The PEB Structure
The PEB (Process Environment Block)
The PEB is a data structure that stores information about the running process; on 32-bit x86 it is reached through the FS segment register at offset 0x30 (fs:[0x30]).
The structure holds useful information such as the list of modules loaded in the running process, which is commonly used during shellcode development to resolve Win32 API functions.
Another useful field in the PEB structure is BeingDebugged, which indicates whether a debugger is attached to the running process.
Malware developers often use this flag as an anti-debugging technique to make it harder for defenders such as malware analysts to analyse the sample dynamically in a debugger.
If the malware detects that it is being debugged, it may behave completely differently to hide its true purpose from analysts, or delete itself from disk.
The Ldr data structure is also important; I will explain it later on.
typedef struct _PEB {
    BYTE                          Reserved1[2];
    BYTE                          BeingDebugged;
    BYTE                          Reserved2[1];
    PVOID                         Reserved3[2];
    PPEB_LDR_DATA                 Ldr;
    PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
    PVOID                         Reserved4[3];
    PVOID                         AtlThunkSListPtr;
    PVOID                         Reserved5;
    ULONG                         Reserved6;
    PVOID                         Reserved7;
    ULONG                         Reserved8;
    ULONG                         AtlThunkSListPtr32;
    PVOID                         Reserved9[45];
    BYTE                          Reserved10[96];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE                          Reserved11[128];
    PVOID                         Reserved12[1];
    ULONG                         SessionId;
} PEB, *PPEB;
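As an added example (not part of the original post), the Python script below derives the field offsets of the documented PEB layout above for both 32-bit and 64-bit processes, then uses them to pull BeingDebugged and the Ldr pointer out of a raw PEB image such as one carved from a memory dump; the sample image and the pointer value in it are constructed placeholders. The offsets matter for analysts because on x64 the PEB is reached through GS at offset 0x60 rather than fs:[0x30], and fields after the first three bytes shift (Ldr moves from +0x0C to +0x18) while BeingDebugged stays at +0x02.

```python
"""Compute PEB field offsets for x86 and x64 from the documented layout."""
import struct

# Documented PEB layout as (type, name, count). "P" is a pointer-sized type.
PEB_LAYOUT = [
    ("B", "Reserved1", 2), ("B", "BeingDebugged", 1), ("B", "Reserved2", 1),
    ("P", "Reserved3", 2), ("P", "Ldr", 1), ("P", "ProcessParameters", 1),
    ("P", "Reserved4", 3), ("P", "AtlThunkSListPtr", 1), ("P", "Reserved5", 1),
    ("L", "Reserved6", 1), ("P", "Reserved7", 1), ("L", "Reserved8", 1),
    ("L", "AtlThunkSListPtr32", 1), ("P", "Reserved9", 45), ("B", "Reserved10", 96),
    ("P", "PostProcessInitRoutine", 1), ("B", "Reserved11", 128),
    ("P", "Reserved12", 1), ("L", "SessionId", 1),
]

def peb_offsets(ptr_size):
    """Return {field: offset} using natural alignment (each field aligned to its size)."""
    sizes = {"B": 1, "L": 4, "P": ptr_size}
    offsets, off = {}, 0
    for kind, name, count in PEB_LAYOUT:
        sz = sizes[kind]
        off = (off + sz - 1) // sz * sz   # pad up to the field's alignment
        offsets[name] = off
        off += sz * count
    return offsets

def read_peb_fields(peb_bytes, ptr_size):
    """Parse BeingDebugged and the Ldr pointer out of a raw PEB image."""
    offs = peb_offsets(ptr_size)
    fmt = "<I" if ptr_size == 4 else "<Q"   # little-endian pointer
    being_debugged = peb_bytes[offs["BeingDebugged"]]
    ldr, = struct.unpack_from(fmt, peb_bytes, offs["Ldr"])
    return {"BeingDebugged": being_debugged, "Ldr": ldr}

# Constructed sample: zero-filled x64 PEB image with BeingDebugged set
# and a placeholder (made-up) Ldr pointer written at the x64 offset.
SAMPLE_X64 = bytearray(0x2C8)
SAMPLE_X64[2] = 1
struct.pack_into("<Q", SAMPLE_X64, 0x18, 0x7FF912345000)

if __name__ == "__main__":
    for bits, size in ((32, 4), (64, 8)):
        o = peb_offsets(size)
        print(f"x{bits}: BeingDebugged=+{o['BeingDebugged']:#x} "
              f"Ldr=+{o['Ldr']:#x} SessionId=+{o['SessionId']:#x}")
    print(read_peb_fields(bytes(SAMPLE_X64), 8))
```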
Reference: Microsoft API PEB Reference