Author Topic: TIB and PEB  (Read 4128 times)

xanatose

TIB and PEB
« on: October 24, 2015, 02:13:23 PM »
I found some references on the Thread Information Block (TIB) and the Process Environment Block (PEB) under Win32, using the FS register.

https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

However, I would like to get the same information for Win64. Does anyone know where to get the information?
« Last Edit: October 24, 2015, 03:25:11 PM by xanatose »

TWell

Re: TIB and PEB
« Reply #1 on: October 25, 2015, 01:59:17 AM »
Tell me more about TEB/TIB like here

TWell

Re: TIB and PEB
« Reply #2 on: October 25, 2015, 11:21:32 AM »
Win64 PEB?
Code:
printf("PEB: %llX\n", (unsigned long long)__readgsqword(0x60)); /* PEB pointer is 64 bits wide */
Code:
mov RAX, GS:[0x60]
Is this correct?
« Last Edit: October 25, 2015, 08:57:39 PM by TWell »


dedndave

Re: TIB and PEB
« Reply #4 on: October 26, 2015, 02:49:25 AM »
from what i can see, it's the same as 32-bit, except that the GS register is used, rather than FS
i don't have 64-bit windows to test that   :P

adeyblue

Re: TIB and PEB
« Reply #5 on: October 27, 2015, 05:59:16 AM »
RtlGetCurrentPeb() in ntdll.dll returns the address of the PEB in eax/rax
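
Added example, not code from any poster in this thread: the leading TEB fields laid out at 32-bit and 64-bit pointer width, showing where the PEB pointer lands in each case, followed (on Windows builds only) by the segment-register read printed next to the RtlGetCurrentPeb() result. The struct, macro and function names are this example's own assumptions; the field names follow the publicly documented NT_TIB/TEB layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
#endif
/* Leading TEB fields, parameterized by pointer width. Field names follow the
   public NT_TIB/TEB layout; the struct names are this example's own. */
#define TEB_HEAD(name, ptr_t)                                   \
    struct name {                                               \
        ptr_t ExceptionList, StackBase, StackLimit;             \
        ptr_t SubSystemTib, FiberData, ArbitraryUserPointer;    \
        ptr_t Self;               /* linear address of TEB */   \
        ptr_t EnvironmentPointer;                               \
        ptr_t UniqueProcess, UniqueThread;  /* CLIENT_ID */     \
        ptr_t ActiveRpcHandle, ThreadLocalStoragePointer;       \
        ptr_t ProcessEnvironmentBlock;                          \
    }
TEB_HEAD(teb_head32, uint32_t);
TEB_HEAD(teb_head64, uint64_t);
size_t peb_offset32(void) { return offsetof(struct teb_head32, ProcessEnvironmentBlock); }
size_t peb_offset64(void) { return offsetof(struct teb_head64, ProcessEnvironmentBlock); }
size_t self_offset64(void) { return offsetof(struct teb_head64, Self); }

#ifdef _WIN32
typedef void *(NTAPI *RtlGetCurrentPeb_t)(void);
/* Read the PEB pointer out of the current thread's TEB. */
static void *peb_from_segment(void) {
#ifdef _WIN64
    return (void *)(uintptr_t)__readgsqword(0x60);   /* GS base = TEB on x64 */
#else
    return (void *)(uintptr_t)__readfsdword(0x30);   /* FS base = TEB on x86 */
#endif
}
/* Ask ntdll for the same pointer, so the two results can be compared. */
static void *peb_from_ntdll(void) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    RtlGetCurrentPeb_t fn = ntdll ? (RtlGetCurrentPeb_t)GetProcAddress(ntdll, "RtlGetCurrentPeb") : NULL;
    return fn ? fn() : NULL;
}
#endif

int main(void) {
    printf("PEB offset in TEB: x86=0x%X x64=0x%X\n", (unsigned)peb_offset32(), (unsigned)peb_offset64());
#ifdef _WIN32
    printf("segment read: %p  RtlGetCurrentPeb: %p\n", peb_from_segment(), peb_from_ntdll());
#endif
    return 0;
}
```

On a non-Windows build only the offset calculation is compiled; the two pointers printed on Windows should be identical.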