Hacking/Windows internals/Process/Memory/PEB
From Skypher
The PEB can be found easily in the Memory map by looking in the Contains column for "Process Environment Block". It is also always loaded near the end of the user-land address space, in the same area as the TEBs. As with the TEB, if you double-click on the PEB, OllyDbg opens a memory dump that is automatically formatted to display the information in the PEB. It should look something like this:

```
Dump - 7EFDE000..7EFDEFFF
Address |Hex dump |Decoded data |Comments
7EFDE000| . 00 |DB 00 |InheritedAddressSpace = 0
7EFDE001| . 00 |DB 00 |ReadImageFileExecOptions = 0
7EFDE002| . 01 |DB 01 |BeingDebugged = TRUE
7EFDE003| . 08 |DB 08 |SpareBool = TRUE
7EFDE004| . FFFFFFFF|DD FFFFFFFF |Mutant = INVALID_HANDLE_VALUE
7EFDE008| . 0000884A|DD OFFSET cmd.<STRUCT IM|ImageBaseAddress = 4A880000
7EFDE00C| . 2001C577|DD OFFSET ntdll.77C50120|LoaderData = ntdll.77C50120
7EFDE010| . 50147400|DD 00741450 |ProcessParameters = 741450
7EFDE014| . 00000000|DD 00000000 |SubSystemData = NULL
7EFDE018| . 00007400|DD 00740000 |ProcessHeap = 00740000
7EFDE01C| . E001C577|DD OFFSET ntdll.77C501E0|FastPebLock = ntdll.77C501E0
7EFDE020| . 00000000|DD 00000000 |FastPebLockRoutine = 00000000
7EFDE024| . 00000000|DD 00000000 |FastPebUnlockRoutine = 00000000
7EFDE028| . 01000000|DD 00000001 |EnvironmentUpdateCount = 1
7EFDE02C| . 00000000|DD 00000000 |KernelCallbackTable = NULL
7EFDE030| . 00000000|DD 00000000 |Reserved = 0
7EFDE034| . 00000000|DD 00000000 |Reserved = 0
7EFDE038| . 00000000|DD 00000000 |FreeList = 0
7EFDE03C| . 00000000|DD 00000000 |TlsExpansionCounter = 0
7EFDE040| . 6825C577|DD OFFSET ntdll.77C52568|TlsBitmap = ntdll.77C52568
7EFDE044| . 07000000|DD 00000007 |TlsBitmapBits[2] = 7
7EFDE048| . 00000000|DD 00000000 |
7EFDE04C| . 0000FE7E|DD 7EFE0000 |ReadOnlySharedMemoryBase = 7EFE0000
7EFDE050| . 00000000|DD 00000000 |ReadOnlySharedMemoryHeap = NULL
7EFDE054| . 800AFE7E|DD 7EFE0A80 |ReadOnlyStaticServerData = 7EFE0A80
7EFDE058| . 0000FB7E|DD 7EFB0000 |AnsiCodePageData = 7EFB0000
7EFDE05C| . 2802FC7E|DD 7EFC0228 |OemCodePageData = 7EFC0228
7EFDE060| . 5006FD7E|DD 7EFD0650 |UnicodeCaseTableData = 7EFD0650
7EFDE064| . 04000000|DD 00000004 |NumberOfProcessors = 4
7EFDE068| . 70000000|DD 00000070 |NtGlobalFlag = 112.
7EFDE06C| . 00000000|DD 00000000 |Reserved = 0
7EFDE070| . 00809B07|DD 079B8000 |CriticalSectionTimeout_Lo = 79B8000
7EFDE074| . 6DE8FFFF|DD FFFFE86D |CriticalSectionTimeout_Hi = -1793
7EFDE078| . 00001000|DD 00100000 |HeapSegmentReserve = 1048576.
7EFDE07C| . 00200000|DD 00002000 |HeapSegmentCommit = 8192.
7EFDE080| . 00000100|DD 00010000 |HeapDeCommitTotalFreeThreshold = 65536.
7EFDE084| . 00100000|DD 00001000 |HeapDeCommitFreeBlockThreshold = 4096.
7EFDE088| . 02000000|DD 00000002 |NumberOfHeaps = 2
7EFDE08C| . 10000000|DD 00000010 |MaximumNumberOfHeaps = 16.
7EFDE090| . 8025C577|DD OFFSET ntdll.77C52580|ProcessHeaps = 77C52580
7EFDE094| . 00000000|DD 00000000 |GdiSharedHandleTable = NULL
7EFDE098| . 00000000|DD 00000000 |ProcessStarterHelper = NULL
7EFDE09C| . 00000000|DD 00000000 |GdiDCAttributeList = 0
7EFDE0A0| . B400C577|DD OFFSET ntdll.77C500B4|LoaderLock = 77C500B4
7EFDE0A4| . 06000000|DD 00000006 |OSMajorVersion = 6
7EFDE0A8| . 00000000|DD 00000000 |OSMinorVersion = 0
7EFDE0AC| . 7117 |DW 1771 |OSBuildNumber = 6001.
7EFDE0AE| . 0001 |DW 100 |OSCSDVersion = 256.
7EFDE0B0| . 02000000|DD 00000002 |OSPlatformId = 2
7EFDE0B4| . 03000000|DD 00000003 |ImageSubsystem = 3
7EFDE0B8| . 06000000|DD 00000006 |ImageSubsystemMajorVersion = 6
7EFDE0BC| . 00000000|DD 00000000 |ImageSubsystemMinorVersion = 0
7EFDE0C0| . 0F000000|DD 0000000F |ImageProcessAffinityMask = 0F
7EFDE0C4| . 00000000|DD 00000000 |GdiHandleBuffer[34.] = 0
<<<SNIP>>>
7EFDE14C| . 00000000|DD 00000000 |PostProcessInitRoutine = 00000000
7EFDE150| . 6025C577|DD OFFSET ntdll.77C52560|TlsExpansionBitmap = ntdll.77C52560
7EFDE154| . 01000000|DD 00000001 |TlsExpansionBitmapBits[32.] = 1
<<<SNIP>>>
7EFDE1D4| . 01000000|DD 00000001 |SessionId = 1
7EFDE1D8| . 00000000|DD 00000000 |pAppCompatInfo = 0
7EFDE1DC| . 00000000|DD 00000000 |CSDVersion = NULL
```
The PEB contains the following useful information:
| Address | Size | Description |
|---|---|---|
| [PEB+2] | BYTE | Is the program currently being debugged (1=Yes, 0=No). |
| [PEB+8] | DWORD | A pointer to the start of the memory region in which the main PE image for this process is loaded. |
| [PEB+C] | DWORD | A pointer to information about all the modules loaded into memory for this process (more on this later). |
| [PEB+18] | DWORD | The start address of the main heap. |
| [PEB+88] | DWORD | The number of heaps the process has. |
| [PEB+90] | DWORD | A pointer to a list of the addresses of each heap for the process. The number of entries in this list is found at [PEB+88]; there is one DWORD per heap, holding that heap's start address. |
| [PEB+A4] | DWORD | The major version number of the OS. |
| [PEB+A8] | DWORD | The minor version number of the OS. |
The DWORD at [PEB+18] is the same as the first DWORD in the list at [PEB+90].
The DWORDs at [PEB+A4] and [PEB+A8] can be used to determine which version of Windows the process is running on, using the following table:
| Major | Minor | Version |
|---|---|---|
| 7 | 0 | Windows 7 |
| 6 | 0 | Windows Vista / Windows Server 2008 |
| 5 | 2 | Windows Server 2003 |
| 5 | 1 | Windows XP |
| 5 | 0 | Windows 2000 |
| 4 | 90 | Windows ME |
| 4 | 10 | Windows 98 |
| 4 | 0 | Windows 95 / Windows NT 4.0 |
| 3 | 51 | Windows NT 4.51 |
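To show how the offset table and the version table above are used in practice, here is an added example (not code from the original page): a small C parser that takes a raw snapshot of a 32-bit PEB, such as one copied out of the OllyDbg dump above or carved from a memory image, reads the fields at the listed offsets, and maps OSMajorVersion/OSMinorVersion to a name with the page's table. Because it works on a byte buffer rather than on the live process, it runs on any platform; the sample buffer is constructed here from the values in the dump above (BeingDebugged = TRUE, ImageBaseAddress = 4A880000, and so on), and the function and type names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets from the table on this page (32-bit PEB). */
enum {
    PEB_BEING_DEBUGGED  = 0x02,
    PEB_IMAGE_BASE      = 0x08,
    PEB_LDR             = 0x0C,
    PEB_PROCESS_HEAP    = 0x18,
    PEB_NUMBER_OF_HEAPS = 0x88,
    PEB_PROCESS_HEAPS   = 0x90,
    PEB_OS_MAJOR        = 0xA4,
    PEB_OS_MINOR        = 0xA8,
    PEB_MIN_SNAPSHOT    = 0xAC,  /* bytes needed to cover every field above */
    PEB_SAMPLE_SIZE     = 0x1E0  /* size of the constructed sample snapshot */
};

typedef struct {
    int      being_debugged;
    uint32_t image_base;      /* [PEB+8]  */
    uint32_t ldr;             /* [PEB+C]  LoaderData (module list) */
    uint32_t process_heap;    /* [PEB+18] */
    uint32_t number_of_heaps; /* [PEB+88] */
    uint32_t process_heaps;   /* [PEB+90] pointer to the heap address list */
    uint32_t os_major;        /* [PEB+A4] */
    uint32_t os_minor;        /* [PEB+A8] */
} peb_summary;

/* Little-endian DWORD read; the snapshot is raw memory, so no alignment is assumed. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Pull the fields from a raw PEB snapshot. Returns 1 on success, 0 if the
 * buffer is too short to contain the last field we read (OSMinorVersion). */
int parse_peb(const uint8_t *peb, size_t len, peb_summary *out) {
    if (peb == NULL || out == NULL || len < PEB_MIN_SNAPSHOT) return 0;
    out->being_debugged  = peb[PEB_BEING_DEBUGGED] != 0;
    out->image_base      = rd32(peb + PEB_IMAGE_BASE);
    out->ldr             = rd32(peb + PEB_LDR);
    out->process_heap    = rd32(peb + PEB_PROCESS_HEAP);
    out->number_of_heaps = rd32(peb + PEB_NUMBER_OF_HEAPS);
    out->process_heaps   = rd32(peb + PEB_PROCESS_HEAPS);
    out->os_major        = rd32(peb + PEB_OS_MAJOR);
    out->os_minor        = rd32(peb + PEB_OS_MINOR);
    return 1;
}

/* Map OSMajorVersion/OSMinorVersion to a name using the version table on this page. */
const char *windows_name(uint32_t major, uint32_t minor) {
    static const struct { uint32_t major, minor; const char *name; } table[] = {
        {7, 0,  "Windows 7"},
        {6, 0,  "Windows Vista / Windows Server 2008"},
        {5, 2,  "Windows Server 2003"},
        {5, 1,  "Windows XP"},
        {5, 0,  "Windows 2000"},
        {4, 90, "Windows ME"},
        {4, 10, "Windows 98"},
        {4, 0,  "Windows 95 / Windows NT 4.0"},
        {3, 51, "Windows NT 4.51"},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].major == major && table[i].minor == minor) return table[i].name;
    return "unknown";
}

/* Constructed sample: a zero-filled snapshot with the fields from the OllyDbg
 * dump on this page written at their offsets. Returns bytes written, 0 if len is too small. */
size_t build_sample_peb(uint8_t *buf, size_t len) {
    if (buf == NULL || len < PEB_SAMPLE_SIZE) return 0;
    memset(buf, 0, PEB_SAMPLE_SIZE);
    buf[PEB_BEING_DEBUGGED] = 0x01;                 /* BeingDebugged = TRUE */
    wr32(buf + 0x04, 0xFFFFFFFFu);                  /* Mutant = INVALID_HANDLE_VALUE */
    wr32(buf + PEB_IMAGE_BASE, 0x4A880000u);        /* ImageBaseAddress (cmd.exe) */
    wr32(buf + PEB_LDR, 0x77C50120u);               /* LoaderData = ntdll.77C50120 */
    wr32(buf + PEB_PROCESS_HEAP, 0x00740000u);      /* ProcessHeap */
    wr32(buf + PEB_NUMBER_OF_HEAPS, 2);             /* NumberOfHeaps */
    wr32(buf + 0x8C, 16);                           /* MaximumNumberOfHeaps */
    wr32(buf + PEB_PROCESS_HEAPS, 0x77C52580u);     /* ProcessHeaps list pointer */
    wr32(buf + PEB_OS_MAJOR, 6);                    /* OSMajorVersion */
    wr32(buf + PEB_OS_MINOR, 0);                    /* OSMinorVersion */
    return PEB_SAMPLE_SIZE;
}

/* Build and parse the sample once; returns NULL if either step fails. */
const peb_summary *sample_summary(void) {
    static uint8_t snap[PEB_SAMPLE_SIZE];
    static peb_summary s;
    if (!build_sample_peb(snap, sizeof snap) || !parse_peb(snap, sizeof snap, &s)) return NULL;
    return &s;
}

int main(void) {
    const peb_summary *s = sample_summary();
    if (s == NULL) return 1;
    printf("BeingDebugged : %s\n", s->being_debugged ? "TRUE" : "FALSE");
    printf("ImageBase     : %08X   Ldr: %08X\n", s->image_base, s->ldr);
    printf("ProcessHeap   : %08X   heaps: %u (list at %08X)\n",
           s->process_heap, s->number_of_heaps, s->process_heaps);
    printf("OS version    : %u.%u -> %s\n", s->os_major, s->os_minor,
           windows_name(s->os_major, s->os_minor));
    return 0;
}
```

The parser refuses buffers shorter than 0xAC bytes rather than reading past the end, which matters when a PEB page is only partially recoverable from a dump. On the sample it reports BeingDebugged TRUE, an image base of 4A880000, two heaps listed at 77C52580 and version 6.0, which the table resolves to Windows Vista / Windows Server 2008, matching the dump above.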
