Skip to content

Instantly share code, notes, and snippets.

@HACKE-RC

HACKE-RC/TEB.c

Last active October 7, 2023 10:54
Show Gist options
  • Save HACKE-RC/687fdae74f80a83f32e24a9b593106a8 to your computer and use it in GitHub Desktop.
Save HACKE-RC/687fdae74f80a83f32e24a9b593106a8 to your computer and use it in GitHub Desktop.
Download ZIP
The Windows TEB data structure.
Raw
TEB.c
struct _TEB {
struct _NT_TIB NtTib;
void *EnvironmentPointer;
struct _CLIENT_ID ClientId;
void *ActiveRpcHandle;
void *ThreadLocalStoragePointer;
struct _PEB *ProcessEnvironmentBlock;
unsigned long LastErrorValue;
unsigned long CountOfOwnedCriticalSections;
void *CsrClientThread;
void *Win32ThreadInfo;
unsigned long User32Reserved[26];
unsigned long UserReserved[5];
void *WOW32Reserved;
unsigned long CurrentLocale;
unsigned long FpSoftwareStatusRegister;
void *ReservedForDebuggerInstrumentation[16];
void *SystemReserved1[37];
unsigned int WorkingOnBehalfTicket[8];
long ExceptionCode;
unsigned int Padding0[4];
struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer;
unsigned int InstrumentationCallbackSp;
unsigned int InstrumentationCallbackPreviousPc;
unsigned int InstrumentationCallbackPreviousSp;
unsigned long TxFsContext;
unsigned int InstrumentationCallbackDisabled;
unsigned int Padding1[3];
struct _GDI_TEB_BATCH GdiTebBatch;
struct _CLIENT_ID RealClientId;
void *GdiCachedProcessHandle;
unsigned long GdiClientPID;
unsigned long GdiClientTID;
void *GdiThreadLocalInfo;
unsigned int Win32ClientInfo[62];
void *glDispatchTable[233];
unsigned int glReserved1[29];
void *glReserved2;
void *glSectionInfo;
void *glSection;
void *glTable;
void *glCurrentRC;
void *glContext;
unsigned long LastStatusValue;
unsigned int Padding2[4];
struct _UNICODE_STRING StaticUnicodeString;
wchar_t StaticUnicodeBuffer[261];
unsigned int Padding3[6];
void *DeallocationStack;
void *TlsSlots[64];
struct _LIST_ENTRY TlsLinks;
void *Vdm;
void *ReservedForNtRpc;
void *DbgSsReserved[2];
unsigned long HardErrorMode;
unsigned int Padding4[4];
void *Instrumentation[11];
struct _GUID ActivityId;
void *SubProcessTag;
void *PerflibData;
void *EtwTraceData;
void *WinSockData;
unsigned long GdiBatchCount;
struct _PROCESSOR_NUMBER CurrentIdealProcessor;
unsigned long IdealProcessorValue;
unsigned int ReservedPad0;
unsigned int ReservedPad1;
unsigned int ReservedPad2;
unsigned int IdealProcessor;
unsigned long GuaranteedStackBytes;
unsigned int Padding5[4];
void *ReservedForPerf;
void *ReservedForOle;
unsigned long WaitingOnLoaderLock;
unsigned int Padding6[4];
void *SavedPriorityState;
unsigned int ReservedForCodeCoverage;
void *ThreadPoolData;
void **TlsExpansionSlots;
void *DeallocationBStore;
void *BStoreLimit;
unsigned long MuiGeneration;
unsigned long IsImpersonating;
void *NlsCache;
void *pShimData;
unsigned int HeapVirtualAffinity;
unsigned int LowFragHeapDataSlot;
unsigned int Padding7[4];
void *CurrentTransactionHandle;
struct _TEB_ACTIVE_FRAME *ActiveFrame;
void *FlsData;
void *PreferredLanguages;
void *UserPrefLanguages;
void *MergedPrefLanguages;
unsigned long MuiImpersonation;
unsigned int CrossTebFlags;
unsigned int SpareCrossTebBits : 16;
unsigned int SameTebFlags;
unsigned int SafeThunkCall : 1;
unsigned int InDebugPrint : 1;
unsigned int HasFiberData : 1;
unsigned int SkipThreadAttach : 1;
unsigned int WerInShipAssertCode : 1;
unsigned int RanProcessInit : 1;
unsigned int ClonedThread : 1;
unsigned int SuppressDebugMsg : 1;
unsigned int DisableUserStackWalk : 1;
unsigned int RtlExceptionAttached : 1;
unsigned int InitialThread : 1;
unsigned int SessionAware : 1;
unsigned int LoadOwner : 1;
unsigned int LoaderWorker : 1;
unsigned int SpareSameTebBits : 2;
void *TxnScopeEnterCallback;
void *TxnScopeExitCallback;
void *TxnScopeContext;
unsigned long LockCount;
long WowTebOffset;
void *ResourceRetValue;
void *ReservedForWdf;
unsigned int ReservedForCrt;
struct _GUID EffectiveContainerId;
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment