Process Environment Block

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computing the Process Environment Block (abbreviated PEB) is a data structure in Win32. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system.[1] Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows".[2] The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures.[1]

The PEB is closely associated with the kernel mode EPROCESS data structure, as well as with per-process data structures managed within the address space of the Client-Server Runtime Sub-System process. However, (like the CSRSS data structures) the PEB is not a kernel mode data structure itself. It resides in the application mode address space of the process that it relates to. This is because it is designed to be used by the application-mode code in the operating system libraries, such as NTDLL, that executes outside of kernel mode, such as the code for the program image loader and the heap manager.[3]

In WinDbg, the command that dumps the contents of a PEB is the !peb command, which is passed the address of the PEB within a process' application address space. That information, in turn, is obtained by the !process command, which displays the information from the EPROCESS data structure, one of whose fields is the address of the PEB.[3]

Structure of PEB[edit]

typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsLegacyProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN SpareBits : 1;
        };
    };
    HANDLE Mutant;
 
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ReservedBits0 : 27;
        };
        ULONG EnvironmentUpdateCount;
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved[1];
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PPVOID ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
 
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
 
    LARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;
 
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PPVOID ProcessHeaps;
 
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;
 
    PRTL_CRITICAL_SECTION LoaderLock;
 
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    ULONG_PTR ImageProcessAffinityMask;
    GDI_HANDLE_BUFFER GdiHandleBuffer;
    PVOID PostProcessInitRoutine;
 
    PVOID TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];
 
    ULONG SessionId;
 
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;
 
    UNICODE_STRING CSDVersion;
 
    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;
 
    SIZE_T MinimumStackCommit;
 
    PPVOID FlsCallback;
    LIST_ENTRY FlsListHead;
    PVOID FlsBitmap;
    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
    ULONG FlsHighIndex;
 
    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    PVOID pContextData;
    PVOID pImageHeaderHash;
    union
    {
        ULONG TracingFlags;
        struct
        {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
} PEB,*PPEB;
Fields of the PEB that are documented by Microsoft[2]
Field meaning notes
BeingDebugged Whether the process is being debugged Can be used for anti-debugging.
Ldr A pointer to a PEB_LDR_DATA structure providing information about loaded modules The PEB_LDR_DATA structure is also mostly opaque and not guaranteed to be consistent across multiple versions of Windows.[4]
ProcessParameters A pointer to a RTL_USER_PROCESS_PARAMETERS structure providing information about loaded modules The RTL_USER_PROCESS_PARAMETERS structure is also mostly opaque and not guaranteed to be consistent across multiple versions of Windows.[5]
PostProcessInitRoutine A pointer to a callback function called after DLL initialization but before the main executable code is invoked This callback function is used on Windows 2000, but is not guaranteed to be used on later versions of Windows NT.[2]
SessionId The session ID of the Terminal Services session that the process is part of The NtCreateUserProcess function initializes this by calling the kernel's internal MmGetSessionId function.[3]

The contents of the PEB are initialized by the NtCreateUserProcess() system call, the Native API function that implements part of, and underpins, the Win32 CreateProcess(), CreateProcessAsUser(), CreateProcessWithTokenW(), and CreateProcessWithLogonW() library functions that are in the kernel32.dll and advapi32.dll libraries as well as underpinning the fork() function in the Windows NT POSIX library, posix.dll.[3]

For Windows NT POSIX processes, the contents of a new process' PEB are initialized by NtCreateUserProcess() as simply a direct copy of the parent process' PEB, in line with how the fork() function operates. For Win32 processes, the initial contents of a new process' PEB are mainly taken from global variables maintained within the kernel. However, several fields may instead be taken from information provided within the process' image file, in particular information provided in the IMAGE_OPTIONAL_HEADER32 data structure within the PE file format (PE+ or PE32+ in 64 bit executable images).[3]

Fields from a PEB that are initialized from kernel global variables[3]
Field is initialized from overridable by PE information?
NumberOfProcessors KeNumberOfProcessors No
NtGlobalFlag NtGlobalFlag No
CriticalSectionTimeout MmCriticalSectionTimeout No
HeapSegmentReserve MmHeapSegmentReserve No
HeapSegmentCommit MmHeapSegmentCommit No
HeapDeCommitTotalFreeThreshold MmHeapDeCommitTotalFreeThreshold No
HeapDeCommitFreeBlockThreshold MmHeapDeCommitFreeBlockThreshold No
MinimumStackCommit MmMinimumStackCommitInBytes No
ImageProcessAffinityMask KeActiveProcessors ImageLoadConfigDirectory.ProcessAffinityMask
OSMajorVersion NtMajorVersion OptionalHeader.Win32VersionValue & 0xFF
OSMinorVersion NtMinorVersion (OptionalHeader.Win32VersionValue >> 8) & 0xFF
OSBuildNumber NtBuildNumber & 0x3FFF combined with CmNtCSDVersion (OptionalHeader.Win32VersionValue >> 16) & 0x3FFF combined with ImageLoadConfigDirectory.CmNtCSDVersion
OSPlatformId VER_PLATFORM_WIN32_NT (OptionalHeader.Win32VersionValue >> 30) ^ 0x2

References[edit]

  1. ^ a b Rajeev Nagar (1997). Windows NT file system internals: a developer's guide. O'Reilly Series. O'Reilly. p. 129. ISBN 9781565922495. 
  2. ^ a b c "Process and Thread structures: PEB Structure". MSDN Library. Microsoft. 2010-07-15. Retrieved 2010-07-15. 
  3. ^ a b c d e f Mark E. Russinovich, David A. Solomon, and Alex Ionescu (2009). Windows internals. Microsoft Press Series (5th ed.). Microsoft Press. pp. 335–336,341–342,348,357–358. ISBN 9780735625303. 
  4. ^ "Process and Thread structures: PEB_LDR_DATA Structure". MSDN Library. Microsoft. 2010-07-15. Retrieved 2010-07-15. 
  5. ^ "Process and Thread structures: RTL_USER_PROCESS_PARAMETERS Structure". MSDN Library. Microsoft. 2010-07-15. Retrieved 2010-07-15.