@Inndy
Created October 8, 2025 10:19
Just learned that PEB.Ldr is placed at the same address across processes, just like system DLLs // https://x.com/Inndy_tw/status/1975867556163711073
PID: 29184 ; PEB: 000000323baba000 ; PEB.ProcessParameters: 00000169c6808a20 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 76232 ; PEB: 0000006708cdc000 ; PEB.ProcessParameters: 0000024876105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 38720 ; PEB: 000000726384b000 ; PEB.ProcessParameters: 0000019cae105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 53072 ; PEB: 0000007fe6f2a000 ; PEB.ProcessParameters: 000002701f105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 78840 ; PEB: 000000502ec9f000 ; PEB.ProcessParameters: 0000016422105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 52948 ; PEB: 000000fb9d1e2000 ; PEB.ProcessParameters: 000002a894105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 56104 ; PEB: 000000b459ed0000 ; PEB.ProcessParameters: 000001dbf0c48a20 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 82676 ; PEB: 000000377d331000 ; PEB.ProcessParameters: 00000152d3105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 96460 ; PEB: 000000d7f2f22000 ; PEB.ProcessParameters: 0000024806105e90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 105000 ; PEB: 00000076bb08f000 ; PEB.ProcessParameters: 000001db51968a20 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 100600 ; PEB: 000000a1b5292000 ; PEB.ProcessParameters: 0000020fa97d8a20 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 85688 ; PEB: 0000001965039000 ; PEB.ProcessParameters: 0000011a3f105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 94792 ; PEB: 0000000000526000 ; PEB.ProcessParameters: 000000000e2d8780 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 86964 ; PEB: 000000e5017c3000 ; PEB.ProcessParameters: 0000028561105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 8676 ; PEB: 000000f204ae1000 ; PEB.ProcessParameters: 0000023979105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 74072 ; PEB: 000000c54a67b000 ; PEB.ProcessParameters: 0000026729105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 103248 ; PEB: 000000d773045000 ; PEB.ProcessParameters: 0000027f8e105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 74908 ; PEB: 00000089c1cb2000 ; PEB.ProcessParameters: 000001bfda105d90 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 23488 ; PEB: 000000b3130ce000 ; PEB.ProcessParameters: 000002897a1b8a20 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
PID: 23704 ; PEB: 0000004820edb000 ; PEB.ProcessParameters: 0000022f230e8a20 ; PEB.Ldr: 00007ffa0e7d4940 ; Ldr Links: { 000002b34ef74f70 000002b34ef7d690 000002b34ef74f80 000002b34ef7d6a0 000002b34ef74d60 000002b34ef7f6a0 }
#include <windows.h>
#include <winternl.h>
#include <psapi.h>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <vector>
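// Prints the PEB address, the PEB.Ldr pointer and the three loader list heads
// (InLoadOrder / InMemoryOrder / InInitializationOrder) of the process behind
// hProcess. The handle needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
// Returns false, after a message on stderr, when the query or a remote read fails.
bool check(HANDLE hProcess) {
    PROCESS_BASIC_INFORMATION pbi = {};
    DWORD rb = 0;
    const NTSTATUS status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &rb);
    if (!NT_SUCCESS(status)) {
        std::cerr << "NtQueryInformationProcess(get PEB) failed\n";
        return false;
    }

    PEB rPEB = {};
    SIZE_T r = 0;
    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &rPEB, sizeof(rPEB), &r) || r != sizeof(rPEB)) {
        std::cerr << "ReadProcessMemory(PEB) failed\n";
        return false;
    }

    // rPEB.Ldr is an address in the *target* process. Dereferencing it locally
    // (as `(&rPEB.Ldr->InMemoryOrderModuleList)[-1]` did) reads this process's
    // own PEB_LDR_DATA -- it happens not to fault because, as the gist notes,
    // that address is the same in every process -- which is why every line of
    // the captured output shows identical "Ldr Links". Read it remotely instead.
    //
    // winternl.h declares PEB_LDR_DATA only up to InMemoryOrderModuleList; the
    // InLoadOrderModuleList head is the LIST_ENTRY just before it and the
    // InInitializationOrderModuleList head the one just after it, so read one
    // extra LIST_ENTRY past the declared struct (same layout assumption as the
    // original [-1]/[+1] indexing).
    constexpr std::size_t kMemOrderOff = offsetof(PEB_LDR_DATA, InMemoryOrderModuleList);
    constexpr std::size_t kLdrBytes = sizeof(PEB_LDR_DATA) + sizeof(LIST_ENTRY);
    static_assert(kMemOrderOff >= sizeof(LIST_ENTRY), "no room for InLoadOrderModuleList before InMemoryOrderModuleList");

    unsigned char ldrBuf[kLdrBytes] = {};
    if (!ReadProcessMemory(hProcess, rPEB.Ldr, ldrBuf, sizeof(ldrBuf), &r) || r != sizeof(ldrBuf)) {
        std::cerr << "ReadProcessMemory(PEB_LDR_DATA) failed\n";
        return false;
    }

    // lists[0] = InLoadOrder, lists[1] = InMemoryOrder, lists[2] = InInitializationOrder
    LIST_ENTRY lists[3] = {};
    std::memcpy(lists, ldrBuf + (kMemOrderOff - sizeof(LIST_ENTRY)), sizeof(lists));

    std::printf("PID: %-6d ; PEB: %p ; PEB.Ldr: %p ; Ldr Links: { %p %p %p %p %p %p }\n",
                static_cast<int>(pbi.UniqueProcessId),
                static_cast<void*>(pbi.PebBaseAddress),
                static_cast<void*>(rPEB.Ldr),
                static_cast<void*>(lists[0].Flink), static_cast<void*>(lists[0].Blink),
                static_cast<void*>(lists[1].Flink), static_cast<void*>(lists[1].Blink),
                static_cast<void*>(lists[2].Flink), static_cast<void*>(lists[2].Blink));
    return true;
}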
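// Enumerates every PID on the system, opens each one with the two rights that
// check() needs and dumps its PEB/loader addresses. Processes that cannot be
// opened (exited, protected, or running at a higher integrity level than this
// tool) are skipped silently.
int main() {
    std::vector<DWORD> pids(4096);
    const DWORD cb = static_cast<DWORD>(pids.size() * sizeof(DWORD));
    DWORD needed = 0;
    if (!EnumProcesses(pids.data(), cb, &needed)) {
        std::cerr << "EnumProcesses failed: " << GetLastError() << '\n';
        return 1;
    }

    // EnumProcesses never reports more bytes than it was handed, so the old
    // test `needed / 4 <= pids.size()` could never fail; the documented
    // "buffer too small" signal is needed == cb, in which case the list is
    // truncated and the tool only sees the first 4096 PIDs.
    if (needed == cb) {
        std::printf("You have tooooooo much process living on your system\n");
    }
    pids.resize(needed / sizeof(DWORD));

    for (const DWORD pid : pids) {
        HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (!hProcess) {
            continue;
        }
        check(hProcess);
        CloseHandle(hProcess);
    }
    return 0;
}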