How to access the PEB (process environment block) in dump using DbgHelp

StackOverflow https://stackoverflow.com/questions/15141706

  •  16-03-2022
  •  | 
  •  

Question

I found an example that uses the debugger engine API to get at the PEB in a dump. Is this possible using DbgHelp? Have existing code that uses DbgHelp to pull out comment and exception information. Would like to grab some info from PEB if possible.

Was it helpful?

Solution

You can use the MiniDumpReadDumpStream function to read streams from the dump file. Just read the dump file into the memory or map it into the memory, and use this function.

To access the PEB. Read the ThreadListStream from the dump file. The MINIDUMP_THREAD_LIST structure will contain an array of MINIDUMP_THREAD strutures, which have a Teb field with the address of the TEB for that thread.

The difference of the TEB and PEB on 32 and 64 bit is that the pointers are 8 bytes on 64 bit.

This means for a 32 bit process the address of PEB can be found at the 0x30 offset of TEB. For a 64 bit process the address of PEB can be found at the 0x60 offset of the TEB.

You will need to roll your own memory reader functions when reading memory from a minidump file.

OTHER TIPS

There's a !peb command in WinDbg, which works for dumps. See also here: http://windbg.info/doc/1-common-cmds.html

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top