Print Page - TIB and PEB

Title: TIB and PEB
Post by: xanatose on October 24, 2015, 02:13:23 PM

I found some reference on the Thread Information Block (TIB) and the Process Environment Block (PEB)
under win32. By using the FS register.

https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

However I would like to get the same information for Win64. Does anyone knows where to get the information?

Title: Re: TIB and PEB
Post by: TWell on October 25, 2015, 01:59:17 AM

Tell me more about TEB/TIB like here (https://code.google.com/p/ontl/source/browse/branches/x64/ntl/nt/teb.hxx?r=67)

Title: Re: TIB and PEB
Post by: TWell on October 25, 2015, 11:21:32 AM

Win64 PEB?

Code Select

printf("PEB: %X\n", __readgsqword(0x60));

Code Select

mov RAX, GS:[0x60]Is this correct?

Title: Re: TIB and PEB
Post by: Vortex on October 25, 2015, 07:42:45 PM

http://stackoverflow.com/questions/10802532/fastest-way-to-get-the-tid-thread-information-block-in-a-64-bit-windows-applic

Title: Re: TIB and PEB
Post by: dedndave on October 26, 2015, 02:49:25 AM

from what i can see, it's the same as 32-bit, except that the GS register is used, rather than FS
i don't have 64-bit windows to test that :P

Title: Re: TIB and PEB
Post by: adeyblue on October 27, 2015, 05:59:16 AM

RtlGetCurrentPeb() in ntdll.dll returns the address of the PEB in eax/rax

The MASM Forum

64 bit assembler => 64 bit assembler. Conceptual Issues => Topic started by: xanatose on October 24, 2015, 02:13:23 PM