PEB & TEB
A brief overview of Process Environment Block and Thread Environment Block
Official Documentation can be found on Microsoft's website.
Both structures exist in 32-bit and 64-bit layouts, which is why ntdll exposes TEB32/TEB64 and PEB32/PEB64 views (a WoW64 process carries both: a 32-bit PEB and TEB for its 32-bit code and a 64-bit PEB and TEB underneath). TEBs are not linked to each other, and the PEB holds no list of its process's TEBs. The kernel keeps that relationship (EPROCESS links its ETHREADs), but user mode does not, so enumerating the TEBs of a process means enumerating its threads, opening each one, and asking an API such as NtQueryInformationThread for the TEB base address.
The Process Environment Block (PEB) is a per-process data structure that lives in the process's own user-mode address space in the Windows NT family of operating systems. It is closely associated with the kernel-mode EPROCESS structure and with per-process data managed inside the Client-Server Runtime Subsystem (CSRSS). The environment block describes the runtime environment of the program: system configuration, the loaded-module list, the process heap, the command line and environment variables, user information, and similar details. Of all the per-process data, it is the lowest-level view available in user mode and the highest-level one the kernel shares. Anything about a process that kernel mode shares but which user mode can manage without a transition to kernel mode goes in the PEB, and anything that user-mode modules might usefully share with each other is at least a candidate for it.
Malware uses the PEB to inspect the loaded-module list for security products (and to resolve API addresses without importing them), to read environment variables for system or user information, and to tamper with process-wide settings such as the process heap.
As the structure shown above suggests, the PEB is large, and much of it is undocumented and has changed between Windows releases, so map every field you rely on to the builds you target and know exactly what you are touching before you write to it. User-mode code can also reach the PEB of any other process for which it holds a handle with sufficient access rights, though less directly: the gatekeeper is NtQueryInformationProcess, whose ProcessBasicInformation class returns a PROCESS_BASIC_INFORMATION structure carrying PebBaseAddress, an address in the target's address space that must then be read with ReadProcessMemory (the handle needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ). The kernel sets BeingDebugged (at offset 0x02) when the process has a debug port. The documented KERNEL32 function IsDebuggerPresent does nothing more than read BeingDebugged from the current PEB, which is why anti-debugging code reads the byte directly instead of calling the API, and why debuggers and anti-anti-debug plugins clear it.
The Thread Environment Block (TEB) is a thread's user-mode representation. As with the PEB, it is the lowest-level view of a thread available in user mode and the highest-level one the kernel shares; together the two structures give user-mode code the most detailed view of a process and its threads obtainable without any elevated privilege. Not all of the TEB is about sharing with the kernel, though: much of it (thread-local storage slots, the last-error value, exception-chain and stack bounds) exists for user-mode components themselves. Code executing in user mode finds the TEB of the current thread trivially: while the thread runs in user mode, the fs segment register (32-bit code) or the gs register (64-bit code) addresses its TEB, so the TEB's own address is at fs:[0x18] or gs:[0x30] (the NtTib.Self field) and the pointer to the process's PEB is at fs:[0x30] or gs:[0x60]. The TEB of any other thread can be located through a handle with sufficient access rights; the gatekeeper is NtQueryInformationThread, whose ThreadBasicInformation class returns TebBaseAddress. That PEB pointer in every TEB is what lets a thread reach process-wide information such as environment variables, heap information, and loaded modules.
Malware uses the TEB to keep thread-specific data (configuration, state, handles to resources, or pointers to other data structures) in TLS, so that each malware thread carries its own working set and there is no single process-wide structure for analysis tools to find; to hide activity by manipulating TLS or the stack base and limit fields; and to detect or evade analysis tools by checking for particular TLS slots or values.
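The following C program is an added example, not code from the original page and not Microsoft's; it shows the two access paths described above in one place: reading the current PEB through the TEB (fs:[0x30] on x86, gs:[0x60] on x64), checking BeingDebugged without calling IsDebuggerPresent, and walking PEB->Ldr->InMemoryOrderModuleList the way both malware and security tools inspect loaded modules. The struct definitions are the example's own partial, locally declared layouts (leading fields only, with the well-known x86/x64 offsets checked at compile time); `current_peb`, `peb_find_module` and `build_sample_peb` are names chosen here, and the PEB that `build_sample_peb` returns is a constructed in-memory stand-in so the walk can run off Windows.

```c
/* Added example, not from the original page: partial PEB/Ldr layouts and the
 * list walk used to inspect loaded modules. Only leading, long-stable fields are
 * declared; natural alignment reproduces the real x86 and x64 offsets, which the
 * _Static_asserts check at compile time. Do not also include windows.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_WIN32) && defined(_MSC_VER)
#include <intrin.h>
#endif

typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING; /* UTF-16, Length in bytes */

typedef struct {                      /* PEB_LDR_DATA (leading fields) */
    uint32_t   Length;
    uint8_t    Initialized;
    void      *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;          /* +0x14 on x86, +0x20 on x64 */
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

typedef struct {                      /* LDR_DATA_TABLE_ENTRY (leading fields) */
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void      *DllBase;
    void      *EntryPoint;
    uint32_t   SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;                  /* +0x2C on x86, +0x58 on x64 */
} LDR_DATA_TABLE_ENTRY;

typedef struct {                      /* PEB (leading fields) */
    uint8_t InheritedAddressSpace, ReadImageFileExecOptions;
    uint8_t BeingDebugged;                       /* +0x02: what IsDebuggerPresent returns */
    uint8_t BitField;
    void   *Mutant;
    void   *ImageBaseAddress;                    /* +0x08 on x86, +0x10 on x64 */
    PEB_LDR_DATA *Ldr;                           /* +0x0C on x86, +0x18 on x64 */
} PEB;

#define PTR64 (sizeof(void *) == 8)
_Static_assert(offsetof(PEB, BeingDebugged) == 0x02, "BeingDebugged offset");
_Static_assert(offsetof(PEB, Ldr) == (PTR64 ? 0x18 : 0x0C), "Ldr offset");
_Static_assert(offsetof(PEB_LDR_DATA, InMemoryOrderModuleList) == (PTR64 ? 0x20 : 0x14), "list offset");
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY, BaseDllName) == (PTR64 ? 0x58 : 0x2C), "name offset");

/* The running thread's TEB is addressed by fs (x86) or gs (x64); the PEB pointer
 * sits at TEB+0x30 / TEB+0x60. Returns NULL when not compiled for Windows. */
PEB *current_peb(void)
{
#if defined(_WIN32) && defined(_MSC_VER) && defined(_WIN64)
    return (PEB *)__readgsqword(0x60);
#elif defined(_WIN32) && defined(_MSC_VER)
    return (PEB *)__readfsdword(0x30);
#elif defined(_WIN32) && defined(__GNUC__)
    PEB *peb;
#  ifdef _WIN64
    __asm__ volatile ("mov %%gs:0x60, %0" : "=r"(peb));
#  else
    __asm__ volatile ("mov %%fs:0x30, %0" : "=r"(peb));
#  endif
    return peb;
#else
    return NULL;
#endif
}

/* Same check as IsDebuggerPresent(), without the KERNEL32 call that hooks patch. */
int peb_being_debugged(const PEB *peb) { return peb != NULL && peb->BeingDebugged != 0; }

/* Case-insensitive compare of a UTF-16 BaseDllName with an ASCII name. */
static int name_equals(const UNICODE_STRING *us, const char *ascii)
{
    size_t n = us->Length / 2;
    if (us->Buffer == NULL || n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned a = us->Buffer[i], b = (unsigned char)ascii[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Walk PEB->Ldr->InMemoryOrderModuleList; return DllBase of the module whose
 * BaseDllName matches, else NULL. Each Flink points at an entry's
 * InMemoryOrderLinks field, so step back to the start of the entry. */
void *peb_find_module(const PEB *peb, const char *name)
{
    if (peb == NULL || peb->Ldr == NULL) return NULL;
    const LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY *it = head->Flink; it != NULL && it != head; it = it->Flink) {
        const LDR_DATA_TABLE_ENTRY *e = (const LDR_DATA_TABLE_ENTRY *)
            ((const uint8_t *)it - offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
        if (name_equals(&e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}

/* Constructed stand-in for a real PEB (two modules, debugger flag set) so the
 * walk can be exercised off Windows; it is not a real process image. */
PEB *build_sample_peb(void)
{
    static uint16_t exe[] = {'d','e','m','o','.','e','x','e'}, ntdll[] = {'n','t','d','l','l','.','d','l','l'};
    static LDR_DATA_TABLE_ENTRY ent[2];
    static PEB_LDR_DATA ldr;
    static PEB peb;
    memset(ent, 0, sizeof ent); memset(&ldr, 0, sizeof ldr); memset(&peb, 0, sizeof peb);
    ent[0].DllBase = (void *)(uintptr_t)0x400000;   ent[0].BaseDllName.Length = sizeof exe;   ent[0].BaseDllName.Buffer = exe;
    ent[1].DllBase = (void *)(uintptr_t)0x7ff00000; ent[1].BaseDllName.Length = sizeof ntdll; ent[1].BaseDllName.Buffer = ntdll;
    /* circular list: head -> exe -> ntdll -> head, with Blink mirroring it */
    ldr.InMemoryOrderModuleList.Flink = &ent[0].InMemoryOrderLinks;
    ent[0].InMemoryOrderLinks.Flink = &ent[1].InMemoryOrderLinks;
    ent[1].InMemoryOrderLinks.Flink = &ldr.InMemoryOrderModuleList;
    ldr.InMemoryOrderModuleList.Blink = &ent[1].InMemoryOrderLinks;
    ent[1].InMemoryOrderLinks.Blink = &ent[0].InMemoryOrderLinks;
    ent[0].InMemoryOrderLinks.Blink = &ldr.InMemoryOrderModuleList;
    peb.BeingDebugged = 1;
    peb.Ldr = &ldr;
    return &peb;
}

int main(void)
{
    PEB *peb = current_peb();
    if (peb == NULL) peb = build_sample_peb();  /* off Windows: use the constructed PEB */
    printf("BeingDebugged=%d  ntdll.dll base=%p\n", peb_being_debugged(peb), peb_find_module(peb, "ntdll.dll"));
    return 0;
}
```

Built on Windows, `main` reads the real PEB of the running process and reports its own debugger flag and the base of ntdll.dll; the same walk with a different name is how a loader or dropper confirms whether a particular security product's DLL is mapped. The comparison is case-insensitive because BaseDllName preserves the on-disk casing, which varies. For another process the same structures apply, but the pointers come from NtQueryInformationProcess(ProcessBasicInformation) and every dereference becomes a ReadProcessMemory call into the target's address space.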