
Content

This is the second in a short two-part series on the Process Environment Block (PEB) and the Thread Environment Block (TEB). In this tutorial we focus on how a process's loaded modules (DLLs) can be accessed via the PEB. We also introduce the concept of "walking the PEB", the CONTAINING_RECORD macro, and shifted pointers.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

Further Reading

Hands-On Examples

Attached to this post are the compiled examples from the tutorial (64-bit) and 32-bit versions of the same examples. See if you can replicate the pseudocode markup from the tutorial with all four samples.

Files

Understanding The PEB for Reverse Engineers Part 2 - Walking The PEB

"Understanding The PEB for Reverse Engineers Part 2 - Walking The PEB" by OALABS on Vimeo.
