[转载]JIURL玩玩Win2k进程线程篇 PEB
<P>文章作者:JIURL</P><P>
<TABLE height=29 cellSpacing=0 cellPadding=0 width="96%" border=0>
<TBODY>
<TR>
<TD class=title width="100%" height=41>
<P align=center><FONT face=宋体>JIURL玩玩Win2k进程线程篇 PEB </FONT></P></TD></TR>
<TR>
<TD class=author width="100%" height=9>
<P align=center><FONT face=宋体>作者: <A href="mailto:jiurl@mail.china.com">JIURL</A> </FONT></P></TD></TR>
<TR>
<TD class=author width="100%" height=6>
<P align=center><FONT face=宋体> 主页: <A href="http://jiurl.yeah.net/">[url]http://jiurl.yeah.net[/url]</A> </FONT></P></TD></TR>
<TR>
<TD class=author width="100%" height=2>
<P align=center><FONT face=宋体> 日期: 2003-7-30</FONT> </P></TD></TR></TBODY></TABLE></P>
<DIV align=center>
<CENTER>
<TABLE height=1 cellSpacing=0 cellPadding=0 width="96%" border=0>
<TBODY>
<TR>
<TD width="100%" height=1>
<HR color=#396da5 SIZE=3>
</TD></TR></TBODY></TABLE></CENTER></DIV>
<DIV align=center>
<TABLE class=content height=4300 cellSpacing=0 cellPadding=0 width="96%" border=0>
<TBODY>
<TR>
<TD vAlign=top width="131%" height=2132>
<P> PEB,Process Environment Block ,进程环境块。位于用户地址空间。在地址 0x7FFDF000 处。所以用户进程可以直接访问自己的 PEB 结构。Win2k Build 2195 中进程的 EPROCESS 结构偏移+1b0 处的 *Peb 也指向 PEB 结构。在 undocumented.ntinternals.net (需要注意的是这是个非官方的站点)我们可以找到 PEB 及其相关结构的定义。我们首先列出结构的定义,然后对一些内容进行说明。<BR><BR>typedef struct _PEB {<BR>BOOLEAN InheritedAddressSpace;<BR>BOOLEAN ReadImageFileExecOptions;<BR>BOOLEAN BeingDebugged;<BR>BOOLEAN Spare;<BR>HANDLE Mutant;<BR>PVOID ImageBaseAddress;<BR>PPEB_LDR_DATA LoaderData;<BR>PRTL_USER_PROCESS_PARAMETERS ProcessParameters;<BR>PVOID SubSystemData;<BR>PVOID ProcessHeap;<BR>PVOID FastPebLock;<BR>PPEBLOCKROUTINE FastPebLockRoutine;<BR>PPEBLOCKROUTINE FastPebUnlockRoutine;<BR>ULONG EnvironmentUpdateCount;<BR>PPVOID KernelCallbackTable;<BR>PVOID EventLogSection;<BR>PVOID EventLog;<BR>PPEB_FREE_BLOCK FreeList;<BR>ULONG TlsExpansionCounter;<BR>PVOID TlsBitmap;<BR>ULONG TlsBitmapBits[0x2];<BR>PVOID ReadOnlySharedMemoryBase;<BR>PVOID ReadOnlySharedMemoryHeap;<BR>PPVOID ReadOnlyStaticServerData;<BR>PVOID AnsiCodePageData;<BR>PVOID OemCodePageData;<BR>PVOID UnicodeCaseTableData;<BR>ULONG NumberOfProcessors;<BR>ULONG NtGlobalFlag;<BR>BYTE Spare2[0x4];<BR>LARGE_INTEGER CriticalSectionTimeout;<BR>ULONG HeapSegmentReserve;<BR>ULONG HeapSegmentCommit;<BR>ULONG HeapDeCommitTotalFreeThreshold;<BR>ULONG HeapDeCommitFreeBlockThreshold;<BR>ULONG NumberOfHeaps;<BR>ULONG MaximumNumberOfHeaps;<BR>PPVOID *ProcessHeaps;<BR>PVOID GdiSharedHandleTable;<BR>PVOID ProcessStarterHelper;<BR>PVOID GdiDCAttributeList;<BR>PVOID LoaderLock;<BR>ULONG OSMajorVersion;<BR>ULONG OSMinorVersion;<BR>ULONG OSBuildNumber;<BR>ULONG OSPlatformId;<BR>ULONG ImageSubSystem;<BR>ULONG ImageSubSystemMajorVersion;<BR>ULONG ImageSubSystemMinorVersion;<BR>ULONG GdiHandleBuffer[0x22];<BR>ULONG PostProcessInitRoutine;<BR>ULONG TlsExpansionBitmap;<BR>BYTE TlsExpansionBitmapBits[0x80];<BR>ULONG SessionId;<BR>} PEB, *PPEB;<BR><BR>typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);<BR><BR>typedef struct _PEB_LDR_DATA {<BR>ULONG Length;<BR>BOOLEAN Initialized;<BR>PVOID SsHandle;<BR>LIST_ENTRY InLoadOrderModuleList;<BR>LIST_ENTRY InMemoryOrderModuleList;<BR>LIST_ENTRY InInitializationOrderModuleList;<BR>} PEB_LDR_DATA, *PPEB_LDR_DATA;<BR><BR>typedef struct _LDR_MODULE {<BR>LIST_ENTRY InLoadOrderModuleList;<BR>LIST_ENTRY InMemoryOrderModuleList;<BR>LIST_ENTRY InInitializationOrderModuleList;<BR>PVOID BaseAddress;<BR>PVOID EntryPoint;<BR>ULONG SizeOfImage;<BR>UNICODE_STRING FullDllName;<BR>UNICODE_STRING BaseDllName;<BR>ULONG Flags;<BR>SHORT LoadCount;<BR>SHORT TlsIndex;<BR>LIST_ENTRY HashTableEntry;<BR>ULONG TimeDateStamp;<BR>} LDR_MODULE, *PLDR_MODULE;<BR><BR>typedef struct _UNICODE_STRING {<BR>USHORT Length;<BR>USHORT MaximumLength;<BR>PWSTR Buffer;<BR>} UNICODE_STRING, *PUNICODE_STRING;<BR><BR>typedef struct _RTL_USER_PROCESS_PARAMETERS {<BR>ULONG MaximumLength;<BR>ULONG Length;<BR>ULONG Flags;<BR>ULONG DebugFlags;<BR>PVOID ConsoleHandle;<BR>ULONG ConsoleFlags;<BR>HANDLE StdInputHandle;<BR>HANDLE StdOutputHandle;<BR>HANDLE StdErrorHandle;<BR>UNICODE_STRING CurrentDirectoryPath;<BR>HANDLE CurrentDirectoryHandle;<BR>UNICODE_STRING DllPath;<BR>UNICODE_STRING ImagePathName;<BR>UNICODE_STRING CommandLine;<BR>PVOID Environment;<BR>ULONG StartingPositionLeft;<BR>ULONG StartingPositionTop;<BR>ULONG Width;<BR>ULONG Height;<BR>ULONG CharWidth;<BR>ULONG CharHeight;<BR>ULONG ConsoleTextAttributes;<BR>ULONG WindowFlags;<BR>ULONG ShowWindowFlags;<BR>UNICODE_STRING WindowTitle;<BR>UNICODE_STRING DesktopName;<BR>UNICODE_STRING ShellInfo;<BR>UNICODE_STRING RuntimeData;<BR>RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];<BR>} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;<BR><BR>typedef struct _RTL_DRIVE_LETTER_CURDIR {<BR>USHORT Flags;<BR>USHORT Length;<BR>ULONG TimeStamp;<BR>UNICODE_STRING DosPath;<BR>} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;<BR><BR>typedef struct _PEB_FREE_BLOCK {<BR>_PEB_FREE_BLOCK *Next;<BR>ULONG Size;<BR>} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;<BR><BR>我写了一个叫 <A href="http://jiurl.nease.net/cn/document/JiurlPlayWin2k/JiurlPebSee.zip">JiurlPebSee</A> 的程序来分析指定进程的 PEB。下面我结合 <A href="http://jiurl.nease.net/cn/document/JiurlPlayWin2k/JiurlPebSee.zip">JiurlPebSee</A> 的输出来对 PEB 及其相关结构的一些内容进行说明。<BR><BR>ProcessId(Decimal): 516<BR>Explorer.exe:<BR><BR>PEB at 0x7ffdf000<BR><BR>LoaderData: 0x00071e90<BR>ProcessParameters: 0x00020000<BR>ProcessHeap: 0x00070000<BR>NumberOfHeaps: 11<BR>MaximumNumberOfHeaps: 16<BR>*ProcessHeaps: 0x77fce380<BR><BR>7ffdf000: 00000000 ffffffff 00400000 00071e90<BR>7ffdf010: 00020000 00000000 00070000 77fcd170<BR>7ffdf020: 77f8aa4c 77f8aa7d 00000001 77e14380<BR>7ffdf030: 00000000 00000000 00000000 00000000<BR>7ffdf040: 77fcd1a8 03cfffff 00000000 7f6f0000<BR>7ffdf050: 7f6f0000 7f6f0688 7ffa0000 7ffa0000<BR>7ffdf060: 7ffd1000 00000001 00000000 00000000<BR>7ffdf070: 079b8000 ffffe86d 00100000 00002000<BR>7ffdf080: 00010000 00001000 0000000b 00000010<BR>7ffdf090: 77fce380 00350000 00000000 00000014<BR>7ffdf0a0: 77fcd348 00000005 00000000 00000893<BR>7ffdf0b0: 00000002 00000002 00000004 00000000<BR>7ffdf0c0: 00000000 00000000 00000002 00000000<BR>7ffdf0d0: 00000004 00000000 b51003ba 391001e4<BR>7ffdf0e0: 00000000 00000000 00000000 00000000<BR>7ffdf0f0: 00000000 00000000 00000000 00000000<BR>7ffdf100: 00000000 00000000 00000000 00000000<BR>7ffdf110: 00000000 00000000 00000000 00000000<BR>7ffdf120: 8204019c 7004019b cf04019e a104019d<BR>7ffdf130: 00000000 00000000 00000000 00000000<BR>7ffdf140: 00000000 00000000 00000000 00000000<BR>7ffdf150: 77fcdcc0 00000000 00000000 00000000<BR>7ffdf160: 00000000 00000000 00000000 00000000<BR>7ffdf170: 00000000 00000000 00000000 00000000<BR>7ffdf180: 00000000 00000000 00000000 00000000<BR>7ffdf190: 00000000 00000000 00000000 00000000<BR>7ffdf1a0: 00000000 00000000 00000000 00000000<BR>7ffdf1b0: 00000000 00000000 00000000 00000000<BR>7ffdf1c0: 00000000 00000000 00000000 00000000<BR>7ffdf1d0: 00000000 00000000 00000000 00020000<BR>7ffdf1e0: 7f6f06c2 00000000 00000000 00000000<BR>7ffdf1f0: 00000000 00000000 00000000 00000000<BR>7ffdf200: 00000000 00000000 00000000 00000000<BR>...<BR><BR>我们以进程 Explorer.exe 进行分析。<BR>LoaderData 是指向 PEB_LDR_DATA 的指针,通过 PEB_LDR_DATA ,我们可以找到进程载入的所有模组。<BR>ProcessParameters 是指向 RTL_USER_PROCESS_PARAMETERS 的指针,RTL_USER_PROCESS_PARAMETERS 中是一些进程的参数。<BR>进程通常有多个用户堆。ProcessHeap 是进程堆(默认的那个)的首地址。NumberOfHeaps 是当前进程的堆的个数。MaximumNumberOfHeaps 是进程的堆的最大个数。*ProcessHeaps 是一个堆指针数组的首地址,每个数组元素长4个字节,是一个堆的指针。<BR><BR><BR>LoaderData at 0x00071e90<BR><BR>Length: 36 Bytes<BR>Initialized: 1<BR>SsHandle: 0x00000000<BR>InLoadOrderModuleList<BR>Flink: 0x00071ec0 Blink: 0x000a0508<BR>InMemoryOrderModuleList<BR>Flink: 0x00071ec8 Blink: 0x000a0510<BR>InInitializationOrderModuleList<BR>Flink: 0x00071f48 Blink: 0x000a0518<BR><BR>Module at 0x00071ec0<BR>FullDllName: D:\WINNT\Explorer.exe<BR>BaseDllName: Explorer.exe<BR>BaseAddress: 0x00400000<BR>SizeOfImage: 0x0003c000<BR><BR>Module at 0x00071f38<BR>FullDllName: D:\WINNT\System32\ntdll.dll<BR>BaseDllName: ntdll.dll<BR>BaseAddress: 0x77f80000<BR>SizeOfImage: 0x00079000<BR><BR>Module at 0x00072470<BR>FullDllName: D:\WINNT\system32\ADVAPI32.DLL<BR>BaseDllName: ADVAPI32.DLL<BR>BaseAddress: 0x77d90000<BR>SizeOfImage: 0x0005a000<BR><BR>...<BR><BR>从PEB可以找到 PEB_LDR_DATA ,PEB_LDR_DATA 中有三个双向循环链表的表头,分别是 InLoadOrderModuleList,InMemoryOrderModuleList,InInitializationOrderModuleList。<BR>每个链表项都是一个 LDR_MODULE 结构。<BR><BR>ProcessParameters at 0x00020000<BR><BR>MaximumLength: 0x00001000<BR>Length: 0x00000838<BR>...<BR><BR><BR>Environment at 0x00010000<BR><BR>00010000: 004c0041 0055004c 00450053 00530052 A.L.L.U.S.E.R.S.<BR>00010010: 00520050 0046004f 004c0049 003d0045 P.R.O.F.I.L.E.=.<BR>00010020: 003a0049 0044005c 0063006f 006d0075 I.:.\.D.o.c.u.m.<BR>00010030: 006e0065 00730074 00610020 0064006e e.n.t.s. .a.n.d.<BR>00010040: 00530020 00740065 00690074 0067006e .S.e.t.t.i.n.g.<BR>...<BR>00010340: 00640075 00000065 0069006c 003d0062 u.d.e...l.i.b.=.<BR>00010350: 003a0047 004d005c 00630069 006f0072 G.:.\.M.i.c.r.o.<BR>00010360: 006f0073 00740066 00560020 00730069 s.o.f.t. .V.i.s.<BR>00010370: 00610075 0020006c 00740053 00640075 u.a.l. .S.t.u.d.<BR>...<BR>00010a70: 005c0031 00650054 0070006d 00540000 1.\.T.e.m.p...T.<BR>...<BR>00010b80: 003a0044 0057005c 004e0049 0054004e D.:.\.W.I.N.N.T.<BR>00010b90: 00000000 00000000 00000000 00000000 ................<BR>...<BR>00010ff0: 00000000 00000000 00000000 00000000 ................<BR><BR>RTL_USER_PROCESS_PARAMETERS 中的 PVOID Environment; 指明了环境变量的地址。<BR><BR><BR>从结构定义中就可以看出 是象 StdInputHandle,ImagePathName 这样的参数。<BR><BR><BR>ProcessHeaps at 0x77fce380<BR><BR>ProcessHeaps[0]: 0x00070000<BR>ProcessHeaps[1]: 0x00170000<BR>ProcessHeaps[2]: 0x008c0000<BR>ProcessHeaps[3]: 0x00cd0000<BR>ProcessHeaps[4]: 0x00ed0000<BR>ProcessHeaps[5]: 0x00f10000<BR>ProcessHeaps[6]: 0x01290000<BR>ProcessHeaps[7]: 0x013e0000<BR>ProcessHeaps[8]: 0x01ce0000<BR>ProcessHeaps[9]: 0x01f50000<BR>ProcessHeaps[10]: 0x03bf0000<BR><BR>77fce380: 00070000 00170000 008c0000 00cd0000<BR>77fce390: 00ed0000 00f10000 01290000 013e0000<BR>77fce3a0: 01ce0000 01f50000 03bf0000 00000000<BR>77fce3b0: 00000000 00000000 00000000 00000000<BR><BR>从 ProcessHeaps 数组,我们可以找到进程的每一个堆。
<P>为了方便观察某个进程地址空间中内容,我写了一个叫 <A href="http://jiurl.nease.net/cn/document/JiurlPlayWin2k/JiurlProcessMemSee.zip">JiurlProcessMemSee</A> 的程序,可以获得指定进程地址空间中的内容。<BR><BR>使用 KD(内核调试器) 我们也可以找到 PEB 及其相关结构的定义。<BR><BR>kd> !strct PEB<BR>!strct PEB<BR>struct _PEB (sizeof=488)<BR>+000 byte InheritedAddressSpace<BR>+001 byte ReadImageFileExecOptions<BR>+002 byte BeingDebugged<BR>+003 byte SpareBool<BR>+004 void *Mutant<BR>+008 void *ImageBaseAddress<BR>+00c struct _PEB_LDR_DATA *Ldr<BR>+010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters<BR>+014 void *SubSystemData<BR>+018 void *ProcessHeap<BR>+01c void *FastPebLock<BR>+020 void *FastPebLockRoutine<BR>+024 void *FastPebUnlockRoutine<BR>+028 uint32 EnvironmentUpdateCount<BR>+02c void *KernelCallbackTable<BR>+030 uint32 SystemReserved[2]<BR>+038 struct _PEB_FREE_BLOCK *FreeList<BR>+03c uint32 TlsExpansionCounter<BR>+040 void *TlsBitmap<BR>+044 uint32 TlsBitmapBits[2]<BR>+04c void *ReadOnlySharedMemoryBase<BR>+050 void *ReadOnlySharedMemoryHeap<BR>+054 void **ReadOnlyStaticServerData<BR>+058 void *AnsiCodePageData<BR>+05c void *OemCodePageData<BR>+060 void *UnicodeCaseTableData<BR>+064 uint32 NumberOfProcessors<BR>+068 uint32 NtGlobalFlag<BR>+070 union _LARGE_INTEGER CriticalSectionTimeout<BR>+070 uint32 LowPart<BR>+074 int32 HighPart<BR>+070 struct __unnamed3 u<BR>+070 uint32 LowPart<BR>+074 int32 HighPart<BR>+070 int64 QuadPart<BR>+078 uint32 HeapSegmentReserve<BR>+07c uint32 HeapSegmentCommit<BR>+080 uint32 HeapDeCommitTotalFreeThreshold<BR>+084 uint32 HeapDeCommitFreeBlockThreshold<BR>+088 uint32 NumberOfHeaps<BR>+08c uint32 MaximumNumberOfHeaps<BR>+090 void **ProcessHeaps<BR>+094 void *GdiSharedHandleTable<BR>+098 void *ProcessStarterHelper<BR>+09c uint32 GdiDCAttributeList<BR>+0a0 void *LoaderLock<BR>+0a4 uint32 OSMajorVersion<BR>+0a8 uint32 OSMinorVersion<BR>+0ac uint16 OSBuildNumber<BR>+0ae uint16 OSCSDVersion<BR>+0b0 uint32 OSPlatformId<BR>+0b4 uint32 ImageSubsystem<BR>+0b8 uint32 ImageSubsystemMajorVersion<BR>+0bc uint32 ImageSubsystemMinorVersion<BR>+0c0 uint32 ImageProcessAffinityMask<BR>+0c4 uint32 GdiHandleBuffer[34]<BR>+14c function *PostProcessInitRoutine<BR>+150 void *TlsExpansionBitmap<BR>+154 uint32 TlsExpansionBitmapBits[32]<BR>+1d4 uint32 SessionId<BR>+1d8 void *AppCompatInfo<BR>+1dc struct _UNICODE_STRING CSDVersion<BR>+1dc uint16 Length<BR>+1de uint16 MaximumLength<BR>+1e0 uint16 *Buffer<BR><BR>kd> !strct PEB_LDR_DATA<BR>!strct PEB_LDR_DATA<BR>struct _PEB_LDR_DATA (sizeof=36)<BR>+00 uint32 Length<BR>+04 byte Initialized<BR>+08 void *SsHandle<BR>+0c struct _LIST_ENTRY InLoadOrderModuleList<BR>+0c struct _LIST_ENTRY *Flink<BR>+10 struct _LIST_ENTRY *Blink<BR>+14 struct _LIST_ENTRY InMemoryOrderModuleList<BR>+14 struct _LIST_ENTRY *Flink<BR>+18 struct _LIST_ENTRY *Blink<BR>+1c struct _LIST_ENTRY InInitializationOrderModuleList<BR>+1c struct _LIST_ENTRY *Flink<BR>+20 struct _LIST_ENTRY *Blink<BR><BR>kd> !strct RTL_USER_PROCESS_PARAMETERS<BR>!strct RTL_USER_PROCESS_PARAMETERS<BR>struct _RTL_USER_PROCESS_PARAMETERS (sizeof=656)<BR>+000 uint32 MaximumLength<BR>+004 uint32 Length<BR>+008 uint32 Flags<BR>+00c uint32 DebugFlags<BR>+010 void *ConsoleHandle<BR>+014 uint32 ConsoleFlags<BR>+018 void *StandardInput<BR>+01c void *StandardOutput<BR>+020 void *StandardError<BR>+024 struct _CURDIR CurrentDirectory<BR>+024 struct _UNICODE_STRING DosPath<BR>+024 uint16 Length<BR>+026 uint16 MaximumLength<BR>+028 uint16 *Buffer<BR>+02c void *Handle<BR>+030 struct _UNICODE_STRING DllPath<BR>+030 uint16 Length<BR>+032 uint16 MaximumLength<BR>+034 uint16 *Buffer<BR>+038 struct _UNICODE_STRING ImagePathName<BR>+038 uint16 Length<BR>+03a uint16 MaximumLength<BR>+03c uint16 *Buffer<BR>+040 struct _UNICODE_STRING CommandLine<BR>+040 uint16 Length<BR>+042 uint16 MaximumLength<BR>+044 uint16 *Buffer<BR>+048 void *Environment<BR>+04c uint32 StartingX<BR>+050 uint32 StartingY<BR>+054 uint32 CountX<BR>+058 uint32 CountY<BR>+05c uint32 CountCharsX<BR>+060 uint32 CountCharsY<BR>+064 uint32 FillAttribute<BR>+068 uint32 WindowFlags<BR>+06c uint32 ShowWindowFlags<BR>+070 struct _UNICODE_STRING WindowTitle<BR>+070 uint16 Length<BR>+072 uint16 MaximumLength<BR>+074 uint16 *Buffer<BR>+078 struct _UNICODE_STRING DesktopInfo<BR>+078 uint16 Length<BR>+07a uint16 MaximumLength<BR>+07c uint16 *Buffer<BR>+080 struct _UNICODE_STRING ShellInfo<BR>+080 uint16 Length<BR>+082 uint16 MaximumLength<BR>+084 uint16 *Buffer<BR>+088 struct _UNICODE_STRING RuntimeData<BR>+088 uint16 Length<BR>+08a uint16 MaximumLength<BR>+08c uint16 *Buffer<BR>+090 struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]<BR>uint16 Flags<BR>uint16 Length<BR>uint32 TimeStamp<BR>struct _STRING DosPath<BR>uint16 Length<BR>uint16 MaximumLength<BR>char *Buffer<BR><BR>kd> !strct RTL_DRIVE_LETTER_CURDIR<BR>!strct RTL_DRIVE_LETTER_CURDIR<BR>struct _RTL_DRIVE_LETTER_CURDIR (sizeof=16)<BR>+00 uint16 Flags<BR>+02 uint16 Length<BR>+04 uint32 TimeStamp<BR>+08 struct _STRING DosPath<BR>+08 uint16 Length<BR>+0a uint16 MaximumLength<BR>+0c char *Buffer<BR><BR>kd> !strct PEB_FREE_BLOCK<BR>!strct PEB_FREE_BLOCK<BR>struct _PEB_FREE_BLOCK (sizeof=8)<BR>+0 struct _PEB_FREE_BLOCK *Next<BR>+4 uint32 Size
<P>欢迎交流,欢迎交朋友,<BR>欢迎访问 <A href="http://jiurl.yeah.net/">[url]http://jiurl.yeah.net[/url]</A> <A href="http://jiurl.cosoft.org.cn/forum">[url]http://jiurl.cosoft.org.cn/forum[/url]</A><BR><BR><BR><A href="http://jiurl.nease.net/cn/document/JiurlPlayWin2k/JiurlPebSee.zip">下载 JiurlPebSee 可执行文件及源程序</A><BR><A href="http://jiurl.nease.net/cn/document/JiurlPlayWin2k/JiurlProcessMemSee.zip">下载 JiurlProcessMemSee 可执行文件及源程序</A> <BR><BR></P></TD></TR></TBODY></TABLE></DIV>
页:
[1]