PEB & TEB

TEB

typedef struct _TEB {
  NT_TIB                  Tib;
  PVOID                   EnvironmentPointer;
  CLIENT_ID               Cid;
  PVOID                   ActiveRpcInfo;
  PVOID                   ThreadLocalStoragePointer;
  PPEB                    Peb;
  ULONG                   LastErrorValue;
  ULONG                   CountOfOwnedCriticalSections;
  PVOID                   CsrClientThread;
  PVOID                   Win32ThreadInfo;
  ULONG                   Win32ClientInfo[0x1F];
  PVOID                   WOW32Reserved;
  ULONG                   CurrentLocale;
  ULONG                   FpSoftwareStatusRegister;
  PVOID                   SystemReserved1[0x36];
  PVOID                   Spare1;
  ULONG                   ExceptionCode;
  ULONG                   SpareBytes1[0x28];
  PVOID                   SystemReserved2[0xA];
  ULONG                   GdiRgn;
  ULONG                   GdiPen;
  ULONG                   GdiBrush;
  CLIENT_ID               RealClientId;
  PVOID                   GdiCachedProcessHandle;
  ULONG                   GdiClientPID;
  ULONG                   GdiClientTID;
  PVOID                   GdiThreadLocaleInfo;
  PVOID                   UserReserved[5];
  PVOID                   GlDispatchTable[0x118];
  ULONG                   GlReserved1[0x1A];
  PVOID                   GlReserved2;
  PVOID                   GlSectionInfo;
  PVOID                   GlSection;
  PVOID                   GlTable;
  PVOID                   GlCurrentRC;
  PVOID                   GlContext;
  NTSTATUS                LastStatusValue;
  UNICODE_STRING          StaticUnicodeString;
  WCHAR                   StaticUnicodeBuffer[0x105];
  PVOID                   DeallocationStack;
  PVOID                   TlsSlots[0x40];
  LIST_ENTRY              TlsLinks;
  PVOID                   Vdm;
  PVOID                   ReservedForNtRpc;
  PVOID                   DbgSsReserved[0x2];
  ULONG                   HardErrorDisabled;
  PVOID                   Instrumentation[0x10];
  PVOID                   WinSockData;
  ULONG                   GdiBatchCount;
  ULONG                   Spare2;
  ULONG                   Spare3;
  ULONG                   Spare4;
  PVOID                   ReservedForOle;
  ULONG                   WaitingOnLoaderLock;
  PVOID                   StackCommit;
  PVOID                   StackCommitMax;
  PVOID                   StackReserved;

} TEB, *PTEB;

Thread Environment Block (TEB) is a structure in Windows that stores information about the currently running thread. Every created thread has its own TEB block. User can get address of TEB by calling the NtCurrentTeb function. We can also manually fetch the TEB using __readgsqword.

pTEB = (PTEB)__readgsqword(0x30);

There are a lot of members but the most important one for us is the PEB which is located at an offset of 0x30 . We can also look at this in WinDbg by typing the !teb command to get the address of TEB and then dt command to show the structure.

PEB

The Process Environment Block (PEB) is a structure that contains crucial information about a running process. It is created when a process starts and remains in memory throughout the process's lifetime.

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

We can guess a few members like BeingDebugged & ProcessParameters. We can query PEB using the same __readgsqword function.

PPEB pPEB = (PEB)__readgsqword(0x60)
// In case you wonder why is TEB at gs:[0x30] but PEB gs:[0x60]
// even though PEB is at an offset of 0x60 from TEB
// This is because the gs register contains a list of important structures/members 
// like TEB , PID , PEB , etc.
// Refer https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

If we look at PEB in WinDbg, we can see that the BeingDebugged member is set to 0x1 (true) which is correct since we are debugging the process right now.

It also contains the Ldr member which contains information regarding the image (DLL) loaded in the process. We can also see that in WinDbg

We can see all the different DLL being loaded into the notepad process.

All in all, TEB & PEB are really important structures and understanding them well is important for both developing & analyzing malwares.

PreviousSystem Calls Nextx86 Architecture Overview

Last updated 8 months ago

Was this helpful?