kd> dt _teb ntdll!_TEB +0x000 NtTib : _NT_TIB +0x01c EnvironmentPointer : Ptr32 Void +0x020 ClientId : _CLIENT_ID +0x028 ActiveRpcHandle : Ptr32 Void +0x02c ThreadLocalStoragePointer : Ptr32 Void +0x030 ProcessEnvironmentBlock : Ptr32 _PEB +0x034 LastErrorValue : Uint4B +0x038 CountOfOwnedCriticalSections : Uint4B +0x03c CsrClientThread : Ptr32 Void +0x040 Win32ThreadInfo : Ptr32 Void +0x044 User32Reserved : [26] Uint4B +0x0ac UserReserved : [5] Uint4B +0x0c0 WOW32Reserved : Ptr32 Void +0x0c4 CurrentLocale : Uint4B +0x0c8 FpSoftwareStatusRegister : Uint4B +0x0cc SystemReserved1 : [54] Ptr32 Void +0x1a4 ExceptionCode : Int4B +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK +0x1bc SpareBytes1 : [24] UChar +0x1d4 GdiTebBatch : _GDI_TEB_BATCH +0x6b4 RealClientId : _CLIENT_ID +0x6bc GdiCachedProcessHandle : Ptr32 Void +0x6c0 GdiClientPID : Uint4B +0x6c4 GdiClientTID : Uint4B +0x6c8 GdiThreadLocalInfo : Ptr32 Void +0x6cc Win32ClientInfo : [62] Uint4B +0x7c4 glDispatchTable : [233] Ptr32 Void +0xb68 glReserved1 : [29] Uint4B +0xbdc glReserved2 : Ptr32 Void +0xbe0 glSectionInfo : Ptr32 Void +0xbe4 glSection : Ptr32 Void +0xbe8 glTable : Ptr32 Void +0xbec glCurrentRC : Ptr32 Void +0xbf0 glContext : Ptr32 Void +0xbf4 LastStatusValue : Uint4B +0xbf8 StaticUnicodeString : _UNICODE_STRING +0xc00 StaticUnicodeBuffer : [261] Uint2B +0xe0c DeallocationStack : Ptr32 Void +0xe10 TlsSlots : [64] Ptr32 Void +0xf10 TlsLinks : _LIST_ENTRY +0xf18 Vdm : Ptr32 Void +0xf1c ReservedForNtRpc : Ptr32 Void +0xf20 DbgSsReserved : [2] Ptr32 Void +0xf28 HardErrorsAreDisabled : Uint4B +0xf2c Instrumentation : [16] Ptr32 Void +0xf6c WinSockData : Ptr32 Void +0xf70 GdiBatchCount : Uint4B +0xf74 InDbgPrint : UChar +0xf75 FreeStackOnTermination : UChar +0xf76 HasFiberData : UChar +0xf77 IdealProcessor : UChar +0xf78 Spare3 : Uint4B +0xf7c ReservedForPerf : Ptr32 Void +0xf80 ReservedForOle : Ptr32 Void +0xf84 WaitingOnLoaderLock : Uint4B +0xf88 Wx86Thread : _Wx86ThreadState +0xf94 
TlsExpansionSlots : Ptr32 Ptr32 Void +0xf98 ImpersonationLocale : Uint4B +0xf9c IsImpersonating : Uint4B +0xfa0 NlsCache : Ptr32 Void +0xfa4 pShimData : Ptr32 Void +0xfa8 HeapVirtualAffinity : Uint4B +0xfac CurrentTransactionHandle : Ptr32 Void +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME +0xfb4 SafeThunkCall : UChar +0xfb5 BooleanSpare : [3] UChar 0:001> dg 0x0 0x38 P Si Gr Pr Lo Sel Base Limit Type l ze an es ng Flags ---- -------- -------- ---------- - -- -- -- -- -------- 0000 00000000 00000000 0 Nb By Np Nl 00000000 0008 00000000 ffffffff Code RE 0 Bg Pg P Nl 00000c9a 0010 00000000 ffffffff Data RW 0 Bg Pg P Nl 00000c92 0018 00000000 ffffffff Code RE 3 Bg Pg P Nl 00000cfa 0020 00000000 ffffffff Data RW 3 Bg Pg P Nl 00000cf2 0028 80042000 000020ab TSS32 Busy 0 Nb By P Nl 0000008b 0030 ffdff000 00001fff Data RW 0 Bg Pg P Nl 00000c92 0038 7ffde000 00000fff Data RW Ac 3 Bg By P Nl 000004f3 R3 fs=0x38 0x7ffde000-0x7ffdefff 4kb _TEB 每个线程各有一个 _TEB,大小为 4kb(一页):从 0x7ffde000 开始,后续线程的 _TEB 依次位于 0x7ffdd000、0x7ffdc000……,即向低地址方向增长。 0:001> ~ 0 Id: e4.304 Suspend: 1 Teb: 7ffdd000 Unfrozen . 1 Id: e4.714 Suspend: 1 Teb: 7ffdc000 Unfrozen 可以看出第一个 _TEB 的地址也不一定是 0x7ffde000:上面 ~ 命令列出的两个线程的 Teb 分别为 0x7ffdd000 和 0x7ffdc000,而此时 0x7ffde000 被 _PEB 占用(见下面 !peb 输出中的 PEB at 7ffde000)! 0:001> !peb PEB at 7ffde000 InheritedAddressSpace: No ReadImageFileExecOptions: No BeingDebugged: Yes ImageBaseAddress: 01000000 Ldr 001a1ea0 Ldr.Initialized: Yes Ldr.InInitializationOrderModuleList: 001a1f58 . 001a33b0 Ldr.InLoadOrderModuleList: 001a1ee0 . 001a33a0 Ldr.InMemoryOrderModuleList: 001a1ee8 . 
001a33a8 Base TimeStamp Module 1000000 41107cc3 Aug 04 14:05:55 2004 C:\WINDOWS\NOTEPAD.EXE 7c920000 4121457c Aug 17 07:38:36 2004 C:\WINDOWS\system32\ntdll.dll 7c800000 46239c32 Apr 16 23:54:26 2007 C:\WINDOWS\system32\kernel32.dll 76320000 4121455b Aug 17 07:38:03 2004 C:\WINDOWS\system32\comdlg32.dll 77f40000 47589c77 Dec 07 09:05:59 2007 C:\WINDOWS\system32\SHLWAPI.dll 77da0000 4121454d Aug 17 07:37:49 2004 C:\WINDOWS\system32\ADVAPI32.dll 77e50000 46923396 Jul 09 21:09:42 2007 C:\WINDOWS\system32\RPCRT4.dll 77fc0000 4121457b Aug 17 07:38:35 2004 C:\WINDOWS\system32\Secur32.dll 77ef0000 4677dad9 Jun 19 21:32:09 2007 C:\WINDOWS\system32\GDI32.dll 77d10000 45f02db2 Mar 08 23:37:22 2007 C:\WINDOWS\system32\USER32.dll 77be0000 412145fe Aug 17 07:40:46 2004 C:\WINDOWS\system32\msvcrt.dll 77180000 44ef1c15 Aug 25 23:49:41 2006 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll 7d590000 4720ca57 Oct 26 00:54:47 2007 C:\WINDOWS\system32\SHELL32.dll 72f70000 4121457a Aug 17 07:38:34 2004 C:\WINDOWS\system32\WINSPOOL.DRV 5cc30000 41214576 Aug 17 07:38:30 2004 C:\WINDOWS\system32\ShimEng.dll 58fb0000 41214534 Aug 17 07:37:24 2004 C:\WINDOWS\AppPatch\AcGenral.DLL 76b10000 4121459a Aug 17 07:39:06 2004 C:\WINDOWS\system32\WINMM.dll 76990000 42e5be95 Jul 26 12:39:49 2005 C:\WINDOWS\system32\ole32.dll 770f0000 47559f02 Dec 05 02:40:02 2007 C:\WINDOWS\system32\OLEAUT32.dll 77bb0000 4121457b Aug 17 07:38:35 2004 C:\WINDOWS\system32\MSACM32.dll 77bd0000 41214577 Aug 17 07:38:31 2004 C:\WINDOWS\system32\VERSION.dll 759d0000 41214578 Aug 17 07:38:32 2004 C:\WINDOWS\system32\USERENV.dll 5adc0000 4121457a Aug 17 07:38:34 2004 C:\WINDOWS\system32\UxTheme.dll 76300000 41214561 Aug 17 07:38:09 2004 C:\WINDOWS\system32\IMM32.DLL 62c20000 41214556 Aug 17 07:37:58 2004 C:\WINDOWS\system32\LPK.DLL 73fa0000 41214579 Aug 17 07:38:33 2004 C:\WINDOWS\system32\USP10.dll 74680000 41214596 Aug 17 07:39:02 2004 
C:\WINDOWS\system32\MSCTF.dll 73640000 41214597 Aug 17 07:39:03 2004 C:\WINDOWS\system32\msctfime.ime SubSystemData: 00000000 ProcessHeap: 000a0000 ProcessParameters: 00020000 WindowTitle: 'C:\WINDOWS\NOTEPAD.EXE' ImageFile: 'C:\WINDOWS\NOTEPAD.EXE' CommandLine: 'C:\WINDOWS\NOTEPAD.EXE' DllPath: 'C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem' Environment: 00010000 ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Administrator\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=CHINA-B99C4869A ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Administrator LOGONSERVER=\\CHINA-B99C4869A NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0f0d ProgramFiles=C:\Program Files SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp USERDOMAIN=CHINA-B99C4869A USERNAME=Administrator USERPROFILE=C:\Documents and Settings\Administrator WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86) windir=C:\WINDOWS _NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols _PEB 总是位于第一个 _TEB 的后面——这里的“后面”指紧邻其上的那一页:如上例 _PEB 在 0x7ffde000,第一个 _TEB 在其下一页 0x7ffdd000。下面 procsup.c 的片段说明 _TEB 在创建时由内核(MmCreateTeb)填入 ProcessEnvironmentBlock(+0x30,指向所属进程的 _PEB)以及 ClientId/RealClientId;nxi386.c 中的 NtCurrentTeb 读取 fs:[0x18],即 _NT_TIB.Self(见文末 dt _nt_tib 中的 +0x018 Self),该字段保存 _TEB 自身的线性地址,因此无需知道 fs 段基址即可得到 _TEB 指针。 procsup.c MmCreateTeb TebBase->ProcessEnvironmentBlock = TargetProcess->Peb; TebBase->ClientId = *ClientId; TebBase->RealClientId = *ClientId; nxi386.c #define PcTeb 0x18 __inline struct _TEB * NtCurrentTeb( void ) { return (struct _TEB *) (ULONG_PTR) __readfsdword (PcTeb); } kd> dt _nt_tib ntdll!_NT_TIB +0x000 ExceptionList : Ptr32 
_EXCEPTION_REGISTRATION_RECORD +0x004 StackBase : Ptr32 Void +0x008 StackLimit : Ptr32 Void +0x00c SubSystemTib : Ptr32 Void +0x010 FiberData : Ptr32 Void +0x010 Version : Uint4B +0x014 ArbitraryUserPointer : Ptr32 Void +0x018 Self : Ptr32 _NT_TIB