Process Environment Block
In computing, the Process Environment Block (abbreviated PEB) is a data structure in Win32. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures.
The PEB is closely associated with the kernel mode data structure, as well as with per-process data structures managed within the address space of the Client-Server Runtime Sub-System (CSRSS) process. However (like the CSRSS data structures), the PEB is not a kernel mode data structure itself. It resides in the application mode address space of the process that it relates to. This is because it is designed to be used by the application-mode code in the operating system libraries, such as NTDLL, that executes outside of kernel mode, such as the code for the program image loader and the heap manager.
In WinDbg, the command that dumps the contents of a PEB is the !peb command, which is passed the address of the PEB within a process' application address space. That information, in turn, is obtained by the !process command, which displays the information from the data structure, one of whose fields is the address of the PEB.
Field | meaning | notes |
---|---|---|
BeingDebugged | Whether the process is being debugged | Microsoft recommends not using this field but using the official Win32 library function instead. |
Ldr | A pointer to a structure providing information about loaded modules | The structure is also mostly opaque and not guaranteed to be consistent across multiple versions of Windows. |
ProcessParameters | A pointer to a structure providing information about loaded modules | The structure is also mostly opaque and not guaranteed to be consistent across multiple versions of Windows. |
PostProcessInitRoutine | A pointer to a callback function called after DLL initialization but before the main executable code is invoked | This callback function is used on Windows 2000, but is not guaranteed to be used on later versions of Windows NT. |
SessionId | The session ID of the Terminal Services session that the process is part of | The system call initializes this by calling the kernel's internal function. |
The contents of the PEB are initialized by the system call, the Native API function that implements part of, and underpins, the Win32 , , , and library functions that are in the kernel32.dll and advapi32.dll libraries as well as underpinning the fork function in the Windows NT POSIX library, posix.dll.
For Windows NT POSIX processes, the contents of a new process' PEB are initialized by as simply a direct copy of the parent process' PEB, in line with how the function operates. For Win32 processes, the initial contents of a new process' PEB are mainly taken from global variables maintained within the kernel. However, several fields may instead be taken from information provided within the process' image file, in particular information provided in the data structure within the PE (Portable Executable) file format.
Field | is initialized from | overridable by PE information? |
---|---|---|
NumberOfProcessors | KeNumberOfProcessors | |
NtGlobalFlag | NtGlobalFlag | |
CriticalSectionTimeout | MmCriticalSectionTimeout | |
HeapSegmentReserve | MmHeapSegmentReserve | |
HeapSegmentCommit | MmHeapSegmentCommit | |
HeapDeCommitTotalFreeThreshold | MmHeapDeCommitTotalFreeThreshold | |
HeapDeCommitFreeBlockThreshold | MmHeapDeCommitFreeBlockThreshold | |
MinimumStackCommit | MmMinimumStackCommitInBytes | |
ImageProcessAffinityMask | KeActiveProcessors | |
OSMajorVersion | NtMajorVersion | |
OSMinorVersion | NtMinorVersion | |
OSBuildNumber | combined with CmNtCSDVersion | |
OSPlatformId | | |
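As an added example (not code from this page or from Microsoft), the following Python decoder reads the 64-bit PEB fields named in the two tables above from a byte buffer standing in for memory captured at a process's PEB address, as a memory-forensics tool would. The field offsets are the widely published x64 layout shown by WinDbg's `dt ntdll!_PEB` and are an assumption of this example; the sample buffer is constructed, not taken from a real process.

```python
import struct

# x64 _PEB offsets as printed by WinDbg's "dt ntdll!_PEB" on current Windows
# releases; an assumption of this example, since Microsoft documents few of
# these fields and warns that the structure may change between versions.
PEB64_FIELDS = [
    ("BeingDebugged",                  0x002, "<B"),
    ("ImageBaseAddress",               0x010, "<Q"),
    ("Ldr",                            0x018, "<Q"),
    ("ProcessParameters",              0x020, "<Q"),
    ("NumberOfProcessors",             0x0B8, "<I"),
    ("NtGlobalFlag",                   0x0BC, "<I"),
    ("CriticalSectionTimeout",         0x0C0, "<q"),
    ("HeapSegmentReserve",             0x0C8, "<Q"),
    ("HeapSegmentCommit",              0x0D0, "<Q"),
    ("HeapDeCommitTotalFreeThreshold", 0x0D8, "<Q"),
    ("HeapDeCommitFreeBlockThreshold", 0x0E0, "<Q"),
    ("OSMajorVersion",                 0x118, "<I"),
    ("OSMinorVersion",                 0x11C, "<I"),
    ("OSBuildNumber",                  0x120, "<H"),
    ("OSPlatformId",                   0x124, "<I"),
    ("PostProcessInitRoutine",         0x230, "<Q"),
    ("SessionId",                      0x2C0, "<I"),
]
PEB64_MIN_SIZE = 0x2C4  # covers the last field above

def parse_peb64(raw: bytes) -> dict:
    """Decode the fields above from bytes read at a process's PEB address."""
    if len(raw) < PEB64_MIN_SIZE:
        raise ValueError(f"need {PEB64_MIN_SIZE:#x} bytes, got {len(raw):#x}")
    return {name: struct.unpack_from(fmt, raw, off)[0]
            for name, off, fmt in PEB64_FIELDS}

def build_peb64(**values) -> bytes:
    """Construct a PEB image with the given fields set (test fixture only;
    the real structure is written by the kernel when the process is created)."""
    buf = bytearray(PEB64_MIN_SIZE)
    for name, off, fmt in PEB64_FIELDS:
        if name in values:
            struct.pack_into(fmt, buf, off, values[name])
    return bytes(buf)

# Constructed sample: a debugged process on a 4-processor Windows 10 build 19045
# (OSPlatformId 2 is VER_PLATFORM_WIN32_NT) in session 1; addresses are made up.
SAMPLE_PEB = build_peb64(BeingDebugged=1, ImageBaseAddress=0x7FF6A0B40000,
                         Ldr=0x7FFD1C3E5400, NumberOfProcessors=4,
                         OSMajorVersion=10, OSMinorVersion=0,
                         OSBuildNumber=19045, OSPlatformId=2, SessionId=1)

PARSED_SAMPLE = parse_peb64(SAMPLE_PEB)  # e.g. PARSED_SAMPLE["BeingDebugged"] == 1
```

Because the offsets are hard-coded, a tool built this way must be re-checked against the symbols of each Windows release it is used on, which is the practical consequence of Microsoft's caveat above.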