
I'm trying to work with the PEB struct in C/ASM, but before I'd like to understand some basics. I read somewhere that most processes have their PEB at address 0x07FFDA00.

Now, is this address relative to the process base address, i.e. (0x00400000 + 0x07FFDA00 == PEB base addr)?

Because all processes can't have their PEB at this address, of course.

zakinster
Preacher
  • Why not look it up with [NtQueryInformationProcess](http://msdn.microsoft.com/en-us/library/windows/desktop/ms684280.aspx) rather than assume? – Rup May 24 '13 at 11:16
  • Since it's just a virtual address, it could be the same in every process. And it's not an RVA - few things in-memory are RVAs, RVAs are more of a PE thing. `fs:[30]` (32bit) or `gs:[0x60]` (64bit) points directly to the PEB, no offset required. Btw didn't they say 0x7FFDA000? Also, processes don't really have a base address, images do. – harold May 24 '13 at 11:27

1 Answer


Because all processes can't have their PEB at this address, of course.

If 0x07FFDA00 is a virtual address, as is 0x00400000, then all processes can have their PEB at this address.

As you can see in this thread, 0x07FFDA00 is not an RVA, it's only a VA relative to the physical address of the process, so 0x00400000 + 0x07FFDA00 doesn't make any sense.

You can check this using NtQueryInformationProcess with something like:

#include <windows.h>
#include <winternl.h>
// NtQueryInformationProcess is exported by ntdll.dll, so resolve it at run time.
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
int main(void) {
    NtQIP_t pNtQueryInformationProcess =
        (NtQIP_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    DWORD pid = GetCurrentProcessId();
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (pNtQueryInformationProcess == NULL || hProcess == NULL) return 1;
    PROCESS_BASIC_INFORMATION pbi;
    NTSTATUS status = pNtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                                 &pbi, sizeof(pbi), NULL);
    PPEB peb_addr = (status >= 0) ? pbi.PebBaseAddress : NULL; // PEB virtual address, NULL on failure
    CloseHandle(hProcess);
    return 0;
}
zakinster
  • Ok, thank you, actually, virtual addresses are just made to make things easier? So every process has a virtual addr space from 0x0 to 0xFFFFFFFF? Finally, 7FFDA00-400000 is then an RVA? Hm, I'll dig around physical addr space and VAS. Thanks – Preacher May 24 '13 at 16:24
  • RVAs are indeed relative to some VA, but it only makes sense in case of the relocation of an image file in a virtual memory space. There's no RVA here. See [this thread](http://stackoverflow.com/questions/2170843/va-virtual-adress-rva-relative-virtual-address) for more information about VA/RVA. – zakinster May 24 '13 at 16:49
  • Well, a last question please... If each process has its own virtual addr space, how come if I run several times the same process, the PEB base addr isn't exactly the same? It may sound easy for some but I'm still wondering. Thanks again – Preacher May 25 '13 at 08:54