Process and Thread Structures on 32-bit Machine
PEB
Contains process information.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 | typedef void(*PPEBLOCKROUTINE)(PVOID PebLock);typedef struct _PEB_FREE_BLOCK { _PEB_FREE_BLOCK *Next; ULONG Size;} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;typedef struct _PEB { // sizeof(PEB) = 0x1D4 bytes BOOLEAN InheritedAddressSpace; // 0x00 BOOLEAN ReadImageFileExecOptions; // 0x01 BOOLEAN BeingDebugged; // 0x02 BOOLEAN BitField; // 0x03 PVOID Mutant; // 0x04 PVOID ImageBaseAddress; // 0x08 PPEB_LDR_DATA Ldr; // 0x0C PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // 0x10 PVOID SubSystemData; // 0x14 PVOID ProcessHeap; // 0x18 PVOID FastPebLock; // 0x1C PPEBLOCKROUTINE FastPebLockRoutine; // 0x20 PPEBLOCKROUTINE FastPebUnlockRoutine; // 0x24 ULONG EnvironmentUpdateCount; // 0x28 PVOID *KernelCallbackTable; // 0x2C PVOID EventLogSection; // 0x30 PVOID EventLog; // 0x34 PPEB_FREE_BLOCK FreeList; // 0x38 ULONG TlsExpansionCounter; // 0x3C PVOID TlsBitmap; // 0x40 ULONG TlsBitmapBits[2]; // 0x44 PVOID ReadOnlySharedMemoryBase; // 0x4C PVOID ReadOnlySharedMemoryHeap; // 0x50 PVOID *ReadOnlyStaticServerData; // 0x54 PVOID AnsiCodePageData; // 0x58 PVOID OemCodePageData; // 0x5C PVOID UnicodeCaseTableData; // 0x60 ULONG NumberOfProcessors; // 0x64 ULONG NtGlobalFlag; // 0x68 BYTE Spare2[4]; // 0x6C LARGE_INTEGER CriticalSectionTimeout; // 0x70 ULONG HeapSegmentReserve; // 0x78 ULONG HeapSegmentCommit; // 0x7C ULONG HeapDeCommitTotalFreeThreshold; // 0x80 ULONG HeapDeCommitFreeBlockThreshold; // 0x84 ULONG NumberOfHeaps; // 0x88 ULONG MaximumNumberOfHeaps; // 0x8C PVOID **ProcessHeaps; // 0x90 PVOID GdiSharedHandleTable; // 0x94 PVOID ProcessStarterHelper; // 0x98 PVOID GdiDCAttributeList; // 0x9C PVOID LoaderLock; // 0xA0 ULONG OSMajorVersion; // 0xA4 ULONG OSMinorVersion; // 0xA8 ULONG OSBuildNumber; // 0xAC ULONG OSPlatformId; // 0xB0 ULONG ImageSubSystem; // 0xB4 ULONG ImageSubSystemMajorVersion; // 0xB8 ULONG ImageSubSystemMinorVersion; // 0xBC ULONG GdiHandleBuffer[34]; // 0xC0 PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; // 0x148 ULONG TlsExpansionBitmap; // 0x14C BYTE TlsExpansionBitmapBits[128]; // 0x150 ULONG SessionId; // 0x1D0} PEB, *PPEB; |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | #include <Windows.h>#include <stdio.h>void main() { // Get PEB of current process#ifdef _WIN64 UINT64 uiPeb = __readgsqword(0x60);#else UINT32 uiPeb = __readfsdword(0x30);#endif PPEB pPeb = PPEB(uiPeb); printf("Base address of PEB: %p\n", pPeb); printf("ImageBaseAddress: %p\n", pPeb->ImageBaseAddress);} |
PEB_LDR_DATA
Contains information about the loaded modules for the process.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink;} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;typedef struct _LDR_DATA_TABLE_ENTRY { // sizeof(LDR_DATA_TABLE_ENTRY) = 0x48 bytes LIST_ENTRY InLoadOrderLinks; // 0x00 LIST_ENTRY InMemoryOrderModuleList; // 0x08 LIST_ENTRY InInitializationOrderModuleList; // 0x10 PVOID DllBase; // 0x18 PVOID EntryPoint; // 0x1C ULONG SizeOfImage; // 0x20 UNICODE_STRING FullDllName; // 0x24 UNICODE_STRING BaseDllName; // 0x2C ULONG Flags; // 0x34 SHORT LoadCount; // 0x38 SHORT TlsIndex; // 0x3A LIST_ENTRY HashTableEntry; // 0x3C ULONG TimeDateStamp; // 0x44} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef struct _PEB_LDR_DATA { // sizeof(PEB_LDR_DATA) = 0x28 bytes DWORD Length; // 0x00 BOOLEAN Initialized; // 0x04 LPVOID SsHandle; // 0x08 LIST_ENTRY InLoadOrderModuleList; // 0x0C LIST_ENTRY InMemoryOrderModuleList; // 0x14 LIST_ENTRY InInitializationOrderModuleList; // 0x1C LPVOID EntryInProgress; // 0x24} PEB_LDR_DATA, *PPEB_LDR_DATA; |
InMemoryOrderModuleList
The head of a doubly-linked list that contains the loaded modules for the process.
Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure.
References
- https://msdn.microsoft.com/en-us/library/ms684855(v=vs.85).aspx
- https://gist.github.com/okumura/7173722