krot

PEB

May 22nd, 2018
; x86 (32-bit) only: FS points at the TEB and FS:[0x30] (rendered here as FS:[30])
; holds the PEB pointer. On x64 the TEB is addressed through GS and the PEB pointer
; is at GS:[0x60]; the 4-byte-pointer layout below does not apply there.
; From a detection standpoint, a direct FS:[30] read followed by a byte load at +2
; (BeingDebugged) is the classic inline debugger check that avoids any API call.
MOV EAX,DWORD PTR FS:[30] ; eax == PEB
MOV EAX,DWORD PTR DS:[EAX+8]             ; eax == PEB->ImageBaseAddress (offset 0x008 in the struct below); ProcessParameters is at PEB+0x010, not +8
/*
 * Pseudo-C layout of the 32-bit (x86) _PEB: each field is written with its
 * byte offset in front of its type. Pointers are 4 bytes, matching the
 * FS:[0x30] access above; none of these offsets hold for the x64 PEB.
 * NOTE(review): the field set (EnvironmentUpdateCount at 0x028, the struct
 * ending at MinimumStackCommit 0x208) looks like an XP-era layout — later
 * Windows versions add and move fields, so confirm offsets past the first
 * few against the target's symbols before hard-coding them.
 */
struct _PEB {
    0x000 BYTE InheritedAddressSpace;
    0x001 BYTE ReadImageFileExecOptions;
    0x002 BYTE BeingDebugged;           // the byte IsDebuggerPresent() returns; anti-analysis code reads it directly through FS:[0x30] instead of calling the API
    0x003 BYTE SpareBool;
    0x004 void* Mutant;
    0x008 void* ImageBaseAddress;       // base of the main executable image; this is what the [EAX+8] load above yields
    0x00c _PEB_LDR_DATA* Ldr;           // loader's module lists; the usual starting point for import-free module lookup, so reads of this field are worth flagging in unpacked code
    0x010 _RTL_USER_PROCESS_PARAMETERS* ProcessParameters; // command line, image path and environment of the process
    0x014 void* SubSystemData;
    0x018 void* ProcessHeap;            // default process heap (the handle GetProcessHeap() returns)
    0x01c _RTL_CRITICAL_SECTION* FastPebLock;
    0x020 void* FastPebLockRoutine;
    0x024 void* FastPebUnlockRoutine;
    0x028 DWORD EnvironmentUpdateCount;
    0x02c void* KernelCallbackTable;
    0x030 DWORD SystemReserved[1];
    0x034 DWORD ExecuteOptions:2; // bit offset: 34, len=2
    0x034 DWORD SpareBits:30; // bit offset: 34, len=30
    0x038 _PEB_FREE_BLOCK* FreeList;
    0x03c DWORD TlsExpansionCounter;
    0x040 void* TlsBitmap;
    0x044 DWORD TlsBitmapBits[2];
    0x04c void* ReadOnlySharedMemoryBase;
    0x050 void* ReadOnlySharedMemoryHeap;
    0x054 void** ReadOnlyStaticServerData;
    0x058 void* AnsiCodePageData;
    0x05c void* OemCodePageData;
    0x060 void* UnicodeCaseTableData;
    0x064 DWORD NumberOfProcessors;
    0x068 DWORD NtGlobalFlag;           // heap/loader debug flags; a process created by a debugger typically gets heap-check bits set here, making this a second anti-debug probe alongside BeingDebugged
    // 0x06c: 4 bytes of padding so the 8-byte LARGE_INTEGER below is naturally aligned
    0x070 _LARGE_INTEGER CriticalSectionTimeout;
    0x078 DWORD HeapSegmentReserve;
    0x07c DWORD HeapSegmentCommit;
    0x080 DWORD HeapDeCommitTotalFreeThreshold;
    0x084 DWORD HeapDeCommitFreeBlockThreshold;
    0x088 DWORD NumberOfHeaps;
    0x08c DWORD MaximumNumberOfHeaps;
    0x090 void** ProcessHeaps;          // array of NumberOfHeaps heap handles
    0x094 void* GdiSharedHandleTable;
    0x098 void* ProcessStarterHelper;
    0x09c DWORD GdiDCAttributeList;
    0x0a0 void* LoaderLock;
    0x0a4 DWORD OSMajorVersion;
    0x0a8 DWORD OSMinorVersion;
    0x0ac WORD OSBuildNumber;
    0x0ae WORD OSCSDVersion;
    0x0b0 DWORD OSPlatformId;
    0x0b4 DWORD ImageSubsystem;
    0x0b8 DWORD ImageSubsystemMajorVersion;
    0x0bc DWORD ImageSubsystemMinorVersion;
    0x0c0 DWORD ImageProcessAffinityMask;
    0x0c4 DWORD GdiHandleBuffer[34];    // 34 * 4 = 0x88 bytes, which is why the next field lands at 0x14c
    0x14c void (*PostProcessInitRoutine)();
    0x150 void* TlsExpansionBitmap;
    0x154 DWORD TlsExpansionBitmapBits[32]; // 32 * 4 = 0x80 bytes, next field at 0x1d4
    0x1d4 DWORD SessionId;
    0x1d8 _ULARGE_INTEGER AppCompatFlags;
    0x1e0 _ULARGE_INTEGER AppCompatFlagsUser;
    0x1e8 void* pShimData;
    0x1ec void* AppCompatInfo;
    0x1f0 _UNICODE_STRING CSDVersion;
    0x1f8 void* ActivationContextData;
    0x1fc void* ProcessAssemblyStorageMap;
    0x200 void* SystemDefaultActivationContextData;
    0x204 void* SystemAssemblyStorageMap;
    0x208 DWORD MinimumStackCommit;
);  // sic: a real C definition would close with "};" — this is a layout reference, not compilable code
  71. ;http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_combined.html
  72. ;https://www.aldeid.com/wiki/PEB-Process-Environment-Block