Thread Environment block and Process Environment block-CodePudding

I have read win32 process memory contains this structure:

One Process Environment block (PEB) (one per process)
Several Thread Environment blocs (TEB) (one per thread inside the process)

I have read a lot of documentation and I do not understand:

This TEB and PEB are specific to windows x86 32 ? Or is it the same for x86 64 windows OS ?
Is there a way to loop all process's threads TEB without calling windows API ?
What is the equivalent of TEB/PEB for Linux systems ?

Thanks

CodePudding user response：

This TEB and PEB are specific to windows x86 32 ? Or is it the same for x86 64 windows OS ?

There's a TEB and PEB for 32-bit and 64-bit programs. e.g. you have a TEB32 and TEB64 structures (you can see them in the kernel symbols). They have the same fields but since x64 fields are larger (e.g. a pointer is 4 bytes on 32-bit but 8 bytes on 64-bit) their sizes differ and the fields offsets are obviously different.

From a kernel debugger:

0: kd> ?? sizeof(_TEB64)
unsigned int64 0x1838

0: kd> dt _TEB64
nt!_TEB64
    0x000 NtTib            : _NT_TIB64
    0x038 EnvironmentPointer : Uint8B
    0x040 ClientId         : _CLIENT_ID64
    0x050 ActiveRpcHandle  : Uint8B
    0x058 ThreadLocalStoragePointer : Uint8B
    0x060 ProcessEnvironmentBlock : Uint8B
    0x068 LastErrorValue   : Uint4B
   ...

0: kd> ?? sizeof(_TEB32)
unsigned int64 0x1000

0: kd> dt _TEB32
nt!_TEB32
    0x000 NtTib            : _NT_TIB32
    0x01c EnvironmentPointer : Uint4B
    0x020 ClientId         : _CLIENT_ID32
    0x028 ActiveRpcHandle  : Uint4B
    0x02c ThreadLocalStoragePointer : Uint4B
    0x030 ProcessEnvironmentBlock : Uint4B
    0x034 LastErrorValue   : Uint4B
   ...

Is there a way to loop all process's threads TEB without calling windows API ?

Nope, TEBs are not linked and the PEB doesn't have a list of the TEBs. At the kernel level this is possible (with EPROCESS and ETHREAD structures), but not at the user-mode level. So, not without calling an API (e.g. NtQueryInformationThread).

What is the equivalent of TEB/PEB for Linux systems ?

There's no direct 1:1 mapping between TEB/PEB and linux structures; the closest you could get is, I guess, task_struct and thread_info (which are more akin to EPROCESS / ETHREAD), but the system architectures are different enough that there's no real counterparts in linux.