导入表内注入代码（二）

核心提示： 14. CONTEXT Context;15. LDT_ENTRY SelEntry;16.17. Context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;18. GetThreadContext(hThread,&Con

14. CONTEXT Context;
15. LDT_ENTRY SelEntry;
16.
17. Context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
18. GetThreadContext(hThread,&Context);
19.
20. // Calculate the base address of FS
21. GetThreadSelectorEntry(hThread, Context.SegFs, &SelEntry);
22. DWORD dwFSBase = ( SelEntry.HighWord.Bits.BaseHi << 24) |
23. (SelEntry.HighWord.Bits.BaseMid << 16) |
24. SelEntry.BaseLow;25. Thread Environment Block (线程环境块TEB)通过读取目标进程的虚拟内存内部它的位置来获得。该线程和进程环境块，图 12，在"Undocumented Windows 2000 secrets" [4]中有详尽解释，另外NTInternals team[5]展示了完整的TEB 和 PEB定义。正如我猜测的，Microsoft team（微软开发团队）忘记提供关于它们的信息或无意于让它们公之于众！正是这个原因让我喜欢Linux team:)

26. PTEB pteb = new TEB;
27. PPEB ppeb = new PEB;
28. DWORD dwBytes;
29.
30. ReadProcessMemory( hProcess, (LPCVOID)dwFSBase, pteb, sizeof(TEB), &dwBytes);
31. ReadProcessMemory( hProcess, (LPCVOID)pteb->Peb, ppeb, sizeof(PEB), &dwBytes);

图 12 - The Thread Environment Blocks and the Process Environment Block

32. 从进程环境块信息中可以发现当前进程的内存中的PE image的image base（基址）。

33. DWORD dwImageBase = (DWORD)ppeb->ImageBaseAddress;34. ReadProcessMemory()帮助我们来读取PE文件的完整image。