extern struct PEB [src]

Process Environment Block Microsoft documentation of this is incomplete, the fields here are taken from various resources including: https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L269 https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm

Fields

InheritedAddressSpace: BOOLEAN

ReadImageFileExecOptions: BOOLEAN

BeingDebugged: BOOLEAN

BitField: UCHAR

Mutant: HANDLE

ImageBaseAddress: HMODULE

Ldr: *PEB_LDR_DATA

ProcessParameters: *RTL_USER_PROCESS_PARAMETERS

SubSystemData: PVOID

ProcessHeap: HANDLE

FastPebLock: *RTL_CRITICAL_SECTION

AtlThunkSListPtr: PVOID

IFEOKey: PVOID

CrossProcessFlags: ULONGhttps://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/crossprocessflags.htm

union1: extern union { KernelCallbackTable: PVOID, UserSharedInfoPtr: PVOID, }

SystemReserved: ULONG

AtlThunkSListPtr32: ULONG

ApiSetMap: PVOID

TlsExpansionCounter: ULONG

TlsBitmap: *RTL_BITMAP

TlsBitmapBits: [2]ULONG

ReadOnlySharedMemoryBase: PVOID

SharedData: PVOID

ReadOnlyStaticServerData: *PVOID

AnsiCodePageData: PVOID

OemCodePageData: PVOID

UnicodeCaseTableData: PVOID

NumberOfProcessors: ULONG

NtGlobalFlag: ULONG

CriticalSectionTimeout: LARGE_INTEGER

HeapSegmentReserve: ULONG_PTR

HeapSegmentCommit: ULONG_PTR

HeapDeCommitTotalFreeThreshold: ULONG_PTR

HeapDeCommitFreeBlockThreshold: ULONG_PTR

NumberOfHeaps: ULONG

MaximumNumberOfHeaps: ULONG

ProcessHeaps: *PVOID

GdiSharedHandleTable: PVOID

ProcessStarterHelper: PVOID

GdiDCAttributeList: ULONG

LoaderLock: *RTL_CRITICAL_SECTION

OSMajorVersion: ULONG

OSMinorVersion: ULONG

OSBuildNumber: USHORT

OSCSDVersion: USHORT

OSPlatformId: ULONG

ImageSubSystem: ULONG

ImageSubSystemMajorVersion: ULONG

ImageSubSystemMinorVersion: ULONG

ActiveProcessAffinityMask: KAFFINITY

GdiHandleBuffer: [ switch (@sizeOf(usize)) { 4 => 0x22, 8 => 0x3C, else => unreachable, } ]ULONG

PostProcessInitRoutine: PVOID

TlsExpansionBitmap: *RTL_BITMAP

TlsExpansionBitmapBits: [32]ULONG

SessionId: ULONG

AppCompatFlags: ULARGE_INTEGER

AppCompatFlagsUser: ULARGE_INTEGER

ShimData: PVOID

AppCompatInfo: PVOID

CSDVersion: UNICODE_STRING

ActivationContextData: *const ACTIVATION_CONTEXT_DATA

ProcessAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP

SystemDefaultActivationData: *const ACTIVATION_CONTEXT_DATA

SystemAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP

MinimumStackCommit: ULONG_PTR

FlsCallback: *FLS_CALLBACK_INFO

FlsListHead: LIST_ENTRY

FlsBitmap: *RTL_BITMAP

FlsBitmapBits: [4]ULONG

FlsHighIndex: ULONG

WerRegistrationData: PVOID

WerShipAssertPtr: PVOID

pUnused: PVOID

pImageHeaderHash: PVOID

TracingFlags: ULONGTODO: https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/tracingflags.htm

CsrServerReadOnlySharedMemoryBase: ULONGLONG

TppWorkerpListLock: ULONG

TppWorkerpList: LIST_ENTRY

WaitOnAddressHashTable: [0x80]PVOID

TelemetryCoverageHeader: PVOID

CloudFileFlags: ULONG

Source

  pub const PEB = extern struct {
    // Versions: All
    InheritedAddressSpace: BOOLEAN,

    // Versions: 3.51+
    ReadImageFileExecOptions: BOOLEAN,
    BeingDebugged: BOOLEAN,

    // Versions: 5.2+ (previously was padding)
    BitField: UCHAR,

    // Versions: all
    Mutant: HANDLE,
    ImageBaseAddress: HMODULE,
    Ldr: *PEB_LDR_DATA,
    ProcessParameters: *RTL_USER_PROCESS_PARAMETERS,
    SubSystemData: PVOID,
    ProcessHeap: HANDLE,

    // Versions: 5.1+
    FastPebLock: *RTL_CRITICAL_SECTION,

    // Versions: 5.2+
    AtlThunkSListPtr: PVOID,
    IFEOKey: PVOID,

    // Versions: 6.0+

    /// https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/crossprocessflags.htm
    CrossProcessFlags: ULONG,

    // Versions: 6.0+
    union1: extern union {
        KernelCallbackTable: PVOID,
        UserSharedInfoPtr: PVOID,
    },

    // Versions: 5.1+
    SystemReserved: ULONG,

    // Versions: 5.1, (not 5.2, not 6.0), 6.1+
    AtlThunkSListPtr32: ULONG,

    // Versions: 6.1+
    ApiSetMap: PVOID,

    // Versions: all
    TlsExpansionCounter: ULONG,
    // note: there is padding here on 64 bit
    TlsBitmap: *RTL_BITMAP,
    TlsBitmapBits: [2]ULONG,
    ReadOnlySharedMemoryBase: PVOID,

    // Versions: 1703+
    SharedData: PVOID,

    // Versions: all
    ReadOnlyStaticServerData: *PVOID,
    AnsiCodePageData: PVOID,
    OemCodePageData: PVOID,
    UnicodeCaseTableData: PVOID,

    // Versions: 3.51+
    NumberOfProcessors: ULONG,
    NtGlobalFlag: ULONG,

    // Versions: all
    CriticalSectionTimeout: LARGE_INTEGER,

    // End of Original PEB size

    // Fields appended in 3.51:
    HeapSegmentReserve: ULONG_PTR,
    HeapSegmentCommit: ULONG_PTR,
    HeapDeCommitTotalFreeThreshold: ULONG_PTR,
    HeapDeCommitFreeBlockThreshold: ULONG_PTR,
    NumberOfHeaps: ULONG,
    MaximumNumberOfHeaps: ULONG,
    ProcessHeaps: *PVOID,

    // Fields appended in 4.0:
    GdiSharedHandleTable: PVOID,
    ProcessStarterHelper: PVOID,
    GdiDCAttributeList: ULONG,
    // note: there is padding here on 64 bit
    LoaderLock: *RTL_CRITICAL_SECTION,
    OSMajorVersion: ULONG,
    OSMinorVersion: ULONG,
    OSBuildNumber: USHORT,
    OSCSDVersion: USHORT,
    OSPlatformId: ULONG,
    ImageSubSystem: ULONG,
    ImageSubSystemMajorVersion: ULONG,
    ImageSubSystemMinorVersion: ULONG,
    // note: there is padding here on 64 bit
    ActiveProcessAffinityMask: KAFFINITY,
    GdiHandleBuffer: [
        switch (@sizeOf(usize)) {
            4 => 0x22,
            8 => 0x3C,
            else => unreachable,
        }
    ]ULONG,

    // Fields appended in 5.0 (Windows 2000):
    PostProcessInitRoutine: PVOID,
    TlsExpansionBitmap: *RTL_BITMAP,
    TlsExpansionBitmapBits: [32]ULONG,
    SessionId: ULONG,
    // note: there is padding here on 64 bit
    // Versions: 5.1+
    AppCompatFlags: ULARGE_INTEGER,
    AppCompatFlagsUser: ULARGE_INTEGER,
    ShimData: PVOID,
    // Versions: 5.0+
    AppCompatInfo: PVOID,
    CSDVersion: UNICODE_STRING,

    // Fields appended in 5.1 (Windows XP):
    ActivationContextData: *const ACTIVATION_CONTEXT_DATA,
    ProcessAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP,
    SystemDefaultActivationData: *const ACTIVATION_CONTEXT_DATA,
    SystemAssemblyStorageMap: *ASSEMBLY_STORAGE_MAP,
    MinimumStackCommit: ULONG_PTR,

    // Fields appended in 5.2 (Windows Server 2003):
    FlsCallback: *FLS_CALLBACK_INFO,
    FlsListHead: LIST_ENTRY,
    FlsBitmap: *RTL_BITMAP,
    FlsBitmapBits: [4]ULONG,
    FlsHighIndex: ULONG,

    // Fields appended in 6.0 (Windows Vista):
    WerRegistrationData: PVOID,
    WerShipAssertPtr: PVOID,

    // Fields appended in 6.1 (Windows 7):
    pUnused: PVOID, // previously pContextData
    pImageHeaderHash: PVOID,

    /// TODO: https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/tracingflags.htm
    TracingFlags: ULONG,

    // Fields appended in 6.2 (Windows 8):
    CsrServerReadOnlySharedMemoryBase: ULONGLONG,

    // Fields appended in 1511:
    TppWorkerpListLock: ULONG,
    TppWorkerpList: LIST_ENTRY,
    WaitOnAddressHashTable: [0x80]PVOID,

    // Fields appended in 1709:
    TelemetryCoverageHeader: PVOID,
    CloudFileFlags: ULONG,
}  