Process Environment Block. Microsoft's documentation of this structure is incomplete; the fields here are taken from various resources (the list of resources is not reproduced on this page).
InheritedAddressSpace: BOOLEAN
ReadImageFileExecOptions: BOOLEAN
BeingDebugged: BOOLEAN
BitField: UCHAR
Mutant: HANDLE
ImageBaseAddress: HMODULE
Ldr: *PEB_LDR_DATA
ProcessParameters: *RTL_USER_PROCESS_PARAMETERS
SubSystemData: PVOID
ProcessHeap: HANDLE
FastPebLock: *RTL_CRITICAL_SECTION
AtlThunkSListPtr: PVOID
IFEOKey: PVOID
CrossProcessFlags: ULONG
SystemReserved: ULONG
AtlThunkSListPtr32: ULONG
ApiSetMap: PVOID
TlsExpansionCounter: ULONG
TlsBitmap: *RTL_BITMAP
TlsBitmapBits: [2]ULONG
ReadOnlySharedMemoryBase: PVOID
SharedData: PVOID
ReadOnlyStaticServerData: *PVOID
AnsiCodePageData: PVOID
OemCodePageData: PVOID
UnicodeCaseTableData: PVOID
NumberOfProcessors: ULONG
NtGlobalFlag: ULONG
CriticalSectionTimeout: LARGE_INTEGER
HeapSegmentReserve: ULONG_PTR
HeapSegmentCommit: ULONG_PTR
HeapDeCommitTotalFreeThreshold: ULONG_PTR
HeapDeCommitFreeBlockThreshold: ULONG_PTR
NumberOfHeaps: ULONG
MaximumNumberOfHeaps: ULONG
ProcessHeaps: *PVOID
GdiSharedHandleTable: PVOID
ProcessStarterHelper: PVOID
GdiDCAttributeList: ULONG
LoaderLock: *RTL_CRITICAL_SECTION
OSMajorVersion: ULONG
OSMinorVersion: ULONG
OSBuildNumber: USHORT
OSCSDVersion: USHORT
OSPlatformId: ULONG
ImageSubSystem: ULONG
ImageSubSystemMajorVersion: ULONG
ImageSubSystemMinorVersion: ULONG
ActiveProcessAffinityMask: KAFFINITY
GdiHandleBuffer: [
switch (@sizeOf(usize)) {
4 => 0x22,
8 => 0x3C,
else => unreachable,
}
]ULONG
PostProcessInitRoutine: PVOID
TlsExpansionBitmap: *RTL_BITMAP
TlsExpansionBitmapBits: [32]ULONG
SessionId: ULONG
AppCompatFlags: ULARGE_INTEGER
AppCompatFlagsUser: ULARGE_INTEGER
ShimData: PVOID
AppCompatInfo: PVOID
CSDVersion: UNICODE_STRING
ActivationContextData: *const ACTIVATION_CONTEXT_DATA
ProcessAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP
SystemDefaultActivationData: *const ACTIVATION_CONTEXT_DATA
SystemAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP
MinimumStackCommit: ULONG_PTR
FlsCallback: *FLS_CALLBACK_INFO
FlsListHead: LIST_ENTRY
FlsBitmap: *RTL_BITMAP
FlsBitmapBits: [4]ULONG
FlsHighIndex: ULONG
WerRegistrationData: PVOID
WerShipAssertPtr: PVOID
pUnused: PVOID
pImageHeaderHash: PVOID
TracingFlags: ULONG
CsrServerReadOnlySharedMemoryBase: ULONGLONG
TppWorkerpListLock: ULONG
TppWorkerpList: LIST_ENTRY
WaitOnAddressHashTable: [0x80]PVOID
TelemetryCoverageHeader: PVOID
CloudFileFlags: ULONG
pub const PEB = extern struct {
// Field layout of the Process Environment Block (PEB), declared as an extern struct so
// the fields keep their declaration order. The "Versions" comments record the Windows NT
// versions in which a field is present; "Fields appended in ..." marks where the
// structure grew in a given release.
//
// NOTE(review): the PEB is mapped in the process's own user-mode address space, so code
// running inside the process can rewrite these fields. Security tooling should treat
// values read from here as process-controlled hints and corroborate them with
// kernel-side or event-based telemetry before relying on them.
//
// Versions: All
InheritedAddressSpace: BOOLEAN,
// Versions: 3.51+
ReadImageFileExecOptions: BOOLEAN,
// NOTE(review): this is the byte that IsDebuggerPresent() reports. Because it is
// process-writable it is not a trustworthy signal in either direction; analysts should
// expect samples to read or reset it (cf. ATT&CK T1622, Debugger Evasion).
BeingDebugged: BOOLEAN,
// Versions: 5.2+ (previously was padding)
BitField: UCHAR,
// Versions: all
Mutant: HANDLE,
// NOTE(review): memory-forensics checks commonly compare this value with the image
// actually mapped at that address and with the on-disk file; a mismatch is a
// tampering indicator worth investigating - confirm against the tool in use.
ImageBaseAddress: HMODULE,
// Pointer to the loader data (PEB_LDR_DATA is declared outside this block).
// NOTE(review): presumably the head of the loaded-module lists; since in-process code
// can edit those lists, module enumeration for detection should be cross-checked
// against the memory-manager view (mapped image sections) rather than this alone.
Ldr: *PEB_LDR_DATA,
// NOTE(review): RTL_USER_PROCESS_PARAMETERS is declared elsewhere; it is understood to
// hold the command line and image path as seen from user mode. These can be rewritten
// after process creation (ATT&CK T1564.010, Process Argument Spoofing), so command-line
// logging should come from process-creation events, not from a later PEB read.
ProcessParameters: *RTL_USER_PROCESS_PARAMETERS,
SubSystemData: PVOID,
ProcessHeap: HANDLE,
// Versions: 5.1+
FastPebLock: *RTL_CRITICAL_SECTION,
// Versions: 5.2+
AtlThunkSListPtr: PVOID,
IFEOKey: PVOID,
// Versions: 6.0+
/// https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/crossprocessflags.htm
CrossProcessFlags: ULONG,
// Versions: 6.0+
// One pointer-sized slot exposed under two names (extern union: both members overlap).
// NOTE(review): KernelCallbackTable is a pointer to a table of callback function
// pointers; redirecting it is a documented execution-hijack technique
// (ATT&CK T1574.013), so integrity monitoring of this pointer is a useful detection.
union1: extern union {
KernelCallbackTable: PVOID,
UserSharedInfoPtr: PVOID,
},
// Versions: 5.1+
SystemReserved: ULONG,
// Versions: 5.1, (not 5.2, not 6.0), 6.1+
AtlThunkSListPtr32: ULONG,
// Versions: 6.1+
ApiSetMap: PVOID,
// Versions: all
TlsExpansionCounter: ULONG,
// note: there is padding here on 64 bit
TlsBitmap: *RTL_BITMAP,
TlsBitmapBits: [2]ULONG,
ReadOnlySharedMemoryBase: PVOID,
// Versions: 1703+
SharedData: PVOID,
// Versions: all
ReadOnlyStaticServerData: *PVOID,
AnsiCodePageData: PVOID,
OemCodePageData: PVOID,
UnicodeCaseTableData: PVOID,
// Versions: 3.51+
NumberOfProcessors: ULONG,
// NOTE(review): processes started under a debugger typically have heap-debugging bits
// set here, which makes this a second process-controlled "am I debugged" indicator;
// the same trust caveat as BeingDebugged applies - confirm flag values before use.
NtGlobalFlag: ULONG,
// Versions: all
CriticalSectionTimeout: LARGE_INTEGER,
// End of Original PEB size
// Fields appended in 3.51:
HeapSegmentReserve: ULONG_PTR,
HeapSegmentCommit: ULONG_PTR,
HeapDeCommitTotalFreeThreshold: ULONG_PTR,
HeapDeCommitFreeBlockThreshold: ULONG_PTR,
NumberOfHeaps: ULONG,
MaximumNumberOfHeaps: ULONG,
ProcessHeaps: *PVOID,
// Fields appended in 4.0:
GdiSharedHandleTable: PVOID,
ProcessStarterHelper: PVOID,
GdiDCAttributeList: ULONG,
// note: there is padding here on 64 bit
LoaderLock: *RTL_CRITICAL_SECTION,
OSMajorVersion: ULONG,
OSMinorVersion: ULONG,
OSBuildNumber: USHORT,
OSCSDVersion: USHORT,
OSPlatformId: ULONG,
ImageSubSystem: ULONG,
ImageSubSystemMajorVersion: ULONG,
ImageSubSystemMinorVersion: ULONG,
// note: there is padding here on 64 bit
ActiveProcessAffinityMask: KAFFINITY,
// Array length depends on pointer size: 0x22 ULONGs when usize is 4 bytes, 0x3C when it
// is 8 bytes. Any other pointer size is declared unreachable, i.e. unsupported.
GdiHandleBuffer: [
switch (@sizeOf(usize)) {
4 => 0x22,
8 => 0x3C,
else => unreachable,
}
]ULONG,
// Fields appended in 5.0 (Windows 2000):
PostProcessInitRoutine: PVOID,
TlsExpansionBitmap: *RTL_BITMAP,
TlsExpansionBitmapBits: [32]ULONG,
SessionId: ULONG,
// note: there is padding here on 64 bit
// Versions: 5.1+
AppCompatFlags: ULARGE_INTEGER,
AppCompatFlagsUser: ULARGE_INTEGER,
ShimData: PVOID,
// Versions: 5.0+
AppCompatInfo: PVOID,
CSDVersion: UNICODE_STRING,
// Fields appended in 5.1 (Windows XP):
ActivationContextData: *const ACTIVATION_CONTEXT_DATA,
ProcessAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP,
SystemDefaultActivationData: *const ACTIVATION_CONTEXT_DATA,
SystemAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP,
MinimumStackCommit: ULONG_PTR,
// Fields appended in 5.2 (Windows Server 2003):
FlsCallback: *FLS_CALLBACK_INFO,
FlsListHead: LIST_ENTRY,
FlsBitmap: *RTL_BITMAP,
FlsBitmapBits: [4]ULONG,
FlsHighIndex: ULONG,
// Fields appended in 6.0 (Windows Vista):
WerRegistrationData: PVOID,
WerShipAssertPtr: PVOID,
// Fields appended in 6.1 (Windows 7):
pUnused: PVOID, // previously pContextData
pImageHeaderHash: PVOID,
/// TODO: https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/tracingflags.htm
TracingFlags: ULONG,
// Fields appended in 6.2 (Windows 8):
CsrServerReadOnlySharedMemoryBase: ULONGLONG,
// Fields appended in 1511:
TppWorkerpListLock: ULONG,
TppWorkerpList: LIST_ENTRY,
// Fixed-size table of 0x80 (128) pointer-sized entries.
WaitOnAddressHashTable: [0x80]PVOID,
// Fields appended in 1709:
TelemetryCoverageHeader: PVOID,
CloudFileFlags: ULONG,
}