
The TEB Structure

The TEB (Thread Environment Block)

Just as the PEB contains information about the process, the TEB holds information about a thread running in that process. A newly created process contains at least one thread that executes the desired code, and a process can create N threads.

Each thread has its own TEB structure. Exploit developers and malware developers often use the TEB to locate the pointer to the PEB structure or to obtain information about the running thread.

The TEB is accessed through the FS segment register on 32-bit Windows and the GS segment register on 64-bit Windows.

typedef struct _TEB {
  PVOID Reserved1[12];
  PPEB  ProcessEnvironmentBlock;
  PVOID Reserved2[399];
  BYTE  Reserved3[1952];
  PVOID TlsSlots[64];
  BYTE  Reserved4[8];
  PVOID Reserved5[26];
  PVOID ReservedForOle;
  PVOID Reserved6[4];
  PVOID TlsExpansionSlots;
} TEB, *PTEB;
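
The layout above fixes where the PEB pointer sits: 12 pointers into the TEB, so 0x30 on 32-bit and 0x60 on 64-bit Windows. The following is an added example, not code from the original page: it measures those offsets from a width-parameterized mirror of the struct and uses them in a simple static heuristic that flags FS/GS-relative loads of the PEB pointer in a byte buffer. The names TEB32, TEB64, peb_offset and count_peb_reads and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Mirror of the documented _TEB with an explicit pointer width, so both
   layouts can be measured on any host. TEB32/TEB64 are names made up here. */
#define TEB_LAYOUT(NAME, PTR) typedef struct { \
    PTR Reserved1[12]; PTR ProcessEnvironmentBlock; PTR Reserved2[399]; \
    uint8_t Reserved3[1952]; PTR TlsSlots[64]; uint8_t Reserved4[8]; \
    PTR Reserved5[26]; PTR ReservedForOle; PTR Reserved6[4]; \
    PTR TlsExpansionSlots; } NAME
TEB_LAYOUT(TEB32, uint32_t);
TEB_LAYOUT(TEB64, uint64_t);
/* Offset of the PEB pointer: it follows the 12 pointers of Reserved1. */
size_t peb_offset(int is64) {
    return is64 ? offsetof(TEB64, ProcessEnvironmentBlock)
                : offsetof(TEB32, ProcessEnvironmentBlock);
}
static uint32_t le32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Heuristic: count loads from fs:[disp32] (x86) or gs:[disp32] (x64) whose
   displacement is the PEB pointer offset. A hit is a triage lead, not a verdict. */
size_t count_peb_reads(const uint8_t *b, size_t n, int is64) {
    uint32_t want = (uint32_t)peb_offset(is64);
    size_t hits = 0;
    for (size_t i = 0; i + 2 < n; i++) {
        size_t d = 0;                          /* index of disp32; 0 = no match */
        if (!is64 && b[i] == 0x64) {           /* FS segment override */
            if (b[i + 1] == 0xA1) d = i + 2;   /* mov eax, fs:[moffs32] */
            else if (b[i + 1] == 0x8B && (b[i + 2] & 0xC7) == 0x05) d = i + 3;
        } else if (is64 && i + 4 < n && b[i] == 0x65      /* GS override */
                   && (b[i + 1] & 0xFB) == 0x48 && b[i + 2] == 0x8B  /* REX.W mov */
                   && (b[i + 3] & 0xC7) == 0x04 && b[i + 4] == 0x25) {
            d = i + 5;                         /* mov r64, gs:[disp32] */
        }
        if (d && d + 4 <= n && le32(b + d) == want) hits++;
    }
    return hits;
}

/* Constructed sample bytes, not taken from any real binary. */
const uint8_t SAMPLE_X86[] = { 0x64,0xA1,0x30,0,0,0, 0x64,0x8B,0x1D,0x30,0,0,0, 0x64,0xA1,0x18,0,0,0 };
const uint8_t SAMPLE_X64[] = { 0x65,0x48,0x8B,0x04,0x25,0x60,0,0,0, 0xC3 };

int main(void) {
    printf("PEB offset x86=0x%zx x64=0x%zx, hits x86=%zu x64=%zu\n", peb_offset(0), peb_offset(1),
           count_peb_reads(SAMPLE_X86, sizeof SAMPLE_X86, 0), count_peb_reads(SAMPLE_X64, sizeof SAMPLE_X64, 1));
    return 0;
}
```

The scan covers only plain absolute-displacement loads, and legitimate runtime code reads the same field, so matches need context before they mean anything.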
