一、概念

TEB(Thread Environment Block，线程环境块)系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间，在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。一个进程的所有TEB都以堆栈的方式，存放在从0x7FFDE000开始的线性内存中，每 4KB为一个完整的TEB，不过该内存区域是向下扩展的。在用户模式下，当前线程的TEB位于独立的4KB段，可通过CPU的FS寄存器来访问该段，一般存储在[FS:0]。在用户态下WinDbg中可用命令$thread取得TEB地址。

PEB(Process Environment Block，进程环境块)存放进程信息，每个进程都有自己的PEB信息。位于用户地址空间。在Win 2000下，进程环境块的地址对于每个进程来说是固定的，在0x7FFDF000处，这是用户地址空间，所以程序能够直接访问。准确的PEB地址应从系统 的EPROCESS结构的0x1b0偏移处获得，但由于EPROCESS在系统地址空间，访问这个结构需要有ring0的权限。还可以通过TEB结构的偏 移0x30处获得PEB的位置，FS段寄存器指向当前的TEB结构：

mov eax,fs:[0x30]mov PEB,eax

在用户态下WinDbg中可用命令$proc取得PEB地址。

二、TEB偏移

FS:[000]   指向SEH链指针

FS:[004]  线程堆栈顶部

FS:[008] 线程堆栈底部

FS:[00C]  SubSystemTib

FS:[010]  FiberData

FS:[014] ArbitraryUserPointer

FS:[018]  指向TEB自身

FS:[020] 进程PID

FS:[024] 线程ID

FS:[02C] 指向线程局部存储指针

FS:[030] PEB结构地址(进程结构)

FS:[034] 上个错误号

三、参考

四、结构

//Thread Environment Block (TEB)

typedef struct_TEB

{

NT_TIB Tib;/*00h*/PVOID EnvironmentPointer;/*1Ch*/CLIENT_ID Cid;/*20h*/PVOID ActiveRpcHandle;/*28h*/PVOID ThreadLocalStoragePointer;/*2Ch*/

struct _PEB *ProcessEnvironmentBlock; /*30h*/ULONG LastErrorValue;/*34h*/ULONG CountOfOwnedCriticalSections;/*38h*/PVOID CsrClientThread;/*3Ch*/

struct _W32THREAD* Win32ThreadInfo; /*40h*/ULONG User32Reserved[0x1A]; /*44h*/ULONG UserReserved[5]; /*ACh*/PVOID WOW32Reserved;/*C0h*/LCID CurrentLocale;/*C4h*/ULONG FpSoftwareStatusRegister;/*C8h*/PVOID SystemReserved1[0x36]; /*CCh*/LONG ExceptionCode;/*1A4h*/

struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /*1A8h*/UCHAR SpareBytes1[0x28]; /*1ACh*/GDI_TEB_BATCH GdiTebBatch;/*1D4h*/CLIENT_ID RealClientId;/*6B4h*/PVOID GdiCachedProcessHandle;/*6BCh*/ULONG GdiClientPID;/*6C0h*/ULONG GdiClientTID;/*6C4h*/PVOID GdiThreadLocalInfo;/*6C8h*/ULONG Win32ClientInfo[62]; /*6CCh*/PVOID glDispatchTable[0xE9]; /*7C4h*/ULONG glReserved1[0x1D]; /*B68h*/PVOID glReserved2;/*BDCh*/PVOID glSectionInfo;/*BE0h*/PVOID glSection;/*BE4h*/PVOID glTable;/*BE8h*/PVOID glCurrentRC;/*BECh*/PVOID glContext;/*BF0h*/NTSTATUS LastStatusValue;/*BF4h*/UNICODE_STRING StaticUnicodeString;/*BF8h*/WCHAR StaticUnicodeBuffer[0x105]; /*C00h*/PVOID DeallocationStack;/*E0Ch*/PVOID TlsSlots[0x40]; /*E10h*/LIST_ENTRY TlsLinks;/*F10h*/PVOID Vdm;/*F18h*/PVOID ReservedForNtRpc;/*F1Ch*/PVOID DbgSsReserved[0x2]; /*F20h*/ULONG HardErrorDisabled;/*F28h*/PVOID Instrumentation[14]; /*F2Ch*/PVOID SubProcessTag;/*F64h*/PVOID EtwTraceData;/*F68h*/PVOID WinSockData;/*F6Ch*/ULONG GdiBatchCount;/*F70h*/BOOLEAN InDbgPrint;/*F74h*/BOOLEAN FreeStackOnTermination;/*F75h*/BOOLEAN HasFiberData;/*F76h*/UCHAR IdealProcessor;/*F77h*/ULONG GuaranteedStackBytes;/*F78h*/PVOID ReservedForPerf;/*F7Ch*/PVOID ReservedForOle;/*F80h*/ULONG WaitingOnLoaderLock;/*F84h*/ULONG SparePointer1;/*F88h*/ULONG SoftPatchPtr1;/*F8Ch*/ULONG SoftPatchPtr2;/*F90h*/PVOID*TlsExpansionSlots; /*F94h*/ULONG ImpersionationLocale;/*F98h*/ULONG IsImpersonating;/*F9Ch*/PVOID NlsCache;/*FA0h*/PVOID pShimData;/*FA4h*/ULONG HeapVirualAffinity;/*FA8h*/PVOID CurrentTransactionHandle;/*FACh*/PTEB_ACTIVE_FRAME ActiveFrame;/*FB0h*/PVOID FlsData;/*FB4h*/UCHAR SafeThunkCall;/*FB8h*/UCHAR BooleanSpare[3]; /*FB9h*/} TEB,*PTEB;

//Process Environment Block

typedef struct_PEB

{

UCHAR InheritedAddressSpace;//00h

UCHAR ReadImageFileExecOptions; //01h

UCHAR BeingDebugged; //02h

UCHAR Spare; //03h

PVOID Mutant; //04h

PVOID ImageBaseAddress; //08h

PPEB_LDR_DATA Ldr; //0Ch

PRTL_USER_PROCESS_PARAMETERS ProcessParameters; //10h

PVOID SubSystemData; //14h

PVOID ProcessHeap; //18h

PVOID FastPebLock; //1Ch

PPEBLOCKROUTINE FastPebLockRoutine; //20h

PPEBLOCKROUTINE FastPebUnlockRoutine; //24h

ULONG EnvironmentUpdateCount; //28h

PVOID* KernelCallbackTable; //2Ch

PVOID EventLogSection; //30h

PVOID EventLog; //34h

PPEB_FREE_BLOCK FreeList; //38h

ULONG TlsExpansionCounter; //3Ch

PVOID TlsBitmap; //40h

ULONG TlsBitmapBits[0x2]; //44h

PVOID ReadOnlySharedMemoryBase; //4Ch

PVOID ReadOnlySharedMemoryHeap; //50h

PVOID* ReadOnlyStaticServerData; //54h

PVOID AnsiCodePageData; //58h

PVOID OemCodePageData; //5Ch

PVOID UnicodeCaseTableData; //60h

ULONG NumberOfProcessors; //64h

ULONG NtGlobalFlag; //68h

UCHAR Spare2[0x4]; //6Ch

LARGE_INTEGER CriticalSectionTimeout; //70h

ULONG HeapSegmentReserve; //78h

ULONG HeapSegmentCommit; //7Ch

ULONG HeapDeCommitTotalFreeThreshold; //80h

ULONG HeapDeCommitFreeBlockThreshold; //84h

ULONG NumberOfHeaps; //88h

ULONG MaximumNumberOfHeaps; //8Ch

PVOID** ProcessHeaps; //90h

PVOID GdiSharedHandleTable; //94h

PVOID ProcessStarterHelper; //98h

PVOID GdiDCAttributeList; //9Ch

PVOID LoaderLock; //A0h

ULONG OSMajorVersion; //A4h

ULONG OSMinorVersion; //A8h

ULONG OSBuildNumber; //ACh

ULONG OSPlatformId; //B0h

ULONG ImageSubSystem; //B4h

ULONG ImageSubSystemMajorVersion; //B8h

ULONG ImageSubSystemMinorVersion; //C0h

ULONG GdiHandleBuffer[0x22]; //C4h

PVOID ProcessWindowStation; //???

} PEB, *PPEB;