{
	"id": "cb042de8-9401-40d5-be0a-b907d6f3273e",
	"created_at": "2026-04-06T00:18:50.391476Z",
	"updated_at": "2026-04-10T03:21:50.791991Z",
	"deleted_at": null,
	"sha1_hash": "aba39ced835c93ec49e9e51a0168c4dfd6fbc243",
	"title": "PEB (winternl.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52540,
	"plain_text": "PEB (winternl.h) - Win32 apps\r\nBy karl-bridge-microsoft\r\nArchived: 2026-04-05 18:00:51 UTC\r\n[This structure may be altered in future versions of Windows.]\r\nContains process information.\r\nSyntax\r\ntypedef struct _PEB {\r\n BYTE Reserved1[2];\r\n BYTE BeingDebugged;\r\n BYTE Reserved2[1];\r\n PVOID Reserved3[2];\r\n PPEB_LDR_DATA Ldr;\r\n PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\r\n PVOID Reserved4[3];\r\n PVOID AtlThunkSListPtr;\r\n PVOID Reserved5;\r\n ULONG Reserved6;\r\n PVOID Reserved7;\r\n ULONG Reserved8;\r\n ULONG AtlThunkSListPtr32;\r\n PVOID Reserved9[45];\r\n BYTE Reserved10[96];\r\n PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;\r\n BYTE Reserved11[128];\r\n PVOID Reserved12[1];\r\n ULONG SessionId;\r\n} PEB, *PPEB;\r\nMembers\r\nReserved1[2]\r\nReserved for internal use by the operating system.\r\nBeingDebugged\r\nIndicates whether the specified process is currently being debugged. The PEB structure, however, is an internal\r\noperating-system structure whose layout may change in the future. It is best to use the\r\nCheckRemoteDebuggerPresent function instead.\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb\r\nPage 1 of 3\n\nReserved2[1]\r\nReserved for internal use by the operating system.\r\nReserved3[2]\r\nReserved for internal use by the operating system.\r\nLdr\r\nA pointer to a PEB_LDR_DATA structure that contains information about the loaded modules for the process.\r\nProcessParameters\r\nA pointer to an RTL_USER_PROCESS_PARAMETERS structure that contains process parameter information\r\nsuch as the command line.\r\nReserved4[3]\r\nReserved for internal use by the operating system.\r\nAtlThunkSListPtr\r\nReserved5\r\nReserved for internal use by the operating system.\r\nReserved6\r\nReserved for internal use by the operating system.\r\nReserved7\r\nReserved for internal use by the operating system.\r\nReserved8\r\nAtlThunkSListPtr32\r\nReserved9[45]\r\nReserved10[96]\r\nPostProcessInitRoutine\r\nNot supported.\r\nReserved11[128]\r\nReserved12[1]\r\nSessionId\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb\r\nPage 2 of 3\n\nThe Terminal Services session identifier associated with the current process.\r\nThe syntax for this structure on 64-bit Windows is as follows:\r\ntypedef struct _PEB {\r\n BYTE Reserved1[2];\r\n BYTE BeingDebugged;\r\n BYTE Reserved2[21];\r\n PPEB_LDR_DATA LoaderData;\r\n PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\r\n BYTE Reserved3[520];\r\n PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;\r\n BYTE Reserved4[136];\r\n ULONG SessionId;\r\n} PEB;\r\nRequirements\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps only]\r\nMinimum supported server Windows Server 2003 [desktop apps only]\r\nHeader winternl.h\r\nSee also\r\nNtQueryInformationProcess\r\nZwQueryInformationProcess\r\nTEB\r\nPEB_LDR_DATA\r\nRTL_USER_PROCESS_PARAMETERS\r\nSource: https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb"
	],
	"report_names": [
		"ns-winternl-peb"
	],
	"threat_actors": [],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aba39ced835c93ec49e9e51a0168c4dfd6fbc243.pdf",
		"text": "https://archive.orkl.eu/aba39ced835c93ec49e9e51a0168c4dfd6fbc243.txt",
		"img": "https://archive.orkl.eu/aba39ced835c93ec49e9e51a0168c4dfd6fbc243.jpg"
	}
}