HI!
I can't find info about Process Environment Block (PEB). Any links to infoa or structure are welcome!
Posted on 2003-07-08 03:55:27 by ionik
http://www.masmforum.com/website/tutorials/kmdtute/index.html
Posted on 2003-07-08 11:24:48 by Four-F
2 Four-F
??????? ?? ????? ??????? ? ?????? :alright: ?????! ???? ???? ??? ????-???? ???????;) , ??????? ???? ??? ????????? Thread Information Block (TIB) (? ??? ?????, ??? ??? NT ??? ??????????: "Thread Environment Block (TEB)") ??? 9? ? NT (??? ????? ??????????).
Posted on 2003-07-09 19:11:51 by ionik
?? ?????? ????? ?????????? ?? wasm.ru.

The above structures were fetched from *.pdb files. So I'm 100% sure they are correct. At least for w2k+sp2, wxp+sp1 and w2k3 Release Candidate 2 respectively. But the TEB structure is fully undocumented. There is no one even in m$'s *.pdb files. I have about 5 or 6 different definition that i've found around, but neither is 100% correct, IMHO. You can follow this link http://www.securitybugware.org/NT/5966.html
The definition you'll find there is very very close to reality, at least under w2k. May be it accurate for some different windows version. I don't know. If you'll manage to get some trusty info, please, let me know.

The only things i'm sure is below. The sizeof TEB = 0FA4h under Windows 2000.



[size=9]
NT_TIB STRUCT ; sizeof = 1Ch
ExceptionList PVOID ? ; PTR EXCEPTION_REGISTRATION_RECORD
StackBase PVOID ? ; 04h
StackLimit PVOID ? ; 08h
SubSystemTib PVOID ? ; 0Ch
union
FiberData PVOID ? ; 10h
Version DWORD ? ; 10h
ends
ArbitraryUserPointer PVOID ? ; 14h
Self PVOID ? ; 18h PTR NT_TIB
NT_TIB ENDS
PNT_TIB typedef PTR NT_TIB

TEB STRUCT
Tib NT_TIB <> ; 000h
EnvironmentPointer PVOID ? ; 01Ch
Cid CLIENT_ID <> ; 020h
ActiveRpcInfo PVOID ? ; 028h
ThreadLocalStoragePointer PVOID ? ; 02Ch
Peb PVOID ? ; 030h PTR PEB
LastErrorValue DWORD ? ; 034h
. . . .
TEB ENDS
PTEB typedef PTR TEB
[/size]
Posted on 2003-07-10 17:24:59 by Four-F