Hacking/Windows internals/Process/Memory/TEB

From Skypher




A TEB (Thread Environment Block, also referred to as TIB, Thread Information Block, in OllyDbg) is a region in user-land memory that is used to store information about and for a single thread running in a process. Every thread has exactly one TEB, so there are always as many TEBs in a process's memory as there are threads running in the process.

In OllyDbg, a TEB can be found in the Memory map by looking in the Contains column for "Data block of thread X" or "Data block of main thread". TEBs are always mapped at high addresses in the user-land address space. If you double-click on a TEB in the memory map, you will open a memory dump. The memory dump is automatically formatted to display the information in the TEB and should look something like this (note that the Hex dump column shows the raw little-endian bytes, so each DWORD reads byte-reversed compared to the Decoded data column):

Dump - 7EFDD000..7EFDDFFF
Address |Hex dump    |Decoded data|Comments
7EFDD000| .  A8FA3100|DD 0031FAA8 |SEH chain = 31FAA8 -> {Next=FFFFFFFF,Handler=77C22926}
7EFDD004| .  00003200|DD 00320000 |Thread's stack base = 320000
7EFDD008| .  00302200|DD 00223000 |Thread's stack limit = 223000
7EFDD00C| .  00000000|DD 00000000 |TIB of OS/2 Subsystem = NULL
7EFDD010| .  001E0000|DD 00001E00 |Fiber data = 00001E00
7EFDD014| .  00000000|DD 00000000 |Arbitrary user data = 0
7EFDD018| .  00D0FD7E|DD 7EFDD000 |TIB linear address = 7EFDD000
7EFDD01C| .  00000000|DD 00000000 |00000000
7EFDD020| .  28090000|DD 00000928 |Process ID = 00000928
7EFDD024| .  000B0000|DD 00000B00 |Thread ID = 00000B00
7EFDD028| .  00000000|DD 00000000 |00000000
7EFDD02C| .  2CD0FD7E|DD 7EFDD02C |TLS array = 7EFDD02C
7EFDD030| .  00E0FD7E|DD 7EFDE000 |Process database = 7EFDE000
7EFDD034| .  00000000|DD 00000000 |Thread's last error = ERROR_SUCCESS

The TEB contains the following useful information (offsets are hexadecimal):

Address   Size   Description
[TEB+0]   DWORD  A pointer to the first entry in the SEH chain on the stack.
[TEB+4]   DWORD  A pointer to the end of the memory region allocated for the stack. This is the top of the stack, from which it grows down towards address 0.
[TEB+8]   DWORD  A pointer to the start of the memory region allocated for the stack. If the stack needs to grow down further than this address, it will either need to be expanded or the program will terminate with a stack overflow exception (not to be confused with a stack buffer overrun).
[TEB+18]  DWORD  The address of this TEB.
[TEB+30]  DWORD  The address of the PEB.
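As an added example (not code from the original page, OllyDbg, or Microsoft), the following Python decodes a raw 32-bit TEB image at the offsets listed above and sanity-checks it the way one would when reviewing a thread snapshot from a crash dump: the self pointer at +18 must equal the address the block is mapped at, the stack limit must lie below the stack base, and the SEH chain head at +0 must point inside that stack. The sample image is constructed from the values in the OllyDbg dump shown earlier; the field names (seh_head, stack_base, and so on) are this example's own labels, not OllyDbg's or the SDK's.

```python
import struct

# Byte offsets (hexadecimal) of the 32-bit TEB/TIB fields described on this page.
# The names are this example's own labels, not the SDK's member names.
TEB_FIELDS = {
    0x00: "seh_head",     # first _EXCEPTION_REGISTRATION_RECORD on the stack
    0x04: "stack_base",   # highest address of the thread's stack region
    0x08: "stack_limit",  # lowest (currently committed) address of the stack region
    0x18: "teb_self",     # linear address of this TEB
    0x30: "peb",          # address of the process's PEB
}

# Address at which the sample TEB was mapped, taken from the dump above.
TEB_SNAPSHOT_BASE = 0x7EFDD000


def build_sample_teb() -> bytes:
    """Constructed 0x38-byte TEB image holding the DWORDs from the OllyDbg dump.

    Each value is packed little-endian, which is why OllyDbg's raw 'Hex dump'
    column reads byte-reversed compared to its 'Decoded data' column.
    """
    dwords = [
        0x0031FAA8,  # +00 SEH chain head
        0x00320000,  # +04 stack base
        0x00223000,  # +08 stack limit
        0x00000000,  # +0C TIB of OS/2 subsystem (NULL)
        0x00001E00,  # +10 fiber data
        0x00000000,  # +14 arbitrary user data
        0x7EFDD000,  # +18 TIB linear address (self)
        0x00000000,  # +1C
        0x00000928,  # +20 process ID
        0x00000B00,  # +24 thread ID
        0x00000000,  # +28
        0x7EFDD02C,  # +2C TLS array
        0x7EFDE000,  # +30 process database (PEB)
        0x00000000,  # +34 thread's last error (ERROR_SUCCESS)
    ]
    return struct.pack("<14I", *dwords)


def decode_teb(image: bytes) -> dict:
    """Read the named fields out of a raw little-endian TEB image."""
    fields = {}
    for offset, name in TEB_FIELDS.items():
        (fields[name],) = struct.unpack_from("<I", image, offset)
    return fields


def with_seh_head(image: bytes, value: int) -> bytes:
    """Return a copy of the image with a different SEH chain head at +0 (for testing)."""
    patched = bytearray(image)
    struct.pack_into("<I", patched, 0x00, value)
    return bytes(patched)


def check_teb(image: bytes, base: int) -> list:
    """Return a list of consistency problems; an empty list means the snapshot looks sane."""
    teb = decode_teb(image)
    problems = []
    if teb["teb_self"] != base:
        problems.append(f"self pointer {teb['teb_self']:#010x} != mapping base {base:#010x}")
    if not teb["stack_limit"] < teb["stack_base"]:
        problems.append("stack limit is not below stack base")
    # The SEH head is a record on the thread's own stack; a head that points
    # elsewhere is a sign of a corrupted or overwritten chain.
    if not (teb["stack_limit"] <= teb["seh_head"] < teb["stack_base"]):
        problems.append(f"SEH head {teb['seh_head']:#010x} lies outside the stack")
    return problems


if __name__ == "__main__":
    sample = build_sample_teb()
    for name, value in decode_teb(sample).items():
        print(f"{name:<12} {value:#010x}")
    print("problems:", check_teb(sample, TEB_SNAPSHOT_BASE) or "none")
    print("tampered:", check_teb(with_seh_head(sample, 0x41414141), TEB_SNAPSHOT_BASE))
```

Feeding the image a SEH head outside the [stack limit, stack base) range makes check_teb report it, which is the same bounds test an exception dispatcher applies before trusting a handler record. On a running 32-bit Windows process the same fields are reachable through the FS segment, whose base is the current thread's TEB, so the value at +18 is the one a `mov eax, fs:[18h]` would return.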