Search notes:

PEB - Windows Process Environment Block

PEB is the Windows Process Environment block

Offset 0x30 of the TIB (on Win32?) points to the PEB.

The PEB can be programatically found with NtCurrentTeb() -> ProcessEnvironmentBlock

PEB.BeingDebugged indicates if a debugger is attached.

It seems like the ebx register (x64: rbx) register points to the PEB when an exe's entry point is called.

peb.c

Wack0 has written a small c source file (peb.c) as github gist which gets a pointer to the PEB for every architecture that NT was ported to (x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, PowerPC). This source relies on Visual-C compiler intrinsics. -

For x86, the relevant instruction is __readfsdword(0x30), for x64, it is __readgsqword(0x60).

I have allowed myself to fork this gist here.

Index

Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error: 8 attempt to write a readonly database in /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php:78 Stack trace: #0 /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php(78): PDOStatement->execute(Array) #1 /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php(30): insert_webrequest_('/notes/Windows/...', 1758931678, '216.73.216.5', 'Mozilla/5.0 App...', NULL) #2 /home/httpd/vhosts/renenyffenegger.ch/httpsdocs/notes/Windows/development/process/PEB(54): insert_webrequest() #3 {main} thrown in /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php on line 78