Understanding The PEB for Reverse Engineers Part 1 - Accessing The PEB (Patreon)

This is the first in a short two-part series on the Process Environment Block (PEB) and the Thread Environment Block (TEB). In this tutorial we introduce the PEB and the TEB and provide some background on how these data structures are accessed programmatically. We also provide some tips for identifying and marking up PEB access in IDA.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

• ShellcodePEB.cpp

Further Reading

• TEB Reference (Geoff Chappell)
• PEB Reference (Geoff Chappell)
• VERGILIUS
• Official PEB Structure (Microsoft)
• Addressing The PEB (Stack Overflow)
• Wikipedia TEB Reference 
• Anti Debug Flag (Checkpoint)

Hands-On Example

Attached to this post is the compiled example from the tutorial (64-bit) and a 32-bit version of the same example. See if you can replicate the pseudocode markup from the tutorial with both samples.