Process and Thread Structures on a 32-bit Machine
PEB
Contains process information.
/* Callback type stored in PEB.FastPebLockRoutine / FastPebUnlockRoutine;
 * the single argument is presumably the PEB's FastPebLock pointer (name-based, confirm). */
typedef void(*PPEBLOCKROUTINE)(PVOID PebLock);
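/* Node of the singly-linked free-block list hanging off PEB.FreeList. */
typedef struct _PEB_FREE_BLOCK {
    /* The 'struct' keyword is required here in C: the bare tag
     * '_PEB_FREE_BLOCK *Next' only compiles as C++. */
    struct _PEB_FREE_BLOCK *Next;
    ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;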
/*
 * Process Environment Block, 32-bit layout. The trailing comments give each
 * field's offset on x86; the 64-bit PEB uses 8-byte pointers and does not
 * follow these offsets.
 * NOTE(review): the per-field offsets add up to 0x1D4, but CriticalSectionTimeout
 * (LARGE_INTEGER) carries 8-byte alignment, so the compiler may pad sizeof(PEB)
 * to 0x1D8 - confirm with sizeof on the target toolchain.
 * NOTE(review): field names (e.g. Spare2, EventLogSection) and their presence vary
 * between Windows releases; verify this snapshot against the build you target.
 * PPEB_LDR_DATA, PRTL_USER_PROCESS_PARAMETERS and PPS_POST_PROCESS_INIT_ROUTINE
 * must be declared before this typedef (PEB_LDR_DATA is defined further down
 * this page, after it is used here).
 */
typedef struct _PEB { // sizeof(PEB) = 0x1D4 bytes (fields only; see padding note above)
    BOOLEAN InheritedAddressSpace; // 0x00
    BOOLEAN ReadImageFileExecOptions; // 0x01
    BOOLEAN BeingDebugged; // 0x02  nonzero while a debugger is attached (what IsDebuggerPresent() reports)
    BOOLEAN BitField; // 0x03
    PVOID Mutant; // 0x04
    PVOID ImageBaseAddress; // 0x08  load address of the main executable image
    PPEB_LDR_DATA Ldr; // 0x0C  loader data holding the module lists (see PEB_LDR_DATA)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // 0x10
    PVOID SubSystemData; // 0x14
    PVOID ProcessHeap; // 0x18  default process heap
    PVOID FastPebLock; // 0x1C
    PPEBLOCKROUTINE FastPebLockRoutine; // 0x20
    PPEBLOCKROUTINE FastPebUnlockRoutine; // 0x24
    ULONG EnvironmentUpdateCount; // 0x28
    PVOID *KernelCallbackTable; // 0x2C
    PVOID EventLogSection; // 0x30
    PVOID EventLog; // 0x34
    PPEB_FREE_BLOCK FreeList; // 0x38
    ULONG TlsExpansionCounter; // 0x3C
    PVOID TlsBitmap; // 0x40
    ULONG TlsBitmapBits[2]; // 0x44  (8 bytes, through 0x4B)
    PVOID ReadOnlySharedMemoryBase; // 0x4C
    PVOID ReadOnlySharedMemoryHeap; // 0x50
    PVOID *ReadOnlyStaticServerData; // 0x54
    PVOID AnsiCodePageData; // 0x58
    PVOID OemCodePageData; // 0x5C
    PVOID UnicodeCaseTableData; // 0x60
    ULONG NumberOfProcessors; // 0x64
    ULONG NtGlobalFlag; // 0x68  per-process NtGlobalFlag (GFlags) value
    BYTE Spare2[4]; // 0x6C  pads the next field to 8-byte alignment
    LARGE_INTEGER CriticalSectionTimeout; // 0x70  8 bytes, 8-byte aligned
    ULONG HeapSegmentReserve; // 0x78
    ULONG HeapSegmentCommit; // 0x7C
    ULONG HeapDeCommitTotalFreeThreshold; // 0x80
    ULONG HeapDeCommitFreeBlockThreshold; // 0x84
    ULONG NumberOfHeaps; // 0x88
    ULONG MaximumNumberOfHeaps; // 0x8C
    PVOID **ProcessHeaps; // 0x90
    PVOID GdiSharedHandleTable; // 0x94
    PVOID ProcessStarterHelper; // 0x98
    PVOID GdiDCAttributeList; // 0x9C
    PVOID LoaderLock; // 0xA0
    ULONG OSMajorVersion; // 0xA4
    ULONG OSMinorVersion; // 0xA8
    ULONG OSBuildNumber; // 0xAC
    ULONG OSPlatformId; // 0xB0
    ULONG ImageSubSystem; // 0xB4
    ULONG ImageSubSystemMajorVersion; // 0xB8
    ULONG ImageSubSystemMinorVersion; // 0xBC
    ULONG GdiHandleBuffer[34]; // 0xC0  (34 * 4 = 0x88 bytes, through 0x147)
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; // 0x148
    ULONG TlsExpansionBitmap; // 0x14C
    BYTE TlsExpansionBitmapBits[128]; // 0x150  (0x80 bytes, through 0x1CF)
    ULONG SessionId; // 0x1D0
} PEB, *PPEB;
#include <Windows.h>
#include <stdio.h>
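/*
 * Prints the address of the current process's PEB and its ImageBaseAddress.
 * Returns 0; the original declared 'void main()', which is not a conforming
 * signature for a hosted C program.
 */
int main(void) {
    /* Get PEB of current process: read the PEB pointer out of the TEB, which
     * is addressed through FS (x86, PEB at 0x30) or GS (x64, PEB at 0x60). */
#ifdef _WIN64
    UINT64 uiPeb = __readgsqword(0x60);
#else
    UINT32 uiPeb = __readfsdword(0x30);
#endif
    /* C-style cast; the original 'PPEB(uiPeb)' is a C++-only functional cast.
     * NOTE(review): the PEB layout on this page is the 32-bit one, so on _WIN64
     * the field offsets after the first few pointers do not match - verify the
     * struct against the 64-bit layout before dereferencing it there. */
    PPEB pPeb = (PPEB)uiPeb;
    /* %p expects a void pointer; cast explicitly so the format matches. */
    printf("Base address of PEB: %p\n", (void *)pPeb);
    printf("ImageBaseAddress: %p\n", pPeb->ImageBaseAddress);
    return 0;
}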
PEB_LDR_DATA
Contains information about the loaded modules for the process.
/*
 * Doubly-linked list link, embedded in list nodes and also used as the list head.
 * The head acts as a sentinel: a walk starting at head.Flink ends when Flink
 * points back at the head itself.
 * NOTE(review): winnt.h (pulled in by Windows.h) already provides LIST_ENTRY,
 * so this definition is expected to conflict with that include - keep only one.
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink; // forward link (next node)
    struct _LIST_ENTRY *Blink; // backward link (previous node)
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
/*
 * One loaded module (the main image or a DLL), 32-bit layout.
 * The three LIST_ENTRY members are link fields threaded into the matching
 * PEB_LDR_DATA lists. A list Flink points at the link field, not at the start
 * of this struct, so recover the entry with CONTAINING_RECORD (for the
 * in-memory-order list that means subtracting 0x08).
 */
typedef struct _LDR_DATA_TABLE_ENTRY { // sizeof(LDR_DATA_TABLE_ENTRY) = 0x48 bytes
    LIST_ENTRY InLoadOrderLinks; // 0x00  link into PEB_LDR_DATA.InLoadOrderModuleList
    LIST_ENTRY InMemoryOrderModuleList; // 0x08  link into PEB_LDR_DATA.InMemoryOrderModuleList
    LIST_ENTRY InInitializationOrderModuleList; // 0x10  link into PEB_LDR_DATA.InInitializationOrderModuleList
    PVOID DllBase; // 0x18  module load address
    PVOID EntryPoint; // 0x1C
    ULONG SizeOfImage; // 0x20
    UNICODE_STRING FullDllName; // 0x24  UNICODE_STRING: Length is a byte count and Buffer need not be NUL-terminated
    UNICODE_STRING BaseDllName; // 0x2C  same caveat as FullDllName
    ULONG Flags; // 0x34
    SHORT LoadCount; // 0x38
    SHORT TlsIndex; // 0x3A
    LIST_ENTRY HashTableEntry; // 0x3C
    ULONG TimeDateStamp; // 0x44
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*
 * Loader bookkeeping for the process, reached through PEB.Ldr (offset 0x0C).
 * The three LIST_ENTRY members are list heads; the nodes are the corresponding
 * link fields inside LDR_DATA_TABLE_ENTRY. Each list is circular, so a walk
 * terminates when Flink returns to the head's own address. 32-bit layout.
 */
typedef struct _PEB_LDR_DATA { // sizeof(PEB_LDR_DATA) = 0x28 bytes
    DWORD Length; // 0x00  presumably the size of this structure - confirm
    BOOLEAN Initialized; // 0x04  (0x05-0x07 is alignment padding before SsHandle)
    LPVOID SsHandle; // 0x08
    LIST_ENTRY InLoadOrderModuleList; // 0x0C  head: modules in load order
    LIST_ENTRY InMemoryOrderModuleList; // 0x14  head: modules in memory order
    LIST_ENTRY InInitializationOrderModuleList; // 0x1C  head: modules in initialization order
    LPVOID EntryInProgress; // 0x24
} PEB_LDR_DATA, *PPEB_LDR_DATA;
InMemoryOrderModuleList
The head of a doubly-linked list that contains the loaded modules for the process.
Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure — more precisely, to the InMemoryOrderModuleList LIST_ENTRY embedded at offset 0x08 of that entry, so the entry itself starts 0x08 bytes before the link (use CONTAINING_RECORD).
References
- https://msdn.microsoft.com/en-us/library/ms684855(v=vs.85).aspx
- https://gist.github.com/okumura/7173722