Process Environment Block (PEB) in Windows OS

Nikhil gupta
7 min read · Aug 4, 2024

The Process Environment Block (PEB) in Windows OS is a data structure in user mode that contains information about a process. It is used by the operating system and by applications to store and access various pieces of information relevant to the running process. Understanding the PEB is crucial for tasks such as debugging, malware analysis, and reverse engineering.

Detailed Overview of PEB

Structure of the PEB

The PEB structure varies slightly between different versions of Windows, but it generally includes the following fields:

1. InheritedAddressSpace

  • Type: BOOLEAN
  • Description: Indicates whether the process is using an inherited address space. This field is typically used during process creation to determine if the address space of the parent process is being inherited.

2. ReadImageFileExecOptions

  • Type: BOOLEAN
  • Description: Specifies whether the process has read the Image File Execution Options registry key, which can influence the process’s behavior by specifying options such as debugging settings.

3. BeingDebugged

  • Type: BOOLEAN
  • Description: Indicates if the process is currently being debugged. This field is often checked by malware to detect the presence of a debugger and alter its behavior to avoid detection.

4. Mutant

  • Type: HANDLE
  • Description: A handle to a mutant (mutex) object used during process creation. This can help ensure that certain resources or initialization procedures are properly synchronized.

5. ImageBaseAddress

  • Type: PVOID
  • Description: The base address where the executable image of the process is loaded in memory. This is crucial for various tasks such as debugging, module enumeration, and process injection.

6. Ldr

  • Type: PPEB_LDR_DATA
  • Description: Points to the PEB_LDR_DATA structure, which contains information about all the modules loaded in the process (e.g., DLLs and the main executable).

7. ProcessParameters

  • Type: PRTL_USER_PROCESS_PARAMETERS
  • Description: Points to the RTL_USER_PROCESS_PARAMETERS structure, which includes command line arguments, environment variables, and other startup information for the process.

8. SubSystemData

  • Type: PVOID
  • Description: Points to subsystem-specific data, which is used by certain types of subsystems such as the Windows GUI subsystem.

9. ProcessHeap

  • Type: PVOID
  • Description: Points to the default heap for the process. This is used for dynamic memory allocation throughout the process’s lifetime.

10. FastPebLock

  • Type: PVOID
  • Description: A critical section used to synchronize access to the PEB, ensuring thread safety when multiple threads need to read or modify the PEB.

11. AtlThunkSListPtr

  • Type: PVOID
  • Description: Used by the Active Template Library (ATL) in user-mode applications, typically related to the management of ATL thunk objects.

12. APISetMap

  • Type: PVOID
  • Description: Points to a structure used for API redirection and API sets, allowing the OS to map certain API calls to different implementations, which is particularly useful for backward compatibility.

13. TlsExpansionCounter

  • Type: ULONG
  • Description: A counter indicating the number of thread-local storage (TLS) slots that have been allocated.

14. TlsBitmap

  • Type: PVOID
  • Description: Points to a bitmap indicating which TLS slots are currently allocated.

15. TlsBitmapBits

  • Type: ULONG
  • Description: The actual bits for the TLS bitmap, which indicate the status (allocated/free) of each TLS slot.

16. ReadOnlySharedMemoryBase

  • Type: PVOID
  • Description: Points to the base address of read-only shared memory. This is used to share data between processes without allowing them to modify it.

17. HotpatchInformation

  • Type: PVOID
  • Description: Contains information related to hotpatching, which allows for patches to be applied to a running process without needing to restart it.

18. AffinityMask

  • Type: KAFFINITY
  • Description: Specifies the process affinity mask, determining which processors the threads of the process are eligible to run on.

19. GdiSharedHandleTable

  • Type: PVOID
  • Description: Points to the Graphics Device Interface (GDI) shared handle table, used for managing GDI objects shared between processes.

20. ProcessStarterHelper

  • Type: PVOID
  • Description: Points to the process startup helper, a structure used to assist in the initialization of the process.

21. GdiDCAttributeList

  • Type: PVOID
  • Description: A list of attributes for GDI device contexts (DCs), which represent the drawing surface for GDI operations.

22. LoaderLock

  • Type: PVOID
  • Description: A critical section used to synchronize the loading and unloading of modules in the process, ensuring thread safety.

23. OSMajorVersion

  • Type: ULONG
  • Description: The major version number of the operating system (e.g., 10 for Windows 10).

24. OSMinorVersion

  • Type: ULONG
  • Description: The minor version number of the operating system (e.g., 0 for Windows 10 version 1903).

25. OSBuildNumber

  • Type: ULONG
  • Description: The build number of the operating system, which indicates the specific build of the OS.

26. OSCSDVersion

  • Type: USHORT
  • Description: The service pack version of the operating system (e.g., Service Pack 1).

27. OSPlatformId

  • Type: ULONG
  • Description: The platform ID, indicating the type of platform (e.g., VER_PLATFORM_WIN32_NT for Windows NT-based systems).

28. ImageSubsystem

  • Type: ULONG
  • Description: The subsystem type of the process (e.g., IMAGE_SUBSYSTEM_WINDOWS_GUI for a GUI application).

29. ImageSubsystemMajorVersion

  • Type: ULONG
  • Description: The major version number of the subsystem.

30. ImageSubsystemMinorVersion

  • Type: ULONG
  • Description: The minor version number of the subsystem.

31. ActiveProcessAffinityMask

  • Type: KAFFINITY
  • Description: Specifies the affinity mask for active processes, determining which processors the threads of these processes are eligible to run on.

32. GdiHandleBuffer

  • Type: ULONG[60]
  • Description: A buffer for storing GDI handles, used for managing GDI objects within the process.

33. PostProcessInitRoutine

  • Type: PVOID
  • Description: Points to a routine that is called after the process has been initialized.

34. TlsExpansionBitmap

  • Type: PVOID
  • Description: Points to a bitmap for expanded TLS slots, indicating the status of additional TLS slots beyond the initial allocation.

35. TlsExpansionBitmapBits

  • Type: ULONG
  • Description: The actual bits for the expanded TLS bitmap, indicating the status (allocated/free) of each additional TLS slot.

36. SessionId

  • Type: ULONG
  • Description: The session ID of the process, used to identify the session in which the process is running, particularly relevant in terminal server environments.

37. AppCompatFlags

  • Type: ULONGLONG
  • Description: Application compatibility flags, which can be used to alter the behavior of the process for compatibility purposes.

38. AppCompatFlagsUser

  • Type: ULONGLONG
  • Description: User-specific application compatibility flags, similar to AppCompatFlags but specific to the user context.

39. pShimData

  • Type: PVOID
  • Description: Points to shim data used by the application compatibility layer to apply compatibility fixes to the process.

40. AppCompatInfo

  • Type: PVOID
  • Description: Additional application compatibility information, which can include various compatibility settings and patches.

41. CSDVersion

  • Type: UNICODE_STRING
  • Description: A Unicode string representing the service pack version of the operating system.

42. ActivationContextData

  • Type: PVOID
  • Description: Points to activation context data, used for side-by-side assemblies and manifest-based applications.

43. ProcessAssemblyStorageMap

  • Type: PVOID
  • Description: Points to the process assembly storage map, which manages the storage of assemblies within the process.

44. SystemDefaultActivationContextData

  • Type: PVOID
  • Description: Points to the system default activation context data, used for system-wide activation contexts.

45. SystemAssemblyStorageMap

  • Type: PVOID
  • Description: Points to the system assembly storage map, which manages the storage of system-wide assemblies.

46. MinimumStackCommit

  • Type: SIZE_T
  • Description: Specifies the minimum stack commit size for the process, which determines the minimum amount of stack space that will be committed.

47. FlsCallback

  • Type: PVOID
  • Description: Points to an array of Fiber Local Storage (FLS) callback functions.

48. FlsListHead

  • Type: LIST_ENTRY
  • Description: The head of the list of FLS slots, used to manage FLS for the process.

49. FlsBitmap

  • Type: PVOID
  • Description: Points to a bitmap indicating which FLS slots are currently allocated.

50. FlsBitmapBits

  • Type: ULONG
  • Description: The actual bits for the FLS bitmap, indicating the status (allocated/free) of each FLS slot.

51. FlsHighIndex

  • Type: ULONG
  • Description: The highest index of the FLS slots that have been allocated.

52. WerRegistrationData

  • Type: PVOID
  • Description: Points to Windows Error Reporting registration data, used for managing error reporting settings.

53. WerShipAssertPtr

  • Type: PVOID
  • Description: Points to a structure used by Windows Error Reporting for ship asserts (assertions that occur in shipped code).

54. pContextData

  • Type: PVOID
  • Description: Points to context data, which can include various context-specific information for the process.

55. pImageHeaderHash

  • Type: PVOID
  • Description: Points to the image header hash, used for verifying the integrity of the process image.

56. TracingFlags

  • Type: ULONG
  • Description: Flags for tracing, such as heap tracing, which can be used to track and debug memory allocation issues.

These fields collectively provide comprehensive information about a process’s execution environment, resources, and configuration. They are critical for understanding and manipulating process behavior in various contexts, including debugging, reverse engineering, and security analysis.
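As an added example (not code from the original post), the following Python parser decodes a handful of the x64 PEB fields listed above from a raw memory snapshot, the way a forensic tool does when it cannot execute code inside the process. The offsets are the x64 ntdll layout (note that ntdll packs OSBuildNumber and OSCSDVersion as two USHORTs); the sample image is constructed rather than captured, and the names `parse_peb64`, `debugger_indicators` and `build_sample_peb64` are this example's own.

```python
import struct

# x64 PEB member offsets from ntdll's published type information; stable for these
# members across Windows 7 through 11. Only the fields this parser reads are listed.
PEB64_FIELDS = {                 # name: (offset, struct format)
    "InheritedAddressSpace":    (0x000, "<B"),
    "ReadImageFileExecOptions": (0x001, "<B"),
    "BeingDebugged":            (0x002, "<B"),
    "ImageBaseAddress":         (0x010, "<Q"),
    "Ldr":                      (0x018, "<Q"),
    "ProcessParameters":        (0x020, "<Q"),
    "OSMajorVersion":           (0x118, "<I"),
    "OSMinorVersion":           (0x11C, "<I"),
    "OSBuildNumber":            (0x120, "<H"),   # USHORT, not ULONG, in ntdll's layout
    "OSCSDVersion":             (0x122, "<H"),
    "OSPlatformId":             (0x124, "<I"),
    "ImageSubsystem":           (0x128, "<I"),
    "SessionId":                (0x2C0, "<I"),
}
PEB64_MIN_SIZE = 0x2C4           # enough bytes to cover every field above

def parse_peb64(image):
    """Decode the fields in PEB64_FIELDS from a raw x64 PEB image (bytes)."""
    if len(image) < PEB64_MIN_SIZE:
        raise ValueError(f"PEB image too short: {len(image):#x} < {PEB64_MIN_SIZE:#x}")
    return {name: struct.unpack_from(fmt, image, off)[0]
            for name, (off, fmt) in PEB64_FIELDS.items()}

def debugger_indicators(peb):
    """Findings an analyst would want flagged from a parsed PEB."""
    findings = []
    if peb["BeingDebugged"]:
        findings.append("BeingDebugged=1: a user-mode debugger was attached when captured")
    if peb["Ldr"] == 0 or peb["ProcessParameters"] == 0:
        findings.append("Ldr/ProcessParameters null: captured before ntdll initialised the process")
    return findings

def build_sample_peb64(being_debugged=0):
    """Constructed sample image (not captured from a real process) for testing."""
    image = bytearray(PEB64_MIN_SIZE)
    sample = {"BeingDebugged": being_debugged, "ImageBaseAddress": 0x7FF6A1230000,
              "Ldr": 0x7FFD9C1E53A0, "ProcessParameters": 0x1E2B4E02190,
              "OSMajorVersion": 10, "OSMinorVersion": 0, "OSBuildNumber": 19045,
              "OSPlatformId": 2, "ImageSubsystem": 2, "SessionId": 1}  # WIN32_NT, GUI subsystem
    for name, value in sample.items():
        off, fmt = PEB64_FIELDS[name]
        struct.pack_into(fmt, image, off, value)
    return bytes(image)
```

The same table-driven approach extends to the remaining fields by adding their offsets; a 32-bit PEB needs a separate table because every pointer-sized member shifts.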

Example: Accessing the PEB in C

#include <windows.h>
#include <winternl.h>   // public declarations of PEB, PEB_LDR_DATA, RTL_USER_PROCESS_PARAMETERS
#include <intrin.h>     // __readgsqword / __readfsdword compiler intrinsics
#include <stdio.h>

/*
 * winternl.h already declares PEB, PEB_LDR_DATA and RTL_USER_PROCESS_PARAMETERS
 * (partially, with Reserved* padding) and exposes exactly the members used here:
 *
 *   PEB                         -> BeingDebugged, Ldr, ProcessParameters
 *   PEB_LDR_DATA                -> InMemoryOrderModuleList
 *   RTL_USER_PROCESS_PARAMETERS -> ImagePathName, CommandLine
 *
 * Redefining those struct tags after including the header is a compile error,
 * so this program uses the header's definitions rather than its own copies.
 */

int main(void)
{
    // The gs (x64) or fs (x86) segment base is the current thread's TEB; the TEB
    // stores the PEB pointer at offset 0x60 on x64 and at offset 0x30 on 32-bit Windows.
#if defined(_M_X64) || defined(__x86_64__)
    PPEB pPeb = (PPEB)__readgsqword(0x60);
#else
    PPEB pPeb = (PPEB)__readfsdword(0x30);
#endif

    // ProcessParameters points at the RTL_USER_PROCESS_PARAMETERS startup block.
    PRTL_USER_PROCESS_PARAMETERS params = pPeb->ProcessParameters;

    // %wZ is a Microsoft CRT extension that prints a UNICODE_STRING using its Length
    // (in bytes); the Buffer is not guaranteed to be NUL-terminated, so it is not
    // safe to hand Buffer to %ls directly.
    wprintf(L"ImagePathName: %wZ\n", &params->ImagePathName);
    wprintf(L"CommandLine: %wZ\n", &params->CommandLine);
    return 0;
}

Detailed Explanation

Retrieving the PEB:

  • In a 64-bit Windows process the base of the gs segment register is the current thread's TEB, and the TEB stores the PEB pointer at offset 0x60. __readgsqword(0x60) is a compiler intrinsic that reads that 8-byte value directly, with no API call. (A 32-bit process keeps its TEB in fs and the PEB pointer at offset 0x30, read with __readfsdword(0x30).)

Accessing ProcessParameters:

  • Once the PEB is retrieved, the ProcessParameters pointer is accessed, which points to the RTL_USER_PROCESS_PARAMETERS structure.

Printing ImagePathName and CommandLine:

  • The ImagePathName and CommandLine fields are both UNICODE_STRING structures, which contain a length in bytes, a maximum length, and a pointer to the wide-character buffer. The buffer is not guaranteed to be NUL-terminated, so the wprintf %wZ format specifier (a Microsoft CRT extension that honours the Length field) is the right way to print these UNICODE_STRING values.

This code retrieves and prints the full path of the executable and the command-line arguments of the current process by accessing the PEB and its associated structures.

#PEB #WindowsInternals #ReverseEngineering

Written by Nikhil gupta

Incident Response, Threat Hunting, and Reverse Engineering professional, writing things to learn them better. https://www.linkedin.com/in/nikhilnow/
