Undocumented functions of NTDLL

2001, 2 March



PEB

typedef struct _PEB {

  BOOLEAN InheritedAddressSpace;
  BOOLEAN ReadImageFileExecOptions;
  BOOLEAN BeingDebugged;
  BOOLEAN Spare;
  HANDLE Mutant;
  PVOID ImageBaseAddress;
  PPEB_LDR_DATA LoaderData;
  PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
  PVOID SubSystemData;
  PVOID ProcessHeap;
  PVOID FastPebLock;
  PPEBLOCKROUTINE FastPebLockRoutine;
  PPEBLOCKROUTINE FastPebUnlockRoutine;
  ULONG EnvironmentUpdateCount;
  PPVOID KernelCallbackTable;
  PVOID EventLogSection;
  PVOID EventLog;
  PPEB_FREE_BLOCK FreeList;
  ULONG TlsExpansionCounter;
  PVOID TlsBitmap;
  ULONG TlsBitmapBits[0x2];
  PVOID ReadOnlySharedMemoryBase;
  PVOID ReadOnlySharedMemoryHeap;
  PPVOID ReadOnlyStaticServerData;
  PVOID AnsiCodePageData;
  PVOID OemCodePageData;
  PVOID UnicodeCaseTableData;
  ULONG NumberOfProcessors;
  ULONG NtGlobalFlag;
  BYTE Spare2[0x4];
  LARGE_INTEGER CriticalSectionTimeout;
  ULONG HeapSegmentReserve;
  ULONG HeapSegmentCommit;
  ULONG HeapDeCommitTotalFreeThreshold;
  ULONG HeapDeCommitFreeBlockThreshold;
  ULONG NumberOfHeaps;
  ULONG MaximumNumberOfHeaps;
  PPVOID *ProcessHeaps;
  PVOID GdiSharedHandleTable;
  PVOID ProcessStarterHelper;
  PVOID GdiDCAttributeList;
  PVOID LoaderLock;
  ULONG OSMajorVersion;
  ULONG OSMinorVersion;
  ULONG OSBuildNumber;
  ULONG OSPlatformId;
  ULONG ImageSubSystem;
  ULONG ImageSubSystemMajorVersion;
  ULONG ImageSubSystemMinorVersion;
  ULONG GdiHandleBuffer[0x22];
  ULONG PostProcessInitRoutine;
  ULONG TlsExpansionBitmap;
  BYTE TlsExpansionBitmapBits[0x80];
  ULONG SessionId;

} PEB, *PPEB;



The PEB (Process Environment Block) structure contains all user-mode parameters that the system associates with the current process.



  • InheritedAddressSpace
  • ReadImageFileExecOptions
  • BeingDebugged
  • Spare
  • Mutant
  • ImageBaseAddress
        Address of the executable image in the process's memory.
  • LoaderData
        Pointer to a PEB_LDR_DATA structure that contains information filled in by the loader.
  • ProcessParameters
        Pointer to an RTL_USER_PROCESS_PARAMETERS structure.
  • SubSystemData
  • ProcessHeap
        Address of the process's first heap, allocated by the loader.
  • FastPebLock
        Parameter for PEBLOCKROUTINE (see below).
  • FastPebLockRoutine
        Address of the fast-locking routine for the PEB. The routine is defined as:
    typedef void (*PPEBLOCKROUTINE)(
    PVOID PebLock
    );
  • FastPebUnlockRoutine
        PEB fast-unlock routine.
  • EnvironmentUpdateCount
        Counter of process environment updates.
  • KernelCallbackTable
  • EventLogSection
  • EventLog
  • FreeList
  • TlsExpansionCounter
  • TlsBitmap
  • TlsBitmapBits[0x2]
  • ReadOnlySharedMemoryBase
  • ReadOnlySharedMemoryHeap
  • ReadOnlyStaticServerData
  • AnsiCodePageData
  • OemCodePageData
  • UnicodeCaseTableData
  • NumberOfProcessors
  • NtGlobalFlag
  • Spare2[0x4]
  • CriticalSectionTimeout
  • HeapSegmentReserve
  • HeapSegmentCommit
  • HeapDeCommitTotalFreeThreshold
  • HeapDeCommitFreeBlockThreshold
  • NumberOfHeaps
  • MaximumNumberOfHeaps
  • *ProcessHeaps
  • GdiSharedHandleTable
  • ProcessStarterHelper
  • GdiDCAttributeList
  • LoaderLock
  • OSMajorVersion
  • OSMinorVersion
  • OSBuildNumber
  • OSPlatformId
  • ImageSubSystem
  • ImageSubSystemMajorVersion
  • ImageSubSystemMinorVersion
  • GdiHandleBuffer[0x22]
  • PostProcessInitRoutine
  • TlsExpansionBitmap
  • TlsExpansionBitmapBits[0x80]
  • SessionId
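An added example, not code from the original page or from ReactOS: the PEB declaration re-expressed with fixed-width members so an analysis tool can overlay it on a raw PEB snapshot and read members by name, rejecting truncated input. It assumes a 32-bit target (4-byte pointers and handles) and a little-endian host; PEB32, peb32_load and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The page's PEB re-declared with fixed-width members. Assumptions: 32-bit
   target (4-byte pointers and HANDLEs), little-endian analysis host. */
typedef struct {
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, Spare;
    uint32_t Mutant, ImageBaseAddress, LoaderData, ProcessParameters, SubSystemData,
             ProcessHeap, FastPebLock, FastPebLockRoutine, FastPebUnlockRoutine,
             EnvironmentUpdateCount, KernelCallbackTable, EventLogSection, EventLog,
             FreeList, TlsExpansionCounter, TlsBitmap, TlsBitmapBits[0x2],
             ReadOnlySharedMemoryBase, ReadOnlySharedMemoryHeap, ReadOnlyStaticServerData,
             AnsiCodePageData, OemCodePageData, UnicodeCaseTableData, NumberOfProcessors,
             NtGlobalFlag;
    uint8_t  Spare2[0x4];
    int64_t  CriticalSectionTimeout;
    uint32_t HeapSegmentReserve, HeapSegmentCommit, HeapDeCommitTotalFreeThreshold,
             HeapDeCommitFreeBlockThreshold, NumberOfHeaps, MaximumNumberOfHeaps,
             ProcessHeaps, GdiSharedHandleTable, ProcessStarterHelper, GdiDCAttributeList,
             LoaderLock, OSMajorVersion, OSMinorVersion, OSBuildNumber, OSPlatformId,
             ImageSubSystem, ImageSubSystemMajorVersion, ImageSubSystemMinorVersion,
             GdiHandleBuffer[0x22], PostProcessInitRoutine, TlsExpansionBitmap;
    uint8_t  TlsExpansionBitmapBits[0x80];
    uint32_t SessionId;
} PEB32;

/* Overlay a raw snapshot; refuse input too short to reach SessionId.
   Returns 0 on success, -1 on bad arguments or truncated input. */
int peb32_load(const uint8_t *buf, size_t len, PEB32 *out) {
    size_t need = offsetof(PEB32, SessionId) + sizeof out->SessionId;
    if (!buf || !out || len < need) return -1;
    memset(out, 0, sizeof *out);
    memcpy(out, buf, need);
    return 0;
}

int main(void) {
    uint8_t raw[sizeof(PEB32)] = {0};  /* constructed sample, not a real capture */
    PEB32 peb;
    raw[0x02] = 1;                     /* BeingDebugged */
    raw[0x0A] = 0x40;                  /* ImageBaseAddress = 0x00400000 (little-endian) */
    raw[0x1D0] = 1;                    /* SessionId */
    if (peb32_load(raw, sizeof raw, &peb) != 0) return 1;
    printf("ImageBase=0x%08x BeingDebugged=%u SessionId=%u (at +0x%zx)\n",
           (unsigned)peb.ImageBaseAddress, (unsigned)peb.BeingDebugged,
           (unsigned)peb.SessionId, offsetof(PEB32, SessionId));
    return 0;
}
```

The offsets follow the declaration as listed on this page; the PEB layout differs between Windows builds, so check them against symbols for the build being analysed before relying on them.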


    Documented by:
    ReactOS
    Tomasz Nowak



    Requirements:
    Library: ntdll.lib


    See also:
    NtQueryInformationProcess
    PEB_FREE_BLOCK
    PEB_LDR_DATA
    PROCESS_BASIC_INFORMATION
    RTL_USER_PROCESS_PARAMETERS
    TEB