Windows Internals: Walking the Process Environment Block to Discover In-Memory Libraries


Knowing Windows internals is a must for any reverse engineer. There are several key internal structures in the Windows operating system that are regularly used to obtain non-standard functionality. The process environment block, commonly referred to as the PEB, is one of those structures. In this video, we'll discuss the overall structure of the PEB and use WinDbg to view its layout. We'll also look at a sample program that walks the PEB to find the base of NTDLL, and discuss how this code works and how you can identify it.

Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 https://www.pluralsight.com/authors/j...
🌶️ YouTube 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻   / joshstroschein  
🌎 Follow me 👉🏻   / jstrosch  ,   / joshstroschein  
⚙️ Tinker with me on Github 👉🏻 https://github.com/jstrosch

You can find the sample program here: https://github.com/jstrosch/learning-...

00:00 Introduction
01:01 PEB Structure Defined on MSDN
01:56 Sample Program for Demo
02:38 Exploring the PEB w/ WinDbg
04:19 FS:30h
05:11 PEB_LDR_DATA Structure
05:47 In-Memory Module Linked-Lists
06:03 LIST_ENTRY For the Doubly Linked List
06:35 LDR_DATA_TABLE_ENTRY Structure
11:56 Accessing Name and Base Address
15:26 Viewing PEB and Structures in Memory
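As an added example (not the video's sample program), here is the walk the chapters above describe, written in portable C so it can be studied without a Windows box: the structures are simplified stand-ins with the same field order, the PEB comes from a constructed fixture rather than FS:[30h], and find_module_base returns the DllBase of the entry whose BaseDllName matches. The shape of this loop (PEB, Ldr, InMemoryOrderModuleList, CONTAINING_RECORD, case-insensitive name compare) is what an analyst looks for when identifying the technique in a disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <ctype.h>

/* Simplified views of the loader structures: field order follows the public definitions, but earlier fields and padding are omitted, so these are not the real offsets. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct {
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void *DllBase; void *EntryPoint; uint32_t SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
} LDR_DATA_TABLE_ENTRY;
typedef struct { LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList; } PEB_LDR_DATA;
typedef struct { PEB_LDR_DATA *Ldr; } PEB;  /* a real PEB is reached via FS:[30h] on x86, GS:[60h] on x64 */
/* Recover the enclosing LDR_DATA_TABLE_ENTRY from a pointer to one of its LIST_ENTRY fields. */
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
/* Case-insensitive compare of a UTF-16 BaseDllName against an ASCII name ("NTDLL.DLL" vs "ntdll.dll"). */
static int name_matches(const UNICODE_STRING *u, const char *name) {
    size_t n = u->Length / 2;                        /* Length is in bytes, not characters */
    for (size_t i = 0; i < n; i++)
        if (!name[i] || u->Buffer[i] > 127 ||
            tolower(u->Buffer[i]) != tolower((unsigned char)name[i])) return 0;
    return name[n] == '\0';                          /* reject prefixes such as "ntdll" */
}
/* The walk itself: PEB -> Ldr -> InMemoryOrderModuleList -> each LDR_DATA_TABLE_ENTRY. */
void *find_module_base(const PEB *peb, const char *name) {
    const LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        const LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (name_matches(&e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;                                     /* module not loaded in this process */
}
/* Constructed fixture standing in for a live process: three fake modules with made-up base addresses. */
static LDR_DATA_TABLE_ENTRY mods[3]; static PEB_LDR_DATA ldr; static PEB fake_peb = { &ldr };
static void link_after(LIST_ENTRY *a, LIST_ENTRY *b) { a->Flink = b; b->Blink = a; }
PEB *build_fake_peb(void) {
    static uint16_t n0[] = {'d','e','m','o','.','e','x','e'}, n1[] = {'N','T','D','L','L','.','D','L','L'},
                    n2[] = {'K','E','R','N','E','L','3','2','.','D','L','L'};
    uint16_t *names[3] = {n0, n1, n2}, lens[3] = {16, 18, 24};   /* name lengths in bytes */
    uintptr_t bases[3] = {0x400000, 0x7FF00000, 0x7FE00000};     /* constructed, not real, addresses */
    LIST_ENTRY *prev = &ldr.InMemoryOrderModuleList;
    for (int i = 0; i < 3; i++) {
        mods[i].DllBase = (void *)bases[i];
        mods[i].BaseDllName = (UNICODE_STRING){lens[i], lens[i], names[i]};
        link_after(prev, &mods[i].InMemoryOrderLinks); prev = &mods[i].InMemoryOrderLinks;
    }
    link_after(prev, &ldr.InMemoryOrderModuleList);  /* close the circular doubly linked list */
    return &fake_peb;
}
```

On a real process the same loop runs against the live PEB; here it runs against the fixture, which is enough to see why CONTAINING_RECORD and the byte-length UNICODE_STRING matter.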
