_PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY Flashcards

1
Q

_PEB_LDR_DATA

A

The structure that the PEB's Ldr member points to. It holds the heads of three doubly linked lists (InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList), and every node on all three lists is a _LDR_DATA_TABLE_ENTRY: one entry per module, threaded onto each list through its own LIST_ENTRY members (InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks). The term "module" here refers to any executable image, which includes the process executable as well as its DLLs.

2
Q

_PEB_LDR_DATA - InLoadOrderModuleList

A

A linked list that organizes modules in the order in which they were loaded into the process. Because the process executable is always the first image mapped into the address space, its entry is first in this list, followed by ntdll.dll.

3
Q

_PEB_LDR_DATA - InMemoryOrderModuleList

A

A linked list that organizes modules in the order in which they appear in the process's virtual memory layout, that is, by ascending base address. This usually differs from the load order: the last DLL to load may end up at a lower base address than the first (because of address space layout randomization [ASLR] and other factors).

4
Q

_PEB_LDR_DATA - InInitializationOrderModuleList

A

A linked list that organizes modules in the order in which their DllMain function was executed. This is different from the load order list because a module's DllMain isn't always called immediately when it loads, and sometimes it is never called, for example when a DLL is loaded as a data file or image resource. The process executable itself does not appear in this list, since the loader does not run it through DllMain; ntdll.dll is the first entry.

5
Q

_LDR_DATA_TABLE_ENTRY - DllBase

A

This is the base address at which the module is actually mapped in process memory (after any ASLR relocation, so it may differ from the preferred ImageBase in the PE header). DLL dumping plugins such as Volatility's dlldump read this address to know where to start carving.

6
Q

_LDR_DATA_TABLE_ENTRY - EntryPoint

A

The address of the first instruction the loader transfers control to in the module (the routine that ends up calling DllMain for a DLL). In most cases it is DllBase plus the PE header's AddressOfEntryPoint value; it is 0 for an image that has no entry point.

7
Q

_LDR_DATA_TABLE_ENTRY - SizeOfImage

A

The size of the module's mapping in virtual memory, in bytes (the PE header's SizeOfImage). Together with DllBase it bounds the region a dumping plugin carves; it is usually larger than the file on disk because sections are padded to the section alignment.

8
Q

_LDR_DATA_TABLE_ENTRY - FullDllName

A

The full path to the module's file on disk, stored as a _UNICODE_STRING (for example, C:\Windows\System32\kernel32.dll).

9
Q

_LDR_DATA_TABLE_ENTRY - BaseDllName

A

The base portion of the module's filename, also a _UNICODE_STRING (for example, kernel32.dll).

10
Q

_LDR_DATA_TABLE_ENTRY - LoadCount

A

The module's reference count: the number of times LoadLibrary was called for it, decremented by FreeLibrary, so the loader knows when it is safe to unmap the DLL from process memory. A value of 0xFFFF marks a module that is never unloaded, which is how the loader treats static dependencies resolved through the import address table (IAT); any other value indicates the DLL was brought in by explicit LoadLibrary calls, so the field can be used to tell the two apart. On Windows 8 and later this field is named ObsoleteLoadCount and the live count is kept in the entry's DdagNode.
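Added example, not part of the flashcards and not any forensics tool's own code: a small Python parser that walks the three _PEB_LDR_DATA lists described in cards 2 to 4 and decodes the _LDR_DATA_TABLE_ENTRY fields from cards 5 to 10, against a constructed byte image of a 64-bit process. The field offsets are those of the public Windows 7/10 x64 symbols; the module names, base addresses, sizes, entry points and load counts are made up for illustration, and the Memory class stands in for whatever address-space reader a real plugin would use. It shows two things the cards leave implicit: each Flink points at the LIST_ENTRY embedded in an entry rather than at the entry itself, so the walker subtracts a different offset per list, and the same entries come out in three different orders.

```python
import struct

# Field offsets from the 64-bit Windows 7/10 public symbols (assumed layout).
LDR_LISTS = {  # list name -> (head offset in _PEB_LDR_DATA, link offset in _LDR_DATA_TABLE_ENTRY)
    "InLoadOrderModuleList": (0x10, 0x00),
    "InMemoryOrderModuleList": (0x20, 0x10),
    "InInitializationOrderModuleList": (0x30, 0x20),
}
E_DLLBASE, E_ENTRYPOINT, E_SIZEOFIMAGE = 0x30, 0x38, 0x40  # _LDR_DATA_TABLE_ENTRY fields
E_FULLDLLNAME, E_BASEDLLNAME, E_LOADCOUNT = 0x48, 0x58, 0x6C

class Memory:
    """Flat byte arena standing in for a region of a process memory dump."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def read(self, addr, n):
        off = addr - self.base
        if not 0 <= off <= len(self.buf) - n:
            raise ValueError(f"read outside image at {addr:#x}")
        return bytes(self.buf[off:off + n])
    def write(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data
    def unpack(self, fmt, addr):
        return struct.unpack("<" + fmt, self.read(addr, struct.calcsize("<" + fmt)))

def read_unicode_string(mem, addr):
    """_UNICODE_STRING: USHORT Length (in bytes), USHORT MaximumLength, pad, PWSTR Buffer."""
    length, _maxlen, _pad, buffer = mem.unpack("HHIQ", addr)
    return mem.read(buffer, length).decode("utf-16-le")

def walk_list(mem, head, link_off, max_entries=4096):
    """Yield entry base addresses from a circular LIST_ENTRY chain. Flink points at
    the LIST_ENTRY embedded in the entry, not at the entry, so subtract that link's
    offset (CONTAINING_RECORD); stop at the head and refuse to spin on a looped list."""
    flink, seen = mem.unpack("Q", head)[0], set()
    while flink != head:
        if flink in seen or len(seen) >= max_entries:
            raise ValueError(f"loader list looped or corrupted at {flink:#x}")
        seen.add(flink)
        yield flink - link_off
        flink = mem.unpack("Q", flink)[0]

def parse_entry(mem, entry):
    base, entry_point, size = mem.unpack("QQI", entry + E_DLLBASE)  # three adjacent fields
    count = mem.unpack("H", entry + E_LOADCOUNT)[0]
    return {
        "DllBase": base, "EntryPoint": entry_point, "SizeOfImage": size,
        "FullDllName": read_unicode_string(mem, entry + E_FULLDLLNAME),
        "BaseDllName": read_unicode_string(mem, entry + E_BASEDLLNAME),
        "LoadCount": count,
        # 0xFFFF pins the module for the process lifetime (static import); otherwise LoadLibrary refs.
        "LoadedVia": "static import" if count == 0xFFFF else "LoadLibrary",
    }

def list_modules(mem, ldr, list_name):
    head_off, link_off = LDR_LISTS[list_name]
    return [parse_entry(mem, e) for e in walk_list(mem, ldr + head_off, link_off)]

# Constructed sample (made-up values, not a real dump):
SAMPLE_MODULES = [  # (BaseDllName, FullDllName, DllBase, SizeOfImage, AddressOfEntryPoint RVA, LoadCount)
    ("sample.exe",   r"C:\Tools\sample.exe",              0x7FF6A0000000, 0x23000,  0x1400,  0xFFFF),
    ("ntdll.dll",    r"C:\Windows\System32\ntdll.dll",    0x7FFC30000000, 0x1F0000, 0,       0xFFFF),  # no PE entry point
    ("kernel32.dll", r"C:\Windows\System32\kernel32.dll", 0x7FFC10000000, 0xC0000,  0x17810, 0xFFFF),
    ("winhttp.dll",  r"C:\Windows\System32\winhttp.dll",  0x7FFBF0000000, 0x100000, 0x1F9A0, 1),  # LoadLibrary'd last
]

def _link_chain(mem, head, nodes):
    """Write a circular doubly linked LIST_ENTRY ring: head -> nodes... -> head."""
    ring = [head] + nodes
    for i, node in enumerate(ring):
        mem.write(node, struct.pack("<QQ", ring[(i + 1) % len(ring)], ring[i - 1]))

def _write_unicode_string(mem, addr, text, buf):
    data = text.encode("utf-16-le") + b"\x00\x00"
    mem.write(buf, data)
    mem.write(addr, struct.pack("<HHIQ", len(data) - 2, len(data), 0, buf))
    return buf + len(data)  # next free buffer address

def build_sample_image():
    """One _PEB_LDR_DATA plus four entries, threaded onto the three lists the way a
    real x64 process would thread them. Returns (memory, address of _PEB_LDR_DATA)."""
    mem, ldr, strings, entry = Memory(0x10000, 0x2000), 0x10000, 0x11000, {}
    for i, (name, path, base, size, ep_rva, count) in enumerate(SAMPLE_MODULES):
        e = entry[name] = 0x10100 + i * 0x100
        # EntryPoint = DllBase + AddressOfEntryPoint, or 0 when the PE has no entry point.
        mem.write(e + E_DLLBASE, struct.pack("<QQI", base, base + ep_rva if ep_rva else 0, size))
        strings = _write_unicode_string(mem, e + E_FULLDLLNAME, path, strings)
        strings = _write_unicode_string(mem, e + E_BASEDLLNAME, name, strings)
        mem.write(e + E_LOADCOUNT, struct.pack("<H", count))
    load_order = [m[0] for m in SAMPLE_MODULES]
    memory_order = [m[0] for m in sorted(SAMPLE_MODULES, key=lambda m: m[2])]  # ascending DllBase
    init_order = load_order[1:]  # the exe has no loader-run DllMain, so it is absent; ntdll comes first
    for name, order in (("InLoadOrderModuleList", load_order),
                        ("InMemoryOrderModuleList", memory_order),
                        ("InInitializationOrderModuleList", init_order)):
        head_off, link_off = LDR_LISTS[name]
        _link_chain(mem, ldr + head_off, [entry[n] + link_off for n in order])
    return mem, ldr

if __name__ == "__main__":  # same four entries, three different orders, dlllist style
    mem, ldr = build_sample_image()
    for name in LDR_LISTS:
        print(name, [m["BaseDllName"] for m in list_modules(mem, ldr, name)])
```

The loop guard in walk_list matters on real dumps: a list that has been unlinked or tampered with can point back into itself, and a naive walker never terminates. Comparing the three orderings against each other is also the basis of hidden-module detection (a DLL unlinked from one list but still present in another), with the process executable's legitimate absence from InInitializationOrderModuleList being the one discrepancy to expect.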
