0x30 of the TIB (on Win32?) points to the PEB. NtCurrentTeb() -> ProcessEnvironmentBlock PEB.BeingDebugged indicates if a debugger is attached. ebx register (x64: rbx) register points to the PEB when an exe's entry point is called. peb.c) as github gist which gets a pointer to the PEB for every architecture that NT was ported to (x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, PowerPC). This source relies on Visual-C compiler intrinsics. - __readfsdword(0x30), for x64, it is __readgsqword(0x60).