In [[computing]] the '''Process Environment Block''' (abbreviated '''PEB''') is a data structure in the [[Windows NT]] operating system family. It is an [[opaque data type|opaque data structure]] that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system.<ref name=Nagar1997 /> Microsoft notes, in its [[MSDN Library]] documentation, which documents only a few of the fields, that the structure "may be altered in future versions of Windows".<ref name=MSDN1 /> The PEB contains data structures that apply across a whole [[process (computing)|process]], including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide [[mutual exclusion]] for process-wide data structures.<ref name=Nagar1997 />

The PEB is closely associated with the [[kernel mode]] <syntaxhighlight lang=cpp inline>EPROCESS</syntaxhighlight> data structure, as well as with per-process data structures managed within the address space of the [[Client/Server Runtime Subsystem|Client-Server Runtime Sub-System]] process. However, like the CSRSS data structures, the PEB is not a kernel mode data structure itself. It resides in the user-mode address space of the process that it relates to, because it is designed to be used by the user-mode code in the operating system libraries, such as [[ntdll.dll|NTDLL]], that executes outside of kernel mode, for example the program image loader and the heap manager.<ref name=Internals5 /> Each thread reaches the PEB through its [[Win32 Thread Information Block|Thread Information Block]] (the TIB, which is the first part of the TEB): the pointer to the PEB is at TIB offset 0x30 on 32-bit x86, where the TIB is addressed through the <code>FS</code> segment (<code>fs:[0x30]</code>), and at offset 0x60 on x64, where it is addressed through <code>GS</code> (<code>gs:[0x60]</code>). Because the PEB is ordinary writable memory of the process, any code running in the process can read and alter it, so its contents are not a trustworthy input for a security decision taken inside that process.

In [[WinDbg]], the command that dumps the contents of a PEB is the <code>!peb</code> command. In a kernel debugging session it is passed the address of the PEB within a process' user-mode address space; that address, in turn, is obtained from the <code>!process</code> command, which displays the information from the <syntaxhighlight lang=cpp inline>EPROCESS</syntaxhighlight> data structure, one of whose fields is the address of the PEB.<ref name=Internals5 /> In a user-mode debugging session <code>!peb</code> with no argument dumps the PEB of the process being debugged, and <code>dt nt!_PEB</code> (with kernel symbols) or <code>dt ntdll!_PEB</code> prints the field layout of the running build.
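The programmatic counterpart of the debugger commands above, as an added example that is not part of this article or of any of its cited sources: locate the PEB with the documented <code>NtQueryInformationProcess(ProcessBasicInformation)</code> call and decode a few fields from the raw bytes, using the offsets of the 32-bit <code>dt nt!_PEB</code> listing given later on this page. The 64-bit offset table, the <code>build_sample_peb</code> helper and the sample PEB image it constructs are the example's own assumptions and test data, not material from the page; off Windows the script runs against the constructed image only.

```python
"""Locate a process's PEB and decode some of its fields from the raw bytes.

Added example, not code from the page's sources.  The 32-bit offsets are the
ones in the ``dt nt!_PEB`` listing on this page; the 64-bit offsets are an
assumption taken from a 64-bit ``dt nt!_PEB`` (Windows 7 to 10) and, like all
PEB offsets, must be checked against the target build.
"""
import ctypes
import struct
import sys

VER_PLATFORM_WIN32_NT = 2

# field name -> (offset, struct format character); all fields are little-endian
PEB_LAYOUT = {
    32: {
        "BeingDebugged": (0x002, "B"), "ImageBaseAddress": (0x008, "I"),
        "Ldr": (0x00C, "I"), "ProcessParameters": (0x010, "I"),
        "NtGlobalFlag": (0x068, "I"), "OSMajorVersion": (0x0A4, "I"),
        "OSMinorVersion": (0x0A8, "I"), "OSBuildNumber": (0x0AC, "H"),
        "OSCSDVersion": (0x0AE, "H"), "OSPlatformId": (0x0B0, "I"),
        "SessionId": (0x1D4, "I"),
    },
    64: {  # assumption: x64 layout, not on the page; see module docstring
        "BeingDebugged": (0x002, "B"), "ImageBaseAddress": (0x010, "Q"),
        "Ldr": (0x018, "Q"), "ProcessParameters": (0x020, "Q"),
        "NtGlobalFlag": (0x0BC, "I"), "OSMajorVersion": (0x118, "I"),
        "OSMinorVersion": (0x11C, "I"), "OSBuildNumber": (0x120, "H"),
        "OSCSDVersion": (0x122, "H"), "OSPlatformId": (0x124, "I"),
        "SessionId": (0x2C0, "I"),
    },
}


def peb_image_size(bits):
    """Bytes needed to cover every field in PEB_LAYOUT[bits]."""
    return max(off + struct.calcsize("<" + fmt) for off, fmt in PEB_LAYOUT[bits].values())


def decode_peb(raw, bits):
    """Decode the PEB_LAYOUT[bits] fields from `raw`, the bytes at the PEB base.

    `raw` may come from ReadProcessMemory on another process, from the process
    itself, or from a memory dump; a buffer that is too short raises ValueError."""
    if len(raw) < peb_image_size(bits):
        raise ValueError(f"PEB image too short: {len(raw)} < {peb_image_size(bits)} bytes")
    return {name: struct.unpack_from("<" + fmt, raw, off)[0]
            for name, (off, fmt) in PEB_LAYOUT[bits].items()}


def summarize(fields):
    """Reduce the decoded fields to what an analyst usually asks first."""
    return {
        "debugger_attached": bool(fields["BeingDebugged"]),
        "os_version": "%d.%d build %d" % (fields["OSMajorVersion"],
                                          fields["OSMinorVersion"],
                                          fields["OSBuildNumber"]),
        "platform_is_nt": fields["OSPlatformId"] == VER_PLATFORM_WIN32_NT,
        "session_id": fields["SessionId"],
        "image_base": fields["ImageBaseAddress"],
        "ldr": fields["Ldr"],
    }


def build_sample_peb(bits, **values):
    """Construct a zero-filled PEB image with the named fields set (test data only)."""
    buf = bytearray(peb_image_size(bits))
    for name, value in values.items():
        off, fmt = PEB_LAYOUT[bits][name]
        struct.pack_into("<" + fmt, buf, off, value)
    return bytes(buf)


def read_live_peb():
    """On Windows, return (bits, raw PEB bytes) of the current process, else None.

    NtQueryInformationProcess(ProcessBasicInformation) is the documented way to
    obtain PebBaseAddress; the same call works on a handle to another process,
    paired with ReadProcessMemory instead of ctypes.string_at."""
    if sys.platform != "win32":
        return None
    bits = ctypes.sizeof(ctypes.c_void_p) * 8

    class PROCESS_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("ExitStatus", ctypes.c_long),
                    ("PebBaseAddress", ctypes.c_void_p),
                    ("AffinityMask", ctypes.c_void_p),
                    ("BasePriority", ctypes.c_long),
                    ("UniqueProcessId", ctypes.c_void_p),
                    ("InheritedFromUniqueProcessId", ctypes.c_void_p)]

    kernel32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    pbi = PROCESS_BASIC_INFORMATION()
    status = ntdll.NtQueryInformationProcess(
        ctypes.c_void_p(kernel32.GetCurrentProcess()), 0,   # 0 = ProcessBasicInformation
        ctypes.byref(pbi), ctypes.sizeof(pbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return bits, ctypes.string_at(pbi.PebBaseAddress, peb_image_size(bits))


if __name__ == "__main__":
    live = read_live_peb()
    if live is None:
        # Constructed sample: a debugged 32-bit process on 6.1 build 7601, session 1.
        live = (32, build_sample_peb(32, BeingDebugged=1, ImageBaseAddress=0x00400000,
                                     Ldr=0x77D00000, OSMajorVersion=6, OSMinorVersion=1,
                                     OSBuildNumber=7601, OSPlatformId=2, SessionId=1))
    bits, raw = live
    for key, value in summarize(decode_peb(raw, bits)).items():
        print(f"{key}: {value:#x}" if key in ("image_base", "ldr") else f"{key}: {value}")
```

The decoder is deliberately table driven: the only thing that changes between Windows builds is the offset table, which is exactly what <code>dt nt!_PEB</code> prints, so a new build means a new table entry rather than new parsing code.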
|||
==Contents of the PEB==

{| class="wikitable sortable"
|+ Fields of the PEB that are documented by Microsoft<ref name=MSDN1 />
|-
! Field !! meaning !! notes
|-
| <code>BeingDebugged</code> || Whether the process is being debugged || Microsoft recommends not using this field but using the official Win32 <syntaxhighlight lang=cpp inline>CheckRemoteDebuggerPresent()</syntaxhighlight> library function instead.<ref name=MSDN1 /> The kernel sets the byte when a debugger attaches, and <syntaxhighlight lang=cpp inline>IsDebuggerPresent()</syntaxhighlight> simply returns it; since the PEB is writable by the process, the byte can also be cleared from inside the process, so it is a weak signal in either direction.
|-
| <code>Ldr</code> || A pointer to a <syntaxhighlight lang=cpp inline>PEB_LDR_DATA</syntaxhighlight> structure providing information about loaded modules || Its three doubly linked lists of <syntaxhighlight lang=cpp inline>LDR_DATA_TABLE_ENTRY</syntaxhighlight> records (in load order, memory order and initialization order) give the base address of every loaded module, including [[ntdll]] and [[kernel32]]; code that must resolve API addresses without an import table, such as position-independent shellcode, typically walks these lists.
|-
| <code>ProcessParameters</code> || A pointer to a <syntaxhighlight lang=cpp inline>RTL_USER_PROCESS_PARAMETERS</syntaxhighlight> structure providing information about process startup parameters || The <syntaxhighlight lang=cpp inline>RTL_USER_PROCESS_PARAMETERS</syntaxhighlight> structure is also mostly opaque and not guaranteed to be consistent across multiple versions of Windows.<ref name=MSDN3 /> Among other things it holds the image path, the command line, the current directory and the environment block.
|-
| <code>PostProcessInitRoutine</code> || A pointer to a callback function called after DLL initialization but before the main executable code is invoked || This callback function is used on [[Windows 2000]], but is not guaranteed to be used on later versions of Windows NT.<ref name=MSDN1 />
|-
| <code>SessionId</code> || The session ID of the Terminal Services session that the process is part of || The <syntaxhighlight lang=cpp inline>NtCreateUserProcess()</syntaxhighlight> system call initializes this by calling the kernel's internal <syntaxhighlight lang=cpp inline>MmGetSessionId()</syntaxhighlight> function.<ref name=Internals5 />
|}

The contents of the PEB are initialized by the <syntaxhighlight lang=cpp inline>NtCreateUserProcess()</syntaxhighlight> system call, the [[Native API]] function that implements part of, and underpins, the Win32 <syntaxhighlight lang=cpp inline>CreateProcess()</syntaxhighlight>, <syntaxhighlight lang=cpp inline>CreateProcessAsUser()</syntaxhighlight>, <syntaxhighlight lang=cpp inline>CreateProcessWithTokenW()</syntaxhighlight>, and <syntaxhighlight lang=cpp inline>CreateProcessWithLogonW()</syntaxhighlight> library functions that are in [[Microsoft Windows library files|the kernel32.dll and advapi32.dll libraries]], as well as underpinning the <code>[[fork (system call)|fork()]]</code> function in the [[Microsoft POSIX subsystem|Windows NT POSIX]] library, posix.dll.<ref name=Internals5 />

For Windows NT POSIX processes, the contents of a new process' PEB are initialized by <syntaxhighlight lang=cpp inline>NtCreateUserProcess()</syntaxhighlight> as simply a direct copy of the parent process' PEB, in line with how the <syntaxhighlight lang=cpp inline>fork()</syntaxhighlight> function operates. For Win32 processes, the initial contents of a new process' PEB are mainly taken from global variables maintained within the kernel. However, several fields may instead be taken from information provided within the process' image file, in particular information provided in the <syntaxhighlight lang=cpp inline>IMAGE_OPTIONAL_HEADER32</syntaxhighlight> data structure within the [[Portable Executable|PE]] file format (<syntaxhighlight lang=cpp inline>IMAGE_OPTIONAL_HEADER64</syntaxhighlight> in PE32+ images, that is, in 64-bit executable images).<ref name=Internals5 />

{| class="wikitable sortable"
|+ Fields from a PEB that are initialized from kernel global variables<ref name=Internals5 />
|-
! Field !! is initialized from !! overridable by PE information?
|-
| <code>NumberOfProcessors</code> || <code>KeNumberOfProcessors</code> || {{no}}
|-
| <code>NtGlobalFlag</code> || <code>NtGlobalFlag</code> || {{no}}
|-
| <code>CriticalSectionTimeout</code> || <code>MmCriticalSectionTimeout</code> || {{no}}
|-
| <code>HeapSegmentReserve</code> || <code>MmHeapSegmentReserve</code> || {{no}}
|-
| <code>HeapSegmentCommit</code> || <code>MmHeapSegmentCommit</code> || {{no}}
|-
| <code>HeapDeCommitTotalFreeThreshold</code> || <code>MmHeapDeCommitTotalFreeThreshold</code> || {{no}}
|-
| <code>HeapDeCommitFreeBlockThreshold</code> || <code>MmHeapDeCommitFreeBlockThreshold</code> || {{no}}
|-
| <code>MinimumStackCommit</code> || <code>MmMinimumStackCommitInBytes</code> || {{no}}
|-
| <code>ImageProcessAffinityMask</code> || <code>KeActiveProcessors</code> || {{Yes|<syntaxhighlight lang=cpp inline>ImageLoadConfigDirectory.ProcessAffinityMask</syntaxhighlight>}}
|-
| <code>OSMajorVersion</code> || <code>NtMajorVersion</code> || {{Yes|<syntaxhighlight lang=cpp inline>OptionalHeader.Win32VersionValue & 0xFF</syntaxhighlight>}}
|-
| <code>OSMinorVersion</code> || <code>NtMinorVersion</code> || {{Yes|<syntaxhighlight lang=cpp inline>(OptionalHeader.Win32VersionValue >> 8) & 0xFF</syntaxhighlight>}}
|-
| <code>OSBuildNumber</code> || <syntaxhighlight lang=cpp inline>NtBuildNumber & 0x3FFF</syntaxhighlight> || {{Yes|<syntaxhighlight lang=cpp inline>(OptionalHeader.Win32VersionValue >> 16) & 0x3FFF</syntaxhighlight>}}
|-
| <code>OSCSDVersion</code> || <code>CmNtCSDVersion</code> || {{Yes|<syntaxhighlight lang=cpp inline>ImageLoadConfigDirectory.CSDVersion</syntaxhighlight>}}
|-
| <code>OSPlatformId</code> || <syntaxhighlight lang=cpp inline>VER_PLATFORM_WIN32_NT</syntaxhighlight> || {{Yes|<syntaxhighlight lang=cpp inline>(OptionalHeader.Win32VersionValue >> 30) ^ 0x2</syntaxhighlight>}}
|}

The <code>0x3FFF</code> masks are as given by the cited source, which predates Windows 10; a 14-bit field cannot hold build numbers above 16383, so the exact masking should be checked against the build in question with a debugger. Because a non-zero <code>Win32VersionValue</code> replaces the kernel's version numbers in the PEB, and the version-query functions running in the process read these PEB fields, an image can make itself see a different Windows version. This is an application-compatibility mechanism and not a security boundary: the PEB is writable by the process in any case.

===32-bit field layout===

The listing below, carried over from the first revision of this page, is the layout of a 32-bit PEB as printed by the WinDbg <code>dt nt!_PEB</code> command (offset, field name, type; the <code>Pos n, m Bits</code> entries are bit fields within the member that precedes them). The Windows version it was taken from was not recorded, and later versions differ.

<pre>
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsLegacyProcess : Pos 2, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
+0x003 SpareBits : Pos 5, 3 Bits
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : Ptr32 Void
+0x024 IFEOKey : Ptr32 Void
+0x028 CrossProcessFlags : Uint4B
+0x028 ProcessInJob : Pos 0, 1 Bit
+0x028 ProcessInitializing : Pos 1, 1 Bit
+0x028 ProcessUsingVEH : Pos 2, 1 Bit
+0x028 ProcessUsingVCH : Pos 3, 1 Bit
+0x028 ReservedBits0 : Pos 4, 28 Bits
+0x02c KernelCallbackTable : Ptr32 Void
+0x02c UserSharedInfoPtr : Ptr32 Void
+0x030 SystemReserved : [1] Uint4B
+0x034 SpareUlong : Uint4B
+0x038 SparePebPtr0 : Uint4B
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [2] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 HotpatchInformation : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ActiveProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [34] Uint4B
+0x14c PostProcessInitRoutine : Ptr32 void
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [32] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x208 MinimumStackCommit : Uint4B
+0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
+0x210 FlsListHead : _LIST_ENTRY
+0x218 FlsBitmap : Ptr32 Void
+0x21c FlsBitmapBits : [4] Uint4B
+0x22c FlsHighIndex : Uint4B
+0x230 WerRegistrationData : Ptr32 Void
+0x234 WerShipAssertPtr : Ptr32 Void
</pre>

The [[WineHQ]] project provides a fuller PEB definition in its version of winternl.h.<ref name=wine-winternl>{{cite web |title=wine winternl.h: typedef struct _PEB |url=https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L269 |website=GitHub |publisher=wine-mirror |date=29 October 2019}}</ref> Later versions of Windows have adjusted the number and purpose of some fields.<ref>{{cite web |last1=Chappell |first1=Geoff |title=PEB |url=https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm |accessdate=30 October 2019}}</ref>

== References ==

<references>

<ref name=Nagar1997>{{cite book|title=Windows NT file system internals: a developer's guide|series=O'Reilly Series|author=Rajeev Nagar|publisher=O'Reilly|year=1997|isbn=9781565922495|pages=[https://archive.org/details/windowsntfilesys00naga/page/129 129]|url-access=registration|url=https://archive.org/details/windowsntfilesys00naga/page/129}}</ref>

<ref name=MSDN1>{{cite web|work=[[MSDN Library]]|publisher=[[Microsoft]]|title=Process and Thread structures: PEB Structure|url=http://msdn.microsoft.com/library/aa813706(VS.85).aspx|date=2010-07-15|accessdate=2010-07-15|archive-url=https://web.archive.org/web/20121022182726/http://msdn.microsoft.com/library/aa813706(VS.85).aspx|archive-date=2012-10-22|url-status=dead}}</ref>

<ref name=MSDN3>{{cite web|work=[[MSDN Library]]|publisher=[[Microsoft]]|title=Process and Thread structures: RTL_USER_PROCESS_PARAMETERS Structure|url=http://msdn.microsoft.com/library/aa813741(VS.85).aspx|date=2010-07-15|accessdate=2010-07-15}}</ref>

<ref name=Internals5>{{cite book|title=Windows internals|series=Microsoft Press Series|author=[[Mark Russinovich|Mark E. Russinovich]], David A. Solomon, and Alex Ionescu|edition=5th|publisher=Microsoft Press|year=2009|isbn=9780735625303|pages=335–336,341–342,348,357–358}}</ref>

</references>

==External links==

* [https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_PEB PEB definitions for various Windows versions]

[[Category:Windows NT architecture]]

[[Category:Data structures by computing platform]]
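The override rules from the table of PEB fields initialized from kernel global variables, worked through as an added example that is not code from this article or from its cited sources: read <code>Win32VersionValue</code> out of a PE header, apply the masks from the table to predict the version fields a new process's PEB would receive on a kernel with given <code>NtMajorVersion</code>/<code>NtMinorVersion</code>/<code>NtBuildNumber</code> values, and build the inverse value that makes the PEB report a chosen version. The "zero means no override" condition, the <code>build_minimal_pe32</code> helper and the sample header bytes it produces are this example's own assumptions and constructed test data. The load-configuration overrides (<code>CSDVersion</code>, <code>ProcessAffinityMask</code>) are not handled, because they need a data-directory walk that is beside the point here.

```python
"""Predict the OS-version fields a new process's PEB receives from its image.

Added example, not code from the page's sources.  It applies the rules in the
table "Fields from a PEB that are initialized from kernel global variables":
the kernel seeds OSMajorVersion/OSMinorVersion/OSBuildNumber/OSPlatformId from
its own globals, and a non-zero Win32VersionValue in the PE optional header
overrides them.  Treating zero as "no override" is this example's assumption.
"""
import struct

VER_PLATFORM_WIN32_NT = 2
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
WIN32_VERSION_VALUE_OFFSET = 0x34   # same offset in IMAGE_OPTIONAL_HEADER32 and 64
IMAGE_FILE_HEADER_SIZE = 20


def read_win32_version_value(image):
    """Return OptionalHeader.Win32VersionValue from a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 4 + IMAGE_FILE_HEADER_SIZE          # start of the optional header
    if len(image) < opt + WIN32_VERSION_VALUE_OFFSET + 4:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return struct.unpack_from("<I", image, opt + WIN32_VERSION_VALUE_OFFSET)[0]


def decode_win32_version_value(value):
    """Split Win32VersionValue into the PEB fields it overrides (the table's masks)."""
    return {
        "OSMajorVersion": value & 0xFF,
        "OSMinorVersion": (value >> 8) & 0xFF,
        "OSBuildNumber": (value >> 16) & 0x3FFF,
        "OSPlatformId": (value >> 30) ^ 0x2,
    }


def encode_win32_version_value(major, minor, build, platform_id=VER_PLATFORM_WIN32_NT):
    """Inverse of decode: the header value that makes the PEB report this version.

    Note the 14-bit build field: builds above 16383 cannot be expressed at all."""
    if not (0 <= major <= 0xFF and 0 <= minor <= 0xFF
            and 0 <= build <= 0x3FFF and 0 <= platform_id <= 3):
        raise ValueError("version field out of range")
    return major | (minor << 8) | (build << 16) | ((platform_id ^ 0x2) << 30)


def predict_peb_versions(image, nt_major, nt_minor, nt_build_number):
    """PEB version fields for `image` on a kernel whose globals are the given values."""
    peb = {"OSMajorVersion": nt_major,
           "OSMinorVersion": nt_minor,
           "OSBuildNumber": nt_build_number & 0x3FFF,
           "OSPlatformId": VER_PLATFORM_WIN32_NT}
    value = read_win32_version_value(image)
    if value:                                            # assumption: zero = no override
        peb.update(decode_win32_version_value(value))
    return peb


def build_minimal_pe32(win32_version_value):
    """Construct just enough of a PE32 header to exercise the parser (test data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, no sections, SizeOfOptionalHeader=0xE0, EXE|32-bit
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, WIN32_VERSION_VALUE_OFFSET, win32_version_value)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # A kernel reporting 6.1 build 7601, and an image that asks to be shown 5.1 build 2600.
    spoof = encode_win32_version_value(5, 1, 2600)
    for label, image in (("clean header", build_minimal_pe32(0)),
                         ("Win32VersionValue set", build_minimal_pe32(spoof))):
        print(f"{label:>22}: {predict_peb_versions(image, 6, 1, 7601)}")
```

Run against a real binary with <code>predict_peb_versions(open(path, "rb").read(), ...)</code>; linkers normally leave <code>Win32VersionValue</code> at zero, so a non-zero value in a sample is worth a second look. The <code>0x3FFF</code> mask is taken from the table and, as the range check in the encoder makes explicit, cannot represent build numbers above 16383, which is why the example uses a build number from the era of the cited source.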
Latest revision as of 05:00, 8 June 2021