Key Points for _PEB Flashcards
_PEB - BeingDebugged
Tells you whether the process is currently being debugged. We’ve seen malware that attaches to itself (by calling DebugActiveProcess). Because only one debugger at a time can attach to a target process, this served as anti-debugging protection. Thus, it is a red flag if this value is set to true but there are no legitimate debuggers running.
_PEB - ImageBaseAddress
The address in process memory where the main executable (.exe) is loaded. Before Volatility’s procdump plugin carves an executable from memory, it reads this value so it knows where to look.
_PEB - Ldr
Points to a _PEB_LDR_DATA structure, which contains details about the DLLs loaded in a process.
_PEB - ProcessParameters
Points to a _RTL_PROCESS_PARAMETERS structure.
_PEB - ProcessHeap
Primary heap for the process, which is created automatically when the process is initialized.
_PEB - NumberOfHeaps
Number of heaps in a process. By default, a process has only one heap, but it can create others by calling HeapCreate.
_PEB - ProcessHeaps
An array of pointers to process heaps. The first entry in this list always points to the same location as ProcessHeap because it is the primary heap.
_PEB.ProcessParameters.Environment
A process’ environment variables are pointed to by _PEB.ProcessParameters.Environment. The variables are organized as multiple NULL-terminated strings. If an attacker manipulates these variables, they can cause the target application to unexpectedly execute malicious code. Some malware marks its presence by creating environment variables rather than mutexes.
Attacks on Environment Variables
The two most common attacks on environment variables involve changing the PATH and PATHEXT variables. Modifying these values has an effect similar to search-order hijacking (kind of like changing the boot order in BIOS).