本文共 4157 字，大约阅读时间需要 13 分钟。

PEB（Process Environment Block，进程环境块）存放进程信息，每个进程都有自己的PEB信息。位于用户地址空间。

TEB（Thread Environment Block，线程环境块）系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间，在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。

调试的程序的时候，了解PEB和TEB往往对分析很有帮助。 WinDBG中 !peb 和 !teb 命令可以用来显示PEB和TEB：

0:000> !pebPEB at 7ffd6000InheritedAddressSpace: NoReadImageFileExecOptions: NoBeingDebugged: YesImageBaseAddress: 01000000Ldr 001a1ea0Ldr.Initialized: YesLdr.InInitializationOrderModuleList: 001a1f58 . 001a2850Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2840Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2848Base TimeStamp Module1000000 3b7d8475 Aug 17 13:54:13 2001 C:/WINDOWS/system32/winmine.exe7c900000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/ntdll.dll7c800000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/kernel32.dll77c10000 4802a188 Apr 13 17:12:56 2008 C:/WINDOWS/system32/msvcrt.dll77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:/WINDOWS/system32/ADVAPI32.dll77e70000 4802a106 Apr 13 17:10:46 2008 C:/WINDOWS/system32/RPCRT4.dll77fe0000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/Secur32.dll77f10000 49006fbe Oct 23 05:36:14 2008 C:/WINDOWS/system32/GDI32.dll7e410000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/USER32.dll7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:/WINDOWS/system32/SHELL32.dll77f60000 4802a116 Apr 13 17:11:02 2008 C:/WINDOWS/system32/SHLWAPI.dll76b40000 4802a13c Apr 13 17:11:40 2008 C:/WINDOWS/system32/WINMM.dll773d0000 4802a094 Apr 13 17:08:52 2008 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83/COMCTL32.dllSubSystemData: 00000000ProcessHeap: 000a0000ProcessParameters: 00020000WindowTitle: 'C:/WINDOWS/system32/winmine.exe'ImageFile: 'C:/WINDOWS/system32/winmine.exe'CommandLine: 'winmine'DllPath: 'C:/WINDOWS/system32;C:/WINDOWS/system32;C:/WINDOWS/system;C:/WINDOWS;.;C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin'Environment: 00010000=::=::/ALLUSERSPROFILE=C:/Documents and Settings/All UsersANT_HOME=C:/Program Files/Apache-antAPPDATA=C:/Documents and Settings/WinGeek/Application DataAVENGINE=C:/PROGRA~1/CA/SHARED~1/SCANEN~1CommonProgramFiles=C:/Program Files/Common FilesCOMPUTERNAME=QIComSpec=C:/WINDOWS/system32/cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=/Documents and Settings/WinGeekINOCULAN=C:/Program Files/CA/eTrust AntivirusJAVA_HOME=C:/Program Files/Java/jdk1.5.0_14LOGONSERVER=//QINUMBER_OF_PROCESSORS=2OS=Windows_NTPath=C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/binPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSHPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=0f02ProgramFiles=C:/Program FilesSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:/WINDOWSTEMP=C:/DOCUME~1/WinGeek/LOCALS~1/TempTMP=C:/DOCUME~1/WinGeek/LOCALS~1/TempUSERDOMAIN=QIUSERNAME=WinGeekUSERPROFILE=C:/Documents and Settings/WinGeekVS80COMNTOOLS=C:/Program Files/Microsoft Visual Studio 8/Common7/Tools/VS90COMNTOOLS=C:/Program Files/Microsoft Visual Studio 9.0/Common7/Tools/WINDBG_DIR=C:/Program Files/WinDbgwindir=C:/WINDOWS

0:000> !tebTEB at 7ffdf000ExceptionList: 0007fd0cStackBase: 00080000StackLimit: 0007c000SubSystemTib: 00000000FiberData: 00001e00ArbitraryUserPointer: 00000000Self: 7ffdf000EnvironmentPointer: 00000000ClientId: 000014a8 . 000014acRpcHandle: 00000000Tls Storage: 00000000PEB Address: 7ffd6000LastErrorValue: 0LastStatusValue: 0Count Owned Locks: 0HardErrorMode: 0

转载地址：http://vehab.baihongyu.com/