{ "id": "8ee55a05-b25b-41de-9576-4a149aa68f3f", "created_at": "2026-04-06T00:16:32.073902Z", "updated_at": "2026-04-10T13:11:45.500095Z", "deleted_at": null, "sha1_hash": "82aa27601c2813111fef82b392b620458a7336c9", "title": "PEB: Where Magic Is Stored", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 368537, "plain_text": "PEB: Where Magic Is Stored\r\nPublished: 2021-08-22 · Archived: 2026-04-05 23:06:30 UTC\r\nAs a reverse engineer, every now and then you encounter a situation where you dive deeper into the internal\r\nstructures of an operating system as usual. Be it out of simple curiosity, or because you need to understand how a\r\nbinary uses specific parts of the operating system in certain ways . One of the more interesting structures in\r\nWindows is the Process Environment Block/PEB. In this article, I’d like to introduce you to this structure and talk\r\nabout various use cases of how adversaries can abuse this structure for their own purposes.\r\nIntroducing PEB\r\nThe Process Environment Block is a critical structure in the Windows OS, most of its fields are not intended to be\r\nused by other than the operating system. It contains data structures that apply across a whole process and is stored\r\nin user-mode memory, which makes it accessible for the corresponding process. The structure contains valuable\r\ninformation about the running process, including:\r\nwhether the process is being debugged or not\r\nwhich modules are loaded into memory\r\nthe command line used to invoke the process\r\nAll these information gives adversaries a number of possibilities to abuse it. The figure below shows the layout of\r\nthe PEB structure:\r\ntypedef struct _PEB {\r\nBYTE                           Reserved1[2];\r\nBYTE                           BeingDebugged;\r\nBYTE                           Reserved2[1];\r\nPVOID                          Reserved3[2];\r\nPPEB_LDR_DATA Ldr;\r\nPRTL_USER_PROCESS_PARAMETERS ProcessParameters;\r\nPVOID                          Reserved4[3];\r\nPVOID                          AtlThunkSListPtr;\r\nPVOID                          Reserved5;\r\nULONG                          Reserved6;\r\nPVOID                          Reserved7;\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 1 of 7\n\nULONG                          Reserved8;\r\nULONG                          AtlThunkSListPtr32;\r\nPVOID                          Reserved9[45];\r\nBYTE                           Reserved10[96];\r\nPPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;\r\nBYTE                           Reserved11[128];\r\nPVOID                          Reserved12[1];\r\nULONG                          SessionId;\r\n} PEB, *PPEB;\r\nNow that we’ve talked a little bit about the layout and purpose of the structure, let’s take a look at a few use cases.\r\nReading the BeingDebugged flag\r\nThe most obvious way is to check the BeingDebugged to identify, whether a debugger is attached to the process\r\nor not. Through reading the variable directly from memory instead of using usual suspects like\r\nNtQueryInformationProcess or IsDebuggerPresent , malware can prevent noisy WINAPI calls. This makes it\r\nharder to spot this technique.\r\nHowever, most debuggers already take care of this. X64dbg for example, has an option to hide the Debugger by\r\nmodifying the PEB structure at start of the debugging session.\r\nIterating through loaded modules\r\nAnother use case, could be iterating the loaded modules and discover DLLs injected into memory with purpose to\r\noverwatch the running process. To understand how to achieve this, we need to take a look at the PPEB_LDR_DATA\r\nstructure included in PEB , which is provided by the Ldr variable:\r\ntypedef struct _PEB_LDR_DATA {\r\nBYTE        Reserved1[8];\r\nPVOID       Reserved2[3];\r\nLIST_ENTRY InMemoryOrderModuleList;\r\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\r\nPPEB_LDR_DATA contains the head to a doubly linked list named InMemoryOrderModuleList . Each item in this\r\nlist is a structure from type LDR_DATA_TABLE_ENTRY , which contains all the information we need to iterate loaded\r\nmodules. See the structure of LDR_DATA_TABLE_ENTRY below:\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 2 of 7\n\ntypedef struct _LDR_DATA_TABLE_ENTRY {\r\nPVOID Reserved1[2];\r\nLIST_ENTRY InMemoryOrderLinks;\r\nPVOID Reserved2[2];\r\nPVOID DllBase;\r\nPVOID EntryPoint;\r\nPVOID Reserved3;\r\nUNICODE_STRING FullDllName;\r\nBYTE Reserved4[8];\r\nPVOID Reserved5[3];\r\nunion {\r\nULONG CheckSum;\r\nPVOID Reserved6;\r\n};\r\nULONG TimeDateStamp;\r\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\r\nSo by iterating the doubly linked list, we are able to discover the base address and full name of all modules loaded\r\ninto memory of the running process. The snippet below is a small Proof of Concept. It iterates the linked list and\r\nprints the library name to stdout. I created it for the purpose of this blog article. You are free to use it, however I\r\nwill also upload it to my github repo the upcoming days:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n#include \u003cWindows.h\u003e\r\n#include \u003ciostream\u003e\r\n#include \u003cshlwapi.h\u003e\r\n#define NO_STDIO_REDIRECT\r\ntypedef struct _UNICODE_STRING\r\n{\r\nUSHORT Length;\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 3 of 7\n\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\nUSHORT MaximumLength;\r\nPWSTR Buffer;\r\n} UNICODE_STRING, * PUNICODE_STRING;\r\ntypedef struct _LDR_DATA_TABLE_ENTRY_MOD {\r\nLIST_ENTRY InMemoryOrderLinks;\r\nPVOID Reserved2[2];\r\nPVOID DllBase;\r\nPVOID EntryPoint;\r\nPVOID Reserved3;\r\nUNICODE_STRING FullDllName;\r\nBYTE Reserved4[8];\r\nPVOID Reserved5[3];\r\nunion {\r\nULONG CheckSum;\r\nPVOID Reserved6;\r\n};\r\nULONG TimeDateStamp;\r\n} LDR_DATA_TABLE_ENTRY_MOD, * PLDR_DATA_TABLE_ENTRY_MOD_MOD;\r\nint main( int argc, char ** argv[]){\r\nPLDR_DATA_TABLE_ENTRY_MOD_MOD lib = NULL;\r\n_asm {\r\nxor eax, eax\r\nmov eax, fs:[0x30]\r\nmov eax, [eax + 0xC]\r\nmov eax, [eax + 0x14]\r\nmov lib, eax\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 4 of 7\n\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n48\r\n49\r\n50\r\n51\r\n52\r\n53\r\n54\r\n55\r\n56\r\n57\r\n58\r\n59\r\n};\r\nprintf ( \"[+] Initialised pointer to first LDR_DATA_TABLE_ENTRY_MOD\\n\" );\r\nwhile ( lib-\u003eFullDllName.Buffer != NULL ) {\r\nprintf ( \"[+] %S\\n\" , lib-\u003eFullDllName.Buffer);\r\nlib = (PLDR_DATA_TABLE_ENTRY_MOD_MOD)lib-\u003eInMemoryOrderLinks.Flink;\r\n}\r\nprintf ( \"[+] Done!\\n\" );\r\nreturn 0;\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 5 of 7\n\n60\r\nIf you are wondering how I am able to access the PEB in the code below, you should take a look at the inline\r\nassembly in the main method, especially the instruction mov eax, fs:[0x30] . FS is a segment register, similar\r\nto GS. FS can be used to access thread-specific memory. Offset 0x30 allows you to access the linear address of\r\nthe Process Environment Block.\r\nFinally, we want to take a look at a real world example of how PEB can be abused.\r\nHow the MATA Framework abuses PEB\r\nThis use case was introduced to me while reverse engineering a Windows variant of the MATA Framework.\r\nAccording to Kaspersky[1], the MATA Framework is used by the Lazarus group and targets multiple platforms.\r\nMalware authors have a high interest in obfuscation, because it increases the time needed to reverse engineer it.\r\nOne way to hide API calls is to use API Hashing. I have written about Danabot’s API Hashing[2] before and how\r\nto overcome it. MATA also uses this technique.\r\nHowever instead of using the WIN API calls to retrieve the address of DLLs loaded into memory, MATA abuses\r\nthe Process Environment Block to fetch base addresses. Let’s take a look at how MATA for Windows achieves\r\nthis:\r\nMATA API Hashing\r\nThe input of the APIHashing method takes an integer as the only parameter, this is the hash for the corresponding\r\nAPI call.\r\nFigure 1: Call to APIHash method\r\nRight after the prologue, it retrieves a pointer to PEB by reading it from the Thread Environment Block via the\r\nsegment register GS . Similar to our proof of concept above, MATA now fetches the address to the head of the\r\nlinked list provided by InMemoryOrderModuleList . Each item of the linked list provides the DLL base address of\r\nthe corresponding loaded module.\r\nFrom there, the malware reads the e_lfanew field, which contains the offset to the file header. By adding the\r\nbase address, e_lfsanew and 0x88 it jumps directly to the data directories of the corresponding PE. From the\r\ndata directories, MATA accesses the exported function names in a similar way as I’ve described in my blog article\r\nabout DanaBot’s API Hashing[3]. The hashing algorithm is fairly simple. Each integer representation of a\r\ncharacter is added and the result of the addition is ROR'd by 0xD consecutively each iteration. If the final hash\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 6 of 7\n\nmatches the input parameter, the address to the function is retrieved. The following figure explains the function at\r\na high level:\r\nHigh level overview of API Hashing of MATA malware\r\nLearning from each other\r\nThat’s it with the blog article, I hope you enjoyed it! There are probably way more use cases and real world cases\r\nof how the PEB is and and can be abused. If you can think of another one, feel free to leave a comment below\r\nand share it, so that we can learn from each other!\r\nSource: https://malwareandstuff.com/peb-where-magic-is-stored/\r\nhttps://malwareandstuff.com/peb-where-magic-is-stored/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://malwareandstuff.com/peb-where-magic-is-stored/" ], "report_names": [ "peb-where-magic-is-stored" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434592, "ts_updated_at": 1775826705, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/82aa27601c2813111fef82b392b620458a7336c9.pdf", "text": "https://archive.orkl.eu/82aa27601c2813111fef82b392b620458a7336c9.txt", "img": "https://archive.orkl.eu/82aa27601c2813111fef82b392b620458a7336c9.jpg" } }