Explaining the Windows PEB process environment block structure through isdebuggerpesent

First introduce the concepts of PEB and TEB:
PEB (process environment block, processes environment blocks) holds process information, and each process has its own PEB information. is located in the user address space.

The TEB (thread environment block, threaded environment block) system stores frequently used thread-related data in this TEB. is located in the user address space, which is lower than the address of the PEB. Each thread in the process has its own teb.

Write a Windows program that uses the Isdebuggerpesent function, open with OD, breakpoint isdebuggerpesent function

OD goes inside the isdebuggerpesent function

74E23789 >  64:a1 18000000   mov     eax, DWORD ptr fs:[18]74e2378f    8b40          -mov     eax, DWORD ptr [EAX +30]74e23792    0fb640        movzx   eax, byte ptr [eax+2]74e23796    C3               retn

Track to 3rd Step

74E23792    0fb640        movzx   eax, byte ptr [eax+2]

View window to see

ds:[7efde002]=01eax=7efde000

Data window tracking ds:[7efde002] can see

7efde002  01                                               

7efde002 Address 01 is the memory of the isdebuggerpesent to determine the flag bit

In the csdn of this friend blog This article we can see http://blog.csdn.net/waveradio/article/details/2681346

struct _PEB structure: typedef struct _PEB {//size:0x1d8/*000*/UCHAR inheritedaddressspace;/*001*/UCHAR Readimagefileexecop tions;/*002*/UCHAR beingdebugged;/*003*/UCHAR sparebool; Allocation size/*004*/HANDLE mutant;/*008*/hinstance imagebaseaddress; instance/*00c*/VOID *dlllist;/*010*/pprocess_parameters *processparameters;/*014*/ULONG SubSystemData;/*018*/ HANDLE defaultheap;/*01c*/kspin_lock fastpeblock;/*020*/ulong fastpeblockroutine;/*024*/ULONG Fastpebunlockroutine ;/*028*/ulong environmentupdatecount;/*02c*/ulong kernelcallbacktable;/*030*/Large_integer SystemReserved;/*038*/ ULONG freelist;/*03c*/ULONG tlsexpansioncounter;/*040*/ulong tlsbitmap;/*044*/Large_integer tlsbitmapbits;/*04c*/ ULONG readonlysharedmemorybase;/*050*/ULONG readonlysharedmemoryheap;/*054*/ULONG readonlystaticserverdata;/*058* /ULONG ansicodepagedata;/*05c*/ULONG oemcodepagedata;/*060*/ULONG unicodecasetabledata;/*064*/ULONG numberofprocessors;/*068*/Large_integer Ntglobalflag; //Address of a local copy/*070*/large_integer criticalsectiontimeout;/*078*/ulong heapsegmentreserve;/*07c*/ULONG heapsegmentcommit;/*080*/ULONG heapdecommittotalfreethreshold;/*084*/ULONG heapdecommitfreeblockthreshold;/*088* /ULONG numberofheaps;/*08c*/ULONG maximumnumberofheaps;/*090*/ULONG processheaps;/*094*/ULONG gdisharedhandletable ;/*098*/ulong processstarterhelper;/*09c*/ulong gdidcattributelist;/*0a0*/kspin_lock loaderlock;/*0a4*/ULONG osmajorversion;/*0a8*/ulong osminorversion;/*0ac*/USHORT osbuildnumber;/*0ae*/USHORT oscsdversion;/*0b0*/ULONG osplatformid;/*0b4*/ULONG imagesubsystem;/*0b8*/ULONG imagesubsystemmajorversion;/*0bc*/ULONG imagesubsystemminorversion;/*0c0*/ULONG imageprocessaffinitymask;/*0c4*/ULONG gdihandlebuffer[0x22];/*14c*/ULONG postprocessinitroutine;/*150*/ulong tlsexpansionbitmap;/*154*/UCHAR tlsexpansionbitmapbits[0x80];/*1d4*/ULONG SessionId;} PEB, *PPEB;

The 7efde002 address corresponds to the PEB structure.

/*002*/UCHAR beingdebugged;

So the starting address of PEB is the 7efde002 address minus 2. Getting 7efde000 is the starting address of PEB.

You can also infer that the Ntglobalflag address is

/*068*/Large_integer Ntglobalflag; Address of a local copy

7efde068 is the address of Ntglobalflag

Data window followed by

7efde068                                               P

Explaining the Windows PEB process environment block structure through isdebuggerpesent