Josh Stroschein

Exploring the Process Environment Block (PEB) with WinDbg

The source code for this example can be found here. The assembly is:

mov ebx, fs:[0x30]     ; get a pointer to the PEB (TEB+0x30 holds it)
mov ebx, [ebx + 0x0C]  ; get PEB->Ldr
mov ebx, [ebx + 0x1C]  ; PEB->Ldr.InInitializationOrderModuleList.Flink, i.e. the first entry's list link
mov ebx, [ebx + 0x08]  ; get the entry's base address (DllBase, 0x08 past that link)
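As an added check, written for this post rather than taken from its linked source, the C program below mirrors the x86 layouts of the four structures the assembly walks, pins the hard-coded offsets with static assertions, and performs the same four dereferences over a constructed fake address space. The field names follow the public ntdll symbols that dt prints; the addresses and the DllBase value are constructed sample values, and the entry's DllBase is read 0x08 past its InInitializationOrderLinks field, which is what the last mov relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* x86 (32-bit) layouts mirrored with fixed-width fields so the check runs on any
 * host; only the fields the assembly touches are named (not the SDK headers). */
typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;
typedef struct { uint8_t pad[0x30]; uint32_t ProcessEnvironmentBlock; } TEB32;
typedef struct { uint8_t pad[0x0C]; uint32_t Ldr; } PEB32;
typedef struct {
    uint8_t      pad[0x0C];
    LIST_ENTRY32 InLoadOrderModuleList, InMemoryOrderModuleList,
                 InInitializationOrderModuleList;              /* +0x1C */
} PEB_LDR_DATA32;
typedef struct {
    LIST_ENTRY32 InLoadOrderLinks, InMemoryOrderLinks,
                 InInitializationOrderLinks;                   /* +0x10 */
    uint32_t     DllBase;                                      /* +0x18 */
} LDR_DATA_TABLE_ENTRY32;
/* The offsets the assembly hard-codes, checked against the structures above. */
_Static_assert(offsetof(TEB32, ProcessEnvironmentBlock) == 0x30, "fs:[0x30]");
_Static_assert(offsetof(PEB32, Ldr) == 0x0C, "PEB->Ldr");
_Static_assert(offsetof(PEB_LDR_DATA32, InInitializationOrderModuleList) == 0x1C, "Ldr+0x1C");
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY32, DllBase) -
               offsetof(LDR_DATA_TABLE_ENTRY32, InInitializationOrderLinks) == 0x08, "link+0x08");
/* A fake 32-bit address space: an address is a byte offset into mem[]; all values constructed. */
enum { MEM_SIZE = 0x400, TEB_ADDR = 0x000, PEB_ADDR = 0x100, LDR_ADDR = 0x200,
       ENTRY_ADDR = 0x300, NTDLL_BASE = 0x77A00000 };
static uint8_t mem[MEM_SIZE];
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
/* Lay out TEB -> PEB -> Ldr -> first entry the way the loader would. */
static void build_sample(void) {
    TEB32 teb = {.ProcessEnvironmentBlock = PEB_ADDR};
    PEB32 peb = {.Ldr = LDR_ADDR};
    /* Flink points at the entry's InInitializationOrderLinks field (+0x10), not at
     * the entry's start; that is why the last mov reads DllBase at link + 0x08. */
    PEB_LDR_DATA32 ldr = {.InInitializationOrderModuleList.Flink = ENTRY_ADDR + 0x10};
    LDR_DATA_TABLE_ENTRY32 e = {.DllBase = NTDLL_BASE};
    memset(mem, 0, MEM_SIZE);
    memcpy(mem + TEB_ADDR, &teb, sizeof teb);
    memcpy(mem + PEB_ADDR, &peb, sizeof peb);
    memcpy(mem + LDR_ADDR, &ldr, sizeof ldr);
    memcpy(mem + ENTRY_ADDR, &e, sizeof e);
}
/* The same four dereferences as the assembly, one per mov. */
uint32_t first_init_order_base(uint32_t teb) {
    uint32_t ebx = rd32(teb + 0x30);   /* mov ebx, fs:[0x30]   -> PEB */
    ebx = rd32(ebx + 0x0C);            /* mov ebx, [ebx+0x0C]  -> PEB->Ldr */
    ebx = rd32(ebx + 0x1C);            /* mov ebx, [ebx+0x1C]  -> first link */
    return rd32(ebx + 0x08);           /* mov ebx, [ebx+0x08]  -> DllBase */
}
uint32_t sample_walk(void) { build_sample(); return first_init_order_base(TEB_ADDR); }
```

These are the 32-bit offsets only; a 64-bit process reads its PEB from gs:[0x60] and the field offsets inside the PEB, PEB_LDR_DATA and the table entries differ, so the assertions would need a second set of mirrors for x64.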

The commands run in this video, in order:

> r $teb
> dt _PEB <result from previous command>
> dt _PEB_LDR_DATA <PEB + 0x0C>
> lm ntdll