WinDbg Debug Command 6 (!peb, !teb)

The PEB (Process Environment Block) stores process-wide information. Each process has its own PEB, and it lives in the user-mode address space.

The TEB (Thread Environment Block) is where the system keeps frequently used thread-related data. It also lives in the user-mode address space, at an address below the PEB, and each thread in the process has its own TEB.

Understanding the PEB and TEB is often very helpful when analysing a program under the debugger. In WinDbg, the !peb and !teb commands display them:

0:000> !peb
PEB at 7ffd6000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         01000000
    Ldr                       001a1ea0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2850
    Ldr.InLoadOrderModuleList:           001a1ee0 . 001a2840
    Ldr.InMemoryOrderModuleList:         001a1ee8 . 001a2848
            Base TimeStamp                     Module
         1000000 3b7d8475 Aug 17 13:54:13 2001 C:\Windows\system32\winmine.exe
        7c900000 4802a12c Apr 13 17:11:24 2008 C:\Windows\system32\ntdll.dll
        7c800000 4802a12c Apr 13 17:11:24 2008 C:\Windows\system32\kernel32.dll
        77c10000 4802a188 Apr 13 17:12:56 2008 C:\Windows\system32\msvcrt.dll
        77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:\Windows\system32\advapi32.dll
        77e70000 4802a106 Apr 13 17:10:46 2008 C:\Windows\system32\rpcrt4.dll
        77fe0000 4802a11b Apr 13 17:11:07 2008 C:\Windows\system32\secur32.dll
        77f10000 49006fbe Oct 23 05:36:14 2008 C:\Windows\system32\gdi32.dll
        7e410000 4802a11b Apr 13 17:11:07 2008 C:\Windows\system32\user32.dll
        7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:\Windows\system32\shell32.dll
        77f60000 4802a116 Apr 13 17:11:02 2008 C:\Windows\system32\shlwapi.dll
        76b40000 4802a13c Apr 13 17:11:40 2008 C:\Windows\system32\winmm.dll
        773d0000 4802a094 Apr 13 17:08:52 2008 C:\Windows\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    SubSystemData:     00000000
    ProcessHeap:       000a0000
    ProcessParameters: 00020000
    WindowTitle:  'C:\Windows\system32\winmine.exe'
    ImageFile:    'C:\Windows\system32\winmine.exe'
    CommandLine:  'winmine'
    DllPath:      'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\windows;.;c:\program files\windbg\winext\arcade;C:\tools\perl\site\bin;C:\tools\perl\bin;C:\Windows\system32;c:\windows;C:\Windows\system32\WBEM;C:\progra~1\CA\shared~1\scanen~1;C:\Program Files\CA\eTrust Antivirus;C:\program files\Java\jdk1.5.0_14\bin;C:\program files\Apache-ANT\bin;C:\program files\windbg;C:\tools;C:\program files\tortoisesvn\bin'
    Environment:  00010000
        =::=::\
        ALLUSERSPROFILE=C:\Documents and Settings\All Users
        ANT_HOME=C:\program files\Apache-ant
        APPDATA=C:\Documents and Settings\wingeek\Application Data
        AVENGINE=C:\progra~1\CA\shared~1\scanen~1
        CommonProgramFiles=C:\program files\common files
        COMPUTERNAME=Qi
        ComSpec=C:\Windows\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Documents and Settings\wingeek
        INOCULAN=C:\program files\CA\eTrust Antivirus
        JAVA_HOME=C:\program files\Java\jdk1.5.0_14
        LOGONSERVER=\\Qi
        NUMBER_OF_PROCESSORS=2
        OS=Windows_NT
        Path=C:\program files\windbg\winext\arcade;C:\tools\perl\site\bin;C:\tools\perl\bin;C:\Windows\system32;C:\windows;C:\Windows\system32\WBEM;C:\progra~1\CA\shared~1\scanen~1;C:\program files\CA\eTrust Antivirus;C:\program files\Java\jdk1.5.0_14\bin;C:\Program Files\Apache-ANT\bin;C:\program files\windbg;C:\tools;C:\program files\tortoisesvn\bin
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=0f02
        ProgramFiles=C:\Program Files
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\docume~1\wingeek\locals~1\temp
        TMP=C:\docume~1\wingeek\locals~1\temp
        USERDOMAIN=Qi
        USERNAME=wingeek
        USERPROFILE=C:\Documents and Settings\wingeek
        VS80COMNTOOLS=C:\program files\Microsoft Visual Studio 8\common7\tools\
        VS90COMNTOOLS=C:\program files\Microsoft Visual Studio 9.0\common7\tools\
        WINDBG_DIR=C:\program files\windbg
        windir=C:\Windows

From the !peb output above we can read off the process's ImageBaseAddress, the starting address of the process heap, the loaded DLLs (with their base addresses and timestamps), the command-line parameters, and the process's environment variables.
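Everything !peb prints is read from the _PEB structure and the loader data it points to, so the same fields can be pulled out by hand with dt and the $peb pseudo-register. The script below is an added example, not part of the original post; it assumes the 32-bit session shown above (winmine.exe under WinDbg on x86, with ntdll symbols loaded so that dt can resolve the structure types) and uses the x86 offsets of those structures. The script path is a placeholder.

```windbg
$$ Added example, not from the original post: reading the PEB behind !peb by hand.
$$ Assumes the x86 session above with ntdll symbols loaded for dt.
$$ Run from WinDbg with:  $$< c:\temp\peb.txt   (placeholder path)

$$ $peb is WinDbg's pseudo-register for the current process's PEB (7ffd6000 above)
r $peb

$$ Whole structure with field offsets; this is where "BeingDebugged: Yes" comes from
dt ntdll!_PEB @$peb

$$ The first three !peb lines are the first three bytes of the PEB (x86):
$$   +0x000 InheritedAddressSpace, +0x001 ReadImageFileExecOptions, +0x002 BeingDebugged
db @$peb L3

$$ Ldr (+0x00c on x86) points at _PEB_LDR_DATA, which holds the three module lists
dt ntdll!_PEB_LDR_DATA poi(@$peb+0xc)

$$ First entry of InLoadOrderModuleList. Its Flink points at the InLoadOrderLinks field
$$ (offset 0) of the executable's own _LDR_DATA_TABLE_ENTRY, so the address works directly;
$$ expect DllBase 01000000 and FullDllName naming winmine.exe, matching the table above.
dt ntdll!_LDR_DATA_TABLE_ENTRY poi(poi(@$peb+0xc)+0xc)

$$ Walk the whole InLoadOrderModuleList, printing each entry's FullDllName.
$$ The walk starts at the list head inside _PEB_LDR_DATA, so the first line printed is
$$ the head itself rather than a module; every following line is a loaded image.
!list -t ntdll!_LIST_ENTRY.Flink -x "dt ntdll!_LDR_DATA_TABLE_ENTRY FullDllName @$extret" poi(@$peb+0xc)+0xc

$$ Cross-check the loader's view against the debugger's own module table
!dlls
lm

$$ ProcessParameters (+0x010 on x86) is where ImageFile, CommandLine, DllPath and
$$ the Environment pointer in the !peb output come from
dt ntdll!_RTL_USER_PROCESS_PARAMETERS poi(@$peb+0x10)
```

Comparing the Ldr lists with lm is a useful habit: both should describe the same set of images, and a module present in one view but not the other is worth explaining before going further with the analysis.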

0:000> !teb
TEB at 7ffdf000
    ExceptionList:        0007fd0c
    StackBase:            00080000
    StackLimit:           0007c000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             201714a8 . g014ac
    RpcHandle:            00000000
    Tls Storage:          00000000
    PEB Address:          7ffd6000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0

From the !teb output above we can read off the thread's stack range (StackBase and StackLimit), the TLS storage address, the head of the exception-handler chain (ExceptionList), the LastError value, and so on.
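The !teb fields come straight from the _TEB structure, whose first member is the _NT_TIB that supplies the stack and exception-chain values. The script below is an added example, not part of the original post; it assumes the same x86 session with ntdll symbols loaded, and the x86 offsets of those structures.

```windbg
$$ Added example, not from the original post: reading the TEB behind !teb by hand.
$$ Assumes the x86 session above with ntdll symbols loaded for dt.

$$ $teb is the current thread's TEB (7ffdf000 above); every thread has its own
r $teb
dt ntdll!_TEB @$teb

$$ The first seven !teb lines are the _NT_TIB that begins the TEB (x86 offsets):
$$   +0x000 ExceptionList, +0x004 StackBase, +0x008 StackLimit, +0x018 Self
dt ntdll!_NT_TIB @$teb

$$ Check the stack pointer against the thread's stack range: StackLimit <= esp < StackBase.
$$ Each line evaluates to 1 when true and 0 when false; a 0 here means the thread is
$$ running on something other than its own stack and deserves a closer look.
? poi(@$teb+8) <= @esp
? @esp < poi(@$teb+4)

$$ ExceptionList is the head of the SEH chain: dt shows one record, !exchain walks them all
dt ntdll!_EXCEPTION_REGISTRATION_RECORD poi(@$teb)
!exchain

$$ LastErrorValue (+0x034 on x86) is what GetLastError returns;
$$ !gle prints it together with LastStatusValue, decoded
dd @$teb+34 L1
!gle

$$ Dump the TEB of every thread in the process (~* selects all threads, e applies the command)
~*e !teb
```

Running ~*e !teb alongside ~ (thread list) is the quickest way to confirm that each thread's stack range is distinct and that a faulting thread's exception chain still points into its own stack.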
