is actually a CRITICAL_SECTION, and is stored in the ntdll!_PEB structure.

_PEB structure snippet from a 32-bit Windows 2003 Server:
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 SpareBits        : Pos 1, 7 Bits
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : Ptr32 Void
   +0x018 ProcessHeap      : Ptr32 Void
   +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : Ptr32 Void
   ..........................................
   ..........................................
   +0x218 FlsBitmap        : Ptr32 Void
   +0x21c FlsBitmapBits    : [4] Uint4B
   +0x22c FlsHighIndex     : Uint4B


Code inside ntdll acquires this lock whenever it tries to access any field in the PEB structure; common scenarios are when the process sets or gets the current working directory, reads the process environment block, or performs operations like loading a new DLL.

The code inside ntdll doesn't follow any single way of acquiring the lock. Some of the functions in ntdll use another ntdll function, RtlAcquirePebLock(), to acquire the lock, and others directly pass the address of FastPebLock to RtlEnterCriticalSection.


int RtlAcquirePebLock()
{
  // Walk TEB -> PEB -> FastPebLock and enter the critical section stored there.
  return RtlEnterCriticalSection(NtCurrentTeb()->ProcessEnvironmentBlock->FastPebLock);
}


Although in normal circumstances we need not bother about this internal lock, if you are looking to hook any internal Windows APIs it is a good idea to keep this lock in mind, so that you won't run into unwarranted deadlock scenarios.

Reference: Debugging on Windows
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com
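As an added example (not the post's own code), a small Python parser for the WinDbg dt-style dump shown in the post: it reads each field's offset and type, tracks bit-fields and arrays, locates FastPebLock as a Ptr32 to _RTL_CRITICAL_SECTION at +0x01c, and reports the byte range the "......" elision hides. The sample dump is constructed from the lines quoted above; primitive type sizes assume a 32-bit target.

```python
import re

# Constructed sample in the format of a WinDbg "dt ntdll!_PEB" dump (the field lines quoted in the post).
DT_DUMP = """\
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 SpareBits        : Pos 1, 7 Bits
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : Ptr32 Void
   +0x018 ProcessHeap      : Ptr32 Void
   +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : Ptr32 Void
   +0x218 FlsBitmap        : Ptr32 Void
   +0x21c FlsBitmapBits    : [4] Uint4B
   +0x22c FlsHighIndex     : Uint4B
"""
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
BITFIELD_RE = re.compile(r"^Pos (\d+), (\d+) Bits?$")
ARRAY_RE = re.compile(r"^\[(\d+)\]\s+(\w+)$")          # e.g. "[4] Uint4B"
PRIM_SIZE = {"UChar": 1, "Uint2B": 2, "Uint4B": 4, "Uint8B": 8, "Ptr32": 4, "Ptr64": 8}  # assumes 32-bit target

def parse_dt(dump):
    """One dict per field line: offset, name, type, size in bytes (0 = bit-field), bit_pos, bit_len."""
    fields = []
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                   # struct header or "......" elision line
        off, name, typ = int(m.group(1), 16), m.group(2), m.group(3)
        f = {"offset": off, "name": name, "type": typ, "size": 0, "bit_pos": None, "bit_len": None}
        bf = BITFIELD_RE.match(typ)
        if bf:                         # a bit-field overlays its container byte and adds no bytes
            f["bit_pos"], f["bit_len"] = int(bf.group(1)), int(bf.group(2))
        else:
            arr = ARRAY_RE.match(typ)
            count, base = (int(arr.group(1)), arr.group(2)) if arr else (1, typ.split()[0])
            f["size"] = count * PRIM_SIZE.get(base, 0)
        fields.append(f)
    return fields

def field(fields, name): return next(f for f in fields if f["name"] == name)

def layout_gaps(fields):
    """(end_of_previous, start_of_next) for each byte range that no parsed field covers."""
    sized = sorted((f for f in fields if f["size"]), key=lambda f: f["offset"])
    return [(a["offset"] + a["size"], b["offset"]) for a, b in zip(sized, sized[1:]) if a["offset"] + a["size"] != b["offset"]]
```

Running layout_gaps over the sample reports a single uncovered range from +0x024 to +0x218, which is exactly the part of the structure the post's dump elides.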

peter_asm

Re: FastPebLock
« Reply #1 on: July 02, 2014, 10:44:29 AM »
Have you ever looked at how heap memory allocation works in PEB?

guga

Re: FastPebLock
« Reply #2 on: July 02, 2014, 01:31:06 PM »
Yes, this is what I'm working on right now. I'm rewriting the CreateToolhelp32Snapshot API to allow it to work in WinNT, and also to provide others with another source of information on the internal APIs' usage.