How are the members of the Windows Process Environment Block initialized?
I would like to understand how a process's NLS data is initialized in the PEB structure, in particular the AnsiCodePageData, OemCodePageData and UnicodeCaseTableData members. I suspect that Winload's CmpFindNlsData is responsible for populating these strings, but I am missing the link between the strings being initialized in CmpFindNlsData and their being populated in each process's PEB.
dt _PEB 002b0000
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y0
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 IsPackagedProcess : 0y0
+0x003 IsAppContainer : 0y0
+0x003 IsProtectedProcessLight : 0y0
+0x003 IsLongPathAwareProcess : 0y0
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x66200000 Void
+0x00c Ldr : 0x7753cb80 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x00441d18 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00440000 Void
+0x01c FastPebLock : 0x7753c940 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 2
+0x028 ProcessInJob : 0y0
+0x028 ProcessInitializing : 0y1
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ProcessPreviouslyThrottled : 0y0
+0x028 ProcessCurrentlyThrottled : 0y0
+0x028 ProcessImagesHotPatched : 0y0
+0x028 ReservedBits0 : 0y000000000000000000000000 (0)
+0x02c KernelCallbackTable : (null)
+0x02c UserSharedInfoPtr : (null)
+0x030 SystemReserved : 0
+0x034 AtlThunkSListPtr32 : (null)
+0x038 ApiSetMap : 0x00030000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x7753cb28 Void
+0x044 TlsBitmapBits : [2] 0x10001
+0x04c ReadOnlySharedMemoryBase : 0x7fe80000 Void
+0x050 SharedData : (null)
+0x054 ReadOnlyStaticServerData : 0x7fe804b0 -> (null)
+0x058 AnsiCodePageData : 0x7ffb0000 Void
+0x05c OemCodePageData : 0x7ffc0224 Void
+0x060 UnicodeCaseTableData : 0x7ffd0648 Void
+0x064 NumberOfProcessors : 2
+0x068 NtGlobalFlag : 0x70
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 2
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x7753b6c0 -> 0x00440000 Void
+0x094 GdiSharedHandleTable : (null)
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0
+0x0a0 LoaderLock : 0x7753a378 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : 0xa
+0x0a8 OSMinorVersion : 0
+0x0ac OSBuildNumber : 0x47bb
+0x0ae OSCSDVersion : 0
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 3
+0x0b8 ImageSubsystemMajorVersion : 6
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ActiveProcessAffinityMask : 3
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x7753cb18 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : 0x00160000 Void
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING ""
+0x1f8 ActivationContextData : (null)
+0x1fc ProcessAssemblyStorageMap : (null)
+0x200 SystemDefaultActivationContextData : 0x00150000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x20c SparePointers : [4] (null)
+0x21c SpareUlongs : [5] 0
+0x230 WerRegistrationData : (null)
+0x234 WerShipAssertPtr : (null)
+0x238 pUnused : (null)
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 LibLoaderTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y00000000000000000000000000000 (0)
+0x248 CsrServerReadOnlySharedMemoryBase : 0x7fbe0000
+0x250 TppWorkerpListLock : 0
+0x254 TppWorkerpList : _LIST_ENTRY [ 0x2b0254 - 0x2b0254 ]
+0x25c WaitOnAddressHashTable : [128] (null)
+0x45c TelemetryCoverageHeader : (null)
+0x460 CloudFileFlags : 0
+0x464 CloudFileDiagFlags : 0
+0x468 PlaceholderCompatibilityMode : 0 ''
+0x469 PlaceholderCompatibilityModeReserved : [7] ""
+0x470 LeapSecondData : 0x7ffa0000 _LEAP_SECOND_DATA
+0x474 LeapSecondFlags : 0
+0x474 SixtySecondEnabled : 0y0
+0x474 Reserved : 0y0000000000000000000000000000000 (0)
+0x478 NtGlobalFlag2 : 0
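See ReactOS for an example of how the NLS section is created and mapped into a process, especially and. Note that Windows 10 supports setting UTF-8 as the active code page at the system or application level, in which case the AnsiCodePageData and OemCodePageData fields will be NULL.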
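As an added example (not part of the original question or answer), the following Python sketch parses `dt _PEB` output in the format shown above, pulls out the three NLS pointers, reports each table's offset from the lowest pointer, and flags the case the answer describes where AnsiCodePageData and OemCodePageData are NULL. Both dumps are constructed samples; the second one, including its non-NULL UnicodeCaseTableData value, is an assumption made for illustration.

```python
import re

# Constructed sample: the three NLS lines from the dt _PEB dump above.
DUMP_LEGACY = """\
   +0x058 AnsiCodePageData : 0x7ffb0000 Void
   +0x05c OemCodePageData : 0x7ffc0224 Void
   +0x060 UnicodeCaseTableData : 0x7ffd0648 Void
"""
# Constructed sample (assumption): a process whose active code page is UTF-8.
DUMP_UTF8 = """\
   +0x058 AnsiCodePageData : (null)
   +0x05c OemCodePageData : (null)
   +0x060 UnicodeCaseTableData : 0x7ffd0648 Void
"""

NLS_FIELDS = ("AnsiCodePageData", "OemCodePageData", "UnicodeCaseTableData")
# Matches "+0xOFF Name : 0xVALUE" or "+0xOFF Name : (null)"; 64-bit WinDbg
# pointers contain a backtick separator, so it is allowed in the value.
LINE_RE = re.compile(r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s*:\s*(\(null\)|0x[0-9a-fA-F`]+)")

def parse_nls_fields(dump):
    """Return {field: pointer or None} for the NLS members of a dt _PEB dump."""
    found = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in NLS_FIELDS:
            value = m.group(2)
            found[m.group(1)] = None if value == "(null)" else int(value.replace("`", ""), 16)
    missing = [f for f in NLS_FIELDS if f not in found]
    if missing:
        raise ValueError("dump lacks NLS fields: " + ", ".join(missing))
    return found

def summarize(dump):
    """Flag the NULL ANSI/OEM case and give each mapped table's offset from the lowest pointer."""
    fields = parse_nls_fields(dump)
    mapped = {k: v for k, v in fields.items() if v is not None}
    base = min(mapped.values()) if mapped else None
    return {
        # Per the answer above, both fields are NULL when UTF-8 is the active code page.
        "utf8_acp_suspected": fields["AnsiCodePageData"] is None
        and fields["OemCodePageData"] is None,
        "offsets": {k: v - base for k, v in mapped.items()},
    }

if __name__ == "__main__":
    for name, dump in (("legacy", DUMP_LEGACY), ("utf8", DUMP_UTF8)):
        print(name, summarize(dump))
```

Code that dereferences these PEB fields directly should perform the same NULL check before reading the tables.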