Process Environment Block (PEB)
The Process Environment Block (PEB) is a user-mode data structure that provides information about the current process. It is a crucial component used by the Windows loader and various debugging and inspection tools.
PEB Structure Overview
```c
// Offsets shown are for a 64-bit process.
typedef struct _PEB {
    BYTE  InheritedAddressSpace;                     // 0x000
    BYTE  ReadImageFileExecOptions;                  // 0x001
    BYTE  BeingDebugged;                             // 0x002
    BYTE  BitField;                                  // 0x003
    VOID* Mutant;                                    // 0x008
    VOID* ImageBaseAddress;                          // 0x010
    VOID* Ldr;                                       // 0x018 (PPEB_LDR_DATA)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;  // 0x020
    // ... many more fields ...
} PEB, *PPEB;
```
Key Fields
| Field | Offset (x64) | Description |
|---|---|---|
| InheritedAddressSpace | 0x000 | Indicates whether the process inherits the address space of its parent. |
| BeingDebugged | 0x002 | Non-zero if a debugger is attached; this is the byte IsDebuggerPresent() reads. |
| ImageBaseAddress | 0x010 | Base address at which the executable image is loaded. |
| Ldr | 0x018 | Pointer to PEB_LDR_DATA, which holds the loaded-module lists. |
| ProcessParameters | 0x020 | Pointer to an RTL_USER_PROCESS_PARAMETERS structure (image path, command line, environment). |
Retrieving the PEB in C/C++
```c
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")
// NtCurrentPeb() comes from the NTDLL headers, not the public SDK; if it is not
// declared, read the PEB pointer from the TEB (0x60 on x64, 0x30 on x86).
// This relies on the _PEB definition shown above being in scope.
#ifndef NtCurrentPeb
#ifdef _WIN64
#define NtCurrentPeb() ((PPEB)__readgsqword(0x60))
#else
#define NtCurrentPeb() ((PPEB)__readfsdword(0x30))
#endif
#endif

int main(void) {
    PPEB peb = NtCurrentPeb(); // NTDLL macro that returns the PEB pointer
    wprintf(L"BeingDebugged: %d\n", peb->BeingDebugged);
    wprintf(L"ImageBaseAddress: %p\n", peb->ImageBaseAddress);
    wprintf(L"ProcessParameters address: %p\n", peb->ProcessParameters);
    return 0;
}
```
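The same field offsets apply to a raw memory snapshot as well as to a live process, which is how memory-forensics tools recover a process's image base and parameters from a dump. The decoder below is an added example, not code from this page: it uses the x64 offsets from the table above, also handles the 32-bit layout (ImageBaseAddress at 0x08, ProcessParameters at 0x10, 4-byte pointers), and runs on a constructed sample buffer; the names parse_peb, peb_view, peb_looks_valid and SAMPLE_PEB_X64 are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the PEB fields from the table above. */
typedef struct {
    uint8_t  being_debugged;       /* BeingDebugged */
    uint64_t image_base;           /* ImageBaseAddress */
    uint64_t process_parameters;   /* ProcessParameters */
} peb_view;

/* Read a pointer of ptr_size bytes at offset off (little-endian host assumed). */
static uint64_t read_ptr(const uint8_t *p, size_t off, size_t ptr_size) {
    uint64_t v = 0;
    memcpy(&v, p + off, ptr_size);
    return v;
}

/* Decode the head of a PEB from a raw memory snapshot. x64 offsets follow the
   struct above; on x86 the same fields sit at 0x08 / 0x10 with 4-byte pointers.
   Returns false if the buffer is too short to contain ProcessParameters. */
bool parse_peb(const uint8_t *buf, size_t len, bool is_x64, peb_view *out) {
    size_t ps       = is_x64 ? 8 : 4;
    size_t off_base = is_x64 ? 0x10 : 0x08;
    size_t off_pp   = is_x64 ? 0x20 : 0x10;
    if (buf == NULL || len < off_pp + ps) return false;
    out->being_debugged     = buf[0x02];
    out->image_base         = read_ptr(buf, off_base, ps);
    out->process_parameters = read_ptr(buf, off_pp, ps);
    return true;
}

/* Triage check: a live process has a non-zero, 64 KiB-aligned image base and a
   non-zero ProcessParameters pointer; anything else suggests a wrong PEB address. */
bool peb_looks_valid(const peb_view *v) {
    return v->image_base != 0 && (v->image_base & 0xFFFF) == 0 && v->process_parameters != 0;
}

/* Constructed x64 sample (not a real dump): BeingDebugged = 1,
   ImageBaseAddress = 0x7ff612340000, Ldr = 0x7ffc9a8b0000, ProcessParameters = 0x1c5e2a1f000. */
const uint8_t SAMPLE_PEB_X64[0x28] = {
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,  /* 0x00: flag bytes + padding */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* 0x08: Mutant */
    0x00, 0x00, 0x34, 0x12, 0xf6, 0x7f, 0x00, 0x00,  /* 0x10: ImageBaseAddress */
    0x00, 0x00, 0x8b, 0x9a, 0xfc, 0x7f, 0x00, 0x00,  /* 0x18: Ldr */
    0x00, 0xf0, 0xa1, 0xe2, 0xc5, 0x01, 0x00, 0x00,  /* 0x20: ProcessParameters */
};
```

Feed parse_peb the first 0x28 bytes found at the PEB address in a process dump; in a live process those are the bytes at NtCurrentPeb().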
Related Articles
- Process Parameters (RTL_USER_PROCESS_PARAMETERS)
- NTDLL Functions Overview
- Debugging a Process in Windows
- Virtual Address Space Layout