Process Environment Block (PEB)

The Process Environment Block (PEB) is a data structure that contains information about the process. Each process has a single PEB. It is maintained by the operating system and contains details such as loaded modules, command line arguments, heap information, and process startup information.

The PEB is not directly accessible via a public API function. It can be obtained indirectly by accessing the ProcessEnvironmentBlock member of the Thread Environment Block (TEB), or by using undocumented functions and structures. For most application development, direct interaction with the PEB is not required, as higher-level APIs abstract these details.

PEB Structure (Simplified and Conceptual)

The actual PEB structure is complex and can vary between Windows versions. Below is a conceptual representation of some key fields you might find.

`Reserved1[2]` (`PVOID`)

Reserved for system use. Typically an array of two pointers.

`BeingDebugged` (`BOOLEAN`)

A flag indicating whether the process is being debugged.

`Ldr` (`PPEB_LDR_DATA`)

A pointer to the loader data structure, which contains information about loaded modules (DLLs).

The PEB_LDR_DATA structure contains linked lists of initialized, uninitialized, and memory-order module data.

`ProcessParameters` (`PRTL_USER_PROCESS_PARAMETERS`)

A pointer to the process parameters structure, which includes information like the command line, environment variables, and current directory.

`Heap` (`PVOID`)

A pointer to the process's default process heap.

`FastPebLock` (`RTL_CRITICAL_SECTION`)

A critical section used for synchronizing access to certain PEB fields.

`AtlThunkSListPtr32` (`PVOID`)

Reserved for system use.

`PostProcessInitRoutine` (`PVOID`)

A pointer to a routine called after process initialization.

`Reserved2[3]` (`PVOID`)

Reserved for system use.

`PostFixupProtectionValue` (`ULONG`)

Used internally by the operating system.

`HasImageBaseAddressConsistencyChecker` (`BOOLEAN`)

Indicates if image base address consistency checks are enabled.

`LdrSizeOfHeapInBytes` (`ULONG`)

The size of the heap in bytes.

`PostPatchLoadState` (`PVOID`)

Reserved for system use.

`Reserved3[2]` (`PVOID`)

Reserved for system use.

`ParentMajorVersion`, `ParentMinorVersion` (`USHORT`)

Major and minor versions of the parent process.

`PatchEntryCount` (`USHORT`)

Number of patches applied to the executable.

`Reserved4[2]` (`USHORT`)

Reserved for system use.

`MinimumAlignment` (`ULONG`)

Minimum alignment for heap allocations.

`Reserved5[5]` (`PVOID`)

Reserved for system use.

`ImageSubsystemMajorVersion`, `ImageSubsystemMinorVersion` (`UCHAR`)

Major and minor versions of the image subsystem.

`ActiveProcessAffinityMask` (`ULONG_PTR`)

The active affinity mask for the process.

`GdiHeapHandle` (`PVOID`)

Handle to the GDI heap.

`GdiMemoryBufferHandle` (`PVOID`)

Handle to the GDI memory buffer.

`LoaderHeapHandle` (`PVOID`)

Handle to the loader heap.

`ProcessHeap` (`PVOID`)

Pointer to the process heap manager.

`FastPebLockRoutine` (`PVOID`)

Pointer to the routine that locks the PEB.

`FastPebUnlockRoutine` (`PVOID`)

Pointer to the routine that unlocks the PEB.

`EnvironmentUpdateCount` (`ULONG`)

Number of times the environment has been updated.

`KernelCallbackTable` (`PVOID`)

Pointer to the kernel callback table.

`SystemReserved[1]` (`PVOID`)

System reserved value.

`FreeList` (`PACTIVATION_CONTEXT_DATA`)

Pointer to the free list.

`TlsExpansionCounter` (`ULONG`)

Thread Local Storage (TLS) expansion counter.

`TlsBitmap` (`PVOID`)

Pointer to the TLS bitmap.

`TlsBitmapBits` (`SIZE_T`)

Size of the TLS bitmap bits.

`ReadOnlySharedMemoryBase`, `SharedMemoryBase` (`PVOID`)

Pointers to shared memory regions.

`HotPatchNoTenantIsolation` (`PVOID`)

Reserved for hot patching.

`SystemApplication তথ` (`ULONG`)

System application information.

`SystemReserved[2]` (`PVOID`)

System reserved values.

`Attributes` (`ULONG`)

Process attributes.

`ClientPebsCacheList` (`LIST_ENTRY`)

List of client PEB caches.

`SystemApplicationData` (`PVOID`)

System application data.

`ReservedForCsmf` (`PVOID`)

Reserved for CSMS (Common System Management Framework).

`MinimumStackCommit` (`ULONG`)

Minimum stack commit size.

`ReservedForAmd64` (`PVOID`)

Reserved for AMD64 architecture.

`SafeThunkEscalationFilter` (`ULONG`)

Safe thunk escalation filter value.

`ShutdownMode` (`ULONG`)

Process shutdown mode.

Related Concepts

Thread Environment Block (TEB): Contains information specific to a thread, including a pointer to the PEB.
Process Information: General information about processes.
Memory Management: Understanding memory structures is crucial when dealing with PEB and TEB.

Usage Notes

Directly manipulating the PEB is an advanced technique often used in low-level system programming, reverse engineering, or security research. For typical application development, rely on documented Win32 APIs to manage processes and their resources.